A new draft law threatens the independence and functioning of the BE DPA
The Belgian data protection authority is concerned about developments that could threaten its independence. These include a preliminary draft law to amend the current BE DPA law, and the lack of resources allocated to it. The DPA has expressed its concerns in an opinion published today, that she also forwarded to the Court of Audit, the Council of State, as well as to the European Commission and the other European supervisors assembled in the European Data Protection Board (EDPB). The BE DPA is of course ready to contribute constructively to the adaptation of the preliminary draft law.
Preliminary draft law amending the Act establishing the BE DPA
The BE DPA has delivered an opinion on a preliminary draft law amending the Act of 3 December 2017 establishing the Data Protection Authority. It welcomes the intention of the draft, which is to strengthen the BE DPA and its executive committee.
However, the opinion of the BE DPA concludes that the preliminary draft law seriously jeopardises both the efficient functioning and independence of the BE DPA. Indeed, it creates new insecurity and risks of infringement proceedings, due to, inter alia:
- An erosion of the guarantees of independence of the BE DPA
- A risk of paralysis, despite the fact that most bodies of the BE DPA function properly (especially in view of the structural lack of resources)
- A weakening of the legal procedures within the BE DPA, which raises particular risks for enforcement
- An even more far-reaching supervision by parliament, while the current law already goes beyond what European and international law allows (i.e. supervision of financial aspects and judicial review)
The preliminary draft law notably introduces parliamentary interference in the internal organisation of BE DPA and in the setting of its priorities. Moreover, it makes the renewal of the mandate of its members conditional on a positive evaluation by the House of Representatives, without any objective criteria to this effect being laid down in the law. This system could lead to a sort "anticipatory obedience" to the House of Representatives. The European Court of Justice has already ruled that "the mere risk" of political influence is sufficient to impede the independent performance of the duties of the national supervisory authorities.
The BE DPA therefore calls for the essential shortcomings identified in its opinion to be addressed.
Need for the necessary resources to best protect the personal data of Belgians
The GDPR requires that every supervisor has the necessary resources at its disposal to perform its tasks. However, the BE DPA's requests for additional human and financial resources, substantiated by the Court of Audit and an external study, have so far been largely ignored. The BE DPA points out that it has only 45.9 case handlers (FTEs) to carry out the 21 different tasks assigned by the GDPR, and that the gap with its European counterparts is therefore widening.
The role of the BE DPA is to ensure that the rights of the data subjects are protected, so it must have the necessary means at disposal to carry out this essential task.
The BE DPA hopes that the comments made in its opinion on the preliminary draft law will be taken into account, in order to avoid exposing the organisation to structural problems that could jeopardise the good performance of its tasks, or even to possible infringement procedures.
The DPA reminds that it had already shared its feedback during the public consultation on the evaluation of the BE DPA law, and that this feedback could bring added value to the text. Being close to the field, the BE DPA believes that it can contribute positively to the preliminary draft law.