Lee & White

On 25th of June 2013, the Belgian Privacy Commission and the Ministry of Justice entered into a protocol agreement which forms the framework for the transfer of personal data outside the EU. Following this, contracts governing the exchange of personal data between companies outside the EU will be handled more smoothly from now on.

The immense volume of personal data transferred between countries has rightly demanded the need for the protection of such personal data. Where the data is transferred within Belgium and the EU, personal data may be transferred subject to the Belgian Data Protection Law. EU member states are accorded the same level of protection for the processing of personal data by virtue of the European Directive 95/46/EC.

Where the data is transferred outside the EU, personal data can only be transferred to countries which provide an adequate level of protection of the data - similar to the protection accorded within the EU. The European Commission has recognised a number of countries which are regarded as providing an adequate level of protection of personal data. This can be viewed on the European Commission's website.

Where a country is not recognised as offering an adequate level of protection, personal data may still be transferred through:

• European Commission's model contracts or contractual clauses drawn up by organizations themselves offering an adequate level of protection of the personal data to be transferred
• Binding Corporate Rules
• Exceptions provided by law.

In Belgium, where the European Commission's model contracts are used, these contracts are sent to the Belgian Privacy Commission to be checked to ensure conformity with the European Commission's standard contractual clauses. There is however, no need for a Royal Decree to validate such contracts and this has been clearly stated in the recent protocol agreement between the Belgian Privacy Commission and the Ministry of Justice. The date on which conformity with the standard contractual clauses is confirmed in writing by the Privacy Commission is also the date on which the data transfer is allowed.

In the second instance where organizations themselves draw up their own contractual clauses binding themselves and the receivers of the personal data, the existing situation is such that a Royal Decree is necessary. However, owing to the shared jurisdiction of the Belgian Privacy Commission and the Ministry of Justice, the process became long and cumbersome and meant that very few organizations took up this method of providing an adequate level of protection.

The protocol agreement has changed that - the Privacy Commission will now play the leading role in this procedure and quicken the process. Organizations can send the contracts to the Privacy Commission for review. If the necessary guarantees for the protection of personal data are in place, the Privacy Commission will forward these contracts to the Ministry of Justice along with a positive assessment and a proposed wording for a Royal Decree for the King's signature and publication in the Belgian Official Gazette. If not, the Privacy Commission will contact the applicant and refer to the principles which are required to be addressed properly in the contractual clauses.

The new procedure will significantly shorten the period of approval of such contracts and is said to be a win-win situation for the government, organizations and citizens. It will also prevent the possible consequences of violation and provide more legal certainty for the data subjects whos personal data is transferred as well as the organizations involved. The protocol agreement takes effect immediately.

Facebook, as mentioned in detail in the news, was exposed for keeping shadow profiles on users and non-users.

Through an incident (which should have been classified as a bug as it had been available for months) it was revealed that Facebook is keeping so-called shadow profiles of its users as well as data subjects who do not use their services.

A shadow profile is information about a certain data subject which the data subject in question did not give to the data processor. This profile is created without consent of the data subject and possibly without his knowledge. This means the data processor gathered this information through or by combining other sources, either through other data subjects or from other sources such as other web sites, chat sessions, search history, phone conversations…

European Data Protection law forbids this kind of ‘data brokerage’, gathering, combining and reprocessing data from different sources to build a file with personal data for these reasons:

• Data processors can only process your data with your explicit consent.
• Data processors can only process such personal data which is relevant to their services to you.

Your personal data has become a commodity which they use for their own profit and without a relationship with you, the data subject. Quite a number of companies, small and large, have made it their business to gather everybody’s personal data and sell it on to the highest bidder. Recent times have made it very easy for such companies to gather all information in an automated way and from the comfort of their own office. They are also not bothered by the fact that they are serving stale information which is no longer or never was correct, but can have very deep implications on your personal life.

European Data Protection Law has several safeguards:

• If a data subject suspects a data processor has such a shadow profile, the law provides a means to officially request a complete list of data kept by the data processor concerning the data subject.
• If a data subject objects to the data processor’s use of the data subject’s data, the data subject can submit a request to cease processing such data.
• The new EU Data Protection proposal mentions the right to be forgotten, but lobbying by major data processors is probably going to water this down.

The lessons for our clients are clear:

• Be transparent, only gather personal data from your data subjects through informed and explicit consent.
• Do not process other information than that given by the data subject and only if it is relevant to the purpose of your relationship with the data subject.
• Keep it alive, keep data up to date and do not keep data of data subjects beyond the duration of the relationship with your data subject.
• Protect the personal data entrusted to you.