IT, Privacy and e-Commerce in Belgium: Recent Developments
Steven De Schrijver -
In this contribution we will briefly discuss a number of interesting new developments in the fields of IT, privacy and e-commerce in Belgium in the past year, including new legislation, decisions and reports from regulators and case law.
Privacy Commission issues note on direct marketing
On 28 May 2008, the Privacy Commission issued a note on direct marketing, in which it has set forth certain rules and directions for companies and consumers dealing with direct marketing.
The note was issued after a study of the legislation relating to direct marketing in other EU member states. It describes how direct marketing has to be undertaken in compliance with the Belgian Data Protection Act (DPA). At this moment, many direct marketers violate the DPA, although it applies to all processing of personal data for the direct marketing purposes.
Besides the DPA, direct marketing practices should also be in compliance with the E-Commerce Act of 11 March 2003 and the Fair Trade Practices Act of 14 July 1991, which prevail over deontological codes, such as those of the Belgian Direct Marketing Association.
In its note, the Privacy Commission sets forth, among others, the following rules:
• Use of personal data of minors is subject to the prior consent of the legal representative of the minor.
• Companies selling personal data in databases for direct marketing purposes or conducting viral marketing (ie, a form of direct marketing whereby publicity is directly addressed to people who did not give their prior consent to receive such publicity, but whose e-mail addresses were passed on by friends or acquaintances) must obtain the explicit and unambiguous consent of the data subject to do this. Less strict rules, however, apply to companies that send direct marketing to existing clients or persons who registered as prospects.
• The rights of the data subject to access, rectify and, as the case may be, oppose to the processing of their data must be respected.
• All companies must file a prior notification to the Privacy Commission of their processing for direct marketing purposes and cannot store personal data for an unlimited term.
• Companies must comply with their information obligation. In order to facilitate this, the Privacy Commission provides an example of a concise privacy statement that companies can use to inform the data subject of the processing of his or her data.
New decrees on audiovisual media services
Both the Flemish and the French community recently implemented the EU Audiovisual Media Services Directive 2007/65 of 11 December 2007 (the AMS Directive). This Directive is aimed at modernising the regulatory framework related to the audiovisual market and has to that end amended the EU Television Without Frontiers Directive 89/552 of 3 October 1989.
The Decree of the French Community of 5 February 2009 and the Flemish Decree of 27 March 2009 were published in the Belgian Official Journal on 18 March 2009 and 30 April 2009, respectively. Both decrees aim to provide for a modern and flexible framework in order to adapt the existing media legislation to new technological developments and practices in the market, such as webcasting and product placement (ie, the explicit use of a particular brand of product in programs).
As under the previous rules, the country-of-origin principle continues to apply. As a result, service providers are subject only to the rules applicable in their country of origin.
Like the AMS Directive, the decrees cover all audiovisual media services, which are divided into two distinct categories: the traditional "linear" services, namely, media services that are passively received by the user, such as traditional radio and television; and the emerging "non-linear" or "on demand" services, that is, services where users actively pull content from a network at their request and at the time of their choice.
The Flemish Decree applies to all "broadcasting activities" (radio and television), which are broadly defined as any supply to the general public of audio or audiovisual services for the purpose of information, entertainment, education or culture, through electronic communication networks.
As it is generally accepted that linear services have a larger impact on public opinion and society than non-linear services, the AMS Directive and the Flemish Decree impose stricter and more elaborate regulations to linear services. This is not the case, however, in the Decree of the French Community. This Decree contains similar provisions for both kinds of services (eg, with respect to advertising rules).
Finally, both decrees contain provisions in relation to "commercial communication", with specific rules for advertising on TV, sponsoring, teleshopping and product placement, as well as advertising addressed to minors and consumers.
Final decision of Privacy Commission in SWIFT case
On 9 December 2008, the Privacy Commission rendered a final decision in the procedure regarding the interbank transaction company SWIFT (Society for Worldwide Interbank Financial Telecommunication). Contrary to its first advice of 27 September 2006 (No. 37/2006), the Privacy Commission found that the transfer of personal data by SWIFT to the US Department of the Treasury (USDT) did not constitute a violation of the Belgian DPA.
SWIFT facilitates international money transfers by offering a worldwide platform for the secure exchange of financial information. During such transfers, SWIFT files incoming financial messages for a certain period and subsequently forwards such messages to a financial institution. The organisation has its headquarters in Belgium and a processing centre in the US.
In 2006, the SWIFT case caused a lot of commotion in the US and Europe after it became public that for a period of four years the USTD had been checking personal data contained in millions of (financial) transactions handled via SWIFT. To that end, the USTD had issued several subpoenas to SWIFT in the framework of a secret control programme established after 9/11. SWIFT complied with these demands, after agreeing with the USTD on additional guarantees to secure the transfer and use of the data concerned.
In its initial advice of 2006, the Privacy Commission stated that there were elements indicating that SWIFT, which it qualified as a "data controller", was guilty of serious violations of the DPA. SWIFT would not have complied with, among other things, its information and notification obligation, its obligation to process personal data in accordance with the principles of proportionality and limited retention, and the requirement of an adequate level of protection in the non-EU country to which personal data are transferred.
In its final decision of 9 December 2008, rendered after a two-year investigation carried out with SWIFT's cooperation, the Privacy Commission clearly defines the specific roles and responsibilities of the various players in the international SWIFT network (such as the banks, the financial community and SWIFT itself) and comes to the conclusion that the aforementioned allegations were unfounded.
The Privacy Commission considers that in the framework of the international "war on terror", SWIFT has been "legally forced" by the USTD to transfer certain information. As far as the Commission is concerned, and taking into account all interests at hand, SWIFT has acted carefully, vigorously and attentively as regards the protection of personal data.
SWIFT also received praise from the Privacy Commission for the far-reaching measures it took during the investigation, such as establishing a data processing centre in Switzerland to handle inter-European data transfers; appointing a privacy officer and data protection workgroup within the organisation; and setting up a formalised procedure in order to comply with the requests of persons whose personal data are processed.
Finally, the Privacy Commission also made a general appeal to the European authorities to set up formal control and protection mechanisms in order to avoid similar problems caused by compulsory administrative warrants.
New laws relating to the telecommunications market
On 18 May 2009, the parliament adopted a new law holding several provisions relating to electronic communication. The law contains a number of clarifications on the cooperation between the Belgian Institute for Postal Services and Telecommunications (BIPT) and the Belgian Competition authorities. Its aim is to strengthen the role of the BIPT as arbitrator, restore confidence of investors and stimulate the information society.
In addition, the federal government has also submitted to the parliament a new proposal of law, which aims to clarify aspects of the several appeal procedures against decisions of the BIPT and the Competition authorities in disputes between telecoms operators.
Recent case law
Restriction of viral marketing on the internet
On 24 June 2008, the president of the Commercial Court of Huy found certain forms of viral marketing on the internet unlawful.
The court case related to a dispute between two competing online dating service providers, one of which used two illegal techniques to obtain e-mail addresses from third parties. The first technique consisted of offering people the possibility to provide their e-mail address and the password of their mailbox during the registration process of their membership, allowing the dating service provider to gain access to the e-mail addresses of all contact persons in his mailbox. A second technique consisted of asking members to provide the e-mail addresses of their friends and acquaintances, in return for an increase of their popularity and more possibilities to meet other members.
People whose e-mail addresses were obtained in either of these two ways received unsolicited publicity via e-mail.
The president of the court ruled that both techniques were unlawful, on the following grounds:
• The viral marketing practices violate the principle of proportionality set forth in article 5.f of the Data Protection Act. The privacy interest of the addressees prevails over the commercial interests of those resorting to techniques of viral marketing. Furthermore, he found it unacceptable that: members were rewarded for providing the e-mail addresses; they were not informed about what would be done with these e-mail addresses; and people received unsolicited publicity about a website to which they did not want to be linked.
• Violation of article 14 of the Electronic Commerce Act. This article provides that the use of e-mail for publicity is prohibited without the addressee's prior consent (opt-in regime). Moreover, the president found that it is not allowed to send an e-mail to someone requesting his consent for receiving publicity via e-mail, as this would constitute sending spam.
This decision of the Court is in line with the above-mentioned note on direct marketing issued by the Privacy Commission and with the advice from the Federal Administration of Economy issued in 2006.
Online defamation is a press offence
In a recently published judgment of 14 May 2008, the Court of Appeal of Mons ruled that the process of multiplying an article through a website is comparable to the process of reproducing it through classic paper printing.
The case involved a train passenger who refused to reveal his identity after having been caught travelling in first class with only a second-class ticket. After an assault on two train inspectors, he ended up spending the night in prison.
The unhappy passenger subsequently published an article entitled One night in jail due to the battle between (first and second) class on an online discussion forum for travellers. The article was also published in a newspaper.
This led the two train inspectors to summon the passenger before the Criminal Court of Mons. This Court qualified the facts as a press offence and declared itself incompetent to adjudicate the case, given that the adjudication of press offences is reserved to the Cour d'Assises. The Court of Appeal of Mons confirmed this reasoning.
A press offence is traditionally defined as "an offence that implies the expression of a thought or opinion in a published and printed written work".
Although the text in question was not a printed paper work and its reproduction did not depend on the process of classic paper printing, the Court considered that the reproduction of the text was unlimited as it could be consulted by any surfer on the internet. These surfers could not only print the article, they could also pass it through to other internet users. The Court therefore gave a broad interpretation to "a published and printed work" as also including the publication of an article on an online forum, accessible for any internet user at any time.
Dismissal of employee for violation of company's IT policy
In a recently published judgment of 2 September 2008, the Labour Court of Appeal of Antwerp ruled that an employer who dismissed an employee for violation of the company's IT policy, did so lawfully.
The employee's violations of the IT policy included: adapting his computer's configuration so that he could continue using the old and less secure internet firewall; visiting websites for private purposes during working hours; frequently sending private e-mails via private e-mail accounts; using MSN Messenger to have private chats; and downloading software from the internet that was not allowed.
After discovering through routine network controls that the employee's computer no longer had a normal internet connection, the employer used a protocol analyser to monitor the employee's internet traffic. When these analyses revealed the IT policy violations, the employer immediately fired the employee for urgent reasons (without notice period or compensation).
The Court rejected the employee's argument that the employer had violated Collective Bargaining Agreement (CBA) No. 81 on the use of electronic online communications, because:
• The employer had respected the finality principle, which provides that an employer may control internet and e-mail traffic only for certain specific purposes, including examining the security of the company's IT system and the employees' compliance with the IT policy.
• The employer had also respected the proportionality principle, which provides that an intrusion of privacy during a control has to be limited to a minimum. The court found that the control could be performed in a useful way only by means of a protocol analyser, which specifically registered the employee's network traffic. The fact that the protocol analyser did not allow to disregard the contents of the electronic communications was considered a non-disproportionate side effect.
• Finally, the employer had respected the required collective and individual information procedures (transparency principle) by introducing an IT policy, organising information sessions about this policy and having the employees sign it for agreement.