[Home] [Databases] [WorldLII] [Search] [Feedback] EPIC --- Privacy and Human Rights Report

EPIC --- Privacy and Human Rights Report 2006

Kingdom of Belgium

Constitutional Privacy Framework

The Belgian Constitution recognizes the right of privacy and private communications.[1273] Article 22 states, "Everyone has the right to the respect of his private and family life, except in the cases and conditions determined by law. . . . The laws, decrees, and rulings alluded to in Article 134 guarantee the protection of this right." Article 29 states, "The confidentiality of letters is inviolable. ... The law determines which nominated representatives can violate the confidentiality of letters entrusted to the postal service." Article 22 was added to the Belgian Constitution in 1994. Prior to the constitutional amendment, the Supreme Court (Cour de cassation) ruled that Article 8 of the European Convention applied directly to the law and prohibited government infringement on the private life of individuals.[1274]

Data Protection Framework

The Law on Protection of Personal Data of 1992 governs the processing and use of personal information in Belgium. Amending legislation to update the 1992 Act and make it consistent with the European Union (EU) Data Protection Directive was approved by the Parliament in December 1998.[1275] A Royal Decree (Arrêté royal) to implement the Act was approved in July 2000. The decree, as a whole, broadens the scope of application of the law by extending the definition of "processing," determines how special categories of data may be processed, and reinforces data subjects' rights. The decree was finally adopted in February 2001, and the law came into effect in September 2001.

Two months after the entry into force of the new data protection regime, the government announced that it had put in place an Internet Rights Observatory (Observatoire des droits de l'Internet)[1276] in order to better assess and analyze the impact of the Internet on the economy and consumer protection. The Observatory aims, through its composition, at being an open forum for all Internet stakeholders, and will issue advisory opinions and annual reports, organize a dialogue between economic actors, and inform the public.[1277] The Observatory has released reports on the protection of minors on the Internet,[1278] e-commerce,[1279] e-government[1280] and Voice over IP.[1281]

Data Protection Authority

The Commission for the Protection of Private Life (Commission de la protection de la vie privée, or Commission) oversees the law and reports directly to the Parliament.[1282] The Commission investigates complaints, issues opinions and maintains the registry of personal files.[1283] In 2004, the Commission answered 678 complaints and requests for information.[1284] The number of public requests also increased from about 6,200 in 1999 to about 7,400 in 2001. As of November 2004, there are 34 permanent staff members,[1285] compared to 19 in 2001 and 28 in 2000.[1286]

The Commission has issued a number of recommendations relating to workplace privacy,[1287] video surveillance,[1288] the compatibility of the census survey (conducted every 10 years) with Belgian privacy regulations,[1289] the protection of privacy in the context of electronic commerce,[1290] the regulation of direct marketing under the data protection legal framework,[1291] the recording by banks of their customers' telephone communications,[1292] the use of electronic communications for electoral advertising purposes,[1293] the project of Royal Decree regarding the model-contract on matrimonial brokerage,[1294] etc.

Since 1998, the Commission has had to determine the legality of specific "black lists," from casinos' lists of cheaters to insurance companies' lists of bad debtors and risks. In 2002, the Commission was asked to assess whether the upload on the Internet of a "black list" of renters[1295] by the National Association of Property Owners (Syndicat National des Propriétaires) was legal. In its opinion, the data protection authority found the database illegal under the Law on Protection of Personal Data of 1992, and that it required prior legislative action to authorize it – if it were to be authorized – and determine the conditions of access.[1296] In 2005, the Commission was asked to deliver an opinion concerning the legality of "black lists" in the private sector. The Commission recommended that they be regulated by a law, especially where they are likely to violate a fundamental right or restrain access to an "essential service." In this latter case, the Commission should authorize the establishment of black lists only upon prior approval. Where the lists process sensitive data (e.g., medical data), they should be regulated by a specific law and strictly follow the provisions of the Law on Protection of Personal Data.[1297]

Alerted by a complained filed by Privacy International alleging the secret disclosure of million of records of European citizens undertaken without regard to legal process under Data Protection law, the Commission started its investigation into the SWIFT case.[1298] SWIFT is a multinational service provider in the financial sector and its headquarters are established in La Hulpe, Belgium.[1299] At the request of the US Treasury Department, SWIFT systematically transmitted information of financial transactions of millions of European bank clients. It appeared that the US Department of Treasury periodically addressed warrants to SWIFT in the US. In its opinion of September 27, 2006, the Commission expressed its astonishment about the exportation of information about Belgian citizens to the US and their revelation to the US authorities each time an individual performs an international payment transaction.[1300] The Commission stated that these practices violate basic provisions of the Belgian and European data protection legislation. This opinion was later confirmed by an opinion of the Article 29 Working Party.[1301]

In November 2006, the Commission received a letter from the Belgian Prime Minister requesting advice on a possible agreement with the US about the transfer of SWIFT data to the US Department of Treasury. In its second opinion, the Commission reminded the Belgian government of the essential principles with regard to transfers of personal data between Europe and the US and suggested a series of possible actions.[1302] In June 2007, the Council of Europe and the US reached an agreement on the transfer of personal financial information from SWIFT to the US.[1303] The agreement stipulates that the US will only obtain information for terrorism investigations; the US will periodically review the information received and delete any unnecessary information from its system; and no information will be kept by the US for longer than 5 years.[1304]

In 2005, the Commission issued an opinion about a project of bill (avant-projet de loi) regarding the Analysis of Threat.[1305] The purpose of the bill is to improve the gathering, use and analysis of information useful to assess terrorist and extremist threats likely to harm national security, Belgian assets and the safety of Belgian citizens abroad. To this end, the bill creates a new institution, the Coordination Agency for the Analysis of Threat (Organe de coordination pour l'analyse de la menace, or OCAM); its task will be to coordinate the collection of that information from various security and intelligence government agencies, and evaluate it. The privacy authority emphasizes that this new type of data collection and analysis by law enforcement is highly sensitive due to the grounds on which it is justified (likelihood and probability) and because it operates unbeknownst to the persons concerned. Although it welcomes the government's project because it provides at least a legal basis to its new processing of data, the Commission has reservations about how the project of bill complies with the provisions of the Law on Protection of Personal Data. In this regard, it recommends that the language of the bill be modified in order to specify the purposes (more than only for "threat analysis" purposes) for which personal data will be transferred between partner security and police agencies and the OCAM, and determine the criteria to be used to appreciate whether to proceed with this transfer; better implement the security safeguards surrounding the processing of data; and establish the guarantees to protect international data transfers among foreign authorities.[1306] The Commission is currently in the process of adopting guidelines to help organizations comply with their security obligations under the Law on Protection of Personal Data of 1992.[1307]

Statutory Rules Related to Privacy

In November 2000, the Belgian Parliament enacted a Computer Crime Law.[1308] The law creates four new crimes: computer forgery ("faux en informatique"), computer fraud ("fraude informatique"), hacking, and sabotage of computer data ("sabotage de données informatiques"). Recent case law tends to temper the harshness of some provisions of the new law.[1309]

In December 1999, the Commission issued an opinion on the Computer Crime Bill, in which it raised serious concerns about its potential negative impact on the protection of privacy. It recommended certain amendments to the Bill including the establishment of a "police monitoring system," which would report back to the Commission, and a three-year review provision.[1310] These suggestions were not included in the law, and the data retention provision even goes against the Commission's official opinion. However, the law provides that the Privacy Commission's opinion is mandatory before any royal decree is enacted on the issue of data retention.

After almost a year of negotiations, a national collective labor organization of employers and employees' representatives (the Conseil national du travail) eventually agreed on common rules regulating the electronic surveillance of workers' computers in the workplace. The common agreement (called convention collective de travail or CCT) entered into force on June 29, 2002 through a royal decree[1311] and applies to all employers and employees in the country. It provides for rules implementing to the specific setting of the workplace the already existing and enforceable European and Belgian general data protection regulations, by ensuring the workers of fairness, information, and compliance with the basic data processing principles of proportionality, purpose specification, and transparency.[1312] The data protection authority had released earlier an opinion[1313] on the same topic in which it refers to the general principles applicable: a general prohibition of the interception of telecommunications, proportionality and transparency, balance of the interests and limited storage of personal data. Also in the field of workplace privacy, another CCT was released in 1998 to regulate the surveillance of workers by video surveillance cameras.[1314] The Commission also issued an Opinion on the use of badges and on employee tracking by means of GPS tracking systems. The Commissioner concluded that the continual surveillance of employees is disproportionate and unnecessary, particularly the use of badges that collect both geographic identifiers and biometric identifiers.[1315]

In August 2002, a new law was enacted that better protects patients' privacy rights by giving them, e.g., the right to be clearly informed about their health state, to consent to any medical interventions, and to have access to their medical files.[1316] There are also laws relating to consumer credit,[1317] social security,[1318] electoral rolls,[1319] the national ID number,[1320] professional secrets,[1321] and employee rights.[1322]

Wiretapping and Other Government Surveillance

Surveillance of communications is regulated under a 1994 law.[1323] Prior to its enactment, there was no specific law. The law requires permission of a juge d'instruction before wiretapping can take place. Orders are limited to a period of one month. There were 114 orders issued in 1996,[1324] and, reportedly, around 1,000 in 2002.[1325] The law was amended in 1997 to remove restrictions on encryption.[1326] The Parliament also amended the law in 1998[1327] to require greater assistance from telecommunications carriers and to give the juge d'instruction and the Attorney General (Procureur du Roi) more powers. The juge d'instruction now has the authority to request the cooperation of experts or network managers to help decrypt telecommunications messages that have been intercepted. The experts, network managers, etc., cannot refuse to cooperate; criminal sanctions are possible in cases of refusal. The law also provides that telecommunications network operators and telecommunications service providers have to record and store calling data (données d'appel) and telecommunications services subscribers' identification data for future law enforcement authorities' needs during a minimum period of 12 months. The law is very vague as to the duration of data retention ("a certain time") and would not prevent an implementing decree from increasing this period for much longer. The Belgian police are officially in favor of a three-year general retention policy.[1328] In 2003, a new royal decree was enacted to implement the June 10, 1998 Law to provide more details about the practical and technical measures that telecommunications network and service providers have to comply with to cooperate with law enforcement authorities.[1329]

Almost unnoticed, a law enacted in December 2001 bans anonymity for subscribers and users of telecommunications network operators and services providers, while the application of the law is, however, subject to a proportionality requirement. A royal decree may prohibit the exploitation of telecommunications services if they render the identification of the caller impossible, or otherwise make it difficult to track, monitor, wiretap, or record communications. With this new rule, the government can now prohibit any telecommunications service that hinders the application of the wiretapping laws.[1330]

In March 2005, the Council of Ministers (Conseil des Ministres) adopted a new Pre-Project of Law (avant-projet de loi) creating a new entity, OCAM, to coordinate the evaluation of the threats of terrorism and extremism. The project of law assigns this task to the OCAM and provides it with the authority to coordinate the collection of such information from security and intelligence entities, as well as other government agencies, such as the Customs Bureau and the Ministry of Foreign Affairs, and assess and analyze it.[1331]

National ID, Travel Documents and Smart Cards

Belgium is the first country in Europe to embed a digital signature in an ID card and to massively roll out ID smart cards at a national level.[1332] The "e-ID" (which stands for "electronic ID") embeds a digital certificate that will, according to the government, allow Belgians to communicate online and conduct secure transactions with government agencies, access e-government applications, and perform e-banking, or other future private applications.[1333] Under the plan, every Belgian citizen (as young as 6 years old)[1334] gets an identification card with his or her name and other identifiers,[1335] photograph and two digital certificates. One is to be used for authentication, the other as a digital signature to sign documents such as declarations or application forms, which will have the same legal value as documents signed by hand.[1336]

The e-ID project, which was originally called "BELPIC" (or Belgian Personal Identity Card) started in July 2001, when the Council of Ministers (Conseil des ministres) approved the idea of introducing an electronic identity card for all Belgians.[1337] In February 2003, the Parliament approved the introduction of BELPIC[1338] and the new chipcards were tested in 11 municipalities (communes) until September 2003. After the government considered the test satisfactory, it decided to roll out the cards to the rest of the Belgian population[1339] – about nine million individuals – on a schedule that would end in late 2009.[1340] By Royal Decree, the government began issuing Kids-ID for Belgian children between the ages of 6 and 12.[1341] The Kids-ID card replaces paper identity certificates and shows the child’s name and an emergency contact number. All other information, such as home address, is contained on the chip. Six pilot projects are currently being conducted.[1342]

The Commission and civil liberties organizations criticized the new ID card as presenting a serious threat to individuals' privacy. The data protection authority noted that it was still unclear how the government answers several important privacy concerns due to the uncertainty of many aspects of the project, and the information that the Commission has so far been provided with from the government.[1343] Other critics say that the e-commerce identity of Internet users should not be linked to day-to-day authentication, that integration of data damages the integrity and rights of users, and that the fact that the Belgian government handed the project to a private company (security firm Ubizen) jeopardizes citizens' privacy rights.[1344] While it does not appear such concerns have been thus far addressed, both the public and private sectors have already developed several new applications and services compatible with e-ID, including online tax returns, certified e-mail, online request of official documents, Internet banking services and electronic library services.[1345] The Commissioner expressed serious reservations regarding the inclusion on the e-card of such information as organ donation choices, or medical files. The Commissioner states that the inclusion of information extraneous to identification and authentication sets a dangerous precedent.[1346]

Belgium began a test program in May 2004 that made it the second country in the world (after Malaysia) to issue passports with an imbedded computer chip for personal information.[1347] The government began producing the RFID[1348] passports in November 2004, and issuing them to the public on January 30, 2005, in full compliance with the current European, US and ICAO[1349] standards and deadlines for biometric based e-passports.[1350] Initially, the chip will be used only for basic information, such as name, date and place of birth, passport number, issuing date and place, digital photo and signature. However, it has the ability to store fingerprints, an iris scan and other biometrics.[1351] Although the Belgian passport received "the world's most secure passport" award from Interpol in 2003,[1352] now that it is equipped with a RFID chip, it may present new privacy and security risks, including the unauthorized reading of its data.[1353]

Miscellaneous Developments

Since 2003, the use of e-mails for marketing purposes is prohibited without the prior, free, specific and informed consent of the recipients, in compliance with the EU Directive on Electronic Commerce,[1354] transposed by the Law of March 11, 2003,[1355] and with the EU Electronic Communications and Privacy Directive.[1356] Further spam provisions were implemented by the Royal Decree of April 4, 2003.[1357] The deadline for the implementation of the Directive expired on October 31, 2003 and infringement proceedings had been launched against Belgium by the European Commission for failure to transpose the remaining provisions into national law. In April 2005, Belgium’s failure to transpose the Directive was confirmed in a judgment of the European Court of Justice. In June 2005, Belgium finally adopted its Law on Electronic Communications.[1358] Belgium has now fully implemented the EU Directive on Privacy & Electronic Communications of 2002.[1359]

The Law on Electronic Communications adds two exceptions to the prohibition on electronic eavesdropping guaranteed in the Penal Code. The recording of electronic communications and their traffic data is lawful as proof of a commercial transaction, or for the purpose of service quality control. Retention, however, cannot exceed one month.[1360]

From the end of 2000, IFPI Belgium, the recording industry trade association, started tracking people downloading and uploading music files from MP3 audio file-sharing web sites such as Napster, Gnutella or KaZaa. In a move that left many Belgian music fans outraged, IFPI collaborated by simple "gentlemen's agreements,"[1361] outside any legal framework, with Internet service providers (ISPs) to get the names and addresses of high-speed Internet connection subscribers in order to send them personalized letters threatening them with legal action if they did not stop their file-sharing practices. In November 2001, the Privacy Commission released an initiative opinion[1362] severely condemning the way IFPI had behaved with respect to the protection of people's privacy and stating that IFPI had violated several Belgian and European telecommunications privacy and data protection laws.[1363] In June 2007, the Belgian Society of Authors, Composers, and Publishers (SABAM) won a case against ISP Scarlet Extended SA in which the court ruled that Scarlet would be required to use Audible Magic filtering technology to stop the spread of music on P2P networks. Scarlet was given six months to comply with the order. Scarlet is appealing the decision. SABAM is currently trying to use the ruling to convince other ISPs to follow suit.[1364] While the Brussels Court ruled that such filtering would not violate user privacy nor create a general expectation of network surveillance, it is not unreasonable to ISPs being required to do the same for movies or other infringing media or activities.[1365]

Voting Privacy

Voting is mandatory for those 18 years and older.[1366] The laws regarding voting, enacted in 1919 and amended to include women in 1949, are strictly enforced.[1367] Non-voting requires an acceptable explanation and may result in a fine, imprisonment, infringement of civil rights, disenfranchisement, or prevent employment in the public sector.[1368] Voter registration lists are publicly posted in polling locations on Election Day and may also be obtained for political campaign purposes.[1369] Election administrators take an oath to maintain the secrecy of votes cast. Voters are guaranteed the right of secrecy of their vote.[1370] In 1989, Belgium became one of the first countries to use electronic means of casting ballots in public elections.[1371] In 1991, experiments began with the use of electronic voting machines at polling locations.[1372] The Election Law was amended by the Act of April 11, 1994 to allow a "system of electronic voters" and was amended again on December 18, 1998 to allow "automated" voting.[1373] The Federal Council of Ministers Rulings of June 20 and July 18, 1997 formally endorsed the adoption of electronic voting. By 1999, 40 percent of voters participating in Belgium's public elections used electronic voting machines.[1374] The direct recording electronic (DRE) system identified was used by 44 percent of voters in 2000. By 2003, an estimated three million votes were cast using electronic voting technology.[1375]

Open Government

The Constitution recognizes that "everyone has the right to consult any administrative document and to have a copy made, except in the cases and conditions stipulated by the laws, decrees, or regional council decrees (i.e., the "rulings referred to in Article 134").[1376] There are freedom of information laws, implementing this constitutional right, on the right of access to administrative documents on the federal,[1377] regional,[1378] community,[1379] provincial and municipal levels.[1380] The basic exemptions to the general rule of access are public security, the protection of fundamental rights, international interests, public order, security or defense, confidentiality, and privacy. Each jurisdiction has a Commission of Access to Administrative Documents (Commission d'Accès aux Documents Administratifs, or CADA) that oversees the act. Citizens can appeal denials of information requests to the administrative agency, which in turn asks for advice from the CADA. The CADA issues advisory opinions both on request and on its own initiative. Requestors can then pursue a limited judicial appeal to the Counsel of State (Conseil d'Etat).[1381] At the federal level, each federal public authority is required to provide a description of their functions and organization, and must have an information officer.[1382] The Law on Protection of Personal Data gives individuals the right to access and correct files about themselves that public and private entities hold, and is enforced by the Commission for the Protection of Private Life. As to the administrative documents that contain personal information, access is regulated by the Law of April 11, 1994.

International Obligations

Belgium is a member of the Council of Europe (CoE) and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (Convention No. 108).[1383] It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms.[1384] It is a member of the Organization for Economic Cooperation and Development (OECD) and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. The government signed, but has not ratified, the CoE Convention on Cybercrime.[1385]

[1273] Constitution of Belgium, available at <http://www.fed-parl.be/constitution_uk.html>.
[1274] Cour de cassation, September 26,1978.

[1275] Act concerning the Protection of Privacy with regard to the Treatment of Personal Data Files, December 8, 1992 (Loi relative à la protection des données à caractère personnel du 8 décembre 1992) as amended by the Act of December 11, 1998 transposing EU Directive 95/46/EC of October 24, 1995, available at <http://www.law.kuleuven.ac.be/icri/itl/12privacylaw.php>.

[1276] <http://www.internet-observatory.be/>.
[1277] Alain Jennotte, "Un Observatoire au chevet du Net," Le Soir, December 1, 2001, available at <http://www.lesoir.be>.
[1278] Observatoire des Droits de l'Internet, The Protection of Minors on the Internet, Opinion No. 1, February 2003, available at <http://www.internet-observatory.be/internet_observatory/pdf/advices/advice_en_001.pdf>.
[1279] Observatoire des Droits de l'Internet, Pistes pour renforcer la confiance dans le commerce électronique, Opinion No. 3 submitted to the Federal Minister of Economy, June 1, 2004, available at <http://www.droit-technologie.org/redirect.asp?type=legislation&legis_id=185&url=legislations/Observatoire_2_avis__01062004.pdf>, <http://www.internet-observatory.be/internet_observatory/pdf/advices/advice_en_003.pdf>.
[1280] Observatoire des Droits de l'Internet, Facteurs de succès de l'e-gouvernement, Opinion No. 2, December 2003, available at <http://www.droit-technologie.org/redirect.asp?type=legislation&legis_id=173&url=legislations/avis_observ_egov.pdf>, <http://www.internet-observatory.be/internet_observatory/pdf/advices/advice_en_002.pdf>.
[1281] In its opinion, the Observatory examines the opportunities and challenges related to the development of VoIP services. It concludes that it is important right now to make clear choices about VoIP services and determine the applicable legislation, while avoiding the creation of too many regulatory obstacles to their development, in order to protect consumers and provide legal security. Observatoire des Droits de l'Internet, Opportunités et défis liés au développement des services Voice over IP, Opinion No. 4, May 2005, available at <http://www.internet-observatory.be/internet_observatory/pdf/advices/advice_fr_004.pdf>.

[1282] Commission de la protection de la vie privée homepage <http://www.privacy.fgov.be/>.
[1283] As of June 30, 2004, there were 23,883 records in the Commission's registry. E-mail from An Machtens, Conseiller POMIS, Commission de la protection de la vie privée, to Cédric Laurant, Policy Counsel, Electronic Privacy Information Center (EPIC), July 12, 2004 (on file with EPIC).
[1284] E-mail from Anne-Christine Lacoste, Conseiller, Commission de la protection de la vie privée, to María Verónica Pérez Asinari, researcher at the Centre de Recherches Informatique et Droit (CRID), February 1, 2004 (on file with EPIC).
[1285] E-mail from An Machtens, supra.
[1286] E-mail from Anne-Christine Lacoste, supra.

[1287] Avis d'initiative n° 10/2000 du 3 avril 2000 relatif à la surveillance par l'employeur de l'utilisation du système informatique sur le lieu de travail, available at <http://www.privacy.fgov.be>.
[1288] Avis d'initiative n° 34/99 relatif aux traitements d'images effectués en particulier par le biais de systèmes de vidéo-surveillance, December 13, 1999, available at <http://193.191.208.6/juris/jurfv.htm>; avis d'initiative n° 3/2000 relatif à l'utilisation de systèmes de vidéo-surveillance dans les halls d'immeubles à appartements, January 10, 2000, available at <http://193.191.208.6/juris/jurfv.htm>; avis n° 10/2005 sur le projet d'arrêté royal relatif à l'installation et au fonctionnement de caméras de surveillance dans les stades de football, June 15, 2005, available at <http://193.191.208.6/juris/jurfv.htm>.
[1289] Avis d'initiative n° 37/2001 of October 8, 2001 concernant l'enquête socio-économique 2001, available at <http://www.privacy.fgov.be>.
[1290] Avis d'initiative n° 34/2000 of November 22, 2000 relatif à la protection de la vie privèe dans le cadre du commerce électronique, available at <http://www.privacy.fgov.be>.

[1291] Commission de la protection de la vie privée, "Marketing direct et protection des données personnelles," March 24, 2003, available at <http://www.privacy.fgov.be/publications/note_marketing.pdf>; see also Commission de la protection de la vie privée, Les droits des utilisateurs face aux courriers électroniques non-sollicités,

<http://www.privacy.fgov.be/publications/note_spam.htm>.
[1292] Recommandation n° 01/2002 du 22 août 2002 sur l'enregistrement des télécommunications effectuées dans le cadre des services bancaires, available at <http://www.privacy.fgov.be>.
[1293] Avis n° 07/2003 du 27 février 2003 sur l'utilisation des moyens de communications électroniques à des fins de propagande électorale, available at <http://www.privacy.fgov.be>.
[1294] Avis n° 06/2005 concernant le projet d'arrêté royal relatif au contrat-type de courtage matrimonial, May 4, 2005, available at <http://193.191.208.6/juris/jurfv.htm>.

[1295] The list was available at <http://www.check4rent.com>.
[1296] Avis n° 52/2002 du 19 décembre 2002 relatif à la constitution d'un fichier externe des locataires défaillants, available at <http://193.191.208.6/juris/jurfv.htm>. See also Actualité en détail - « Liste noire » des locataires et avis de la Commission pour la protection de la vie privée, DroitBelge.Net, January 16, 2003 <http://www.droitbelge.be/actualites.asp?display=detail&id=86>.
[1297] Avis n° 09/2005 concernant la demande d'avis sur un encadrement des listes noires, June 15, 2005, available at <http://193.191.208.6/juris/jurfv.htm>.

[1298] Privacy International, “PI launches campaign to suspend unlawful activities of finance giant,” <http://www.privacyinternational.org/article.shtml?cmd[347]=x-347-538985>.
[1299] <www.swift.com>.
[1300] Decision Nr. 37/2006, available at <www.privacycommission.be> (in French and Dutch). See also Privacy International, “Belgian Prime Minister condemns SWIFT data transfers to U.S. as 'illegal',” <http://www.privacyinternational.org/article.shtml?cmd%5B347%5D=x-347-543789>.
[1301] Opinion of November 22, 2006, available at <http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2006/wp128_en.pdf>.

[1302] Opinion nr. 47/2006 of December 20, 2006, available at <www.privacycommission.be> (in French and Dutch).
[1303] Processing and protection of personal data subpoenaed by the Treasury Department from the US based operation centre of the Society for Worldwide Interbank Financial Telecommunication (SWIFT) June 28, 2007, available at <http://www.epic.org/privacy/pdf/swift-agmt-2007.pdf>.
[1304] Id.

[1305] Avis n° 08/2005 concernant l'avant-projet de loi relatif à l'analyse de la menace, May 25, 2005, available at <http://193.191.208.6/juris/jurfv.htm>. See also Conseil des Ministres, "Organe de coordination pour l'analyse de la menace," press release, March 25, 2005 <http://www.belgium.be/eportal/application?languageParameter=fr&pageid=contentPage&docId=38242>.
[1306] Id.
[1307] Peter Van de Velde, “General security obligation imposed by the Data Protection Act,” Bird & Bird LLP, October 10, 2006, available at <http://www.twobirds.com/english/publications/articles/Belgian_Privacy_Commission.cfm>.

[1308] Loi du 28 novembre 2000 relative à la criminalité informatique, Moniteur belge, February 3, 2001, available at <http://www.cass.be/cgi_loi/legislation.pl>.
[1309] See Jeoffrey Vigneron, Pour la première fois, un juge belge applique la "nouvelle" loi sur la cybercriminalité, January 26, 2004 <http://www.droit-technologie.org/1_2.asp?actu_id=881>.

[1310] Opinion n° 33/99 de la Commission de la protection de la vie privée, available at <http://www.privacy.fgov.be/>.

[1311] Arrêté royal rendant obligatoire la Convention Collective de Travail No. 81 du 26 avril 2002, conclue au sein du Conseil National du travail, relative à la protection de la vie privée des travailleurs à l'égard du contrôle des données de communication électroniques en réseau, Moniteur belge, 29489-29501, available at <http://www.droit-technologie.org/redirect.asp?type=legislation&legis_id=120&url=legislations/AR_120602_rendant_obligatoire_CCT_81_cybersurveillance_travailleurs.pdf>.
[1312] See Bertrand Géradin, La convention collective de travail relative à la protection de la vie privée des travailleurs à l'égard du contrôle des données des communications électroniques en réseau du 26 avril 2002, June 14, 2002 <http://www.droit-technologie.org/redirect.asp?type=dossier&dossier_id=77&url=dossiers/analyse_CCT81_260402.pdf>.
[1313] Commission de la protection de la vie privée, Avis d'initiative relatif à la surveillance par l'employeur de l'utilisation du système informatique sur le lieu de travail, opinion No. 10, April 3, 2000, available at <http://www.privacy.fgov.be>.
[1314] Convention Collective de Travail n° 68 relative à la protection de la vie privée des travailleurs à l'égard de la surveillance par cameras sur le lieu de travail, June 16, 1998, available at <http://www.privacy.fgov.be/textes_normatifs/cct-68_FR.pdf>. See generally on recent developments in workplace privacy, Olivier Rijckaert, Surveillance des travailleurs: nouveaux procédés, multiples contraintes, in Orientations, "L’employeur et la vie privée du travailleur," n° spécial 35 ans, 41 et seq. (2005), available at <http://www.droit-technologie.org/redirect.asp?type=dossier&dossier_id=144&url=dossiers/Surveillance_Travailleurs_nouvelles_contraintes.pdf>.
[1315] Ninth Annual Report of the Article 29 Working Party on Data Protection, June 2006, available at <http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2006/9th_annual_report_en.pdf>.

[1316] See Loi du 22 août 2002 relative aux droits du patient (Law on Patient's Rights of August 22, 2002), available at <http://www.cass.be/cgi_loi/legislation.pl>; see also Dominique Mayerus & Pascal Staquet, Actualité en détail: La loi du 22 août 2002 relative aux droits du patient, DroitBelge.Net, October 8, 2002 <http://www.droitbelge.be/actualites.asp?display=detail&id=81>.
[1317] Loi du 12 juin 1991 relative au crédit à la consommation, available at <http://www.privacy.fgov.be/textes_normatifs/loicrdit.PDF>; l'arrêté royal du 11 janvier 1993 modifiant l'arrêté royal du 20 novembre 1992 relatif à l'enregistrement par la Banque Nationale de Belgique des défauts de paiement en matière de crédit à la consommation, available at <http://www.cass.be/cgi_loi/legislation.pl>.
[1318] Loi du 15 janvier 1990 relative à l'institution et à l'organisation d'une banque-carrefour de la sécurité sociale. Modified by the loi du 29 avril 1996, available at <http://www.privacy.fgov.be/textes_normatifs/loicarrefour.PDF>.
[1319] Loi du 30 juillet 1991, available at <http://www.users.skynet.be/psetranger/moniteur.htm>.
[1320] Loi du 8 août 1993: le registre national, available at <http://www.privacy.fgov.be/textes_normatifs/loiregistre.PDF>.
[1321] Article 458 of the Penal Code.
[1322] See Roger Blanpain, Employee Privacy Issues: Belgian Report, 17 Comp. Lab. L. 38, Fall 1995. The employer generally has no right to obtain medical information from his employee, unless the information is absolutely necessary for the appropriate fulfillment of the employee's obligations under the employment contract.

[1323] Loi du 30 juin 1994 relative à la protection de la vie privée contre les écoutes, la prise de connaissance et l'enregistrement de communications et de télécommunications privées, available at <http://www.cass.be/cgi_loi/legislation.pl>.
[1324] "Ecoutes: une pratique décevante et flamande ! Le résultat judiciaire des écoutes téléphoniques est médiocre. La Chambre va modifier la donne," Le Soir, December 12, 1997, available at <http://www.lesoir.be>.
[1325] The increase in wiretaps is partly due to the higher number of types of communications that the police is now able to intercept, from regular landline telephones, to mobile phones, SMS messages, facsimiles, satellite communications, e-mails, chat sessions, etc. Filip Verhoest, "'Meest geavanceerde' telefoontapkamer van Europa in gebruik genomen. Boeven afluisteren in stereo," May 13, 2003, De Standaard; see also Ricardo Gutiérrez, "La Belgique se dote de grandes oreilles," Le Soir, May 12, 2003, available at <http://www.lesoir.be/articles/a_03E4C3.asp>.
[1326] Chapitre 17, Loi modifiant la loi du 21 mars 1991 portant réforme de certaines entreprises publiques économiques afin d'adapter le cadre réglementaire aux obligations en matière de libre concurrence et d'harmonisation sur le marché des télécommunications découlant des décisions de l'Union européenne, December 19, 1997, available at <http://www.cass.be/cgi_loi/legislation.pl>.
[1327] Loi du 10 juin 1998 (adding Art. 88bis, 90ter et seq. to the Code of Criminal Procedure (Code d'instruction criminelle)), modifiant la loi du 30 juin 1994 relative à la protection de la vie privée contre les écoutes, la prise de connaissance et l'enregistrement de communications et de télécommunications privées, June 10, 1998, available at <http://www.cass.be/cgi_loi/legislation.pl>; see "Le GSM en toute sécurité ? Pas sûr," Le Soir, February 20, 1998, available at <http://www.lesoir.be>.
[1328] The European Commission made strong critiques of the law before its enactment. However, most of its critiques were not addressed, and most of them rejected without adequate motivation. Some of the European Commission's critiques mentioned that the law was too vague and could not be considered a "law" pursuant to current case law of the European Court of Human Rights (ECtHR). The European institution also specified that the law, by not restricting the strictures within which the government has to implement data retention measures, is too vague and gives the government carte blanche to act in a discretionary fashion. According to the European Commission, the data retention provision of the Belgian law is also disproportionate with respect to the Court of Justice of the European Community's case law. One has to note that, even though the new EU Directive on Privacy and Electronic Communications allows EU Member States to allow data retention for a reasonable period, the Belgian law, as it is now written, could be considered in violation of current ECtHR's case law. For more information, see European Commission, Opinion regarding Belgian bill on computer crime ("Notification 2000/151/B – Projet de loi relatif à la criminalité informatique – Emission d'un avis circonstancié au sens de l'article 9, paragraphe 2 de la Directive 98/34/CE du 22 juin 1998 – Emission d'observations au sens de l'article 8, paragraphe 2 de la directive 98/34/CE"), June 2000, appended to the Parliamentary report of the Justice Commission, Chamber of Representatives of the Belgian Parliament, October 19, 2000, DOC 50 0213/011.
[1329] Arrêté royal du 9 janvier 2003 portant exécution des articles 46bis, § 2, alinéa 1er, 88bis, § 2, alinéas 1er et 3, et 90quater, § 2, alinéa 3, du Code d'instruction criminelle ainsi que de l'article 109ter, E, § 2, de la loi du 21 mars 1991 portant réforme de certaines entreprises publiques économiques, available at <http://www.just.fgov.be/cgi/article_body.pl?language=fr&caller=summary&pub_date=2003-02-10&numac=2003009111>. For more information, see generally P. Van Eecke & J. Dumortier, Elektronische Handel (Die Keure, Brugge 2003).

[1330] The wording of the law is so vague that a decree might prohibit any kind of anonymization software, the use of proxies by ISPs, since they all make the identification or tracking of communications "difficult," Etienne Wéry, "Surfer anonymement devient illégal en Belgique," March 18, 2002 <www.droit-technologie.org/fr/1_2.asp?actu_id=553>.

[1331] Question from Mr. Tony Van Parys to the vice-Prime Minister and Minister of Justice about the "fight against terrorism following the terror attacks in London," July 12, 2005, at 6-8 (Question de M. Tony Van Parys à la vice-première et ministre de la Justice sur "la lutte contre le terrorisme à la suite des actes de terreur commis à Londres" (n° 7871), C.R.I., Ch. Repr., Comm. Justice, sess. ord. 2004-2005, séance du 12 juillet 2005, pp. 6-8), available at <http://www.dekamer.be/doc/CCRI/pdf/51/ic683.pdf>. See also Permanent Committee for the Control of Intelligence Services, Report of Activities 2004 (Comité permanent de contrôle des services de renseignements, Rapport d'activités 2004), available at <http://www.comiteri.be/rapports/rapport2004_fr.pdf>.

[1332] "Belgium Plans Digital ID Cards," "Belgium Plans Digital ID Cards," BBC News Online, October 4, 2003 <http://news.bbc.co.uk/hi/technology/2295433.stm> and TB6/SINCE Interoperability Group, Open Smart Cards Infrastructure for Europe, eESC Common Specifications v2; Volume - Part 3, February 18, 2004 <http://www.eurosmart.com/Update/Download/February04/SINCE_survey.pdf>.
[1333] TB6/SINCE Interoperability Group, supra.
[1334] Including every foreigner holding an identity card.
[1335] Including the sex, nationality, date of birth, address, card number, identification number in the National Registry and signature.
[1336] The signature file on the card would ostensibly be required when conducting transactions with the government, banks, and other public or private entities, including the payment of taxes and electronic voting. BELPIC contains several digital keys to enable remote identification via the Internet, and personal data on the chip are secured via a public key infrastructure (PKI). Children would also receive their own cards although without the signature feature. See "Belgium Plans Digital ID Cards," supra; EDRI-gram, No. 3, February 26, 2003. See also TB6/SINCE Interoperability Group, supra.

[1337] Région wallonne, Le projet BELPIC, July 20, 2004 <http://egov.wallonie.be/pa030401.htm>. See also Hervé Feuillien, E-Government en Région de Bruxelles-Capitale, December 4-5, 2003 <http://www.cities-lyon.org/fr/articles/227>.
[1338] See Arrêté royal portant des mesures transitoires relatives à la carte d’identité électronique, 25 mars 2003, M.B., 28 mars 2003, p. 15.942, available at <http://www.droit-technologie.org/redirect.asp?type=legislation&legis_id=201&url=legislations/AR_mesures_transitoires_CI_electronique_250303.pdf>. See also Arrêté ministériel déterminant le modèle du document de base en vue de la réalisation de la carte d’identité électronique, 26 mars 2003, M.B., 28 mars 2003, p. 15.946, available at <http://www.droit-technologie.org/redirect.asp?type=legislation&legis_id=202&url=legislations/AM_modele_CI_electronique_260303.pdf>.
[1339] Arrêté royal du 1er septembre 2004 portant la décision de procéder à l’introduction généralisée de la carte d’identité électronique, M.B., 15 septembre 2004, p. 67.527, available at <http://www.droit-technologie.org/redirect.asp?type=legislation&legis_id=199&url=legislations/AR_usage_generalise_CI_electronique_010904.pdf>. See also "La Belgique adopte la carte d'identité électronique," NetEconomie.com, September 7, 2004 <http://www.neteconomie.com/perl/navig.pl/neteconomie/infos/article/20040907185201>; Etienne Wéry & Sébastien Mélardy, "La Belgique généralise la carte d'identité pour l'ensemble de la population," September 21, 2004 <http://www.droit-technologie.org/1_2.asp?actu_id= 988, 21 Septembre 2004>.
[1340] Corinne De Permentier, Rapport d'évaluation de l'introduction de la carte d'identité électronique fait au nom de la Commission de l'Intérieur, des Affaires Générales et de la Fonction Publique, Chambre des Représentants de Belgique, No. 51K1094, May 5, 2004, available at <http://www.lachambre.be/FLWB/pdf/51/1094/51K1094001.pdf>. See also "Belgium Extends e-ID Applications," eGovernment News, February 7, 2005 <http://europa.eu.int/idabc/en/document/3854/332>.
[1341] L’arrêté royal du 18 octobre 2006 (M.B. du 31 octobre 2006) relatif au document d’identité électronique pour les enfants belges de moins de douze ans.
[1342] “Le document d’identité électronique pour les enfants belges de moins de douze ans (Kids-ID) : sécurisation accrue du document et protection renforcée de l’enfant,” News eid, July 2007, available at <http://www.ibz.rrn.fgov.be/index.php?id=564&L=0>.

[1343] Avis n° 08/2003 du 27 février 2003 sur deux projets d'arrêté royal en exécution de la loi du ... modifiant la loi du 8 août 1983 organisant un Registre National des personnes physiques et la loi du 19 juillet 1991 relative aux registres de population et aux cartes d'identité, available at <http://193.191.208.6/juris/jurfv.htm>; see also avis n° 19/2002 du 10 juin 2002 sur le projet de loi modifiant la loi du 8 août 1983 organisant un Registre national des personnes physiques et la loi du 19 juillet 1991 relative aux registres de la population et modifiant la loi du 8 août 1983 organisant un Registre national des personnes physiques, le projet d'arrêté royal relatif aux cartes d'identité et le projet d'arrêté royal portant mesures transitoires en ce qui concerne la carte d'identité électronique en Belgique, available at <http://193.191.208.6/juris/jurfv.htm>.
[1344] "Belgium Plans Digital ID Cards," supra.
[1345] "Belgium Extends e-ID Applications," supra. There is also a plan to use BELPIC for online identification in conjunction with the Microsoft Corp.'s MSN Messenger service. Proponents of the plan point to the security benefits that an online age verification system would have for individuals who want to log on to children-only chat rooms. Id. See also "MSN Belgium to Use eID Cards for Online Checking," February 1, 2005, The Register <http://www.theregister.co.uk/2005/02/01/msn_belgium_id_cards/> and "Belgian Government Presents e-ID Toolkits for Citizens and Developers," eGovernment News, May 19, 2004 <http://europa.eu.int/idabc/en/document/2557/332>.
[1346] Ninth Annual Report of the Article 29 Working Party, June 2006, supra.

[1347] BBC Worldwide Monitoring, "Passport Acquires Chip," May 19, 2004.
[1348] Radio frequency identification passports. See Section on "RFID" in the "Threats to Privacy" Chapter.
[1349] International Civil Association Organization. See, for more details about biometric passports, the Sections on "Identity Systems" and "Travel Privacy" in the "Threats to Privacy" Chapter.
[1350] Rudi Veestraeten, Oversight Hearing on "October 2005 Statutory Deadline for Visa Waiver Program Countries to Produce Security Passports: Why It Matters to Homeland Security," Committee on the Judiciary, US House of Representatives, April 20, 2005, available at <http://judiciary.house.gov/OversightTestimony.aspx?ID=352>.
[1351] Id.
[1352] Id.
[1353] As of April 30, 2005, no reliable public information was available about the.security features (encryption and measures against clandestine scanning and tracking, skimming and eavesdropping) used in the Belgian e-passport. See "Ari Juels, David Molnar and David Wagner, "Security and Privacy Issues in E-Passports," to appear, IEEE SecureComm 2005, available at <http://www.cs.berkeley.edu/~dmolnar/papers/RFID-passports.pdf>.

[1354] Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on Certain Legal Aspects of Information Society Services, in particular Electronic Commerce, in the Internal Market, available at <http://europa.eu.int/cgi-bin/eur-lex/udl.pl?REQUEST=Seek-Deliver&COLLECTION=oj&SERVICE=eurlex&LANGUAGE=en&DOCID=2000l178p0001>.

[1355] Loi du 11 mars 2003 sur certains aspects juridiques des services de la société de l'information, Moniteur belge, March 17, 2003, at 12960-12970, available at <http://www.droit-technologie.org/3_1.asp?legislation_id=142>.
[1356] For more information, see generally Thibault Verbiest, "La loi belge enfin adoptée !," Droit et Nouvelles Technologies, April 22, 2003 <http://www.droit-technologie.org/1_2.asp?actu_id=747>; and Jos Dumortier & Mieke Loncke, Ongevraagde reclame langs elektronische post, 21 Mediarecht, Telecommunicatie en telematica 43-74 (Mechelen 2003)
[1357] Royal Decree of April 4, 2003 regulating advertising by electronic mail, Belgian State Gazette, May 28, 2003.
[1358] Law of June 13, 2005 on electronic communications, Belgian State Gazette, June 20, 2005.
[1359] Directive 2002/58/EC of the European Parliament and of the Council of July 12, 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), OJ L 201 of July 31, 2002.

[1360] Ninth Annual Report of the Article 29 Working Party on Data Protection, June 2006, supra.

[1361] Olivier Van Vaerenbergh, "L'IFPI poursuit, mais la justice renâcle – Napster: plaintes en Belgique," Le Soir, February 16, 2000, available at <http://www.lesoir.be>.
[1362] Avis No. 44/2001 of November 12, 2001, Avis d'initiative concernant la compatibilité de la recherché d'infractions au droit d'auteur commises sur Internet avec les dispositions juridiques protégeant les données à caractère personnel et les télécommunications, available at <http://www.privacy.fgov.be>. For comments: Etienne Wéry, "La Commision vie privée n'aime pas les manières de l'IFPI de traquer les pirates sur l'internet" (December 17, 2001) <http://www.droit-technologie.org/1_2_1.asp?actu_id=497>.
[1363] The Commission de protection de la vie privée found that IFPI had violated Belgian data protection law of December 8, 1992, Belgian telecommunications privacy laws, and EU Directive 2000/31/EC on electronic commerce. See Avis No. 44/2001, supra.
[1364] Nate Anderson, “Belgian ISP must filter P2P music; files appeal,” July 23, 2007 <http://arstechnica.com/news.ars/post/20070723-belgian-isp-must-filter-p2p-music-files-appeal.html>.
[1365] Id.

[1366] CIA Country Fact Book Online, available at <http://www.cia.gov/cia/publications/factbook/geos/af.html#Govt>.
[1367] International Institute for Democracy and Electoral Assistance, Report: Compulsory Voting, Feburary 11, 2005, available at <http://www.idea.int/vt/compulsory_voting.cfm>.
[1368] Id.
[1369] European Commission, CyberVote Report, Contract number IST-1999-20338, Project: Cybervote, June 1, 2001 available at <http://www.eucybervote.org/MSI-WP6-D21-v1.0.pdf>.
[1370] Belgian Constitution, Article 55, available at <http://www.oefre.unibe.ch/law/icl/be00000_.html>.
[1371] Basque Government, Home Office Department, Management of Electoral Processes and Documentation, Voto Electrónico, April 5, 2004, available at <http://www.euskadi.net/botoelek/otros_paises/sim0_i.htm>.
[1372] Strengthening Regional and Local Democracy in the European Union, Volume I, Belgium, at 148, available at <http://www.cor.eu.int/document/documents/cdr171_2004_vol1_etu_en.pdf>, February 2004.
[1373] Id.
[1374] Id.
[1375] "Belgian National Elections on May 18, 2003 - Over 3.2 Million Belgians Voted Electronically," M2 Presswire, May 23, 2003.

[1376] Article 32, Constitution of Belgium, 1994 <http://www.fed-parl.be/constitution_uk.html>.
[1377] Loi du 11 avril 1994 relative à la publicité de l'administration des actes des autorités administratives fédérales, Moniteur Belge, 30 juin 1994, modifiée par la loi du 25 juin 1998 et la loi du 26 juin 2000. The Law allows individuals to request in writing for access to any document government authorities hold, including documents in judicial files. The Law also includes a right to have the document explained. Government agencies must respond immediately, or within 30 days if the request is delayed or rejected.

[1378] Région flamande (Flemish Region), Décret relatif à la publicité de l'administration, May 18, 1999), Moniteur belge, June 15, 1999; Région wallonne (Walloon Region), Décret relatif à la publicité de l'administration dans les intercommunales wallonne, March 7, 2001, Moniteur belge, March 20, 2001; Région wallonne (Walloon Region), Décret relatif à la publicité de l'Administration, March 30, 1995, Moniteur belge, June 28, 1995; available at <http://www.cass.be/cgi_loi/legislation.pl>.

[1379] Commission Communautaire Commune de Bruxelles-Capitale, Ordonnance relative à la publicité de l'administration, June 26, 1997; Commission communautaire française, Décret relatif à la publicité de l'administration, July 11, 1996, Moniteur belge, August 27, 1996.
[1380] Loi du 12 novembre 1997 relative à la publicité de l'administration dans les provinces et les communes, available at <http://www.cass.be/cgi_loi/legislation.pl>.
[1381] David Banisar, The Freedominfo.org Global Survey: Freedom of Information and Access to Government Records around the World, May 2004, at 14, available at <http://www.freedominfo.org/survey/global_survey2004.pdf>.
[1382] Id.

[1383] Signed May 7, 1982; ratified May 28, 1993; entered into force September 1, 1993, available at <http://conventions.coe.int/>.
[1384] <http://conventions.coe.int/>.
[1385] Signed November 23, 2001, available at <http://conventions.coe.int/Treaty/Commun/ChercheSig.asp?NT=185&CM=8&DF=8/6/2007&CL=ENG>.