BELGIUM Law and Practice Contributed by: Benjamin Docquir and Margo Cornette, Osborne Clarke
gium. Obviously, cybersecurity and cyber-resil - ience requirements may apply under applicable legislation but this is beyond the scope of the present chapter. 3.4 Regulators and Enforcement Member states are required to designate at least one competent authority to deal with the enforcement of the Data Act. It is not known whether Belgium will designate the DPA as the competent authority. In any event, the DPA will remain responsible for monitoring the applica - tion of the Data Act insofar as the protection of personal data is concerned. Belgian legislation implementing the E-Privacy Directive regulates both cookies and any other type of online tracking technology. It imposes (i) transparency requirements (such as posting a cookie notice online) and (ii) an opt-in consent requirement for all non-essential cookies (ie, all cookies that are not strictly necessary to trans - mit a communication over an electronic commu - nications network or to provide an information society service requested by the user). 4. Sectoral Issues 4.1 Use of Cookies The DPA has published guidelines, a non- exhaustive checklist and extensive case law on the use of cookies and the applicable transpar - ency and consent requirements – eg, in relation to the Transparency and Consent Framework of Interactive Advertising Bureau Europe (IAB Europe). To summarise, the DPA states that: • only strictly necessary cookies are exempt from consent requirements (ie, essential tech -
nical cookies such as cookies for load bal - ancing and strictly necessary functional cook - ies such as cookies for temporary storage of language choice, cookie preferences or shop - ping basket content) – all other categories of cookies may only be placed and read if users have given their prior, free, specific, informed, unambiguous and active consent; • cookie walls are not allowed; • designs that give more prominence to the “accept” option are prohibited – eg, using a particular colour that may influence the user’s choice; • the use of cookies for the controller’s adver - tising/profiling purposes, and for third-party advertising/profiling, must be considered as separate purposes, meaning that separate consent must be obtained; • the user must be given the option, if neces - sary in a second layer of the cookie banner, to accept (or not) the use of cookies by a “partner” (joint controller); • a single cookie should not be used to serve different purposes; • consent should be clear and explicit – con - sent may not be inferred from continued browsing, the browser settings of a visitor or the closing of a banner, pre-ticked boxes may not be used and consent may not be linked to the acceptance of the terms and conditions or privacy policy; • the controller should offer an easy way to withdraw consent in one click (eg, via a link or a button) – according to the DPA, however, such withdrawal should go beyond not plac - ing the cookie in the future, and the controller should also ensure “the intended effect” of the withdrawal of consent; • cookie consent needs to be “refreshed” every six months – ie, controllers need to present the cookie banner again to the user within six
22
CHAMBERS.COM
Powered by FlippingBook