Definitive global law guides offering comparative analysis from top-ranked lawyers
CHAMBERS GLOBAL PRACTICE GUIDES
Data Protection & Privacy 2025
Contributing Editor Christian Schröder Orrick
Chambers Global Practice Guides

For more than 20 years, Chambers Global Guides have ranked lawyers and law firms across the world. Chambers now offer clients a new series of Global Practice Guides, which contain practical guidance on doing legal business in key jurisdictions. We use our knowledge of the world’s best lawyers to select leading law firms in each jurisdiction to write the ‘Law & Practice’ sections. In addition, the ‘Trends & Developments’ sections analyse trends and developments in local legal markets.

Disclaimer: The information in this guide is provided for general reference only, not as specific legal advice. Views expressed by the authors are not necessarily the views of the law firms in which they practise. For specific legal advice, a lawyer should be consulted.

Content Management Director: Claire Oxborrow
Content Manager: Jonathan Mendelowitz
Senior Content Reviewers: Sally McGonigal, Ethne Withers, Deborah Sinclair and Stephen Dinkeldein
Content Reviewers: Vivienne Button, Lawrence Garrett, Sean Marshall, Marianne Page, Heather Palomino and Adrian Ciechacki
Content Coordination Manager: Nancy Laidler
Senior Content Coordinators: Carla Cagnina and Delicia Tasinda
Content Coordinator: Hannah Leinmüller
Head of Production: Jasper John
Production Coordinator: Genevieve Sibayan
Published by Chambers and Partners 165 Fleet Street London EC4A 2AE Tel +44 20 7606 8844 Fax +44 20 7831 5662 Web www.chambers.com
Copyright © 2025 Chambers and Partners
Contents

INTRODUCTION p.5, contributed by Christian Schröder and Odey Hardan, Orrick

BELGIUM
Law and Practice p.10, contributed by Osborne Clarke
Trends and Developments p.29, contributed by Osborne Clarke

BRAZIL
Law and Practice p.38, contributed by Lopes Pinto, Nagasse Advogados

CHILE
Law and Practice p.54, contributed by Magliona Abogados

CHINA
Law and Practice p.71, contributed by Zhong Lun Law Firm
Trends and Developments p.88, contributed by Global Law Office

EGYPT
Law and Practice p.98, contributed by Shehata & Partners

FRANCE
Law and Practice p.121, contributed by Jeantet
Trends and Developments p.139, contributed by LPA Law

GREECE
Law and Practice p.147, contributed by Psarras, Georgountzou, Gavrilis - GKP Law Firm

HUNGARY
Law and Practice p.162, contributed by PROVARIS Varga & Partners
Trends and Developments p.177, contributed by PROVARIS Varga & Partners

INDIA
Law and Practice p.184, contributed by Saikrishna & Associates
Trends and Developments p.205, contributed by BTG Advaya

INDONESIA
Trends and Developments p.210, contributed by ABNR Counsellors at Law

ITALY
Law and Practice p.220, contributed by ICT Legal Consulting
Trends and Developments p.237, contributed by ICT Legal Consulting

JAPAN
Law and Practice p.245, contributed by Mori Hamada & Matsumoto
Trends and Developments p.260, contributed by Oh-Ebashi LPC & Partners

KUWAIT
Law and Practice p.269, contributed by GLA & Company

MACAU SAR, CHINA
Law and Practice p.283, contributed by Lektou, Advogados e Notários
Trends and Developments p.294, contributed by Lektou, Advogados e Notários

MALTA
Law and Practice p.299, contributed by Fenech & Fenech Advocates
Trends and Developments p.314, contributed by Fenech & Fenech Advocates

MEXICO
Law and Practice p.320, contributed by Nader Hayaux & Goebel

PAKISTAN
Law and Practice p.332, contributed by S.U.Khan Associates

QATAR
Law and Practice p.341, contributed by GLA & Company

SAUDI ARABIA
Law and Practice p.354, contributed by GLA & Company

SERBIA
Law and Practice p.369, contributed by Mikijelj, Janković & Bogdanović
Trends and Developments p.381, contributed by Mikijelj, Janković & Bogdanović

SOUTH KOREA
Law and Practice p.386, contributed by Kim & Chang

SPAIN
Trends and Developments p.400, contributed by Broseta Abogados

SWEDEN
Trends and Developments p.407, contributed by Gernandt & Danielsson

SWITZERLAND
Law and Practice p.415, contributed by Walder Wyss Ltd
Trends and Developments p.433, contributed by Walder Wyss Ltd

TAIWAN
Law and Practice p.440, contributed by Chen & Lin Attorneys-at-Law

THAILAND
Law and Practice p.457, contributed by Chandler Mori Hamada
Trends and Developments p.467, contributed by Chandler Mori Hamada

TÜRKIYE
Law and Practice p.473, contributed by YAZICIOGLU Legal

UAE
Law and Practice p.494, contributed by Bizilance Legal Consultants
Trends and Developments p.504, contributed by Karm Legal Consultants

UK
Trends and Developments p.514, contributed by Charles Russell Speechlys

USA
Law and Practice p.519, contributed by Davis Wright Tremaine LLP
Trends and Developments p.544, contributed by Fieldfisher

USA – GEORGIA
Trends and Developments p.550, contributed by Hilgers Graben PLLC

USA – ILLINOIS
Trends and Developments p.557, contributed by Seyfarth Shaw LLP
INTRODUCTION Contributed by: Christian Schröder and Odey Hardan, Orrick
Orrick is a global law firm dedicated to serving the technology and innovation, energy and infrastructure, finance, and life sciences and healthtech sectors. With more than 1,100 lawyers across 25+ markets worldwide, Orrick provides forward-looking, pragmatic advice on transactions, litigation and compliance matters. As one of the world’s leading tech law firms, cybersecurity and privacy are central to Orrick's practice. The firm has 15 cybersecurity and privacy-focused partners and more than 50 specialised lawyers, making it one of the strongest data protection practices in the market, recognised by Chambers Global, US and Europe. Orrick helps clients navigate the complex cybersecurity and privacy legal landscape, managing global compliance matters, cyber incidents, litigation and regulatory investigations. The team maximises data value, addresses global privacy requirements and reduces security risks. Whether clients are managing compliance challenges, licensing data or acquiring new companies, Orrick offers forward-thinking solutions to address data challenges.

Contributing Editors

Christian Schröder is a partner in Orrick's Düsseldorf office and leads the firm's cyber, privacy and data innovation group in Europe. He specialises in data-focused laws, including cybersecurity, privacy compliance, incident response, data licensing, AI and regulatory investigations. Christian advises on internal and external data transfers, product launches and privacy requirements for connected cars. He maintains strong relationships with German and EU data protection authorities, effectively defending clients in investigations. Recognised by Chambers as a top practitioner, he is a noted thought leader in privacy law.

Odey Hardan is an associate in Orrick’s cyber, privacy and data innovation group. He provides comprehensive advice on data law and EU digital law, offering strategic guidance to clients and representing them before regulatory authorities and in court proceedings. Prior to joining Orrick, Odey served as a research assistant focusing on European law, authoring several academic papers. During his doctoral studies, he specialised in European, international and data protection law.
Orrick Heinrich-Heine-Allee 12 40213 Düsseldorf Germany Tel: +4921136787 316 Email: cschroeder@orrick.com Web: www.orrick.com
Introduction to the Data Protection & Privacy Guide

Data privacy has become a fundamental concern for individuals, businesses and governments worldwide, as the proliferation of digital technologies and the increasing reliance on data-driven services have transformed how personal data is collected, processed and shared. This transformation has brought about significant benefits, including enhanced connectivity, personalised services and economic growth. However, it has also raised critical questions about the protection of personal data and the privacy rights of individuals.

Data privacy regulation is a dynamic and evolving field, shaped by the interplay of technological advancements, societal expectations and legal frameworks. In many jurisdictions, data privacy laws are built on core principles such as transparency, accountability and user consent. These principles are designed to ensure that individuals have control over their personal data and that organisations processing data do so responsibly. Key elements of data privacy regulation often include requirements for data security, data minimisation and the rights of individuals to access, correct and delete their data.

One of the most significant challenges in data privacy regulation remains the issue of cross-border data transfers. As data transfers are part of everyday business, regulators must address the complexities of ensuring that personal data transferred to other jurisdictions remains adequately protected. This has led to the development of mechanisms such as Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs) and adequacy decisions, which provide frameworks for international data transfers. Many jurisdictions, particularly in the MENA region, have recently adopted this approach and published data transfer regulations that sometimes require specific approval by state authorities. For instance, the PDPL of Saudi Arabia requires data transfers occurring in the banking context to be approved by the Central Bank. Similarly, major jurisdictions increasingly apply prohibitions and far-reaching restrictions on cross-border transfers to jurisdictions with questionable human rights practices, leading to de facto data localisation. The US government implemented an Executive Order that addresses the risk that countries could use advanced technologies, and particularly artificial intelligence systems, to process large sets of personal data, which could then be used to engage in malicious cyber activities. Jurisdictions also often control
the export, transit and brokering of technology relating to dual-use items and consisting of large sets of data, by applying export control regulations and requiring entities to apply for prior approval of the data transfer from export control authorities.

European Data Act

For a long time, protection focused only on personal data/personal information. The Chinese Data Security Law has established a framework for the protection and transfer of important non-personal data since 2021, and the EU now also aims to significantly expand protection to cover non-personal data by adopting the European Data Act (DA). The DA represents a significant legislative effort to ensure fair access to and use of data within the EU. It complements existing data protection frameworks, such as the GDPR, by establishing new rules for how users of connected products and services can utilise the data they generate and how data holders can derive economic value from it. The DA aims to foster a competitive data market, promote data-driven innovation and enhance data accessibility, addressing key challenges in the digital economy. It introduces comprehensive guidelines on how data generated by connected products and related services can be accessed and shared. This includes establishing a data access and sharing regime that applies to both business-to-consumer and business-to-business interactions, as well as public entities.

The scope of the DA is broad, impacting a wide range of stakeholders, including manufacturers of connected products (such as IoT devices like smart cars and home devices), providers of related services, data holders, data recipients, public sector bodies and several providers of data processing services, such as cloud computing services.

The DA's requirements cover both personal and non-personal data, with a primary focus on non-personal data; personal data continues to be governed by the GDPR. The DA imposes specific obligations on several cloud computing service providers, referred to as “data processing services”. These providers must facilitate switching without charging fees or imposing obstacles, ensuring that customers can transition smoothly to a different service provider. The DA requires providers to include mandatory terms in customer agreements to ensure consumers have the right to switch providers, and to comply with technical obligations to facilitate switching. The EU Commission is currently developing SCCs for switching between data processing services.

The DA applies to manufacturers or related service providers established outside the EU, provided the connected products and related services are placed on the EU market. This extraterritorial scope is intended to ensure that users can exercise their access rights under the DA, regardless of the provider's location.

European Artificial Intelligence Act

The European Artificial Intelligence Act (AI Act) marks a pioneering effort by the EU to establish a unified legal framework for the regulation of artificial intelligence systems. As the first comprehensive legislation of its kind, the AI Act aims to address the unique challenges and opportunities presented by AI technologies, ensuring that they are developed and used in a manner that is safe, ethical and aligned with fundamental rights. The AI Act establishes requirements for high-risk AI systems to ensure transparency, accuracy and data quality, addressing concerns about the potential misuse of AI technologies.
The AI Act complements the GDPR by setting forth additional obligations for high-risk AI systems to ensure responsible data processing. While the GDPR mandates lawful, fair and transparent data processing, the AI Act imposes further restrictions on high-risk AI applications, such as social scoring and real-time facial recognition, to prevent discrimination and protect privacy. The AI Act emphasises reducing bias and ensuring transparency, particularly for high-risk AI systems, by requiring that users are informed when interacting with AI and understand how decisions are made.

Regarding the relationship between the GDPR and AI models, a number of questions remain unanswered. Most recently, the European Data Protection Board (EDPB) issued an opinion that addresses legal questions such as when and how AI models can be considered anonymous, whether and how legitimate interest can be used as a legal basis for developing or using AI models, and what happens if an AI model is developed using personal data that was processed unlawfully.

The role of data protection authorities

Data protection authorities (DPAs) play a crucial role in enforcing data privacy laws and ensuring compliance. These authorities are responsible for monitoring data processing activities, conducting investigations and imposing penalties for non-compliance. They also provide guidance to organisations on best practices for data protection and facilitate co-operation among international regulators.

In the EU, the EDPB co-ordinates the activities of national DPAs, ensuring consistent application of the GDPR across member states. The EDPB issues guidelines and recommendations on various aspects of data protection, helping to harmonise interpretations of the GDPR and address emerging privacy issues.

Challenges in cross-border data transfers

Cross-border data transfers present significant challenges for data privacy regulation, and continue to be a hot topic. The Schrems II decision by the Court of Justice of the European Union (CJEU) in 2020 highlighted the complexities of cross-border data transfers, invalidating the EU-US Privacy Shield Framework and emphasising the need for robust safeguards. In response, the European Commission adopted a new adequacy decision for the EU-US Data Privacy Framework (DPF) in 2023, allowing data transfers to US organisations that self-certify under the framework.

Recent developments involve not only increased regulation of non-personal data transfers and the adoption of laws mandating data localisation, but also a trend in privacy litigation. Courts are increasingly awarding damages to individuals for violations of data transfer rules, and are no longer focusing only on high-risk contexts. This trend requires companies to carefully assess and consider risks when using services provided by foreign vendors.

Earlier this year, the General Court of the European Union made a significant ruling, awarding damages for the transfer of an IP address to the United States during the time when there was no DPF. The court held that the website operator was liable for data transfers made through a third-party API embedded on the website, even though the website operator had not conducted the transfer itself. Such decisions may have implications for companies operating in both low-risk and high-risk contexts, as they could face mass tort litigation for using third-party services that transfer non-sensitive and device-related data to third countries.
Litigation and enforcement trends

Such decisions illustrate that data privacy litigation is on the rise, with individuals and organisations increasingly seeking redress for privacy violations. In many jurisdictions, data privacy laws provide a basis for claims for immaterial damages, although the determination of such damages remains a contentious issue. Recent court decisions in the EU have clarified some aspects of compensation, emphasising that it should correspond to actual harm rather than serve as a punitive measure. However, courts tend to interpret the relevant statutes broadly to ensure efficient protection of user privacy rights, which potentially leads to more waves of mass claim litigation.

The introduction of collective redress mechanisms, such as the Representative Actions Directive in the EU, has fuelled this trend and expanded legal protection for consumers, enabling them to file collective actions for data protection violations. This development increases liability risks for companies, particularly in cross-border contexts, and highlights the importance of robust compliance programmes.

Data access and portability

The ability to access and transport personal data is a key aspect of data privacy regulation. Laws such as the GDPR grant individuals the right to access their data and transfer it to another service provider, promoting transparency and competition in digital markets. The DA builds on these principles by establishing new rules for data access and portability, ensuring that users of connected products and services can leverage the data they generate.

The DA mandates that data holders make data available to users in a common, machine-readable format promptly and at no cost. Providers of connected products or services must inform users about the extent of data availability. The DA also facilitates data portability, requiring data processing service providers to enable customers to switch to another service provider without barriers. In addition, the DA includes measures to balance negotiation power for medium-sized enterprises in relevant contracts.

The intersection of data privacy and competition law

This is an emerging area of focus, particularly in the context of digital markets. The CJEU has ruled that competition authorities can investigate GDPR violations if a company exploits its dominant market position, provided they consult with data protection authorities. This decision has significant implications for organisations with dominant market positions that accumulate extensive personal data.

The interplay between data privacy and competition law highlights the need for a holistic approach to regulation, where privacy and competition concerns are addressed in tandem. This approach ensures that data-driven markets remain competitive while protecting individuals' privacy rights.

Conclusion

The landscape of data privacy law is complex and constantly evolving, reflecting the rapid pace of technological change and the growing importance of data in the digital economy. As jurisdictions worldwide seek to balance innovation with privacy protection, the EU's comprehensive regulatory framework serves as a model for other regions. Navigating this landscape requires a deep understanding of the legal and regulatory frameworks that govern data privacy, as well as the ability to adapt to new developments and challenges.
BELGIUM Law and Practice Contributed by: Benjamin Docquir and Margo Cornette Osborne Clarke
Contents

1. Legal and Regulatory Framework p.12
1.1 Overview of Data and Privacy-Related Laws p.12
1.2 Regulators p.13
1.3 Enforcement Proceedings and Fines p.13
1.4 Data Protection Fines in Practice p.14
1.5 AI Regulation p.15
1.6 Interplay Between AI and Data Protection Regulations p.16

2. Privacy Litigation p.17
2.1 General Overview p.17
2.2 Recent Case Law p.17
2.3 Collective Redress Mechanisms p.19

3. Data Regulation on IoT Providers, Data Holders and Data Processing Services p.20
3.1 Objectives and Scope of Data Regulation p.20
3.2 Interaction of Data Regulation and Data Protection p.21
3.3 Rights and Obligations Under Applicable Data Regulation p.21
3.4 Regulators and Enforcement p.22

4. Sectoral Issues p.22
4.1 Use of Cookies p.22
4.2 Personalised Advertising and Other Online Marketing Practices p.23
4.3 Employment Privacy Law p.23
4.4 Transfer of Personal Data in Asset Deals p.25

5. International Considerations p.26
5.1 Restrictions on International Data Transfers p.26
5.2 Government Notifications and Approvals p.27
5.3 Data Localisation Requirements p.27
5.4 Blocking Statutes p.27
5.5 Recent Developments p.28
Osborne Clarke is an international legal practice with over 330 partners and more than 1,300 lawyers in 26 locations. In Brussels, the firm’s data, IP and IT experts work together as a team to support high-profile Belgian and international clients on complex regulatory matters, including the implementation of the Digital Services Act, the Digital Markets Act and the Digital Operational Resilience Act (DORA). Osborne Clarke has a strong international client base in a range of industry sectors, including life sciences, retail, financial services and particularly fintech, as well as specialist technology clients and companies in the digital sector. The team intercedes in data privacy matters at different levels, from communicating with the Belgian Data Protection Authority, drafting data protection policies and carrying out data protection audits to assisting clients with disputes before the Belgian Data Protection Authority.
Authors

Benjamin Docquir is a partner at Osborne Clarke and heads the Belgian IT/IP law department. His expertise encompasses technology law, data privacy and digital regulation. His practice includes transactional, advisory and contentious work for international and Belgian clients. Benjamin is a recognised expert in data protection and digital regulation with hands-on experience in the technology, life sciences and financial services sectors. He is particularly interested in data, software and databases, helping clients turn these into valuable assets. His practice covers algorithms and artificial intelligence, data pooling and sharing projects and international data transfers. Benjamin has litigation experience and represents clients before the data protection authorities.

Margo Cornette is an associate in the intellectual property, information technology and data protection team in Brussels. Margo advises national and international companies on all aspects of data and information technology law, with a strong background in AI, data pools and international data transfers. Margo’s client work includes drafting and negotiating complex IT and outsourcing agreements. She also advises clients on related issues such as consumer protection and intellectual property, and frequently represents clients in litigation before the Belgian courts, including the Belgian Data Protection Authority.
Osborne Clarke Bastion Tower Pl du Champ de Mars 5 1050 Bruxelles Belgium Tel: +32 2 515 93 00 Email: lena.tausend@osborneclark.com Web: www.osborneclarke.com
1. Legal and Regulatory Framework

1.1 Overview of Data and Privacy-Related Laws

Article 22 of the Belgian constitution provides for the right to protection of private and family life, and forms the cornerstone of the Belgian laws governing or impacting privacy in general. In addition, Article 8 of the European Convention on Human Rights has direct effect in Belgium and is a cornerstone of the rule of law and of the Belgian law enforcement system.

However, from the point of view of digital technologies and innovation, the most important regulation in Belgium for businesses is the General Data Protection Regulation, also referred to as the GDPR (Regulation (EU) 2016/679), which applies to all member states of the EU. Along with the European legislation, the Belgian Law of 30 July 2018 on the protection of natural persons with regard to the processing of personal data also applies. This Belgian legislation adopts a number of principles enshrined in the GDPR in respect of the activities of specific state and public bodies. In respect of businesses, it does not add or deviate much from the standard rules laid down by the GDPR.

Belgium has established its supervisory authorities by implementing the Law of 3 December 2017, as required by the GDPR. The main supervisory authority is vested with investigative and corrective powers and is entitled to fine a controller or processor if they do not comply with the GDPR or the Belgian Law of 30 July 2018. The fines as listed in Article 83 of the GDPR may not, however, be imposed on public authorities and their appointees or agents, unless they are a legal person governed by public law offering goods or services on a market (Article 221, Section 2 of the Belgian Law of 30 July 2018).

In addition to the GDPR and the Belgian Law of 30 July 2018, other laws have been enacted to respect privacy and fundamental rights in different fields, such as consumer protection, electronic communications, electronic commerce, direct marketing and the use of closed-circuit television (CCTV), etc. Indeed, the Code of Economic Law (CEL) contains certain provisions on direct marketing in its Book VI and is supplemented in this respect by the Royal Decree of 4 April 2003, regulating the sending of advertising by e-mail. In addition, the Law of 21 March 2007 on the use of camera surveillance regulates the use of CCTV in public and private areas. The authority responsible for the enforcement of
these regulations is the Belgian Data Protection Authority (DPA).

In December 2024, Belgium also enacted a major reform of private investigations that aims to translate the essential requirements of data protection law into the field of intelligence-gathering activities of the private sector (see 4.3 Employment Privacy Law). The Act on Private Investigations is a matter of public policy, and breaches thereof can lead to the rejection or cancellation of evidence in court, as well as to administrative or criminal offences.

At present, no specific legal regime has been enacted with respect to artificial intelligence (AI).

1.2 Regulators

The Belgian DPA consists of:
• an executive committee;
• a general secretariat;
• a first-line service;
• an authorisation and opinion service;
• an inspection service; and
• a litigation chamber.

The DPA has the right to conduct audits. Furthermore, investigations may be launched on the initiative of the DPA, where a complaint is lodged by a data subject or by a body, organisation or association that has been properly constituted in accordance with the law of an EU member state, has statutory objectives of public interest and is active in the protection of data subjects’ rights and freedoms.

Alongside the DPA, different regulators and public authorities have a role to play in data sharing, open data and the national implementation of the EU data spaces strategy.

With respect to AI, it is still unclear whether the DPA will be vested with regulatory powers under the EU AI Act and, if so, to what extent. That being said, there is little doubt that the DPA will exercise its powers in relation to automated decision-making, and the impact of AI projects on fundamental rights, as often as it can.

1.3 Enforcement Proceedings and Fines

The DPA must comply with the GDPR and the Belgian Law of 30 July 2018. When a complaint is filed or an investigation is launched, there will usually be an initial fact-finding phase during which the authority will ask a business to provide factual information. Afterwards, proceedings on the merits can be started before the Litigation Chamber of the DPA, in which the parties can submit their respective arguments in writing and possibly be heard.

After the proceedings, the Litigation Chamber is entitled to:
• dismiss the complaint;
• order the dismissal of the prosecution;
• order the stay of proceedings;
• propose a settlement;
• issue warnings and reprimands;
• order compliance with the requests brought by the data subject relating to the exercise of their rights;
• impose periodic penalty payments; or
• impose administrative fines.

In the event that the DPA imposes an administrative fine, such fine must be effective, proportionate and dissuasive, pursuant to Article 83 of the GDPR. Furthermore, specific circumstances must be taken into account when imposing an administrative fine and deciding on its amount.
If the respondent does not agree with the decision handed down by the Litigation Chamber, the respondent may lodge an appeal before the Market Court (Brussels Court of Appeal) within 30 days of notification of the decision. The Market Court can overturn the decision, in whole or in part, and remand the case, or decide on all grounds and substitute its own decision.

Since February 2024, any interested third party affected by a decision of the DPA, who was not a party to the proceedings before the Litigation Chamber, may also lodge an appeal before the Market Court, insofar as it suffers personal, direct, certain, current and legitimate harm due to the decision of the Litigation Chamber.

The Litigation Chamber also has the power to propose a transaction (settlement). To facilitate a faster resolution, the DPA has recently issued a (non-binding) settlement policy to help companies navigate DPA transactions.

While there is no official calculation method for fines in Belgium, the DPA consistently refers to the European Data Protection Board (EDPB) Guidelines 4/2022. These Guidelines outline a methodology for determining the sum of the fine, namely determining:
• step one – which and how many actions and infringements are under review;
• step two – what amount serves as the starting point for calculating the fine for the established infringements (starting amount);
• step three – which mitigating or aggravating circumstances, if any, necessitate an adjustment of the amount from step two;
• step four – what maximum amounts apply to the infringements and whether any increases from the previous step exceed these amounts; and
• step five – whether the final amount of the calculated fine meets the requirements of effectiveness, deterrence and proportionality, where this can be adjusted if necessary.

The DPA uses this methodology to determine the extent of administrative fines. In Belgium, fines are transferred to the State Treasury.

1.4 Data Protection Fines in Practice

Recent Decisions From the DPA in 2024

Security failures result in EUR200,000 fine (Decision No 166/2024)

The DPA fined a hospital EUR200,000 for breaching the GDPR following a cyber-attack in 2021. The attack compromised the personal data of 300,000 individuals and made the hospital’s servers inaccessible. The hospital was found to have failed to conduct a data protection impact assessment (DPIA), establish an effective information security policy or implement essential security measures, such as employee training and system log monitoring.

EUR45,000 fine for GDPR violations at the workplace (Decision No 114/2024)

On 6 September 2024, the DPA imposed a fine of EUR45,000 on a company following a complaint from an individual who had been employed as a temporary worker for approximately one year. The company collected employees’ fingerprints for time registration without offering alternatives, establishing a legal basis, or informing employees about data storage, retention and third-party transfers. The DPA found the company in violation of GDPR principles, including purpose limitation, data minimisation and transparency.
GDPR violations related to dark patterns in cookie consent (Decision No 113/2024)
Following a complaint, the DPA found that Mediahuis used dark patterns and illicit cookie practices on its websites. The complainant, represented by the European Center for Digital Rights (NOYB), highlighted the absence of a "reject all" button, deceptive button colours and difficulties in withdrawing consent. The DPA ordered Mediahuis to adjust the cookie banners within 45 days to include a refusal button and avoid deceptive colours; if non-compliance persists beyond 45 days, a penalty of EUR25,000 per day per website will be imposed. The DPA also reprimanded Mediahuis, stating that only strictly necessary cookies may be used on the basis of legitimate interest.

Delayed access request response leads to EUR100,000 fine (Decision No 207/2024)
The DPA fined an unnamed telecommunications company EUR100,000 for failing to respond promptly to a client's access request. The company had made unsolicited changes to the individual's subscriptions. When the individual submitted an access request under Article 15 of the GDPR, the company took 14 months to respond, thereby violating Articles 12(2), 12(3) and 15 of the GDPR.

EUR172,431 fine for failing to honour data subject rights (Decision No 87/2024)
The DPA fined a company for failing to erase a data subject's personal data used in direct marketing, and for having an overloaded, part-time data protection officer (DPO) unable to perform their tasks effectively. The initial fine of EUR245,000 was reduced to EUR172,431 due to the company's financial situation.
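The cookie-banner findings in Decision No 113/2024 above come down to a few concrete front-end requirements: a one-click refusal wherever an accept-all button appears, buttons that are not styled to nudge the user, and no non-essential cookies before (or after withdrawal of) consent. The following JavaScript is an added example, not code from the guide, from Mediahuis or from the DPA: it models the consent state and the banner layers as plain data so that the two design rules can be checked and cookie writes can be gated on consent. The category names, cookie names, button labels and the single style class are assumptions for illustration.

```javascript
// Added example (not from the Chambers guide or any DPA decision): a minimal
// consent model for a cookie banner. Category names, cookie names, labels
// and the style class are assumptions for illustration.

const STRICTLY_NECESSARY = "necessary";          // allowed without consent (e.g. session cookie)
const OPTIONAL_CATEGORIES = ["analytics", "marketing"];
const BUTTON_STYLE = "consent-btn";               // one class for both buttons: same size/colour/weight

class ConsentState {
  constructor() {
    this.decided = false;        // no choice yet: everything optional is treated as refused
    this.granted = new Set();    // optional categories the user has accepted
  }
  acceptAll() { this.decided = true; this.granted = new Set(OPTIONAL_CATEGORIES); }
  rejectAll() { this.decided = true; this.granted = new Set(); }
  withdraw()  { this.rejectAll(); }   // withdrawal is one click, exactly like refusal
  allows(category) {
    return category === STRICTLY_NECESSARY || (this.decided && this.granted.has(category));
  }
}

// Banner layers as plain data (a renderer would turn these into DOM). Every
// layer that carries "Accept all" also carries a one-click "Reject all" with
// the identical style class, so neither button is visually privileged.
function buildLayers() {
  const pair = [
    { id: "accept-all", label: "Accept all", style: BUTTON_STYLE, action: "acceptAll" },
    { id: "reject-all", label: "Reject all", style: BUTTON_STYLE, action: "rejectAll" },
  ];
  return [
    { id: "first", buttons: pair },
    { id: "settings", buttons: pair.concat([
      { id: "save", label: "Save choices", style: BUTTON_STYLE, action: "save" },
    ]) },
  ];
}

// Check a banner definition against the two design points: every layer with
// an accept-all button has a reject-all button, and both share one style.
function checkLayers(layers) {
  const problems = [];
  for (const layer of layers) {
    const accept = layer.buttons.find((b) => b.action === "acceptAll");
    const reject = layer.buttons.find((b) => b.action === "rejectAll");
    if (accept && !reject) problems.push(`${layer.id}: no one-click reject`);
    if (accept && reject && accept.style !== reject.style) {
      problems.push(`${layer.id}: buttons styled differently`);
    }
  }
  return problems;
}

// Gate cookie writes on consent: returns the cookie string to set, or null
// when the category is optional and has not been (or is no longer) accepted.
function cookieIfAllowed(state, name, value, category) {
  if (!state.allows(category)) return null;
  return `${name}=${encodeURIComponent(value)}; Path=/; Secure; SameSite=Lax`;
}

// Stand-alone walk-through.
const demo = new ConsentState();
console.log("before choice, analytics:", cookieIfAllowed(demo, "_ga", "1", "analytics"));
demo.acceptAll();
console.log("after accept, analytics:", cookieIfAllowed(demo, "_ga", "1", "analytics"));
demo.withdraw();
console.log("after withdrawal, analytics:", cookieIfAllowed(demo, "_ga", "1", "analytics"));
console.log("layer problems:", checkLayers(buildLayers()));
```

The point of keeping the layers as data is that the same check can run in CI against the production banner configuration, so a redesign that drops the reject button from the second layer or restyles it as a plain link fails a test rather than surfacing in a complaint.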
Non-compliant cookie banner (Decision No 156/2024)
The Belgian DPA imposed a fine of EUR40,000 per day of non-compliance on RTL Belgium for GDPR violations related to non-compliant cookie banners, following a complaint by NOYB. The complaint highlighted the absence of a "reject all" button and the use of misleading colours in the cookie banner. The DPA required RTL Belgium to:
• add a button to its cookie banner allowing the refusal of all cookies via a single click on every layer where the "accept all" button appears; and
• use colours in its cookie banner that are not manifestly misleading, ensuring that the "accept all" and "refuse all" buttons are displayed equivalently.

After RTL Belgium complied with these corrective measures, the DPA acknowledged its compliance, resulting in the dismissal of the case and the waiving of the imposed fines.

1.5 AI Regulation

To date, Belgium has not adopted any national legislation on AI or machine learning. However, the AI Act has entered into force and has direct effect in Belgium as it becomes progressively applicable. It is worth noting that:
• the DPA has issued advice on draft laws covering the use of AI – this advice generally considers the rules applicable to automated decision-making (Article 22 of the GDPR) or the proportionality of using AI systems; and
• the DPA has issued guidelines on AI and data protection – on 19 September 2024, it released guidelines on AI, detailing the relationship between the GDPR and the AI Act in AI system development.

1.6 Interplay Between AI and Data Protection Regulations

The AI Act and the GDPR should be viewed as complementary frameworks, each with its own rules and obligations. Since many AI systems process personal data, staying compliant with both sets of rules is a must. The following parallels can be identified between the AI Act and the GDPR.
• Scope: The GDPR's material scope covers the processing of personal data by automated means, and by non-automated means if the data forms part of a filing system. Its territorial scope is based on establishment and targeting criteria, applying to entities established in the EU and to those outside the EU processing data related to offering goods or services to, or monitoring the behaviour of, individuals in the EU. In contrast, the EU AI Act's material scope focuses on AI systems and extends to providers, deployers, importers, distributors and authorised representatives. The EU AI Act includes a detailed risk categorisation framework, with most obligations applying to high-risk AI systems. The EU AI Act has a broad geographical scope of application and can catch entities based outside the EU in different respects.
• Roles: When using AI systems, it is important to consider roles and obligations under both the GDPR and the AI Act, as different requirements may apply based on one's role. The GDPR distinguishes between controllers and processors, with controllers bearing the strictest compliance responsibilities. The AI Act categorises actors into providers, deployers, distributors, importers, etc, with providers and deployers being the most significant
in practice. However, the roles may overlap, completely or in part, with a deployer qualifying as a data controller or a provider qualifying as a data processor, etc.
• Principles: The GDPR sets out seven data protection principles: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability (Article 5 of the GDPR).

The AI Act outlines general principles for all AI systems and specific obligations to implement these principles, influenced by the OECD AI Principles and the seven ethical principles of the High-Level Expert Group on AI (HLEG-AI). Recital 27 of the AI Act lists principles such as human agency and oversight, technical robustness and safety, privacy and data governance, transparency, diversity, non-discrimination and fairness, and social and environmental wellbeing. These principles are detailed in various articles of the AI Act. For example, Article 10 prescribes data governance for high-risk AI systems, Article 13 addresses transparency, Articles 14 and 26 introduce human oversight and monitoring requirements, and Article 27 mandates fundamental rights impact assessments for certain high-risk AI systems.
• Human oversight and automated decision-making: Article 22 of the GDPR grants data subjects the right not to be subjected to decisions based solely on automated processing unless necessary for a contract, authorised by law or based on explicit consent. It also mandates measures to protect fundamental rights, including human intervention and the ability to contest decisions. Similarly, the AI Act requires high-risk AI systems to allow effective human oversight during use and mandates technical and organisational
measures to ensure proper use and oversight. Without adequate human oversight, AI systems may fall under the automated decision-making framework of Article 22 of the GDPR.
• Reporting incidents: Reporting obligations for serious incidents or malfunctions of AI systems can overlap with GDPR reporting requirements when personal data is involved. For example, deployers using AI must inform the provider, and possibly the distributor or market surveillance authorities, if they identify a significant risk or serious incident. If such an incident results in a personal data breach compromising the data processed by the AI system, they must also notify the competent DPA without undue delay and, where feasible, within 72 hours of becoming aware of it (unless the breach is unlikely to result in a risk to individuals) and, where the breach is likely to result in a high risk, the affected data subjects. Handling both notifications together ensures compliance with the AI Act and GDPR requirements.
• Penalties: Both the GDPR and the AI Act impose administrative fines based on the severity of the infringement. Under the GDPR, less serious infringements can result in fines of up to EUR10 million or 2% of global annual turnover, whichever is higher, while serious breaches can lead to fines of up to EUR20 million or 4% of global annual turnover, whichever is higher. The AI Act sets out penalties in Article 99, with the most serious breaches, such as non-compliance with the prohibited AI practices, resulting in fines of up to EUR35 million or 7% of global annual turnover. Minor breaches, such as supplying incorrect information to authorities, can incur fines of up to EUR7.5 million or 1% of global annual turnover.

The AI Act and the GDPR have different scopes and requirements, which can create challenges for compliance and consistency. Additional guidance from authorities such as the EDPB, the European Commission and/or the AI Office is of great value. It is worth mentioning the following guidelines.
• On 19 September 2024, the DPA released guidelines on AI and data protection, detailing the relationship between the GDPR and the AI Act in AI system development.
• On 18 December 2024, the EDPB adopted Opinion 28/2024 on the use of personal data for AI model development and deployment. The opinion addresses (i) the conditions under which AI models can be considered anonymous, (ii) the use of legitimate interest as a legal basis for AI development and use, and (iii) the implications of developing AI models with unlawfully processed personal data. It also considers the use of both first- and third-party data.

2. Privacy Litigation

2.1 General Overview

Currently, fines imposed by the DPA are much more common than private litigation concerning data protection infringements. This is most likely due to the high costs of litigation combined with the relatively low number of claims for damages.

2.2 Recent Case Law

In 2024, the CJEU issued several rulings regarding damages in relation to data protection, as provided for in Article 82 of the GDPR. Key elements to consider include the following:
• not every breach of the GDPR automatically gives rise to a claim for compensation under Article 82 of the GDPR;
• "damage" must be interpreted broadly;
• damage caused by a breach of personal data protection is no less serious than bodily injury;
• Article 82 of the GDPR does not have a threshold of seriousness or a minimum threshold that the damage must exceed;
• the fear that personal data will be misused as a result of a cyber-attack can be a compensable non-material damage;
• excluding liability under Article 82(3) of the GDPR is only possible within certain limits;
• the GDPR contains no provisions on how to assess damages, and national courts must therefore apply each member state's national provisions, subject to the principles of equivalence and effectiveness under EU law;
• when determining the amount of compensation, Article 82 of the GDPR does not require taking into account the extent of fault or the number of GDPR violations by the controller against the data subject;
• when GDPR infringements occur alongside breaches of national law that pertain to personal data protection but do not aim to clarify GDPR requirements, these simultaneous breaches do not need to be considered when determining the amount of damages under Article 82 of the GDPR; and
• Article 82 of the GDPR serves a compensatory purpose rather than a deterrent or punitive one.

Cases C-182/22 and C-189/22
The CJEU ruled that, under Article 82(1) of the GDPR, compensation for non-material damage due to personal data theft does not require consideration of the severity of the GDPR infringement. The CJEU clarified that compensation should fully cover the damage, and may be minimal if the damage is not serious. Furthermore, "identity theft" for the purposes of compensation requires actual misuse of the stolen data, but compensation is not limited to cases involving subsequent identity theft or fraud.

Case C-590/22
The CJEU has ruled that a data subject may seek compensation for non-material damage caused by the fear of disclosure of personal data, even if the disclosure itself is not proven, as long as the negative consequences of that fear are proven. Merely proving an infringement, however, is insufficient for compensation; actual damage must be proven.

Case C-741/21
The CJEU clarified the right to compensation for non-material damage under the GDPR:
• an infringement alone does not constitute "non-material damage" – there must be evidence of damage suffered and a causal link;
• controllers cannot claim exemption from liability merely because a person acting under their authority failed to follow their instructions;
• the assessment of compensation for non-material damage does not need to follow criteria similar to those for administrative fines; and
• multiple infringements related to the same processing operation should be considered in the compensation assessment.

Case C-687/21
The CJEU held that non-material damages under Article 82 require the claimant to prove a well-founded fear and a real risk of misuse of personal data.

Case C-340/21
The CJEU ruled that the fear of potential misuse of personal data by third parties constitutes non-material damage under Article 82(1) of the GDPR. Controllers must compensate for damages from unauthorised data disclosure or
access unless they prove no fault on their part. The CJEU clarified that such incidents alone do not imply inadequate security measures by the controller, who must prove the measures' appropriateness.

2.3 Collective Redress Mechanisms

On 31 May 2024, the Law of 21 April 2024, which amends Books I, XV and XVII of the Belgian Code of Economic Law (CEL) and transposes Directive (EU) 2020/1828 on representative actions to protect the collective interests of consumers (RAD), was published in the Belgian Official Journal.

The new Belgian law does not introduce a completely new legal system to allow so-called class actions, as collective redress actions have been available in Belgium for consumers since 2014 and for SMEs since 2018. Nevertheless, the following changes are notable.
• A generalised opt-in regime: Consumers only need to decide whether to opt in after a decision on the merits is issued, but there is the possibility to enter into collective settlements on an opt-out basis. Previously, the Belgian CEL allowed the judge to choose which opt-in/opt-out system would apply to a particular collective redress action. However, this is not common practice in other jurisdictions, where the legislator typically determines the applicable system. The new law introduces changes in this respect: the mechanism has been revised for the negotiation phase. To reach an agreement, it is necessary to leave as much room for negotiation as possible. Therefore, the parties themselves can decide whether the group will be formed according to an opt-out or an opt-in approach. If no agreement is reached at the end of the negotiation phase, the substantive procedure ("on the merits")
will start. The composition of the group will then be based on an opt-in system. This opt-in phase has been moved to a different stage in the procedure, namely after the decision on liability, which results in an obligation for the defendant to pay compensation.
• Limited rules on litigation funding: To ensure the independence of the qualified entity, third-party funding will be subject to the necessary supervision. One of the conditions for recognition is that the group representative must be independent and not financially influenced by its funders. If this is not the case, the minister may refuse recognition, or the court may declare the collective redress action inadmissible. Furthermore, there is a transparency requirement to state in the request that the collective redress action is funded by a third party, and an obligation on the representative to identify the funding third parties as well as the amounts funded.
• Group representatives: Besides recognised entities, it is now possible to set up an ad hoc entity specifically for introducing collective redress proceedings.
• Definition of qualified entities: Qualified entities that are allowed to bring representative actions now benefit from a clear and precise definition. This definition includes entities recognised in another member state. Additionally, the text expressly addresses the question of ad hoc entities and allows them to start actions. A complete list of qualified entities will be published on the website of the Federal Public Service Economy. Pending representative actions must be published by the qualified entities.
• Cross-border actions: The law permits cross-border collective redress actions, enabling foreign qualified entities to initiate collective redress proceedings in Belgium and allow-