Accessibility Statement

Cyberblog | February 5, 2018

GDPR: Belgium sets up new Data Protection Authority

EU, Data Breach, European Union (EU), Personal Data, Data Protection, Data Security, GDPR, Privacy Regulation, International

Overview

On 10 January, the Belgian Gazette published the Law of 3 December 2017 “setting up the authority for data protection” (the Law). The Law is the first legal text in Belgium applying various provisions of the EU’s General Data Protection Regulation (GDPR). Under the GDPR, EEA Member States must provide for one or more independent public authorities to be responsible for monitoring the application of the GDPR, in order to protect fundamental rights and freedoms of personal persons in relation to processing and to facilitate the free flow of personal data within the European Union. The Law therefore sets up a new “Data Protection Authority” (DPA), which, with effect from 25 May 2018, replaces the current body, the Commission for the Protection of Privacy (Privacy Commission). Although not a “big player,” Belgium is often at the forefront of developments in EU law, including in the protection of privacy. The DPA’s predecessor, the Privacy Commission, has been an active data protection agency, for example it has also been one of several authorities across the EU which has sued social media providers. The DPA will doubtless continue the Privacy Commission’s advisory role, but the Law also grants extensive powers to the DPA: it remains to be seen whether the DPA will merely exhort rather than enforce. Much will depend on the composition of its Executive Committee. The DPA will need to press for sufficient budget to attract the personnel necessary to exercise its powers and to burnish its image as a truly independent authority. If the DPA does “show its teeth,” the Law’s extensive provisions on investigations by the DPA’s Inspection Service, preliminary measures by its Disputes Chamber and on the Chamber’s proceedings on the merits will become familiar reading. The rights of the defense and other safeguards guaranteed in the Law will be put to the test. The ultimate sanction is, however, loss of reputation: no serious economic operator wants to face allegations – often highly publicized - that it has been negligent in its protection of the personal data of its customers. For a full review of the Law and the DPA’s powers, see our briefing.
Press Releases Steptoe Expands Trade Remedies Group With Addition of Partner Ron Kendler February 2, 2026 Press Releases Steptoe Partners with First Liberty Institute and American Civil Liberties Union in First Amendment Challenge to WMATA Advertising Restrictions January 21, 2026 Webinars AI, Data & Digital Roundtable February 11, 2026
Press Releases Chambers Greater China Region 2026 Recognizes Steptoe Practices and Lawyers January 15, 2026 Press Releases Legal 500 Asia Pacific 2026 Recognizes Steptoe Lawyers and Practice January 15, 2026 Press Releases Steptoe Advises Orexo on Strategic Divestiture of Zubsolv® US Rights to Dexcel Pharma January 7, 2026 Press Releases Former Federal Prosecutor Jamari Buxton Joins Steptoe in Los Angeles, Strengthening Investigations, White-Collar Defense & Compliance Practice January 7, 2026 Press Releases Conor Tucker Appointed Chair of the Beverly Hills Bar Association's Appellate Law Section January 6, 2026 Press Releases Steptoe Named to Lexology 100: Data 2026 December 22, 2025 Press Releases The Hill Names Leslie Belcher, Elizabeth Burks, and Rowan Bost to Top Lobbyists 2025 December 12, 2025 Press Releases Chambers Asia-Pacific 2026 Recognizes Steptoe's Top International Trade Practice December 11, 2025 Press Releases Steptoe Earns Four Practice and Three Individual Rankings in Chambers FinTech 2026 December 5, 2025

View More