The European Commission has decided to send a letter of formal notice to Belgium for violating Article 52 of the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), which states that the data protection supervisory authority shall perform its tasks and exercise its powers independently. The independence of data protection authorities requires that they remain free from any external influence, direct or indirect, that can potentially affect their decisions.
In March 2021, Didier Reynders, Commissioner for Justice, sent a letter to the Belgian authorities expressing concerns that the Belgian data protection authority was not independent. Some of its members cannot be regarded as free from external influence because they either report to a management committee depending on the Belgian government; they take part in governmental projects on COVID-19 contact tracing; or they are members of the Information Security Committee.
The information provided in the reply from the Belgian authorities in April 2021 did not allay those concerns. Belgium now has two months to clarify the measures taken to ensure full independence of the Data Protection Authority, failing which the Commission may decide to send Belgium a reasoned opinion. More information can be found online on EU data protection rules.