Belgium Addresses Pitfalls for International Data Transfers

• Tanguy Van Overstraeten
• Ronan Tigner

Belgium has gone to great lengths to adopt a comprehensive framework for international personal data transfers based on the safeguards of Binding Corporate Rules (“BCR”) and contractual clauses. As of 2011, the data protection authority (“DPA”) of Belgium, the Commission for the Protection of Privacy, together with the Belgian Ministry of Justice (the “Ministry”), concluded two protocols to streamline the approval process based on these two solutions. Although not exempt from criticisms, the protocols are welcome improvements overall. They increase legal certainty and reduce formalism for companies seeking to implement a compliant contractual transfer solution.

In this paper, following an introduction on personal data transfers under Belgian law and the main reasons for the protocols (Section I), we analyse the protocol for Binding Corporate Rules (Section II) and the protocol for contractual clauses (Section III). We examine the protocols from a substantive and procedural perspective, providing practical insights based on our experience. We also consider developments of these safeguards under the data protection reform (Section IV) before providing some conclusions (Section V).