Belgium: DPA issues opinions on draft royal decrees on tracing and databases in the context of Coronavirus
The Belgian Data Protection Authority ('the Belgian DPA') announced, on 30 April 2020, that it had issued its opinions on the draft royal decree on the use of contact tracing applications ('the Decree on Contact Tracing Apps') and the draft royal decree on the creation of data bases by Sciensano.be ('the Decree on Databases') in order to prevent the spread of COVID-19 ('Coronavirus'). In particular, the Belgian DPA outlined that the protection of personal data is not an obstacle to the use of technology to combat Coronavirus, as long as the tools respect fundamental principles and comply with data protection laws. Specifically, the Belgian DPA summarised that Sciensano must demonstrate that the infringements on the private lives of individuals are necessary and proportionate to the purposes of preventing the spread of Coronavirus and that the implementation of a contact tracing application is allowed only if it constitutes the least intrusive measure to achieve this purpose.
Furthermore, the Belgian DPA noted that the decrees must provide more precise clarification on the source of collected data, any third parties with whom it may be shared, and how it may be used. Moreover, the Belgian DPA requested that, before the launch of a contact tracing app, a Data Protection Impact Assessment (‘DPIA’) must be conducted and the source code must be published.
UPDATE (25 May 2020)
Belgian DPA disapproves of draft law on the Sciensano database
The Belgian DPA issued, on 25 May 2020, its opinion on the draft law on the establishment of a database by Sciensano as part of the prevention of the spread of the Coronavirus ('the Draft Law on Sciensano Database'). In particular, the Belgian DPA outlined that the Draft Law on Sciensano Database is very similar to the previous Decree on Databases and that the majority of issues with the latter have not been amended. As a result, the Belgian DPA asks, among other things, that the draft law be re-read in order to remove any errors in logic and spelling. Specifically, the Belgian DPA criticises, for example, the foreseeability and proportionality of the processing of personal data.
UPDATE (26 May 2020)
Belgian DPA calls for some amendments of draft law regarding tracing apps
The Belgian Data Protection Authority ('Belgian DPA') issued, on 26 May 2020, its opinion on the draft law relating to the use of contact tracing apps as a preventative measure against the spread of COVID-19 ('Coronavirus') ('the Draft Law on Contact Tracing Apps'). In particular, the Belgian DPA outlined, among other things, that the apps allow citizens to know if they have been in contact with an infected individual without knowing their identity and without the locations of individuals being stored in either the application or a centralised database. Specifically, the Belgian DPA noted that Sciensano will maintain log files containing users' secure keys and that this will be available for other users' applications.
Furthermore, the Belgian DPA welcomed changes following the Decree on Tracing regarding, for instance, justifications of the proportionality of processing activities, justification for the three week data retention period, clarification that non-users will not be disadvantaged, the obligation for Sciensano to stop any combination of personal data, and the use of anonymous data for epidemiological research. However, the Belgian DPA added that the Draft Law on Contact Tracing Apps is, among other things, lacking information on the frequency of issuing new secure keys and identifiers, lacking the prohibition to collect any information relating to the user's terminal equipment, incorrect in stating that the applications carry out processing of personal data rather than physical persons, and unclear in its purposes regarding epidemiological research.
You can read the opinion on the Draft Law on Contact Tracing Apps, only available in French, here.