Cyber security law is slowly becoming more mature. For instance, the legal structures that enable the enforcement of privacy rules are being developed. "We have reached the point where we will finally be able to evaluate if the structures that have been created are effective", opens Paul De Hert, Professor of criminal law and privacy expert at the VUB University. "Think of the Bruvax scandal in Brussels, where data on vaccination could easily be retrieved. It remains to be seen whether a court will effectively punish this privacy leak."
These evolutions in data protection and cyber security law are the result of the implementation of GDPR and the so-called NIS Directive in the past years. "Before those regulations were put in place, cyber security was a matter of cashflows, not legal structures. Since 2018 this has changed and security has also become legally enforceable."
Who whould take decisions on data?
An indirect consequence is that privacy has become a topic in the public debate. The best-known example is the case of top civil servant Frank Robben, who created large data systems on health, on behalf of the government. These are inherently very privacy-sensitive issues. But at the same time mister Robben also takes part in the Knowledge Centre of the Data Protection Authority. He has become a symbol of the so-called ‘pragmatic’ approach to privacy protection, which critics say is potentially very dangerous.
"This case illustrates that we need a much more fundamental debate about what kind of big data and AI governance our society wants", De Hert explains. "Frank Robben represents an expert model, which assembles a lot of data, that in a next step is accessible for a limited club of experts to use. For opponents, including myself, this is the wrong approach. Decisions about these data should only be taken by parliament or by a structure that guarantees a democratic debate and participation."
"Debating both models is essential for our democracy. In the Netherlands, the existence of an expert model, which tends to be much more closed, even led to so-called ‘benefits scandal’ that brought down the government. But I notice that this discussion is not an issue for Flemish media. Unlike in Wallonia and Brussels, the privacy discussion is caricatured in Flanders", says De Hert. "The Flemish press is apparently not interested in privacy. 2021 was the year in which the privacy discussion was conducted asymmetrically."
The need for better cooperation
Partly because of limited media reporting, a number of praiseworthy initiatives to increase the protection of privacy did not get enough attention. De Hert: "During the discussion about the difficult choice between privacy and healthcare, for example, the Data Protection Authority took a very courageous stance. But it did not receive the support that I expected from the government. This illustrates that the Belgian privacy policy and the structures to support it need to be strengthened. The Data Protection Authority should be consulted more and play a bigger role."
The need for an organisational reform was included in the evaluation report led by the Secretary of State for Data Protection Mathieu Michel on the occasion of the GDPR's three-year anniversary. "Today our country has five different authorities for personal data. They need to cooperate better", says Paul De Hert. "Moreover, there is a tendency for the establishment of regional authorities with the same competency. But those in favour of such regionalisation should ask themselves if a regional authority will be able to operate independently."