Other sections of this issue:
Privacy & Data Protection | ISP-Liability & Media Law | Contracts & E-Commerce |
Electronic Communications & IT

---

• The Belgian Privacy Commission discusses the draft Royal Decree regarding the legal duty to cooperate with judicial requests regarding electronic communication
• Data Protection Enforcement by National Data Protection Authorities
• Viral marketing is not allowed, according to a Belgian Commercial Court

---

The Belgian Privacy Commission discusses the draft Royal Decree regarding the legal duty to cooperate with judicial requests regarding electronic communication

In an advice dated 3 September 2008, the Belgian Privacy Commission discusses the draft Royal Decree regarding the legal duty to cooperate with judicial requests regarding electronic communication. As the draft Royal Decree has not yet been published, this advice provides useful insight on the current proposal.

Introduction
The draft Royal Decree regarding the legal duty to cooperate with judicial requests regarding electronic communication, if it were to become law, would not actually introduce a legal duty to cooperate with judicial requests to operators of electronic communications services. Such a duty already exists pursuant to articles 46bis, 88bis and 90ter to decies of the Code of Criminal Procedure. What the draft Royal Decree does is to provide in a framework for cooperation between the operators and judicial bodies.

Contents of the draft Royal Decree
The draft Royal Decree requires that a special “Justice Coordination Cell” be created within each operator which will cooperate with the NTSU-CTIF service of the national police. More in particular, the “Justice Coordination Cell” will have to grant the NTSU-CTIF direct and permanent access to the operators client database. The NTSU-CTIF will moreover be able to determine the technical modalities pursuant to which access must be granted.

Future developments
It is far from certain that the draft Royal Decree will be enacted in its current form as both the Belgian Privacy Commission and the Article 29 Working Party have strongly criticized systems where direct access to a database is granted. We will keep you informed in a future bulletin of any future developments.

For more information, contact: Olivier Van Droogenbroek or Thomas De Meese.

---

Data Protection Enforcement by National Data Protection Authorities

Whereas until recently, data protection obligations in Europe seemed to exist in theory only, being infrequently enforced in case of breach, there is an increasing number of recent examples where national data protection authorities are enforcing the laws. We highlight two recent enforcement actions, in Germany and Italy, where considerable penalties have been imposed.

Introduction
Whereas until recently, privacy and data protection obligations in Europe seemed to exist in theory only, being infrequently enforced in case of breach, there is an increasing number of recent examples where national data protection authorities are enforcing the laws.

We here highlight two recent enforcement actions against supermarket chains, in Germany and Italy.

Germany
In September 2008 the competent privacy authorities in Germany imposed a fine of approximately 1.4 million Euro on the supermarket chain Lidl. Fines for individual stores ranged from 10.000 to 310.000 Euro.

Following an in depth investigation, Lidl was found guilty of having instructed several investigative agencies to systematically monitor employees regarding their private life, financial situation and behavior. Furthermore, Lidl was keeping and reading reports of the investigative agencies and did not appoint a responsible person for privacy protection within the company as it is required by German law. The keeping and reading of the reports led to fines between 3.000 and 15.000 Euro per report whereas the non-appointment of a responsible person for privacy protection within the company was fined with 10.000 Euro. In addition, Lidl was ordered to develop and implement a privacy policy.

Italy
The Italian Data Protection authority has fined the supermarket chain GS for abuse of its loyalty card scheme. GS was fined with a 54.000 Euro penalty for failing to provide customers with adequate information with respect to the use of the personal data collected for the purpose of this loyalty card scheme.

The supermarket chain not only processed the names of the customers, but also their e-mail addresses, mobile phone numbers, employment details, the number of receipts issued to them, details of products purchased and the details on the branches where the products were purchased. These data were used for customer specific advertising campaigns, without having ever obtained consent or informed the customers of such use.

Conclusion
These two decisions are illustrative of the increased activity of national data protection authorities in Europe. As stated in our earlier newsletter, there is a tendency amongst European data protection authorities towards actively enforcing compliance and imposing sanctions.

Data protection is increasingly becoming a "big deal" in Europe and national data protection authorities seem to be aiming at high-profile cases to set examples.

For more information, contact: Frederik Van Remoortel or Thomas De Meese.

---

Viral marketing is not allowed, according to a Belgian Commercial Court

The Belgian Commercial Court of Huy has ruled in a litigation between two dating websites, that a company inciting its subscribers to ‘recommend’ its services to friends and contacts violates the Belgian privacy and e-commerce legislation.

Introduction
The Commercial Court of Huy had to assess a litigation between dating sites Nice People and ToiEtMoi. Nice People was accused of infringing on Belgian privacy law by inciting its subscribers to provide Nice People with addresses of friends and contacts and by inciting those subscribers to trigger the dispatch of automatically generated e-mails to those contacts. The latter dispatch allegedly also constituted a violation of the “opt-in” rules on commercial communications under the Belgian e-commerce legislation.

Viral marketing is contrary to privacy law and to the “opt-in” rule
The Commercial Court took a relatively strong stance towards viral marketing. It held that companies “organizing” the viral marketing scheme are to be regarded as responsible for the processing of the personal data concerned, and are in fact the parties making the dispatch of the litigious e-mail messages. The Court issued a cease and desist order enjoining Nice People to refrain from direct marketing practices under penalty of payment of a daily fine.

Further developments
The commented decision has sent shockwaves through the direct marketing community in Belgium, and is now under appeal. In the meanwhile, the Belgian Privacy Commission is reportedly preparing a position paper on the topic. We will keep you informed of any further developments in one of our future bulletins.

Belgian Commercial Court of Huy Judgement [PDF]

For more information, contact: Christoph De Preter or Thomas De Meese.