Two directors at the Belgian data protection authority have distanced themselves from an official statement given by the regulator after several of its members were accused of violating EU independence requirements.
According to a complaint, filed anonymously with the EU Commission Thursday and obtained by POLITICO, four out of seven members of the authority’s panel that gives opinions on Belgian draft laws fail the independence requirements set out in Europe’s privacy law, the General Data Protection Regulation.
In response to the complaint, a spokesperson from the Belgian data protection authority said that the country’s parliament appointed the individuals according to criteria set out in the General Data Protection Regulation and that the individuals themselves have declared the absence of any conflicts of interest.
“There have been discussions in Belgium concerning the nomination of some of our external members, but for most of them the decision was taken by the Belgian Parliament in spring 2019 and there are no new elements,” the spokesperson said. “Nevertheless, we know the Parliament is looking into this matter again and we hope it will be resolved soon,” the spokesperson said, in a nod to hearings that have happened in the Belgian parliament on the topic.
But in a twist that shows internal discord is alive and kicking, two of the authority’s directors contacted POLITICO to distance themselves from the regulator and its head David Stevens.
Referring to the regulator’s statement, directors Charlotte Dereppe and Alexandra Jaspar said “The position expressed by Mr Stevens as the position of the Belgian DPA has not been submitted (nor hence approved) by the DPA’s board of directors. The Belgian parliament has to take a decision in this matter. Neither the DPA nor its individual members should interfere in this official process.”
The panel accused of violating independence rules is known as the “Knowledge Centre,” which gives opinions on whether draft bills or government initiatives comply with data protection requirements.
The complainants said the inclusion of top civil servants Frank Robben, Nicolas Waeyaert and Séverine Waterbley on the panel runs counter to GDPR requirements for members to “remain free from external influence.”
The development raises the stakes of a long-running internal battle at the privacy authority, which is the lead European regulator for Mastercard and the Interactive Advertising Bureau, an adtech lobby whose online advertising framework it is currently investigating.
Of those targeted in the EU complaint, Robben is the most well-known in Belgium and is behind many of the country’s public data initiatives, including its COVID-19 contact-tracing app. Waterbley is a top civil servant in the economy ministry, while Waeyaert heads up the country’s official statistics institute.
A fourth member, Bart Preneel, is targeted by the complaint because of his membership in a committee — Comité de sécurité de l’information — that authorizes certain public-sector data sharing. The committee itself is accused in a separate complaint with the Commission, filed in July and seen by POLITICO, of violating bans in the GDPR on pre-authorizing data projects.
“A majority of [the panel’s members] are either reporting in their primary functions (for the three of them) to the authority of a supervisory Ministry or whose secondary functions (for one of them) are related to the practice of a supervisory Minister which aims to authorize most transfers in the public sector,” the complaint reads.
The complainants wished to remain anonymous, as is their right under the EU complaints procedure. But their action has further inflamed the tensions between senior members of the Belgian authority that have spilled into public view in recent months.
POLITICO contacted the individuals targeted by the complaint. Of the three that answered in time for publication, none were aware of the complaint.
Robben noted that under Belgian regulations the “Knowledge Centre” has a full-time chairman and six part-time members who hold other roles and are selected based on their experience in data protection. “Personally, I have more than 30 years of experience in this field, both scientifically and administratively,” Robben said.
“In the performance of my tasks as a member of the Knowledge Center, I am totally free from external influence, whether direct or indirect, and neither seek nor take instructions from anybody, as stated in the GDPR. In my opinion, I am not engaged in any incompatible occupation. I have a public website that describes all my activities. If I could have a potential conflict of interest on a specific file, I don’t participate in the deliberation,” he said.
Preneel told POLITICO that he had “no idea why there would be a problem” with his appointment. He said the Belgian parliament was aware of all of his different functions when it nominated him to the data protection regulator role and that none of those had since changed.
He and Robben both said that the regulator has processes designed to ensure that members who are conflicted on certain files do not participate on those files.
Belgium’s data protection authority wouldn’t be the first to fall afoul of EU independence requirements. Cases involving regulators in Germany, Hungary and Austria have all ended up before the EU’s top court, although before the bloc’s data protection regime was updated in 2018.
Waterbley said she did not intend to respond immediately. Waeyaert did not respond to a request for comment.
The Commission now has 12 months to examine the complaint and decide whether or not to start formal infringement proceedings.