The amendments to the Belgian Act on Electronic Communications (Telecom Act) entered into force on October 1, 2012. Amongst other things, the amended Telecom Act introduces a requirement for opt-in consent for cookies and a data breach notification obligation for telecommunications providers.
Opt-in Consent for Cookies
Data Breach Notification Obligation for Telecom Providers
The amended Telecom Act introduces a data breach notification obligation for providers of public electronic communication services (i.e., services that mainly consist of transferring signals over an electronic communication network). This implies that these providers are now required to immediately report any kind of security breach affecting personal data to the Belgian Institute for Postal Services and Telecommunications (BIPT). Furthermore, if the data breach is likely to negatively affect personal data and the privacy of clients or other individuals, these individuals should also be informed without delay, unless the company can demonstrate to the BIPT that the affected personal data is protected by information security measures that render the data incomprehensible to unauthorized third parties (e.g., encryption techniques).
Data breach notices to individuals should contain information on the nature of the data breach, the persons or services that individuals can contact for more information, as well as the measures that individuals can take to mitigate the negative effects of the data breach. In addition, the data breach notification to the BIPT should contain a description of the consequences of the data breach and the actions that the company intends to take or has already taken to address the data breach.
In practice, companies subject to the data breach notification obligations should anticipate potential data breaches, for example by preparing ready-to-use operating procedures and notification templates, since the BIPT and the individuals concerned should be notified without delay. Furthermore, a register of data breaches must be kept, containing information on the facts of the data breach, the consequences and the measures taken to address the incident.