More evidence emerged in May of the sea change underway in Belgium with respect to enforcement of data protection laws, with State Secretary for Privacy Bart Tommelein confirming that the country's Privacy Commission, which began auditing companies last year, would soon be vested with fining powers. While the fines were initially expected to be small, comparable to those that can be imposed by Belgian telecom and energy regulators, the Dutch Senate passed a bill on May 26 that gives the DPA the power to issue fines up to €810,000 or 10% of annual turnover should a prior binding recommendation of the Commission not be observed. The effective date of the legislation, which also establishes a data breach notification obligation, remains to be determined. Although the Commission remains under-resourced, it is becoming clear that the days of what one commentator called "data protection complacency" in Belgium are fading fast.
In mid-month, the increasingly assertive Privacy Commission, which is leading an investigation into Facebook on behalf of several data protection authorities, announced that it is "make or break time" for the company to show that it prioritizes user privacy. In a 28-page report, the Commission said that Facebook processes the personal data of its members as well as other Internet users "in secret," without asking for consent or adequately explaining how the data will be used. According to William Debeuckalaere, the President of the Commission, "The way in which [Facebook] is contemptuous of the private lives of its members and of all Internet users demands action." For its part, Facebook claims that the Belgium DPA has no jurisdiction over its activities and that it already complies with European data protection law, continuing a stance of Silicon Valley stonewalling that even Google has begun to move away from.