In contrast to the previous question, there is Belgian legislation applicable to cloud computing services that may indirectly prohibit, restrict or otherwise govern cloud computing services.
This kind of legislation includes, first of all, legislation on data protection, such as the European General Data Protection Regulation (GDPR) which is directly applicable since 25 May 2018. A cloud provider will typically act as a processor of personal data, which means that a data protection agreement has to be concluded.
Also, legislation on outsourcing in the financial sector in the Law of 11 March 2018 (replacing the Law of 21 December 2009) on the statute and supervision of payment institutions and the institutions for electronic currencies, the access to the company of the payment services provider and the activity of issuance of electronic money and the access to payment systems, may affect cloud computing services. In this regard, cloud computing services are subject to the same principles as traditional outsourcing in the financial sector. However, cloud computing is not directly addressed by the Law of 11 March 2018, but the NBB stated in its communication of 9 October 2012 that cloud computing is considered as a type of outsourcing.
The same communication of the NBB states that the circulars dealing with outsourcing, which establish rules on good practices, will remain applicable. Subsequently, the communication states that, in principle, there is no prior authorisation by the NBB required for outsourcing (in contrast to De Nederlandsche Bank (DNB) in the Netherlands: see www.dnb.nl/nieuws/dnb-nieuwsbrieven/nieuwsbrief-banken/nieuwsbrief-banken-februari-2015/dnb319119.jsp). Nevertheless, the NBB emphasises that it should be informed in advance on how these rules on good practices will be applied in practice (see circular PPB 2004/5 on healthy management practices in outsourcing by credit institutions and investment companies, issued by the Belgian Banking, Finance and Insurance Commission on 22 June 2004, available at www.nbb.be/doc/cp/nl/ki/circ/pdf/ppb_2004_5_circular.pdf, and circular PPB 2006/1 CPA on healthy management practices in outsourcing by insurance companies, issued by the Belgian Banking, Finance and Insurance Commission on 6 February 2006, available at www.nbb.be/doc/cp/nl/vo/circ/pdf/ppb_2006_1_cpa_circular.pdf).
The Belgian Civil Code contains provisions on service contracts (article 1779 ff). These provisions may be relevant for cloud computing services. Other relevant legislation is to be found in the Belgian Code of Economic Law, which contains provisions on distance contracts (Book VI and Book XIV) and information society services, which also contains provisions on the liability of data storage service providers (Book XII).
Article XII.19 of the Code of Economic Law states that where an information society service is provided that consists of the storage of information provided by a recipient of the service, the service provider is not liable for the information stored at the request of a recipient of the service, on the condition that the provider does not have actual knowledge of illegal activity or information and, as regards damage claims, is not aware of facts or circumstances from which the illegal activity or information is apparent; or the provider, upon obtaining such knowledge or awareness, acts expeditiously to remove or to disable access to the information, provided that he or she immediately communicates this to the Public Prosecutor.
Additionally, criminal law provisions in the Belgian Criminal Code and the Code of Criminal Proceedings may also indirectly prohibit, restrict or otherwise govern cloud computing services in Belgium. This includes, for example, a provision on the search in computer systems which can be extended to a computer system or a part thereof that is located in another place other than the place where the search takes place (article 39-bis, article 88-ter and 88-quater).
It should also be noted that other Belgian legislation may, whether or not implicitly, require that certain data remains within the jurisdiction of Belgium, such as article 14 of the Law of 8 August 1983 establishing a National Register of natural persons. However, with regard to the free flow of data across member states within the European Union, the legality or applicability of this kind of data localisation legislation may be uncertain in the future.
Other legislation worth mentioning is the Belgian Income Tax Code (article 315) and the Law of 13 June 2005 on electronic communications, which contains provisions i.a. on the principles applicable to the confidentiality of communications.
In the health sector, the Coordinated law of 10 July 2008 on hospitals and other care facilities was amended in such a way that it does not anymore indirectly prohibit the use of cloud computing services by hospitals. Article 20 section 1 of the Coordinated law of 10 July 2008 now states that the patient file must be kept ‘by’ the hospital, and no longer ‘in’ the hospital. After that, the FPS Public Health has drafted guidelines on this matter which were approved by the Belgian Privacy Commission (the Belgian Data Protection Authority) in Opinion 04/2015 of 25 February 2015 (available at www.privacycommission.be/sites/privacycommission/files/documents/advies_04_2015.pdf).
The Belgian eIDAS law, implementing the eIDAS Regulation (EU) 910/2014 on electronic identification and trust services for electronic transactions in the internal market, may also have indirect consequences for cloud computing in Belgium. It governs, in particular, electronic archiving, which can be very relevant for cloud computing, but it contains also rules on electronic registered mail, electronic seals, electronic signatures, websites authentication, trust service providers and electronic identification schemes.
Back to top