In addition to the previous question, there is also Belgian legislation applicable to cloud computing services that may indirectly prohibit, restrict or otherwise govern cloud computing services.
This kind of legislation includes, first of all, legislation on data protection, such as the European General Data Protection Regulation (GDPR), which has been directly applicable since 25 May 2018. A cloud provider will typically act as a processor of personal data, which means that a data processing agreement has to be concluded.
Also, legislation on outsourcing in the financial sector in the Law of 11 March 2018 (replacing the Law of 21 December 2009) on the statute and supervision of payment institutions and the institutions for electronic currencies, the access to the company of the payment services provider and the activity of issuance of electronic money and the access to payment systems, may affect cloud computing services. In this regard, cloud computing services are subject to the same principles as traditional outsourcing in the financial sector. Cloud computing is not directly addressed by the Law of 11 March 2018, but the National Bank of Belgium (NBB) stated in its communication of 9 October 2012 that cloud computing is considered a type of outsourcing.
The same communication of the NBB states that the circulars dealing with outsourcing, which establish rules on good practices, will remain applicable. Subsequently, the communication states that, in principle, there is no prior authorisation by the NBB required for outsourcing (in contrast to De Nederlandsche Bank in the Netherlands: see www.dnb.nl/nieuws/dnb-nieuwsbrieven/nieuwsbrief-banken/nieuwsbrief-banken-februari-2015/dnb319119.jsp). Nevertheless, the NBB emphasises that it should be informed in advance on how these rules on good practices will be applied in practice (see circular PPB 2004/5 on healthy management practices in outsourcing by credit institutions and investment companies, issued by the Belgian Banking, Finance and Insurance Commission on 22 June 2004, available at www.nbb.be/doc/cp/nl/ki/circ/pdf/ppb_2004_5_circular.pdf, and circular PPB 2006/1 CPA on healthy management practices in outsourcing by insurance companies, issued by the Belgian Banking, Finance and Insurance Commission on 6 February 2006, available at www.nbb.be/doc/cp/nl/vo/circ/pdf/ppb_2006_1_cpa_circular.pdf). Recently, the NBB has issued a new circular (NBB_2019_19) implementing the guidelines issued by the European Banking Authority (EBA) on outsourcing. These guidelines will apply from 30 September 2019 and clarify the NBB’s approach with regard to less significant institutions, non-EEA branches, payment and electronic money institutions. From 31 December 2021, when this circular becomes applicable to all outsourcing agreements, circulars PPB_2004/5 and NBB_2018_20, communication NBB_2012_11 and the CBFA communication of 5 November 2007 will no longer be applicable.
The Belgian Civil Code contains provisions on service contracts (article 1779 ff). These provisions may be relevant for cloud computing services. Other relevant legislation is to be found in the Belgian Code of Economic Law, which contains provisions on distance contracts (Book VI and Book XIV) and information society services, which also contains provisions on the liability of data storage service providers (Book XII), as well as new provisions introduced by the Law of 4 April 2019 in Book VI of this Code concerning unfair clauses in a B2B relationship that may create an imbalance between the rights and obligations of contracting parties and the abuse of a dependency between the parties. The latter law may have an impact on liability clauses and clauses concerning unilateral modification of contracts that are common in cloud computing contracts.
Article XII.19 of the Code of Economic Law states that where an information society service is provided that consists of the storage of information provided by a recipient of the service, the service provider is not liable for the information stored at the request of a recipient of the service, on the condition that the provider does not have actual knowledge of illegal activity or information and, as regards damage claims, is not aware of facts or circumstances from which the illegal activity or information is apparent; or the provider, upon obtaining such knowledge or awareness, acts expeditiously to remove or to disable access to the information, provided that he or she immediately communicates this to the Public Prosecutor.
Additionally, criminal law provisions in the Belgian Criminal Code and the Code of Criminal Proceedings may also indirectly prohibit, restrict or otherwise govern cloud computing services in Belgium. This includes, for example, a provision on the search in computer systems, which can be extended to a computer system or a part thereof that is located in a place other than the place where the search takes place (article 39-bis, article 88-ter and 88-quater).
It should also be noted that other Belgian legislation may, whether or not implicitly, require that certain data remains within the jurisdiction of Belgium, such as article 14 of the Law of 8 August 1983 establishing a National Register of natural persons. However, with regard to the free flow of data across member states within the European Union, the legality or applicability of this kind of data localisation legislation may be uncertain in the future.
Other legislation worth mentioning is the Belgian Income Tax Code (article 315) and the Law of 13 June 2005 on electronic communications, which contains provisions i.a. on the principles applicable to the confidentiality of communications.
In the health sector, the Coordinated law of 10 July 2008 on hospitals and other care facilities was amended in such a way that it no longer indirectly prohibits the use of cloud computing services by hospitals. Article 20 section 1 of the Coordinated law of 10 July 2008 now states that the patient file must be kept ‘by’ the hospital, and no longer ‘in’ the hospital. Subsequently, the FPS Public Health drafted guidelines on this matter, which were approved by the Belgian Privacy Commission (now called the Belgian Data Protection Authority) in Opinion 04/2015 of 25 February 2015 (available at www.privacycommission.be/sites/privacycommission/files/documents/advies_04_2015.pdf).
The Belgian eIDAS law, implementing the eIDAS Regulation (EU) 910/2014 on electronic identification and trust services for electronic transactions in the internal market, may also have indirect consequences for cloud computing in Belgium. It governs, in particular, electronic archiving, which can be very relevant for cloud computing, but it also contains rules on electronic registered mail, electronic seals, electronic signatures, website authentication, trust service providers and electronic identification schemes.
It should also be noted that the Belgian Data Protection Authority mentions on its website that the Authority is preparing two documents on cloud computing: an opinion on ‘the risks and deployment of unfolding the cloud strategy at the level of public services, including the Federal Police and Defence’ and a recommendation on cloud computing targeting companies. The public sector opinion will enable public authorities to make an informed decision about how to use cloud computing to perform their tasks. The private sector opinion will include legal guidelines, as well as information security guidelines. Among other things, the issue of server locations will be discussed. In addition, the Authority will determine who is responsible for processing for each stage where data is placed ‘in the cloud’ (source: Belgian Data Protection Authority, https://www.gegevensbeschermingsautoriteit.be/cloud-computing). Since these opinions are not yet available, it is not yet clear whether this will indirectly restrict cloud computing services in Belgium.