Belgian data watchdog targets adtech with sweeping enforcement strategy

The Belgian Knowledge Safety Authority revealed its 2026-2028 strategic framework following public session in November 2025, establishing two precedence themes for enforcement. The primary targets large-scale knowledge processing operations presenting excessive dangers to citizen rights and freedoms. The second focuses solely on processing minors’ private knowledge.

These priorities sign intensified scrutiny for promoting know-how corporations, programmatic platforms, and knowledge brokers working throughout European markets. The strategic doc identifies promoting know-how processing, cross-border knowledge sharing amongst knowledge brokers, and large-scale profiling programs as examples falling inside enforcement scope.

The authority manages oversight of knowledge safety enforcement in Belgium alongside 4 different specialised directorates dealing with preliminary complaints, legislative advisory capabilities, and common administration. The contentious chamber points binding selections together with administrative fines for GDPR violations.

Grievance volumes elevated 20% from 694 in 2023 to 837 in 2024. Knowledge breach notifications rose from 1,292 to 1,455 throughout the identical interval. Inspection instances jumped from 86 to 157 year-over-year. The litigation chamber maintained regular output at 173 selections in 2024 in comparison with 171 in 2023.

Funds constraints compound rising caseloads. Belgium’s parliamentary accounting fee lately froze recruitment credit for personnel growth by 2029. The authority employs roughly 90 workers members supported by 18 exterior specialists from an professional reserve established to complement inner capabilities.

Prioritization turns into important beneath these useful resource limitations. The strategic plan establishes frameworks for allocating enforcement capability towards instances with vital societal affect somewhat than trying complete investigation of each violation.

The authority restructures grievance dealing with by expanded mediation carried out by its frontline service. This method resolves easy disputes with out formal enforcement proceedings when attainable. Instances failing mediation advance to investigation or direct adjudication relying on complexity and affect assessments.

Conventional grievance processing concerned sequential overview by frontline consumption, investigative providers, and the litigation chamber for many instances. The reformed workflow permits frontline workers to shut issues by settlement or ahead instances on to adjudication when investigation provides minimal worth.

Investigation experiences will think about factual violation findings somewhat than authorized evaluation. This division of duty permits investigators to give attention to proof gathering utilizing statutory powers whereas the litigation chamber handles authorized interpretation and sanction determinations.

Data requests obtain differentiated therapy beneath the brand new framework. The authority acknowledges authorized obligations don’t require particular person responses to each inquiry submitted by residents and knowledge processors. Assets shift towards complete steerage supplies, thematic publications, and focused sector outreach somewhat than personalised recommendation.

The reallocation creates capability for proactive enforcement much less depending on reactive complaint-driven investigations. Grievance-driven fashions restrict authority initiative in figuring out systemic violations or rising compliance dangers requiring regulatory consideration earlier than citizen complaints accumulate.

Cross-border cooperation intensifies by bilateral preparations with different member state authorities and coordinated actions by the European Knowledge Safety Board. Belgium’s authority commits workers from all 5 directorates to EDPB participation somewhat than limiting engagement to particular items.

The Transparency and Consent Framework faced enforcement from Belgian authorities in 2022, with IAB Europe fined €250,000 for GDPR violations associated to consent string processing. Belgian courts subsequently limited IAB Europe’s joint controllership obligations whereas sustaining violation findings.

Legislative advisory capabilities shift towards selective detailed evaluation for laws presenting vital interference with elementary rights or enabling substantial enhancements by technical suggestions. Standardized steerage accompanies different regulatory consultations somewhat than personalized opinions for every submission.

The authority tasks receiving expanded obligations beneath European regulatory developments together with the AI Act, Knowledge Act, European Well being Knowledge Area regulation, and Digital Providers Act. Nationwide implementation of those frameworks will decide particular Belgian DPA roles past baseline GDPR enforcement.

AI Act implementation includes regulatory sandbox improvement and potential market surveillance obligations for high-risk programs. The authority maintains GDPR enforcement authority for AI system improvement and deployment no matter market surveillance assignments.

Knowledge Act provisions set up notification necessities and supervision mandates for the Belgian DPA. Knowledge Governance Act nationwide implementation includes collaboration between financial affairs authorities and knowledge safety oversight. NIS 2 directive transposition assigns further coercive capabilities associated to cybersecurity breaches.

Advisory opinions think about normative texts establishing knowledge processing frameworks somewhat than particular person processing operations. The authority strengthens its consultative relationship with legislators to form future mandates enabling efficient prioritization somewhat than accepting all assignments no matter feasibility.

Authorization selections obtain enhanced technical experience allocation. The cybersecurity area significantly requires speedy turnaround as public authorities can’t proceed with processing operations pending approval or rejection determinations.

Knowledge breach notification dealing with implements stronger prioritization filters. New case administration programs allow automated processing for low-impact incidents whereas concentrating analytical sources on breaches presenting vital societal penalties.

Codes of conduct obtain strict utility assessments earlier than Belgian DPA funding. Business frameworks should show concrete compliance enhancements past restating GDPR necessities. The authority could proactively have interaction sectors the place codes would deal with particular processing challenges.

European Knowledge Safety Board guideline improvement receives desire over national-only positions. Belgian DPA enhances EDPB participation to affect shared requirements relevant throughout member states somewhat than sustaining remoted nationwide interpretations.

Cookie consent mechanisms have drawn repeated Belgian enforcement towards media corporations. Mediahuis confronted corrective orders in September 2024 for consent interface violations together with insufficient reject choices and deceptive design parts. Comparable proceedings advanced against DPG Media in February 2025 following noyb complaints about cookie practices.

Cooperation protocols set up formal relationships with Belgium’s competitors authority concerning Digital Markets Act enforcement and accreditation our bodies for certification schemes. Digital Providers Act and Knowledge Act implementation will formalize collaboration with telecommunications regulators.

Federal knowledge safety supervisor coordination continues by current mechanisms. Regional authority cooperation stays contingent on GDPR compliance by regional entities and legislative framework completion by competent regional lawmakers.

Stakeholder engagement expands by sustained relationships with business sectors, civil society organizations, and knowledge safety officers. The authority considers DPOs precedence audiences given their organizational affect over compliance practices.

The shift towards large-scale processing enforcement impacts hospital well being knowledge programs, banking and insurance coverage profiling operations, reservation platforms, common practitioner file programs, tax databases, promoting know-how infrastructures, and knowledge dealer networks in keeping with strategic doc examples.

Minor knowledge processing receives devoted consideration reflecting vulnerability issues in digital environments. Younger folks expertise steady knowledge assortment, sharing, and evaluation typically with out comprehension of implications. The authority frames present safety efforts as empowerment enabling future generations to develop applicable knowledge safety reflexes.

Balanced safety acknowledges knowledge safety rights require weighing towards different elementary rights and legit financial or social pursuits. The authority rejects absolutist interpretations whereas sustaining that safety prevents discrimination, exclusion, identification fraud, and psychological or bodily hurt.

Clear operations contain public disclosure of priorities, positions, and useful resource utilization. The strategic plan itself demonstrates dedication to exterior accountability concerning goal setting and implementation approaches.

Impartial authority values stay paramount. The structure and GDPR prohibit exterior affect or instruction acceptance throughout mission execution and energy train. No Belgian DPA selections replicate political strain or business lobbying in keeping with organizational values.

Proactive orientation includes steady evaluation, anticipation, and strategic planning concerning technological and regulatory developments. Enhanced prioritization creates capability for forward-looking enforcement somewhat than purely reactive grievance processing.

Experience positioning establishes the authority as Belgium’s knowledge safety data middle serving residents, knowledge safety officers, organizations, media, policymakers, and legislators by various communication channels.

Effectivity maximizes restricted useful resource affect by clear prioritization, focused work approaches, clear buildings, outlined processes, and logical function distributions throughout the 5 directorates.

Analysis happens at plan conclusion in late 2028 with potential orientation updates based mostly on implementation expertise and adjusted circumstances.

Timeline

Abstract

Who: Belgium’s Knowledge Safety Authority, using roughly 90 workers throughout 5 directorates (Frontline Service, Inspection Service, Litigation Chamber, Authorization and Advisory Service, Common Secretariat) supported by 18 exterior specialists, working beneath a administration committee directing strategic coverage and coordinating cross-directorate actions.

What: A strategic framework establishing prioritization and collaboration as elementary ideas for 2026-2028, concentrating on large-scale knowledge processing presenting excessive dangers to rights and freedoms plus minors’ private knowledge processing, whereas restructuring grievance dealing with by expanded mediation, selective investigation, differentiated data responses, and enhanced cross-border cooperation amid recruitment freezes limiting personnel growth.

When: Revealed December 23, 2025, following November 2025 public session, overlaying implementation interval from 2026 by 2028, with analysis and potential updates scheduled for late 2028, working beneath recruitment constraints extending by 2029 per parliamentary accounting fee resolution.

The place: Belgium, exercising jurisdiction over knowledge controllers and processors working inside Belgian territory or concentrating on Belgian knowledge topics, collaborating in European Knowledge Safety Board actions affecting cross-border enforcement coordination, and establishing cooperation protocols with Belgian competitors authorities, accreditation our bodies, telecommunications regulators, and fellow federal and regional supervisory our bodies.

Why: Rising caseloads together with 837 complaints in 2024 (up 20% from 2023), 1,455 knowledge breach notifications, 157 inspection instances, and 173 litigation selections mixed with frozen recruitment budgets necessitate strategic prioritization enabling most societal affect from restricted sources whereas adapting to increasing obligations beneath AI Act, Knowledge Act, European Well being Knowledge Area, Digital Providers Act implementation requiring sustainable enforcement approaches balancing reactive grievance processing towards proactive risk-based supervision.