
Frederik Van Remoortel is a partner in the Brussels office of Crowell & Moring and has been admitted to the Brussels bar since 1998. He joined Crowell & Moring in 2001.

Frederik focuses on corporate, commercial, data protection, and labor & employment law.

Frederik regularly assists international companies in setting up, operating, and restructuring their business in Belgium. This includes corporate transactional matters including acquisitions, mergers, joint ventures, and other collaborative arrangements, as well as general corporate counseling.

The European Commission introduced the draft General Data Protection Regulation (GDPR) in January 2012. The GDPR seeks to harmonize legislation across the EU member states, replacing the 1995 EU Directive and the varying national laws that have implemented this Directive.

The European Parliament formally adopted its compromise text for the proposed GDPR back in March 2014. The Council of Ministers is expected to adopt its general approach to the Regulation during its June 15/16 meetings in Luxembourg. If it does so, the first meeting for the so-called “trilogue” negotiations between the Commission, the Parliament and the Council with a view to agreeing on a final text for the GDPR is scheduled for June 24. It is expected that, if all goes well, these negotiations will continue until the end of the year. Even after that, the new rules will only become effective two years later — so at the earliest by the end of 2017.

As so many stakeholders have been negotiating the draft GDPR for more than three years now, various components of the draft have found a way to reach a larger audience, notably national decision makers.

That is also why, although we may have to wait for quite some time before new EU rules become effective, we are increasingly seeing national legislators introduce the new concepts and obligations themselves, without waiting for the GDPR. This trend is also driven by recent events such as the Snowden revelations and the issues around the Facebook social plug-ins.



This morning, I went to a seminar organized by the Belgian Data Protection Authority during which the new “Belgian Cyber Security Guide” was introduced.

The guide is an initiative from the ICC Belgium, the Federation of Enterprises in Belgium, B-CCentre (Belgian Cybercrime Centre of Excellence for Training, Research & Education), Isaca, E&Y and Microsoft, with the support of the EU Commission.

The President of the Federation of Enterprises in Belgium, who actually took the first step for the drafting of this guide, mentioned in his speech that the guide is the result of a demand from Belgian companies for a practical guide on cyber security.

The goal of the guide is to inform the boardroom and higher management about Cyber Security, its key risks and principles and must-do actions.

The July 2000 Safe Harbor agreement between the United States and Europe concerning cross-border data flows is one of the key regulatory structures governing how organizations can collect, store, move, and use the massive amount of personal data generated in our interconnected world. Fourteen years after its inception, the agreement is under increasing strain from the rapid pace of technological innovation, high-profile breaches of consumer data, and the continued fallout from the Edward Snowden revelations. The EU and U.S. are in the process of updating the original agreement to reflect these new concerns. The implications for organization data operations and privacy policies could be significant, creating new regulatory structures and demanding new procedures and safeguards.

With initial approval in the European Parliament civil liberties committee (the so-called LIBE Committee), the EU is moving ahead with overhauling its existing 15-year-old Data Protection Directive, replacing it with the General Data Protection Regulation (GDPR). The European Commission introduced the draft GDPR in January 2012 and seeks to harmonize regulations across the 28 member-states, replacing varying national laws with a single, consistent regulation on data handling and individual rights.

This new regime could fundamentally change the privacy and data transfer practices of every large company operating in Europe or offering goods or services to data subjects in Europe, the flows of data within financial services and other firms, and the business practices underlying internet products, cloud computing, or social networks offered to European consumers.

In January 2012, the European Commission published its proposal for a general Regulation on data protection, which would apply directly in all EU Member States (see our newsletters from February 28, 2012, July 12, 2012, and January 22, 2013). The new Regulation should replace the current Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data and the various national laws implementing this Directive.

The Commission’s proposal has meanwhile been extensively discussed within the European Parliament and the Council; thousands of suggested amendments to the original text have been made, and lobbyists and interest groups are working overtime.

Apps on mobile devices collect large quantities of data from the device and process these (i) in order to provide services to the end-user, but also (ii) for other purposes that are often unknown or unwanted by the end-user. Many of the data processed, such as location data, contact data, unique device and customer identifiers, credit card and payment data, browsing history, pictures, videos, etc., are personal data under EU data protection laws.

The various parties involved in the development and commercialization of mobile apps (or other mobile applications) are often unaware of their obligations under data protection law. These parties include app developers, app owners, app stores, operating system and device manufacturers and other third parties that may be involved in the collection and processing of personal data from smart devices.

As I have previously written, in January 2012 and July 2012, the EU Commission has proposed a comprehensive reform of existing EU data protection rules, including a draft for a new Data Protection Regulation.

This proposal is the subject of the ordinary legislative procedure, which means it is under review by both the Council and the European Parliament as the draft has to be approved by both the European Parliament and the Council in order to become law.

The Committee for Civil Liberties, Justice and Home Affairs (LIBE) has been appointed as the main committee with responsibility for the draft Regulation in the European Parliament. LIBE has already published three working documents and has published a calendar with dates of several meetings, workshops, and hearings that will be organized until the vote in plenary. The current agenda, aiming at an orientation vote within LIBE by March/April 2013, can be found here. MEP Jan Philipp Albrecht, rapporteur for LIBE, has meanwhile published a draft report holding more than 200 pages of suggested amendments to the proposed Regulation, which can be found here. A second exchange of views will be held on the draft report in the LIBE meeting on January 21, 2013. Without entering into the details at this stage – as the report is still not final – the report (with some exceptions) does not seem to take into account criticism and concerns of businesses with respect to the draft Regulation and, if adopted, the amendments will make the new regime even stricter for businesses. It is still anticipated that by the summer of 2013, the Regulation should be ready for a trilogue with the Council and the Commission, and that the Regulation shall be put to a vote in the plenary session of the European Parliament by early 2014.