For years, GDPR enforcement in Belgium has largely followed the familiar European model. A regulator investigates. Its litigation chamber issues a decision. The target can appeal. The Market Court then reviews the case and may confirm, annul, or revise the sanction. That model remains intact. But the Belgian authority is now signaling that, in certain serious cases, it will not rely only on administrative proceedings. It will refer select matters to criminal courts or pursue settlements through the public prosecutor’s office.
That is more than a procedural change. It is a message to companies, public bodies, adtech operators, data brokers, employers, and digital platforms that privacy violations in Belgium may no longer be treated as merely regulatory paperwork. In the wrong case, unlawful data processing can become a criminal enforcement problem.
Why Belgium Is Moving Beyond Administrative Fines
The Belgian Data Protection Authority has long had an internal disputes chamber with power to impose GDPR fines and corrective orders. But its decisions can be appealed to the Market Court, a specialized section of the Brussels Court of Appeal that has full jurisdiction to review those decisions.
That appellate structure has created a recurring institutional tension. From the regulator’s perspective, strong enforcement loses much of its deterrent effect if serious privacy violations are later met with symbolic penalties. Belgian officials have publicly expressed frustration with cases in which fines were reduced dramatically, including to nominal amounts.
The issue is not that appellate review exists. Judicial review is essential in any rule-of-law system. The deeper issue is proportionality. Belgian courts have made clear that GDPR sanctions must be proportionate to the facts of the case. The regulator, however, appears to believe that repeated reductions risk sending a different signal: that unlawful personal-data processing can be treated as a manageable cost or, worse, a low-risk inconvenience.
The new criminal-court strategy is therefore best understood as an enforcement-pressure release valve. When the authority believes an administrative fine may not be sufficient to stop problematic processing, it can seek a different route. The stated objective is not simply to collect penalties. It is to end unlawful processing.
The Legal Basis: GDPR Allows Member States to Use Other Penalties
GDPR is often discussed as if it only creates administrative fines of up to €20 million or 4% of global annual turnover. That is incomplete. Article 84 of the GDPR allows EU member states to establish additional penalties for infringements, particularly where those infringements are not already covered by the administrative-fine framework.
Belgium’s national data protection law does exactly that. The Belgian Data Protection Act includes provisions that can attach criminal fines to certain forms of unlawful processing, including processing personal data without a lawful basis and other serious violations of the national data protection framework.
This matters because it changes the enforcement psychology. An administrative fine is a regulatory event. A criminal referral is different. It introduces prosecutors, correctional courts, criminal procedure, possible settlements with the public prosecutor, reputational harm, and more serious board-level scrutiny.
What Types of Cases Could Trigger Criminal Referral?
The Belgian authority has not suggested that every GDPR violation will become a criminal matter. The more likely targets are cases where the alleged conduct is serious, repeated, intentional, harmful, or resistant to ordinary regulatory correction.
The categories most likely to draw attention include:
- Processing personal data without a valid legal basis;
- Continuing unlawful processing after warnings, complaints, or prior enforcement;
- Large-scale profiling or tracking without valid consent or proper transparency;
- Failure to honor data subject rights in a systematic way;
- Misuse of sensitive data, employee data, health data, financial data, or children’s data;
- Data broker or adtech practices built on weak consent chains;
- Public-sector or quasi-public processing that affects large populations;
- Cases where administrative penalties are unlikely to stop the conduct quickly enough.
The most important phrase from the regulator’s public posture is that its priority is to put an end to problematic data processing. That tells companies how to read the shift. The criminal route may be used where the authority sees ongoing harm, not merely historical non-compliance.
Belgium’s Market Court Problem
Belgium’s enforcement story cannot be separated from the Market Court. The court has played an unusually prominent role in shaping Belgian GDPR enforcement because it has the ability to conduct broad review of the authority’s decisions. In some cases, this has favored the DPA. In others, it has constrained it.
The tension became especially visible after cases in which fines were reduced to symbolic amounts. The Belgian Court of Cassation has confirmed that the Market Court has full jurisdiction to review and revise DPA sanctions, including reducing fines where it considers them disproportionate.
From a company’s perspective, this is a meaningful due-process protection. From the regulator’s perspective, it can weaken deterrence. If a business believes a fine may be reduced substantially on appeal, the immediate pressure to change its data practices may decline. Criminal referral gives the DPA a way to bypass part of that dynamic in the most serious cases.
Why This Is a Warning Shot for Adtech, Data Brokers, and Consent Practices
Belgium has already been central to some of Europe’s most important digital advertising privacy disputes. The Belgian DPA’s action against IAB Europe and the Transparency and Consent Framework placed Belgium at the center of debates over real-time bidding, consent strings, controller status, and the legal status of advertising preference signals.
That history matters. Belgium is not just enforcing isolated privacy mistakes. It has shown willingness to scrutinize the infrastructure of online tracking. If criminal referrals become part of the Belgian enforcement playbook, companies involved in consent management, data sharing, advertising identifiers, analytics, profiling, and behavioral targeting should pay close attention.
The risk is not limited to companies headquartered in Belgium. GDPR applies based on the processing of EU personal data and the targeting or monitoring of individuals in the EU. A company with Belgian users, Belgian data subjects, Belgian operations, Belgian customers, or Belgian complaints can find itself within the authority’s practical reach.
The Compliance Lesson: Paper Policies Are Not Enough
The Belgian shift reinforces a broader European trend: regulators are no longer satisfied with privacy programs that exist mostly on paper. A privacy notice, a cookie banner, and a generic data processing agreement will not protect a company if the underlying data flows are unlawful.
The practical question for companies is no longer, “Do we have a privacy policy?” The better question is, “Can we prove that our processing is lawful, transparent, documented, and operationally controlled?”
That proof requires a living compliance system. Companies need to know what data they collect, which cookies and trackers fire, what legal basis applies, whether consent is valid, where data goes, which vendors receive it, how user rights are honored, and whether opt-out signals are actually respected.
What Belgian Criminal Privacy Enforcement Could Mean in Practice
A criminal referral does not mean every case will produce a criminal conviction. It does mean the enforcement posture becomes more serious. Companies may face prosecutor involvement, court-supervised proceedings, criminal settlements, and a more damaging public narrative.
In practical terms, the biggest business risks include:
- Greater executive exposure. Privacy failures that were once handled by legal and compliance teams may now require direct attention from the board, CEO, CFO, and general counsel.
- Higher settlement pressure. A company may be more likely to remediate quickly or settle where criminal procedure is in play.
- More serious reputational damage. Being investigated by a privacy regulator is one thing. Being referred to criminal court for data processing violations is another.
- Stronger leverage for complainants. Privacy activists, consumers, employees, and competitors may point to the criminal-enforcement pathway when filing complaints.
- Less tolerance for repeat violations. Companies that ignore prior warnings, complaints, or corrective orders are likely to face the greatest risk.
How To Avoid a Criminal Complaint over GDPR Privacy Violations
Companies operating in Belgium or processing data about Belgian residents should treat this as a prompt to reassess their privacy controls. The response should not be cosmetic. It should focus on evidence, system design, and operational enforcement.
The most urgent steps are:
- Map all personal-data processing activities and confirm the legal basis for each one;
- Audit cookies, pixels, SDKs, analytics tools, session replay tools, and advertising tags;
- Confirm that consent is collected before non-essential tracking begins;
- Review whether consent logs are complete, exportable, and defensible;
- Test whether opt-outs, withdrawals of consent, and Global Privacy Control-style signals are honored in practice;
- Review vendor contracts and data processing agreements for actual data flows, not just template language;
- Document DPIAs for high-risk processing, especially profiling, sensitive data, employee monitoring, or children’s data;
- Make sure data subject access, deletion, objection, and rectification requests are handled within legally required timelines;
- Preserve evidence of remediation when a problem is discovered.
Why Automated Privacy Operations Matter
This is where privacy operations platforms become important. A company cannot credibly defend its GDPR posture if it cannot show what trackers are active, what consent state applied, what vendors received data, and how user rights were fulfilled.
Captain Compliance is built for this type of operational privacy environment. Its consent management, cookie scanning, DSAR automation, opt-out workflows, privacy assessments, and adaptive notice infrastructure help companies move from static compliance documents to live compliance controls. For businesses exposed to GDPR, Belgian enforcement, adtech scrutiny, or cross-border privacy risk, that operational layer is increasingly essential.
In the Belgian context, the key value is defensibility. Companies need to show that they did not merely claim compliance. They implemented it, monitored it, and corrected issues when they appeared.
Belgium’s Move Fits a Larger European Pattern
Belgium is not acting in a vacuum. Across Europe, regulators are becoming more willing to challenge business models built on opaque data collection, weak consent, excessive retention, and undisclosed sharing. The difference in Belgium is the explicit willingness to move certain cases into criminal enforcement channels.
That makes Belgium a jurisdiction to watch. If the approach produces faster remediation or stronger settlements, other regulators may study the model. Even if criminal referrals remain rare, their existence changes the compliance calculus.
For years, many companies treated GDPR enforcement as a financial-risk exercise: estimate the likelihood of a fine, estimate the likely amount, and decide whether remediation is worth the cost. Belgium’s new posture attacks that logic. The risk is no longer just a fine. It is escalation, court exposure, prosecutorial involvement, and a public accusation that unlawful data processing was serious enough to warrant criminal treatment.
Work With Captain Compliance to Avoid Criminal Privacy Actions
Belgium’s decision to send certain privacy cases to criminal courts is one of the more important GDPR enforcement developments in Europe. It reflects frustration with symbolic fines, a desire for stronger deterrence, and a recognition that some data processing violations cannot be solved through administrative penalties alone.
For companies, the lesson is direct: privacy compliance must be real, provable, and operational. Regulators are looking past policies and into systems. If personal data is being collected, tracked, sold, shared, profiled, or retained without a defensible legal basis, Belgium’s new approach raises the stakes.
The GDPR era is moving from paperwork compliance to enforcement reality. Belgium may be showing what that next phase looks like.
