Can the Data Protection Authority set its own rules?

In a ruling of 18 December 18 (No. 119/2025), the Constitutional Court tightened the limits of the Data Protection Authority's (DPA) regulatory autonomy. While the GBA, as an independent regulator, plays a crucial role in protecting our personal data, the Court ruled that it is not completely free to set its own procedural rules. The legislature must draw the essential chalk lines itself, especially when citizens' rights are at stake.

The facts and legal context

The case originates form a law of 25 December 2023 , which was intented to strengthen the functioning and independence of the Data Protection Authority (DPA) . The DPA is the Belgian supervisory regulator that, within the framework of the European General Data Protection Regulation (GDPR), monitors the correct processing of our personal data.

The new law gave the GBA the power to create its own "additional procedural rules" in a set of internal rules of procedure. These included crucial aspects such as the conditions for the admissibility of a complaint, the dismissal of a case, the position of the complainant and even the use of language. The non-profit organization Ligue des droits humains challenged this far-reaching delegation of powers before the Constitutional Court, fearing that it would undermine the legal protection of citizens.

Constitutional Court's decision

The Court largely follows the reasoning of the applicant and annuls an important part of the law..

The core of the judgment revolves around the principle of legality, enshrined in Article 22 of the Constitution, which protects the right to respect for private life. The Court states that when this fundamental right is at stake, the legislature itself must determine the "essential elements" of the regulation. This core task cannot simply be left to an independent administrative authority, no matter how specialized.

Specifically, the Court ruled that the legislature had remained too vague and failed to define the essential elements for topics such as:

• The admissibility of a complaint or report.
• The mediation process.
• The possibility of filing a case without action (dismissal) and deciding it based on opportunity considerations.
• The exact position of the plaintiff and the defenses he can raise.
• The rules around language in procedures.
• Monitoring and compliance with measures imposed by the DPA.

By leaving these powers to the DPA without a clear legal basis, the legislature violated the principle of legality. In order to avoid chaos and legal uncertainty, the Court does maintain the effects of the nullified provisions until the legislature develops a new, correct law, with a deadline of 31 December 2026.

Other complaints, such as those against the shortened deadlines for the GBA to issue opinions or the possibility of calling on external experts, were rejected by the Court..

Legal analysis and interpretation

This judgment is a textbook example of the tension between functional decentralization and the principle of legality. On the one hand, it is logical and even necessary that a highly technical matter such as data protection is overseen by a specialized and independent body such as the GBA. The AVG also requires this. On the other hand, the Constitutional Court reminds us that such independence is not a licence to ignore the foundations of our rule of law.

The democratically elected legislature remains the guardian of fundamental rights. When rules have a direct impact on citizens' rights - such as the ability to file a complaint and see it dealt with - the basic principles must be enshrined in a law. Establishing the conditions of admissibility of a complaint is not a mere technical detail of internal organization; it determines the citizen's access to an effective remedy.

The Court thus confirms the crucial role of the Council of State, Legislative Section, which had warned of this problematic delegation of power in its prior opinion. The ruling underlines that the legislator cannot simply disregard such warnings. The ruling shows that although the GDPR creates a framework, its implementation in Belgian law must always be done with respect for national constitutional principles, such as the supremacy of law.

What this specifically means

• For citizens and organizations: In time, this ruling will lead to greater legal certainty. The conditions and procedures for filing a complaint with the DPA will have to be more clearly enshrined in the law itself. This will strengthen the position of the complainant and make the procedure more predictable and transparent.
• For the Data Protection Authority: The GDPA sees its regulatory autonomy curtailed. It will have to wait for a new legal framework to regulate the procedural aspects that have been overturned. Its core supervisory functions will remain unchanged, but the way it organizes procedures will be driven more strongly by the law.
• For the legislature: Parliament is given the clear task of doing its job again. It must draft a new law that does detail the "essential elements" of DPA procedures. This is an important lesson about the limits of delegating regulatory power to independent agencies.

FAQ (Frequently Asked Questions)

What is the principle of legality in Article 22 of the Constitution?
This principle means that interference with the right to private life (including the protection of personal data) is only allowed if it is based on a sufficiently clear and accessible law. The legislature itself must set the basic rules and cannot leave this entirely to another body.

Does this ruling immediately change the procedures at the DPA?
No, not immediately. The Constitutional Court has temporarily upheld the consequences of the annulled rules until 31 December 2026, at the latest. This gives the legislature time to create a new law and avoids a legal vacuum. Thus, ongoing and new proceedings can continue under the existing rules for the time being.

Why is the DPA not allowed to make its own rules completely autonomously?
Because the DPA, although independent, is part of the executive branch and is bound by the Constitution. The Constitution requires that the essential rules affecting the rights of citizens must be established by the democratically elected legislature (Parliament). This is a fundamental safeguard in our rule of law.

Conclusion

The Constitutional Court's 119/2025 ruling is an important reminder of the hierarchy of standards in Belgium. It confirms that the efficiency and specialization of an independent authority such as the DPA cannot take precedence over the fundamental legal guarantees for citizens. The ball is now in the legislator's court to create a balanced and constitutionally sound framework for the procedures at our data protection authority.