May a social inspector confiscate and read your smartphone?

Smartphones are increasingly being scrutinized during an audit by the NSSO, the NEO or the Social Law Supervision Department. On these devices are payroll data, schedules and communications with employees - but equally private conversations, photos and location data that have nothing to do with social legislation. Can a social inspector seize such a device without question and search the data on it? The Social Penal Code indeed provides broad powers to search, examine and seize information carriers, but since the Court of Justice's Landeck ruling of Oct. 4, 2024, the question of whether those powers are still sufficient without the prior intervention of a judge or independent authority has become an open question. The Social Intelligence and Investigation Service (SIOD) is currently conducting an internal reflection on this.

What the Social Penal Code allows today

Social inspectors have an arsenal of powers to access digital data. Pursuant to Art. 28 Soc.Pc., they may obtain any data carrier containing social data - or data that must be created, maintained or retained under the legislation - if it is located at the workplace or can be accessed electronically from that location.

When the data is located in a computer system or other electronic device, art. 31 Soc.Pc. provides for a right to electronic access, physical access to the hardware, and the right to download and use data. That obligation extends to data physically located abroad but accessible from the Belgian workplace - think cloud services such as OneDrive, Google Drive or an external accounting application. A smartphone, usually permanently connected to such accounts, falls within the broad legal concept of ‘electronic device.

In case of danger of disappearance or alteration of information carriers or the data stored thereon, or when it is necessary for evidence, the inspectors may, pursuant to art. 35 Soc.Pc., seize or seal the information carrier itself, regardless of whether the employer or a third party is the owner. Any search, investigation or seizure measure must be the subject of a written determination pursuant to art. 53 Soc.Pc., under penalty of nullity. This nullity sanction is expressly enshrined in art. 2, § 5 Law June 2, 2010 containing provisions of social criminal law.

What is striking: nowhere does the Social Penal Code require prior intervention by a judge or independent authority for an ordinary workplace. Only the search of occupied premises is subject to authorization by the investigating judge. However, the inspector must comply with the principles of legality, finality and proportionality, and the action must not be an undirected search (“fishing expedition”).

The Court of Justice ruling of October 4, 2024

In the case Landeck (C-548/21), the Court of Justice, in Grand Chamber, examined an Austrian criminal case. The police had seized the individual's smartphone as part of a drug trafficking investigation. Several police officers had then attempted - without any authorization from the prosecution or a judge - to unlock and read the device. The person concerned was not informed of this at any time; he only learned of it during the legal proceedings he himself had initiated.

The Court held that such acts fall within the scope of Directive 2016/680, the so-called Police Directive on Data Protection in Criminal Proceedings. The Court uses a very broad interpretation of the term “processing”: manipulating a device in order to extract and access the personal data stored therein also counts as processing, even if the access attempt fails for technical reasons.

Access to the data on a smartphone, depending on the content and choices made, can cover a very wide range of personal data and allow extremely precise conclusions about the private life of the person concerned. This interference with the fundamental rights to respect for private life and to the protection of personal data the Court qualifies as “serious,” and even “particularly serious” where appropriate.

To this, the Court attaches two fundamental safeguards. First, access must be subject to prior review by a judicial or independent administrative authority. Except in a duly justified emergency - which must then be reviewed within a short period of time - that review must take place before any attempt to obtain access. In addition, the data subject must be informed of the grounds on which consent is based as soon as that information no longer compromises the ongoing investigation. A national rule that would generally exclude any right to information is contrary to Union law.

The Court adds that the possibility of access is not limited to serious crime, but it is up to the national legislator to define the relevant criteria (nature of the offence, categories of offences) while respecting the principle of proportionality.

Why this ruling carries over to social inspection

Landeck was about police officers in a criminal investigation, not social inspectors in an audit of the NSSO or the Social Laws Supervision. The implications of the ruling for the police search of a smartphone we discussed earlier in a separate post; this blog is about the knock-on effect to social inspection. And that knock-on is inevitable for several reasons.

Social inspectors often act in a hybrid context. They perform administrative supervision of compliance with social legislation - a processing that in principle falls under the General Data Protection Regulation (GDPR) - but their findings can lead directly to criminal prosecution by the labor auditorate. Moreover, social inspectors appointed by the King are vested with the capacity of judicial police officer, assistant public prosecutor and labor auditor (Art. 50 Soc.Pc.). When a social inspector reads a smartphone for the purpose of a subsequent criminal prosecution, it is defensible that he acts as a “competent authority” within the meaning of Directive 2016/680 and that Landeck applies directly.

For purely administrative surveillance, the processing falls under the GDPR, not the Police Directive. But even there, respect for private life and protection of personal data are fundamental rights enshrined in Union law (Articles 7 and 8 Charter of Fundamental Rights of the European Union). The Court's reasoning in Landeck - that access to a smartphone can expose a “very wide range of personal data” and allow “extremely precise inferences” about private life - does not lose its force when the readout takes place in an administrative context. Whether the prior review imposed therein can be extrapolated beyond the strictly criminal context is at present an argumentative, not a settled conclusion.

In addition, the case law of the European Court of Human Rights also points in the same direction. In its ruling of March 14, 2013 in the case Bernh Larsen Holding AS and others v. Norway (no. 24117/08), the Court considered the copying of data on a company server by the tax authorities to be compatible with Article 8 ECHR, but only because sufficient procedural guarantees were present: prior notification of the company, presence of a representative at the time of the seizure and destruction of the data at the end of the investigation. The same notion of proportionality and finality is ingrained in Belgian social procedural law: art. 19 Soc.Pc. explicitly obliges social inspectors to ensure that the means they use are appropriate and necessary for monitoring. An unfocused search - in practice called a fishing expedition - is difficult to reconcile with this legal duty of proportionality. The prior review imposed by Landeck can be read as the concretization of those safeguards for today's digital reality.

Therefore, the SIOD, which serves as the umbrella for the federal social inspection services, is currently conducting an internal analysis and reflection on the concrete implications of Landeck for inspection practices. A consent form for the consultation of information carriers has already been made available to the inspection services, but the question of whether this form meets the Landeck requirements - and in particular the requirement of prior external review - has not been answered. Consent of the data subject and prior review by an independent authority are not legally synonymous.

Specifically, what will change?

For the audited employer or self-employed. When a social inspector wants to inspect or seize the smartphone, such access need not be granted unconditionally. It is wise to have a written record of exactly what the request covers, what social data is hoped to find, and whether the inspector has prior review by a judge or independent authority. An indiscriminate reading of a smartphone - private communications, photos, browser history, location data - is difficult to reconcile with the principle of proportionality as interpreted by Landeck. At the same time, physical resistance is not an option: active obstruction of surveillance can be punishable under Art. 209 Soc.Pc. The proper reflex is to request documentation and formulate written reservations.

For the employee whose device is being read. An employee is a third party data subject within the meaning of Directive 2016/680 and the GDPR. He is entitled to information about the processing of his personal data as soon as such information no longer compromises the supervision. The fact that the employer voluntarily handed over the smartphone to the inspection does not affect the employee's own rights as a data subject.

For the attorney handling the case. Appeals are two-track. Investigative seizure and sealing measures can be appealed to the president of the labor court under Art. 2 Law June 2, 2010. Measures carried out in violation of legal conditions are void by operation of law. In subsequent criminal proceedings, the nullity of evidence obtained in this way can be argued before the criminal court, using the Antigone test as an evidence exclusion framework. An argument explicitly relying on Landeck is far from hopeless under that test today.

Frequently Asked Questions

Does a social inspector need a court order to view a smartphone?
In the workplace today, the Social Penal Code does not expressly provide for such an authorization requirement - there, in principle, the inspector's own powers suffice. For occupied premises, however, authorization from the investigating judge is required. As for access to the smartphone itself, since Landeck it has been defended that a prior review by a judge or independent authority is necessary, at least when the device contains personal data, the reading of which constitutes a serious interference with private life. The Belgian legislature has not yet explicitly regulated this point.

Is it permissible to refuse to provide the access code or biometric unlock?
The Social Penal Code requires employers, their appointees or agents to provide effective access to computer systems. Those who refuse risk a report for obstructing surveillance (art. 209 Soc.Pc.). At the same time, an unconditional duty to decrypt runs up against the right to remain silent and the right not to incriminate oneself. This tension is best assessed on a case-by-case basis, especially when a criminal prosecution is imminent.

What if the inspection has already copied data from a smartphone?
Then an opposition can be filed as soon as possible with the president of the labor court pursuant to art. 2 Law June 2, 2010. The return and destruction of the data can be requested, and - in ongoing or subsequent criminal proceedings - the annulment of the evidence thus obtained. In this regard, it is essential to carefully preserve every written finding and registered mail: without these documents, the controlled is procedurally weaker.

Conclusion

At first glance, the powers of social inspectors to confiscate and read smartphones appear to be firmly anchored in the Social Penal Code. However, the Landeck ruling introduces a safeguard that does not leave Belgian practice untouched: a prior review by a judge or independent authority and a right to information from the person concerned. How the SIOD, the legislature and the Belgian courts will translate these requirements into concrete inspection practice is uncertain for now. In any case, anyone confronted today with a social inspection involving the confiscation or reading of digital devices would do well to document each procedural step and critically review its legality.