Belgium

Overview

EU Member State: Belgium is subject to the GDPR, the Law Enforcement Directive, and the ePrivacy Directive. For the EU framework, see the EU Framework page. This page covers national laws, intelligence and surveillance, and Belgium’s role in international data sharing.

Belgium operates the world’s oldest intelligence service. The Veiligheid van de Staat / Sûreté de l’État (VSSE) was founded on October 15, 1830, just weeks after Belgium declared independence. For most of its existence, the VSSE operated exclusively through human intelligence (HUMINT) following 1980s scandals that stripped it of technical surveillance capabilities. It was not until the BIM Law of 2010 that Belgian intelligence services were authorised to conduct signals intelligence and electronic surveillance.^[1][2]

Belgium is a member of the Fourteen Eyes intelligence alliance (SIGINT Seniors Europe / SSEUR), yet was itself targeted by UK GCHQ’s Operation Socialist cyberattack against Belgacom to intercept EU institutional traffic routing through Brussels. Belgium hosts SWIFT headquarters (the global financial messaging system), making it uniquely positioned in international financial surveillance under the US Treasury’s Terrorist Finance Tracking Program. Belgium has also been confirmed as a customer of NSO Group’s Pegasus spyware.^[3][4]

Privacy Framework

The Autorité de protection des données (APD) / Gegevensbeschermingsautoriteit (GBA) is Belgium’s bilingual data protection authority, established by the Law of 3 December 2017 with a multi-chamber structure (General Secretariat, Inspection Service, Litigation Chamber, Knowledge Centre). Its location in Brussels means it frequently handles cases involving EU institutions and international organisations.^[5]

Belgium’s primary data protection statute is the Law of 30 July 2018, implementing the GDPR with notable derogations: the age of digital consent is set at 13 (among the lowest in the EU), collective redress for GDPR infringements is available to SMEs and advocacy organisations, and specific provisions govern data processing by intelligence services. The Electronic Communications Act of 13 June 2005 (amended 2021) implements the ePrivacy Directive with strict cookie consent rules including a prohibition on cookie walls.^[6][7]

Notable enforcement includes a EUR 250,000 fine against IAB Europe over the Transparency and Consent Framework (TCF), upheld by the Belgian Market Court in May 2025, establishing that industry bodies governing data-sharing standards can be held liable as joint controllers. The APD/GBA has also fined data brokers (EUR 174,640) and direct marketing companies (EUR 172,431) for unlawful processing.^[8][9]

Surveillance and Intelligence

VSSE (Veiligheid van de Staat / Sûreté de l’État)

Belgium’s civilian intelligence and security service operates under the Minister of Justice. Responsible for counterintelligence, counterterrorism, countering extremism, and protection of Belgium’s scientific and economic potential. The VSSE maintains contacts with over 90 sister intelligence services worldwide and participates in the Club de Berne and the Counter Terrorism Group (CTG).^[10]

SGRS/ADIV (Service Général du Renseignement et de la Sécurité / Algemene Dienst Inlichting en Veiligheid)

Belgium’s military intelligence service operates under the Minister of Defence. The SGRS/ADIV possesses significantly broader technical capabilities than the VSSE and is authorised to employ BIM methods outside Belgium’s borders, including breaking into computer systems, intercepting communications, and recording images in foreign territories. The service has developed a strong cyber intelligence capacity, reflecting Belgium’s role as host of both NATO headquarters and numerous EU institutions.^[11]

Intelligence and Security Services Act 1998 (Law of 30 November 1998)

Provides the legal foundation for both services, classifying intelligence methods into three tiers:^[12]

• Ordinary methods: Open source intelligence, analysis of public data, general surveillance without special authorisation
• Specific methods: Targeted physical surveillance, metadata observation, covert searches of vehicles, requiring service director authorisation
• Exceptional methods: Reserved for grave threats — wiretapping, communications content interception, computer network exploitation, covert entry into private residences. Requires authorisation from a commission of magistrates and ongoing Standing Committee I oversight

BIM Law (2010 Amendment)

The Special Intelligence Methods Act (January 21, 2010) ended the decades-long restriction on technical intelligence collection, authorising targeted interception, electronic data inspection, physical surveillance with technical devices, computer network exploitation (CNE), and covert recording. All BIM methods require judicial approval via the BIM Commission of magistrates, with ongoing oversight by Standing Committee I which can suspend intelligence methods at any time if it determines they are unlawful.^[2][13]

Standing Committee I (Comité permanent de contrôle des services de renseignements)

Belgium’s independent intelligence oversight body, established by the Act of 18 July 1991, reports directly to the Federal Parliament. Key powers:^[13][14]

• Real-time oversight of BIM methods during and after operations
• Suspension power: Can halt any intelligence method at any time if unlawful or disproportionate
• Double-check mechanism: BIM Commission grants permission, Standing Committee I independently verifies
• Data protection supervisory authority for all intelligence service data processing (since 2018 reform), a function the APD/GBA does not exercise

Commercial Surveillance Procurement: NSO Group Pegasus

Belgium has been confirmed as a customer of NSO Group’s Pegasus spyware. Once deployed, Pegasus provides unrestricted access to all communications, photographs, location data, and encrypted messaging with no technical mechanism to limit collection to what is necessary for a specific investigation. This creates a regulatory asymmetry: when Belgian intelligence uses BIM methods, operations require judicial approval and Standing Committee I oversight; when agencies deploy Pegasus, the tool’s total-compromise design cannot be technically constrained to Belgian constitutional requirements on proportionality.^[15]

Data Retention

2015: The Belgian Constitutional Court annulled the national data retention law following the CJEU’s Digital Rights Ireland judgment.^[16]

2022: Belgium enacted a new framework with differentiated retention based on geographic risk zones (airports, train stations, border zones, hospitals, motorways, judicial buildings, municipalities with critical infrastructure). Critics including Patrick Breyer demonstrated that when mapped, these zones effectively cover the entire Belgian territory, amounting to general retention relabeled as “targeted.”^[17][18]

September 2024: The Constitutional Court’s third ruling upheld most of the 2022 law but referred questions to the CJEU on whether the geographic targeting model satisfies requirements for “targeted retention.” The outcome will determine whether Belgium needs a fourth data retention framework in a decade.^[17]

International Data Sharing Agreements

Despite robust GDPR enforcement by the APD/GBA and the BIM Law’s judicial oversight framework, Belgium participates in extensive international data sharing that provides foreign agencies with pathways to access Belgian person data outside domestic safeguards.

Mutual Legal Assistance: Layered Framework

Belgium’s mutual legal assistance coverage operates through multiple overlapping frameworks:^[19]

EU Member States (26 countries): The EU Convention on Mutual Assistance in Criminal Matters (2000) and the Schengen Convention (1990) provide the primary MLA framework within the EU. The European Investigation Order (EIO) has superseded much of this for evidence gathering since 2017, allowing Belgian judges to make binding requests to other EU states for evidence, telephone interceptions, and banking information.

Council of Europe (50 signatory states): The European Convention on Mutual Assistance in Criminal Matters (1959) and its Additional Protocols apply between Belgium and all signatory states, extending MLA coverage beyond the EU to include Turkey, Israel, and other non-EU Council of Europe members.

Benelux Treaty: Belgium maintains a special Benelux Treaty on Extradition and Mutual Assistance in Criminal Matters (signed 1962, amended 1974) with Luxembourg and the Netherlands, providing streamlined judicial cooperation among the three Benelux states that predates and supplements the EU framework.

Bilateral MLAT with the United States: Signed January 28, 1988, entered into force in 2000. Allows Belgian and US law enforcement to request data on each other’s persons through diplomatic channels. Supplemented by the EU-US MLAT framework.^[20]

Fourteen Eyes (SIGINT Seniors Europe)

Belgium is a member of the Fourteen Eyes alliance (SSEUR), participating as a third-tier partner. Both the VSSE and SGRS/ADIV contribute to Belgium’s intelligence sharing obligations. Belgium’s contribution was traditionally limited by the VSSE’s HUMINT-only posture, but the BIM Law and the SGRS/ADIV’s growing cyber capabilities have increased its relevance as a SIGINT partner.^[3][21]

As with all third-party UKUSA partners, Belgium’s participation does not protect it from being targeted by alliance partners. An internal NSA document stated: “The NSA can, and often do, target the signals of most 3rd party foreign partners.” Information flows hierarchically: Five Eyes members access all Fourteen Eyes intelligence, but Belgium has more limited access.^[22]

Operation Socialist: When Belgium Was the Target

In 2013, it was revealed that UK GCHQ conducted Operation Socialist, a cyberattack against Belgacom (Belgium’s primary telecommunications provider) using the NSA’s QUANTUM injection system to compromise engineers and install implants on routers to intercept communications, including EU institutional traffic routing through Brussels. Belgian prosecutors opened a criminal investigation but no charges were filed. The operation demonstrated that even Fourteen Eyes members can be surveillance targets when strategic interests diverge.^[23]

SWIFT Headquarters and TFTP Agreement

Belgium hosts SWIFT (Society for Worldwide Interbank Financial Telecommunication) headquarters. Under the Terrorist Finance Tracking Program (TFTP) agreement (in force August 2010), the US Treasury issues subpoenas to SWIFT for financial transaction data from its EU operations. Europol verifies each request, but the Snowden disclosures alleged that the NSA was systematically accessing SWIFT data through other channels. Every international wire transfer through SWIFT is potentially subject to US Treasury subpoenas. The European Parliament passed a non-binding vote calling for suspension after the Snowden revelations, but the agreement remains in force.^[24]

EU Law Enforcement Data Sharing

Schengen Information System (SIS II): Belgian police can query and contribute to the EU’s largest law enforcement database in real time across all Schengen countries.

Prüm Convention: Belgium was an original signatory (2005) and participates in automated DNA, fingerprint, and vehicle registration data comparison. The Prüm II Regulation (2024) expands this to facial images and police records.

EU-US Data Sharing

EU-US Umbrella Agreement: Entered into force February 2017, granting Belgian citizens judicial redress before US courts for data exchanged between EU and US law enforcement.

PNR Agreements: Belgium participates in the EU-US PNR agreement, transferring comprehensive passenger data for every Belgium-US flight.

Multilateral Frameworks

Interpol I-24/7: Belgium participates in Interpol’s global network (195 countries). Egmont Group: The Belgian FIU (CTIF-CFI) shares financial intelligence across 164+ Financial Intelligence Units. Europol: Belgium is a major contributor, including data sharing with the US FBI.

The Privacy Backdoor Effect

Despite GDPR enforcement and BIM Law judicial oversight, international agreements create alternative pathways for accessing Belgian person data:

• Fourteen Eyes Sharing: Belgian intelligence shares SIGINT with Five Eyes partners; NSA/GCHQ can collect on Belgian persons and share with Belgian intelligence
• EU Framework Sharing: Belgian person data in SIS II, Prüm, or EIO channels becomes accessible to 27 EU member states, and through Europol, potentially to US FBI
• MLAT/CoE Convention: US and 50+ Council of Europe states can request data through MLA channels with potentially different evidentiary standards than Belgian judicial warrants
• SWIFT/TFTP: Belgium hosts SWIFT headquarters; US Treasury subpoenas access international wire transfers with Europol verification as the primary safeguard
• Operation Socialist Precedent: Even as a Fourteen Eyes member, Belgium was targeted by GCHQ cyberattack to intercept EU institutional traffic

Recent Developments

Arizona Coalition Surveillance Expansion (February 2025): Belgium’s new “Arizona” coalition government under Prime Minister Bart De Wever committed to amendments enabling smart camera surveillance, a “living lab” for intelligence services to experiment with new technology, and pilot projects for facial recognition to detect convicts and suspects. This creates tension between Belgium’s historically strong data protection enforcement and a government explicitly expanding technological surveillance capabilities.^[25]

Chat Control and Encryption Access: Belgium has occupied a conflicted position on the EU’s proposed CSA Regulation (“Chat Control”). During its 2024 Council Presidency, Belgium proposed a compromise requiring client-side scanning, later moved to oppose it (officials called it “a monster that invades your privacy”), then shifted to “undecided” ahead of the October 2025 vote. Meanwhile, Belgium’s National Drug Commissioner publicly called in December 2025 for the EU to force Signal and Telegram to cooperate with law enforcement, reflecting the ongoing tension between Belgium’s data protection establishment and its law enforcement community.^[26][27]

Data Retention Uncertainty: The CJEU referral from the September 2024 Constitutional Court ruling remains pending, leaving Belgium’s data retention obligations in legal limbo. The outcome could validate or invalidate the geographic risk zone approach, with implications for other EU Member States.^[17]

Sources