Belgium

The GBA Litigation Chamber issued an enforcement decision against Meta Platforms Ireland for GDPR violations in Belgium relating to Meta's use of 'contractual necessity' as a legal basis for behavioural advertising, finding this basis incompatible with GDPR for processing personal data for ad targeting beyond what is strictly necessary to provide the contracted social media service. The Belgian action was part of a coordinated EU-wide enforcement process that ultimately resulted in the Irish DPC issuing fines of €210M (Instagram) and €180M (Facebook) in January 2023 following an EDPB binding decision. Belgium acted as a concerned supervisory authority triggering the dispute resolution mechanism.

The Belgian DPA (GBA) found that IAB Europe's Transparency and Consent Framework (TCF) — the industry consent mechanism used by virtually every publisher and ad tech company across the EU — violated GDPR in multiple fundamental ways, including that the encoded TC String constitutes personal data, that IAB Europe is a data controller for its creation, and that 'legitimate interest' cannot serve as legal basis for behavioural advertising profiling at scale. The decision had immediate EU-wide consequences as thousands of websites relied on TCF as their primary GDPR consent mechanism. IAB Europe was given six months to bring the TCF into compliance.

The National Bank of Belgium (NBB) imposed supervisory measures and administrative fines against ING Belgium for systemic deficiencies in its anti-money laundering compliance programme identified in the aftermath of parent company ING Group's €775 million Dutch AML settlement in September 2018. Investigators found ING Belgium had inadequate customer due diligence procedures, insufficient transaction monitoring coverage, and delayed suspicious transaction reporting to the Belgian Financial Intelligence Unit (CTIF-CFI). The NBB required a comprehensive AML remediation programme overseen by an independent compliance monitor.