The legal landscape for data protection in the Netherlands is set to change considerably in a couple of weeks. On January 1, 2016, the amended Dutch Data Protection Act (Wet bescherming persoonsgegevens; WBP) and the Dutch Telecommunications Act (Telecommunicatiewet; TW) will take effect. Among other developments:
The DPA has recently published guidelines on data breach notifications and draft guidelines on fines for public consultation. As finalized guidelines on fines are not yet available, the draft as discussed below is still subject to change.
1. Fines Increase to EUR 820,000 or 10% of Annual Worldwide Turnover
The amended law gives the Dutch data protection authority (DPA) the power to impose administrative fines of up to EUR 820,000 or 10% of an organization’s annual worldwide turnover. The DPA’s draft guidance offers some indications as to how it intends to apply this new authority, including how it assesses the severity of violations and what it considers aggravating and mitigating factors.
The amended laws contain the following three fines:
DPA proposes categories of severity
For each of the three types of violations described above, the DPA proposes three subcategories with increasing levels of fines. According to the DPA, these subcategories were inspired partly by the categorization used in the proposed General Data Protection Regulation (GDPR). The DPA intends to punish substantive violations more severely than procedural ones, with the fine rising from Category I to Category III. For example, violations relating to sensitive data and automated decision making (Category III) will be punished more severely than violations of individual rights and failure to notify the DPA about a data breach (Category II); the main data protection obligations, such as purpose limitation and data security, fall in Categories II and III. Procedural safeguards, such as cross-border transfer obligations, are placed in the lowest category (Category I).
DPA intends to consider severity, and aggravating and mitigating circumstances
The DPA plans to calculate a basic fine based on the nature and seriousness of the violation, which it assesses in light of the duration of the violation and its impact on the individuals concerned or on society at large. It also intends to consider the degree of fault and possibly the violator’s financial circumstances. Aggravating circumstances include prior identical or similar violations, in which case the DPA plans to increase the fine by 50%. Obstruction of the investigation by the violator is another aggravating circumstance. Mitigating circumstances include (i) more extensive cooperation than legally required, (ii) voluntary termination of the violation before, or as soon as, the violator becomes aware of the DPA investigation and (iii) compensation of those affected, on the violator’s own initiative.
DPA may depart from guidelines
While the DPA proposes relatively detailed guidelines, it reserves the right to go outside the established categories. If the DPA considers the maximum fine of EUR 820,000 to be inadequate, it may impose a penalty of up to 10% of the most recent annual worldwide turnover of the organization.
2. New Mandatory Data Breach Notifications to DPA and Affected Individuals
In addition to transferring supervision of the mandatory data breach notifications for telecommunications providers to the DPA, the amendments introduce a general mandatory data breach notification in the WBP that applies to all data controllers. Under the amended WBP, a data breach must be notified to (i) the DPA, if the breach is likely to have “serious adverse consequences” for the protection of personal data, and (ii) the affected individuals, if the breach is likely to have “unfavorable consequences” for their privacy, unless the breached data has been encrypted or otherwise rendered unintelligible to unauthorized third parties.
Data breach is broadly defined
According to the DPA guidance, a breach occurs when personal information has been lost or unlawfully processed, unless an organization can “reasonably rule out” such occurrence. Examples of loss of information include lost USB sticks, stolen laptops, hacker intrusions, malware infections, and even calamities (e.g., fire in a data center).
Severity determines whether to notify the DPA and affected individuals
An organization must notify the DPA if a breach is likely to have “serious adverse consequences” for the protection of personal data. Additionally, affected individuals must be notified if the breach is likely to have “unfavorable consequences” for their privacy. While the explanatory memorandum and the DPA guidance give some pointers as to what might constitute “serious adverse” or “unfavorable” consequences, it will be up to organizations to assess each incident in light of a multitude of factors.
Notification must be immediate or within 72 hours
The DPA must be notified “immediately,” which the DPA guidance interprets as no later than 72 hours after discovery of the incident. If complete information on the breach is not yet available within 72 hours, the organization must still notify the DPA within this period on the basis of the information available to it at that time and supplement the notification as further information becomes available.
Information must be provided to the DPA and affected individuals
When notifying affected individuals, organizations must provide information on the breach, contact points to get more information and recommendations to mitigate potential adverse effects of the breach. If an organization decides not to notify individuals, the DPA may instruct the organization to do so. In addition to the information provided to individuals, notice to the DPA must contain a description of the expected consequences of the breach and the measures taken or to be taken to mitigate those consequences.
A security incident log must be kept
Additionally, organizations must maintain internal documentation on all data breaches covered by the law, including measures taken and any information provided to individuals.
3. Impact of the General Data Protection Regulation
Several years from now, when the GDPR is expected to take effect, it will replace national data protection regimes, including their mandatory data breach notification requirements and administrative fines. At the time these amendments were introduced, the Dutch legislature considered the GDPR to be too early in the negotiating process to serve as a model for the Dutch data breach notification requirements. Now that the GDPR has progressed, the DPA has chosen to align some of its guidance with a draft of the GDPR. For example, the DPA cites the GDPR for the 72 hour notification deadline. In practice, the WBP’s mandatory data breach notification is therefore expected to follow the GDPR. Similarly, the DPA cites the GDPR as inspiration for the categories of fines proposed in its draft guidelines. The fines themselves, however, will change considerably: the text of the draft GDPR agreed upon in the meetings of the Council, Commission and Parliament on December 15, 2015, provides for maximum fines of EUR 20,000,000 or up to 4% of a company’s total annual worldwide turnover, whichever is higher.