Netherlands: Higher Fines and Mandatory Data Breach Notification Take Effect January 1, 2016

12/17/2015
Client Alert

The legal landscape for data protection in the Netherlands is set to change considerably in a couple of weeks. On January 1, 2016, the amended Dutch Data Protection Act (Wet bescherming persoonsgegevens; WBP) and the Dutch Telecommunications Act (Telecommunicatiewet; TW) will take effect. Among other developments:

  • Fines will increase up to EUR 820,000 (approx. USD 900,000) or 10% of annual worldwide turnover; and
  • Data breach notification will become mandatory.

The DPA has recently published guidelines on data breach notifications and draft guidelines on fines for public consultation. As finalized guidelines on fines are not yet available, the draft as discussed below is still subject to change.

1.  Fines Increase to EUR 820,000 or 10% of Annual Worldwide Turnover

The amended law gives the Dutch data protection authority (DPA) the power to impose administrative fines of up to EUR 820,000 or 10% of an organization’s annual worldwide turnover. The DPA’s draft guidance offers some indications as to how it intends to apply this new authority, including how it assesses the severity of violations and what it considers aggravating and mitigating factors.

The amended laws contain the following three fines:

  • Violations of the WBP, including failure to timely notify the DPA and affected individuals about data breach pursuant to the provisions of the WBP and non-compliance with DPA orders regarding the WBP: EUR 820,000 (approx. USD 900,000) or 10% of annual worldwide turnover;
  • Violations of the TW, including failure to timely notify the DPA and affected individuals about a data breach pursuant to the provisions of the TW and non-compliance with DPA orders regarding the TW: EUR 450,000 (approx. USD 495,000); and
  • A limited number of other violations of the WBP: EUR 20,500 (approx. USD 22,500).

DPA proposes categories of severity

For each of the three types of violations described above, the DPA proposes three subcategories with increasing levels of fines. According to the DPA, these subcategories were inspired partly by the categorization used in the proposed General Data Protection Regulation (GDPR). The DPA intends to punish substantive violations more severely than procedural ones. For example, violations relating to sensitive data and automated decision making (Category III) will be more severely punished than violations of the main data protection obligations, such as purpose limitation and data security (Categories II and III) and violations of individual rights and failure to notify the DPA about a data breach (Category II). Procedural safeguards, such as cross-border transfer obligations, are placed in the lowest priority category (Category I).

DPA intends to consider severity, and aggravating and mitigating circumstances

The DPA plans to calculate a basic fine based on the nature and seriousness of the violation, which it assesses in light of the duration, and the impact on individuals concerned or society at large. It also intends to consider the level of fault and possibly the violator’s financial circumstances. Aggravating circumstances include prior identical or similar violations, in which case the DPA plans to impose a 50% fine increase. Obstruction of the investigation by the violator is another aggravating circumstance. Mitigating circumstances include (i) more extensive cooperation than legally required, (ii) voluntary termination of the violation prior to, or when the violator becomes aware of, the DPA investigation and (iii) compensation of those affected by the violator’s own initiative.

DPA may depart from guidelines

While the DPA proposes relatively detailed guidelines, it reserves the right to go outside the established categories. If the DPA considers the maximum fine of EUR 820,000 to be inadequate, it may impose a penalty of up to 10% of the most recent annual worldwide turnover of the organization.

2.  New Mandatory Data Breach Notifications to DPA and Affected Individuals

In addition to transferring supervision of mandatory data breach notifications for telecommunications providers to the DPA, the amendments introduce a general mandatory data breach notification in the WBP that is applicable to all data controllers. The amended WBP requires that the following parties must be notified of any data breach (i) the DPA, if the breach is likely to have “serious adverse consequences” for the protection of personal information and (ii) affected individuals, if the breach is likely to have “unfavorable consequences” for their privacy, unless the breached information has been encrypted or otherwise made unintelligible to unauthorized third parties.

Data breach is broadly defined

According to the DPA guidance, a breach occurs when personal information has been lost or unlawfully processed, unless an organization can “reasonably rule out” such occurrence. Examples of loss of information include lost USB sticks, stolen laptops, hacker intrusions, malware infections, and even calamities (e.g., fire in a data center).

Severity determines whether to notify the DPA and affected individuals

An organization must notify the DPA if a breach is likely to have “serious adverse consequences” for the protection of personal data. Additionally, affected individuals will have to be notified if the breach is likely to have “unfavorable consequences” for their privacy. While the explanatory memorandum and DPA guidance give some pointers as to what might constitute “serious adverse,” or “unfavorable” consequences, it will be up to organizations to assess each incident in light of a multitude of factors.

Notification must be immediate or within 72 hours

The DPA must be notified “immediately” or within 72 hours after discovery of an incident. If complete information on the breach is not yet available within 72 hours, the organization must still notify the DPA within this period on the basis of the information that is available to the organization at that time and provide additional information to the DPA going forward.

Information must be provided to the DPA and affected individuals

When notifying affected individuals, organizations must provide information on the breach, contact points to get more information and recommendations to mitigate potential adverse effects of the breach. If an organization decides not to notify individuals, the DPA may instruct the organization to do so. In addition to the information provided to individuals, notice to the DPA must contain a description of the expected consequences of the breach and the measures taken or to be taken to mitigate those consequences.

A security incident log must be kept

Additionally, organizations must maintain internal documentation on all data breaches covered by the law, including measures taken and any information provided to individuals.

3.  Impact of the General Data Protection Regulation

Several years from now, when the GDPR is expected to take effect, it will replace national data protection regimes, including mandatory data breach notifications and administrative fines. At the time these amendments were introduced, the Dutch legislature considered the GDPR to be too early in the negotiating process to provide a model for the Dutch data breach notification requirements. Now that the GDPR has progressed, the DPA has chosen to align some of its guidance with a draft of the GDPR. For example, the DPA cites the GDPR for the 72 hour deadline for notification. The WBP’s mandatory data breach notification is therefore in practice expected to follow the GDPR. Similarly, the DPA cites the GDPR as inspiration for the proposed categories of fines in its draft guidelines. The fines themselves, however, will change considerably. The text of the draft GDPR that was agreed upon in the meetings of the Council, Commission and Parliament on December 15, 2015, provides for maximum fines of EUR 20,000,000 or up to 4% of the total annual worldwide turnover of a company.

Email Disclaimer

Unsolicited e-mails and information sent to Morrison & Foerster will not be considered confidential, may be disclosed to others pursuant to our Privacy Policy, may not receive a response, and do not create an attorney-client relationship with Morrison & Foerster. If you are not already a client of Morrison & Foerster, do not include any confidential information in this message. Also, please note that our attorneys do not seek to practice law in any jurisdiction in which they are not properly authorized to do so.

©1996-2019 Morrison & Foerster LLP. All rights reserved.