On May 26th, 2015, the Dutch Senate passed a new law (“the Law”) (the legislative proposal, as adopted, is accessible here), which introduces an obligation to notify the Dutch DPA ‘without delay’ in case of a data breach.  The Law also broadens the powers of the Dutch DPA, enabling it to impose significantly higher fines for a wide range of privacy violations.  The Law is expected to enter into force soon, although the exact date is not yet known.

Data Breach Notification

The Law introduces a new provision, Article 34a, in the Dutch Data Protection Act (Wet Bescherming Persoonsgegevens).  This provision obliges companies to notify the Dutch DPA ‘without delay’ (‘onverwijld’) of any breach that leads to a significant probability of serious detrimental consequences or that has serious detrimental consequences for the protection of personal data.  With this new provision, the Netherlands seems to be preparing for the future General Data Protection Regulation (GDPR), since the widely debated proposal for the GDPR also contains data breach obligations.

Other elements of Article 34a include:

  • Companies must also inform the data subjects if the breach is likely to negatively affect their privacy.
  • The notification must include information regarding the nature of the violation; details on where authorities may acquire further information; measures taken to limit the damage caused by the breach; and a description of the known and expected consequences of the breach.
  • If the company that suffers a breach takes appropriate measures to make the data “incomprehensible” or “inaccessible”, it is exempted from the obligation to notify.  It will be interesting to see how the Dutch DPA will apply this provision in practice.

The Dutch DPA is expected to issue specific guidelines, clarifying the modalities and interpretation of the new Article 34a of the Dutch Data Protection Act.

Changes to the Telecommunications Law

The data breach notification requirement already existed in the Netherlands, but only for particular types of companies (including telecommunication companies and financial institutions).  The Law amends some aspects of the Dutch Telecommunications Law of October 19th, 1998.  For example, the Law aims to centralize data breach notifications, and therefore provides that telecom companies must direct their data breach notifications to the Dutch DPA, instead of the Dutch Authority for Consumers & Markets.  Another change relates to the maximum fine for violating the data breach requirements of the Telecommunications Law (see below).

Significant Fines for Variety of Privacy Violations

The Law also expands the Dutch DPA’s competence to impose monetary fines.  First, it expands the list of privacy violations for which the DPA can impose fines — the data breach notification obligation is only one of them.  Second, the Law increases the maximum amount of those fines: they range from a maximum of EUR 20.250 for relatively minor infringements to a maximum of EUR 810.000 for deliberate and repeated violations.  The Law also makes it possible, in certain circumstances, to impose fines on legal entities of up to 10% of their annual turnover for several privacy violations, including in relation to data breaches.  However, for telecommunication companies, the Law limits the maximum fine for violating the data breach notification requirement to EUR 450.000.

Name Change Dutch DPA

The Law also changes the name of the Dutch DPA to “Autoriteit Persoonsgegevens” (Personal Data Authority) instead of the current “College Bescherming Persoonsgegevens.”

Entry into Force

The new rules are expected to enter into force soon — according to some reports as soon as July 1st, 2015 (although this is not an official timeline).  A separate Royal Decree will determine the exact date.