On 24 November 2014 State Secretary Teeven (from the VVD, a conservative-liberal party) submitted a second memorandum of amendment concerning the legislative proposal adjusting the Dutch Data Protection Act (“DDPA”). The amendment, to be introduced through an adjustment of article 66 DDPA, is intended to give the Dutch Data Protection Authority (“DPA”) the authority to impose higher administrative fines and to be able to do so in more cases.
At the moment this authority is limited to a number of specific administrative provisions, such as failure to register a data processing operation with the DPA. Furthermore, the maximum possible fine is EUR 4,500, which is relatively low and is in practice not imposed. The legislative proposal extends this authority to a large number of general obligations under the DDPA and introduces penalty categories which range from EUR 20,250 for relatively minor violations to EUR 810,000 for intentional and repeated violations, which can have significant social repercussions. An even higher flexible financial penalty is proposed in relation to legal entities: if the maximum fine level of EUR 810,000 is not sufficiently punitive, the DPA can impose a fine equal to a maximum of 10% of the annual turnover of the respective legal entity. It is remarkable (and good news in practice) that the fine for not registering a data processing operation with the DPA, which until now was one of the few provisions of the DDPA that carried a fine, will cease to exist.
The legislative proposal is consistent with the penalty categories included in article 23 of the Dutch Criminal Code. However, the DPA can only impose such an administrative fine after it has issued a binding instruction to the offender. A time limit within which the offender has to follow the instruction can be imposed. The offender may file a notice of objection against this decision – although this will not suspend the proceedings. This can be problematic, since it could in practice lead to two parallel procedures. In situations involving an intentional breach of the material standards of the DDPA, there is no obligation to give a binding instruction and the DPA can impose a fine directly.
If the legislative proposal is accepted, the DPA shall be referred to as ‘Personal Data Authority’. This reflects the terminology of the European proposal for the new General Data Protection Regulation and is intended to prevent any existing confusion with the Dutch Bureau for Economic Policy Analyses (abbreviated in Dutch as “CPB”, while the DPA is abbreviated in Dutch as “Cbp”). In addition, the DPA will in the future need approval from the Minister of Security and Justice for the guidelines which serve to explain and interpret the material standards of the DDPA, under which an administrative penalty can be imposed for violations.
The proposal derives from the coalition agreement, which provided for an increase in penalty powers. This reinforces supervision and shifts the focus from remedy sanctions such as incremental payments, often imposed by the DPA under the present system, towards administrative fines. The question is, however, whether this will make a difference in practice, especially considering the fact that the DPA is obligated to first issue a binding instruction. This obligation arises from the advice of the Council of State that, given the ‘vague’ standards of the DDPA, it is undesirable to impose a penalty without a previous warning. The DPA does not agree with this part of the proposal: it feels like a ‘paper tiger’ and believes it will not be able to act promptly and efficiently. There is a fear that companies and organisations will not feel the urge to comply with the law. Paper tiger or not, one thing is certain: the creation of a wider penalty authority demonstrates that, after years of talking and lobbying, compliance with the privacy rules is being taken seriously. Privacy compliance has become a boardroom issue and is expected to be on the agenda of a number of companies in 2015.