On May 26, 2015 the Dutch Senate passed a bill to amend the Dutch Data Protection Act (the Bill). The Bill introduces the duty to notify the Dutch Data Protection Authority (DPA) and affected individuals of data breaches. It will also significantly raise the fines faced by companies who fail to give notification of serious breaches from EUR 4,500 to a maximum of EUR 810,000 or 10 percent of annual turnover. The escalation in sanctions for data breaches highlights the importance that Dutch organizations are adequately prepared to safeguard the data they gather, process, and store.
In its current form, Dutch law only contains data breach notification obligations for data processors in specific industry sectors (e.g., the financial and healthcare sectors) and particular types of organizations (e.g., telecommunications and Internet service providers). The new Bill will expand the application of these obligations to make all data controllers subject to the obligation as well. In this respect, the Bill anticipates the finalization of the draft EU Regulation on General Data Protection (draft EU Regulation), which is expected to introduce the duty to notify throughout the EU sometime in 2017 or 2018.1
The Bill adds a new provision, Article 34a, to the Dutch Data Protection Act. This provision will require companies to notify the DPA, “without delay” of any breach that has a significant probability of resulting in detrimental consequences for personal data protection.2 “Without delay” is likely to be defined in line with the draft EU Regulation, which proposes a 24 to 72 hour time notification requirement. In assessing whether the impact of a breach will have “adverse consequences,” the Bill clarifies that the severity of the potential impact of the data breach is key, particularly: (i) the nature and scope of the breach; (ii) the nature of the compromised personal data; (iii) the extent to which technical measures have been put in place to protect the data; and (iv) the privacy consequences for the affected individuals.
In addition to notifying the DPA, in cases where the breach is likely to have serious adverse consequences on the data subject’s privacy, the Bill will require data controllers to notify the effected individuals as well. The Bill does not specify when a security breach is considered to have serious adverse consequences for the protection of personal data, but it is expected that the DPA will issue a guidance document once the Bill has been adopted into law. Regardless of whether a data breach may meet the severity threshold requiring notification, organizations will be required to keep records of all data breaches that may pose a serious risk to an individual’s privacy.
Fines for failure to notify
The Bill bestows greater regulatory and investigative powers on the DPA, which will be responsible for overseeing both the Data Protection Act and the Telecommunications Act. Further, the Bill increases the DPA’s authority to impose administrative fines on organizations that negligently or recklessly fail to report data breaches. In doing so, it aims to restore overall trust in the safety of personal data use and seeks to limit the potential adverse effects of data leaks that may otherwise go unnoticed. Under the new Bill, the DPA can hand out hefty fines ranging from EUR 25,250, for relatively minor offences, up to EUR 810,000 or 10 percent of the company’s annual net turnover, for more serious offences.3 The imposition of the maximum fine will generally only be available where the DPA has first issued a binding instruction that has not been followed. However, in cases of deliberate violations or violations resulting from serious culpable negligence, the DPA will not be required to issue a binding instruction before imposing a fine.
While firm dates have not yet been set, it is currently expected that the Bill will enter into force Jan. 1, 2016. Data controllers are advised to review and update all relevant agreements with their data processors in order to ensure they are in compliance with the new notification requirements for data controllers, ideally before the Bill enters into law. Additionally, companies engaged in data processing should take into account that, in some cases, the new law may extend beyond the data controller to the data processor, who may be held liable as “accomplices” to a data breach. As the entry into force date approaches, more information on the Bill will be made available.