With this first edition of the Loyens & Loeff Monthly Data Protection and Privacy Update, we would like to inform you of the most relevant changes related to privacy and data protection law in the Netherlands.
In this month’s issue we will provide you with a brief overview of the recent changes in Dutch privacy law and we will discuss the Dutch DPA’s focus points for 2016. We will also briefly touch upon the recently published policy rules on camera surveillance and we will, of course, give you an update on the Safe Harbor discussion (including the latest news about the new EU-US data transfer agreement!).
1. Changes in Dutch law
In our previous newsletters, we informed you about the recent changes in Dutch law.
As from 1 January 2016:
- all security incidents that unintentionally result in the disclosure of personal data to third parties will have to be reported to the Dutch DPA and, in certain situations, also to the data subjects concerned;
- the violation of various provisions of the Dutch Data Protection Act (Wet bescherming persoonsgegevens) can be sanctioned more heavily (fines of up to EUR 820,000 or 10% of a data controller’s annual turnover).
Furthermore, the Dutch Data Protection Authority (Dutch DPA) has changed its Dutch name to ‘Autoriteit Persoonsgegevens’.
2. Dutch DPA Publishes ‘Focus Points’ for 2016
The Dutch DPA published its Annual Agenda for 2016. The agenda highlights the DPA’s key (enforcement) objectives for 2016:
- Security of personal data: The Dutch DPA stresses the importance of adequate technical and organizational protection measures.
- Big data and profiling: The Dutch DPA intends to issue guidelines on big data and profiling and intends to specifically investigate the protection of children’s privacy in the educational system.
- Medical data: The Dutch DPA intends to provide guidelines concerning the use of medical data in the cloud, medical care and scientific research.
- Governmental use of personal data: The Dutch DPA will focus on combating fraud and misuse of personal data in cooperation with local governmental bodies. It will also further investigate the use of profiling for security reasons.
- Employment: The Dutch DPA intends to investigate the use of employee data in the context of employment relationships.
3. Camera Surveillance: new policy rules
The Dutch DPA published policy rules regarding the use of camera surveillance as well as a practical summary providing do’s and don’ts with respect to camera surveillance. Finally, the Dutch DPA published its letters to both the sauna sector and the funeral industry, setting out its views on the rules of compliance with regard to camera surveillance in these specific industries.
4. Update on Safe Harbor
As a consequence of the Schrems judgment of the European Court of Justice on 6 October 2015, data transfers to the United States on the basis of Safe Harbor are no longer legally valid.
We kindly refer to our newsletter on this subject for further details on the case.
Following this judgment, the national data protection authorities of the EU Member States agreed to grant businesses a transitional period – until 31 January 2016 – before they would take any enforcement measures. Now that this transitional period has ended and the so-called “Safe Harbor 2.0” solution (see below) has not yet been implemented, it is important to verify within your organization that any data transfers to the United States are based on a valid legal basis (such as the EU Model Clauses).
On 2 February 2016, the European Commission announced that it had reached a political agreement with the United States on a new framework for transatlantic data transfers, named ‘EU-US Privacy Shield’ (or, unofficially, ‘Safe Harbor 2.0’).
The new arrangement will provide for stronger obligations on companies in the United States to protect the personal data of Europeans and stronger monitoring and enforcement by the United States Department of Commerce and Federal Trade Commission (FTC). The arrangement furthermore provides for clear safeguards and transparency obligations on US government access.
At this stage, the exact wording of the arrangement is not yet available, but the European Commission announced that a draft “adequacy decision” will be prepared in the coming weeks. This adequacy decision could then be adopted by the College of Commissioners after obtaining the advice of the Article 29 Working Party and after consulting a committee composed of representatives of the Member States. Until the new arrangement has been formally approved and implemented, data transfers should be based on other legitimate grounds.