Global Information Technology & Communications
Netherlands - The impending general data breach notification obligation in the Netherlands.
The Dutch Parliament is currently discussing a draft bill which will amend the Dutch Data Protection Act and the Telecommunications Act to introduce a general data breach notification obligation for all data controllers in the Netherlands. The law will probably pass in early 2015. The general data breach notification obligation will apply in the interlocutory period up until the new EU Data Protection Regulation has been adopted. A general data breach notification obligation is introduced in article 31 of the current draft text of the Regulation.
The new bill obliges the data controller to notify the Dutch DPA of any security breach of which he has become aware that has serious negative consequences for the protection of the personal data.
The obligation does not exist if the personal data in question has been protected by the data controller in such a manner that the personal data cannot be accessed or understood by someone who does not have a right to do so. In practice this means the data has been encrypted by the data controller. The minimum quality of encryption is not specified in the law. In principle it is up to the data controller to determine whether the applied encryption is strong enough and has been executed in the right way. Of course, if this assessment is not performed correctly by the data controller, he may be held to have breached his notification obligation.
If the breach is not exempted from the notification obligation, the data controller will need to assess whether it has negative consequences for the protection of personal data. This question relates to the seriousness of the breach. For example, does the breach affect a large number of data subjects, or does it concern sensitive personal data? The breach needs to be serious in both the volume and the nature of the personal data that may potentially be lost or has been made subject to unlawful processing. When the breach is serious, the data controller will need to notify it to the Dutch DPA.
Any notice provided to the Dutch DPA (and to the concerned data subjects) should identify the nature of the breach, give an overview of the bodies that can provide more information on the breach, and suggest measures to limit the negative consequences of the breach. In the notification, the data controller is also expected to address the consequences of the breach for the processed personal data and the measures taken by the data controller to remedy these consequences.
The data controller will need to notify a data breach to the concerned data subjects if there is reason to believe that the breach will bring about unfavorable consequences for them. This is the case if it is probable that the breach will cause a specific harm to the data subjects, for example by damaging their reputation or by making them suffer a financial loss.
In the original text of the draft bill, the data controller needed to maintain a record of all data breaches. That has now been removed from the bill by the government.
Any failure of the data controller to act in accordance with his notification obligation has been made subject to the levying of a fine by the Dutch DPA. The fine has a maximum of EUR 450.000,- per violation, which is on a par with the fines that can be levied by other EU DPAs. The same fine can be levied if the data controller does not cooperate with an investigation by the Dutch DPA into a potential violation. The right to levy a fine of this magnitude is new for the Dutch DPA.
It is important to note that the bill also replaces the Autoriteit Consument en Markt (ACM) as the regulatory authority for the oversight of the data breach obligation of providers of electronic communications networks and services in article 11.3a of the Dutch Telecommunications Act.
The draft bill re-emphasizes the urgency for all data controllers in the Netherlands to draw up and introduce a data breach response and mitigation process. A data breach notification obligation may already apply to them at the beginning of 2015.
For more information, please contact Jeroen Schouten or Frederik Harms.