This bill introduces a duty to notify the Dutch Data Protection Authority (College Bescherming Persoonsgegevens, the "CBP") and the relevant data subject(s) in the event of a breach of security measures for the protection of personal data. The duty will apply to businesses, governmental bodies and others, provided in all cases that they constitute a "data controller" within the meaning of the Personal Data Protection Act (Wet bescherming persoonsgegevens, the "PDPA"). The rule imposing the duty will be set out in a new provision of the PDPA (Article 34a).
The penalty for non-compliance with this duty will be a fine of up to EUR 450,000. A similar fine can be imposed for failure to co-operate in an investigation by the CBP into a breach/possible breach (of the above duty to notify) pursuant to article 5:20 of the General Administrative Law Act (Algemene wet bestuursrecht). This article lays down a general duty to co-operate and therefore such a fine can also be imposed in cases where the CBP is conducting an investigation other than in connection with article 34a of the PDPA.
To whom must a notification be made?
- The CBP must immediately be notified of a breach of security measures if it can reasonably be assumed that, as a result of the breach, there is a significant risk of negative consequences for the protection of personal data being processed.
- The data subject must immediately be notified of a breach as described above if the breach will probably have unfavourable consequences for his/her individual privacy.
The explanatory memorandum to the bill states that the assessment of a breach must be carried out as objectively as possible, based on the actual facts and circumstances of the case in question. Whether the loss of a mobile telephone or USB stick or the theft of a laptop, for example, must be notified will depend on the type of data and the likely risk for the data subject and the enterprise.
An example given in the explanatory memorandum is that if the membership records of a sport association are lost or hacked, this will usually cause inconvenience to the association and its members but is unlikely to necessitate a notification to the CBP. The consequences of a data leak of this type will usually be of a limited nature; in addition, the data subjects can be expected to have accepted a certain degree of risk. A data leak at the tax authorities, a bank or an insurer, however, is usually of a different order. Such a leak can lead to financial loss on the part of the data subject(s) or can result in data that are protected by a duty of confidentiality being compromised. The CBP will probably draw up guidelines to provide more clarification.
What information must be given in the notification?
- Both the CBP and the data subject(s) must in any event be notified of the following: i) the nature of the breach, ii) the parties from which more information about the breach can be obtained and iii) the recommended measures for limiting the negative consequences of the breach.
The explanatory memorandum states that, with regard to the nature of the breach, a general description will usually be sufficient. A data subject who wishes to know more about his/her individual situation can contact the business. For this reason, contact information must be given in the notification. With regard to recommended measures, these could be the changing of usernames and passwords or notification of a credit card company. This is also of significance in connection with a defence, in a liability action, that the data subject himself/herself was at fault.
The information set out in the notification, as well as the actual text of the notification to the data subject(s), must be retained by the data controller itself. The data controller is also required to maintain a record of all breaches, including breaches that have been detected but not notified. Based on this record, it must be possible to show which breaches have been detected and which measures have been taken.
According to the explanatory memorandum, it is expected that the great majority of notifications to the CBP will not give rise to the need for an investigation or enforcement measures. The CBP will examine the notifications and assess whether there is reason to initiate an investigation. If such an investigation is initiated, this can subsequently result in enforcement measures. Factors that will play a role in the CBP's assessment include the extent of the data leak, the leak's potential consequences and the type of data in question. It cannot as yet be predicted what proportion of the notifications will give rise to the need for further action.
- The notification to the CBP must, in addition, contain a description of i) the detected consequences and the probable consequences of the breach for the processing of personal data and ii) the measures that the data controller has taken or proposes to take in order to remedy those consequences.
This information will mostly be of a technical nature. In some cases, the information required to be notified may include technical details of a confidential nature. According to the explanatory memorandum, the relevant business can, if it so wishes, explicitly designate such data as "company-confidential" (bedrijfsvertrouwelijk) within the meaning of article 10(1)(c) of the Open Government Act (Wet openbaarheid van bestuur).
Manner of notification to data subject(s)
- The notification to the data subject(s) must be such as to ensure that the provision of information is carried out in a proper and careful manner, taking into account the nature of the breach, the detected consequences and the factual consequences of the breach for the processing of personal data, the circle of data subjects affected and the costs.
The explanatory memorandum states that in cases where the breach affects a relatively limited number of data subjects, these can be approached personally and in a tailored manner. If, however, a larger number of data subjects is affected, a newspaper advertisement in addition to a website announcement would be considered more appropriate.
- Notification to the data subject(s) is not required if appropriate technological protection measures have been taken to ensure that the personal data in question are encrypted or otherwise rendered unintelligible to parties that are not entitled to access those data.
- If no notification has been made to the data subject(s), the CBP may demand that the data subject(s) be notified if it is of the opinion that the breach is likely to have negative consequences for the individual privacy of the data subject(s).
- The notification requirement does not apply if the data controller is a provider of public electronic communications services and, in that capacity, has made a notification as referred to in article 11.3a(1) and (2) of the Telecommunications Act (Telecommunicatiewet). The latter provision sets out a specific notification requirement for providers of public electronic communications services (in connection with the provision of public electronic communications services).
Currently, such providers need to notify the Authority for Consumers and Markets. If the bill is adopted, they will have to notify the CBP instead of the Authority for Consumers and Markets.
The described exception does not apply in situations where the data controller is a different party than the provider of the public electronic communications services (for example, where the provider is a data processor within the meaning of the PDPA). In such a case, each of the two parties will be subject to a notification duty (under article 34a of the PDPA and under article 11.3a of the Telecommunications Act, respectively). If the provider is itself the data controller, its notification duty will be pursuant to article 11.3a of the Telecommunications Act.
- Financial institutions within the meaning of the Financial Supervision Act (Wet op het financieel toezicht, the "FSA") will not be required to notify a breach to the relevant data subject(s), but will still have to notify it to the CBP.
Such institutions are subject to a notification duty under the FSA, as well as the Prudential Rules (Financial Supervision Act) Decree and the Financial Institutions Business Conduct Supervision Decree. According to the explanatory memorandum, in the financial sector it would be too risky (partly in view of the financial crisis) to make public notifications to data subjects mandatory. A financial institution's duty of care provides a sufficient guarantee that the institution will carry out its responsibility towards its clients by contacting them directly.
A financial institution will only be subject to a double notification requirement (to both the CBP and the Dutch Central Bank/Authority for the Financial Markets) if a data leak also constitutes an incident within the meaning of the FSA (and the Decrees mentioned above). Such an incident is conduct or an event that poses a serious threat to the sound conduct of the financial institution's business.
If your enterprise (as a data controller of personal data) engages one or more parties (data processors) to process such personal data on the instruction of, and on behalf of, the data controller, it is important that the notification duty is taken into account in the (data processor) agreement(s). The data processor must, at a minimum, be required to notify the data controller of any breach of security where it can reasonably be assumed that, as a result of the relevant breach, there is a significant risk of negative consequences for the personal data processed by that data processor.
As the wording of the above rule could give rise to many questions, it is probably preferable to make the notification requirement in the agreement more comprehensive and to include additional safeguards. The CBP has set out a checklist in this regard in its guidelines on the protection of personal data (see our earlier newsletter on this subject).
Expected future developments
Further rules on notifications (their content and the manner in which they must be made) may be laid down in one or more general administrative orders. In addition, it has been announced that amendments to the bill will be submitted, consisting of rules aimed at strengthening the enforcement of the PDPA by broadening the powers of the CBP (e.g. to impose fines).
Finally, there are plans to introduce statutory notification requirements for, e.g., i) providers of certification services and ii) certain sectors in which cyber incidents could potentially have a disruptive impact on society.
To be continued.