Lexology GTDT Market Intelligence provides a unique perspective on evolving legal and regulatory landscapes. This interview is taken from the Privacy & Cybersecurity volume discussing topics including government initiatives, M&A risks and cloud computing within key jurisdictions worldwide.

1 What were the key regulatory developments in your jurisdiction over the past year concerning cybersecurity standards?

In terms of new legislation, it was a relatively quiet year. After the implementation of the General Data Protection Regulation (GDPR) and the EU Cybersecurity Act, it was time to take stock and assess the effectiveness of the existing legislative frameworks. Over the course of the past year, two subjects regarding cybersecurity did emerge that dominated much of the news and public debate.

First, the intelligence and security services warned of espionage by state actors in the telecoms sector. The vulnerability to abuse by state actors is expected to increase further with the introduction of 5G. In December 2019, the Dutch government adopted the Decree on Security and Integrity of Telecommunications, implementing the European Commission Recommendation on Cyber Security of 5G Networks. The Decree provides a legal ground to impose additional security measures on providers of public electronic communications networks or services to protect their networks against this threat and to oblige them to use only products or services from trusted parties. Providers already using products or services from suppliers known to be under the influence of state actors that may want to abuse telecommunication networks could be required to replace or terminate these products and services.

Second, the rapid spread of the covid-19 pandemic has also raised awareness about the need for adequate cybersecurity standards. Various Dutch government institutions have published guidance in relation to working from home. These include the National Cyber Security Centre (NCSC), the Telecommunications Agency and the Dutch Data Protection Authority (DPA). In addition to recommending the use of secure IT systems, taking extra care of sensitive data and being alert to phishing attempts, the Dutch DPA also notably calls for caution in the use of generally available commercial (video) chat services, especially by healthcare providers. The reason for this cautious approach is that the Dutch DPA has not been able to establish that these services are fully compliant with the GDPR.

The crisis also triggered debate when the Dutch government invited developers to create a contact tracing app. Following a public selective tender process, the Dutch DPA reviewed a number of proposals, only to conclude that it had not received sufficient information on the technical and privacy safeguards to judge the merits of the app. As of writing, no app has been created or approved. The Dutch government did launch a portal (www.rivm.nl/infectie-radar) where individuals can submit health data on a weekly basis to track the infection. However, this has been plagued by security issues and has been taken offline repeatedly. The site initially launched on the basis of outdated and no longer secure software, and was later found to be susceptible to URL manipulation, potentially exposing sensitive health data of participants.

On 1 May 2020, the highly contested Dutch Intelligence and Security Services Act (WIV 2017) saw its second birthday. The government has appointed an independent commission to carry out the mandatory evaluation of this Act. The government has asked the commission to not only assess whether the objectives of the law (ie, modernisation of powers and strengthening of safeguards) have been achieved, but also review the operational practice of the secret services.

That same month also marked the second anniversary of the GDPR, as well as the accompanying Dutch Act to enable its application, which both became law on 25 May 2018. After its first fine of €600,000 for Uber’s failure to report a data breach in good time, the Dutch DPA has imposed three other fines under the GDPR: first, a Dutch hospital received a fine of €460,000 due to insufficient security measures to keep medical files (of a Dutch reality-TV star) confidential. This was followed by a fine of €525,000 imposed on the Royal Dutch Lawn Tennis Association for selling personal data (including postal addresses) of members to two sponsors for direct marketing purposes. This decision was based on a controversial new interpretation by the Dutch DPA that purely commercial interests cannot qualify as legitimate interests within the meaning of the GDPR. The most recent fine – at the time of writing this contribution – is also the highest: a fine of €725,000 was imposed on a retailer for processing fingerprints of employees for time-registration purposes. The company that received this fine has, for now, managed to have its name redacted from the decision, after successfully seeking a preliminary injunction against its publication. No fine imposed by the Dutch DPA has yet been challenged in court. According to the Dutch DPA, more fines are pending.

2 When do data breaches require notice to regulators or consumers, and what are the key factors that organisations must assess when deciding whether to notify regulators or consumers?

Pursuant to article 33 of the GDPR, the controller must notify a personal data breach to the Dutch DPA, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must also, without undue delay, inform the data subjects, communicating in clear and plain language the nature of the personal data breach (article 34 GDPR). This communication is not required when the controller has taken measures to ensure that the risk of a breach is not likely to materialise. Breach notification requirements already existed in the Netherlands before the entry into force of the GDPR. From 2016, the Dutch Data Protection Act contained a data breach notification duty that is more or less similar to that of the GDPR.

Under this previous regime, the Dutch DPA had issued guidelines in English to help organisations determine whether a security incident qualifies as a data breach and, if so, whether they must report this breach to the Dutch DPA and possibly the data subjects. Although formally no longer in force, the policy rules continue to be useful for controllers who are confronted with a possible breach and are in some respects more detailed than the guidance issued in 2017 by the Article 29 Working Party (WP 250). Both guidance documents make it clear that a number of criteria will be relevant to assess whether a notification needs to be made. These include the sensitivity of the data, the number of data subjects affected, the volume of data lost and the possible consequences for data subjects. Moreover, it is also considered relevant to take into account who received the information and to which categories of data subjects the data relate (eg, data relating to children or other vulnerable groups). The Dutch DPA has also given further guidance on its website specifically on the question of whether ransomware can qualify as a breach that needs to be notified. In short, it takes the position that this is indeed the case, as the illegal encryption of data implies illegal access to data and a circumvention of security measures that should have prevented this. Also, the Dutch DPA considers that it will often be hard to establish the precise effects of ransomware and to exclude the risk that it may have transferred or manipulated personal data in addition to encrypting the data.

In case of doubt, the Dutch DPA recommends submitting a preliminary notification of a possible breach to be on the safe side. The notification can always be amended or even withdrawn at a later time, when the controller has more knowledge of the breach and its consequences. Controllers can notify through a web-based notification tool on the Dutch DPA’s website. As yet, this tool is only available in Dutch. In 2019, 26,956 data breaches were reported, most of which occurred in the financial sector. This is a substantial increase from 2016, when a little over 5,000 breaches were reported to the Dutch DPA, and also a 29 per cent increase compared to 2018. In that year, the Dutch DPA announced that it would focus more on unreported data breaches, as it believed that not all data breaches that ought to be reported had actually been reported. The Dutch DPA has not (yet) published any fine for a violation of the notification duty, but reported in 2020 that it had multiple cases pending for which sanctions may end up being imposed. Conversely, the Dutch DPA did issue a fine following a reported data breach. In July 2019, the Dutch DPA imposed a fine of €460,000 on a Dutch hospital, after it came to light that dozens of employees of the hospital had obtained unauthorised access to the medical file of a celebrity.

3 What are the biggest issues that companies must address from a privacy perspective when they suffer a data security incident?

Companies must continuously assess both the technical and the organisational measures they are taking to protect and secure their personal data. If a security incident occurs, the company should give priority to fixing the particular security issue and do its utmost to mitigate the negative consequences of the breach. Measures to be taken will vary depending on the type of incident, from trying to locate a lost data carrier, to contacting the recipients of an email that was wrongly sent or addressed, remotely wiping a portable device or working with a processor to establish the extent of a security incident in its domain. If an attacker has obtained personal data, the company will have to assess whether or not the data had been sufficiently encrypted, as this is relevant to the question of whether a notification should be made. If passwords have been leaked, the company should force users to change these passwords.

In one of the more high-profile security incidents reported last year, the Dutch University of Maastricht fell victim to a ransomware attack in December 2019. The attack, which started with two phishing emails, cost the university almost €200,000. After this incident, a parliamentary debate ensued over the desirability of insuring against ransomware attacks. The Minister of Justice noted that insurance payouts may encourage more attacks.

A data breach could be an indication that existing organisational and technical measures are not adequate. Maintaining an appropriate and adequate level of security requires continuous effort and constant scrutiny through risk assessments, planning, executing, checking and doing the same all over again (the ‘plan-do-check-act’ cycle). The guidance on privacy-by-design and privacy-by-default that was recently put up for consultation by the EDPB confirms this. This is a logical consequence of the notion that the adequacy of measures must be viewed in light of current technical standards. It does not necessarily mean that technical measures need at least annual renewal to match the most advanced security system available. The strength of the measures should also be viewed in proportion to the nature of the data they protect. A pizza shop with a spreadsheet of local customer addresses for mailing promotional flyers will not need military-level encryption. But processing of sensitive data will require measures such as two-factor authentication, encryption, hashing or, if possible, anonymisation or pseudonymisation. According to the Dutch DPA, not only the categories that have been designated as special in the GDPR should be considered sensitive data. For example, while investigating a navigation system manufacturer, the Dutch DPA considered that location data could be considered sensitive and that additional measures were necessary to protect consumers. The manufacturer then went on to anonymise these location data by, among other things, removing GPS locations close to the starting location and destination of the driver. This was considered an adequate measure in this context. The Dutch DPA has similarly held that data concerning someone’s media consumption (search terms used, TV shows watched, websites visited) is also sensitive in nature.
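The trip-trimming measure mentioned above (dropping GPS fixes close to the start and end of a journey, so that a home or workplace address cannot simply be read off the trace) can be illustrated in code. The following Python example is added here as an illustration; it is not the manufacturer's method or code and is not part of the original interview. The 500 m radius, the minimum-points threshold and the sample trace are constructed assumptions chosen for the example.

```python
import math

# Assumed parameters for this illustration (not values taken from the DPA decision).
EARTH_RADIUS_M = 6_371_000.0
DEFAULT_RADIUS_M = 500.0   # hypothetical trimming radius around each trip end
MIN_POINTS_TO_KEEP = 2     # drop trips that would shrink to a single fix


def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) pairs given in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    dlat, dlon = lat2 - lat1, lon2 - lon1
    h = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))


def trim_trip_ends(points, radius_m=DEFAULT_RADIUS_M, min_points=MIN_POINTS_TO_KEEP):
    """Remove every fix within radius_m of the trip's origin or destination.

    Returns the remaining fixes in their original order, or [] when fewer than
    min_points would remain: a very short trip cannot be published safely, so it
    is discarded instead of being reduced to a near-identifying stub.
    """
    if not points:
        return []
    origin, destination = points[0], points[-1]
    kept = [
        p for p in points
        if haversine_m(p, origin) >= radius_m and haversine_m(p, destination) >= radius_m
    ]
    return kept if len(kept) >= min_points else []


def trimmed_fraction(points, radius_m=DEFAULT_RADIUS_M):
    """Share of fixes discarded by trimming; a quick plausibility check on a batch."""
    if not points:
        return 0.0
    return 1 - len(trim_trip_ends(points, radius_m, min_points=0)) / len(points)


# Constructed sample trace: 21 fixes heading due north in 0.001 degree steps
# (about 111 m apart), so the first and last ~500 m each cover five fixes.
SAMPLE_TRIP = [(round(52.000 + i * 0.001, 4), 4.9) for i in range(21)]
SHORT_TRIP = SAMPLE_TRIP[:5]   # the whole trip lies inside the origin radius

if __name__ == "__main__":
    out = trim_trip_ends(SAMPLE_TRIP)
    print(len(SAMPLE_TRIP), "->", len(out), "fixes kept; first", out[0], "last", out[-1])
    print("short trip result:", trim_trip_ends(SHORT_TRIP))
```

Two design choices matter from a privacy-engineering viewpoint. Removing only the endpoint fixes still leaves the direction of travel and the route, so the radius has to be large enough that the remaining first and last fixes do not pin down a single building; and trips that would be left with almost nothing are dropped outright, because publishing a one-point stub still discloses a location close to the driver's origin. Trimming addresses endpoint re-identification only; other quasi-identifiers in the record (timestamps, device identifiers) need their own treatment.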

Organisational measures to be applied include confidentiality agreements with employees, disabling access to personal data for employees who have no need to use the data and adequate contracts with data processors. It should be kept in mind that the data controller remains responsible for the data processing of its processors. Access to data should be logged and these logs reviewed regularly. Adequate measures should also include clear documentation and instructions on what actions to take if an incident occurs.

4 What best practices are organisations within your jurisdiction following to improve cybersecurity preparedness?

As with any other modern networked society, the Netherlands is very much dependent on digital infrastructures. Statistics by the NCSC show that the vast majority of cyberattacks concern phishing, ransomware and denial-of-service (DDoS) attacks, all of which require vastly different remedies. As a direct consequence of this diversity, the NCSC advises a varied approach. However, as a general observation, research shows that it is essential to increase individuals’ security awareness, which will not only benefit their security practices at home but also the security of the companies they work for. Keeping software updated (patch management), making regular backups and using strong passwords are also essential to resilience against cyberattacks. Using professionally secured cloud services is among the general advice given to companies to increase their security. Large companies are, of course, better equipped to meet the cybersecurity challenges and may also rely on external experts to become more resilient against cyberattacks. However, even this is no absolute guarantee of safety. Another recommendation given by the NCSC is for companies to use ethical hackers to test their security on a regular basis. At the start of the covid-19 pandemic, regulators provided guidance on how to work from home securely, as many organisations needed to make working remotely possible for their employees on very short notice. This increased IT security risks and caused a surge of phishing attacks. The NCSC advised organisations to scale up network capacity to serve the larger number of homeworkers, to force the use of a secure connection to the corporate network through, for example, a virtual private network, to make maximum use of multi-factor authentication for access to the corporate network and to enforce strong passwords. The Dutch DPA provided guidance to workers on how to work securely from home. It advised them to work only from a secure work environment, to protect sensitive documents, to use (video) chat services cautiously and to be on the alert for phishing mails.

5 Are there special data security and privacy concerns that businesses should consider when thinking about moving data to a cloud hosting environment?

The controller is, and will remain, responsible and liable for any personal data it collects or processes. An important aspect of cloud services is the location where personal data is actually stored and processed. The GDPR has not changed the existing principle that personal data may only be processed outside the European Union (or more precisely: the European Economic Area) if the third country where the data is processed provides an adequate level of protection. Compliance can be achieved in various ways, all having to do with ensuring that adequate safeguards are in place within either the company or the country to which the data is transferred. However, the EU Court of Justice’s ruling invalidating the European Commission’s US Safe Harbour approval in the case of Schrems has shown that safeguards in the context of international data transfers can be fragile. So data controllers are well advised to keep a close watch on developments, especially the ongoing challenges of both the standard contractual clauses before the Court of Justice of the EU (judgment is expected to be delivered on 16 July 2020) and the Privacy Shield before the General Court. To the extent that servers are located in the UK, the ongoing Brexit negotiations will determine whether or not the UK will qualify as providing an adequate level of protection when the current transition period ends on 31 December 2020. With respect to cloud services in general, the Dutch DPA has published a number of guidelines, which are in line with the Article 29 Working Party’s guidance on the issue. For example, the DPA has taken the view that, even for medical data, there is no need to ask consumers for specific permission for the use of cloud-hosted services. In the autumn of 2019, it decided not to investigate cloud storage of medical data by a number of Dutch hospitals, as it saw no evidence of non-compliance. Obviously, depending on the sensitivity and amount of the data, the controller will need to implement increased security measures before using cloud services.

While this indicates a general openness to cloud solutions, using cloud storage will need to become part of the overall risk assessment the controller makes, and one that may need to involve a data protection impact assessment (DPIA) under the GDPR. The Dutch government has itself commissioned various DPIAs into its own use of commercial cloud services, which have guided its negotiations with a number of large international cloud providers, and prompted Microsoft to amend its privacy policy worldwide. Risk assessment does not stop once the choice has been made for a particular cloud solution: if the cloud host faces security issues, the controller will need to rethink using this particular company. A first indication of the quality of the host may be found in the availability of certificates (ISO, ISAE, NEN) concerning security. According to article 28 GDPR, adherence to an approved code of conduct may also be used to demonstrate sufficient guarantees. In 2019, the Dutch DPA published a draft decision to approve the code of conduct submitted by NL Digital, an association of IT companies, including cloud providers. To assist controllers and processors in determining what ‘appropriate technical and organisational measures’ (article 34 GDPR) are, the European Union Agency for Network and Information Security (ENISA) has published guidelines that should help to answer this question by giving examples of measures. ENISA has emphasised that the guidelines do not have a ‘legal status’, but mainly serve as guidance for market parties. Recently, the NCSC shared its own experiences of moving to the cloud, which is intended to be helpful to other organisations as well.

Furthermore, it is advisable to address any specific concerns a controller may have in the processor agreement. In any case, the controller should ensure access to the data at all times, even in a situation of conflict with the processor. The processor agreement should also address the issue of data location explicitly, as this is a specific requirement under the GDPR and one that may be particularly challenging to address in a cloud-based setting. Another topic that warrants careful deliberation is the provider’s duty to support the notification duty of the data controller should a breach occur in the cloud provider’s domain.

6 How is the government in your jurisdiction addressing serious cybersecurity threats and criminal activity?

The NCSC was established in 2012. This public–private body advises companies and the government on the usage of software and measures to increase cybersecurity. Its aim is to make the Netherlands more resilient against cybercrime.

In its Cybersecurity Assessment Netherlands 2019, the NCSC concluded that the digital resilience of individuals and organisations is not keeping up with the increasing threat. Cyberattacks are attractive to cybercriminals given their high impact on society on the one hand, and the relatively limited resources they require on the other. Also, it found that the threat of state actors remains prominent. Over a hundred countries worldwide use digital means for espionage and perform digital attacks to influence democratic processes. The NCSC identified a willingness among digital criminals to accept collateral damage in third countries that are not the prime target of a cyberattack (eg, the ‘Petya ransomware’ attack, which was primarily aimed at Ukrainian companies in 2017, resulted in major damage to Dutch companies and the Dutch economy). In December 2019 and January 2020, the NCSC advised organisations that rely on Citrix on how to handle vulnerabilities that had been found in its software. Moreover, it highlighted the worrying trend that cybercriminals no longer need to have dedicated computers at their disposal, as they can easily hire external computing capacity to launch a massive DDoS attack, or, as the NCSC calls it, ‘Cybercrime as a service’. Recent experience also shows that more than a few cybersecurity incidents could have been prevented – or at least the damage could have been contained more effectively – if organisations had invested in maintaining basic levels of cybersecurity by regularly installing security updates and software patches.

To resist such cybersecurity threats, the Cybercrime Act III entered into force on 1 March 2019. This Act provides the judicial authorities and the police with new powers to combat cybercrime. They have been given the authority to secretly and remotely conduct online investigations into computers. In addition, the handling of stolen data and online trade fraud are now punishable as criminal offences.

In addition to the NCSC there is the National Coordinator for Security and Counterterrorism. This agency was established in 2012. It is an agency of the Dutch government whose aim is to protect Dutch society against disruptive security threats. The National Coordinator for Security and Counterterrorism monitors and coordinates initiatives by the public, private and public–private sectors to strengthen cybersecurity in the Netherlands. Finally, the government has also launched the Cybersecurity Alliance. This is a platform for public–private partnerships to enhance cybersecurity in the Netherlands. Participants include telecoms operator KPN, Rabobank, Schiphol Airport and the Dutch postal service provider PostNL.

7 When companies contemplate M&A deals, how should they factor risks arising from privacy and data security issues into their decisions?

Companies are well advised to conduct thorough due diligence on a target’s IT environment and previous experience with security incidents, which should be logged internally as a requirement of law under the GDPR. The occurrence of a security incident need not in itself be worrisome. The response of the company to the incident can be much more telling about the company’s readiness and level of compliance.

When it comes to privacy and personal data, we note an increased emphasis on compliance in the context of due diligence for M&A deals. This increased emphasis is evident in two different ways. First, target companies are investigated with more scrutiny for their GDPR compliance. Second, we see that M&A lawyers are also more aware when it comes to requesting or disclosing personal data from, for example, the employees of a target company, using, for example, GDPR-compliant data rooms. This, no doubt, is linked to the new risk presented by the enormous fines that can be imposed under the GDPR for non-compliance.

There is also an increased awareness among competition authorities about the importance of vast collections of data and their potential monetary value, even if this is not necessarily reflected by equally large market shares. The Dutch competition and consumer rights authority has also highlighted the collection of data by online platforms as a potential source of market power, and the Ministry of Economic Affairs and Climate Policy has suggested that upcoming mergers and acquisitions should be reviewed based on deal value instead of the historic turnover of the companies involved.

The Inside Track

When choosing a lawyer to help with cybersecurity, what are the key attributes clients should look for?

A thorough understanding of cyberthreats and the capability to work with relatively new and untested legal regimes. This requires an open mind, curiosity and creativity, and sometimes a healthy dose of paranoia about the threats and scepticism about potential remedies. It is also important for the lawyer to have a technical interest.

What issues in your jurisdiction make advising on cybersecurity and privacy complex or interesting?

The Netherlands is a relatively tech-savvy country. The country as a whole has been ranked in fourth place on the Digital Economy and Society Index 2020, and our government ranks seventh. Our data protection authority has always taken a keen interest in new technical developments, and never shied away from going after large multinational companies such as Google, Facebook and Uber. It has also played an active role in the international task forces.

How is the privacy landscape changing in your jurisdiction?

The landscape is changing, but not only, or arguably even primarily, because of the GDPR: while the GDPR is more detailed than our previous data protection law, its most important rules are more or less similar to those we already had. While the rules themselves may not have changed all that much, the impact on the Dutch society is significant. We see an increased public awareness on privacy in general: people are more aware of their rights. We expect this public awareness to be a key driver for further change, which could even result in class action litigation.

What types of cybersecurity incidents should companies be particularly aware of in your jurisdiction?

The most frequently notified data breaches related to personal data sent to the wrong recipients (67 per cent), followed, at some distance, by letters or packages lost in the mail or opened before return (9 per cent), lost data carriers (5 per cent), hacking, malware or phishing incidents (3 per cent), the inclusion of the wrong customer data in an online portal (3 per cent) and the inadvertent publication of personal data (3 per cent).