On Feb. 1, 2015, the Dutch House of Representatives voted in favor of a legislative bill introducing a duty to report data leaks.1 The bill, titled Duty to Report Data Leaks and the Expansion of the Administrative Penalty Competence of Dutch Data Protection Authority (Dutch DPA), will amend the Dutch Personal Data Protection Act and the Dutch Telecommunications Act. The bill, which is inspired by the European draft Regulation on General Data Protection,2 has been referred to the Dutch Senate and will only become law if the Dutch Senate votes in favor of it. The Dutch House of Representatives has decided, however, not to wait for the draft Regulation to enter into force, as this will likely not happen before 2016.3
The legislative bill anticipates the draft Regulation by imposing a duty on organizations to report data leaks to the Dutch DPA and the affected individuals.4 However the bill does differ from the draft Regulation with regards to the scope of the duty to report and the conditions applying to the duty to report. The Dutch House of Representatives considered the draft Regulation too premature to clone its current articles on the duty to report.5 The bill aims to restore overall trust in personal data use, as well as limit the adverse effects of data leaks by imposing administrative fines on the failure to report leaks. The bill addresses organizations of both private and public nature, meaning that both undertakings and governmental agencies are to report data leaks to the Dutch DPA.
The Dutch House of Representatives stated that data leaks, for example caused by theft, loss or hacking, have adverse effects on an individuals’ privacy. The bill, therefore, gives the Dutch DPA increased authority to fine organizations that negligently or recklessly fail to report data leaks. Organizations can be fined up to 810,000 euros or 10 percent of their annual gross sales.6
The bill remains silent on the exact circumstances under which an organization is required to report a leak to the Dutch DPA. This gives organizations some discretion to decide when to report. The Dutch DPA is currently working in cooperation with the Committee of Security and Justice and the Ministry of the Interior and Kingdom Relations to develop threshold criteria as to when leaks should be reported.7
The bill furthermore requires organizations to keep records of all data leaks that they believe pose a serious risk to the affected individuals’ privacy. Therefore, a record of the data leaks that should be reported to the Dutch DPA must be kept by all responsible organizations. At the moment, however, the criteria for reporting those data leaks are still unclear.
On Feb. 24, 2015, the Committee for Security and Justice elaborated on the procedure to be followed with the Dutch Senate.8 The Committee has suggested that the preliminary inquiry take place March 10, 2015, and would like the plenary hearing to be concluded before the Dutch Senate changes due to elections.9 The bill will only become actual law when it passes in the Dutch Senate.