Dutch developments

According to the recent annual report 2016 published by the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) (DPA), the number of data breach notifications filed by municipalities has significantly increased over the past year. The Dutch DPA explained that the increase in data breach notifications does not necessarily translate to an increase in such incidents. It pointed out that this increase is a direct result of the general obligation for data controllers to notify the Dutch DPA of data breaches, which came into force in January 2016.

Whilst the total number of data breach notifications by municipalities was 533 in 2016, the number of notifications for just the first quarter of 2017 amounts to 331. Over 40% of the latter concerns cases in which sensitive personal data, such as identification numbers and financial information, got sent to wrong recipient.

According to the chairperson of the Dutch DPA, patient data of over 504 patients were unlawfully obtained by third parties, and a total of 666 notifications of data breaches were made by health care providers over the past year. Often times, the data breaches were caused by simple human errors such as stolen computers or lost usb-sticks. The chairperson reassured the public that there has been no sign of a black market involving patient data, but there have been cases of ransomware however.

For the time being, the Dutch DPA has limited its sanctions to warnings. It has nevertheless also cautioned the various bodies that with the entry into force of the General Data Protection Regulation in May 2018, intent will no longer be a relevant component for the Dutch DPA to impose fines. It is therefore imminent that appropriate technical as well as organizational measures are carefully and timely implemented.