The recently introduced obligation to report personal data breaches under the Dutch Data Protection Act (Wet bescherming persoonsgegevens or "WBP") and the adoption of the EU General Data Protection Regulation ("GDPR") earlier this year have been attracting attention. By introducing the obligation to report data breaches, the Dutch government clearly anticipated the GDPR – which was expected to include some sort of notification obligation. The GDPR has now entered into force and will apply from 25 May 2018. As it turns out, the WBP's provisions regarding data breach notification are not in full agreement with the GDPR's.
Notification of data breaches to the supervisory authority
WBP: Section 34a(1) of the WBP obliges the controller (excluding telecom providers) to notify the Dutch Data Protection Authority of a security breach which results in a substantial probability of serious adverse consequences for the protection of personal data.
GDPR: Article 33 of the GDPR obliges the controller to notify the supervisory authority of a personal data breach (which apparently means the same as "security breach") without undue delay, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
The main difference between the WBP and the GDPR in this regard relates to the criteria for notification. The WBP, first of all, refers to the "protection of personal data" in general, and requires a substantial (not small) probability of serious (not just any) adverse consequences for the protection of personal data. The GDPR, on the other hand, requires that any personal data breach be reported, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons (note that this is broader than just their 'privacy'). It is my reading that a data breach is therefore more likely to be eligible for notification to the supervisory authority under the GDPR than under current Dutch law, since I expect that in most cases it will be hard for the controller to assess that it is unlikely that any such risk exists.
Communication to data subjects
WBP: In addition to notifying the supervisory authority, the controller may be obliged to communicate the security breach to the data subjects affected (section 34a(2) of the WBP). This must be done (again, without delay) if the breach – the very same breach which according to the first paragraph of section 34a must be reported to the supervisory authority (see above) – is likely to have unfavourable consequences to their privacy.
GDPR: Article 34 of the GDPR obliges the controller to communicate "the" personal data breach to the data subjects when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.
The WBP clearly links the possible communication to data subjects to the same security breach as reported to the supervisory authority: section 34a(2) of the WBP refers to "the security breach, referred to in the first paragraph". This seems to be the case in the GDPR as well, since a scenario in which a breach imposes a high risk under Article 34 without meeting the criteria of Article 33 of the GDPR is unlikely to happen. Communicating a personal data breach to data subjects is more likely to be obligatory under the current WBP than under future GDPR rules. Under the WBP, likely unfavourable consequences to privacy are sufficient for triggering the obligation to communicate the breach to the data subjects, whereas the GDPR requires a high risk for the persons' rights and freedoms.
Another aspect which catches attention is that the GDPR does not exclude financial enterprises (such as financial service providers) from the obligation to communicate breaches to data subjects. Currently, section 34a(10) of the WBP does exclude such organisations from having to notify data subjects. The Dutch legislator may decide to re-introduce such an exemption under Article 23 of the GDPR – which to a certain extent leaves room for deviations at a national level.
The current and recently introduced obligation under the WBP to notify data breaches is not entirely in agreement with the future data breach notification provisions of the GDPR.
Under the GDPR, the requirements for reporting a data breach to the supervisory authority are different from those under current Dutch legislation. It seems that a data breach is more likely to be eligible for notification to the supervisory authority under the GDPR than under the WBP. The European Data Protection Board is expected to provide further guidance on the scope of the data breach provisions of the GDPR.
Notifying data subjects under the GDPR is only mandatory in cases where there is a high risk for their rights and freedoms, which in my opinion is certainly a higher threshold than the current section 34a(2) of the WBP.
Organisations that process personal data should keep this in mind, in order to be compliant on 25 May 2018. Last but not least, until the Dutch legislator introduces legislation that provides otherwise, financial enterprises are advised to prepare for the fact that the data breach notification regime will become fully applicable to them as well, including the possibility that they will be obliged to notify data subjects.