On 24 November 2014, the Dutch State Secretary of Security and Justice (Staatssecretaris van Veiligheid en Justitie) introduced an amendment to the bill on notification of data leaks amending, amongst others, the Dutch Data Protection Act (Wet bescherming persoonsgegevens, DPA). In addition to the introduction of a duty to notify the Dutch Data Protection Authority (College bescherming persoonsgegevens, CBP) and the data subject(s) concerned in the event of a breach of security measures for the protection of personal data which was already included in the bill, the CBP will now also be given the power to impose significantly higher administrative fines for breach of a wider range of provisions included in the DPA.
The maximum administrative fine that is currently at the CBP’s disposal is EUR 4,500 and may only be imposed if a processing of personal data is not (fully) reported to the CBP or to a data protection officer (functionaris voor de gegevensbescherming). In some limited cases, a criminal penalty with a maximum amount of EUR 8,100 may be imposed.1
The provisions of the DPA have primarily been enforced through restorative sanctions (administrative orders and orders for incremental penalty payments). According to its annual accounts, the CBP has not imposed any administrative fines since 2007. Pursuant to the amendment to the bill, the CBP will be authorised to impose an administrative fine for the breach of a significant number of other provisions of the DPA. This is in line with the policy of the Dutch government to promote compliance with the DPA by both companies and government institutions.
Higher fines in more cases
The CBP will be able to impose administrative fines ranging from EUR 20,250 for relatively minor offences up to EUR 810,000 for more serious offences.2 It should be noted that, where the maximum fine is not deemed to be a suitable punishment, the CBP may also impose an administrative fine equal to ten per cent (10%) of the annual turnover of the company concerned in the preceding year.
A maximum administrative fine of EUR 810,000 may be imposed in case of breach of various obligations, including, but not limited to, breach of the obligation:
- to properly and carefully process personal data;
- to collect personal data for specific, explicitly defined and legitimate purposes;
- to have a legitimate statutory ground for processing personal data;
- to not process personal data in a way incompatible with the purposes for which the personal data has been obtained;
- to implement appropriate technical and organizational measures to secure personal data against loss or against any form of unlawful processing;
- to not process sensitive personal data, unless an exception applies;
- to inform the relevant data subject(s) as prescribed by the DPA; and
- to comply with the provisions relating to the transfer of data to countries outside the European Union.
It is, however, important to note that this fine may only be imposed after the CBP has first given the offender an instruction to rectify the breach, a so-called ‘binding instruction’ (bindende aanwijzing). This requirement does not apply if the breach is ‘intentional’. But when is a breach intentional? It follows from the explanatory notes to the bill that this will be the case if personal data is unlawfully traded for profit. In such situations, the offenders knowingly breach the rules to make financial gains.
A welcome change is the deletion of the above-mentioned penalty which applies if a processing of personal data is not (fully) reported to the CBP or to a data protection officer prior to commencing the processing.
Criticism of the CBP
The CBP has been advocating for more extensive fining powers for some time now, but in a statement on its website it has indicated that it has serious doubts that the proposed amendments will lead to the desired outcome. It believes that the proposed changes will not improve compliance with the DPA because the CBP will not be able to take quick and efficient action against infringements. Although not explicitly mentioned by the CBP, it is likely that it is referring to the rule that, for the most serious offences, an administrative fine should in principle be preceded by a binding instruction.