The Dutch Government proposed an amendment to the Dutch Data Protection Act (Wet bescherming persoonsgegevens, "WBP") on 21 June 2013 introducing a general and mandatory data security breach notification. In addition, the bill authorises the Dutch Data Protection Authority (College bescherming persoonsgegevens, "CBP") to levy a fine of EUR 450,000 for failure to notify or cooperate with the CBP. The Dutch Government further underlined its intention to expand the enforcement powers of the CBP by allowing it to levy higher fines for an increased number of violations.
Data breach notification
To address the large number of security incidents negatively impacting the privacy of individuals, the Dutch Government has proposed a duty to notify in the event of a data security breach.
According to the bill, an entity must notify the CBP promptly (in Dutch: onverwijld) of any breach of security measures that can reasonably be expected to have a negative impact on the protection of personal data which it processes. In addition, individuals whose data may have been compromised must also be notified promptly if the breach is likely to adversely affect their privacy. Data controllers experiencing a breach should inform CBP and/or individuals of:
- the nature of the breach
- any 'contact points' the CBP and/or the individuals can turn to for more information on the breach
- recommended measures to mitigate the negative effects of the breach.
Additionally, the bill states that the notification to the CBP must include:
- a description of the actual and probable consequences of the breach for the personal data affected and any measures the data controller has taken to address these consequences.
There are several exceptions to this general obligation to notify. One important exception concerns encrypted data: if the data controller has encrypted the personal data involved in the security breach, it is not required to notify the affected individuals. Financial institutions are exempted from notifying individuals but will have to notify the CBP and the relevant financial regulators under the separate data breach notification regime in the Financial Supervision Act (Wet op het financieel toezicht). Telecommunications providers are exempted insofar as they are subject to the data breach notification laid down in the Dutch Telecommunications Act (Telecommunicatiewet). The penalty for failure to notify is a fine of EUR 450,000.
For an overview of what the CBP considers appropriate security measures, please see the CBP guidelines on securing personal data published earlier this year.
Punitive fines for failure to cooperate
At present the CBP can levy a fine of EUR 4,500 per offence for selected violations. If the proposal is adopted, the CBP will additionally be able to impose a fine of EUR 450,000 for violations of the obligation to cooperate under Dutch administrative law. This general duty to cooperate enables the CBP to make effective use of its investigative powers by requiring companies and individuals to follow its lawfully given instructions.
Further expansion of power to impose fines
In the explanatory memorandum to the proposal, the Dutch Government announced its intention to further expand CBP's enforcement powers. As promised in its 2012 legislative program, compliance with the WBP is to be strengthened by authorising the CBP to impose higher administrative fines for violations of the WBP. The Government plans to include these amendments in the current bill.
The bill was sent to the Second Chamber on 21 June 2013 and is to be discussed on 5 September 2013. We will keep you updated on developments.