In June 2013, the Netherlands introduced a legislative proposal to impose mandatory data breach notifications that gives the Dutch Data Protection Authority (DPA) the power to impose substantial fines for failure to comply with the new requirements.[1]
This regulation provides for a stricter regime than most other EU Member States and is introduced while discussions on the EU General Data Protection Regulation[2] are still ongoing.
Recent high-profile data security incidents prompted the Dutch government to commit to stricter regulation of security breaches. The requirements will not be limited to the telecom sector, but will apply to all organizations responsible for processing personal data, including financial institutions and public bodies.
The current notification regime is laid down in Article 11.3a of the Telecommunications Act (TA), which requires providers of public telecommunications services to immediately notify the Dutch Authority for Consumers and Markets (ACM) of any security breach that adversely affects the protection of personal data.[3] The ACM has the authority to impose fines up to a maximum of EUR 450,000.
The proposal introduces a general obligation to notify data breaches under the Dutch Data Protection Act for all data controllers. According to the newly proposed article 34a of the Data Protection Act, a data controller must:
- Notify the DPA ‘promptly’ of any breach of security measures that can ‘reasonably’ be expected to adversely affect the protection of the personal data it processes.
- Notify those individuals whose personal data have been compromised (data subjects), if the breach is likely to affect their privacy.
To ensure compliance, the DPA will be given the authority to impose fines up to a maximum of EUR 450,000 for failure to comply with the notification obligation or failure to cooperate with the DPA in related investigations.
If data losses occur, the data controller must provide the following information:
- A description of the breach;
- The entities a party could turn to for further information;
- The recommended measures to mitigate the negative effects of the breach.
Besides the above, the data controller must provide the DPA with:
- A description of the actual, and likely, consequences of the breach for the processing of personal data and the (proposed) measures to resolve the resulting privacy issues.
The proposal provides for three main exceptions to the mandatory notification rule:
- If appropriate technological protection measures have been taken to ensure that the personal data are encrypted or rendered unintelligible to anyone not entitled to access them, data subjects do not have to be notified. However, if the DPA is of the opinion that the breach is likely to have adverse consequences for the individual privacy of data subjects, it may still demand notification.
- Providers of public electronic communication services, who, in that capacity, have made a notification as referred to in the TA, need not notify the DPA;
- Financial institutions notify the breach to the DPA but are in principle not required to notify the data subjects.
The current proposal has given rise to criticism from various organizations including the Dutch Council of State. Questions have been raised because the proposal does not define when a breach occurs nor does it provide an exhaustive list of possible breaches of security of personal data. This would make it difficult for the DPA to enforce the new provisions and could undermine the efficiency of the new regulation.
In September 2013, the proposal will be discussed in Parliament. In parallel, discussions on EU legislation are ongoing. Under the draft EU General Data Protection Regulation, data controllers would be required to report personal data breaches without undue delay and, if possible, within 24 hours. This proposal led to criticism from various organizations; questions have been raised regarding the potential cost to businesses implementing new procedures necessary to comply with the new reporting obligation.
Recently, the European Commission introduced new data breach notification rules for providers of electronic communication services.[4] All telecom operators and internet service providers in the EU Member States will have to inform their national authority within 24 hours of detecting a personal data breach. Subscribers or individuals must be notified when the personal data breach is likely to adversely affect their personal data or privacy, unless the data have been securely encrypted. Providers that do not have a direct contractual relationship with subscribers must immediately inform the contracting provider if a personal data breach occurs.
These requirements could provide a useful test for the functioning of a new data breach notification regime. The new rules will apply across Europe as of August 25, 2013.