The month of August has brought the following interesting data protection developments:

I Dutch developments

  1. Camera surveillance on highways breaches the Dutch Data Protection Act according to the Advocate-General (Advocaat-Generaal)

The Tax and Customs Administration uses Automatic Number Plate Recognition (ANPR) and camera surveillance on Dutch highways to check whether drivers comply with various tax rules. Currently the Supreme court (Hoge Raad) is asked to answer the question whether the Tax and Customs Administration is allowed to use this camera surveillance in the way they do and for these purposes. The Advocate-General, who advises the Supreme Court, states in his conclusion that the Tax and Customs Administration breaches the privacy of individuals because the surveillance is systemic and permanent. Such a breach of privacy is only allowed in case this is provided for by law. The Advocate-General concludes that there is no law providing for this systemic and permanent camera surveillance and hence is not legitimate.  

  1. Dutch Data Protection Authority published a Q&A regarding privacy issues involved in health projects for kids and youths

The Dutch Data Protection Authority published a Q&A regarding health projects for kids and youths. Personal data related to health qualifies as ‘sensitive’ data. It is prohibited to process personal health data unless the processing is based on a legal exception. Municipalities or schools initiating health projects may only process health data if they received explicit consent thereto of the data subject or, for kids and youths under sixteen years, the explicit consent of their parents. The data subject, or his/her parents, should be properly informed about the exact processing activities to decide whether to give their consent or not. The possibility to opt out does not meet the requirement of ‘explicit’ consent.  

  1. Interview with the vice-president of Dutch Data Protection Authority regarding the collection of data of employees at work

​​​The vice-president of the Dutch Data Protection Authority explains, that whether an employer is allowed to process personal data firstly depends on the purpose of the processing activity and the question whether the processing activity is necessary to reach that purpose. Secondly, an employer is not allowed to process more (categories of) personal data than strictly necessary to reach that purpose. Thirdly, it is important not to retain the personal data longer than necessary. Besides, employers should realize that the relationship within an employer-employee is ‘unequal’ in view of the authority of the employer. Consequently, consent as a legal ground is generally not valid since such consent may not be considered ‘freely given’.  

  1. Dutch court rules that the Dutch Data Protection Authority must further investigate processing of travelers’ personal data by the Dutch Railways

A Dutch court ruled that the Dutch Data Protection Authority must further investigate the processing of travelers’ personal data by the Dutch Railways (NS). The Dutch Railways requires travelers to acquire a personal public transport chip card (OV) if they want to use a discount fare. In the past the Dutch Data Protection Authority investigated this matter and concluded this to be compliant with the Dutch Data Protection Act. The court now finds that the Authority should further investigate other, less radical, possibilities to process the travelers’ personal data.  

  1. Report of Dutch Data Protection Authority on interactive television providers

The Dutch Data Protection Authority issued a report stating that digital television providers such as XS4ALL and KPN processed personal data without consent of their customers and that the personal data was retained too long. In essence, these providers were able to monitor everything their customers viewed, while the customers were not (sufficiently) aware. Television providers may only process personal data if they clearly inform their customers. Only then customers can decide whether they want to give their consent for the processing activities. As a result both XS4ALL and KPN reviewed their privacy policy in this respect.

II European Developments

  1. Article 29 Working Party releases ePrivacy Directive opinion

The development of the digital market calls for a thorough revision of the rules in Directive 2002/58/EC (the ePrivacy Directive). The ePrivacy Directive provides for a set of security and privacy measures with a focus on telephone and internet access providers in addition to the Data Protection Directive 95/46/EC (which will be repealed by the General Data Protection Regulation which will apply as from 25 May 2018). The new ePrivacy Directive will provide for additional rules to protect the security of electronic communications. The new legislative proposal on the ePrivacy Directive is expected by the end of 2016. We will keep you updated on any developments concerning this matter.  

  1. WhatsApp’s changed its privacy policy

WhatsApp (a mobile messaging application) changed its privacy policy and now, as a default, shares it users’ personal data with Facebook. Privacy Regulators expressed their concerns and have indicated to closely monitor this development. This default settings can be changed by going to WhatsApp > Settings > Account and then switch off the option “Share my account info”.  

  1. General Data Protection Regulation (GDPR) On 25 May 2016, the two years’ countdown to the effective date of the EU General Data Protection Regulation has started. Stay updated on the most important requirements of the GDPR through our monthly GDPR updates.