Last Friday, 21st of June, the State Secretary for Security and Justice, Mr Teeven, sent a legislative proposal introducing a security breach notification obligation to the Dutch Parliament. The proposal follows an earlier draft of last year to introduce a general notification duty. Once the proposal is adopted by Parliament and Senate, controllers will have to notify the Dutch Data Protection Authority of any breach of the security of the personal data they process. Failure to comply with the obligation may result in fines of up to EUR 450,000.
The proposal follows from the general obligation to implement appropriate technical and organizational measures to protect personal data against loss or other unlawful forms of processing. The Dutch DPA recently published guidelines that aim to further clarify this requirement in practice (also see our earlier coverage).
Any breach of the measures taken under this security obligation must be notified to the DPA. Additionally, breaches that may have a negative impact on the data subjects' privacy will have to be notified to the data subjects themselves as well. This implies that the data subjects will not have to be notified if the controller has encrypted the data in an appropriate manner, i.e. in such a way that unauthorised persons will not be able to access the data (which presupposes that the decryption keys were not compromised together with the data).
The explanatory note to the proposal gives some examples of data breaches that might be covered by the proposal, such as successful hacking attempts and theft of laptops and mobile devices, but also lost memory sticks or emails containing personal data that are sent to the wrong recipients.
Hopefully a couple of issues will be clarified in Parliament. For example, the assessment of what constitutes a breach of technical or organizational security measures leaves a lot of room for interpretation. The same can be said of whether or not an alleged breach has a negative impact on the data subjects' privacy. In order to provide more guidance for both controllers and processors, the Dutch DPA has also promised to issue further guidelines.
There has been some debate about the legislative proposal in view of the proposal for a new EU General Data Protection Regulation, which is now under discussion in Brussels. The Regulation includes a similar security breach notification obligation. For that reason, the State Secretary had informed Parliament that he would not proceed with the legislative proposal, because it would most likely have effect only for a very limited time, i.e. until the Regulation enters into effect. However, a majority in Parliament insisted that Mr Teeven prepare the legislative proposal nevertheless, which he did, although not too expeditiously.
It must be emphasised that this proposal is subject to the approval of Parliament and that members of Parliament have the right to propose changes to the draft legislation. Through early and active involvement with the proposal and the legislative process, our team in The Hague is well-equipped to safeguard your interests in this legislative process.