Articles

Bill submitted to increase penalty powers of the Dutch Data Protection Authority

Bill submitted to increase penalty powers of the Dutch Data Protection Authority

Bill submitted to increase penalty powers of the Dutch Data Protection Authority

30.04.2015

On 24 November 2014 State Secretary Teeven (from the VVD, a conservative-liberal party) submitted a second memorandum of amendment concerning the legislative proposal adjusting the Dutch Data Protection Act (“DDPA”). The amendment, to be introduced through an adjustment of article 66 DDPA, is intended to give the Dutch Data Protection Authority (“DPA”) the authority to impose higher administrative fines and to be able to do so in more cases.

At the moment this authority is limited to a number of specific administrative provisions such as failure to register a data processing with the DPA. Furthermore, the maximum possible fine is EUR 4,500 which is relatively low and is in practice not imposed. The legislative proposal extends this authority to a large number of general obligations under the DDPA and introduces penalty categories which range from EUR 20,250 for relatively minor violations, to EUR 810,000 for intentional and repeated violations, which can have significant social repercussions. An even higher flexible financial penalty is proposed in relation to legal entities: if the maximum fine level of EUR 810,000 is not sufficiently punitive, the DPA can impose a fine equal to a maximum of 10% of the annual turnover of the respective legal entity. It is remarkable (and good news in practice) that the fine for not registering a data processing with the DPA, which until now was one of the only provisions from the DDPA that was fineable, will cease to exist.

The legislative proposal is consistent with the penalty categories included in article 23 of the Dutch Criminal Code. However, the DPA can only impose such an administrative fine after it has issued a binding instruction to the offender. A time limit in which the offender has to follow the instruction can be imposed. The offender may file a notice of objection against this decision – although this will not suspend the proceedings. This can be problematic since this could in practice lead to two parallel procedures. In situations involving an intentional breach of the material standards of the DDPA, there is no obligation to give a binding instruction and the DPA can impose a fine directly.

If the legislative proposal is accepted, the DPA shall be referred to as ‘Personal Data Authority’. This reflects the terminology of the European proposal for the new General Data Protection Regulation and to prevent any existing confusion with the Dutch Bureau for Economic Policy Analyses (in Dutch “CPB”, DPA in Dutch “Cbp”). In addition the DPA will in the future need approval from the Minister of Security and Justice for the guidelines which serve to explain and interpret the material standards of the DDPA, under which an administrative penalty can be imposed for violations.

The proposal derives from the coalition agreement, which contained an increase of penalty powers. This reinforces supervision and shifts the focus from remedy sanctions such as incremental payments, often imposed by the DPA under the present system, towards administrative fines. The question is, however, whether this will make a difference in practice, especially considering the fact that the DPA is obligated to first issue a binding instruction. This obligation arises from the advice of the Council of State that, given the ‘vague’ standards of the DDPA, it is undesirable to impose a penalty without a previous warning. The DPA does not agree with this part of the proposal: it feels like a ‘paper tiger’ and believes it will not be able to act promptly and efficiently. A fear exists that companies and organisations will not feel the urge to comply with the law. Paper tiger or not, one thing is certain: the creation of a wider penalty authority demonstrates that, after years of talking and lobbying, compliance with the privacy rules is being taken seriously. Privacy compliance has become a boardroom issue and is expected to be on the agenda of a number of companies in 2015.

 

Click here for a PDF version of the 51st edition of our ICT Law Newsletter.

 

Team

Related news

22.07.2021 NL law
Towards a European legal framework for the development and use of Artificial Intelligence

Short Reads - Back in 2014, Stephen Hawking said, “The development of full artificial intelligence could spell the end of the human race.” Although the use of artificial intelligence is nothing new and dates back to Alan Turing (the godfather of computational theory), prominent researchers – along with Stephen Hawking – have expressed their concerns about the unregulated use of AI systems and their impact on society as we know it.

Read more

19.07.2021 BE law
One year of Schrems II: a state of affairs for international data transfers

Articles - International data transfers have been the subject of intense debates ever since the Court of Justice issued its landmark judgement of Schrems I, on 6 October 2015. The intensity of the debate was further reinforced since the Schrems II decision one year ago, on 16 July 2020. The decision annulled the U.S. Privacy Shield and severely tightened the rules on the use of standard contractual clauses (“SCCs”).

Read more

18.05.2021 NL law
Kroniek: De bestuursrechtelijke aspecten van de AVG

Articles - Tom Barkhuysen, Steven Bastiaans en Fatma Çapkurt (Universiteit Leiden) schreven samen de eerste editie van de nieuwe jaarlijkse NTB kroniek: de bestuursrechtelijke aspecten van de AVG. Hierin bespreken zij onder meer de meest relevante (bestuursrechtelijke) jurisprudentie van het afgelopen jaar op het gebied van de AVG.

Read more

18.06.2021 NL law
FAQ: Wat houdt het Wetsvoorstel elektronische gegevensuitwisseling in de zorg (Wegiz) in en wat is de verhouding tot de AVG?

Short Reads - (Digitale) gegevensuitwisseling in de zorg is een actueel thema. Illustratief is een item bij EenVandaag van april 2021 waarin de analoge werkwijze bij gegevensuitwisseling in de zorg wordt aangekaart, maar ook dit artikel in het NRC van afgelopen maand waarin verslag werd gedaan van een datalek waardoor duizenden gevoelige patiëntgegevens op straat kwamen te liggen. 

Read more

04.05.2021 NL law
Participatie en privacyregels: hoe te combineren onder de Omgevingswet?

Short Reads - In het stelsel van de Omgevingswet (Ow) is een belangrijke rol bedacht voor participatie bij de totstandkoming van besluiten. Het beoogde resultaat: tijdig belangen, meningen en creativiteit op tafel krijgen en daarmee een groter draagvlak en kwalitatief betere besluitvorming bereiken. Door een grotere betrokkenheid van meer personen gaan overheden en initiatiefnemers ook meer persoonsgegevens verwerken. Dit brengt privacyrisico’s met zich mee. Wat regelt de Ow op het gebied van privacy, de verwerking van persoonsgegevens en datagebruik?

Read more