Articles

Bill submitted to increase penalty powers of the Dutch Data Protection Authority

Bill submitted to increase penalty powers of the Dutch Data Protection Authority

Bill submitted to increase penalty powers of the Dutch Data Protection Authority

30.04.2015

On 24 November 2014 State Secretary Teeven (from the VVD, a conservative-liberal party) submitted a second memorandum of amendment concerning the legislative proposal adjusting the Dutch Data Protection Act (“DDPA”). The amendment, to be introduced through an adjustment of article 66 DDPA, is intended to give the Dutch Data Protection Authority (“DPA”) the authority to impose higher administrative fines and to be able to do so in more cases.

At the moment this authority is limited to a number of specific administrative provisions such as failure to register a data processing with the DPA. Furthermore, the maximum possible fine is EUR 4,500 which is relatively low and is in practice not imposed. The legislative proposal extends this authority to a large number of general obligations under the DDPA and introduces penalty categories which range from EUR 20,250 for relatively minor violations, to EUR 810,000 for intentional and repeated violations, which can have significant social repercussions. An even higher flexible financial penalty is proposed in relation to legal entities: if the maximum fine level of EUR 810,000 is not sufficiently punitive, the DPA can impose a fine equal to a maximum of 10% of the annual turnover of the respective legal entity. It is remarkable (and good news in practice) that the fine for not registering a data processing with the DPA, which until now was one of the only provisions from the DDPA that was fineable, will cease to exist.

The legislative proposal is consistent with the penalty categories included in article 23 of the Dutch Criminal Code. However, the DPA can only impose such an administrative fine after it has issued a binding instruction to the offender. A time limit in which the offender has to follow the instruction can be imposed. The offender may file a notice of objection against this decision – although this will not suspend the proceedings. This can be problematic since this could in practice lead to two parallel procedures. In situations involving an intentional breach of the material standards of the DDPA, there is no obligation to give a binding instruction and the DPA can impose a fine directly.

If the legislative proposal is accepted, the DPA shall be referred to as ‘Personal Data Authority’. This reflects the terminology of the European proposal for the new General Data Protection Regulation and to prevent any existing confusion with the Dutch Bureau for Economic Policy Analyses (in Dutch “CPB”, DPA in Dutch “Cbp”). In addition the DPA will in the future need approval from the Minister of Security and Justice for the guidelines which serve to explain and interpret the material standards of the DDPA, under which an administrative penalty can be imposed for violations.

The proposal derives from the coalition agreement, which contained an increase of penalty powers. This reinforces supervision and shifts the focus from remedy sanctions such as incremental payments, often imposed by the DPA under the present system, towards administrative fines. The question is, however, whether this will make a difference in practice, especially considering the fact that the DPA is obligated to first issue a binding instruction. This obligation arises from the advice of the Council of State that, given the ‘vague’ standards of the DDPA, it is undesirable to impose a penalty without a previous warning. The DPA does not agree with this part of the proposal: it feels like a ‘paper tiger’ and believes it will not be able to act promptly and efficiently. A fear exists that companies and organisations will not feel the urge to comply with the law. Paper tiger or not, one thing is certain: the creation of a wider penalty authority demonstrates that, after years of talking and lobbying, compliance with the privacy rules is being taken seriously. Privacy compliance has become a boardroom issue and is expected to be on the agenda of a number of companies in 2015.

 

Click here for a PDF version of the 51st edition of our ICT Law Newsletter.

 

Team

Related news

06.06.2019 BE law
TMT Roundtable: Getting a handle on software quality

Roundtable - Erik Valgaeren, TMT Partner at Stibbe Brussels, and his team organize a roundtable on software quality in our Brussels office on June 6th, 2019. Software quality is a recurring theme in many matters handled by our TMT team. Whether our assistance relates to preparing tender documents, contracting effectively, assessing proper performance or allocating ownership and accountability in challenging IT projects, questions concerning software quality always arise.

Read more

27.05.2019 EU law
One year of GDPR - The regulatory warm-up

Short Reads - The first year of the General Data Protection Regulation ("GDPR") is over. Although early noises predicted an entirely new data protection regime, the European legal framework did not change substantially, the major changes being an expansion of the territorial scope to non-EU countries and stronger powers of enforcement. In spite of fears and rumours of immediate enforcement and huge fines, most regulators focused on helping companies achieve compliance, or they enforced without directly imposing fines.

Read more

21.05.2019 EU law
Part one - GDPR and Public Law - Applicability of GDPR to public bodies

Articles - Since the GDPR became applicable almost one year ago, multiple questions have arisen about its interaction with other fields of law. In this three-part blog series of “GDPR and Public Law”, we discuss three relevant issues of the interaction of GDPR with public law and government. In this blog we discuss the applicability of GDPR to public bodies.

Read more

Our website uses functional cookies for the functioning of the website and analytic cookies that enable us to generate aggregated visitor data. We also use other cookies, such as third party tracking cookies - please indicate whether you agree to the use of these other cookies:

Privacy – en cookieverklaring