Articles

Bill submitted to increase penalty powers of the Dutch Data Protection Authority

Bill submitted to increase penalty powers of the Dutch Data Protection Authority

Bill submitted to increase penalty powers of the Dutch Data Protection Authority

30.04.2015

On 24 November 2014 State Secretary Teeven (from the VVD, a conservative-liberal party) submitted a second memorandum of amendment concerning the legislative proposal adjusting the Dutch Data Protection Act (“DDPA”). The amendment, to be introduced through an adjustment of article 66 DDPA, is intended to give the Dutch Data Protection Authority (“DPA”) the authority to impose higher administrative fines and to be able to do so in more cases.

At the moment this authority is limited to a number of specific administrative provisions such as failure to register a data processing with the DPA. Furthermore, the maximum possible fine is EUR 4,500 which is relatively low and is in practice not imposed. The legislative proposal extends this authority to a large number of general obligations under the DDPA and introduces penalty categories which range from EUR 20,250 for relatively minor violations, to EUR 810,000 for intentional and repeated violations, which can have significant social repercussions. An even higher flexible financial penalty is proposed in relation to legal entities: if the maximum fine level of EUR 810,000 is not sufficiently punitive, the DPA can impose a fine equal to a maximum of 10% of the annual turnover of the respective legal entity. It is remarkable (and good news in practice) that the fine for not registering a data processing with the DPA, which until now was one of the only provisions from the DDPA that was fineable, will cease to exist.

The legislative proposal is consistent with the penalty categories included in article 23 of the Dutch Criminal Code. However, the DPA can only impose such an administrative fine after it has issued a binding instruction to the offender. A time limit in which the offender has to follow the instruction can be imposed. The offender may file a notice of objection against this decision – although this will not suspend the proceedings. This can be problematic since this could in practice lead to two parallel procedures. In situations involving an intentional breach of the material standards of the DDPA, there is no obligation to give a binding instruction and the DPA can impose a fine directly.

If the legislative proposal is accepted, the DPA shall be referred to as ‘Personal Data Authority’. This reflects the terminology of the European proposal for the new General Data Protection Regulation and to prevent any existing confusion with the Dutch Bureau for Economic Policy Analyses (in Dutch “CPB”, DPA in Dutch “Cbp”). In addition the DPA will in the future need approval from the Minister of Security and Justice for the guidelines which serve to explain and interpret the material standards of the DDPA, under which an administrative penalty can be imposed for violations.

The proposal derives from the coalition agreement, which contained an increase of penalty powers. This reinforces supervision and shifts the focus from remedy sanctions such as incremental payments, often imposed by the DPA under the present system, towards administrative fines. The question is, however, whether this will make a difference in practice, especially considering the fact that the DPA is obligated to first issue a binding instruction. This obligation arises from the advice of the Council of State that, given the ‘vague’ standards of the DDPA, it is undesirable to impose a penalty without a previous warning. The DPA does not agree with this part of the proposal: it feels like a ‘paper tiger’ and believes it will not be able to act promptly and efficiently. A fear exists that companies and organisations will not feel the urge to comply with the law. Paper tiger or not, one thing is certain: the creation of a wider penalty authority demonstrates that, after years of talking and lobbying, compliance with the privacy rules is being taken seriously. Privacy compliance has become a boardroom issue and is expected to be on the agenda of a number of companies in 2015.

 

Click here for a PDF version of the 51st edition of our ICT Law Newsletter.

 

Team

Related news

08.11.2019 BE law
Interview with Wouter Ghijsels on Next Gen lawyers

Articles - Stibbe’s managing partner Wouter Ghijsels shares his insights on the next generation of lawyers and the future of the legal profession at the occasion of the Leaders Meeting Paris where Belgian business leaders, politicians and inspiring people from the cultural and academic world will discuss this year's central theme "The Next Gen".

Read more

13.11.2019 NL law
Een strategisch actieplan voor het gebruik van AI door de overheid

Short Reads - Een paar jaren geleden hoorde je er nog nauwelijks over, maar nu kan je er bijna niet meer om heen: kunstmatige intelligentie, ook wel artificiële intelligentie (AI) genoemd.  AI verwijst naar systemen die intelligent gedrag vertonen door hun omgeving te analyseren en – met een zekere mate van zelfstandigheid – actie ondernemen om specifieke doelen te bereiken. Denk aan zelfrijdende auto's of slimme thermostaten. 

Read more

08.11.2019 EU law
Erik Valgaeren is session chair during IBA's 6th Biennial Technology Law Conference in Berlin

Speaking slot - Stibbe's TMT partner, Erik Valgaeren, chairs a session discussing the new legal challenges, created by the most recent technological developments in the field of software, data, online services and telecom, including 5G, pricing algorithms, platforms and data monetization. This session will take place on the 8th of November 2019 in Berlin.

Read more

24.10.2019 BE law
Virtual Currency Regulation Law Review - Belgian chapter

Articles - The second edition of the Virtual Currency Regulation Law Review is intended to provide a practical, business-focused analysis of recent legal and regulatory changes and developments, and of their effects, and to look forward at expected trends in the area of virtual currencies on a country-by-country basis.

Read more

Our website uses functional cookies for the functioning of the website and analytic cookies that enable us to generate aggregated visitor data. We also use other cookies, such as third party tracking cookies - please indicate whether you agree to the use of these other cookies:

Privacy – en cookieverklaring