Articles

Bill submitted to increase penalty powers of the Dutch Data Protection Authority

Bill submitted to increase penalty powers of the Dutch Data Protection Authority

Bill submitted to increase penalty powers of the Dutch Data Protection Authority

30.04.2015

On 24 November 2014 State Secretary Teeven (from the VVD, a conservative-liberal party) submitted a second memorandum of amendment concerning the legislative proposal adjusting the Dutch Data Protection Act (“DDPA”). The amendment, to be introduced through an adjustment of article 66 DDPA, is intended to give the Dutch Data Protection Authority (“DPA”) the authority to impose higher administrative fines and to be able to do so in more cases.

At the moment this authority is limited to a number of specific administrative provisions such as failure to register a data processing with the DPA. Furthermore, the maximum possible fine is EUR 4,500 which is relatively low and is in practice not imposed. The legislative proposal extends this authority to a large number of general obligations under the DDPA and introduces penalty categories which range from EUR 20,250 for relatively minor violations, to EUR 810,000 for intentional and repeated violations, which can have significant social repercussions. An even higher flexible financial penalty is proposed in relation to legal entities: if the maximum fine level of EUR 810,000 is not sufficiently punitive, the DPA can impose a fine equal to a maximum of 10% of the annual turnover of the respective legal entity. It is remarkable (and good news in practice) that the fine for not registering a data processing with the DPA, which until now was one of the only provisions from the DDPA that was fineable, will cease to exist.

The legislative proposal is consistent with the penalty categories included in article 23 of the Dutch Criminal Code. However, the DPA can only impose such an administrative fine after it has issued a binding instruction to the offender. A time limit in which the offender has to follow the instruction can be imposed. The offender may file a notice of objection against this decision – although this will not suspend the proceedings. This can be problematic since this could in practice lead to two parallel procedures. In situations involving an intentional breach of the material standards of the DDPA, there is no obligation to give a binding instruction and the DPA can impose a fine directly.

If the legislative proposal is accepted, the DPA shall be referred to as ‘Personal Data Authority’. This reflects the terminology of the European proposal for the new General Data Protection Regulation and to prevent any existing confusion with the Dutch Bureau for Economic Policy Analyses (in Dutch “CPB”, DPA in Dutch “Cbp”). In addition the DPA will in the future need approval from the Minister of Security and Justice for the guidelines which serve to explain and interpret the material standards of the DDPA, under which an administrative penalty can be imposed for violations.

The proposal derives from the coalition agreement, which contained an increase of penalty powers. This reinforces supervision and shifts the focus from remedy sanctions such as incremental payments, often imposed by the DPA under the present system, towards administrative fines. The question is, however, whether this will make a difference in practice, especially considering the fact that the DPA is obligated to first issue a binding instruction. This obligation arises from the advice of the Council of State that, given the ‘vague’ standards of the DDPA, it is undesirable to impose a penalty without a previous warning. The DPA does not agree with this part of the proposal: it feels like a ‘paper tiger’ and believes it will not be able to act promptly and efficiently. A fear exists that companies and organisations will not feel the urge to comply with the law. Paper tiger or not, one thing is certain: the creation of a wider penalty authority demonstrates that, after years of talking and lobbying, compliance with the privacy rules is being taken seriously. Privacy compliance has become a boardroom issue and is expected to be on the agenda of a number of companies in 2015.

 

Click here for a PDF version of the 51st edition of our ICT Law Newsletter.

 

Team

Related news

07.04.2020 NL law
E-book ‘Tijdelijke noodmaatregel overbrugging voor behoud van werkgelegenheid (NOW)’

Articles - De gevolgen van de maatregelen die zijn getroffen wegens de uitbraak van het coronavirus (COVID-19), treffen vrijwel alle werkgevers. Op 17 maart 2020 kondigde de regering een ‘noodpakket banen en economie’ aan met tijdelijke financiële regelingen voor onder andere werkgevers, mkb’ers en zelfstandig ondernemers. Deze maatregelen zijn bedoeld om werkgelegenheid te behouden en inkomens te beschermen.

Read more

02.04.2020 NL law
Stibbe in Amsterdam answers questions from consumers, small business foundations and NGOs about the coronavirus

Inside Stibbe - In a special Q&A (in Dutch), lawyers from our Amsterdam office share their legal expertise and strive to provide answers to questions put to us by consumers, self-employed persons, enterprises large and small, foundations and NGOs as a result of the corona crisis.

Read more

This website uses cookies. Some of these cookies are essential for the technical functioning of our website and you cannot disable these cookies if you want to read our website. We also use functional cookies to ensure the website functions properly and analytical cookies to personalise content and to analyse our traffic. You can either accept or refuse these functional and analytical cookies.

Privacy – en cookieverklaring