Where: The Netherlands
When: 1 January 2016
Law stated as at: 1 January 2016
Introduction of a data security breach notification and higher fines in the Dutch Data Protection Act
The final word on the General Data Protection Regulation (GDPR) is out*, but the Dutch legislator did not wait for its European counterpart and approved new legislation on 26 May 2015. This new legislation amends the Dutch Data Protection Act (Wet bescherming persoonsgegevens) (WBP) and became effective on 1 January 2016. The main changes are:
- the introduction of a data security breach notification obligation for data controllers;
- higher fines; and
- a name change of the Dutch Data Protection Authority (DPA) (from College Bescherming Persoonsgegevens to Autoriteit Persoonsgegevens). These amendments to the WBP emphasise the increased importance of data protection compliance for companies operating in the Netherlands.
What is a data security breach?
Not every security breach requires a notification to the DPA. Notification to the DPA is only required when the data security breach has – or may have – serious detrimental consequences on the protection of personal data. The new law does not define serious detrimental consequences. Instead, the DPA has provided guidelines for data controllers to determine the consequences of a security breach. The nature of the breach, the number of data subjects and the sensitivity of the personal data are important factors when determining the consequences of a security breach. In the event a data security breach involves sensitive data, a data controller should assume that a notification to the DPA is required.
Examples of sensitive personal data are personal health data, data on race, sexual orientation and financial information, the combination of a username and password and passport details. Even if the data security breach only concerns one data subject, a notification may still be required if the nature of the breach demands this.A data security breach requires immediate notification to the DPA. In the guidelines to the data security breach notification the DPA specifies that notification must be done without undue delay and (if possible) no later than 72 hours after the breach. This requirement is based on the data security breach notification in the GDPR. The DPA made available an online notification form on its website. The form allows the data controller to alter and update the notification. The notification register is not made public by the DPA for obvious confidentiality and security reasons.
When to notify the data subjects?
Companies that fall within the scope of the Dutch Telecommunications Act (Telecommunicatiewet) (TA) are already subject to a data security breach notification obligation in relation to the loss of customer data. If the data security breach includes both customer and employee data, two separate notifications are required. One notification is based on the TA for customer data and the other based on the WBP for employee data. Moreover, financial institutions that fall within the scope of the Dutch Financial Supervision Act (Wet financieel toezicht) are exempt from the notification to data subjects based on the WBP. Financial institutions are obligated to inform data subjects based on their general duty of care.
The data security breach notification is a relatively new concept for most companies in the Netherlands. Companies will have to further protect themselves against data security breaches and put in place processes to adequately respond to the DPA and data subjects when a data security breach occurs. Encryption and hashing of personal data are recommended security measures to minimise the harm resulting from data security breaches. Failure to notify or otherwise comply with the WBP can have serious financial and reputational consequences for companies. These financial and reputational risks will increase even further once the GDPR comes into force.
Why this matters:
Failing to notify the DPA or data subjects of a data security breach is considered a breach of the WBP and is subject to penalties. On 1 January 2016 the maximum penalties for breaching the WBP increased from € 4,500 to € 820,000. In practice, the DPA will first impose a binding instruction ordering to remedy a breach. If such binding instruction is not followed, the DPA may impose a penalty up to a maximum of € 820,000 or 10% of annual turnover in the previous year if the penalty of € 820,000 is deemed insufficient. When imposing a penalty the DPA takes into consideration all relevant facts and circumstances including the nature and scope of the breach, duration of the breach and privacy impact on the general public and/or data subjects.
Are there any exceptions to the notification requirements?
If data subjects need to be informed, this must be done immediately. However, data controllers may take some time to assess the nature and scope of the breach, taking into account that data subjects should be able to protect themselves against further harm resulting from the breach. When notifying data subjects, companies should at least include: (i) information on the scope of the breach; (ii) contact details the data subject can reach out to; and (iii) recommended measures data subjects should take to protect themselves against the breach.
If a data controller has taken adequate technical and organisational measures to protect the personal data of data subjects, the data controller may decide not to inform the data subjects of the data security breach. Measures that may qualify as adequate security measures include encryption and hashing of personal data. Ultimately, it is up to the data controller to assess whether the security measures are adequate enough to conclude that the data security breach did not have unfavourable consequences for the privacy of the data subject. Practice will tell how many companies are willing to take this risk. Although dependent on the scope of the breach, it is likely that companies will take a better-safe-than-sorry approach and also inform data subjects (even where there is no strict legal obligation).
Notification to the DPA does not automatically mean that the data subject must also be informed of the data security breach. Data controllers need to separately assess whether such notification is necessary. This is the case if the data security breach is likely to have unfavourable consequences for the privacy of the data subject. Examples of such unfavourable consequences are the loss of a username name and password or other sensitive information that may lead to material and/or immaterial damages. The notification will allow the data subject to protect itself against (further) unlawful processing of its personal data, for example by changing its password.
When to notify the DPA?
For a data security breach to occur there first has to be a security incident. Examples of security incidents are the loss of a USB-stick or the hacking of a computer system. Not all security incidents will lead to a data security breach. A data security breach under the WBP only occurs if the security incident results in: (i) the loss of personal data; or (ii) unlawful processing of personal data.
*On 15 December 2015 an agreement was reached on the wording of the GDPR. Although this version still needs to be formally adopted by European Parliament and Council, the widespread consensus is that this will happen early 2016. Once adopted the GDPR will enter into force after a two-year transition phase.