New Dutch Law Gives DPA New Enforcement, Fining Powers, Mandates Breach Notification

By Stephen Gardner

June 3 — Data processors operating in the Netherlands will face a significantly tougher enforcement regime starting in 2016, as well as a requirement to provide notification in the event of serious data breaches, under an amendment to the Dutch Data Protection Act that is awaiting royal approval.

The amendment, approved by the Dutch Senate May 26, empowers the Dutch Data Protection Authority (College bescherming persoonsgegevens, CBP) to fine data processors up to 10 percent of their net annual global revenues, capped at 810,000 euros ($913,340), for breaches of the Dutch Data Protection Act.

Wim Nauwelaerts, a partner with Hunton & Williams LLP in Brussels, told Bloomberg BNA June 3 that the powers would “definitely be a big difference” compared to the current situation in which the CBP can issue maximum fines of 4,500 euros ($5,074).

In addition, the CBP “will not be required to send a shot across the bows in all cases,” and won't be obliged to issue a warning to companies in breach of the Data Protection Act prior to issuing fines in cases of infringements arising from deliberate action or gross negligence, Nauwelaerts said.

The act requires royal approval as a formality before taking effect. Merel Eilander, a spokeswoman for the CBP, told Bloomberg BNA June 3 that “there is no official date announced yet for the new law to come into force but we expect it to come into force on Jan. 1, 2016.”

Data Breach Notification

The amendment to the Dutch Data Protection Act will also introduce an obligation for all data processors in the Netherlands to notify the CBP of serious data security breaches, with fines for noncompliance of 10 percent of a data processor's revenues, capped at 810,000 euros ($913,340).

In addition, the amendment will enable the CBP to levy fines of 22,250 euros ($25,086) on companies that process data in the Netherlands but don't designate a local representative, or that allow transfers of data to countries with inadequate data protection regimes.

The amendment leaves it to the CBP to provide guidance on the new enforcement rules once royal approval has been granted.

Eilander said that the CBP was “of course very pleased” that the Dutch Senate approved the amendment to the Data Protection Act, but it expects to make limited use of powers to fine companies without warning for deliberate and negligent breaches.

In most cases, fines would be a “preventative remedy” to back up CBP instructions to data processors to bring their practices into compliance with the Data Protection Act, Eilander said.

The potential for high fines would focus the attention of senior company management on data protection and would “help raise the level of data protection overall,” Eilander said.

To contact the reporter on this story: Stephen Gardner in Brussels at correspondents@bna.com

To contact the editor responsible for this story: Katie W. Johnson at kjohnson@bna.com

The text of the amendment is available, in Dutch, at http://www.eerstekamer.nl/behandeling/20150210/gewijzigd_voorstel_van_wet.

The Dutch Senate's Web page on the amendment to the Dutch Data Protection Act is available, in Dutch, at http://www.eerstekamer.nl/wetsvoorstel/33662_meldplicht_datalekken_en.