New Dutch Privacy Chief Seeks Stability Amid EU Changes

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Stephen Gardner

Oct. 20 — The new head of the Dutch Data Protection Authority is planning a steady course through potentially choppy waters caused by the forthcoming European Union privacy regime changes and Brexit.

Companies doing business in the Netherlands may find some comfort from the approach announced by Aleid Wolfsen, who became chairman of the Dutch Data Protection Authority (DPA) Aug. 1.

The Dutch DPA has started to reflect on its future strategy, and is “thinking about what we want to change, what we want to maintain, but I'm not intending to change policy in the short term,” Wolfsen told Bloomberg BNA at the 38th International Data Protection and Privacy Commissioners' Conference in Marrakesh, Morocco.

The primary immediate task for the Dutch and other European DPAs is preparing for the EU General Data Protection Regulation (GDPR) and an EU directive on law enforcement data protection standards. The GDPR, which replaces the 21-year old EU Data Protection Directive (95/46/EC), is set to take effect May 25, 2018.

“We just started the implementation and that's a huge task. In May 2018 it's coming into force and not only do we have to be ready, all the businesses, everybody has to be ready,” Wolfsen said.

Wolfsen said he is aware he must “fill the empty big shoes” of his predecessor, Jacob Kohnstamm, who was highly active in pushing for European and international privacy standards.

Allied Wolfsen
Low Awareness

Much remains to be done to raise awareness among data processors of the GDPR and the new obligations it will bring, Wolfsen said.

“I don't think the awareness is on the level we want it,” he said. “I don't think that everyone in the public sector, or in the private sector, is aware of all the new details, all the new responsibilities, all the new powers of the data protection authority. I think it's important for us to spread the news.”

He added that the possibility that companies might face high fines for breaching the GDPR would help to focus attention. “Once people become aware of these high fines I think it will be at the forefront of the mind for everyone in the private and public sectors.”

The Dutch DPA gained at the start of 2016 the power to fine companies up to 820,000 euros ($900,000) for failure to report data breaches that carry “a significant risk of serious adverse effects” on data subjects.

The fines are among the highest in the EU, ahead of the entry into force of the GDPR, which will empower DPAs to issue fines of 20 million euros, or 4 percent of a company's total revenues for the most serious offences, including violations of data processing consent, individual privacy rights, international data transfer rules and ignoring orders from privacy regulators.

The relatively high Dutch fines “help us a little bit because as a consequence the awareness of privacy in the private and public sectors is getting stronger,” Wolfsen said.

Complexities of Brexit

On the issue of Brexit, and possible implications in terms of potential relocation of companies from the U.K. to the Netherlands, Wolfsen said it was too early to make judgements.

“I think it is absolutely sure that when the GDPR comes into force, the U.K. will still be a member of the European Union, and that's a complexity in itself. The regulation is immediately enforceable,” making data protection enforcement in the context of Brexit “very difficult for our British colleagues,” he said.

Companies “are now watching what is going on in the U.K.,” Wolfsen added. “Next year is a year of transition. The U.K. will maybe leave the EU at the end of 2018 or the start of 2019. So for companies there is time enough to decide. But there are very difficult decisions for the companies and our colleagues in the U.K. I'm not jealous.”

Privacy Bridges

At the 37th International Data Protection and Privacy Commissioners' Conference in 2015 in Amsterdam, former Dutch privacy chief Kohnstamm set out an international “privacy bridges” project intended to improve understanding between the EU and the U.S. and other jurisdictions on data privacy issues.

The project was aimed at smoothing relationships between different jurisdictions in the light of events such as the invalidation by the European Court of Justice of the U.S.-EU Safe Harbor data transfer framework.

Privacy bridges included recommendations on transparency about government data access requests for law enforcement purposes, standards for data de-identification, provision of clearer information to data subjects about redress options in case of misuse of their data outside their home territory, and development of enforceable corporate accountability programs.

Giving an update on the initiative Oct. 19, Kohnstamm said the privacy bridges still had to go “from theory to implementation,” and funding was being sought for further work, but progress had been limited since the Amsterdam conference in 2015.

By Stephen Gardner

To contact the reporter on this story: Stephen Gardner in Marrakesh, Morocco at correspondents@bna.com

To contact the editors responsible for this story: Donald G. Aplin at daplin@bna.com ; Jimmy H. Koo at jkoo@bna.com

Copyright © 2016 The Bureau of National Affairs, Inc. All Rights Reserved.