Contributed by Vondst Advocaten N.V.
The right to privacy is embedded in Article 10 of the Dutch Constitution. This Article provides for a general right of protection of private life as well as an obligation to lay down rules on data protection. This Article must be interpreted in light of Article 8 of the European Convention on Human Rights and Articles 7 and 8 of the European Charter of Fundamental Rights of the European Union.
In the Netherlands, data protection is regulated by the General Data Protection Regulation (GDPR). The GDPR came into force on 25 May 2018 and regulates the processing of personal data of individuals by imposing obligations on data controllers and data processors.
As a directly applicable regulation, the legal obligations contained in the GDPR have direct effect in the Netherlands without any national implementing measures. However, the GDPR contains a number of derogations that provide EU Member States with discretion to introduce specific derogations on how certain provisions of the GDPR will apply in Member State law.
The Netherlands has introduced such specific derogations in Dutch law through the Dutch General Data Protection Regulation Implementation Act (the ‘Implementation Act’). The Implementation Act repealed the implementation act of the EU Data Protection Directive – the Dutch Data Protection Act. Aside from the enforcement regime set out in the GDPR, the Implementation Act provides for the possibility to impose an administrative enforcement order by the Dutch Data Protection Authority (‘AP’) to enforce obligations laid down by the Implementation Act.
The NIS Directive 2016 regulates the security of network and information systems of operators of essential services and digital service providers, which has been implemented in the Dutch Act on security of network and information systems 2018 (‘Wbni’). Operators of essential services and vital providers are appointed in the Dutch Decision on security of network and information systems (‘Bbni’).
The collection and processing of personal data is also regulated by various specific laws and regulations and certain sectorial laws.
The national data supervisory authority is the AP. The AP is charged with the supervision of the processing of personal data in accordance with the GDPR and the Implementation Act. The AP is competent to perform the tasks and exercise the powers set forth in Articles 57 and 58 of the GDPR. In addition, the Implementation Act provides for the possibility to impose an administrative enforcement order by the AP to enforce obligations laid down by the Implementation Act.
In general, the AP focuses on material personal data breaches. Priority is given to violations that have a big impact on privacy, or to minor violations that affect many data subjects. If the AP finds minor violations, it will often first give a warning, provided the violator can demonstrate good faith and is prepared to improve (for example, by implementing new privacy procedures). In 2018, however, the AP imposed a penalty of EUR 600,000 on Uber for violating the Dutch Data Breach Regulation (based on the former Dutch Data Protection Act). The AP has performed various targeted enforcement actions since the GDPR came into force.
From time to time, the AP announces specific areas of focus. Recent focus has been on the security of personal data, Big Data and profiling, medical data, personal data with the (digital) government and personal data in labour relationships. The AP has announced that personal data breaches that are not notified in accordance with the GDPR are a focus point for 2019.
The Dutch Authority for Consumers and Markets (‘Autoriteit Consument & Markt’, ACM) is charged with the supervision of the Telecommunications Act (direct marketing and cookies). For violations of the Telecommunications Act, the ACM may impose an administrative penalty of up to EUR 900,000 per breach or 10% of the annual turnover of the company in breach, whichever is higher.
In general, the enforcement process starts with a suspicion or a complaint. The regulator can then decide to launch an investigation. The findings of this investigation are recorded in a report (called a statement of objections). The offender is given the opportunity to express their opinion in writing or orally. If the regulator decides to impose a penalty, it will lay down this penalty in a penalty decision. This decision will in principle be published on the website of the regulator.
Within six weeks after the penalty decision, the offender can file an objection with the regulator. During the objection process, the interested parties are given the opportunity to be heard at an oral hearing. The regulator then renders a written decision. The offender can appeal this decision to the District Court and ultimately appeal the judgment of the District Court either to the Administrative High Court for Trade and Industry or to the Administrative Jurisdiction Division of the Council of State.
The Netherlands belongs to the continental law tradition, in which statutory law is the primary legal source. Dutch privacy and data protection law is based on the same sources as Dutch law in general: legislation and other statutes, court practice, parliamentary history and established legal doctrine. As the Netherlands is an EU Member State, the legal framework for privacy and data protection law in the Netherlands is to a significant and continuously growing extent based on European and EU law.
The AP regularly investigates potential violations and often looks for an amicable solution. Generally, the AP tends to impose an administrative order subject to a penalty in the event of non-compliance, allowing companies to end their violation in order to avoid a substantial penalty. After a period of more than 15 years, the AP imposed its first penalty in 2018 (for a violation of the Data Breach Regulations).
The ACM, however, is much more aggressive when it comes to enforcement actions.
In the past 12 months, focus on the GDPR has increased. The AP has performed several targeted enforcement actions, such as investigations into data processing agreements, data protection officers (DPOs), privacy policies at healthcare institutions and political parties and records of processing activities. There have been a limited number of court cases, most of which pertained to the right to be left alone, the right to be forgotten, freedom of speech or the right of access.
The next 12 months will be dominated by further enforcement by the AP, case law on the GDPR and debate on the upcoming e-Privacy Regulation.