On 26 May 2015, the Dutch Senate passed the Bill on Notification of data leaks (Wetsvoorstel Meldplicht datalekken en uitbreiding bestuurlijke boetebevoegdheid Cbp, the Bill). The Bill introduces a duty for data controllers in the Netherlands to notify a breach of security measures protecting personal data to the Dutch Data Protection Authority (College bescherming persoonsgegevens, CBP). In addition, fines for violations of the Dutch Data Protection Act (Wet bescherming persoonsgegevens, DPA) will significantly increase. Failure to comply with the rules may lead to fines of up to € 810,000 or 10% of the company’s net annual turnover.
1 | When will the Bill enter into force?
As a result of the Bill, the DPA and the Dutch Telecommunications Act (Telecommunicatiewet) will be amended and supplemented. It is expected that the (majority of the) changes will enter into force on 1 January 2016, but the exact date will be determined by means of Royal Decree.
2 | The obligation to notify a breach of security measures
In order to address and mitigate the consequences of the increasing number of security incidents involving personal data, the Bill introduces an obligation for data controllers to notify the CBP immediately of any breach of security measures that has, or poses a significant risk of having, serious adverse consequences for the protection of personal data. In addition, the data controller may also be required to notify the individuals whose personal data are compromised if the breach is likely to have adverse consequences for those individuals’ privacy. Notifying the individuals is not necessary if the compromised data are incomprehensible or inaccessible to third parties (for example, because the data were encrypted and the decryption key was not itself compromised).
3 | What constitutes a ‘breach of security measures’ and when will a breach be deemed to have ‘serious adverse consequences’?
The term ‘security measures’ in the Bill refers to the existing obligation for data controllers under the DPA to implement appropriate technical and organisational measures to secure personal data against loss or against any form of unlawful processing. These security measures have been further detailed by the CBP in its 2013 guidelines on the protection of personal data.
There is no definition of a ‘breach of security measures’, but according to the explanatory notes to the Bill the term must be understood broadly. It covers situations where appropriate security measures were in place but personal data were nevertheless compromised, as well as situations where, in violation of the DPA, no security measures had been taken and personal data were compromised. A breach may result from technical or organisational failures, including human error, or from deliberate conduct, such as theft or hacking.
Once a data controller has established that an event qualifies as a ‘breach of security measures’, the next step is to determine whether such breach has or is likely to have serious adverse consequences for the protection of personal data. If that is the case the data controller will need to notify the CBP (and possibly the individuals whose personal data it concerns).
The Bill does not specify how a data controller must determine whether a breach is serious, but in its response to parliamentary questions the Dutch government has indicated that at least the following factors must be taken into account when assessing whether a breach has or is likely to have serious adverse consequences:
- the nature and scope of the breach;
- the nature of the compromised personal data;
- to what extent technical measures of protection were implemented; and
- the possible consequences for the privacy of the individuals concerned.
The CBP will publish guidelines in which it will be further detailed when a ‘breach of security measures’ will need to be notified.
4 | What is the timing for notification?
The Bill provides that the notification to both the CBP and, if necessary, the individuals whose personal data is compromised must be made ‘without delay’ (onverwijld). The Dutch government preferred to include this criterion over a fixed time period. This provides the data controller with the opportunity to investigate the breach, consider the measures it should take and decide how to communicate this to the CBP and the individuals concerned. According to the Dutch government it will depend on the specific circumstances of the case at hand what is considered to be ‘without delay’.
The Dutch government has regularly referred to legislation at the European level which does contain more concrete time periods. In the context of the existing obligation for providers of public electronic communications services to notify data breaches (implemented in the Netherlands in the Dutch Telecommunications Act), the European Commission has provided that providers must notify the competent authority no later than 24 hours after detecting a personal data breach (where feasible). The EU General Data Protection Regulation also introduces an obligation to notify data breaches: the first draft of the regulation contained a 24-hour deadline, but the Council of Ministers and the European Parliament have proposed 72 hours. Even though the Dutch government has not explicitly indicated that it will apply these limits, we consider it quite possible that similar time periods (24 to 72 hours) will be applied under the Bill.
The CBP will publish guidelines in which these deadlines will be further specified.
5 | What information must be included in a notification?
As set out above, a data controller may be required to notify the CBP and, if necessary, the data subject. A notification towards the CBP must at least contain information on:
- the nature of the breach of the security measures;
- where further information on the breach can be obtained;
- the recommended measures in order to mitigate the negative consequences of the breach;
- technical details on the data breach; and
- the actual and expected consequences of the breach as well as the way in which the data controller has dealt with or intends to deal with these consequences.
If a data controller is required to also notify the individuals whose personal data are compromised, such notification must at least contain the information listed in the first three bullet points above.
The Bill provides that additional rules regarding the notification (for example, a prescribed form to be used for the notification) can be adopted by governmental decree.
It is anticipated that it will be difficult to provide the CBP and the data subjects with all required information within the applicable time periods. We therefore recommend that data controllers in the Netherlands have a data breach response plan in place setting out what needs to be done, and which parties need to be involved, in the event of a breach of security measures.
6 | Maintaining a register for breaches of security measures
The Bill introduces an obligation for data controllers to maintain an internal data breach register in which they record all breaches of security measures they have experienced that have or may have serious adverse consequences for the protection of personal data. The most important items to include in this register are information on the nature of the breach, the measures taken to mitigate its consequences and the text of the notifications that have been sent to data subjects.
7 | Data processor agreements
Currently, the processing by a data processor on behalf of a data controller needs to be governed by an agreement and, for evidentiary purposes, the part of the agreement regarding the protection of personal data and security measures needs to be put in writing (the data processor agreement).
The Bill provides that the data controller is required to make sure that the data processor also complies with the obligation the data controller has to notify a breach of security measures. As a result this obligation for the data processor will need to be explicitly included in the data processor agreement. Therefore, existing data processor agreements will most likely need to be amended before the Bill enters into force to make sure this new condition is met.
8 | Higher fines
The CBP will be able to impose administrative fines ranging from € 20,250 for relatively minor violations of the DPA to € 810,000 for more serious violations. If the maximum fine is not deemed to be a suitable punishment, the CBP may instead impose an administrative fine of up to 10% of the company’s net annual turnover in the preceding year.
The maximum fine of € 810,000 may be imposed for breaches of various obligations, including, but not limited to, a breach of the obligation:
- to properly and carefully process personal data;
- to collect personal data for specific, explicitly defined and legitimate purposes;
- to have a legitimate processing ground justifying the processing of personal data;
- to not process personal data in a way incompatible with the purposes for which the personal data has been obtained;
- to implement appropriate technical and organisational measures to secure personal data against loss or against any form of unlawful processing;
- to not process sensitive personal data, unless an exception applies;
- to provide the relevant data subject(s) with fair processing information; or
- to comply with the provisions relating to the transfer of data to countries outside the European Union.
The maximum fine may in principle only be imposed after the CBP has first given the offender an instruction to rectify the breach, a so called ‘binding instruction’ (bindende aanwijzing).
9 | Who may be subject to fines?
Generally it is the data controller (the person or entity which determines the purpose of and means for processing personal data) which is required to comply with the DPA and as a result subject to sanctions.
If a data controller has outsourced (part of) its processing activities to a data processor, until now it has generally been assumed that the data processor would not be subject to sanctions for violations of the DPA, as the data controller is ultimately responsible. However, in its response to parliamentary questions the Dutch government has now explicitly stated that a data processor may qualify as an accomplice (medepleger) and as a result be subject to the CBP’s sanctions.
In addition, the Dutch government has explicitly stated that, even though the data controller primarily bears the rights and obligations under the DPA and should therefore be the main subject of the CBP’s sanctions, directors of a data controller (a legal entity) may also be sanctioned. This requires that the directors ordered the prohibited conduct or failed to take steps to prevent it. The Dutch government also points out (albeit in cautious, indirect terms) that a provision in an employment agreement under which the legal entity indemnifies a director for such conduct may well be void (nietig).
10 | Relation to the EU General Data Protection Regulation
In view of the increasing number of security incidents involving personal data, the Dutch government did not want to wait for the EU General Data Protection Regulation (which also contains a data breach notification duty) to be adopted. The Bill is a precursor to the EU General Data Protection Regulation and will apply until the regulation comes into force. This is not expected to be before the end of 2017.