On 26 May 2015, the Dutch Senate passed the Bill on Notification of data leaks. The law imposes an obligation on “data controllers” (the persons or entities that determine the purpose of and means for processing personal data) in the Netherlands to notify the Dutch Data Protection Authority (CBP) and affected individuals. The law may require data controllers to update agreements with their data processors to account for breach notice obligations. The law also increases fines for violations of the Dutch Data Protection Act (DPA) to up to €810,000 or 10% of the company’s net annual turnover. Both data controllers and data processors (who may be deemed “accomplices” in the breach) may be subject to the fines.
When will the breach notification requirements enter into force?
It is expected that the majority of the requirements will enter into force on January 1, 2016, but the exact date will be set by a Royal Decree.
What are the notice obligations?
The law will require data controllers to immediately notify the CBP of any security breach that has, or poses a significant risk of having, serious adverse consequences for the protection of personal data. The data controller may also be required to notify the affected individuals if the breach can result in adverse consequences to the individuals’ privacy. Notification of the affected individuals is not required if the data affected by the breach is unreadable or inaccessible by third parties (for example, if the data is encrypted).
What is the definition of a “security breach”?
The new law does not define the term “security breach,” but the term must be understood broadly as a breach of or noncompliance with technical and organisational measures to secure personal data against loss or against any form of unlawful processing (more details on the security measures that need to be implemented are further explained by the CBP in its 2013 guidelines on the protection of personal data).
Under the law, a security breach would encompass situations where there are appropriate security measures in place, but personal data is nevertheless compromised. The law would also apply where, in violation of the DPA, no security measures have been taken and personal data is compromised. It may include technical or organisational failures, including human errors, and conscious human behaviour, such as theft or hacking. Once a data controller has established that an event qualifies as a “security breach,” the next step is to determine whether such breach has or is likely to have serious adverse consequences for the protection of personal data. If that is the case, the data controller will need to notify the CBP and, possibly, the affected individuals.
What is the definition of “adverse consequences”?
The Dutch government has indicated that at least the following factors must be taken into account in assessing whether a breach has or is likely to have serious adverse consequences (thus requiring notification):
- the nature and scope of the breach;
- the nature of the compromised personal data;
- to what extent technical measures of protection were in place to protect the data; and
- the possible consequences for the privacy of the affected individuals.
The CBP will publish guidelines further detailing when the CBP and affected individuals must be notified.
What is the timing of the notification requirement?
The law requires the notification to both the CBP and, if necessary, the affected individuals “without delay” (onverwijld). This requirement is understood to provide the data controller with the opportunity to investigate the breach, consider the measures it should take and decide how to communicate this to the CBP and the individuals concerned. The specific circumstances of the breach will dictate what is considered to be “without delay.”
The Dutch government has regularly referred to legislation at a European level which provides for more specific time periods. For example, in the context of the existing breach notification obligations that govern public electronic communication services (which in the Netherlands are implemented in the Dutch Telecommunications Act), the European Commission requires the notification of relevant authorities no later than 24 hours after the detection of a personal data breach (if feasible). The draft EU General Data Protection Regulation also introduces a breach notification obligation, with an expected 24- to 72-hour notification requirement.
The CBP will publish guidelines in which notification deadlines will be further specified.
What information must be included in a notification?
A notification to the CBP must contain at least:
- the nature of the breach;
- where further information on the breach can be obtained;
- the recommended measures to mitigate the negative consequences of the breach;
- technical details on the data breach; and
- the actual and expected consequences of the breach as well as the way in which the data controller has dealt with or intends to deal with these consequences.
A breach notice provided to affected individuals – if required – must at least contain the information listed in the first three bullet points above.
The law provides that additional rules regarding the notification (for example, a form or certain format which is to be used for the notification) can be adopted by means of governmental decree.
What are the requirements for maintaining a register for security breaches?
The new law requires data controllers to maintain an internal data breach register that contains a record of all breaches the controller has experienced that have or may have serious adverse consequences for the protection of personal data. The law includes additional requirements for the types of information that the register must include.
What are the requirements for data processor agreements?
The new law would require data controllers to update agreements with their data processors to ensure that data processors comply with (i.e., assist data controllers in complying with) the data controller’s obligations to provide notice of security breaches. Existing data processor agreements will most likely need to be amended before the law enters into force to make sure this new condition is met.
What are the higher fines?
Under the new law, the CBP will have the authority to impose administrative fines ranging from €20,250 for relatively minor violations of the DPA to €810,000 for more serious violations. If the maximum fine is not deemed to be a suitable punishment, the CBP may also impose an administrative fine equal to 10% of the net annual turnover of the company in the preceding year. The law sets out specific circumstances in which the maximum fine may be imposed, but the imposition of the maximum fine requires the CBP to give the offender a warning to rectify the breach, a so-called “binding instruction.”
Who may be subject to fines?
Generally, it is the data controller that is required to comply with the DPA and is as a result subject to sanctions. Under the new law, however, a data processor may be deemed an “accomplice” and as a result be subjected to the CBP’s sanctions. Company executives may also be liable under the law.
Relation to the EU General Data Protection Regulation
In view of the increasing number of security incidents involving personal data, the Dutch government did not want to wait for the EU General Data Protection Regulation (which also contains a data breach notification duty) to be adopted. The law is a precursor to the EU General Data Protection Regulation and will apply until the regulation comes into force. This is not expected to occur before the end of 2017.