On February 29, 2016, the European Commission published the documents comprising the new EU-U.S. Privacy Shield, the adoption of which we previously covered on our blog. In the Commission’s opinion, the new framework reflects the requirements set forth by the European Court of Justice in the Schrems ruling, which invalidated the U.S.-EU Safe Harbor framework. The Commission’s proposed adequacy decision holds that “the United States ensures an adequate level of protection for personal data transferred from the Union to organisations in the United States under the EU-US Privacy Shield”.

On January 22, 2015, the Netherlands proposed legislation introducing breach notification requirements for critical infrastructure industries, including utilities (electricity, gas and drinking water), telecom, financial services, government (surface-water management bodies) and transport (main ports Rotterdam and Schiphol airport).

The proposed law would require notification in the event of a breach of security or loss of integrity of electronic information systems that are of vital importance to Dutch society (ICT Breaches). Stakeholders have been invited to comment on the Data Processing and Notification Obligation Cybersecurity Act (Wet gegevensverwerking en meldplicht cybersecurity) before March 6, 2015. The bill introduces an obligation to notify the Minister of Security and Justice in the event of an ICT Breach. Notifications would need to be submitted to the Dutch National Cyber Security Centre (National Cyber Security Centrum, the NCSC), a specialized department within the Ministry of Security and Justice.