Monday, January 6, 2014

Holland Privacy Outlook 2014

By popular demand, please find below an English version of my earlier blogpost on what 2014 holds in store for privacy compliance in The Netherlands, based on the legislative and enforcement trends in The Hague and Brussels.

2014 is set to become the year for privacy and data protection in The Netherlands. A number of legislative proposals in The Hague and Brussels will significantly change the way businesses operating in The Netherlands have to comply with privacy and data protection laws. Some details still need to be worked out, but one thing is clear: in 2014, businesses operating in Holland need to get serious about privacy and data protection.

First order of business in 2014 is to seriously step up the maturity level of the organization's privacy compliance. The plans in The Hague and Brussels do no longer tolerate low levels of privacy compliance. The new name of the game is data lifecycle compliance management. This requires significant more resources and attention dedicated to privacy and data protection, as personal data need to be protection during their entire lifecycle and mere 'legal compliance' is no longer tolerated.

Privacy Maturity Path to 2015

Here are 6 trends you need to watch this year in order to stay on the right side of privacy compliance:

1. The Dutch Data Protection Authority Gets Power To Fine

The Dutch Cabinet has recently approved a bill which gives the Dutch Data Protection Authority (CBP) the power to fine businesses for violating the Dutch Personal Data Protection Act (WBP). These administrative fines may equal 6th category criminal fines (since January 1st: 810.000 Euro). The fines can be issued for any violation of the WBP. In theory this may lead to cumulative fines (!).

But it may get worse. State-Secretary Teeven, responsible for the WBP, has suggested in Parliament in November that he was about to send a bill to the Cabinet which would contain turn-over related fines. Probably he was referring to another bill which is currently pending in Parliament, which allows for fines of 10% of the annual turn-over if a fine of 810.000 euro would not be fair. It is therefore highly likely that this possibility is included in the CBP fining powers bill.

The bill is expected to become law on January 1, 2015. This would give businesses only 1 year to address their non-compliances to avoid fines next year.

2. Data Breach Notification Law Introduced

Also currently pending in Parliament is a bill requiring data breaches to be notified to the CBP and the data subject. Data breaches must be notified regardless of the amount of personal data breached. The only exceptions are: 1) where the data were encrypted or otherwise made unintelligible to unauthorized users, and 2) where the data breach is a 'trifle'. We don't know yet how the CBP will interpret this last exception, but one may expect that personal data of a more sensitive nature, such special data and financial data, will not qualify under the exception. It is important to note that data breaches which occur at the data processor's side must be notified by the controller. Processor contracts must contain language which require processors to notify controllers of data breaches.

Also this bill is expected to become law on January 1, 2015. Businesses should therefore use 2014 to review their security practices as well as their processor contracts and to take a close look at their internal security incident reporting procedures.

3. Safe Harbor and Cloud

In the wake of the Snowden-scandal, the European Commission has taken a close look at the Safe Harbor Agreement and has proposed a number of changes. The US have until the summer to implement these changes. If they don't agree, the European Commission may choose to terminate the Agreement.

The problem is that Safe Harbor is widely used to allow data transfers from the EU to the US via cloud services. If the Safe Harbor Agreement is terminated, European cloud customers will need to look for alternatives. One alternative may be to enter into modelcontracts with the US cloud provider, but these may be difficult to implement in cloud environments. Another way (favored by the European Parliament) may be to use a European cloud service, where the privacy rights of European citizens are respected.

CIO's and legal counsel should therefore use the first half of 2014 to take a close look at their organization's cloud strategy and prepare a back-up plan in case Safe Harbor is terminated this summer.

4. EU Data Protection Regulation

The EU Data Protection Regulation, which is supposed to replace the WBP in 2016, has hit some political trouble, which has caused a delay (most likely until 2015). Although details may change, there is high-level agreement on several key-elements of the Regulation, such as more responsibilities for the controller (especially with regard to compliance management), more rights for the data subject (especially on the internet), requirements for privacy-by-design and privacy impact assessments on new information systems and changes to business processes, steep turn-over related fines (up to 5% according to the Parliament) and restrictions on sharing data with foreign governments.

Given the significant impact of the Regulation on the business, it would be sound policy to start preparing an implementation plan in 2014, as the implementation period of 2 years after adoption of the Regulation will most likely be too short for most companies to review each and every data processing operation and data processor.

5. 2014: The Year of the DPO ?

I predict that 2014 will be the year where many organisations in The Netherlands, government bodies and businesses alike, will start looking for a Data Protection Officer (DPO) or even a Chief Privacy Officer (CPO, a DPO at executive level). This would allow such DPO/CPO to start preparing the implementation of the Regulation as well as to fix the most urgent non-compliances before the new fining power of the CBP and the data breach notification law come into force next year.

However, there are not many experienced DPO's around in The Netherlands, let alone experienced CPO's, since most businesses treat privacy compliance as a legal matter, leaving much of the work to law firms. On the other hand, appointing an existing employee as DPO may also not be a good thing, since such employee would need to be thoroughly trained first in order to acquire the required competencies of a DPO. In such case, 2014 would be wasted. It is therefore good to know that DPO's may also be hired externally (as a service). Not only would this provide some flexibility (DPO's have protected employment status in The Netherlands and cannot be fired without the court's approval), but it also ensures high-level expertise where time to bring the organization into compliance is limited. In the meantime, the in-house privacy lead may be trained to become a DPO.

6. Cookie law enforcement

The Dutch cookie law (art. 11.7a Telecommunications Act) is also likely to be changed this year. A bill is currently being prepared, which would exempt cookies with low privacy risks, such as first party analytics cookies, from the information and consent requirements. Also this bill is expected to become law on January 1, 2015.

On the other hand, I wouldn't be surprised if the Consumer and Market Authority (ACM), which enforces the Telecommunications Act, would step up its enforcement efforts with regard to the cookie law. Until now, the ACM has given priority to the information requirement by giving warning to websites, but could very well also start enforcing the consent requirement in 2014.

But also the CBP may enforce the cookie law, as a particular element of the Dutch cookie law is that cookies which track users over multiple websites are considered personal data (unless the party which places the cookie can demonstrate otherwise). In 2013, the CBP has already shown concerns about the implementation of the cookie law, especially with regard to the way consent is obtained. Also, the CBP has expressed concerns in cases where analytics cookies are placed by third party analytics providers, such as Google Analytics. In such case, the CBP requires an agreement similar to a processor agreement to be put in place between the website owner and the analytics service provider. So, I would also not be surprised if also the CBP would step up its enforcement actions in 2014 with regard to the cookie law.

I wish you a happy and data-breach-free 2014 !!
For more info or support, I can be contacted via

No comments: