
Monday, January 6, 2014

Holland Privacy Outlook 2014

By popular demand, please find below an English version of my earlier blogpost on what 2014 holds in store for privacy compliance in The Netherlands, based on the legislative and enforcement trends in The Hague and Brussels.

2014 is set to become the year for privacy and data protection in The Netherlands. A number of legislative proposals in The Hague and Brussels will significantly change the way businesses operating in The Netherlands have to comply with privacy and data protection laws. Some details still need to be worked out, but one thing is clear: in 2014, businesses operating in Holland need to get serious about privacy and data protection.

First order of business in 2014 is to seriously step up the maturity level of the organization's privacy compliance. The plans in The Hague and Brussels no longer tolerate low levels of privacy compliance. The new name of the game is data lifecycle compliance management. This requires significantly more resources and attention dedicated to privacy and data protection, as personal data need to be protected during their entire lifecycle and mere 'legal compliance' is no longer tolerated.


Privacy Maturity Path to 2015


Here are 6 trends you need to watch this year in order to stay on the right side of privacy compliance:

1. The Dutch Data Protection Authority Gets Power To Fine

The Dutch Cabinet has recently approved a bill which gives the Dutch Data Protection Authority (CBP) the power to fine businesses for violating the Dutch Personal Data Protection Act (WBP). These administrative fines may equal 6th category criminal fines (since January 1st: 810.000 Euro). The fines can be issued for any violation of the WBP. In theory this may lead to cumulative fines (!).

But it may get worse. State-Secretary Teeven, responsible for the WBP, has suggested in Parliament in November that he was about to send a bill to the Cabinet which would contain turn-over related fines. Probably he was referring to another bill which is currently pending in Parliament, which allows for fines of 10% of the annual turn-over if a fine of 810.000 euro would not be fair. It is therefore highly likely that this possibility is included in the CBP fining powers bill.

The bill is expected to become law on January 1, 2015. This would give businesses only 1 year to address their non-compliances to avoid fines next year.

2. Data Breach Notification Law Introduced

Also currently pending in Parliament is a bill requiring data breaches to be notified to the CBP and the data subject. Data breaches must be notified regardless of the amount of personal data breached. The only exceptions are: 1) where the data were encrypted or otherwise made unintelligible to unauthorized users, and 2) where the data breach is a 'trifle'. We don't know yet how the CBP will interpret this last exception, but one may expect that personal data of a more sensitive nature, such as special data and financial data, will not qualify under the exception. It is important to note that data breaches which occur at the data processor's side must be notified by the controller. Processor contracts must contain language which requires processors to notify controllers of data breaches.

Also this bill is expected to become law on January 1, 2015. Businesses should therefore use 2014 to review their security practices as well as their processor contracts and to take a close look at their internal security incident reporting procedures.

3. Safe Harbor and Cloud

In the wake of the Snowden scandal, the European Commission has taken a close look at the Safe Harbor Agreement and has proposed a number of changes. The US has until the summer to implement these changes. If they don't agree, the European Commission may choose to terminate the Agreement.

The problem is that Safe Harbor is widely used to allow data transfers from the EU to the US via cloud services. If the Safe Harbor Agreement is terminated, European cloud customers will need to look for alternatives. One alternative may be to enter into model contracts with the US cloud provider, but these may be difficult to implement in cloud environments. Another way (favored by the European Parliament) may be to use a European cloud service, where the privacy rights of European citizens are respected.

CIOs and legal counsel should therefore use the first half of 2014 to take a close look at their organization's cloud strategy and prepare a back-up plan in case Safe Harbor is terminated this summer.

4. EU Data Protection Regulation

The EU Data Protection Regulation, which is supposed to replace the WBP in 2016, has hit some political trouble, which has caused a delay (most likely until 2015). Although details may change, there is high-level agreement on several key-elements of the Regulation, such as more responsibilities for the controller (especially with regard to compliance management), more rights for the data subject (especially on the internet), requirements for privacy-by-design and privacy impact assessments on new information systems and changes to business processes, steep turn-over related fines (up to 5% according to the Parliament) and restrictions on sharing data with foreign governments.

Given the significant impact of the Regulation on the business, it would be sound policy to start preparing an implementation plan in 2014, as the implementation period of 2 years after adoption of the Regulation will most likely be too short for most companies to review each and every data processing operation and data processor.

5. 2014: The Year of the DPO?

I predict that 2014 will be the year where many organisations in The Netherlands, government bodies and businesses alike, will start looking for a Data Protection Officer (DPO) or even a Chief Privacy Officer (CPO, a DPO at executive level). This would allow such DPO/CPO to start preparing the implementation of the Regulation as well as to fix the most urgent non-compliances before the new fining power of the CBP and the data breach notification law come into force next year.

However, there are not many experienced DPOs around in The Netherlands, let alone experienced CPOs, since most businesses treat privacy compliance as a legal matter, leaving much of the work to law firms. On the other hand, appointing an existing employee as DPO may also not be a good thing, since such an employee would need to be thoroughly trained first in order to acquire the required competencies of a DPO. In such a case, 2014 would be wasted. It is therefore good to know that DPOs may also be hired externally (as a service). Not only would this provide some flexibility (DPOs have protected employment status in The Netherlands and cannot be fired without the court's approval), but it also ensures high-level expertise where time to bring the organization into compliance is limited. In the meantime, the in-house privacy lead may be trained to become a DPO.

6. Cookie law enforcement

The Dutch cookie law (art. 11.7a Telecommunications Act) is also likely to be changed this year. A bill is currently being prepared, which would exempt cookies with low privacy risks, such as first party analytics cookies, from the information and consent requirements. Also this bill is expected to become law on January 1, 2015.

On the other hand, I wouldn't be surprised if the Consumer and Market Authority (ACM), which enforces the Telecommunications Act, would step up its enforcement efforts with regard to the cookie law. Until now, the ACM has given priority to the information requirement by giving warnings to websites, but could very well also start enforcing the consent requirement in 2014.

But the CBP may also enforce the cookie law, as a particular element of the Dutch cookie law is that cookies which track users over multiple websites are considered personal data (unless the party which places the cookie can demonstrate otherwise). In 2013, the CBP already showed concerns about the implementation of the cookie law, especially with regard to the way consent is obtained. Also, the CBP has expressed concerns in cases where analytics cookies are placed by third party analytics providers, such as Google Analytics. In such a case, the CBP requires an agreement similar to a processor agreement to be put in place between the website owner and the analytics service provider. So, I would also not be surprised if the CBP would step up its enforcement actions in 2014 with regard to the cookie law.

I wish you a happy and data-breach-free 2014!
For more info or support, I can be contacted via www.privasense.eu

Friday, June 21, 2013

Why LIBE should not let PRISM get in the way of the GDPR.

Since the news broke about the PRISM program that allows the NSA to gain access to accounts of major US online service providers, work on the General Data Protection Regulation (GDPR) seems to have come to a screeching halt. European politicians, especially Vice-President Reding (JHA) and the members of the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE), are outraged about the secret spying on European citizens and demand safeguards. Officially, the work on the GDPR has been postponed because of the sheer number of amendments tabled by the members of the LIBE committee, but it is hardly surprising that the decision to postpone the vote was taken on the same day the LIBE committee discussed the PRISM scandal. As some call for the (re-)introduction of an anti-FISA clause, PRISM has effectively become part of the GDPR discussion. Others call for the GDPR to be sped up, maybe hoping a new European privacy framework would help stop things like PRISM. But sorting out the PRISM issue could seriously delay the work on the GDPR.

Here are 5 reasons why LIBE should not let PRISM get in the way of the GDPR.

1. Changes should come from diplomats, not legislators.

The US government is not bound to the GDPR. Unfortunately for European politicians this little thing called sovereignty gets in the way. This means that the US government, within the limits of US law, can do whatever it wants with data from Europeans stored in servers located on US territory or services subject to US law. And there is little European legislators can do about it. So, whatever changes to the PRISM program Europe wants, need to be dealt with via the diplomatic channels. Therefore, the center of gravity of any European anti-PRISM activity should be the hallways of Washington DC, not the Parliament building in Brussels.

Also the upcoming talks about the Transatlantic Trade and Investment Partnership (TTIP) could be a great opportunity to discuss the protection of European data in American online services. However, blocking upfront any discussion about common transatlantic data protection standards makes it less likely to reach an agreement on government access to commercial data. The EP committees which deal with these issues are Foreign Affairs (AFET) and International Trade (INTA), not LIBE. So, these committees should step up in the PRISM discussion.

2. The European answer should be economic, not legal.

Let's be fair. The issue is not Americans spying on Europeans. The real issue is the fact that European online services are virtually non-existent in the market, causing most European citizens to use American services like Facebook and Twitter. PRISM is merely a consequence of that fact; a golden opportunity for American security services to snoop on non-Americans.

Therefore, the best way to protect the privacy of European citizens against spying Americans would be to significantly grow the market share of European online services and to offer real alternatives to services coming out of Silicon Valley. This way, Europeans can truly ‘vote with their feet’. The Parliament should call on Vice-President Kroes to lead this work, which would require a little tweak to the European Digital Agenda as the strengthening of European online services is not part thereof. Vice-President Kroes has said that PRISM creates "a golden opportunity for people to make a huge privacy-focussed company" in Europe, but she should actively support this and not wait to see it happen. The lead committee to shape policy which boosts European online services is Industry, Research and Energy (ITRE), not LIBE...

3. An anti-FISA clause will not stop PRISM.

Yes, the Americans were successful in removing the anti-FISA clause from the GDPR draft (see article 42 of the Interservice copy (PDF)). But no, re-introducing this clause will not cause PRISM to stop. Why? Because all such an anti-FISA clause will do is give European data protection authorities the right to fine American online companies, which will be subject to the GDPR pursuant to the extraterritoriality clause of article 3 GDPR. 2% of global turnover should do the trick, you think? Think again. Apart from the sovereignty argument mentioned above, companies generally like to operate in a predictable equilibrium, which is as risk-free as possible. If they cannot evade the power of their own government (except when moving their headquarters), they can evade the power of foreign governments, who disturb their balance by issuing a fine of 2% of their global turnover. If they don’t really need to have an office in that country, they may simply pack up and go. So, if that government wants to collect its fine, it needs to come to their home court to defend its case. And guess who may come running to assist the company in its defense… Sure, there are treaties on judicial cooperation, but all they do is ensure that a local court reviews the case prior to enforcing the foreign government’s claim. And if that claim goes against the national security interests of the court's country, guess which side is likely to win the case. So LIBE shouldn't waste time discussing an anti-FISA clause.

4. The EU has no competence on national security.

Some MEPs want answers whether European security agencies have access to PRISM data to snoop on European citizens. But according to article 4(2) TEU, national security is the sole responsibility of the Member States. This is also reflected in article 3(2) of the Data Protection Directive. So, if MEPs want answers, they should ask their colleagues in the national parliaments to ask these questions for them and get over it. They should spend their time on other matters, such as the GDPR.

And last, but not least…..

5. The (digital) economy needs a new privacy framework ASAP.

The information society is exploding. The rules date back to 1995 and even earlier, when there was no cloud computing, no smartphones, no online services, no smart environments, and no massive security breaches. We simply can’t afford having to spend another three years using the same outdated rules. We also cannot afford having to continue to spend tons of money on lawyers to figure out how to deal with the differences between the laws of two Member States. We need a harmonized European data protection regime as soon as possible to boost (digital) trade and services inside the European Union. We also should get rid of the costly administrative burden of notifying DPAs of data processing operations as soon as possible, as this has no meaningful contribution to the protection of personal data whatsoever. However, we also need a Data Protection Regulation which attributes compliance costs where this is necessary, while still creating meaningful protection for personal data (see also the Council proposal (PDF)).

The LIBE committee should spend its time on really improving consumer privacy rights in Europe and making sure the GDPR is easy to implement in organizations without disproportionate costs, not trying to find a watertight solution within the GDPR for problems like PRISM.


Wednesday, April 16, 2008

Rethinking Privacy 1.0

Ever since the OECD published its Privacy Principles in 1980, the privacy laws around the world have been focusing primarily on protecting personal data in databases. And all those years the fundamentals of privacy have remained the same. The European Data Protection Directive 95/46, which allows personal data to move across borders in Europe, came into force 15 years after the OECD Privacy Principles on which it is based were published, but meanwhile the world had already changed: the Internet had arrived! Only 8 years after the Directive was introduced, on November 6, 2003, the European Court of Justice (Europe's highest court) was confronted with this change in only its second ever case under the Data Protection Directive: Lindqvist vs. Sweden. This case demonstrated the built-in weakness of the European system of data protection: despite the EU's claim to the contrary, the Directive proved to be not very technology-neutral, and therefore not very future-proof. The various actors in the Lindqvist case, such as the Advocate-General and the Member States, tried to do their best to get a legal grip on the facts while trying to preserve the essential elements of the Directive, but eventually the Court reached a surprising and far-reaching conclusion: posting personal data on the Internet, despite the fact that everybody around the world with an internet connection could potentially read the information, does NOT violate one of the key elements of the Directive: the international data transfer rules...!

A second example of my view that today's law is not technology-neutral is Directive 2002/58, a.k.a. the e-Privacy Directive, which specifically addresses privacy in electronic communications. The very first version of this Directive was published in 1997, but already in 2002 it got a complete overhaul. And only 6 years later, the EU is putting Directive 2002/58 up for discussion again, as it is, among other things, trying to address the privacy concerns around Radio Frequency Identification (RFID) technology. So what's next? Bluetooth? GPS? WiMAX? Ubiquitous Computing? Body Area Networks?

In the meantime, governments are trying to broaden their powers to collect information about their citizens and non-citizens in order to prevent terrorism and to combat crime. This is creating a disconnect between the private sector and the public sector, and creates a false impression with the public. Strict privacy rules for the private sector (where privacy risk is relatively low) versus weak privacy rules for the government give the impression that the private sector cannot be trusted. Which is strange, considering the fact that getting and keeping customer trust is a basic element of doing business for the private sector. Screw your customers and you are out of business in no time. On the other hand, weak privacy rules in the public sector are especially damaging if inaccurate or incomplete information is rapidly shared between government agencies or when information is used out of context. But such weak privacy rules give the citizen the false impression that governments have such risks under control. George Orwell's "Big Brother" state may not have arrived yet, but "Little Sister" is already here, and she brought her whole family...!!

We need to rethink privacy in the 21st century!

The world has changed since the OECD introduced its Privacy Principles in 1980. What does privacy mean for us if at the same time we want no terrorism, less crime, better and personalized services, and more convenience? How do we protect privacy in a world that becomes ever more globalized, so that our data end up in data systems on the other side of the world? What does privacy mean for people who come from different cultures and backgrounds? How do we protect our privacy if computers, sensors and communication devices become invisible and ubiquitous? How can we build trust into the technologies that we use? How do we make ourselves feel protected against the risk of identity theft and malicious attacks on our private life? And how do we protect the privacy of people who are vulnerable, such as the elderly, minors and the mentally handicapped, in an inclusive Information Society?

Unlike some other people, I am not saying that privacy is dead, or that it is an illusion in the Information Age in which we live. No, I am saying that we have to go back to the privacy drawing board, re-define the privacy principles for the 21st century, and come up with a new set of privacy principles that fit the new realities of our global society and which are robust enough to survive technological and social change. Principles that enhance trust with consumers and citizens, stimulate innovation and societal development, and protect democratic principles and the rule of law. What we need is Privacy 2.0!

All this and more is the main topic of this blog. I welcome you to comment on my thoughts, so we can get a global discussion started on how to protect privacy in the 30 years to come.