April 3, 2020

April 03, 2020

Subscribe to Latest Legal News and Analysis

April 02, 2020

Subscribe to Latest Legal News and Analysis

April 01, 2020

Subscribe to Latest Legal News and Analysis

The Dutch Duty to Report Data Leaks

On Feb. 1, 2015, the Dutch House of Representatives voted in favor of a legislative bill introducing a duty to report data leaks.1 The bill, titled Duty to Report Data Leaks and the Expansion of the Administrative Penalty Competence of Dutch Data Protection Authority (Dutch DPA), will amend the Dutch Personal Data Protection Act and the Dutch Telecommunications Act. The bill, which is inspired by the European draft Regulation on General Data Protection,2 has been referred to the Dutch Senate and will only become law if the Dutch Senate votes in favor of it. The Dutch House of Representatives has decided, however, not to wait for the draft Regulation to enter into force, as this will likely not happen before 2016. 3

The legislative bill anticipates the draft Regulation by imposing a duty on organizations to report data leaks to the Dutch DPA and the affected individuals.4 However the bill does differ from the draft Regulation with regards to the scope of the duty to report and the conditions applying to the duty to report. The Dutch House of Representatives considered the draft Regulation too premature to clone its current articles on the duty to report.5 The bill aims to restore overall trust in personal data use, as well as limit the adverse effects of data leaks by imposing administrative fines on the failure to report leaks. The bill addresses organizations of both private and public nature, meaning that both undertakings and governmental agencies are to report data leaks to the Dutch DPA.

The Dutch House of Representatives stated that data leaks, for example caused by theft, loss or hacking, have adverse effects on an individuals’ privacy. The bill, therefore, gives the Dutch DPA increased authority to fine organizations that negligently or recklessly fail to report data leaks. Organizations can be fined up to 810,000 euros or 10 percent of their annual gross sales.6

The bill remains silent on the exact circumstances under which an organization is required to report a leak to the Dutch DPA. This gives organizations some discretion to decide when to report. The Dutch DPA is currently working in cooperation with the Committee of Security and Justice and the Ministry of the Interior and Kingdom Relations to develop threshold criteria as to when leaks should be reported.7

The bill furthermore requires organizations to keep records of all data leaks that they believe pose a serious risk to the affected individuals’ privacy. Therefore, a record of the data leaks that should be reported to the Dutch DPA must be kept by all responsible organizations. At the moment, however, the criteria for reporting those data leaks are still unclear.

On Feb. 24, 2015, the Committee for Security and Justice elaborated on the procedure to be followed with the Dutch Senate.8 The Committee has suggested that the preliminary inquiry take place March 10, 2015, and would like the plenary hearing to be concluded before the Dutch Senate changes due to elections.9 The bill will only become actual law when it passes in the Dutch Senate.


1 Parliamentary Papers Dutch Senate , session year 2014–2015, 33 662, A, p. 1.  

2 Explanatory Memorandum Dutch House of Representatives, session year 2012-2013, 33 662, nr. 3, p. 2. 

3 Explanatory Memorandum Dutch House of Representatives, session year 2012-2013, 33 662, nr. 3, p. 3.  

4 Parliamentary Papers Dutch Senate , session year 2014–2015, 33 662, A, p. 1.  

5 Explanatory Memorandum Dutch House of Representatives, session year 2012-2013, 33 662, nr. 3, p. 3. 

6 Parliamentary Papers Dutch Senate, session year 2014–2015, 33 662, A, p. 4.; Parliamentary Papers Dutch House of Representatives, session year 2014–2015, 33 662, nr. 11, p. 17.  

7 Parliamentary Papers Dutch House of Representatives, session year 2014–2015, 33 662, nr. 11, p. 19.  

8 Agenda Item 2 of the Committee for Security and Justice on Tuesday 24 February 2015, to be consulted on https://www.eerstekamer.nl/commissievergadering/20150224_6.  

9 Brief annotation of the meeting of the Committee for Security and Justice February 24, 2015, to be consulted on http://www.eerstekamer.nl/korteaantekening/20150224_13?dossier=vjashr1my7z6  

©2020 Greenberg Traurig, LLP. All rights reserved.

TRENDING LEGAL ANALYSIS


About this Author

Jacomijn Christ, Greenberg Traurig Law Firm, Amsterdam, Corporate and Environmental Law Attorney
Associate

Jacomijn Christ focuses her practice on corporate and securities matters, real estate, antitrust and environmental. Jacomijn advises on public law aspects in transactions and has experience with regulatory, environmental and real estate related cases.

31020-301-7431
Hans Urlus, Greenberg Traurig Law Firm, Amsterdam, Corporate and Litigation Law Attorney
Shareholder

Hans Urlus coordinates inbound and outbound investments with respect to China and counsels international clients in all aspects of international trade, commercial agency, franchise and distribution, with a focus on EU and national competition law, EU regulatory issues, mergers and acquisitions. He is also involved in litigation and arbitration in relation to these matters. Hans has worked in the regulatory field, including numerous cases involving the introduction of various regulated products into the EU market, and heads the German desk of the firm's Amsterdam office.

Concentrations

  • Corporate law (mergers and acquisitions)

  • Franchise, agency and distribution law

  • Competition law and EU regulatory law

3120-301-7324