The Privacy, Data Protection and Cybersecurity Law Review: Netherlands
Data protection and data security are key areas for our increasingly digital society and the digital transformation that organisations and their products, services and business models undergo. Both areas have seen significant legal development over the past two years following the entry into force of key European legislation such as the General Data Protection Regulation (GDPR) and the Security of Network and Information Systems Directive (the NIS Directive).
The GDPR applies in the Netherlands, as supplemented by the General Data Protection Regulation Implementation Act (the Dutch Implementation Act) and various sector-specific legislation relating to the processing of personal data.
This chapter provides a pragmatic overview of the current legal landscape in the Netherlands and related key legal developments over the past year, including enforcement actions by the Dutch Data Protection Authority (the Dutch DPA).
The year in review
It has been a tumultuous year in the Netherlands, with data protection- and security-related news frequently being the subject of press coverage and public discussion. Major incidents such as the discriminatory and unlawful processing of (dual) nationalities by the Tax and Customs Administration have been widely covered by the media.
The year 2019 saw a shift in public opinion in the Netherlands on big tech, and politicians have been picking up on the sentiment. At the end of 2019, a series of 10 highly critical articles in the Dutch Financial Times dominated the debate. Growing concerns were voiced about the use of big tech's cloud services where personal data is concerned; for example, Dutch healthcare providers' intention to start using Google cloud services led to public criticism. In the private sector we are seeing calls for more cooperation between enterprise customers of the big tech suppliers, to create more leverage in commercial and legal negotiations. Overall, government and thought leaders remain pro-innovation and pro-tech, but alleged abuses of market power by big tech companies are being contested and tested against the key principles underlying existing regulation.
The year 2018 can be considered a transitional year for the Dutch DPA and organisations, both preparing for the entry into force of the GDPR. In 2019, however, the Dutch DPA put the pedal to the metal. As demonstrated by the enforcement actions discussed throughout this chapter, the Dutch DPA does not shy away from using its enforcement powers. It conducted a total of 110 investigations – a significant increase compared to the 20 investigations initiated in 2018. The Dutch DPA also imposed several fines on organisations. In July 2020, for example, the Dutch DPA imposed a record fine of €830,000 on the Dutch Credit Registration Bureau for non-compliance with the right to access.
Enforcement by the Dutch DPA is often initiated following complaints made by data subjects, current affairs brought to public attention by politicians, or the results of investigative journalism. Data subjects continue to find their way to the Dutch DPA with complaints. In its annual report for 2019, the Dutch DPA notes that it received almost 28,000 complaints from individuals, an increase of 79 per cent over the number of complaints received in 2018.2 The Dutch DPA notes that most complaints concerned a violation of a data subject's right, such as the right of access and the right to erasure. Organisations are, therefore, recommended to implement robust data subjects' rights processes and handle requests with due care.
In its agenda for 2020–2023, the Dutch DPA has specified that it will focus its enforcement efforts specifically on data brokering and on the use of artificial intelligence and algorithms.3 Within data brokering, the Dutch DPA will concentrate on the internet of things, where it hopes to increase the use of standards and certification; on profiling, where it will focus on enforcement; and on behavioural advertising, where it will stimulate the creation of codes of conduct and enforce them actively. The call for supervision of AI and algorithms is growing among politicians and in Dutch society. Within AI, the key focus will be the development of a regulatory framework that the Dutch DPA will use for its supervision of AI. In February 2020, the Dutch DPA published its vision for enforcement relating to AI.4
i Privacy and data protection legislation and standards
The processing of personal data in the Netherlands is primarily governed by the GDPR and the Dutch Implementation Act, which includes exemptions and limitations as allowed by the GDPR.5 Examples of where the Dutch Implementation Act deviates from the GDPR include additional conditions relating to the processing of genetic data, biometric data, data concerning health and criminal convictions and offences, and exemptions to data subjects' rights obligations in certain specific cases as discussed throughout this chapter.
In July 2020, a public consultation was concluded for the prospective Data Protection Collective Act. The Act's purpose is to amend the Dutch Implementation Act, and update various Dutch laws to promote further consistency with the GDPR. Proposed amendments include further specification of conditions under which biometric data may be processed and an exemption to the prohibition to process special categories of personal data if the processing is necessary for an audit required by law to be performed by an accountant. The Act is still subject to the legislative process and is expected to enter into force in 2021.
As further discussed below under specific regulatory areas, various sector-specific laws also provide rules on the processing of personal data (e.g., in the financial, telecoms and healthcare sectors).
ii General obligations for data handlers
The main obligations of controllers and processors are set out in the GDPR.
From time to time, the Dutch DPA issues guidance on specific aspects of the GDPR and data protection in general. For example, the Dutch DPA published a FAQ and a checklist with regard to the legal grounds for processing, and also provided specific guidance on the legal ground of legitimate interest.6 The Dutch DPA has a strict view on the use of legitimate interest as a legal ground: merely serving purely commercial interests, profit maximisation, following the behaviour of employees without (legitimate) interest or the (buying) behaviour of (potential) customers do not constitute legitimate interests. This point of view seems stricter than that of other supervisory authorities and previous guidance by the Article 29 Working Party. While this form of guidance from the Dutch DPA is not legally binding, the Dutch DPA will likely take this interpretation into account in its supervisory and enforcement decisions.
iii Data subject rights
Pursuant to Chapter III of the GDPR, data subjects have the rights of access, rectification, erasure, restriction of processing and data portability, the right to object, and the right not to be subject to a decision based solely on automated processing, including profiling. The Dutch Implementation Act provides exemptions to data subject rights for all matters set out in Article 23(1) GDPR. Other exemptions apply to processing solely for journalistic purposes or for the purpose of academic, artistic or literary expression, and to automated decision-making (excluding profiling) where this is necessary for compliance with a legal obligation or for the performance of a task carried out in the public interest. Finally, the right to object does not apply to public registers established by law, and the rights of access, rectification and restriction do not apply to public registers provided that special procedures for exercising these rights are established by other laws.
The right of access is the most exercised right and is used for various purposes, including pseudo-discovery in legal proceedings, often in the context of employment disputes. An interesting development is the proceedings initiated before the District Court of Amsterdam by two British Uber drivers in July 2020. The claimants requested the court to order Uber to provide full access to their data and transparency about the algorithms used by Uber, so that they can assess whether Uber creates hidden driver profiles with performance classifications. The outcome of these proceedings may be relevant for the scope of the right of access, particularly with respect to how much information must be provided about algorithms used for automated decision-making. In July 2020, the Dutch DPA imposed a record fine of €830,000 on the Dutch Credit Registration Bureau (BKR) for non-compliance with the right of access: BKR had refused to act on data subjects' access requests and had charged a fee for digital access to their data.7
iv Specific regulatory areas
In addition to the GDPR, various sector-specific laws and regulations contain rules relating to the processing and security of data. These include:
- telecoms: the processing of traffic and location data under the Telecommunications Act;
- healthcare: the processing of personal data concerning health under the Medical Treatments Contracts Act and the Act on Additional Provisions for the Processing of Personal Data in Healthcare;
- energy: the processing of personal data relating to energy use, including smart meters, under the Electricity Act and Gas Act and related subsequent legislation;
- law enforcement and judiciary: such as the processing of personal data under the Act on Police Records and the Judicial Data and Criminal Records Act; and
- financial institutions: as further discussed below.
v Financial sector
Many rules applicable to financial institutions originate from EU law, either directly (such as MiFIR) or via implementation of directives such as CRD IV and AMLD into the Financial Supervision Act and the Money Laundering and Terrorism Financing Prevention Act and subsequent regulations. These regulations contain a wide range of data and security related topics, such as retention and reporting obligations under MiFID II/MiFIR, requirements relating to cloud outsourcing under the EBA guidelines and obligations to use two-factor authentication under PSD II. The Financial Supervision Act mandates extensive policies and procedures with respect to business continuity, disaster recovery and information security that are generally applicable to all regulated financial undertakings, including consumer credit providers and advisers and offerors of financial products.
Credit institutions, operators of trading venues (regulated markets, MTFs and OTFs) and central counterparties are designated as essential services providers under the NIS directive (as implemented into Dutch law) with respect to the offering and settlement of payment and securities transactions. Incident notification obligations under the Security of Network and Information Systems Act generally apply in addition to incident notification requirements under the Financial Supervision Act and the GDPR. With respect to data breaches under the GDPR, the Dutch Implementation Act stipulates that financial undertakings that are subject to the Financial Supervision Act are exempted from the obligation to communicate personal data breaches to data subjects.
Information and cybersecurity and use of (client) data are important topics in the supervisory policies of the financial regulators Authority for the Financial Markets and the Dutch Central Bank. Both supervisors regularly publish guidance and good practices, such as the 'Principles of Information Security' from the Authority for the Financial Markets and the 'Information Security Monitor' from the Dutch Central Bank.
vi Public registers
In certain specific situations, Dutch law provides that personal data must be included in public or semi-public registers. Examples are the Dutch Credit Registration Bureau, the registers for board and supervisory board members of certain financial institutions with the Authority for the Financial Markets and registers of the Employee Insurance Agency. In addition, the register of the Chamber of Commerce may include personal data relating to a person's business or employment. Furthermore, effective 27 September 2020, most Dutch non-listed companies are required to register their ultimate beneficial owners (UBOs) with the Chamber of Commerce. This obligation under the UBO Register (Implementation) Act follows from the AML Directive. The UBO register will be public, but the Chamber of Commerce may be requested to shield the identity of a UBO in special circumstances, for example if the shareholder is a minor or is under police protection.
The covid-19 pandemic has reignited attention to workplace privacy as the pandemic introduced a need for organisations to process personal data (including data concerning health) in light of the challenges brought by the pandemic. Such challenges include the processing of health data of employees or visitors, secure remote working and videoconferencing.
In March 2020, the Dutch DPA first communicated a lenient approach on enforcing data protection obligations during the pandemic, enabling organisations to focus their resources on combating the pandemic. Throughout the pandemic, the Dutch DPA has actively published guidance on various topics, including:
- privacy aspects of videoconferencing apps;
- secure remote working;
- the permissibility of temperature checks of employees and visitors;
- anonymity of aggregated telecommunication data; and
- contact tracing apps.
viii Technological innovation
Internet of things
Given the rise in the use of smart devices and connected cars, it is not surprising that the internet of things is a key focus area in the enforcement agenda of the Dutch DPA. In particular, the Dutch DPA voiced concerns about the security of smart devices and the detailed view of an individual's personal life that the collected data may give. In June 2019, the Dutch DPA published practical guidance for data subjects relating to the purchasing, installation and use of smart devices.8 In March 2020, the Dutch DPA published practical guidance for data subjects on the purchasing, using, selling and renting of connected cars.9
The processing of biometric data has received considerable attention in the Dutch press. Under the Dutch Implementation Act, biometric data may be processed if it is necessary for authentication or security purposes. In August 2019, the District Court of Amsterdam issued a decision following a request by an employee of a retail company, Manfield Schoenen BV.10 The employee refused to provide fingerprints to the employer for authorisation to operate a cash register. The court ruled that Manfield could not oblige the employee to use a finger-scan authorisation system unless it was able to demonstrate that the use of this system was necessary and complied with the principles of proportionality and subsidiarity. Manfield failed to do so and the court upheld the employee's choice not to provide finger scans. Following this decision, the retail company HEMA decided to suspend its use of finger scans for authentication purposes.
In April 2020, the Dutch DPA imposed a fine of €725,000 against an unnamed company for the unlawful processing of biometric data to monitor employee attendance, and for time recording.11 The Dutch DPA concluded that the company failed to demonstrate:
- that it had obtained valid consent (which is only available in exceptional cases in an employment context); and
- that the processing of biometric data was necessary in this case. The company challenged the decision to impose a fine in court, and the ruling is pending.
Following signs that supermarkets were interested in using facial recognition, the Dutch DPA reminded supermarkets of the rules for facial recognition in a letter published in June 2020.12 By providing information and intervening where necessary, the Dutch DPA intends to prevent supermarkets from unlawfully using facial recognition. A related interesting development is the use of artificial intelligence and machine learning to create deepfakes: fabricated media in which an individual in an existing image or video is replaced with another individual's likeness.
In the Netherlands, the use of cookies and similar technologies that are not strictly necessary is generally subject to explicit consent under the Telecommunications Act. Cookie compliance continues to be of interest to the Dutch DPA and the Authority for Consumers and Markets. In December 2019, the Dutch DPA published the outcome of an investigation into the use of tracking cookies.13 Of the 175 websites investigated, half used tracking cookies without meeting the consent requirements. The Dutch DPA stressed that the following methods of obtaining consent for tracking cookies are non-compliant:
- a failure to indicate preferences, or inactivity;
- continuing to navigate the website; or
- pre-checked boxes.
The Dutch DPA also reiterated its position that websites that only provide access if the visitor consents to the placing of tracking cookies (cookie walls) are not compliant with the GDPR, as they do not offer data subjects a free choice.
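The three non-compliant methods listed above translate into a concrete implementation rule for a consent banner. The following is an added example, not code from the chapter, the Dutch DPA or any particular website: a small consent gate, runnable under Node without a browser DOM, that loads non-essential tracking only after a deliberate click in which the visitor actively ticked the box (a box that was pre-ticked when shown is disregarded), ignores scrolling, navigation and inactivity, keeps a timestamped record of every choice so that consent can be demonstrated, offers withdrawal, and never blocks page content. The category names, the banner event shapes and the `loadTracker` callback are assumptions.

```javascript
// Added example (not from the original chapter or from the Dutch DPA).
// Consent gate for non-essential cookies: tracking is loaded only after an
// explicit affirmative choice; defaults, inactivity and navigation never count.
// Category names, event shapes and the loader callback are assumptions.

const NON_ESSENTIAL = ['analytics', 'advertising']; // assumed cookie categories

function createConsentGate(loadTracker, now = () => new Date().toISOString()) {
  // Default state: nothing granted, nothing loaded, no consent record.
  const granted = Object.fromEntries(NON_ESSENTIAL.map((c) => [c, false]));
  const loaded = new Set();
  const records = []; // every choice and withdrawal, so consent can be demonstrated

  function apply(next, action) {
    for (const cat of NON_ESSENTIAL) {
      granted[cat] = Boolean(next[cat]);
      if (granted[cat] && !loaded.has(cat)) {
        loaded.add(cat);
        loadTracker(cat); // tracking code is only ever loaded after a valid opt-in
      }
      // On withdrawal the caller must also stop the already-loaded tracker and
      // clear its cookies; this gate only controls loading and the consent state.
    }
    records.push({ at: now(), action, granted: { ...granted } });
  }

  return {
    // Banner events. Only a deliberate click on the banner's submit control is a
    // choice; scroll, navigation, dismissal and timeouts leave the default state.
    handleEvent(event) {
      if (event.type !== 'click') return { ...granted };
      const next = {};
      for (const cat of NON_ESSENTIAL) {
        const box = event.boxes && event.boxes[cat];
        // A box counts only if it is ticked now AND was not pre-ticked when shown.
        next[cat] = Boolean(box && box.checked && !box.initiallyChecked);
      }
      apply(next, 'choice');
      return { ...granted };
    },
    // Withdrawal must be as easy as giving consent: one call, no conditions.
    withdraw() {
      apply({}, 'withdraw');
      return { ...granted };
    },
    isGranted(cat) { return Boolean(granted[cat]); },
    // No cookie wall: page content is available whatever the consent state.
    contentAccessible() { return true; },
    records() { return records.slice(); },
  };
}

// Walk-through over a constructed sequence of banner events.
function demo() {
  const loadedTrackers = [];
  const gate = createConsentGate((cat) => loadedTrackers.push(cat), () => '2020-12-01T10:00:00Z');

  gate.handleEvent({ type: 'scroll' }); // inactivity / navigation: ignored
  gate.handleEvent({ type: 'click', boxes: { analytics: { checked: true, initiallyChecked: true } } }); // pre-ticked: ignored
  gate.handleEvent({ type: 'click', boxes: { analytics: { checked: true, initiallyChecked: false } } }); // real opt-in
  const afterOptIn = gate.isGranted('analytics');
  gate.withdraw();

  return {
    loadedTrackers,                  // ['analytics']: loaded once, only after the real opt-in
    afterOptIn,                      // true
    afterWithdraw: gate.isGranted('analytics'), // false
    advertisingEverGranted: gate.records().some((r) => r.granted.advertising), // false
    records: gate.records(),         // three entries: choice, choice, withdraw
  };
}
```

The decisive line is the `checked && !initiallyChecked` test: it is the only place where a pre-ticked box and a visitor's own tick can be told apart, so the banner must pass the initial state of each box along with its final state. Everything else in the gate follows from the default being "nothing granted".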
Data ownership and control
Under Dutch law, the concept of 'ownership' only applies to tangible assets and is therefore not applicable to the automated processing of (personal) data. Data may be protected by data protection laws, intellectual property rights and contractual terms. A party that wants to be – and more importantly stay – in control of its data must therefore use data protection laws to its advantage and negotiate terms that not only comply with any requirements under the GDPR, but also enable it to be and remain in control of its data.
There is an increasing trend of discussions between customers and cloud providers regarding their data protection roles under the GDPR, particularly with respect to metadata. In 2020, following negotiations with the Dutch government in 2019, Microsoft was the first cloud provider to change its general terms for enterprise customers and internal processes, adopting a processor role for almost all personal data processed in the context of its online services.
International data transfer and data localisation
Under the Dutch Implementation Act, international data transfers to third countries or international organisations are generally not subject to restrictions beyond those set out in Chapter V (titled 'Transfers of personal data to third countries or international organisations') of the GDPR.
On 16 July 2020, the European Court of Justice (ECJ) ruled in Schrems II14 that the transfer of personal data from the European Union to the United States can, with immediate effect, no longer be based on the EU–US Privacy Shield framework. The standard contractual clauses for the transfer of personal data to processors in third countries (SCC) as adopted by the European Commission remain valid. However, the ECJ emphasised that controllers, and failing them the supervisory authorities, must assess on a case-by-case basis whether the SCC provide an adequate level of protection for a specific transfer. The ECJ explained that any such assessment must be based on the same elements that led to the invalidation of Privacy Shield. The same criteria likely also apply to the other data transfer mechanisms under Article 46 GDPR, including binding corporate rules.
The assessment by the controller whether there is an adequate level of protection is not an easy one to make. Thorough and extensive research is necessary, in particular regarding the various US regulations, and the assessment by European and national courts and supervisory authorities will also have to be taken into account. It is expected that the Dutch DPA and other European supervisory authorities will provide further guidance or take decisions with respect to the permissibility of transfers of personal data from the European Union to the US. However, controllers must take a proactive approach and begin forming their opinion for affected data transfers, and take additional measures where required.
SCC and binding corporate rules continue to be the data transfer mechanisms that are generally most relied upon by organisations. While binding corporate rules provide multinational organisations with a robust framework for international data transfers, it should be noted that the Dutch DPA has had a significant backlog on approving binding corporate rules for years. In its annual report of 2019, the Dutch DPA notes that it received five new binding corporate rules (BCR) requests and 12 BCR update requests. Owing to understaffing, the workload at the end of 2019 totalled 40 BCR requests and 21 BCR update requests. Organisations that are considering adopting BCR with the Dutch DPA as their lead authority should therefore take into account that formal approval of BCR may take longer than anticipated and in practice will likely take upwards of two years.
The Netherlands does not have any formal laws containing specific data localisation requirements. However, there is an increasing demand to keep (personal) data as much as possible within the European Union.
Company policies and practices
Employee training relating to data protection and security is more prominent in larger organisations and is mandatory in certain sectors, such as for financial institutions.
On 27 November 2019, the Dutch DPA published a list of processing activities that require a mandatory data protection impact assessment (DPIA), such as employee monitoring, profiling and credit scoring, that applies in addition to the guidance of the EDPB. If a DPIA indicates that a processing will result in a high risk, the controller must take mitigating measures or, in the absence thereof, consult the Dutch DPA prior to the processing. In 2019, the Dutch DPA received 13 requests for a prior consultation, of which two resulted in a positive advice. These cases related to the design of Dutch passports and a legislative proposal to counter the use of mobile phones while driving. We notice an increase in the publication of DPIAs performed by the public sector, such as the DPIAs of the Ministry of Justice and Security for Microsoft's Windows 10 and Office 365.15
With respect to codes of conduct under Article 40 GDPR, the Dutch DPA published its intended decision to approve the code of conduct for IT companies from the sector organisation Nederland ICT. No final decision has been published to date.
On 16 June 2020, the Dutch House of Representatives adopted a motion requesting the Dutch government to urge international technology companies active in the Dutch education sector to sign a code of conduct called the 'Privacy Covenant'. At the time of writing this chapter, it is unclear whether such obligation will be put in place.
Discovery and disclosure
Disclosure of personal data to third parties is generally subject to and must comply with the GDPR and the Dutch Implementation Act.
The Netherlands does not have the extensive (pretrial) discovery of documents that is available in some countries, such as the United States. Subject to strict conditions, the Dutch Civil Procedure Code does provide the possibility to apply for a court order to review, obtain an extract from or obtain a copy of certain specific documents in the possession of another party.
A controller will generally be able to base any intended disclosure following a court order or governmental request to disclose personal data on the legal ground of compliance with a legal obligation to which the controller is subject, provided that the request has a basis under Dutch, European Union or another member states' law and the controller has a binding legal obligation to respond to such request. Any disclosure of sensitive categories of personal data or personal data relating to criminal convictions and offences must additionally comply with, respectively, Articles 9 and 10 GDPR and the Dutch Implementation Act.
Governmental requests from and civil discovery procedures in countries outside of the European Economic Area that require disclosure of personal data can only be recognised or enforceable if the request is based on an international agreement between the third country and the European Union or the Netherlands. A mutual legal assistance treaty is expressly recognised as such an international agreement. Transfers must also comply with other requirements regarding international transfers as described in Section IV, above. In practice, this can be difficult as third-country organisations are often reluctant to enter into standard contractual clauses. Depending on the circumstances of the case, organisations may be able to rely on the grounds for incidental transfers set out in Article 49 GDPR, such as the necessity for the establishment, exercise or defence of legal claims.
If an organisation cannot base a disclosure on a legitimate ground for transfers to third countries or successfully direct the requesting party to an available international agreement, it may find itself caught between two stools. In such cases, a risk-based assessment must be made of the potential sanctions the organisation faces for (1) not complying with the request and (2) breaching data protection laws.
Public and private enforcement
i Enforcement agencies
The Dutch DPA is the designated supervisory authority for the Netherlands. In the execution of its powers, the Dutch DPA is bound by the principles of proper administration and procedural rules of the General Administrative Law Act. The Dutch Implementation Act grants the Dutch DPA administrative enforcement rights, such as fines and orders on penalties. Organisations and individuals can object to, and appeal against, decisions of the Dutch DPA before administrative courts. The Freedom of Information Act applies to the activities of the Dutch DPA.
The Dutch DPA is not the only authority involved in the supervision of personal data processing and security. The Dutch DPA established cooperation protocols with other supervisory authorities such as the Authority for Consumers and Markets, the Dutch Central Bank and the Telecom Agency. These cooperation protocols outline, among others, how the supervisory authorities cooperate in the case of enforcement, which supervisory authority will engage in enforcement for specific topics and how they exchange information.
The Authority for Consumers and Markets is the supervisory authority charged with enforcement of consumer protection laws and sector-specific regulation of several sectors.
The Authority for the Financial Markets, European Central Bank and Dutch Central Bank supervise financial institutions and markets, including the strict laws relating to data security that apply in this sector. The Dutch Central Bank is also the supervisory authority for financial institutions that are designated as essential services providers under the Security of Network and Information Systems Act that implements the NIS directive.
While the Dutch DPA and the Authority for the Financial Markets currently do not have a cooperation protocol in place, both authorities participate in the Consultation Forum of Regulatory Bodies (Markttoezichthoudersberaad), where various supervisory authorities that (partly) focus on the functioning of markets and the behaviour of market players come together to share knowledge and exchange experiences on cross-curricular themes. Other participants include the Authority for Consumers and Markets and the Dutch Central Bank.
ii Recent enforcement cases
In August 2019, the Dutch DPA announced a further investigation into Microsoft's data processing practices concerning its Windows operating system. In 2017, the Dutch DPA initiated an initial investigation finding that Microsoft was using telemetry to unlawfully process personal data. The Dutch DPA found that Microsoft had since made improvements to its products, but further investigation brought to light that Microsoft was remotely collecting other data from users, potentially in breach of data protection legislation. The Dutch DPA shared the results of its further investigation with the Irish supervisory authority, that acts as the lead authority for Microsoft under the GDPR.16 A noteworthy related development is the Dutch government's landmark agreement with Microsoft to make Office 365 and other online services GDPR compliant, both legally and technically. This agreement caught worldwide attention and caused changes in Microsoft's Online Services Terms. Since it initially only applied to use of Microsoft's online products by 350,000 civil servants of the central government, the expectation is that more similar agreements will be negotiated with Microsoft and other suppliers in 2020.
Amid worldwide concerns on the processing of personal data by the popular China-based social media app TikTok, the Dutch DPA initiated an investigation in May 2020.17 The Dutch DPA voiced specific concerns regarding the processing of personal data of children, as TikTok is widely used among them. The Dutch DPA announced that it will specifically examine whether TikTok adequately protects the privacy of Dutch children. The Dutch Implementation Act does not deviate from the age threshold under Article 8 GDPR ('Conditions applicable to child's consent in relation to information society services'). However, it does broaden its scope to any processing of personal data of children below the age of 16. If a child is younger than 16 years, the consent of the child's legal representative is required. The Dutch DPA expects to share the results of the investigation in late 2020.
In July 2020, the Dutch DPA published the results of its investigation into the processing of the (dual) nationality of data subjects that applied for childcare allowance by the Tax and Customs Administration of the Netherlands.18 The investigation was initiated following wide media and political attention to possibly discriminatory practices by the Tax and Customs Administration based on the (dual) nationality of individuals. In summary, the Dutch DPA found three distinct processing activities by the Administration of the (dual) nationality of applicants to be unlawful. The Dutch DPA also found that two processing activities were discriminatory:
- the use of nationality of applicants as an indicator in a risk classification model; and
- the processing of nationality for the detection of organised fraud.
Both processing activities make a distinction based on the nationality of applicants without any objective justification. The Dutch DPA will assess whether the Tax and Customs Administration will be sanctioned. The Minister of Finance, as the controller for the processing of personal data by the Tax and Customs Administration, has the right to respond to the findings of the Dutch DPA. The Dutch DPA has indicated that it may announce a possible sanction in the autumn of 2020.
Further interesting enforcement actions by the Dutch DPA include a fine of €460,000 imposed on the HagaZiekenhuis hospital in June 2019 for failing to review internal access logs to patient files regularly and for not requiring two-factor authentication for access to such files.19 In November 2019, the Dutch DPA collected a penalty of €50,000 from the health insurance company Menzis pursuant to an order of penalty imposed on Menzis in 2018.20 The order of penalty followed an investigation in which the Dutch DPA found, among other things, that employees of Menzis' marketing department had unlawful access to data relating to the health of insured individuals. In March 2020, the Dutch DPA imposed a fine of €525,000 on the Royal Dutch Tennis Association following complaints by its members to the Dutch DPA.21 The Dutch DPA found that the association had unlawfully provided personal data of approximately 350,000 of its members to two of its sponsors. The data were provided to the sponsors against a fee, constituting a sale, and were intended for direct marketing activities by the sponsors.
iii Private litigation
Dutch civil courts may award actual damages to data subjects if they are able to prove that damages have occurred as a result of a breach of data protection legislation. There is an increase in private enforcement of data protection obligations and data subjects have been awarded damages in various civil cases.
An interesting development is the entry into force of the Collective Damages in Class Actions Act in January 2020. This Act paves the way for class actions through Dutch courts, including for breaches of data protection legislation. Under the Act, an interest organisation may claim monetary damages for its members, provided that the action has a sufficiently close connection with the Netherlands.
In August 2020, the interest organisation Privacy Collective launched the first GDPR-related class action. The Privacy Collective is seeking damages from Oracle and Salesforce for the alleged unlawful processing of personal data of Dutch internet users by using third-party cookies for advertisement tracking and targeting.
Considerations for foreign organisations
In line with the territorial scope of Article 3 of the GDPR, the Dutch Implementation Act applies to the processing of personal data as part of the activities carried out on behalf of a controller or processor established in the Netherlands, regardless of whether the processing takes place in the Netherlands. Similarly, the Dutch Implementation Act applies to the processing of personal data of data subjects who are in the Netherlands by a controller or processor not established in the Netherlands, where the processing activities are related to:
- the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Netherlands; or
- the monitoring of their behaviour as far as their behaviour takes place within the Netherlands.
Cybersecurity and data breaches
Organisations (including government entities and non-profit organisations) are subject to the security requirements for personal data set out in the GDPR, including data breach reporting requirements. In 2019, the Dutch DPA received about 27,000 notifications of data security breaches, mostly from the financial (30 per cent) and health (28 per cent) sectors.22
Additional rules apply to government organisations and organisations in certain sectors such as healthcare and financial institutions. Mostly, requirements relating to data and cybersecurity are principle-based rather than rule-based, meaning organisations have some freedom in determining what measures to implement. However, in some cases, the law mandates the use of certain technologies or standards. Examples are DigiD, the identity management platform for communication between government organisations and Dutch residents, and mandatory NEN information security standards for the healthcare sector.
Best practices differ based on the size of the organisation as well as the risks involved. In addition to any mandatory legal requirements that may apply, organisations that process large amounts of data or sensitive data are expected to have robust policies in place, and commitments in this respect (including audit obligations) are often negotiated and included in contractual documentation. Increasing GDPR and security awareness and developments such as the Schrems II ruling and remote working due to the covid-19 pandemic continue to sharpen procuring market parties' critical view of security. Organisations hoping to do business in the Netherlands should take into account that information and cybersecurity, including mitigation of risks that can lead to a loss of control or foreign state access, can be a deal-breaker when not properly addressed.
Designated operators of essential services and digital services providers are subject to the Security of Network and Information Systems Act and secondary regulations, which implement the NIS Directive. The supervisory authority for these organisations is the Dutch Minister responsible for the sector that the relevant service provider operates in. Essential and digital service providers are obligated to maintain adequate technical and organisational procedures and measures that mitigate security risks of network and information systems and prevent incidents. In the case of a threatened or actual incident, notification must be made to the relevant Computer Security Incident Response Team (CSIRT), which is the National Cybersecurity Institute for essential service providers and the CSIRT-DSP for digital service providers.
The National Cybersecurity Institute frequently publishes White Papers and guidance with respect to security measures. In cooperation with a Dutch university, the National Cyber Security Centre developed the 'Cyber Cube Method', a framework that combines European Union Agency for Cybersecurity (ENISA), National Institute of Standards and Technology and George Mason University requirements to identify the required competencies of Security Operations Centers and CSIRT personnel based on the services offered by the relevant organisation.
The appointment of a chief information security officer and policies regarding internal reporting lines are in some cases mandatory based on sector-specific rules, such as the Financial Supervision Act and ENISA guidelines for digital service providers. The Dutch Corporate Governance Code, applicable to Dutch listed companies on a 'comply-or-explain' basis, requires the management and supervisory boards to have sufficient expertise to identify opportunities and risks that may be associated with innovations in business models and technologies in a timely manner, and to implement adequate risk-management policies. In its report on the financial year 2018, the Monitoring Committee Corporate Governance Code found that most companies view cybersecurity as an operational risk and urged companies to (also) consider this risk in the context of long-term value creation of the company, which is one of the basic principles of the Corporate Governance Code.
A notable public initiative is the Dutch Institute for Vulnerability Disclosure, an organisation of information security experts committed to reporting vulnerabilities they find in digital systems to people who can fix them.
International data transfers in the post-Schrems II era will continue to keep organisations busy in the coming year. Owing to the lack of practical guidance by supervisory authorities at the time of writing, organisations are currently facing uncertainty with regard to the assessment they must make on whether a third country provides an adequate level of protection. We hope that the European Data Protection Board will publish practical guidance that will aid organisations in making their assessments. At the same time, we expect increasing demand to keep data within the European Union.
As discussed above, data brokering and artificial intelligence are key focus areas of the Dutch DPA for 2020–2023. We believe the next few years will be formative for case law and legislation around data protection and AI; knowledge of the technology has now become widely dispersed and a cohort of younger and more tech-savvy lawyers and politicians is starting to weigh in on these topics. At the same time, the pace of change is slowing. This will provide a window to formalise views on these topics. Companies in this space have an opportunity to help shape the regulatory environment on these topics and would do well to make use of that, while also taking care to earn the public's trust and confidence.
1 Herald Jongen is a shareholder and Nienke Bernard and Emre Yildirim are associates at Greenberg Traurig LLP.
10 https://uitspraken.rechtspraak.nl/inziendocument?id=ECLI%3ANL%3ARBAMS%3A2019%3A6005.
14 ECJ, Case C-311/18, 16 July 2020 (Data Protection Commissioner v. Facebook Ireland Ltd and Maximilian Schrems).