On Monday, 24 November, a bill was sent to Parliament giving the Dutch Data Protection Authority (CBP) the power to fine controllers and processors for violation of the Dutch Personal Data Protection Act and any other laws containing data protection rules.
The fine, which may be as high as 810,000 euros (adjusted periodically), may be issued for violations of a number of specified articles in the Personal Data Protection Act, such as processing personal data without a legitimate interest or justification; processing personal data for incompatible purposes; retaining personal data longer than necessary; violating confidentiality and professional secrecy obligations; providing insufficient security safeguards; violating the rules on special data or the Social Security number (BSN); not properly informing the data subject; failure to notify a data breach; not complying with data subject access, correction and objection rights; and violating the rules on international data transfers.
The bill refers to another bill (No. 33685), which was passed in the Dutch Senate on November 18 and is now awaiting enactment by the King. That bill raises the maximum fine from 810,000 euros to 10 percent of the annual turnover of the entity that is the controller or processor, where the maximum of 810,000 euros “would not be appropriate,” thus opening up the possibility of fines into the millions of euros for serious data protection violations by major companies.
However, before any fine may be issued, the CBP has to issue a so-called “binding order,” allowing the controller or processor a (short) period of time to bring itself into compliance with that order, except where the violation is intentional. The binding order was introduced after the State Council, which advises the government on all proposed legislation, advised that a fine is not justified where the data protection rules are too vague (lex certa principle). The binding order forces the CBP to specify the rules in any given case before issuing a fine.
Furthermore, the bill raises the maximum fine for non-EEA controllers that fail to appoint a representative to 20,250 euros. On the other hand, the CBP will no longer be able to issue a fine for failure to notify the data processing, currently a maximum of 4,500 euros.
Interestingly, the bill also allows the CBP to fine individual employees for failure to meet their confidentiality obligations (Art. 12 PDPA). This may be the case where employees intentionally disclose personal data to unauthorized persons, an act also punishable under criminal law, but also where employees have been grossly negligent causing a data breach.
The bill amends the Data Breach Notification Bill (No. 33662), which has been pending in Parliament for some months now. Said bill requires the CBP to be notified of breaches that have “serious adverse consequences for the protection of personal data,” a phrase which should be interpreted as “serious breaches,” and requires the data subject to be notified if the breach “is likely to have adverse consequences for his/her privacy.” The obligation to notify the CBP or the data subject does not exist where the personal data have been made “unintelligible or inaccessible for unauthorized persons.”
Last but not least, the Dutch CBP (College Bescherming Persoonsgegevens) will change its name to the Personal Data Authority (Autoriteit Persoonsgegevens).
The bill is expected to be enacted by July 1, 2015.