On Dec. 13, the Dutch government sent the GDPR Implementation Bill to the Parliament. The bill, which was long expected, supplements the EU General Data Protection Regulation with regard to personal data that are processed by automated means or which form part of a filing system and insofar as those data are processed in the context of the activities of establishments of controllers or processors in The Netherlands or where personal data are processed related to the provision of goods or services to people in The Netherlands or the monitoring their behavior insofar as such behavior takes place in The Netherlands.
The main theme of the bill is that the GDPR is implemented in a "policy-neutral manner." This means that the bill continues all current law, insofar as is allowed under the GDPR. As a result, the bill reiterates the age of 16 for the applicability of Article 8 of the GDPR (already the age limit for consent in the current Data Protection Act). It also extends the rules of Article 8 to other vulnerable groups like (mentally ill) people for whom the courts have appointed a legal guardian. It further states that the rights of the data subject outlined in Chapter 3 of the GDPR, like data subject access and the right to be forgotten, may only be executed by the parent or legal guardian. This is especially challenging for the data portability right, since — in combination with the age limit of 16 — may put a significant burden on the part of controllers.
Data Protection Authority
The bill re-establishes the Dutch Data Protection Authority and governs its organization and additional powers. Regarding the composition of the DPA nothing changes, except that the staff will now be directly employed by the DPA and are no longer on the payroll of the Ministry of Justice and Security. Also, the powers don’t change. The DPA will still be allowed to enter a private home against the will of the resident. And the DPA will also be allowed to enforce the GDPR and the Implementation Act by administrative coercion. This means that the DPA can either choose to factually terminate illegal processing and send the bill to the controller or processor, or — more likely — issue an administrative order under penal sum to force the controller or processor to comply. Interestingly, the bill fixes an omission in the GDPR with regard to fines for violating Article 10 (criminal data). I always wondered why Article 10 was not included in Article 83 (fines). Most likely, it was caused by the fact that criminal data have gotten their own article in the GDPR compared to the original Commission draft. The bill places a maximum fine of 20 million euro or 4 percent of global turnover on violation of Article 10.
The Court of Justice of the EU’s Max Schrems case has also made its way into the bill. After investigation, the DPA may challenge an adequacy decision before the Judicial Branch of the State Council, the highest administrative court, which in turn may send the case to the CJEU.
Additional exceptions for special data
Probably the most important part of the bill is Chapter 3, which contains several additional exceptions for the processing of special data in The Netherlands. Next to generic exceptions, like explicit consent, the current Data Protection Act contains specific exceptions per type of special data. Such exceptions either allow specific types of special data to be processed by a specific category of controllers (e.g., hospitals, schools, insurance companies), or limit the processing of such data to specific purposes (e.g., identification, sick leave management, benefits and pensions, pre-employment screening, prevention against crime, etc.). As part of the policy-neutral implementation of the GDPR, all such exceptions are maintained in the bill. Just like the current exceptions, the legal basis for these exceptions is Article 9(2)(g) (“necessary for reasons of substantial public interest”).
An important new addition to these exceptions is the exception for the processing of biometric data for authentication and security purposes (like biometrics-based access systems to computers and buildings). This too fixes an omission of the European legislator, who promoted biometrics to the special data category without including a useful exception for the processing of such data, especially where biometrics-based security is used in the workplace. Evidently, the only relevant exception in Article 9(2) for biometric data, explicit consent, cannot be used in the workplace, which would — oh irony — put sensitive personal data currently protected by biometric authentication systems at risk.
The bill specifically prohibits collective actions against the will of the data subject. Therefore, for a collective action to be admissible, all data subjects in a contested data processing operation must sign up to the collective action if their data is to be submitted as evidence in support of the claim. Therefore, The Netherlands does not support the possibility offered in Article 80(2) to start a claim in the interest of the data subject.
Data protection officer
The bill binds the DPO to secrecy with regard to anything that has come to their knowledge in the course of their duties. Unfortunately, both the bill and the Explanatory Memorandum fail to clarify whether the secrecy obligation also applies against the DPA or the courts. In other words, whether the DPO has a legal privilege. In my humble opinion, such a DPO privilege would be very helpful in strengthening the role and influence of the DPO, because on the basis of administrative law, the Dutch DPA could force the DPO to provide all information he or she has on a particular set of processing operations. Such investigation policy, or even the slightest risk thereof, would significantly weaken the position and effectiveness of the DPO.
Automated decision making/profiling
The bill specifically allows automated decision making with legal effects or similarly significant effects if such decision making is based on compliance with a legal obligation or necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. This means that Dutch tax payers will continue to receive automated tax bills. But the bill also specifically excludes profiling from this article. Therefore, public authorities cannot engage in risk profiling without an (explicit) legal basis, which seems logical considering the legality requirements of Article 8 of the European Convention of Human Rights for infringements on the right to privacy.
The bill fully implements the generic exceptions to the rights of the data subject and the breach notification mentioned in Article 23 of the GDPR. It should be noted that in accordance with current Dutch interpretation of such exceptions, the “rights of others” includes the compelling interests of the controller. This is unlikely to change. However, this exception should be invoked only in the most serious of circumstances (e.g., in case of the preparation of a dismissal or investigation into serious wrongdoing on the part of an employee).
The bill maintains the current exception in the Data Protection Act for companies in the financial sector to notify data breaches to data subjects. This exception only applies insofar as the company is covered by the Financial Supervision Act, like banks, insurance companies and trusts. However, such company must notify the breach to the DPA and the financial regulators.
Research and statistics
Institutions for scientific and applied research and statistics are exempted for applying Article 15 (data subject access), 16 (correction), and 18 (restriction) of the GDPR, provided they have taken appropriate measures to ensure the personal data are only used for research or statistics. The use of the Dutch social security number (BSN) and similar numbers is restricted to controllers who are allowed to process such data by law. This allows employers to store the BSN in their payroll administration for tax purposes, but prohibits them from using it as a generic employee identifier in their systems.
The bill ends with a few transitional provisions. Most importantly, all decisions taken by the current DPA are considered decisions by the new DPA. However, under the current Dutch Data Protection Act, binding corporate rules are covered by a permit from the Minister of Justice and Security. The bill is silent on what happens to such permits, so this would mean that all current BCRs approved in The Netherlands would be null and void per May 25, 2018, unless the DPA issues an authorization by then.
State Council advice
It should be mentioned that with the publication of the bill, the advice of the Dutch State Council, the official advisory body to the Dutch government, has also been published. The State Council’s advice contains two interesting points.
One; current Dutch law requires the Dutch DPA to issue a "binding interpretation" before issuing a fine. When the current fining powers of the Dutch DPA were introduced back in 2016, the State Council stressed the risk of unfair fines because data protection law inherently lacks clarity (the Lex Certa principle). Once again, the State Council stresses the need for clarity of the law under the GDPR before a fine is issued and makes the argument for allowing such an instrument on the basis of Article 83(8). In its response to the advice, the Dutch government takes the position that the GDPR does not allow the introduction of a "binding interpretation" before a fine is issued. I don’t agree with the government’s position. Not only do I think Article 83(8) explicitly allows such a procedural safeguard to protect against unfair enforcement, it also ensures that the risk-based approach as enshrined in the GDPR is actually implemented. Without said clarity, lawyers may tend to go overboard in their efforts to reduce fining risks. Building unnecessary legal roadblocks contravenes the idea behind the GDPR that data processing must serve mankind and the fact that the right to data protection must be balanced against other fundamental rights (Recital 4).
Two; the State Council voices its concerns over the transparency and accountability of the European Data Protection Board and the way the data subjects are included in its decisions. The State Council qualifies the opinions of the EDPB as “soft law.” The Council stresses the fact that the EDPB’s decision-making evades the influence of the member states, but that the GDPR is not a true regulation, since it contains multiple aspects which are left to the member states. The Council requires the Dutch government to explain how the GDPR contains "checks and balances" that meet its concerns. The response of the Dutch government to this criticism is kind of weak. It mentions the rules of procedure (Article 72) and the annual reports (Article 71) as sufficient checks and balances. However, the government’s response mentions the advice by the Dutch Minister for Interior and Constitutional Affairs to investigate the impact of the fact that constitutional rights are increasingly determined on the European level on the national rule of law.
In conclusion, the Dutch GDPR Implementation Bill contains little or no surprises for Dutch privacy lawyers. But some improvements are necessary. It’s expected that the bill will be swiftly decided upon in the Parliament; first the Second Chamber, then the Senate. We will keep you updated.
If you want to comment on this post, you need to login.