Greetings from Utrecht!
The Dutch data protection authority recently disclosed that in 2018 a total of 20,881 data breaches were reported, 15,000 of which were post-GDPR notifications. In a DLA Piper report, the Netherlands tops the ranking of European countries for reported breaches, with Germany and the U.K. in second and third place.
The results caused some interesting speculation on social media about why so many data breaches were reported in the Netherlands. Here are my two cents: First, the Netherlands has had a GDPR-style breach notification obligation since January 2016, so we are probably already used to it. Second, the Netherlands has a relatively high number of global headquarters compared to other EU member states, so data breaches that technically took place abroad may have been reported to the Dutch DPA as the lead authority. Third, under the 2016 law, a vulnerability might qualify as a data breach if one could not rule out that a breach took place. I am sure that, as a result, the 20,881 figure contains its fair share of vulnerabilities, which are not data breaches under Article 4(12) of the GDPR.
However, the most interesting number is the number that is not reported. When the Dutch legislature introduced the data breach notification bill back in 2014, it estimated that about 66,000 data breaches per annum would be reported. Even though that number was later found, during the discussions in Parliament, to be somewhat of an overestimate, the gap between 66,000 and 20,881 reported breaches is significant. Most likely, there is still underreporting going on, and looking at the numbers in the DLA Piper report, that is most likely the case in other EU member states as well.
Data breach reporting obligations seem to have put privacy and GDPR compliance at the top of the priority lists in Dutch organizations. Ever since 2016, CIPP/E and CIPM training have exploded in the Netherlands. When asking why people take the training, many trainees tell me that they want to understand the law as they are now dealing with breach notifications. As a result, the IAPP now has about 3,400 members in the Netherlands, way more than any other European country except the U.K.
For our non-Dutch readers, let me share some interesting figures from the AP report:
- 63 percent of breaches involved sending personal data to the wrong person; lost or opened return-to-sender mail and lost or stolen devices came in second and third place, with 9 percent and 7 percent respectively.
- The actual number of breaches is supposedly higher given the fact that data subjects report breaches that have not been reported by the controller. The AP considers this a serious matter and has declared non-reported data breaches among its top enforcement priorities.
- 14,489 of the 20,881 data breaches were looked into, and in 298 cases, the AP took action.
- In 35 percent of those 298 cases, the AP sent a “norm-explaining letter,” and in 23 percent, the AP had a “norm-transferring conversation” with the controller (yes, exactly like being called to the principal’s office). In seven cases, an investigation was started.
- The number of people in the breach ranged from 1 (58 percent) to more than 100,000 (1 percent). When more than 5,000 data subjects were involved, the breach was in most cases caused by malware or phishing.
- Health care organizations were responsible for 29 percent of the reported breaches, with financial organizations and public authorities in second and third place with 26 percent and 17 percent respectively.
- One fine was issued in 2018 (Uber, for 600,000 euros) for failing to report a data breach in a timely manner.
With all that attention for breach notifications, one might forget that the real purpose of breach obligations in the GDPR is to invest in better security to avoid the embarrassment of one of those “norm-transferring conversations” with the supervisory authority.