Last week, the IAPP held its inaugural Data Protection Intensive: Nederland in The Hague. More than 300 delegates gathered as the conference opened with remarks from the Dutch data protection authority, Autoriteit Persoonsgegevens. Marianne Niessink, Director of International Affairs, Policy and Strategy, and Communications discussed the current state of affairs for privacy and data protection in The Netherlands.
Niessink noted that the Autoriteit sees many signs that “awareness about the fundamental importance of privacy and data protection is increasing” since the new government took office in January 2022. This shift appears as the Autoriteit had been very critical toward the previous government, reporting that “in about 20% … of all new draft laws concerning data processing, data protection is insufficiently secured regarding collection, retention and sharing of personal data of citizens. Illustrative of this failing approach was, according to the Autoriteit, the draft bill for the National Coordinator for Counterterrorism and Security. A positive sign according to Niessink? The new government coalition agreement “contains some explicit words about the importance of data protection and privacy, and about the importance of robust supervision and enforcement.”
Incidentally, the Autoriteit itself has been under criticism from the Dutch Ombudsperson in a December 2021 report, for not doing a good job at dealing with citizens’ privacy complaints. The backlog at the end of 2020 was amounting to 9,800 privacy cases pending, with long waiting periods. The Ombudsperson recommended bringing more expertise to the Autoriteit and for it to be clearer and more open in its communication with citizens. Perhaps the additional budget announced, “increasing from 26 million euros now to 35 million euros in 2025,” according to Niessink, will help alleviate some of these concerns.
The Autoriteit is also active in the European Data Protection Board’s activities. For instance, it took part in the EDPB’s assessment of EU legislative proposals such as the Data Governance Act (now into effect), the Digital Services Act or the still debated drafts Data Act and Artificial Intelligence Act. Niessink recalled that EDPB’s concerns relate to the creation of new supervisory authorities and European cooperation structures other than the data protection authorities, raising questions of cooperation and competences, as well as a risk for inconsistencies between the new proposals on the one hand and the existing data protection framework on the other. “(New proposals) should clearly state that they shall not undermine the application of the existing data protection rules. And that, when they use GDPR terminology, the terms should mean the same.”
Niessink closed by wishing the European Commission would work on a set of harmonized horizontal provisions in administrative procedural law. This would help overcome both obstacles to efficient cooperation in the one-stop shop created at national level by Member States’ (including The Netherlands) own national enforcement process, as well as aspects of other member states’ legislation.
Photo by Alireza Parpaei on Unsplash