9 December 2016

Dutch draft data protection reform bill published

Today, the Dutch Ministry of Security and Justice published the draft Implementation Bill General Data Protection Regulation (“Implementation Bill“). This bill provides the first insight into the Dutch government’s implementation of new data protection principles in the light of the European developments. The bill is highly relevant for our clients since it will replace the current Dutch data protection framework and requires an assessment of overall data protection compliance.

The implementation of the GDPR
The Implementation Bill is the Dutch legislative response to the European General Data Protection Regulation (“GDPR“). The GDPR was adopted in April 2016 to strengthen existing obligations and to modernise the current data protection framework. It will apply directly in all member states as of spring 2018. However, there is some room for manoeuvre for national authorities to implement and specify European principles. The bill that is presented today gives the first insight into this national approach to the new data protection laws.

National implementation
In general, the Dutch government has tried to maintain the rules which already exist in the Data Protection Act (Wet bescherming persoonsgegevens), unless the GDPR requires a change. New matters include, for example, local law on profiling, special categories of personal data, rights of data subjects, and the mandatory notification of a data breach. Other topics where the bill provides further specification of the GDPR include rules on health and education related data. The bill also provides derogative grounds such as criminal investigations and investigative powers.

Another interesting aspect of the Implementation Bill is its expansion of the role of the Dutch Data Protection Authority, the Autoriteit Persoonsgegevens (“AP“). This enforcement body will interact to a greater extent with international data protection authorities and has stronger enforcement powers.

What is next?
The Implementation Bill is now open for public consultation until 20 January 2017. After this period, both the Dutch Senate and the Second Chamber must debate and adopt the bill. The exact time of entry into force is therefore unknown at this time.

We recommend our clients monitor this legislative process and review their internal processes and policies. Whereas the GDPR was the first incentive to evaluate overall data protection, this Bill further clarifies and specifies the new obligations. It is key for our clients to have their revised policies and practices up to date by spring 2018, when the GDPR becomes directly applicable in all EU member states.