10 April 2014

Dutch Data Protection Authority to prioritise profiling, tracking and tracing of internet users

The Dutch Data Protection Authority (College Bescherming Persoonsgegevens, CBP) has published its annual report for 2013 and its agenda and priorities for 2014. While the annual report gives an insight into trends of the CBP’s supervisory tasks, the agenda for 2014 shows that its priorities for this year include profiling, tracking and tracing of internet users. Clients performing processings that fall within these thematic or enforcement priorities run a higher risk of becoming subject to enforcement actions by the CBP and are therefore advised to ensure that those processings are compliant.

What to expect in 2014: thematic priorities and enforcement priorities
In the selection of its priorities, the CBP focuses on subjects and areas where there are (suspected) serious violations of a structural nature which affect many data subjects and for which the CBP through its use of enforcement tools can make a difference.

The agenda for 2014 includes five thematic priorities for the CBP, for most of which the DDPA has formulated enforcement priorities. These include the processing of personal data within employment relationships (especially the transfer of personal data relating to employees to third parties), profiling (particularly the tracking and tracing of users on the internet or users of with wireless connections), the decentralisation of governmental tasks to municipalities, (particularly the processing of personal data by municipalities and the security of that data), the processing of medical data, (especially the processing of data by healthcare providers), and the processing of data by law enforcement authorities.

Within these priorities, the CBP will focus on three principles of the Dutch Data Protection Act: consent, transparency and security.

The DDPA also states it is vigorously pursuing international cooperation with other data protection authorities in order to strengthen the effectiveness of investigations of possible breaches of data protection legislation.

Annual report 2013: interesting figures
The annual report shows that the CBP carried out 73 enforcement actions in 2013, an increase of 25% compared with 2012. The instigation of several of these investigations was directly related to complaints and questions received by the CBP, which showed an increase of 14%. These increases show that not only is the public becoming more active in submitting complaints or questions to the CBP, but that the CBP is not shy about initiating enforcement actions from signals it picks up from the public.

Most complaints and questions involved the transfer of personal data between non-related companies or organisations. This trend is reflected in the priorities of the CBP for 2014.