10 October 2013

Proposal for mandatory data breach notification and penalty for not cooperating with DPA

The Dutch government has proposed a general and mandatory data security breach notification. If these proposals are enacted, data breaches must always be notified, subject to a penalty of EUR 450,000. The Dutch government has also reinforced the Dutch Data Protection Agency’s investigative powers.

Mandatory data breach notification
To address the large number of security incidents that negatively affect the privacy of individuals, the Dutch government has proposed a duty to notify in the event of a security breach. An entity must promptly notify the Dutch Data Protection Agency (“DPA”) of any breach of security measures that can reasonably be expected to have a negative impact on the protection of personal data which that entity processes. In addition, individuals whose data may have been compromised must be notified if their privacy is at risk. Companies that qualify as data controllers should have an action plan for data security breaches. Failure to notify where there is a requirement is punishable by a fine of EUR 450,000.

An important exception to the notification duty relates to personal data that have been encrypted. If data have been encrypted, there is no requirement to notify the individuals affected.

Reinforcement of investigative powers of Dutch DPA
To further enable the Dutch DPA to make full use of its investigative powers as established by law, the government proposes making it possible for the Dutch DPA to impose a fine of EUR 450,000 on companies which do not fully cooperate with the authorities in investigations. This is a huge increase in the investigative powers of the Dutch DPA, as it could previously only issue orders under pain of payment of a monetary penalty. The creation of the possibility to issue fines for non-cooperation increases the DPA’s powers. Companies may be confronted with these new powers during dawn raids or other investigations as carried out by the Dutch DPA.