14 November 2019

Dutch DPA announces three-year enforcement focus on commercial use of data and AI

The Dutch Data Protection Authority has published its supervision and enforcement priorities for 2020-2023 (in Dutch). Although the selected areas of focus are predictable, the publication gives an indication of what the enforcement risks will be for years to come. It also reveals a shift in the supervision and enforcement strategy of the data protection watchdog. Instead of setting a few annual priorities, as it has done so far, the Dutch DPA will, through 2023, target a specific set of companies with investigations stretching out over several years. The priorities indeed overlap with the strategies adopted by DPAs across Europe. After decades of relative calm, companies that process customer data for commercial purposes on a large scale should prepare for data watchdogs to knock on their door, critically questioning the commercial use or re-use of personal data. In relation to artificial intelligence, another major theme for the Dutch DPA, clients should stay ahead of the curve and prepare for the legal and ethical regulatory framework on AI that is sure to come in the near future.

The Dutch DPA announced on 11 November 2019 that through 2023, it will direct its resources towards the following three areas: commercial use or re-use of personal data (trade in data), digital government and AI & algorithms. These focus areas are generally in line with the supervision and enforcement activities of the Dutch DPA and its counterparts across Europe that we have observed in our practice.

The "trade in data" focus area is broad and encompasses virtually all data monetisation practices. The DPA emphasises that it will especially direct its resources to data minimisation; privacy by design and default of Internet of Things (IoT) devices; fairness and transparency of profiling; and legitimate legal bases for monitoring individuals' online behaviour for behavioural advertising. In its recent guidance, the Dutch DPA took the position that purely commercial interests and maximisation of profits cannot be considered a legitimate interest in processing personal data, thus implying companies will need consent from customers instead. In light of this guidance, we expect the Dutch DPA to take a firm line in applying the General Data Protection Regulation (GDPR) to these practices. This approach, however, appears to be in conflict with a much more flexible interpretation by the European DPAs and with case law of the Court of Justice of the European Union on this issue (for example, Google Spain and Asnef). We can see heated debates and litigation on the horizon.

In contrast with the trade in data, the Dutch DPA elaborates much less on AI. This may be due to the general immaturity of the regulatory framework on the issue. The main priority of the DPA is to develop a monitoring system for AI systems and algorithms using personal data. The DPA highlights that companies must ensure that AI systems and algorithms not only use personal data in a GDPR-compliant manner, but also responsibly and ethically. This ties in well with the ongoing policy efforts at the European Union level to regulate AI technologies through a combination of legal and soft law mechanisms. The incoming European Commission has already announced that comprehensive legislation on the governance of AI will be proposed in early 2020. We are assisting several clients in designing future-proof AI systems, as companies will be required to consider the legal and ethical governance of AI from the outset of systems design, rather than as an afterthought.

Digital government constitutes a third theme of the Dutch DPA. Rightly so, the Dutch DPA is concerned with poor data security practices in the public sector, especially at the municipal level. Moreover, the DPA argues that non-compliant data sharing among public sector bodies seriously impairs the right to privacy by creating an undesirable imbalance of power between individual citizens - and the citizenry more generally - and the government. This applies particularly to people who have fewer means to defend themselves against information and power asymmetries.

Whereas the Dutch DPA used to communicate themes on an annual basis, it has now committed itself to these areas for the foreseeable future. This approach makes sense as any serious investigation takes several years to come to a conclusion. The DPA now signals that it will also shift its attention from providing guidance on the meaning of privacy obligations, towards enforcing those obligations. Companies that find themselves within the scope of these focus areas should heed that message.