The Dutch DPA announced on 11 November 2019 that through 2023, it will direct its resources towards the following three areas: commercial use or re-use of personal data (trade in data), digital government and AI & algorithms. These focus areas are generally in line with the supervision and enforcement activities of the Dutch DPA and its counterparts across Europe that we have observed in our practice.
The “trade in data” focus area is broad and encompasses virtually all data monetisation practices. The DPA emphasises that it will especially direct its resources to data minimisation; privacy by design and default of Internet of Things (IoT) devices; fairness and transparency of profiling; and legitimate legal bases for monitoring individuals’ online behaviour for behavioural advertising.
In its recent guidance, the Dutch DPA took the position that purely commercial interests and maximisation of profits cannot be considered a legitimate interest in processing personal data, thus implying companies will need consent from customers instead. In light of this guidance, we expect the Dutch DPA to take a firm line in applying the General Data Protection Regulation (GDPR) to these practices. This approach, however, appears to be in conflict with a much more flexible interpretation by the European DPAs and with case law of the Court of Justice of the European Union on this issue (for example, Google Spain and Asnef). We can see heated debates and litigation on the horizon.
In contrast with the trade in data, the Dutch DPA elaborates much less on AI. This may be due to the general immaturity of the regulatory framework on the issue. The main priority of the DPA is to develop a monitoring system for AI systems and algorithms using personal data. The DPA highlights that companies must ensure that AI systems and algorithms not only use personal data in a GDPR-compliant manner, but also responsibly and ethically. This ties in well with the ongoing policy efforts at the European Union level to regulate AI technologies through a combination of legal and soft law mechanisms. The incoming European Commission has already announced that comprehensive legislation on the governance of AI will be proposed in early 2020. We are assisting several clients in designing future-proof AI systems, as companies will be required to consider the legal and ethical governance of AI from the outset of systems design, rather than as an afterthought.
Digital government constitutes a third theme of the Dutch DPA. The Dutch DPA is rightly concerned with poor data security practices in the public sector, especially at the municipal level. Moreover, the DPA argues that non-compliant data sharing among public sector bodies seriously impairs the right to privacy by creating an undesirable imbalance of power between individual citizens – and the citizenry more generally – and the government. This applies particularly to people who have fewer means to defend themselves against information and power asymmetries.
Whereas the Dutch DPA used to communicate themes on an annual basis, it has now committed itself to these areas for the foreseeable future. This approach makes sense, as any serious investigation takes several years to come to a conclusion. The DPA now signals that it will also shift its attention from providing guidance on the meaning of privacy obligations towards enforcing those obligations. Companies that find themselves within the scope of these focus areas should heed that message.