[Image caption: A data date]
The momentum towards EU data protection reform is currently advancing towards a new text for a Regulation on the protection of individuals with regard to the processing of personal data and the free movement of such data. After the EU Parliament supported the Commission's proposal for a Data Protection Regulation in its plenary resolution of 12 March 2014, Ministers in the Justice Council reached a general approach on such a Regulation this Tuesday, 15 June. The EU Data Protection reform now awaits the first Trilogue Meeting on the Regulation, which takes place in Brussels next Wednesday, 24 June. While final agreement is expected by the end of this year, the Dutch Parliament has recently passed a new Act focusing on a particular aspect of data protection: the data breach notification duty (which, we expect, will also be included in the EU Data Protection Regulation).
[Image caption: In story-telling tradition, no-one has been better-known for dealing with breaches than the Dutch]
The Dutch Act imposes an obligation on the data controller to notify any security breach which either has, or threatens to have, serious consequences for the protection of personal data. Notification must be made both to the national Data Protection Authority and to the individual whose privacy is affected by the breach (in the latter case, only when the data can be accessed by third parties). The Dutch Parliament has introduced a broad concept of security breach, embracing instances in which personal data is compromised regardless of whether security measures were implemented. Thus technical and organisational errors, as well as voluntary human conduct, may all give rise to a notifiable security breach.
What is a security breach? Article 4 of the Proposal for the Regulation defines "personal data breach" as "the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed". However, the duty of notification only arises where such a breach has serious adverse consequences. In this regard, the Dutch Act sets forth some parameters to help assess the consequences of a breach. These include the nature and scope of the breach, the nature of the personal data, the extent of the technical protective measures in place and the impact on the privacy of the individuals affected by the breach.
[Image caption: Reporting a breach? You may need to exchange your clogs for running shoes ...]
The Dutch reform also addresses the time limit within which the data controller must notify the breach. Notification should be made without delay, while still giving the data controller the time necessary to analyse the breach and to decide how to respond. Timing of the notification is essential for the protection of an individual against possible economic loss and social harm, including identity theft or fraud, physical harm, significant humiliation and damage to reputation. By comparison, according to the Recitals in the proposal for the Regulation, notification is presumed to have been made without delay if it is done between 24 and 72 hours from the moment the breach occurred; the proposal itself, however, sets no fixed time limit for making a notification.
Liability for violation of the Dutch Data Protection Act can be ascribed jointly to the data controller and the data processor, if the latter is also involved in the breach. The data controller and the data processor may agree to cooperate in fulfilling the obligation of notification. Incidentally, personal liability is also placed on company executives under the Dutch reform. Violations are punishable with a fine of between 20,250 and 810,000 euros, depending on the seriousness of the violation. In extreme cases an administrative fine of 10% of the net annual turnover may be imposed, if the violation is not rectified after the Data Protection Authority has issued its 'binding instruction'.
Given the sensitivity of personal data breaches, perceived as being of an urgent nature in everyday life, the reforms discussed here are welcome, provided that data controllers establish best practices for complying with the obligation to notify the breach in an effective and expeditious fashion. The time frame in which data controllers may exercise their discretion in notifying data breaches to the individuals affected should be as short as possible, so as to allow data breach victims to cooperate in containing the consequences of the breach. In this context a 24-hour time limit would be good wherever it is feasible.
I say, what a spiffing idea.
Do you know if it will also apply to the Hague branch of the EPO? Or will they claim immunity?