Duty to report data leaks and chance of penalties tightens privacy protection
Senate adopts bill
Suppose you buy a service somewhere and a hacker steals your data. Or it is lost by a careless employee. A decent company would inform you about this, but it has no obligation to do so. This is about to change.
Bart Witteman - May 26, 2015
On May 26, 2015 the Senate adopted a bill under which, subject to certain conditions, a data leak must be reported to the supervisory authority (the Dutch Data Protection Authority, or the DPA) and to the person whose data it involves.
What’s more, the DPA will be able to impose hefty penalties. This may have serious consequences for many companies: not only may the penalties be high (more than EUR 800,000 or 10% of the annual sales), but they can also generate a great deal of negative publicity.
The obligation to report requires the ability to detect
Reporting a leak is only possible if you know one has occurred. This makes detection of incidents a vital issue. Many organizations have a process in place for detecting security incidents and dealing with them. Such a process should clearly show when a personal data leak is involved. The key thing here is to have a clear procedure in place, and above all staff who are sufficiently knowledgeable.
Establish the expected consequence of a breach
The bill is limited to breaches that lead to a considerable probability of serious negative consequences, or to actual serious negative consequences, for the protection of personal data. Just what exactly this means is not yet clear: it also depends on the analysis organizations carry out themselves. The DPA will ultimately define the term “serious.”
It was former State Secretary Teeven who said that if a list stating the members of the local korfball club is out in the open this is unlikely to be a serious thing; access to the patient files of the local hospital most likely is. This is quite open to interpretation. The DPA will issue guidelines for this.
Inform the DPA and the people involved, if necessary
The duty to report has two sides: first, the DPA may need to be informed about personal data breaches, while secondly the people involved may need to be informed if a breach specifically relates to them. Various criteria are applied to that end:
- A security breach that leads to a considerable chance of serious negative consequences, or to actual serious negative consequences, for the protection of personal data requires immediate notification of the DPA (“without any delay, taking into account the circumstances of the case”).
- When a breach is likely to have adverse consequences for the personal privacy of a specific person, this person must be notified immediately as well.
Hence, the DPA will generally have to be informed sooner than a specific person. If an incident is reported the DPA may still decide that informing individual persons is necessary. It would be wise to seriously consider encryption: if “skillfully encrypted data” is lost, a report to the people involved will generally not be necessary – besides, reasonable arguments can then be provided that “likely adverse consequences” for the people involved will not occur.
The DPA now has real power to impose penalties
The DPA’s powers to impose penalties had always been very limited. Its main instruments were aimed at compelling the remedy of shortcomings: administrative enforcement and imposing a penalty. Much has been said about the high penalties in the announced European Data Protection Directive; its apparent delay has prompted the Netherlands to extend the DPA’s authority to impose penalties.
The DPA will soon be authorized to impose penalties for a broad set of breaches. Those penalties are capped at EUR 810,000. If parties fail to comply with a binding instruction issued by the DPA, this may even be as high as 10% of the annual sales. Such penalties will not be imposed quickly, though. Nevertheless, companies will clearly have to factor in a better equipped supervisory authority.