NL Council of State publishes critical view on CESOP implementation
Recently, the Council of State (in Dutch: “Raad van State”) published its advice on the implementation of the CESOP in the Netherlands (please note that the advice is only available in Dutch). In its advice, the Council of State recommends at least changing the explanatory notes to the legislation and potentially the text of the legislation itself.
3 October 2022
The Council of State expresses concerns about the feasibility of the new legislation. The Dutch tax authorities (“DTA”) have indicated that implementation of the permanent systems necessary for this legislative proposal is not feasible before January 1, 2024. Therefore, they are going to put a temporary solution in place. The Council of State is critical of this process, as it is still unclear whether the DTA will be able to effectively meet the expectations under CESOP. Additionally, the Council of State is not convinced of the added value of the CESOP data, taking into account the collection of data from platforms under DAC7 [see our DAC7 site].
Personal data and interaction with the GDPR
The CESOP requirements will lead to some reporting of personal data by PSPs, especially where it relates to payments received by natural persons, or where reported data relating to organizations can be traced back to the individual owner (and, for instance, their income). It is unclear from the explanatory notes whether the Dutch Data Protection Authority (“Dutch DPA”) was consulted. The Council of State underscores that, even though it concerns the implementation of an EU directive, the Dutch DPA should still be consulted, and advises the legislator to expand on the treatment and safeguarding of personal data under CESOP and to include advice from the Dutch DPA.
The Council of State specifically mentions the de minimis threshold of 25 payments per payee. Here it recognizes a risk of ‘overcollection’ of data: what if the organization reports personal data on payees receiving fewer than 25 payments? Will this be subject to the same fines as non-compliance, or will there be specific, other consequences? The Council of State advises addressing these issues in the explanatory notes to the proposal. We understand that, at least from the EU Commission’s point of view, ‘overreporting’ is not acceptable and will be seen as non-compliance.
Fines and penalties
The current Dutch legislative proposal contains a maximum fine for non-compliance of EUR 900.000. The choice for this (rather high) maximum is not specifically addressed in any of the legislative documents. The Council of State finds that the maximum is significantly higher than other fines for non-compliance in VAT matters and requests the legislator to substantiate or change this choice.
Lastly, the Council of State recommends specifying why the draft Dutch legislation references PSD2 directly and uses the PSD2 terminology. PSD2 (as with any directive) has been implemented in Dutch law, using its own, Dutch, terminology. The Council asks why the CESOP implementation is not aligned to the PSD2 implementation, but to the directive directly.
There are still some quite fundamental questions and concerns that relate to the CESOP implementations in Member States. This example from the Netherlands illustrates that it is not as straightforward as it may seem. In any case, PSPs will have a fine line to walk between ‘underreporting’ and ‘overreporting’, performing a balancing act between meeting CESOP and not breaching the EU GDPR. Taking into account the significant fines that are expected, and the decentralized reporting in each of the Member States where PSPs provide reportable payment services, the design of CESOP reporting processes deserves a place at the top of organizations’ agendas.