Although the GDPR (Regulation (EU) 2016/679) is not a directive, it still does not fully harmonise EU data protection law. With regard to some aspects, such as exceptions for processing of health data, the age of consent for minors, and consent in the employment context, there is still some room for manoeuvre for the member states. As a consequence, the member states are currently developing national laws (implementation acts) that will apply along with the GDPR. This does not make things easier for companies working hard to become compliant with the GDPR as from 25 May 2018.
Besides the fact that there will still be some differences in legislation, one may expect the data protection authorities not to take an identical approach in all member states. In this article I would like to focus on what may be expected when it comes to penalties for breaches of the GDPR in the Netherlands.
Current Dutch legislation
The possibility to impose substantial administrative penalties is not entirely new for the Netherlands. As from 1 January 2016 the Dutch Data Protection Act ("DPA") already contains the possibility for the Data Protection Authority ("the Authority") to impose penalties of up to EUR 820,000. However, the DPA requires (except for deliberate violations or situations of serious negligence) that the Authority, before imposing a penalty, first issues a binding order in which a time limit may be set within which the offender must comply with the order. This element was added to the law on the basis of the advice of the Council of State (which can be seen as the highest advisory body for the government, advising on all legislation). The Council of State was of the opinion that, given the large number of open norms and vague definitions in data protection legislation, imposing immediate sanctions without a warning would be in breach of the lex certa principle.
It is interesting to note that, under the current legislation, the Authority has not imposed any penalty over the past two years. In a recent news article on this topic, the Authority announced that it does not see imposing penalties as a goal, but rather as a final remedy to ensure compliance.
The Dutch Implementation Act
Given the advice of the Council of State with regard to the introduction of penalties in the DPA in 2016, one would expect the Dutch Implementation Act for the GDPR (the Implementation Act) to contain a similar obligation for the Authority to issue binding orders before imposing penalties. After all, the GDPR still contains many vague and open norms which create uncertainty for organisations trying to comply with the GDPR in good faith, and the GDPR does not explicitly contain an option for a binding order.
At the time this article was written, the Dutch Implementation Act had not yet been finalised. However, the main preparatory steps (including the advice of the Authority and the Council of State) have already been taken.
In the preparatory phase, the Authority took the position that the GDPR does not leave room for an obligation for the Authority to first issue a warning or binding order before imposing a penalty. The Council of State did not agree with this. It was of the opinion that the binding order could be included in the Implementation Act without breaching the GDPR. In that regard it referred to Article 83(8) of the GDPR, which states that the exercise by the supervisory authority of its powers shall be subject to appropriate procedural safeguards in accordance with EU and member state law.
The legislative proposal, however, did not follow the Council of State's advice, and as a result the current proposal for the Implementation Act does not contain the binding order. The Secretary of State did, however, emphasise on behalf of the government that imposing a penalty without previous notice may be in contravention of principles of proper administration in the case of open norms on which the supervisory authorities have not yet provided sufficient clarity.
The most recent step in the legislative process has been the publication of a report of the committee for Justice and Security. This report contains various critical notes from different political parties on the possibility for the Authority to impose penalties without a binding order. It will therefore be interesting to see how this debate develops.
Conclusion
The last word has yet to be said about a higher threshold for penalties as a result of obligatory binding orders in the Implementation Act. If the proposal for the Implementation Act remains unchanged, the Authority will no longer have the obligation to first issue binding orders before imposing administrative penalties. However, based on current practice and the background of the Implementation Act, we expect that the Authority in the Netherlands will exercise restraint where it finds a breach of the law, provided that the organisation in question can show that it acted on the basis of a good faith interpretation of open norms in data protection law. Undoubtedly, however, the Dutch Authority will be influenced by the approach taken in other EU member states after 25 May 2018.
If you have any questions about this subject, please do not hesitate to contact Martin Hemmer.