2016 accounted for a real turning point in privacy legislation. In 2016, the mandatory requirement to report data breaches came into force, the General Data Protection Regulation (Algemene Verordening Gegevensbescherming, “AVG”) was adopted, the European Court of Justice ruled that Member States are not authorised to impose general retention requirements on (communication) data, and the EU-US Privacy Shield was agreed on. All this might seem very distant to you, but for many companies, these new rules come with new obligations. At Ovidius, a Taskforce Privacy Law conveys regularly to discuss the most recent developments regarding privacy law. Their insights are at your disposal on our dedicated webpage ‘Privacy law update‘. This article briefly touches on a number of relevant topics. Other news flashes elaborate further on these subjects.

Back to the basics: what is Privacy law?

The foundation of Dutch privacy law lies within several treaties and also within the Dutch Constitution. In short, these documents stipulate that everyone’s personal lives are to be respected, hence, one has a ‘right to privacy’. In 1995, the European Privacy Directive came into force. This directive required all Member States to incorporate rules into their national legislation to protect personal data. This Privacy directive was prompted by the developments in ICT which increasingly facilitated the exchange of data. In the Netherlands, the Privacy directive resulted (amongst others) in the Dutch Data Protection Act (Wet bescherming persoonsgegevens, “Wbp”). The Wbp is effective as of 1 September 2001. This law stipulates how companies, government and individuals should handle personal data. By law, this ‘handling of personal data’ is referred to as ‘processing personal data’. It includes automatic processing (digital files, applications, maps, etc.), but also non-automated processing (for example, files with customer data, contractual agreements or employee dossiers). Personal data is all information leading to the identification of a natural person. The most important provisions from the Wbp are summarised as follows:

• Personal data may only be processed in accordance with the law, and in a proper and diligent manner;
• Personal data may be collected for specified, explicitly pre-defined and legitimate objectives only. This data may, subsequently, also only be processed for purposes in consistence with those objectives;
• The individual whose personal data is processed (the “data subject”) should, at least be aware of the identity of the organisation or person processing the personal information (the “controller”), as well as to what purpose the data is processed;
• Personal data must be protected in an appropriate manner. Sensitive personal information, such as race, health and religion, is subject to even more stringent rules;

The Wbp was revised as recent as 1 January 2016. One of the most significant amendments relates to the national regulator, the Data Protection Authority (previously College bescherming persoonsgegevens, presently Autoriteit Persoonsgegevens, “DPA”). As of 1 January 2016, the DPA is authorised to impose fines on organisations that violate the Wbp.

1 January 2016: mandatory requirement to report data breaches effective

As of 1 January 2016, it is also mandatory to report data breaches. In the period prior to this, late 2015, the DPA published guidelines. Using these guidelines, organisations that process personal information can determine what constitutes a data breach and, if a breach does materialise, whether this data breach needs to be reported to the DPA (and potentially the data subject(s)). An organisation that unjustifiably omits to report such a breach, or does not report this in a timely manner, is at risk of a regulatory fine up to EUR 820.000, or 10% of the organisation’s annual turn-over. Consequently, it is important for an organisation to implement measures to prevent data breaches, as well as measures to comply with the requirement to report data breaches. Read more on data breaches in our previous newsflash.

25 May 2016: the European Privacy Regulation effective

On 25 May 2016, the General Data Protection Regulation (Algemene Verordening Gegevensbescherming, “Privacy Regulation”) came into effect. As of 25 May 2018, this directive substitutes the aforementioned Privacy Directive. Consequently, companies have until then to adapt their operations in line with this Privacy Regulation. More information provided by Ovidius on the Privacy Regulation can be found here.

1 August 2016: EU-US Privacy Shield into effect

According to the Privacy Directive, personal data may only be transferred to countries outside of the EU if the country in question offers ‘an adequate level of protection’ of personal data; this means that countries that have not implemented the Privacy Directive into their national legislation, must be able to ensure that the level of protection of personal data offered is at least at the same level as within the EU. The level of protection offered by the United States is considered inadequate. Therefore, in 2000, the European Commission and the American government formally agreed to the ‘Safe Harbour principles’. This scheme enabled American companies to comply with the directive through self-certification, whereby, consequently, they did offer an adequate level of protection. On 6 October 2015, the European Court of Justice put an end to the Safe Harbour pact. In the case Schrems vs Facebook, the Court ruled that data transfer to the United States exclusively based on Safe Harbour was no longer in accordance with the Privacy Directive. Subsequently, the European Commission and the United States renewed their negotiations to establish a new and safe process to transfer personal data to the United States. On 12 July 2016, the European Union and the United States came to a framework agreement providing the transfer of data to the United States with a (temporary) legal foundation: the EU-U.S. Privacy Shield. This framework, again, is criticised substantially, and was already under severe attacks shortly after it came into effect. For more information on the Privacy Shield and other ways to transfer data to the United States (or another country outside of the European Union) we kindly refer you to our newsflash.

12 December 2016: end of directive on retention requirements of communication data

In Europe, until 8 April 2014, a directive on the retention of communication data was effective. In a ruling in a case filed by Digital Rights Ireland, the European Court of Justice declared this directive invalid. Despite the invalidness of the directive, national legislation on retention requirements remained in effect, also in the Netherlands. In the Netherlands, the court of law in The Hague suspended the Telecommunications Data Retention Act (Wet bewaarplicht telecommunicatiegegevens) on 11 March 2015. As of then, work commenced to amend this law. On 13 September 2016, the Ministry of Security and Justice submitted a legislative proposal to the Tweede Kamer (House of Representatives) to that extent. Due to preliminary questions from Sweden and the United Kingdom, the European Court of Justice considered if national legislation requiring telecommunication service providers to retain electronic communications, is compatible with European Law. The ruling on 21 December 2016 concludes that national legislation providing for general and indiscriminate retention of electronic communications, is in violation of the right to privacy.

What can Ovidius do for you?

The new and ever changing legislation on privacy not only requires companies to scrutinize their contracts with third parties, but also to implement all necessary amendments to their own business operations. This may vary from drawing up a privacy statement for your corporate website, to implementing a protocol to report data breaches. Ovidius will gladly help you with advice and in legal proceedings. Ovidius has, for example, expertise in:

• Providing advice on relevant rules and regulations on the protection of personal data;
• Verifying if your organisation complies with privacy rules and regulations;
• Drafting a privacy policy for your organisation;
• Helping you to come to proper (contractual) agreements on the protection and processing of personal information with your business partners and any third parties you may enlist;
• Advising on international data transfers (for example, with suppliers, or within your global organisation);
• Drafting a privacy disclaimer or cookie policy;
• Drafting a protocol for camera surveillance in the office;
• Drafting a protocol for (supervising) the usage of internet and email;
• Drafting a protocol for data breaches;
• Drafting a consent form to process personal data of your employees;
• Advising on requests to provide data to beneficiaries or to judicial departments;
• Advising on privacy related matters when developing new products or services; and
• Providing legal support in legal proceedings arising from a dispute with a data subject (such as a customer or employee), or in case the Data Protection Authority enforces its authority.