The Netherlands: New Rules for Cookies, Data Breaches and Fines
- New rules on cookies
The most significant change is the introduction of a lighter regime for cookies that (a) are used to gather information on the quality and effectiveness of a requested service; and (b) have little or no effect on the privacy of the user of the service. Both conditions must be met. For these cookies (e.g. analytics cookies, affiliate cookies and A/B testing cookies), the standard obligations for cookies (informing the user and obtaining consent) no longer apply.
For tracking cookies or similar technologies, the duty to inform individuals and to request consent remains in effect. The new rules state that ‘the placing of cookies for the purpose of collecting, combining or analyzing information about the use of various services of the information society’ (for example, for profiling or targeted advertising) is presumed to constitute processing of personal data subject to the Dutch Data Protection Act (Act). The presumption is rebuttable, but the burden lies with the company: when using tracking cookies for these purposes it should comply with the Act unless it can demonstrate that it does not process personal data.
In accordance with the Act, the informed consent of the user is required before personal data is processed. Consequently, tracking cookies may not be placed on a device unless the user has performed a positive act of consent (e.g. clicking ‘Yes’ or ‘I agree’); continued browsing or a pre-ticked box does not amount to such an act.
It is important to note that the Dutch Data Protection Authority (DPA) has indicated that its priorities for this year include investigating companies involved in profiling, tracking and tracing of internet users. The Authority for Consumers and Markets has also indicated that it will actively enforce the new cookie rules. Companies processing personal data in these priority areas therefore run a higher risk of scrutiny and of becoming subject to enforcement action, and compliance with the new cookie rules warrants immediate attention.
- Mandatory Data Breach Notification
The Dutch Second Chamber has approved a draft bill introducing a mandatory data breach notification rule requiring data controllers to notify the DPA immediately of any security breach that has, or is likely to have, severe negative effects on the protection of personal data. In addition, an individual whose personal data may have been compromised must be notified if the breach is expected to have a negative effect on that individual’s privacy (although the draft bill refers to both ‘severe negative effects’ and ‘negative effects’, we consider that in practice these are likely to amount to the same standard). Moreover, companies should have an action plan for responding to data security breaches and should maintain a data breach register recording all breaches they experience, whether or not they were notified. Failure to comply with the notification obligations can lead to fines of up to €810,000 (approx. USD 908,295).
The bill does not specify the situations in which, or give examples of when, a breach has ‘negative effects’ on the protection of personal data. The DPA is expected to issue guidance on this in due course. Until then, and once the bill becomes law, data controllers should determine whether a breach has ‘negative effects’ by considering the nature and scope of the breach (the categories of data involved, the number of individuals affected and what a recipient could do with the data). In all likelihood, a reasonable belief by the data controller that the breach has negative effects on the protection of personal data (which effectively means a negative effect on the privacy of the individual(s) affected) will trigger the obligation to notify.
Affected individuals should be notified of (i) the nature of the breach, (ii) information or measures to mitigate the negative effects of the breach, and (iii) a point of contact for further information about the breach. The DPA should receive the same information plus information about the technical details and background of the breach. The controller should explicitly inform the DPA if any of this information is confidential.
An important exception to the notification obligation relates to data that is unintelligible to third parties, for example because it is encrypted. If data has been securely encrypted, there is no requirement to notify the individuals affected. The exception turns on the data actually being unintelligible to whoever obtained it, so a controller relying on it should be able to show that the encryption was sound and that the keys were not exposed in the same incident. In any event, the obligation to notify the DPA remains.
Companies using data processors should take the data breach notification obligation into account in their data processing agreements. Because the controller itself must notify the DPA immediately, the data processor should, at a minimum, be under a contractual obligation to notify the company immediately of any data security breach that is likely to have severe negative effects on the privacy of the individuals whose data it processes, and to provide the technical details the company will need to pass on to the DPA.
- Increased fines and strengthening the DPA’s investigative powers
To increase the DPA’s powers, the proposed new rules enable the DPA to impose fines of up to €810,000 on companies that do not comply with the Act or that do not cooperate with the DPA’s investigations. This is an enormous boost to the DPA’s powers: previously it could only issue orders backed by a (minimal) periodic penalty payment. Companies may be exposed to these new powers if, for example, the DPA finds that a company has not obtained informed consent before using tracking cookies, or has not properly notified the DPA of a data breach.
An important qualification to the DPA’s power to impose a fine of up to €810,000 is that the DPA must first serve the data controller with a ‘binding instruction’ granting the company in breach a period of time to make the changes needed to become compliant. Only if the company fails to make those changes in time may the DPA impose the fine.