Privacy Advisor

THE NETHERLANDS—Dutch DPA Gets Power To Fine

December 12, 2013

By Jeroen Terstegge, CIPP/US

Dutch Data Protection Authority (CBP) Chairman Jacob Kohnstamm told the audience of the National Data Protection and Privacy Conference in Rotterdam on December 11 that his office will get the power to fine organizations in both the public- and the private-sector for violations of the Dutch Personal Data Protection Act (WBP).

The fine could be as high as 780,000 euros, or about U.S. $1 million, per violation.

Earlier, Secretary of State Fred Teeven of the Ministry of Security and Justice had informed Parliament that he was about to send a bill to the cabinet giving the Dutch DPA the power to issue “steep fines.” The bill, which was approved by the Dutch Cabinet December 6, is a change to another bill currently being discussed in the Second Chamber of the Dutch Parliament. The latter bill introduces a general data breach notification obligation in The Netherlands and gives the Dutch DPA the power to fine data controllers only for failure to notify the DPA about a breach.

As a result of the recent change, the data breach bill is expected to be put on hold in order to allow the Council of State, the official advisory body to the cabinet and Parliament, to advise on the new fining powers. As the council’s advice is not expected before March or April next year, both the obligation to notify data breaches and the fining power are likely to come into force only on January 1, 2015, according to Kohnstamm.

Jeroen H.J. Terstegge, CIPP/US, is executive director and owner of PrivaSense, a consultancy firm on strategy and policy development, compliance, risk management, communication and training with respect to privacy and protection of personal data.