Starting January 1 the Dutch privacy law finally gets teeth: causing a data breach (or failing to report one) can draw a fine of up to 800.000 Euros per incident. And not just data breaches: virtually all violations of privacy law are now tied to fines. This includes processing data without permission (or another legal ground) and failing to inform persons about how their personal data is processed. With this new law, the privacy game suddenly became a lot more serious.
A data breach is not just a large-scale break-in where thousands of personal records are stolen by foreign hackers. The law defines any loss or unlawful processing as a “data breach” if some form of security is breached or circumvented.
Some people have argued that there would be no data breach if you have no security at all. After all, what’s there to breach if there is nothing? But that won’t fly: the law also imposes this fine on not having adequate data security in place.
Examples of what would constitute data breaches:
- A messaging board that allows users to read each others’ messages by manipulating the URL.
- A web shop that receives customer data through an unsecured channel – SSL must be used.
- A company where any employee can access all customer records, regardless of need to know.
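The first example above, the message board that hands out other users' messages when the id in the URL is changed, comes down to a lookup that never asks who is requesting. The snippet below is an added illustration, not code from the original post: a vulnerable lookup beside one that checks the requester against the message's sender and recipient. The user names, message store and `Forbidden` error are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    msg_id: int
    sender: str
    recipient: str
    body: str


# Constructed sample data standing in for the board's database.
MESSAGES = {
    1: Message(1, "alice", "bob", "invoice attached"),
    2: Message(2, "carol", "dave", "medical appointment moved"),
}


class Forbidden(Exception):
    """Raised when the requesting user may not read the message."""


def get_message_vulnerable(requester: str, msg_id: int) -> Message:
    # Looks up purely by the id taken from the URL. The requester is ignored,
    # so changing the id in the URL returns someone else's message: this is
    # the data breach the post describes.
    return MESSAGES[msg_id]


def get_message_checked(requester: str, msg_id: int) -> Message:
    # Same lookup, followed by an ownership check before anything is returned.
    msg = MESSAGES.get(msg_id)
    # Report "missing" and "not yours" identically, so the response does not
    # reveal which message ids exist.
    if msg is None or requester not in (msg.sender, msg.recipient):
        raise Forbidden(f"user {requester!r} may not read message {msg_id}")
    return msg


def can_read(requester: str, msg_id: int) -> bool:
    """Convenience wrapper: True if the checked lookup would succeed."""
    try:
        get_message_checked(requester, msg_id)
        return True
    except Forbidden:
        return False
```

The checked variant is the same single line of lookup plus one comparison; the difference between the two is exactly what separates "a user read their own message" from a reportable breach.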
In addition to fines for data breaches, there is also a requirement to report data breaches to the supervisory authority, and in many cases also to the persons affected. This requirement applies if the data breach has a serious chance of negatively affecting the persons involved, e.g. through identity theft or fraud. No reporting is required, however, if the data that was misappropriated was protected through encryption.
The ability to issue a fine is coupled to a requirement on the supervisory authority to first issue an order on how to improve security. Only if the order is not complied with can a fine be issued. However, a fine can be issued directly if the breach occurred through intentional misconduct or gross negligence.
The provisions on data breaches are going to be very important in the coming years. Europe is working on similar legislation, but this will not take effect until somewhere in 2017 at the earliest.