Enforcement of the GDPR

Introduction

As is generally known, the General Data Protection Regulation (GDPR) came into effect on 25 May 2018. This Regulation empowers the national data protection authorities to impose hefty fines (up to 20 million euro or 4% of the annual worldwide turnover). In addition, citizens can file a complaint with the national data protection authority.

 

Lack of strength

This change in regulation creates a great amount of work for the data protection authorities. At the same time, the capacity to implement the new legislation in the Netherlands is seriously doubted.

Although the organisation of the Dutch data protection authority grew from 72 employees to 123, the envisaged growth to 140 employees was not achieved.[1] Furthermore, a number of important people left the organisation. Moreover, there is reportedly a good deal of dissatisfaction within the organisation.[2] To mitigate and avoid further turbulence, the executive board will soon be extended with a third member.[3] As a consequence of all these circumstances, the national data protection authority is presumed to lack authority.

 

Differences in points of view between the Dutch Government and the Dutch data protection authority

Furthermore, the data protection authority's request for extra funding has been denied by the responsible Dutch Minister of Justice. The Minister has indicated that no extra money will be provided until “the dust settles”.[4]

Money, however, is certainly not the only subject of discussion between the Minister of Justice and the Dutch data protection authority. Shortly before the GDPR entered into force, the Minister of Justice reassured small and medium-sized enterprises that they need not fear immediate penalties if not GDPR-compliant: “If you are working on it, the Dutch data protection authority will not be knocking on your front door on the 26th.”[5]

All this was much to the displeasure of the Dutch data protection authority, which in response to this pronouncement made clear that not the Minister but only the authority is responsible for the enforcement of the legislation and that every organisation, big or small, needs to comply with the Regulation.[6]

 

Other European countries also inadequately prepared

The Netherlands is not the only European Member State where the ability of the data protection authority to respond effectively to violations of the GDPR is questioned.
According to a survey by the press agency Reuters, 17 of the 24 national authorities noted that they did not yet have sufficient financial resources, or at the time of entry into force did not have sufficient powers, to fully carry out the new Regulation. Most of the Member States still had to adjust their national laws. Only 5 of the 24 national authorities were able to confirm that they have both the sufficient financial resources and the assets to be able to act adequately.[7]
 

 
Dutch Insurance Industry at the forefront with new Privacy Code of Conduct

Dutch insurers and foreign insurers operating in the Netherlands, however, have in general taken significant measures in order to achieve a compliant operation.
In addition, the Dutch Association of Insurers, the sector organisation for the insurance industry, has also acted progressively by drawing up a new Privacy Code of Conduct, the so-called “Gedragscode Verwerking Persoonsgegevens Verzekeraars”, which is based on the GDPR and will be submitted for approval to all the affiliated insurers at the General Members' Meeting on 20 June 2018.
This Code of Conduct replaces the previous code, which was obsolete, partly in view of the new and advanced technologies in the use of personal data. In case of an affirmative vote by a majority of the Members, this Code of Conduct for insurers will acquire the status of binding self-regulation. Authorised brokers and intermediaries may also choose to commit to the Code of Conduct.
In the Code of Conduct the GDPR is translated into a set of concrete rules for the insurance industry. Important topics are the large-scale analysis of personal data by insurers for determining the premium, and the processing of personal data for the safety and integrity of the sector. The Code of Conduct has not yet been certified in the sense of art. 40 GDPR, because further detailed Directives of the European supervisors are still being prepared.

The implementation of the GDPR in the Netherlands has thus been approached at a sector-wide level. The scarce enforcement capacity of the Dutch data protection authority is therefore not expected to be primarily aimed at insurers. Or, as the Dutch data protection authority stated in an interview with the Dutch Association of Insurers: "I do not worry so much about insurers. I have the impression that the sector is well organized."
 

[1] “Privacy watchdog with big plans and tight budget”, De Volkskrant, 24 May 2018.

[2] “Unrest with privacy watchdog Authority Personal Data”, Het Financieele Dagblad and “Administrative disputes limit authority to the Personal Data Authority”, NOS, 25 May 2018.

[3] “Dekker is looking for third board member of the Authority for Personal Data”, Het Financieele Dagblad

[4] “Dekker: not immediately fine for football club due to new privacy law”, NOS, 24 May 2018.

[5] “Minister Dekker: Smaller organizations do not have to expect immediate penalties by AVG”, Algemeen Dagblad, 24 May 2018.

[6] “Minister speaks in turn about enforcement of privacy law”, Het Financieele Dagblad

[7] https://www.reuters.com/article/us-europe-privacy-analysis/european-regulators-were-not-ready-for-new-privacy-law-idUSKBN1I915X
 
15.06.2018 | Insurance Law Global