More fines for privacy violations, data leaks

The Dutch Data Protection Authority (CBP) may soon have the power to hand out higher fines and in more cases.

This is according to a letter that State Secretary Fred Teeven of Security and Justice and Minister Ronald Plasterk of Internal Affairs sent the Second Chamber. The Chamber still has to approve the proposed legislative amendment. If it is approved the CBP, which will continue as Authority for Personal Data, will have broader powers for handing out fines.

Currently the CBP can only fine businesses and government agencies if, for example, the requirement to report the processing of personal data is ignored. Under the new law the organization will be able to also impose fines if the data is not processed properly, if it is kept for longer than is necessary, if the security is not sufficient or if personal details are misused. The maximum fine is 20,250 euro in the lowest category and 810,000 euro in the highest category.

"This allows the CBP to more effectively take action against government agencies and companies that handle the information of citizens carelessly", said the Ministry of Security and Justice in a statement.

The legislative proposal also includes the obligation to report data leaks. Companies only need to report a data leak if it is a "serious" leak. If companies fail to report such an leak, they can be fined up to 810 thousand euros.

In a response to the legislative proposal, CBP announced that it has "serious questions" about the changes. This would not lead to "better compliance with the Data Protection Act".