The Dutch implementing law to the AVG states that the Autoriteit Persoonsgegevens Authority must take into account the needs of small, medium and micro enterprises. Further analysis reveals that these are an awful lot of enterprises. All those enterprises thus seem to have an additional argument in procedures.
Author: Mark Jansen, Dirkzwager
A small step back in time. The final text of the AVG had been published on May 4, 2016. Just before that, it became clear that the AVG would come into effect on May 25, 2018.
Nevertheless, the corresponding implementing law took some time to be finalized. The draft text of the UAVG first became available on December 14, 2017, just over 5 months before the deadline. That same day, the minister sent a letter to both the House of Representatives and the Senate asking them to expedite their consideration.
Two months later, the government came up with a bill of amendment. In addition, only 4 motions and 2 amendments were passed in the House of Representatives.
The Senate was presented with the bill on March 14, 2018, and concluded on April 24, 2018, that consideration of the bill was adequately prepared . On May 15, 2018, the bill was then disposed of as a hammer piece. Just one day later, the bill was signed and published and its entry into force was announced.
The debate on the UAVG in Parliament - partly because of this rush - has been quite limited. In fact, the substantive debate has been pushed forward.
The Koopmans motion, which was adopted, called for, among other things, an evaluation after six months and - where necessary - additional or updated rules on at least some of the subjects specifically mentioned. The recent evaluation in fact states that further consultation or further research is required on all the more 'exciting' topics. So for now, no substantive changes are to be expected.
It is notable that in all the rush, and all the attempts to push the debate forward, one amendment (amendment) did make it, namely Amendment No. 15 by Van der Staaij.
The amendment is very beautiful in its simplicity. Van der Staaij is actually doing nothing more than making an optional text from the recitals of the AVG, into a mandatory text in the UAVG.
Indeed, the preamble to the AVG in margin number 13 reads as follows:
"Furthermore, Union institutions, bodies, offices and agencies, and Member States and their supervisory authorities are encouraged to take into account the specific needs of micro, small and medium-sized enterprises when applying this Regulation. The definition of micro, small and medium-sized enterprises should be taken from Article 2 of the Annex to Commission Recommendation 2003/361/EC."
Van der Staaij takes this text to heart and turns it into an article of law as follows:
"In applying the Regulation, the Autoriteit persoonsgegevens Authority shall take into account the specific needs of micro, small and medium-sized enterprises as referred to in Article 2 of the Annex to Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises (OJEU 2003 L124)."
Thus, where the AVG "encourages" institutions to consider the needs of micro, small and medium-sized enterprises, the UAVG now mandates this to the Autoriteit Persoonsgegevens (AP).
In his explanation, Van der Staaij stressed, among other things, that the amendment is intended to avoid administrative burdens and that without it, there is a high risk that"organizations and companies will have to deal with increasingly far-reaching obligations."
The amendment passed unanimously at the time.
This naturally begs the question: who does this benefit? Remarkably, the simple answer is: lots of entrepreneurs.
The definition of micro, small and medium-sized enterprises is laid down in an annex to a European decision. The decision is quite nuanced, as it totally elaborates what exactly constitutes an active person and which other (group) companies you all have to take into account. It goes a bit far for the blog to take all that nuance into account.
At its core, however, it boils down to the following:
Today, when I request figures from CBS on the number of companies and their company size, the following figures emerge:
That means there are (only) (1,792,145 minus 1,788,915 =) 3,230 companies with more than 250 employees. So the remaining 1,788,915 companies (!) are covered by Article 2a UAVG, unless their turnover exceeds the thresholds for that purpose.
Whether the definition of "employed person" at CBS is entirely the same as that of the European decision, I have not investigated and will leave for now. It is possible that this still leads to a slight shift in the numbers. However, that would not change the principle.
Thus, given the legal text, the Autoriteit Persoonsgegevens (AP) must consider the "specific needs" of those nearly 1.8 million business owners with fewer than 250 employees when applying the AVG.
Exactly what that means will have to be seen in practice. In my expectation, it will at least mean that the AP will give extra explicit reasons why it makes a particular decision affecting a company, given the specific needs of that company.
I am thinking primarily of decisions to take enforcement action against a particular company. It would seem that when taking enforcement action against the at most medium-sized companies, the AP will be particularly careful to justify why enforcement action is taken despite the (relatively) small size of the company. After all, the purpose of the amendment was to reduce administrative burdens for those companies. If the AP does not properly justify the decision on that point, it could "go under" for that reason alone.
Indeed, the argument"why don't you crack down on the bigger guys who do more or less the same thing?" could thereby become just as relevant in privacy law. After all, in privacy law it is in the law. This while this appeal to equality and anti-randomness generally does not apply in administrative law.
The rule could also affect decisions of more general scope by the Autoriteit Persoonsgegevens. For example, when approving a code of conduct that will only apply to small businesses, it would then be obvious to be less strict than for codes of conduct that could also apply to multinational companies. Or consider approving the processing of criminal data of, say, shoplifters by (an association of) all relatively small companies. If the AP does not take sufficient account of the specific interests involved, this is presumably an independent ground for appeal in such decisions as well.
Incidentally, of course, none of this does not alter the fact that under the General Administrative Law Act, the general principles of proper administration, the EU Charter and the legal principles accepted in EU law (such as the principle of proportionality and transparency of administration), among others, the AP will have to motivate why it is taking enforcement action and why its enforcement is proportionate, given (the seriousness of) the violated standard.
In short, it pays to check whether the AP is (sufficiently) taking into account your business size and the resulting specific needs. If you receive a letter or decision from the AP, or they are suddenly at your doorstep, check for this.
This article can also be found in the AVG file
