This week marks the third anniversary of the enactment of the General Data Protection Regulation ("AVG"). A good time, then, to take stock of the current state of affairs and specifically consider some of the hot topics that have continued to occupy minds since then.
One of these is the Dutch government's so-called "data hunger." This continues to grow, fueled in part by the current Covid-19 pandemic. Examples include tracking individuals in public spaces (via Wi-Fi or Bluetooth), use of biometrics to combat identity and document fraud, and the use of algorithms to detect certain abuses.
Another example was denounced last week by Research Group Cybersafety of the Thorbecke Academy of NHL Stenden Hogeschool. (1) Dutch municipalities appear to be using online resources to monitor citizens. By monitoring Facebook groups, Twitter profiles and other social media, they wanted to gain insight into possible disturbances, such as riots and demonstrations, and into benefit fraud by citizens. Fake accounts were even used for this purpose. (2) The report drawn up by the research group showed that municipalities still do not know what is and is not allowed when monitoring citizens online. This is despite the fact that the Personal Data Authority ("AP") has clearly stated since November 27, 2019 that in the case of (surreptitious) monitoring and fraud prevention, the performance of a Data Protection Impact Assessment ("DPIA"), on the basis of which potential privacy risks and necessary mitigating measures can be determined, is mandatory. (3)
Similarly, the perils surrounding the development of the CoronaMelder app, in which the government had to jump through several hoops to make it comply with the rules from the AVG (4), show that the government is struggling to implement solutions that contribute to the public interest, such as protecting public safety, on the one hand, while limiting the infringement of citizens' privacy rights as much as possible on the other.
The AP's limitation in budget and manpower also remains a thorny issue. Whereas in 2018 the AP still emphasized education about the new AVG, the focus in 2019 quickly shifted to enforcement. (5) Although the AP imposed a total of 11 fines in recent years, including six (!) in 2021, the most substantial privacy violations do not seem to be addressed. Consider, for example, unlawful transfers of personal data to organizations outside the European Economic Area, such as in the United States, as a result of the Schrems II judgment of the Court of Justice (EU). (6) It is notable in this regard that many of the AP's enforcement actions take place in the context of a data breach that was not reported or not reported in time. Despite the fact that the AP seems in the meantime to have settled well into its role of enforcer, I cannot escape the impression that these enforcement actions so far concern mainly low-hanging fruit.
Due to a lack of budget and staff, the AP is limited in its enforcement. In early 2021, the House of Representatives expressed to the outgoing cabinet the need to create more capacity for the AP. (7) The goal of this is not only to increase the chances of catching violators, but also to give the AP more room to provide education. At present, many organizations are not yet (sufficiently) aware that a given act is a violation of the law. This is evidenced by the monitoring actions of municipalities mentioned above. In this context, the AP sent a position paper to the informateur of the new cabinet on May 19, 2021, with the aim of having a proposal for increasing the AP's budget included in the Spring Memorandum 2021. In doing so, the AP indicated that it considers a budget of EUR 100 million necessary (a tripling of the current 2021 budget of EUR 24.6 million). This would be in line with the budgets currently being made available to other regulators, such as the AFM and De Nederlandsche Bank.
The above shows that the application and enforcement of the AVG since its entry into force on May 25, 2018 are still not without controversy in practice. I expect that this will be no different in the coming years and that, also from other angles, new tensions will continue to arise between the right to protection of privacy and personal data of individuals on the one hand and the desire to implement (technical) solutions on the other. Hopefully by then the budget and capacity of the AP will have increased significantly, so that through more information these tensions can be prevented as much as possible in advance, or that they can and will be better enforced.
(2) https://www.nrc.nl/nieuws/2021/05/16/ambtenaren-willen-meer-dan-mag-a4043770
(3) Personal Data Authority, Decision on List of Personal Data Processing Operations Requiring a Data Protection Impact Assessment (DPIA), Nov. 27, 2019.
(4) AP, Investigative report on source and contact detection apps, April 20, 2020.
(5) https://autoriteitpersoonsgegevens.nl/nl/nieuws/jaarverslag-ap-2019-meer-focus-op-handhaving
(6) Court of Justice (EU), July 16, 2020, C-311/18 (Schrems II).