Last month, a large majority of the House of Representatives voted in favor of a motion to allow the Personal Data Authority (AP) to grow substantially in the coming years.(1) Whereas the AP currently has to make do with 184 full-time employees, from 2022 this number would increase to eventually 470 employees. The motion was introduced during a debate on the GGD data breach, which once again highlighted the role of AP.
In 2020, the AP was able to investigate only 0.04% of privacy complaints and 0.3% of reported data breaches. According to Lower House member and petitioner Hijink, it is therefore crystal clear: the authority simply does not currently have the resources to do its job properly. Hijink bases this on an independent study that KPMG recently conducted on behalf of the AP and the Ministry of Justice and Security. The study examined exactly what tasks the AP must perform and how many financial resources are needed to do so. The report made no bones about it: for effective task performance, the annual budget will have to increase from €21 million to more than €66 million.
Despite the conclusion of this report, Minister Dekker initially reacted cautiously. Late last year, for example, he wrote in a letter to the House that, as far as he was concerned, the numerical results were too much of an estimate and gave too wide a range to be able to attach any financial consequences to them. Also during the parliamentary debate, the motion could not count on his support. According to Dekker, more and more money has gone to the AP in recent years. Moreover, he felt that this discussion should really only be held during the next budget round. The minister had to "certainly advise against" the motion in this form, but this advice was waved away by 79 MPs voting in favor.
More manpower and budget. Between 2016 and 2020, staffing did indeed grow 158%, and the budget also increased 130%. Good news to begin with, but the complaint that the AP is not yet operating at full strength has been around for much longer.
KPMG was not the first to launch a study. For example, in 2017 - when the AVG was still imminent - consulting firm AEF examined what capacity AP would need in light of that new legislation. AEF calculated with an assumption of up to 10,000 data breach notifications per year, while in 2018 this number would already be more than double. Needless to say, the scope was difficult to estimate at that time, but even in that scenario, the required budget was estimated at €19.6 to €29.4 million per year.
This was followed by a final report by Klaas Dijkhoff, the then State Secretary of Security and Justice. It showed that the AP was already under pressure even before the introduction of the AVG. This was mainly related to the data breach notification obligation, which went into effect on Jan. 1, 2016. Furthermore, the AP would need at least 185 full-time employees to enforce the AVG. At the end of 2018, AP had 157 employees; in addition, Minister Dekker decided to grant the AP a budget of €18.5 million. starting in 2019.
Solid staff growth would be a welcome step in the right direction. But note that a motion only includes a wish addressed to the Cabinet by the House of Representatives. In theory, therefore, the minister could still disregard this motion. It is also worth noting that AP has been struggling with a structural shortage of capacity in recent years. In an interview with Trouw, AP board chairman Aleid Wolfsen says that this shortage has led to 'laughable backlogs'.(2) Should the government comply with the motion, this does not mean that all problems will be solved.
Footnotes
(1) https://www.privacy-web.nl/nieuws/kamerbrief-over-uitvoering-motie-hijink-over-het-budget-van-de-autoriteit-persoonsgegevens
(2) https://www.trouw.nl/binnenland/aleid-wolfsen-gestolen-data-zijn-veel-erger-dan-een-gestolen-fiets~b5aeaa91/
Do you want to be fully up to date with the latest developments in privacy law? Then follow the 'Current affairs course AVG'.
Nearly three years after the General Data Protection Regulation (AVG) actually became applicable, it is gradually becoming clear how further details will be given to the mostly open standards in the AVG and the AVG Implementation Act (UAVG).
On April 6, 2021 , privacy specialist Thomas van Essen of SOLV Advocaten will use case law, the opinions and decisions of the AP and opinions and guidelines of the European Data Protection Board (EDPB) to give an idea of how these standards work in practice.
Click here to learn more about the "AVG Actuality Course.
Click here for more articles from SOLV Lawyers.
