Answers Parliamentary questions on report that most Dutch companies fail to comply with privacy laws

Law Minister Dekker answers questions from Member Kathmann (PvdA) on the report that most Dutch companies do not comply with privacy laws.

11 June 2021

House item: chamber question

Question 1

Are you familiar with the article "Majority of Dutch companies do not yet comply with privacy law after three years"? 1)

Answer to question 1

Yes.

Question 2

What do you think about the fact that costs and efforts to comply with the AVG legislation will fall entirely on the shoulders of European companies, while they rely heavily on non-European tech giants?

Answer to question 2

The costs and efforts of complying with the requirements of the General Data Protection Regulation (AVG) are not entirely on the plate of European companies. Where appropriate, the AVG can also apply directly to non-EU-based companies. (1) The AVG has a system in which there is a 'processing controller' that determines the purpose and means of data processing. In addition, there is the 'processor', which is engaged by the controller to process data. This processor also has obligations under Article 28 AVG.

Pursuant to Article 28(1), the controller may only use processors that provide sufficient guarantees that the processing complies with the AVG. Paragraph 3 of the same article further provides that an agreement shall be drawn up between the two parties setting out the obligations of the processor, known in practice as the 'processor agreement'. This lays down, among other things, what instructions the processor is given to process the data, what security measures must be taken and how the rights of data subjects are given effect. If, contrary to the AVG, a processor itself determines the purposes and means of processing, then that party itself should be considered a data controller. (2) All in all, then, the AVG has a system in which responsibilities and obligations are divided among the parties involved.

Question 3

Do you agree with the observation that Dutch companies have too poor a bargaining position against U.S. tech giants when it comes to implementing AVG measures? If not, why not?

Answer to question 3

As outlined in response to Question 2, in the processor agreement, parties lay down the manner in which data are processed and what requirements are observed in doing so. The processor agreement must therefore be tailored to the processing that the processor performs on behalf of the controller.

Thus, the agreement may differ for each processing operation performed on behalf of the data controller. Although this makes a general inference about bargaining power difficult, it does go to the heart of the problem facing many Dutch cloud service customers. The supplier's standard contract does not always provide the customer with the guarantees it needs under Article 28(1). Some services are provided by a small number of large players who are not always willing to adapt the individual contract to the needs of the customer. A further disadvantage for the customer is that it sometimes requires a lot of resources to ascertain exactly how the processor's service is structured and what contractual provisions are therefore needed. If it is then concluded that the supplier is not a suitable processor because it does not offer sufficient guarantees and is unwilling to change this, it is very questionable, given the limited number of suppliers, whether a suitable alternative is available. As the FD article also points out, the government did succeed in enforcing AVG customization in relation to a cloud services provider. The article rightly points out that companies are not in the same good negotiating position in every case and thus cannot always enforce it.

Question 4

Do you share the opinion of the CIO Platform that the legislator calls for granting access to the European market only if software companies comply with AVG requirements? If not, why not?

Answer to question 4

Parties based in the EU that process data must comply with the requirements of the AVG. Where appropriate, parties not established in the EU may also fall within the scope of the AVG. (3) If they violate the AVG as controllers or processors, regulators can take enforcement action against them. Software companies that do not act in accordance with the AVG can thus already be dealt with.

In some cases, however, the supplier may offer the service in an AVG-compliant manner, but an organization wishing to acquire the service may not be able to use it in an AVG-compliant manner. This can occur in situations where suppliers also want to process data for other purposes. This is sometimes also part of their revenue model. As long as the supplier is transparent about these purposes and the supplier itself has a legitimate basis for processing, the service can be AVG-compliant. For example, consent can be requested from the individual consumer, which this data subject is free to give or not. However, using this service as a larger organization (e.g. a company) may then be problematic if the supplier's 'own' purposes do not match the purposes for which the data were collected. It will therefore have to be considered on a case-by-case basis whether a service can be legitimately deployed. It is therefore not possible in all cases to determine whether software meets the AVG requirements when entering the European market.

Question 5

Do you share the opinion of Ronald Verbeek, director of the Platform, that not the user of software but the developer should be responsible for implementing AVG requirements? If so, what do you think about the fact that users of non-secure software can be fined 20 million euros or 4% of their annual turnover? If not, why not?

Answer to question 5

As indicated in the answer to question 2, the AVG provides its own system for the division of responsibilities when processing personal data. This division may change according to the actions of the parties involved: if the processor starts to behave as the party that independently determines that it will process data, then this party should be addressed as the data controller. The basis of this system, however, is that the party that processes citizens' data and determines what happens to it remains in principle responsible - and thus accountable - for the processing. After all, the controller chooses to work with a particular processor and makes agreements with that processor. I think this system is right, because otherwise citizens lose control over their data. It is ultimately up to the Autoriteit Persoonsgegevens to determine against which party or parties it takes enforcement action.

Question 6

Do you agree that the Dutch government should do more to get tech giants to implement AVG guidelines in order to help Dutch companies protect personal data in this way? If so, what will you do? If not, why not?

Answer to question 6

As indicated in response to question 4, the issue of compliance with the requirements of the AVG should be viewed with nuance. It is too simplistic to state that cloud service providers would not comply with the AVG, or would not want to enable their customers to comply with the AVG. However, in answer to question 3 I did indicate that I also see that it can be difficult and costly for smaller companies in particular to ascertain exactly how the service of a potential processor functions in order to subsequently enforce modified conditions in order to be able to purchase the service.

The Dutch government has resources at its disposal to conduct solid research into the operation of certain software packages, for example by conducting a Data Protection Impact Assessment (DPIA), in order to map out how the processing agreement should be shaped on that basis. An example of this concerns the DPIA conducted by Strategic Supplier Management Rijk (SLM Rijk) on Google G Suite Enterprise about which your House was informed by the Minister of Justice and Security. (4) This DPIA was submitted to the Autoriteit Persoonsgegevens because residual risks were identified by SLM Rijk. The AP will issue a written opinion on this shortly. Possibilities are currently being explored to broaden this approach to the other strategic suppliers of the Rijksoverheid. The systematic assessment of such software packages by the government and the AP will provide clarity on the extent to which use is possible within the boundaries of the AVG.

I expect suppliers to take any identified risks seriously and to work with the Dutch government to address them jointly. It is important to emphasize that in this case there is thus no question of jointly working on or developing software packages. It is therefore correct that the government is not the 'owner' of the software. However, governments and private parties may benefit in the future from the work done for these DPIAs and from any modifications made to contracts as a result. That is why the government shares its knowledge, insights and experiences wherever possible, for example by publishing the aforementioned DPIAs.

Furthermore, the Cabinet is also committed to European cooperation to jointly boost the quality and quantity of cloud services offered. In late 2020, the Cabinet signed a declaration for a European 'cloud federation' initiative, through which member states have committed themselves to jointly work on and invest in European connected data and cloud infrastructures. (5) In addition, there is the GAIA-X initiative to connect and enrich existing cloud offerings by developing standards based on European regulations. TNO is also working on setting up a Dutch GAIA-X hub, where joint use cases can be developed.

The Online Trust Coalition (OTC) is also working on this issue in a European public-private context, addressing both the perspective of the provider and that of the customer. The OTC is committed to developing unambiguous, efficient methods by which providers of cloud services can demonstrate that their services are trustworthy and secure, and which will provide customers with the desired clarity in complying with relevant laws and regulations, such as the AVG.

Footnotes:

1) Financieele Dagblad, April 6, 2021, "Majority of Dutch companies fail to comply with privacy law after three years," https://fd.nl/economiepolitiek/1379255/meerderheid-nederlandse-bedrijven-voldoet-na-drie-jaar-nogniet-aan-privacywet

(1) Article 3(2) General Data Protection Regulation (AVG).

(2) Article 28(10) AVG.

(3) Article 3(2) AVG.

(4) Parliamentary Papers II, 2020/21, 26643/32761, no. 747

(5) Declaration 'Building the next generation cloud for businesses and the public sector in the EU', available at: https://digital-strategy.ec.europa.eu/en/news/towards-nextgeneration-cloud-europe