PONT Data&Privacy

AP loses summary proceedings against IT service provider of Leaseweb

Last year, hosting platform Leaseweb fell victim to a hack that may have involved a data breach. When the AP received no information from Leaseweb, it demanded the data from Leaseweb's IT service provider. In summary proceedings, the AP lost the case.

16 April 2024

In summary proceedings (1), cybersecurity firm Northwave has won a victory against the Autoriteit Persoonsgegevens (AP). The interim relief judge ruled that the AP was not entitled to order Northwave to provide information regarding a data breach investigation of one of its clients, a hosting provider that was the victim of a cyber attack last summer. The judge suspended the order for periodic penalty payments imposed on Northwave until two weeks after the decision on appeal, pending further review.

This case revolved around the fundamental question of whether the AP has the ability to demand information from a third party, such as Northwave, that is not directly the subject of the investigation but provides services to the entity under investigation. The incident in question occurred last year, when the hosting provider engaged Northwave to respond to and recover from a cyberattack.

The AP, seeking more information about the incident, was not satisfied with the hosting provider's responses and decided to approach Northwave with a demand for information, despite the fact that Northwave was not the primary focus of the investigation. This decision met with resistance from Northwave.

Cees Plaizier, attorney at Northwave, explained the judge's decision on LinkedIn (2): "The interim relief judge was clear in his opinion that the Autoriteit Persoonsgegevens should have first approached the hosting provider, as is also indicated in the General Data Protection Regulation (AVG) and the AVG Implementation Act (UAVG). The fact that the AP did not first use all possible means to obtain the information from the hosting provider, such as an order under penalty or an on-site investigation, is inexplicable, according to the court."

Plaizier further emphasized the importance of this ruling for the cybersecurity industry: "Cybersecurity companies like Northwave play a crucial role in the fight against cybercrime in the Netherlands. It is vital that these organizations can do their work without unnecessary interference from regulators. This decision supports the position that regulators should focus on the entities under their direct supervision, not the service providers that assist them."

The ruling of the preliminary injunction court is preliminary in nature and is not binding for any subsequent proceedings. However, it sets a clear precedent on how the AP should exercise its supervisory powers, particularly in the context of cybersecurity incidents and data breaches.

(1) https://uitspraken.rechtspraak.nl/details?id=ECLI:NL:RBMNE:2024:1804

(2) https://www.linkedin.com/feed/update/urn:li:activity:7183068391102947328/
