During the National Privacy Conference on January 28, 2026, Bart Schellekens opened with a provocative question: can the Netherlands position itself as a privacy leader? In his lecture—and in the conversation that PONT | Data & Privacy had with him afterwards—he sketched a country that is at a tipping point. "I think we are doing very well in the Netherlands. I think a 'C+' is justified." But that doesn't mean there isn't still work to be done.
Schellekens, an IT lawyer working at the intersection of law and technology and employed by the Responsible Data Use Advisory Function (part of IBDS), prefers to talk about privacy maturity rather than just GDPR compliance. In compliance practice, maturity is often measured by ticking boxes: is there a data protection officer, is there a data breach policy, are processes being followed? But according to him, that says little about the actual quality of the considerations.
In his lecture, Schellekens warned against the risk of overregulation of the GDPR: "Everything seems to be personal data these days." According to him, the focus on personal data also distracts attention from the fact that there are many issues that the GDPR does not regulate. Privacy is, of course, much broader than data protection. The focus on the data of the data subject means that issues that transcend the individual are sometimes overlooked. For example, the ever-increasing power we see in big tech. Or the consequences of technology for our democracy."
One point Schellekens wanted to emphasize is what he calls the "DPIA drip." "You see that a lot of bureaucracy has arisen, which I also call the DPIA drip." By this he means an excessive compliance culture, in which the DPIA has become a formal obligation that must be ticked off, while the real discussion about risks and social consequences remains underexposed. According to Schellekens, this creates a "bipolar" situation in which an organization's employees are driven crazy by a bureaucratic GDPR mill, while on the other hand, projects with excessive risks are still being carried out.
"It becomes too much of a checklist, and then we actually stray from the intention of the legislation. A DPIA is really a means to an end, not an end in itself." This touches on a fundamental point: privacy protection is not about process documents, but about substantive choices about what we as a society find acceptable.
According to Schellekens, this is where the accountability problem lies. He says it is about actually taking responsibility. Too often, people think: we have done a DPIA, so that's that. Privacy is then 'managed away' in a bureaucratic vehicle, when in essence it should be about what measures actually mean for people.
This shift from content to procedure is also evident in public debate. During the conference, Schellekens referred to the contribution made by Rotterdam Ombudsman Marianne van den Anker. She argued that privacy should not be an obstacle. Schellekens nuances that view. He agrees with the call to broaden the discussion, but not with the implicit suggestion that privacy is the problem. The relevant legislation already takes the various interests and the balance between fundamental rights into account to a large extent.
He points to cases such as Clare's Law and the approach to femicide. Virtually everyone wants to prevent violence, but the question is how far the government can go in sharing information about (former) suspects. "This is a prime example of a discussion that should not only take place at the level of civil servants or in a DPIA, but at a higher social level: what do we as a society find acceptable?"
In other words, these kinds of fundamental considerations should not be fought out in a DPIA or exclusively within the civil service's policy development process. They belong at a higher social and political level. Privacy legislation provides scope for weighing up these interests, but this weighing up must be done explicitly. According to Schellekens, this is an important part of privacy maturity.
He also sees progress being made by the Autoriteit Persoonsgegevens AP). He notes that the AP is focusing more on guidance and dialogue, which he considers positive. At the same time, Schellekens is critical of enforcement incentives. If reporting a data breach increases the likelihood of further investigation, while non-reporting is hardly penalized, the question arises as to whether the right signals are being sent.
In addition, he advocates clear prioritization: focus most of the capacity on large-scale business models and structural privacy interference, rather than on smaller players. Only in this way can the original spirit of the GDPR—curbing concentrations of power and structural data abuses—be upheld.
Nevertheless, Schellekens remains largely optimistic. He sees initiatives such as the Dutch Privacy Awards as concrete proof that innovation and privacy protection can go hand in hand. "The Privacy Awards clearly demonstrate that it is possible to view the Netherlands as a leader in privacy."
According to him, Europe does not need to build a new Facebook or OpenAI if that means copying the same data-driven business models. The alternative is a product with a healthy revenue model that respects European values. "You have to create a good product with a working business model that respects the values we know in Europe."
These examples are still small-scale, but they show that it can be done. If the Netherlands succeeds in breaking through bureaucracy, bringing the debate to the right table, and linking innovation to fundamental rights, then 2026 will indeed mark the start of a new chapter.
In the final minutes of our conversation, Schellekens wanted to emphasize one more point: "Privacy should not be a party for lawyers." With this, he may have touched on the core of his argument. Privacy is not just about legislation, regulators, and DPIAs, but about social choices, technology, governance, and entrepreneurship. Only when lawyers, technicians, administrators, politicians, and citizens engage in dialogue together can the Netherlands truly become the privacy leader he advocated for during the conference.
