Since the entry into force of the AVG in 2018, awareness of the risks of data-driven work has increased significantly at both smaller and larger municipalities. Privacy policies, DPIAs, procedures for dealing with data breaches have since become a regular part of municipal project routines, while privacy departments are increasingly welcoming new colleagues. But all is not rosy. Kenneth Sleijpen (Privacy Officer Municipality of The Hague) and Nasim Ahmadi (Department Manager Privacy Municipality of Amsterdam) explain how, despite the steps forward in recent years, municipalities still do not always find their way through the privacy maze.
Municipalities hold an enormous amount of personal data. With it, they can have a lot of impact on people, both in positive and negative ways. There are quite a few challenges for privacy teams within Dutch municipalities. With the introduction of the AVG and the first fines from the Autoriteit Persoonsgegevens , the average municipality is placing a strong emphasis on the importance of compliance. However, the back-end story is different.
Kenneth Sleijpen (The Hague) says: "When I look at the privacy policies of some municipalities, I still see 'last modified May 25, 2018' at the top. Indeed, you saw at the beginning that designing a privacy policy involved merely copying and pasting the AVG articles. However, a good policy should to some extent concretely demonstrate how you invest responsibility in different processes," he says. According to Sleijpen, the bridge between mere compliance and the reality of policy implementation can still be improved. "If you have a good privacy policy ready to go, how do you make sure that you always have a stick and that the executives within your organization carry it out properly? These kinds of questions need to come up more in privacy departments."
Ahmadi (Amsterdam) joins Sleijpen. The biggest hurdle in the first few years was getting administrators on board with the privacy story. "Directors have a lot on their plate, often complicated matters with various interests. Then they were also held responsible for data protection, in the broadest sense of the word. Due to unfamiliarity with the subject and because it was often labelled as very legal or very technical, it received little attention. If the person with final responsibility did not assume his role, it was very difficult to get our message across to the people implementing it." The comparison she gives is that of the mythological Cassandra, whose calls always went unheard.
While the two lawyers appreciate and applaud the growing awareness among municipal administrators, municipalities need to raise their level of maturity in terms of privacy. According to Ahmadi and Sleijpen, there is still a major misunderstanding about the role of the Privacy Officer, who is still mistakenly considered the person ultimately responsible for data protection. "However, this responsibility lies with the directors and everyone within the organization who works with data. The Privacy Officer is the one who must ensure that privacy is and remains on the agenda, that policies and frameworks are practical to implement and provide guidance in doing so. Of course, as a privacy expert, you cannot say, "I've given advice, now figure it out, good luck with that!" I see that we can make a big difference as privacy professionals by taking joint responsibility for privacy," Ahmadi said.
In addition to the AVG, municipalities must also comply with a large number of EU pieces of legislation on digitization. Starting in 2023, this already applies to the Data Governance Act, while the Data Act does not apply until 2025. And then there is also the AI Act that must come into effect, in addition to other cybersecurity regulations, such as the NIS2 Directive that organizations already have to comply with as of last year. Ahmadi and Sleijpen view with concern the amount of work expected of municipalities. "I think the initiatives are very important and very good but it has become a big pan of soup, with all kinds of things in it and being thrown decentrally over the fence - says Ahmadi. What complicates this situation is that a lot of things are still so unclear. That's where we lack cooperation between government agencies on these big files."
According to Sleijpen, compliance and policy in the digital domain becomes a matter of priorities. "Suppose that as an alderman I was working on the proper implementation of the NIS2 directive while in the meantime I see that thousands of people are denied benefits or that the neighborhoods in my city have become more unsafe, I would intuitively turn my attention to the latter issues. It feels kind of like a moving train that needs another wagon step by step while they are still working on the parts that were previously on their plate." This applies to both politicians and officials at the municipal level.
He continues: "What you see happening in practice is that even today municipalities are pulling their own plan. Often it happens by hiring external expertise that they keep to themselves at first. Only later on, when they start sharing their strategy with the other municipalities, they discover and realize that the rest were working on the same issue. The expectation is that on important topics like digital policy, some 'common ground' will be held, but unfortunately that is not always the case."
Both Ahmadi and Sleijpen worked at smaller municipalities in the past. If larger organizations are already struggling with this process, it is much more challenging for "the little ones." After all, they do not have the same budget, manpower and resources. So the two lawyers call on the ministries and the VNG, and especially the Autoriteit Persoonsgegevens (AP), to play a more active role. With larger municipalities, it is quite easy to keep the ministries and the privacy regulator in the loop, while this is not so obvious for the smaller parties. "With them the AP does not engage as much, in my opinion. The same goes for the Rijksoverheid. It is true that they did catch up with pilots also in smaller villages. Still, you do notice some reluctance, especially on the part of the AP, to raise their voice there a bit more."
Like Sleijpen, Ahmadi understands that the AP must adhere to its independent mandate and cannot be expected to offer quick advice on every issue. "But as a municipality, you are still curious how the regulator looks at your plans. Now that is often very backwards. We have to keep asking ourselves what the implications are for the smaller municipalities that face their own problems that are not necessarily on the agenda of the larger cities. How do we make sure they can also get the right attention and help?".
