In both public and private organizations, there is a need to exchange data. For example, to tackle fraud and undermining. Based on privacy regulations (e.g. the AVG) this is not allowed. The Data Processing by Collaborative Organizations Act (Wgs) will provide a basis for data processing by collaborative organizations that aim to combat fraud, crime and/or undermining.
For what problem does the Wgs provide a solution? What can the Wgs be used for and what should you pay attention to when using the law? In a blog series, we inform you about what you need to know about the Wgs. In this part of the blog series, we update you on what the Wgs provides a basis for.
The original bill for the Wgs was introduced in 2019. Subsequently, the Personal Data Authority (AP) advised the Senate advised not to adopt the Wgs because, in its opinion, the Wgs gives government organizations and private parties (too) broad powers to share personal data with each other. As a result, the bill was loose to be called into question. Because the bill was substantially amended in the interim, the AP, Council of State (the Division) and the Human Rights Board were again asked to provide information on the bill.
Following the AP's opinion, the Senate asked the Division for additional advice and a number of adjustments were made. In the supplementary opinion the Division concludes that the adjustments made have largely met the requirements.
The Senate passed the bill on June 18, 2024. Shortly thereafter, the Wgs was published in the Official Gazette published. The aim is for the law to enter into force on January 1, 2025, or as much earlier as possible.
According to the explanatory note to the Wgs, a number of bottlenecks arise in the current collaborative arrangements. For example, there is often a lack of an appropriate basis for the processing of (personal) data by collaborative ventures, at least by the various participants within such a collaborative venture. This is often due to the fact that the participants are active in different sectors and the sectoral legislation that applies to each individual participant in that context. As a result, participants in the alliance are often unsure of what is and is not allowed. In one case, they push the limits and may process personal data unlawfully in order to achieve goals in the context of fraud, crime and/or undermining, and in the other case the participants are risk-averse and do not process personal data at all, even though this may be seen as necessary. This was considered undesirable by the government.
The Wgs defines a partnership as (Article 1.1 Wgs):
"An association of participants jointly processing data for an objective of substantial public interest established by or under this Act."
It basically comes down to a collection of agencies that cooperate with each other and exchange data with each other, or with a number of participants, for their purposes. One of these parties must be a government agency. The objective of the partnership must be to tackle and combat undermining crime and fraud.
Both government agencies and private parties can participate in such a collaborative arrangement (Article 1.3 Wgs). Designation of a private party as a participant in a collaborative arrangement can only take place if the goal of the collaborative arrangement cannot reasonably be achieved without the participation of this private party and if government agencies or public bodies also participate. The Wgs does not affect the fact that participants of collaborative arrangements other than those mentioned in the Wgs can continue to process data among themselves pursuant to another law, all this of course as long as (for example) the AVG is complied with.
The participants of a partnership are joint controllers of processing within the meaning of the AVG (Article 1.4 Wgs). That is, it is assumed that the participants - to a certain extent - jointly influence the purposes and means of the processing operations that take place. As a result of this qualification, an arrangement must be made ex Article 26 AVG. Among other things, this arrangement must agree on how the participants implement the rights that data subjects (natural persons to whom the personal data to be processed relate) have under the AVG, for example the right of inspection. The essence of this arrangement must be made known to data subjects, for example through an external privacy statement. The "Article 26 arrangement" can (also) be contained in a cooperation agreement or covenant.
Participants of a collaborative arrangement may provide certain data that they process according to their statutory duties to the collaborative arrangement (Article 1.5 Wgs), all this only insofar as this is necessary for the purpose of the collaborative arrangement. Subsequently, the results of processing may be provided for certain purposes within the partnership or, under conditions, to third parties (Article 1.7 Wgs).
The Wgs provides a basis for four specific partnerships:
The Financial Expertise Center (FEC);
The Criminal and Unexplained Assets Infobox (iCOV);
The Regional Information and Expertise Centers (RIECs) and;
The Care and Security Houses.
Not every random collaborative that claims to meet the above definition may process personal data under the Wgs. Collaborative partnerships may only be created on the basis of the Wgs for three purposes, namely preventing and fighting crime, unlawful use of public funds and evasion of legal obligations. The starting point is that the cooperative associations are designated in the Wgs. Going through such a legislative process takes time. Therefore, there is an option to designate participants by Order in Council (AMvB) in case of urgency. The addition of a collaborative is on commitment of the minister only possible to bridge the time needed to eventually regulate this in the Wgs itself.
During the parliamentary debate, an amendment was adopted by the House of Representatives that requires that a preliminary procedure be followed for the addition of new collaborative arrangements by order in council, coupled with prior approval by parliament. Thus, it is ultimately up to parliament to determine whether there is a "compelling public interest" that justifies the designation of a collaborative arrangement (Article 1.1 Wgs).
The Wgs is a so-called "framework law." This means that the law provides the basis for elaborating a large number of issues by Executive Order. This has been done in the Decree on Data Processing by Collaborative Groups (Bgs).. The draft Bgs is now before the Council of State for its opinion. According to the government and the Senate, there was no objection to adopting the Wgs in the meantime. The draft Bgs broadly regulates the following:
Delineation of exactly what collaboratives are allowed to do. For example, the draft Bgs further clarifies the bases for sharing data and incorporates more safeguards for personal data protection;
A number of concerns that have been addressed by Parliament, the Council of State and the Personal Data Authority are also given a place in the draft Bgs, in the form of safeguards and limits on data processing by partnerships;
Rules on how to handle requests for inspection or rectification from data subjects;
Concretization of the categories of data to be provided to RIECs.
In this part of the blog series, we updated you on what the Wgs will enable. In the next blogs in the series, we will set out the safeguards provided by the Wgs and discuss the arrangements for the RIECs and Care and Safety Homes.
