News Update Privacy & Data Protection | October 2019
4 October 2019
Significant increase in Dutch privacy complaints
In September 2019, the Dutch DPA released a report (in Dutch only) on the privacy complaints it received between January and June 2019. More than 15,000 people lodged a complaint with the DPA in relation to the data processing practices of different organisations. This is a 59% increase compared to the last six months of 2018.
A large proportion of the complaints (32%) concern the rights of data subjects (such as the right of access to and rectification of personal data). In addition, many complaints concerned:
- The transfer of personal data to third parties.
- The processing of personal data in violation of the purpose limitation principle.
- Unlawful processing (processing without legal basis).
- The use of personal data for purposes related to unsolicited direct marketing.
Since the Dutch DPA is understaffed, it takes the authority an average of four to six months to deal with a complaint. The DPA has already taken measures to manage this problem, such as requiring data subjects to first submit their complaint to the relevant organisation before asking the Dutch DPA to intervene. Besides that, the DPA is in consultation with the Ministry of Justice and Security to find a long-term solution.
Employers processing health data: Dutch DPA continues to raise awareness
On 1 October 2019, the Dutch Data Protection Authority announced that it will continue to raise awareness amongst employers about processing the personal data of sick employees. Specific privacy rules apply to the processing of employee personal data in the event of illness. Health data is considered a special category of personal data and its processing is subject to a more stringent legal regime. This regime only allows employers to process certain information about sick employees to the extent strictly necessary. An example is information required to continue paying wages, whilst taking into account the privacy of sick employees.
Google v CNIL – right to be forgotten does not apply worldwide
On 24 September 2019, the European Court of Justice (ECJ) issued its judgment on questions referred to it by the Conseil d'État (Council of State, France) for a preliminary ruling. The questions related to the interpretation of Article 17(1) of the General Data Protection Regulation (GDPR), which addresses the 'right to be forgotten'.
In May 2015, the French Data Protection Authority (CNIL) served a formal notice on Google requiring it to remove links to webpages in Google Search worldwide, in the event of a valid de-listing request. Google refused to comply with this formal notice. Google only removed the links to webpages for Member States of the European Union, not worldwide. The CNIL imposed a €100,000 fine on Google. Google appealed the decision of the CNIL, after which the Conseil d'État referred questions for a preliminary ruling to the ECJ.
The ECJ ruled that on the basis of a lawful de-listing request under Article 17(1) of the GDPR, a search engine operator is not required to de-list search results on all versions of its search engine worldwide, but only on the versions of the search engine corresponding to the EU Member States.
The ECJ's ruling is a new chapter in the development of 'the right to be forgotten'. Since the GDPR came into force, Google has received 845,501 requests for de-referencing. This amounted to approximately 3.3 million Uniform Resource Locators (URLs). Google deleted 45% of these URLs.
Amended Proposal for draft ePrivacy Regulation
On 18 September 2019, the Presidency of the European Council published its proposed amendments to the Proposal for a Regulation Concerning the Respect for Private Life and the Protection of Personal Data in Electronic Communications (the “Draft ePrivacy Regulation”). The Draft ePrivacy Regulation will replace the ePrivacy Directive and will complete the EU’s framework for data protection and confidentiality of electronic communications.
Numerous amendments have been proposed to the draft text by the Presidency, including amendments to the provisions on the processing of electronic communications metadata. There are several amendments to the provisions on direct marketing and cookies compared to the original proposal. We are monitoring these developments closely.
Hospital receives the first fine from the Dutch DPA under the GDPR
The Haga Hospital is the first organisation in the Netherlands to receive a fine under the GDPR. The Dutch DPA started an investigation into the hospital's data security practices after it became known that 85 hospital employees had been able to consult the medical file of a well-known Dutch celebrity. The DPA concluded that the hospital's internal security of patient records was insufficient and therefore violated the GDPR. The Dutch DPA consequently imposed a fine of €460,000 (decision in Dutch only). The hospital has been given until 2 October 2019 to improve the security of patient records. If it fails to do so, the hospital must pay an additional €100,000 for every two weeks it remains non-compliant (up to a maximum of €300,000).
The chairman of the DPA emphasised the importance of confidentiality in a healthcare provider–patient relationship. When it comes to the security of patient files, a hospital must take all technical and organisational measures to ensure that patient medical data is stored safely and can only be consulted by employees and physicians on a need-to-know basis. The Haga Hospital lacked sufficient security measures in two areas:
- First, the hospital must regularly check who consults which file. This allows the hospital to identify when someone who is not authorised to do so is consulting a file, and to take measures.
- Second, good security practices require identification using at least two factors. For example, a password in combination with an employee badge can be used to identify a person before they gain access to patient records.
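As an added illustration of the two measures listed above (this is example code, not part of the DPA decision or the hospital's own systems), the following Python script reviews a patient-record access log against a need-to-know table: it flags accesses by staff not assigned to the patient, accesses made without a second factor, and records consulted by an unusually large number of distinct employees. The log lines, user names, patient ids and the care-team table are all constructed for the example.

```python
"""Access-log review for patient records: check who consults which file,
enforce need-to-know, and spot records with too many distinct viewers."""
from collections import defaultdict
from datetime import datetime

# Constructed access log: "timestamp,user,patient_id,second_factor"
ACCESS_LOG = """\
2019-09-01T08:02:11,dr_jansen,P1001,badge
2019-09-01T08:05:40,nurse_visser,P1001,badge
2019-09-01T09:12:03,clerk_bakker,P1001,none
2019-09-01T09:13:55,dr_smit,P1001,badge
2019-09-01T10:30:21,dr_smit,P2002,badge
2019-09-01T11:45:09,nurse_visser,P2002,badge
2019-09-01T12:01:44,intern_devries,P1001,badge
"""

# Constructed need-to-know table: which staff are assigned to which patient.
CARE_TEAM = {
    "P1001": {"dr_jansen", "nurse_visser"},
    "P2002": {"dr_smit", "nurse_visser"},
}

def parse_log(text):
    """Parse the CSV-style log into dicts; malformed lines are skipped, not fatal."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        ts, user, patient, factor = parts
        entries.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "patient": patient, "factor": factor})
    return entries

def review(entries, care_team, max_viewers=3):
    """Return (not_need_to_know, single_factor, crowded_records)."""
    not_need_to_know = []   # accesses by staff not assigned to the patient
    single_factor = []      # accesses made without a second factor
    viewers = defaultdict(set)
    for e in entries:
        viewers[e["patient"]].add(e["user"])
        if e["user"] not in care_team.get(e["patient"], set()):
            not_need_to_know.append((e["user"], e["patient"]))
        if e["factor"] == "none":
            single_factor.append((e["user"], e["patient"]))
    # Many distinct viewers on one record is the pattern behind the Haga case.
    crowded = {p: len(v) for p, v in viewers.items() if len(v) > max_viewers}
    return not_need_to_know, single_factor, crowded
```

Run on the constructed log, it reports three accesses to P1001 outside the care team, one access without a second factor, and P1001 as a record consulted by five distinct employees.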