News Update Privacy & Data Protection
30 May 2023
On 17 May, the Dutch Data Protection Authority (Dutch DPA) published its Annual Report 2022 and Annual Plan 2023. In this News Update, we look at the Dutch DPA's activities in 2022 and its upcoming plans.
Annual Report 2022
The annual report highlights the Dutch DPA's key results in 2022. In 2022, the Dutch DPA fined 13 violations, laid down in 8 enforcement decisions, including the following:
- A EUR 565,000 fine imposed on the Dutch Ministry of Foreign Affairs (in Dutch) for years of large-scale violations of the law in the granting of visas. Security measures were inadequate and visa applicants were not properly notified that their data would be shared with other parties.
- A EUR 50,000 fine imposed on the Dutch police (in Dutch) for using cars with 360-degree cameras, which collected and stored far more footage of people than necessary.
- A EUR 3.7 million fine imposed on the Dutch Tax and Customs Administration (in Dutch) for the unlawful processing of personal data in its FSV fraud system. This system wrongly identified people as fraudsters.
- A EUR 525,000 fine imposed on Sanoma/DPG Media (in Dutch) for their improper handling of access and deletion requests.
In addition, the Dutch DPA imposed two orders subject to a penalty and issued ten reprimands in 2022. Aside from these enforcement actions, the Dutch DPA also provided guidance, such as developing tools for organisations, answering questions from the public and organisations, and cautioning organisations to change their procedures.
Data breaches
The Dutch DPA received over 21,000 data breach notifications in 2022, down 15% from 2021. The Dutch DPA itself also notified four data breaches that had occurred within its own organisation in 2022.
Data breach supervision is risk based, centring on data breaches that present major risks for victims. Relevant risk factors in 2022 included cyberattacks, as well as data breaches that had not been notified to the Dutch DPA in spite of requirements. The Dutch DPA will explore this issue further in its data breach report to be published soon.
Complaints and investigations
- The Dutch DPA received around 12,500 complaints in 2022, around 10,000 of which it considers 'tips'. Overall, the number of complaints submitted dropped by over 30% from 2021.
- The Dutch DPA initiated 45 investigations in total, including 17 international investigations.
- It closed 110 objection cases in 2022 but only 9 were declared well-founded. In addition, 47 appeals came to a close, with the Dutch DPA being ruled against in 4 cases.
Annual Plan 2023: supervision in a digital society
In 2023, the Dutch DPA will focus on algorithms and AI, Big Tech and freedom and security.
Algorithms and AI
The Dutch DPA specifically monitors the transparent, lawful and privacy-friendly development of algorithms and AI. In addition, it will prioritise investigations of complaints and data breach notifications in those areas in 2023.
Big Tech
The Dutch DPA especially wants to ensure that Big Tech companies handle personal data properly. To this end, it will identify and analyse signals, give priority to victims' complaints about Big Tech companies and, if necessary, initiate accelerated proceedings.
Freedom and security
In 2023, the Dutch DPA particularly seeks to ensure a justifiable balance between freedom and security in personal data processing. Specifically, the Dutch DPA states that investigations on this point will be completed in 2023 and that the granting of permits for personal data processing in criminal investigations will receive particular attention.
Conclusion
The Annual Report 2022 and Annual Plan 2023 emphasise the Dutch DPA's limited options due to budgetary reasons. The authority is unable to perform all its statutory duties properly and effectively while running an adequate organisation. In concrete terms, this means it cannot promptly handle all complaints, properly look into all data breaches, proactively give legislation advice and efficiently settle requests for binding corporate rules (BCRs). The waiting period for such requests is now more than seven years.
