Over the last five years, the Dutch parliament has adopted a number of amendments to laws that govern the privacy of online personal data. The Constitution was changed to protect privacy of telecommunications and the key law on personal data protection, the Personal Data Protection Act, underwent a significant overhaul in 2015 that enhanced breach notification procedures, increased fines for violation of the Act, and strengthened the powers of the newly titled Personal Data Authority. At the same time, changes were made to the Telecommunications Act, among them the addition of a new article setting forth the conditions on the permissibility of storage of or access to information in peripheral equipment of a user via an electronic communications network. In late 2015, the Authority issued rules to clarify what constitutes a data breach and the breach notification procedures. Earlier in 2015, following a decision reached in 2014 by the Court of Justice of the European Union, a Dutch judge struck down the 2009 Data Retention Act on grounds that it was too intrusive and breached the privacy of telephone and internet users. In 2017, the Dutch Senate adopted a new Act on Intelligence and Security Services. Some of the Act’s provisions have entered into force, but on November 1 the Dutch Electoral Council announced that a referendum will be held within six months on the new Act. Among new developments that affect personal data privacy in the Netherlands are the 2017 legal certification of the government to use digital ledgers in the healthcare sector and the adoption of legislation that allows storage for up to four weeks of vehicle registration data recorded by automatic plate number recognition cameras set up at certain locations on public roads.
According to legal researchers at the Institute of eLaw at Leiden University, in a study comparing “aspects of privacy, such as government policy, legislation and monitoring and enforcement, in eight European countries,” the Netherlands leads the other states in reporting requirements on data leaks, and the Dutch “have a high level of awareness and self-reliance with regard to their privacy.”  The Netherlands is also reportedly one of the leaders in conducting societal debate and information campaigns on privacy, and in carrying out privacy impact assessments, which are “instruments for determining privacy risks of data processing in advance.” The study found, however, that in all the countries studied “transparency with regard to the collection and processing of personal data still leaves much to be desired,” and the Netherlands has room to improve in such areas as the number of privacy officials, the certification of personal data security, and dialogue engaged in by the key privacy supervisory body, the Personal Data Authority. Nevertheless, the researchers stated that “[t]he Dutch government has already put many instruments into place relating to all aspects of the protection of privacy,” and therefore “the country is well prepared for the General Data Protection Regulation (GDPR) to be implemented by the EU in May 2018.”
This report summarizes some of the major legal developments that have occurred in the area of online privacy law in the Netherlands over the last five years, since 2012.
In 2012, the Staten-Generaal (States-General, the Dutch parliament) discussed amending article 13 of the Dutch Constitution, on protection of privacy of correspondence, with a view to protecting communications more broadly. The parliament finally adopted the amendment in July 2017 and it was published in the Official Gazette in August, but is not yet in force. The unamended article 13 states
1. The privacy of correspondence shall not be violated except in the cases laid down by Act of Parliament, by order of the courts.
2. The privacy of the telephone and telegraph shall not be violated except, in the cases laid down by Act of Parliament, by or with the authorisation of those designated for the purpose by Act of Parliament.
The amended article states
1. Everyone is entitled to the right of privacy of correspondence and of telecommunications.
2. Limitation of this right may be determined in cases laid down by Act of Parliament, with the authorization of the court, or in the interests of national security, by or with the authorization of those designated for the purpose by Act of Parliament.
A. Amendments to the Personal Data Protection Act
The Dutch Parliament passed a number of amendments to the Personal Data Protection Act (Wet bescherming persoonsgegevens, PDPA)  on May 26, 2015. Those amendments were published in June 2015, and came into force on January 1, 2016. Among the key changes in the Act are the introduction of a general duty of notification of personal data breaches and a major increase in the fines that the renamed Data Protection Authority (College bescherming persoonsgegevens), now the Personal Data Authority (Autoriteit Persoonsgegevens, PDA), may impose for violations of the Act, along with enhanced PDA powers to fine individuals, such as directors, within an organization. The changes “directly affect any company subject to Dutch law,” thus companies were advised “to be aware of the new supervisory powers of the PDA and … to make the necessary amendments to their internal data protection and security policies. The latter particularly includes drafting or reviewing policies related to personal data breaches, as well as verifying that contracts with third parties adequately address these obligations.”
The adoption and entry into force of the amended Act preceded the EU’s adoption of the GDPR on the protection of the processing of personal data and on such data’s free movement.
Formerly, the PDA’s capacity to impose fines was limited, and it could only impose an administrative fine of up to €4,500 (about US$5,300) for violation of the requirement to notify the PDA before commencing processing of personal data. Moreover, while the agency could give an order to cease or remedy a violation of the Act, under threat of penalty, it could not impose an administrative fine. Under the amended Act, the PDA may now impose fines up to €820,000 (about US$966,360) under the sixth category, the highest, of the latest fines schedule set forth in the Criminal Code, or 10% of the entity’s annual net turnover when a legal entity is involved and the highest category of fine is deemed insufficient punishment for the violation. Increased fines of up to €20,500 (about US$24,160) are imposed on any non-EU entity that processes personal data in the Netherlands “without having designated a local representative to oversee compliance with the Dutch Data Protection Act.” Finally, the PDA may also impose separate fines of up to €820,000 on individuals within an organization, including directors and managers.
2. Binding Orders
The amended PDPA provides that before the PDA may impose a fine, it must first issue a “binding order” (een bindende aanwijzing) after having conducted an investigation of an incidence of noncompliance with the Act. As one commentator points out, “[t]his is a recovery-oriented corrective measure, in which the PDA specifies exactly what actions must be taken in order to remedy the non-compliance.” Moreover, the PDA “may set a time limit within which the offender must comply with the order,” and if the offender fails to comply, the PDA may then apply the relevant punitive fine. However, “if the violation was deliberate or the result of serious negligence” the PDA is not subject to the binding order requirement and may immediately impose the fine.
A new article 67 in the Act accords the PDA the authority to issue a “policy rule” on the interpretation of article 66(2) on the imposition of fines of the highest category for violation of various provisions of the Act, provided that the PDA consults the Minister of Security and Justice and the Minister of the Interior and Kingdom Relations beforehand. This will make it “easier for the PDA to construe ‘wilful intent’ or ‘culpable negligence’ in cases of non-compliance, allowing it to directly impose an administrative fine as described above.” He further comments that the consultation process “will generally also involve consultation with relevant industry stakeholders.”
3. New Article 34a on Data Breach Notification Obligation
Another major change made by the 2015 amendment to the Act was the introduction of a notification requirement for personal data breaches, without waiting for the issuance of the EU General Data Protection Regulation. The notification duty under the Act “follows similar principles as seen across Europe and the rest of the world.” The new article 34a prescribes that a controller (verantwoordelijke, the responsible party), defined in the Act as “the natural or legal person or any other party who or the administrative body which, alone or jointly with others, determines the purposes and means of the processing of personal data,” must notify the PDA without delay of any breach of personal data security that results in “a substantial probability of serious adverse consequences or which has serious adverse consequences for the protection of personal data.”
Controllers must also immediately inform the individuals affected by the data breach, if the breach is likely to have a negative impact on the individual’s privacy, except in cases “where the controller has taken appropriate technical protective measures that render the personal data concerned incomprehensible or inaccessible to any person who does not have a right of access to the data.” Other exceptions to this duty to inform the affected individuals include, for example, where it is necessary in the interests of national security, the prevention of crime and the investigation and prosecution of criminal offenses, important economic or financial interests of the state and other public entities, monitoring compliance with the legal requirements established in connection with the interests of crime prevention/prosecution and economic/financial interests, and the protection of the data subject or of the rights and freedoms of others. The new notification requirement also does not apply if the controller is a provider of a public electronic communications service and has made a notification as such under the provisions of the Telecommunications Act. The Telecommunications Act “has had a notification duty for security breaches with ‘electronic communication providers’ (such as telecom operators) for some time.” It prescribed that these providers had a duty to notify “any security breach which has an adverse effect on the privacy of individuals involved” to the telecom regulator (the Authority for Consumers and Markets, Autoriteit Consument en Markt) and individuals; in conformity with the amended PDPA, the notifications must be addressed instead to the PDA. Another exception to the duty to notify individuals of a breach is made for financial institutions “within the meaning of the Financial Supervision Act,” e.g., banks and insurance companies, “because a specific regulation for such institutions exists and includes a separate notification duty to the financial authority,” the Autoriteit Financiële Markten (Dutch Authority for the Financial Markets, AFM). One commentator noted that while financial institutions are obliged to report security breaches to the PDA and the AFM, and to keep a record of the breaches, “a duty for financial institutions to notify individuals of a breach is thought to have potential adverse and unexpected effects on the financial market, justifying the exemption to notify individuals.”
Under the new notification requirement, the notification of a breach made by controllers to the PDA and the persons concerned (“data subjects”) must include “the nature of the breach, the bodies where more information about the breach can be obtained, and the measures recommended to limit the negative consequences of the breach.” The PDA notification must also provide “a description of the observed and probable consequences of the breach” and “the measures that the controller has taken or is proposing to take” in order to remedy them. The data subject notification must be made in such a way as to guarantee, taking into account the nature of the infringement, the “proper and careful provision of the information” regarding the observed and actual consequences of the breach, the data subjects involved, and the costs of enforcement. If the controller does not notify the data subject, the PDA may require the controller to do so if it deems the breach “likely to have unfavourable consequences for the data subject’s privacy.”
4. New Language on Reporting Breaches
Controllers are obligated to keep a record of serious security breaches; the record is to include, in any case, “the facts and data regarding the nature of the breach … as well as the text of the notification to the data subject.” As noted by one commentator, “the new regime also obligates controllers to specifically address this requirement in their contracts with processors. Companies are therefore strongly advised to review their contractual relationship with their processors to ensure that this has been appropriately addressed.”
Thus, if a controller has a processor do the processing of personal data on the controller’s behalf, the controller must ensure that the processor
provides sufficient guarantees in respect of the technical security measures and organisational measures governing the processing to be carried out and in respect of the report of a breach of security, referred to in Section 13, which results in a substantial probability of serious adverse consequences or which has serious adverse consequences for the protection of personal data processed by him.
Section 13 provides that the controller implements appropriate measures “to protect personal data against loss or any unlawful forms of processing” that “will guarantee a level of security appropriate to the risks represented by the processing and the nature of the data to be protected” and “also seek to prevent the unnecessary collection and further processing of personal data.”
5. Enhanced Powers of Cooperation
Under a new article 51a of the PDPA, the PDA has gained enhanced powers “to share and request information from other supervisors, making it mandatory for supervisors to provide any information to other supervisors insofar as this is necessary for performing its supervisory tasks.” The article states as follows:
1. The Authority may make arrangements with other supervisory authorities in the interest of efficient and effective supervision of the processing of personal data and draw up cooperation protocols with these supervisory authorities for that purpose. Any cooperation protocol is to be published in the Government Gazette.
2. The Authority and the supervisory authorities, referred to in subsection 1, may on their own initiative and must on request disclose to one another the data relating to the processing of personal data that are necessary for the exercise of their functions.
6. 2016 and 2017 Amendments to the PDPA
A few additional amendments to the PDPA were adopted in 2016 and 2017. Article 26 of the PDPA provides that orders in council (statutory regulation) may be issued in connection with the general rules on the processing of personal data governed under the PDPA’s sections 6 through 11. In October 2016 (effective July 2017), a new paragraph 3 was added to article 26 to the effect that presentation to the full legislature of an order in council in connection with the Act on the Use of a Citizen Service Number in Healthcare can be done no sooner than four weeks after the draft order has been submitted to each Chamber of the States-General; if one of the Chambers decides not to approve the order, no presentation of it will be made and no new draft order will be presented to each Chamber sooner than six weeks after the decision of the disapproving Chamber has been made.
In regard to healthcare data, on October 1, 2017, that the Dutch government had received “legal certification, the first of its kind in the healthcare sector” for “a digital ledger solution in the healthcare sector that would allow blockchain to be used for communications between the country’s health institutions, including hospitals and government agencies.” Blockchain has been described as a digital “open, distributed ledger that can record transactions between two parties efficiently and in a verifiable and permanent way. The ledger itself can also be programmed to trigger transactions automatically.” The use of blockchain technology in the healthcare sector has four key advantages, according to one industry proponent: it “puts individuals in charge of their own data, allowing them to control which information will be released to a doctor or insurance company”; it connects scattered healthcare data “onto one digital highway, making it far more efficient”; it should result in a much lower cost of administering healthcare payments “because once a patient signals that he has used his digital wallet to pay for healthcare the insurance company is notified and a payment can be issued immediately”; and because transactions on the blockchain cannot be altered, “if someone wants to try and change the data they would have to break into six different data bases, making it … nearly impossible to hack.”
An amendment act of December 2016 changed several laws, including the PDPA, to conform to implementation of the 2014 EU Regulation on Electronic Identities and Trust Services. The amending act added a new paragraph to PDPA article 34a on the data breach notification obligation, providing that the article, with one exception, does not apply to trust service providers as referred to in the EU Regulation. A trust service provider is defined under the EU Regulation as “a natural or a legal person who provides one or more trust services either as a qualified or as a non-qualified trust service provider.”
B. Telecommunications Act
In March 2015, an amendment to the Telecommunications Act, inserting a new article on the conditions in which storage of or access to information in the peripheral equipment of a user via an electronic communications network is permissible, was published in the Official Gazette. The article provides that, without prejudice to the PDPA, such storage or access is only permitted if the user concerned is (a) provided with clear and complete information in accordance with the PDPA, at least regarding the purposes for which this information is used; and (b) has given permission for the storage or access. These two requirements also apply in the event that, in a manner other than by means of an electronic communications network, information is stored via an electronic communications network or access is granted to information stored on the peripheral device.
The provision on requirements for storage or access do not apply if the storage or access is (a) for the sole purpose of carrying out communication about an electronic communications network, or (b) strictly necessary in order to provide the information society service requested by the subscriber or user or, provided this has no or minor impact on the privacy of the subscriber or user concerned, to obtain information about the quality or effectiveness of a delivered information society service. An activity that aims to collect, combine, or analyze data about the use by the user or subscriber of different services of the information society, so that the user or subscriber concerned “can be treated differently” (anders behandeld kan worden) is deemed to be a processing of personal data as referred to in article 1(b) of the PDPA. User access to an information society service provided by or on behalf of a legal person set up under public law will not be made dependent on the granting of permission under the required conditions (a) and (b), above. By or pursuant to an Order in Council, further rules may be laid down by the Minister of Security and Justice with regard to those conditions and the exceptions thereto (under art. 11.7a(3)). The Dutch Data Protection Authority is to be consulted on the draft of such an order.
C. Data Breach Notification Rules
The Dutch Parliament heavily debated the notification obligation, along with the new supervisory powers of the PDA, because certain key aspects of the obligation needed more clarification, such as “what exactly qualifies as a breach? How to assess whether a breach is ‘likely to have serious adverse consequences’? And what are ‘negative effects to an individual’s privacy’?” The PDA issued guidelines to address these issues in December 2015.
The Reporting Duty on Data Breaches Under the PDPA Rules state, for example, that there is only a data breach if a security incident—e.g., loss of a USB stick, theft of a laptop, successful hacking attempts—has actually occurred, because not every security incident is also a data leak. A data breach exists if personal data has been lost during the security incident, or if the occurrence of unlawful processing of the personal data cannot reasonably be excluded; if there is only a weak spot in security, it is a “vulnerability,” not a data breach, and does not have to be reported to the PDA. Examples of personal data of a sensitive nature that should be reported to the DPA include
- special personal data as referred to in article 16 of the PDA, i.e., personal data about a person’s religion or belief, race, political opinions, health, sexual life, membership in a trade union, and criminal personal data and personal data about unlawful or annoying behavior in connection with a prohibition imposed on that behavior;
- information about the financial or economic situation of the person concerned, such as data on (problematic) debts, salary, and payment data;
- data that can lead to stigmatization or exclusion of the person concerned (e.g., data on a gambling addiction, school or work performance, or relationship problems);
- user names, passwords, and other log-in details (depending on the possible consequences, such as the data to which the log-in details give access); [and]
- data that can be misused for (identity) fraud (e.g., biometric data, copies of identity documents, and the citizen service number).
Other factors, such as the amount of personal data leaked per person or the number of data subjects whose personal data have been leaked, may also be grounds for reporting the data breach, but if the nature of the leaked data warrants it, the controller may have to report a data breach when the personal data of only one person are involved.
The controller must report the breach “without undue delay and, if possible, no later than 72 hours after the discovery of the data breach.” The PDA website makes available on its website a web form for this purpose, through which the controller can supplement or withdraw the notification if necessary. The Rules also cover such topics as notification of the person concerned, exceptions to the obligation to report, fines, a primer on the new reporting duty, and a schematic guide with key questions to consider in applying the new requirements. The questions include, for example, “1. Does the duty to report data breaches from the Wbp apply to me?; 1.2. Am I the controller or his representative?,” and so on. Under question 3.1, “Is there a breach of security?,” the examples are “a lost USB stick; a stolen laptop; burglary by a hacker; a malware infection; and a calamity such as a fire in a data center.”
The Dutch guidelines were expected to stay close to the EU Article 29 Data Protection Working Party’s opinion on personal data breach notification.
D. 2017 Act on Intelligence and Security Services
The Dutch Senate adopted the new Act on Intelligence and Security Services (Wet op de inlichtingen- en veiligheidsdiensten, Wiv), in 172 articles, on July 26, 2017, “after years of debate and criticism from both the country’s constitutional courts and online privacy advocates.” The new Act is intended to replace the 2002 Act on Information and Security Services, laying down new rules on the duties and powers of intelligence and security services in the field of national security, the coordination of performance of these services, their processing of data, national and international cooperation in these services, and the exercise of supervision and treatment of complaints and confidentiality.  Certain portions of the new Act entered into force on September 1, 2017.
Although the Act was passed “with broad support,” the rights group Bits of Freedom reportedly cautioned that “the Netherlands’ military and civil intelligence agencies will now have the opportunity to tap large quantities of internet data traffic, without needing to give clear reasons and with limited oversight,” and expressed opposition to the Act’s “three-year term for storage of data that agencies deem relevant, and the possibility for them to exchange information they cull with foreign counterparts.” Government officials contend, however, that the augmented powers “are needed to counter threats to national security in the modern era, and their use can be tested by an oversight panel.” A government press release, while noting that the Dutch intelligence and security services (AIVD and MIVD) would now have the power to investigate cable and other types of telecommunications, contended that there are strong safeguards to ensure that the use of the agencies’ powers is always legitimate, including by conducting independent testing in advance.
Articles 32–35 have to do with the establishment, terms of reference, task assignment, composition, and other special provisions with regard to a review committee, comprised of three members (including a chairman) that has the power to review permission given by the relevant Minister in regard to such activities as observing and recording data about natural persons or things, tracking and recording data about natural persons or things, and so on. The review committee’s decisions are binding. Article 97 now provides for a supervisory committee for the intelligence and security services that incorporates the already extant supervision department (to supervise the legality of execution of acts taken pursuant to the Act) and the complaints-handling department. Articles 98–106 and 170 are on the functioning of the new supervisory committee.
On November 1, 2017, the Electoral Council (Kiesraad) of the Netherlands publicly announced that a referendum will be held within six months, based on the more than 384,000 signatures received, on the Act on Intelligence and Security Services. The Council of State (Raad van Staat) has ruled that an appeal made against the Electoral Council decision admitting the final request to hold the consultative referendum is inadmissible; therefore the Electoral Council’s Referendum Commission can proceed to set the date for the referendum.
The Consultative Referendum Act sets a threshold of 300,000 signatures as necessary for holding a public vote. Since the Consultative Referendum Act came into force in 2015, it has become possible for almost all parliamentary laws and approved treaties to be put to a referendum. According to the Electoral Council, this is the second time that both the introductory phase (with at least 10,000 valid requests) and the final phase (with at least 300,000 valid requests) for holding a referendum has been reached. The first time was the referendum on a partnership agreement with Ukraine. The outcome of a referendum is only an advisory verdict for rejection of a law if the majority votes in favor of rejection with at least 30% of the total number of eligible voters taking part.
E. Data Retention Act Voided
The Guardian reported in March 2015 that a judge in The Hague had struck down the 2009 Data Retention Act, stating that the Dutch regime for retention of telephone and internet user data helps in solving crime “but is too intrusive” and breaches the privacy of telephone and internet users. The ruling followed a similar decision issued in April 2014 by the Court of Justice of the European Union that did away with EU data collection legislation it found to be too broad and lacking in sufficient privacy safeguards.
III. Other Developments
On November 21, 2017, the Dutch Senate adopted an act to the effect that the registration data of vehicles that have recently passed by an Automatic Number Plate Recognition (ANPR) camera at certain locations on public roads “may be stored for four weeks.” According to the Ministry of Justice and Security,
ANPR … is important for the purposes of investigating serious offences for which it does not emerge until further down the line that information about a vehicle plays a role. Such information could be crucial in cases of using explosives to target ATMs, abductions, human trafficking and terrorism. ANPR can also help in efforts to apprehend fugitives.
Because vehicle registration data might provide important clues for identifying suspects and tracking down their home addresses,
the police are being given the option of investigating what vehicles were driving at the scene of a crime as well as where the suspect’s vehicle came from or headed to. This ability to look back at recorded data is new. The police are not currently authorised to store the number plate data of all vehicles passing a camera and consult that data retrospectively.
The Ministry states that the legislation has safeguards to ensure road users’ data protection; for example, the number plate data may only be gathered “on public roads and in locations relevant to investigatory activities,” namely “airports as well as ports, car parks alongside motorways and border crossings,” and there will be careful control of access to the vehicle registration data. In addition, the access will be given only to “specially authorised investigative officers … at the behest of the public prosecutor,” with the information consultable only in order to investigate serious crimes and apprehend fugitives. The authorities will also annually publish a camera site plan specifying the permanent cameras’ exact location.
Prepared by Wendy Zeldin
Senior Legal Research Analyst
 The Netherlands One of the Leaders in Privacy Protection, Leiden University (Oct. 4, 2017), https://www.uni versiteitleiden.nl/en/news/2017/09/the-netherlands-one-of-the-leaders-in-privacy-protection, archived at https://perma.cc/QH4Z-TKH3.
 Constitution of the Kingdom of the Netherlands (Aug. 24, 1815, as in force on Mar. 15, 2014), http://www.dutchcivillaw.com/legislation/constitution011.htm, archived at https://perma.cc/DE38-ETXH; Grondwet voor het Koninkrijk der Nederlanden van 24 augustus 1815 (as last amended June 27, 2008, in force on July 15, 2008), http://wetten.overheid.nl/BWBR0001840/geldigheidsdatum_02-05-2012, archived at https://perma.cc/J879-68WP.
 Wet van 19 augustus 2017, houdende verklaring dat er grond bestaat een voorstel in overweging te nemen tot verandering in de Grondwet van de bepaling inzake de onschendbaarheid van het brief-, telefoon- en telegraafgeheim [Law of 19 August 2017, Stating That There Are Grounds for Considering a Proposal to Amend the Constitutional Provision Concerning the Inviolability of Privacy of Correspondence and of Telephone and Telegraph Communications], Staatsblad van het Koninkrijk der Nederlanden [Stb.] [Official Gazette of the Kingdom of the Netherlands], No. 334 (Sept. 14, 2017), https://zoek.officielebekendmakingen.nl/stb-2017-334.html, archived at https://perma.cc/3LEL-YU7W.
 Constitution of the Kingdom of the Netherlands art. 13.
 Wet van 19 augustus 2017, art. 13.
 Wet van 6 juli 2000, houdende regels inzake de bescherming van persoonsgegevens (Wet bescherming persoonsgegevens) [Law of 6 July 2000, Concerning Rules on the Protection of Personal Data (Personal Data Protection Act)] (as last amended effective July 1, 2017), http://wetten.overheid.nl/BWBR0011468/2017-07-01, archived at https://perma.cc/RZ4N-QP6K; Personal Data Protection Act [PDPA] (effective Jan. 1, 2016), https://www.akd.nl/t/Documents/17-03-2016_ENG_Wet-bescherming-persoonsgegevens.pdf, archived at https://perma.cc/2TQ3-AFHD; Berend van der Eijk, Substantial Revision of the Dutch Data Protection Act: Higher Fines, Specific Obligations for Data Breaches and More, Bird & Bird (June 23, 2015), available at
https://www.lexology.com/library/detail.aspx?g=e16eb8af-f905-413f-93de-cd8675455c10, archived at https://perma.cc/D5P3-F22U.
 Wet van 4 juni 2015 tot wijziging van de Wet bescherming persoonsgegevens en enige andere wetten in verband met de invoering van een meldplicht bij de doorbreking van maatregelen voor de beveiliging van persoonsgegevens alsmede uitbreiding van de bevoegdheid van het College bescherming persoonsgegevens om bij overtreding van het bepaalde bij of krachtens de Wet bescherming persoonsgegevens een bestuurlijke boete op te leggen (meldplicht datalekken en uitbreiding bestuurlijke boetebevoegdheid Cbp) [Act of 4 June 2015 Amending the Personal Data Protection Act and Any Other Laws in Connection with the Introduction of a Duty to Report in the Event of a Breach of Measures for the Security of Personal Data as well as the Extension of the Authority of the Data Protection Authority in Order to Comply with the Provisions of or to Impose an Administrative Fine Under or Pursuant to the Personal Data Protection Act (Duty to Report Data Leaks and Expansion of the Cbp Administrative Fine Power)] (Amendment Act of June 4, 2015), Stb. No. 230 (June 19, 2015), https://zoek.officielebekend makingen.nl/stb-2015-230.html, archived at https://perma.cc/SUD2-FL8Z.
 Van der Eijk, supra note 9.
 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (GDPR), 2016 O.J. (L 119) 1, http://eur-lex.europa.eu/ legal-content/EN/TXT/?qid=1510677980976&uri=CELEX:32016R0679, archived at https://perma.cc/P684-DNSK.
 Id.; Part II(L), “Administrative and Criminal Sanctions,” in Wendy Zeldin, Online Privacy Law: Netherlands (Law Library of Congress, June 2012), https://www.loc.gov/law/help/online-privacy-law/netherlands.php, archived at https://perma.cc/Y2JH-6N5E (with reference to art. 66 of the Act, imposing fines for violation of arts. 27, 28, and 79(1)).
 Van der Eijk, supra note 9; PDPA art. 66 ¶¶ 2 & 5; Wetboek van Strafrecht art. 23(7).
 Van der Eijk, supra note 9; PDPA art. 66(1) (with reference to arts. 4 & 78(2)).
 Van der Eijk, supra note 9; PDPA art. 66(2) (with reference, e.g., to art. 12(1): “Any person acting under the authority of the controller or of the processor, including the processor himself, in so far as they have access to personal data, only processes them on instructions from the controller, unless required to do so by law.”).
 Van der Eijk, supra note 9; PDPA art. 66(3).
 Van der Eijk, supra note 9.
 PDPA art. 66(3).
 Id. art. 66(4); Van der Eijk, supra note 9.
 PDPA art. 67; Van der Eijk, supra note 9.
 Van der Eijk, supra note 9.
 Id. The GDPR, supra note 13, was adopted in 2016.
 Van der Eijk, supra note 9.
 PDPA art. 1(d).
 Id. art. 34a(1).
 Id. art. 34a(2).
 Id. art. 34a(6).
 Id. art. 43.
 Id. art. 34a(9) (with reference to art. 11.3a, paras. 1 & 2, of the Telecommunications Act, Wet van 19 oktober 1998, houdende regels inzake de telecommunicatie (Telecommunicatiewet) (as last amended effective July 1, 2017), http://wetten.overheid.nl/BWBR0009950/2017-07-01, archived at https://perma.cc/C7M4-PA3Q).
 Van der Eijk, supra note 9.
 Telecommunicatiewet art. 11.3a(1).
 PDPA art. 34a(10); van der Eijk, supra note 9.
 Van der Eijk, supra note 9.
 PDPA art. 34a(3).
 Id. art. 34a(4).
 Id. art. 34a(5).
 Id. art. 34a(7).
 Id. art. 34a(8).
 Van der Eijk, supra note 9.
 PDPA art. 14(1), as amended by Amendment Act of June 4, 2015, art. I(A).
 PDPA art. 13.
 Van der Eijk, supra note 9.
 PDPA art. 51a.
 PDPA art. 26 para. 1.
 Wet aanvullende bepalingen verwerking persoonsgegevens in de zorg, i.e., Wet van 10 april 2008, houdende regels inzake het gebruik van het burgerservicenummer in de zorg (Wet gebruik burgerservicenummer in de zorg) [Act of 10 April 2008 Containing Rules Concerning the Use of the Citizen Service Number in Healthcare (Act on the Use of a Citizen Service Number in Healthcare)] (as last amended effective July 1, 2017), http://wetten. overheid.nl/BWBR0023864/2017-07-01, archived at https://perma.cc/KKX8-3FTD. According to this Act, “[r]ules may be laid down by or pursuant to an Order in Council on facts or data to be processed by care providers with regard to clients whose identification or citizen service number proves impossible, or requires a disproportionate effort, to find.” Id. art. 11 para. 1. The Act further provides, “[b]y or pursuant to the Order in Council referred to in the first paragraph, it can be determined which security requirements the data processing referred to in the first paragraph meets.” Id. art. 11 para. 2.
 PDPA art. 26 para. 3. Wet van 5 oktober 2016 tot wijziging van de Wet gebruik burgerservicenummer in de zorg, de Wet marktordening gezondheidszorg en de Zorgverzekeringswet (cliëntenrechten bij elektronische verwerking van gegevens), Stb. No. 373 (Oct. 19, 2016), https://zoek.officielebekendmakingen.nl/stb-2016-373.html, archived at https://perma.cc/5SN6-RWP2. Most provisions of the amendment entered into force on July 1, 2017. Besluit van 13 juni 2017, houdende vaststelling van het tijdstip van inwerkingtreding van de Wet van 5 oktober 2016 tot wijziging van de Wet gebruik burgerservicenummer in de zorg, de Wet marktordening gezondheidszorg en de Zorgverzekeringswet (cliëntenrechten bij elektronische verwerking van gegevens) [Decree of 13 June 2017, Determining the Date of Entry into Force of the Law of 5 October 2016 Amending the Use of the Citizen Service Number in Healthcare, the Healthcare Market Organization Act, and the Health Insurance Act (Client Rights in Electronic Data Processing)], Stb. 2016, No. 373, https://zoek.officielebekendmakingen.nl/stb-2017-279.html, archived at https://perma.cc/ZXW3-JA6X.
 Jennifer L. Schenker, Dutch Government Gets Legal OK to Use Blockchain to Connect Healthcare Sector, Innovator (Oct. 1, [2017?]) https://innovator.news/dutch-government-gets-legal-ok-to-use-blockchain-to-connect-healthcare-sector-fb070ad0fa8d, archived at https://perma.cc/ZY7F-428R.
 Marco Iansiti & Karim R. Lakhani, The Truth About Blockchain, Harvard Bus. Rev. (Jan.–Feb. 2017), https://hbr.org/2017/01/the-truth-about-blockchain, archived at https://perma.cc/S3X8-WT5G.
 Schenker, supra note 54.
 Wet van 21 december 2016 tot wijziging van de Telecommunicatiewet, de Boeken 3 en 6 van het Burgerlijk Wetboek, de Algemene wet bestuursrecht alsmede daarmee samenhangende wijzigingen van andere wetten in verband met de uitvoering van EU-verordening elektronische identiteiten en vertrouwensdiensten (uitvoering EU-verordening elektronische identiteiten en vertrouwensdiensten) [Act of 21 December 2016 Amending the Telecommunications Act, Books 3 and 6 of the Civil Code, the General Administrative Law Act and Other Laws Relating to the Implementation of the EU Regulation on Electronic Identities and Trust Services (Implementation of EU Regulation on Electronic Identities and Trust Services)] (2016 Amendment Act), Stb. No. 13 (Jan. 30, 2017), https://zoek.officielebekendmakingen.nl/stb-2017-13.html, archived at https://perma.cc/7763-RMTM.
 Regulation (EU) No. 910/2014 of the European Parliament and of the Council of 23 July 2014 on Electronic Identification and Trust Services for Electronic Transactions in the Internal Market, http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv%3AOJ.L_.2014.257.01.0073.01.ENG, archived at https://perma.cc/2KZS-AHRH.
 2016 Amendment Act art. X, adding a new para. 10 to PDPA art. 34a.
 Regulation (EU) No. 910/2014, supra note 58, art. 3(19). A trust service is defined under art. 3(16) as follows:
an electronic service normally provided for remuneration which consists of:
(a) the creation, verification, and validation of electronic signatures, electronic seals or electronic time stamps, electronic registered delivery services and certificates related to those services; or
(b) the creation, verification and validation of certificates for website authentication; or
(c) the preservation of electronic signatures, seals or certificates related to those services; … .
 Wet van 4 februari 2015 tot wijziging van de Telecommunicatiewet (wijziging artikel 11.7a) (in force on Mar. 10, 2015), art. 11.7a(1), https://zoek.officielebekendmakingen.nl/stb-2015-100.html, archived at https://perma.cc/P7PY-Z2MM.
 Id. art. 11.7a(2).
 Id. art. 11.7a(3).
 Id. art. 11.7a(4). PDPA art. 1(b) defines the processing of personal data as “any operation or set of operations which is/are performed upon personal data, including in any case the collection, recording, organisation, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction of data.”
 Wet van 4 februari 2015 tot wijziging van de Telecommunicatiewet (wijziging artikel 11.7a), art. 11.7a(5).
 Id. art. 11.7a(6).
 Van der Eijk, supra note 9.
 Meldplicht datalekken Wet bescherming persoonsgegevens [Reporting Duty on Data Breaches under the Data Protection Act] (Rules) (in force on Dec. 16, 2015), http://wetten.overheid.nl/BWBR0037346/2015-12-16, archived at https://perma.cc/LA6G-UMVM (with Annex of articles cited from the PDPA).
 Id. The citizen service number (burgerservicenummer, BSN) “is a unique personal number allocated to everyone registered in the Personal Records Database (Basisregistratie Personen, BRP).” Citizen Service Number (BSN), Government of the Netherlands, https://www.government.nl/topics/personal-data/citizen-service-number-bsn (last visited Nov. 20, 2017), archived at https://perma.cc/TY8B-ETUW.
 Rules, supra note 68.
 Van der Eijk, supra note 9; Article 29 Working Party, 693/14/EN WP 213, Opinion 03/2014 on Personal Data Breach Notification (adopted Mar. 25, 2014), http://ec.europa.eu/justice/data-protection/article-29/documentation/ opinion-recommendation/files/2014/wp213_en.pdf, archived at https://perma.cc/PTN2-UYMQ.
 Wet van 26 juli 2017, houdende regels met betrekking tot de inlichtingen- en veiligheidsdiensten alsmede wijziging van enkele wetten (Wet op de inlichtingen- en veiligheidsdiensten 2017) [Act of 26 July 2017, Containing Rules on the Intelligence and Security Services and Amendment of Some Other Laws (Intelligence and Security Services Act 2017)] (Wiv), Stb. No. 317 (Aug. 17, 2017), https://www.eerstekamer.nl/9370000/1/j9vvkfvj6b 325az/vkgudfl6pgy4/f=y.pdf, archived at https://perma.cc/C3WN-AG2F.
 Dutch Pass ‘Tapping’ Law, Intelligence Agencies May Gather Data en Masse, Cetusnews.com (July 11, 2017), http://www.cetusnews.com/news/Dutch-pass-%27tapping%27-law--intelligence-agencies-may-gather-data-en-masse.rJeqq_0Mrb.html, archived at https://perma.cc/NL6T-3W97.
 Wiv, preamble.
 Besluit van 19 augustus 2017 tot vaststelling van het tijdstip van inwerkingtreding van enkele onderdelen van de Wet op de inlichtingen- en veiligheidsdiensten 2017 [Decision of 19 August 2017 Determining the Date of Entry into Force of Some Parts of the Intelligence and Security Services Act 2017], Stb. No. 318 (Aug. 25, 2017), https://www.eerstekamer.nl/9370000/1/j9vvkfvj6b325az/vkh37qglhlye/f=y.pdf, archived at https://perma.cc/M2TR-XHXX.
 Dutch Pass ‘Tapping’ Law, Intelligence Agencies May Gather Data en Masse, supra note 78.
 Press Release, Ministerie van Binnenlandse Zaken en Koninkrijksrelaties, Eerste Kamer stemt in met nieuwe Wet op de inlichtingen- en veiligheidsdiensten [First Chamber Votes in Favor of New Law on Information and Security] (July 11, 2017), https://www.rijksoverheid.nl/ministeries/ministerie-van-binnenlandse-zaken-en-koninkrijks relaties/nieuws/2017/07/11/eerste-kamer-stemt-in-met-nieuwe-wet-op-de-inlichtingen--en-veiligheidsdiensten/, archived at https://perma.cc/C56C-FQQQ.
 Wiv arts. 32 & 33.
 Id. art. 97 paras. 1 & 2.
 Press Release, Kiesraad, Referendum over Wiv gaat door [Referendum on Wiv Continues] (Nov. 1, 2017), https://www.kiesraad.nl/actueel/nieuws/2017/11/01/referendum-over-wiv-gaat-door, archived at https://perma.cc/R7J6-E6TU. According to the Electoral Council, it is likely that the referendum will coincide with the holding of municipal elections on March 21, 2018. Id. See also Kenneth Hall, Netherlands to Hold Referendum on Surveillance Law, Jurist Paper Chase (Nov. 1, 2017), http://www.jurist.org/paperchase/2017/11/netherlands-to-hold-referendum-on-surveillance-law.php, archived at https://perma.cc/LUG3-5GHL.
 Press Release, Kiesraad, Beroep niet-ontvankelijk: referendum Wiv definitief [Action Inadmissible: Wiv Referendum Final] (Nov. 10, 2017), https://www.kiesraad.nl/actueel/nieuws/2017/11/10/beroep-tegen-besluit-over-referendum-wiv-niet-ontvankelijk, archived at https://perma.cc/N3HC-V5KP.
 Wet van 30 september 2014, houdende regels inzake het raadgevend referendum (Wet raadgevend referendum) [Act of 30 September 2014, Concerning Rules for the Consultative Referendum (Consultative Referendum Act] (as last amended effective Apr. 1, 2017), art. 2, http://wetten.overheid.nl/BWBR0036443/2017-04-01, archived at https://perma.cc/X4A4-ZJ4K.
 Press Release, Kiesraad, Referendum over Wiv gaat door, supra note 86.
 Wet raadgevend referendum art. 3.
 Data Retention: Netherlands Court Strikes Down Law As Breach of Privacy, The Guardian (Mar. 11, 2015), https://www.theguardian.com/technology/2015/mar/12/data-retention-netherlands-court-strikes-down-law-as-breach-of-privacy, archived at https://perma.cc/ZK2R-RQB5.
 Id.; David Meyer, Dutch Court Suspends Metadata Surveillance Law over Privacy, TechEU, http://tech.eu/news/ dutch-court-suspends-data-retention-law/ (last visited Dec. 14, 2017), archived at https://perma.cc/ML8E-EHPD; Danny O’Brien, Data Retention Directive Invalid, Says EU’s Highest Court, Electronic Frontier Foundation (Apr. 8, 2014), https://www.eff.org/deeplinks/2014/04/data-retention-violates-human-rights-says-eus-highest-court, archived at https://perma.cc/27FA-PMHS.
 Press Release, Ministry of Justice and Security, Senate Supports Storing Vehicle Registration Data (Nov. 21, 2017), https://www.government.nl/ministries/ministry-of-justice-and-security/news/2017/11/21/senate-supports-storing-vehicle-registration-data, archived at https://perma.cc/ZX5X-XU7N.
Last Updated: 04/05/2018