Annual Review of Privacy 2022

2022 was a year in which the (European) legislator, judges and regulators made plenty of noise in the field of privacy law. Numerous legislative initiatives at both the European and national levels saw the light of day, and more than once did the Dutch Data Protection Authority advise the Dutch legislator to pay more attention to the protection of the (privacy) rights of citizens and not to use legislative proposals as a license to collect personal data. More clarity on the interpretation and application of the GDPR was provided by both case law and through the recommendations and guidelines of the data protection regulators. In addition, quite a few (high) fines were imposed in 2022 for violations of the GDPR. In this annual review you will find a selection of the developments in 2022 and at times an advance on what is to come in 2023.

Laws and regulations

European level

International data transfer

More than two years ago, the Court of Justice of the European Union (CJEU) declared the Privacy Shield invalid in the Schrems II ruling. The European Commission and U.S. President Biden subsequently announced their intention to create a new Privacy Shield (2.0). Before this is possible, changes must first be made to U.S. laws and regulations, and legal protection of data subjects by an independent judge must be sufficiently guaranteed. In this context, President Biden signed a presidential decree on October 7, 2022, which contains safeguards for more secure data transfers to America. In December, the European Commission subsequently published the draft adequacy decision for transfer to America. This draft will first have to pass through European regulators, member states and the European Parliament for approval.

At the end of 2022, the old Standard Contractual Clauses (SCCs), which were still based on Directive 95/46/EC, also became invalid. Following the entry into force of the GDPR and the Schrems II‑ ruling from 2020, the new SCCs were published in 2021 and may now be used exclusively.  

ePrivacy

The legislative process for the ePrivacy Regulation has proven to be a difficult process. The ePrivacy Regulation covers electronic communications and includes, among others, rules on the use of metadata, cookies and direct marketing. The original proposal dates back to 2012, and since 2021 the European Commission, European Parliament and European Council have been negotiating a final text. Perhaps there will be more to report in the next annual review.

Digital Services Act & Digital Markets Act

The Digital Services Act (DSA) and the Digital Markets Act (DMA) came into effect on Nov. 1, 2022. The DSA imposes responsibilities on “online services,” which include intermediaries, social media, hosting services and online platforms. The DSA builds on the E-commerce Directive (2000/31/EU) and online service providers that fall within the scope of the DSA have time to comply until January 1, 2024.

The DMA aims to curb the power of platforms designated as gatekeepers and create a fairer digital playing field. A gatekeeper is a platform that has significant impact on the internal market, control over an important gateway for business users to final consumers and has an entrenched and durable position. Large online platforms and search engines that fall within the scope of the DMA are expected to be designated by the European Commission in mid-2023 and then have four months to comply with the obligations from the DMA.

Artificial Intelligence Act

On April 12, 2021, the European Commission proposed an Artificial Intelligence Act (AI Regulation), which lays down rules for the use of Artificial Intelligence (AI) and the development of AI systems. Based on the risks posed by AI systems, they may be determined to be banned or must comply with certain requirements and obligations. When personal data is suspected to be processed by an inadequate AI system, data subjects can invoke their rights under the GDPR. The aim is to reach a final agreement on the text of the AI Regulation in the fall of 2023, after which providers of AI systems will be given a deadline to begin complying with the obligations under the AI Regulation.  

Data Act & Data Governance Act

On February 23, 2022, the European Commission published the Data Act (DA) that provides rules for fair access to and use of data within the EU. This Data Act aims to promote data exchange within the EU and across sectors, but this may involve personal data. The supervisory authorities emphasize that the GDPR always takes precedence when using personal data. Negotiations on the proposal are not expected to be completed until spring 2023 at the earliest.

There is close connection between the Data Act and the Data Governance Act (DGA), the final text of which was published on June 3, 2022. The DGA aims to increase the amount of data available for (re)use. This primarily involves regulating the reuse of government data, but may include personal data. The DGA came into force on June 23, 2022, and will apply from September 2023.

European Health Data Space

European ‘Data Spaces’ are intended to make data more available in the future for use in the economy and  society. Within such Data Spaces, both data users and data providers should be able to share, exchange and use data. One of the 10 sectors within which Data Spaces should be created is the health sector. On May 3, 2022, a proposal for a Regulation on a European Health Data Space was published. The purpose of this Regulation is to give individuals greater ability to access and control their electronic health data through digital means, both at a national and EU level. The Regulation contains specific rules that take into account the high sensitivity of medical personal data. However, the EDPB and EDPS still see areas where the proposal needs to be improved. For example, it should be clearer for which purposes the data may be used and the supervisory authorities advocate an obligation to process health data within the EU. Negotiations on the final text of the regulation are underway in Brussels, and it is not expected to become applicable until mid-2024 at the earliest.

Cybersecurity

The year 2022 featured a lot of work on the new NIS Directive (NIS-2), which will replace NIS-1. NIS-2 contains security obligations for digital service providers and aims to increase the resilience of EU member states’ networks and information systems. NIS-2 has a much broader scope than NIS-1 and therefore becomes relevant for many organizations. The Netherlands has until October 3, 2024 to implement this Directive into national law.

The Digital Operational Resilience Act (DORA) aims to increase the digital resilience of the financial sector and mitigate cyber threats. DORA sets requirements for the security of network and information systems of financial firms. DORA is expected to become applicable beginning in the second quarter of 2025.  

The European Commission presented the proposal for the Cyber Resilience Act (CRA) on September 15, 2022. This Regulation introduces a duty of care for manufacturers regarding the cyber security of hardware and software with digital elements for the entire lifetime of the products. It is possible to provide feedback until January 23, 2023, after which further work will be done on a final text proposal.

National level (Netherlands)

Data Protection Act

The Data Protection Bill (in Dutch: Verzamelwet gegevensbescherming) contains amendments to the Dutch GDPR implementation act  (“UAVG” in Dutch: Uitvoeringswet AVG) and some other laws following an initial survey of experiences with the UAVG. Incidentally, the Bill does not take into account the observations from the study ‘Bescherming gegeven? Evaluatie UAVG, meldplicht datalekken en de boetebevoegdheid‘ (only available in Dutch), which was published in June 2022. A few important changes are that minors between the ages of 12 and 16 can independently exercise the rights under the GDPR and rules will be included to clarify the transfer of medical records by caregivers and non-caregivers. The bankruptcy law will clarify that the bankruptcy trustee may process (special) categories of personal data when performing his legal duties. The bill was submitted to the House of Representatives on December 22, 2022.

Accounting Industry Future Act

The proposed Future of Accountancy Act regulates, for quality control purposes, that reviews of individual accountants’ work be published by name. According to the Dutch Supervisory Authority (In Dutch: the Autoriteit persoonsgegevens or AP), this is a major invasion of accountants’ privacy and the AP questions the subsidiarity of the measure. After all, quality control could also be arranged for at the level of the accountancy firm. Moreover, sufficient safeguards are necessary for accountants to defend themselves against a review or publication thereof. The bill has been amended in the sense that a retention period can be established by a formal decision of the government (in Dutch: algemene maatregel van bestuur). Furthermore, the bill clarifies the purpose and necessity of data processing. On November 30, 2022, the Council of State issued its opinion. Now we await for the bill to be presented to the House of Representatives.

Bill for data processing by partnerships

In the Annual Review 2021, we already wrote about this bill that aims to create a basis for the systematic processing of personal data (including profiling) by public and private partnerships that process personal data for important public interests. The bill is still pending before the Senate. The AP previously advised the Senate not to adopt the bill.

Law addressing multiple problems

This bill (in Dutch: Wet aanpak meervoudige problematiek) aims to eliminate bottlenecks in data exchange and privacy when dealing with multiple problems in the social domain. The bill provides for legal tasks for the college of mayors and aldermen for investigation, planning and coordination in multiple problems in the social domain. The bill has not (yet) been submitted to the House of Representatives at this time.

Healthcare

On September 27, 2022, the Bill on Electronic Data Exchange in Healthcare (in Dutch: Wet elektronische gegevensuitwisseling in de zorg or Wegiz) was passed in the House of Representatives. On the basis of this bill, specific data exchanges in healthcare can be appointed to at least take place electronically. In addition, language and technical requirements may be imposed for specific data exchanges, such as the mandatory use of an information technology product or service that is certified.  The bill is currently before the Senate for consideration.

The proposed Care Quality Registration Act (in Dutch: wetsvoorstel Wet kwaliteitsregistraties zorg or Wkz) lays the basis for the compulsory and lawful supply of (special) personal data by healthcare providers, without the client’s consent, for the purpose of quality registrations in healthcare. The Netherlands Healthcare Institute will be given the task of including quality registrations, which have been determined to serve the measurement and improvement of the quality of care and thus the public interest, in a (new) register for quality registrations. Finally, this bill provides for the legal duty for healthcare providers, in case a quality registration is included in the register for quality registrations of the Healthcare Institute (in Dutch: Zorginstituut Nederland), to provide the requested information to (the data processor of) the quality registration in question. The bill was submitted to the House of Representatives on December 16, 2022.

The Digital Government Act  (in Dutch: Wet Digitale Overheid or WDO) aims to ensure that Dutch citizens and companies can log in securely with the (semi-)government, including healthcare institutions. The original bill has been amended by means of a so-called novella and has been submitted for (plenary) consideration in the Senate.

Case Law

European level

The CJEU made several rulings on the interpretation of the GDPR in 2022 that are interesting and relevant to practice.

GDPR applicable to providing information to tax authorities for the purpose of combating tax fraud and tax collection

The Latvian Tax Administration makes a request to an Internet advertising provider to periodically provide data on cars offered (including chassis numbers and information about the advertisers), for the purpose of tax collection and combating tax fraud. The provider refused to cooperate with this request invoking the GDPR. The CJEU rules on February 24, 2022 that this processing of personal data for tax purposes falls within the scope of the GDPR. The tax authority and the provider must therefore comply with the GDPR, which according to the CJEU means, among other things, that (i) a request by the tax authority must state the specific purposes, (ii) also a tax authority cannot deviate from the principles in the GDPR unless a national law complying with Art. 23 GDPR offers that possibility, and (iii) bulk transfers are not excluded, provided that the conditions of the GDPR are met, such as necessity and proportionality.

Supervisor’s competence regarding the processing of personal data by courts

In response to a preliminary question from a Dutch court, the CJEU addresses the limitation of the competence of the national supervisor with respect to the processing of personal data by courts (Article 55(3) GDPR) in the judgment of March 24, 2022. The reason for the questioning was that the Dutch Supervisory Authority was asked to review the lawfulness of the court making procedural documents containing personal data available to a journalist. The CJEU explains that the restriction in Article 55(3) GDPR should be interpreted broadly and covers all processing by courts in the exercise of their judicial activities. It can be inferred from the ruling that the Dutch Supervisory Authority is not competent to supervise processing operations where the supervision by the Dutch Supervisory Authority could directly or indirectly affect the independence of (the members of) courts or their decisions.

Collective actions

In German proceedings, the question arose as to whether an interest group could take action against Meta Platforms Ireland. In the April 28, 2022 judgment, the CJEU ruled that Article 80(2) of the GDPR allows Member States to provide by law that interest groups can bring an action (within the limits of the GDPR) for a breach of the GDPR without an order from the data subjects. Interestingly, under this article, the recognition of standing to sue does not require that a data subject be individually identified; reference to a group or category is sufficient. Nor is it required that there be a concrete violation of a data subject’s rights, according to the CJEU. In the Netherlands, the legislator has not yet made use of the possibility offered by Article 80(2) GDPR.

Dismissal protection officer

In Germany, there is a regulation on the basis of which it is not permitted to dismiss a data protection officer unless there are important reasons. The CJEU points out in the June 22, 2022 judgment that this regulation goes beyond the dismissal protection required under Article 38(3) GDPR. However, according to the CJEU, member states are free to provide increased protection, provided it does not undermine the achievement of the objectives of the GDPR.

Broad interpretation of the concept of special personal data

To prevent corruption and conflicts of interest of decision-makers in the public sector in Lithuania, information about the private interests of these decision-makers is published on the website of the public institution. The CJEU considers in the August 1, 2022 judgment that the transparency thus provided is appropriate to contribute to these objectives. However, it continues that insufficient care was taken to assess whether the processing of personal data is necessary to meet those objectives. Moreover, it considers that from the data published about the decision-maker’s partner, information about their sexual behavior/direction can be indirectly inferred. The CJEU therefore concludes that the publication of these data on the website constitutes processing of special personal data within the meaning of Article 9(1) GDPR.

Right to compensation

On October 6, 2022, the Opinion of Advocate General (A-G) to the CJEU Campos Sanchez-Bordona was published in proceedings in which the Austrian court raised preliminary questions as to whether the mere violation of the GDPR – without any harm being suffered by the data subject – is sufficient to give rise to a right to damages for the data subject. According to the A-G, that question should be answered in the negative. This is in line with the Supreme Court’s 2019 EBI ruling. Following the A-G’s opinion, it is now up to the ECJ to rule. That ruling is eagerly awaited, as the ECJ’s ruling is likely to be significant for the many compensation proceedings being conducted under the GDPR.

Further processing of personal data for test database

In the judgment of October 20, 2022, the CJEU addresses the question of whether the further use of personal data in a test database set up for testing and error correction is compatible with the principles of purpose limitation and storage limitation from Article 5 GDPR. According to the CJEU, these principles do not generally preclude the establishment of a test database, but in a concrete case there must be compatibility between the original processing purpose and the processing of personal data in the test database, and the personal data in the test database must not be kept longer than necessary to carry out that test and rectify the errors. The CJEU provides the frameworks for assessing compatibility, but leaves the decision on compatibility in the concrete case to the referring court.

Consent and the ePrivacy Directive

Under Article 12(2) of the ePrivacy Directive, consent must be obtained for the publication of personal data in a public telephone directory. According to the CJEU, the subscriber gives consent in accordance with the GDPR for the purpose of publication in a public directory. Provided that the subscriber is properly informed about it, according to the CJEU’s judgment of October 27, 2022, this consent then applies to subsequent processing of the subscriber’s personal data by third-party companies.

UBO register

The CJEU finds that making information about the beneficial owner (UBO) available to the general public constitutes a serious interference with the privacy of the individual. The obligation in the Anti-Money Laundering Directive (in Dutch: antiwitwasrichtlijn) to make this information publicly available to everyone is insufficiently substantiated and therefore invalid in light of the Charter. As a result of this ruling, the UBO register is no longer publicly available for the time being. However, the obligation to register UBOs remains.  

Right to be forgotten

Furthermore, on December 8, 2022, the ECJ ruled on the removal right for search results in search engines that on the basis of Article 17(3)(a) GDPR (i) the balancing of interests between freedom of expression and privacy does not require that preliminary clarity has been obtained as to the accuracy of the linked information and (ii) that the informative value of the photo must be taken into account when assessing a removal request in respect of thumbnail photos placed with a text, irrespective of the context of the publication, but that in doing so all text placed directly with the display of these thumbnails should be taken into account that is relevant and can provide more clarity on the informative value. 

National level

The number of judgments published on jurisprudence.com in 2022 in which the term GDPR appears has risen to 424, an increase of over 30% compared to 2021. Below is an overview of several interesting rulings from 2022.

Collective actions

In late 2021, the Amsterdam District Court ruled that The Privacy Collective was inadmissible in its collective claim under the Mass Tort Claims Settlement Act (in Dutch: Wet afwikkeling massaschade in collectieve acties or WAMCA) against Oracle and Salesforce, which, according to The Privacy Collective, unlawfully collect and use personal data of millions of Dutch citizens. On March 28, 2022, the Privacy Collective appealed this ruling.

In the proceeding(s) against TikTok, filed in 2021, the court declared jurisdiction to hear the substance of the dispute on November 17, 2022. The three plaintiffs were required to take a deed December 21, 2022, on the designation of one of them as exclusive advocate and to have submitted the financing agreement with the litigation financier to the court by the same date. On February 1, 2023, TikTok must take a deed and rule on (among other things) the exclusive advocate who becomes its counterparty.

Provision of name and address information

BREIN Foundation claims that Internet service providers, including Ziggo, forward warnings to frequent and long-term uploaders whose IP addresses BREIN has detected. On October 11, 2022, the Arnhem-Leeuwarden Court of Appeal ruled in summary proceedings that such linking of NAW data with IP addresses as supplied by BREIN constitutes processing of personal data under criminal law within the meaning of Article 10 of the GDPR. According to the court, Ziggo has no basis for processing these personal data, as a result of which Brein’s claim must be rejected.

Legitimate interest

In 2020, the Dutch Supervisory Authority imposed a fine of 575,000 Euros on VoetbalTV because it would only serve a purely commercial interest with its data processing and such an interest cannot be seen as a legitimate interest, according to the Dutch Supervisory Authority. On July 27, 2022, the Administrative Law Division of the Council of State (in Dutch: Raad van State) ruled on appeal that it is up to VoetbalTV to substantiate what the interest in the data processing is. VoetbalTV argues that it also has other interests that are not of a commercial nature, so there is no question of a purely commercial interest. The Dutch Supervisory Authority should have considered these other interests as well but failed to do so. The appeal lodged by the Dutch Supervisory Authority was declared unfounded by the Council of State. The court‘s ruling was upheld and the fine therefore remained entirely off the table. The question of whether an exclusively purely commercial interest in itself can be a legitimate interest is unfortunately not answered by the Council of State. Perhaps more clarity on this will be obtained in 2023 as the Amsterdam court has asked preliminary questions on the interpretation of legitimate interest in proceedings by the Royal Dutch Lawn Tennis Association (In Dutch: Koninklijke Nederlandse Lawn Tennis Bond or KNLTB) against the Dutch Supervisory Authority.

Rights of data subjects

Right of inspection

In response to a request for inspection, the Leeuwarden Court of Appeal addressed the question of the role of the Administrative Integrated Approach to Organized Crime North Netherlands (in Dutch: Bestuurlijke Geïntegreerde Aanpak Georganiseerde Criminaliteit Noord-Nederland or RIEC NN), a partnership of government organizations, in its judgment of February 22, 2022. The court ruled that RIEC NN has an instrumental role and does not influence the purpose and means of processing personal data. Therefore, it is not a (joint) controller and does not have to comply with a request for inspection directed against it.

The College of Mayor and Aldermen of Ede (in Dutch: college van Burgemeester en Wethouders van Ede) wrongfully did not qualify a request that was included in a letter that also contained an objection as a request for inspection within the meaning of Article 15 of the GDPR, according to the Council of State in its ruling of March 9, 2022. Indeed, the applicant had included a separate heading called “request for inspection. Moreover, copies of personal data were requested. That only physical copies were requested does not make the qualification different. On the position that there is an abuse of right, the Council of State reiterates that for a successful appeal to this, there must be more to it than just excessive reliance on a government facility.

A request that relates to the provision of a complete (process) file and procedural documents in the context of the reassessment of a situation with regard to childcare benefits cannot, according to the Zeeland-West-Brabant District Court in its ruling of June 30, 2022, be regarded as an GDPR request concerning the taking note of (the processing of) personal data. An explicit reliance on the GDPR does not make this different.

A father’s request for access to his children’s address was rightly denied according to the June 1, 2022 State Council ruling. This is because the father is not making this request on behalf of his children, but as a third party. He therefore has no right to access the address information. 

On July 13, 2022, the Council of State ruled that, in light of the 2017 ECJ Nowak judgment, in principle, access must be granted to internal correspondence because it qualifies as personal data. This internal correspondence of the (in Dutch: Immigratie- en Naturalisatiedienst or IND) on a language analysis is not equated by the Council of State with a legal analysis in a minute (as in this 2014 ECJ judgment). A legal analysis involves an analysis of data about a person for the purpose of a decision to be made by the State Secretary. That is not what the internal correspondence in this case satisfies. The Council of State then ruled that it is impossible to see why the internal correspondence cannot be checked for accuracy and ordered the State Secretary to make a new decision.

The existence of a statutory duty of secrecy, for example as in this case under the Money Laundering and Terrorist Financing (Prevention) Act (In Dutch: witwassen en financieren van terrorisme or Wwft), means, according to the Amsterdam Court of Appeal in its July 26, 2022 ruling, that access may only be refused with respect to the data to which that secrecy relates. The data subject does have the right to inspect the personal data not covered by the legal obligation of secrecy.

Right to be forgotten

On February 25, 2022, the Supreme Court will consider a removal request that concerns search results that refer to disciplinary personal information on the website “zwartelijstartsen.nl”. The right of freedom of expression prevails more quickly if it concerns a publication about the professional capacity of the person concerned and the information finds sufficient support in the facts. The Supreme Court leaves open whether disciplinary data is covered by Article 10 GDPR, because it does not change the standard for assessing the removal request.

A request for erasure of personal data may be rejected to the extent that the personal data are necessary for the establishment, exercise or support of a legal claim (Art. 17(3)(e) GDPR). The Council of State clarified on July 20, 2022, considering other language versions and the purpose of the GDPR, that it also includes the defense of a legal claim.

Identification of the applicant

Also in 2022, the Council of State reiterates that the production of a copy passport is in principle considered a reasonable measure to verify the identity of an applicant. This is in contrast to what the European Data Protection Board (EDPB) notes in the consultation version of the guidelines on the right of access, namely that requesting a copy of identification as such should be considered inappropriate unless it is strictly necessary and appropriate under circumstances and in accordance with national law. Furthermore, the Council of State considers that if the data subject has refused to identify himself, it is not possible to grant the request and this leads to the rejection of the request.

Repeated requests

In a decision of June 2, 2022, the Den Bosch court of appeal follows the line of the Hague court of appeal, namely that filing a repeated removal request does not circumvent the exceeding of the six-week period for filing a petition in Article 35 (2) UGDPR. In doing so, the Den Bosch court of appeal explicitly deviates from the line taken by the Amsterdam court of appeal in 2019, according to the Den Bosch court of appeal.  

Damages

In 2022, only a limited number of cases will be awarded damages for a violation of the GDPR. On January 6, 2022, the District Court of Noord-Holland awarded equitable damages of 400 euros for the unlawful disclosure of medical and confidential and, moreover, partially incorrect data about a data subject. However, the court leaves open whether there is a violation of the GDPR because it has been sufficiently established that the act was done with what is customary according to unwritten law in social intercourse and thus a wrongful act on the basis of Art. 6:162 paragraph 2 of the Dutch Civil Code.

On February 25, 2022, the Subdistrict Court of Rotterdam awarded 250 euros in damages under Art. 82 GDPR. An Excel sheet containing contact details and sensitive financial data (including income and assets) had been wrongfully shared with “only” a group of 1100 people. The Zeeland-West Brabant District Court ruled on September 21, 2022, that a hospital was liable in tort because with respect to the monitoring of the logging of patient records, appropriate security measures had not been taken as required under the GDPR. The court awards equitable damages of 2,000 euros to the data subject for immaterial damages suffered due to a breach of the protection of her personal data.

Supervisors

European level

European Data Protection Board (EDPB)

Recommendation

The EDPB published new recommendations on the use of Binding Corporate Rules on November 17, 2022.  Among other things, it writes about the requirements for applying for Binding Corporate Rules, incorporating the implications for international transmission following the Schrems II ruling. It also includes a new, standard application form. This is a consultation version, which was open for comments until January 10, 2023.

Guidelines

The consultation version of the guidelines on the right of inspection was published on January 18, 2022. This provides more clarity on what the right of inspection entails and the scope of a request. There has been discussion (in the Netherlands) about the strict interpretation of the EDPB regarding requesting a copy of an identification document which, according to the EDPB, is usually an unreasonably burdensome remedy. However, the Council of State has repeatedly ruled that this is a permissible means for the verification of an applicant’s identity by an administrative body.

The March 14, 2022 consultation version of the Dark Patterns guidance describes different examples of dark patterns. With dark patterns, data subjects are influenced to make choices that may negatively affect the processing of their personal data. The social media interfaces appear to comply with the GDPR requirements, but are actually in violation of them in terms of content.

On March 14, 2022, the EDPB published the Guidelines on the Application of Article 60 GDPR, which elaborates on the cooperation between leading supervisory authorities and other relevant supervisory authorities under the “one-stop-shop mechanism.” These guidelines are relevant in cross-border data processing and cross-border supervision.

The EDPB states in the May 12, 2022 consultation version of the Guidelines on the Use of Facial Recognition Technology in Law Enforcement that the use of facial recognition technology is a serious breach of data subjects’ privacy rights. Therefore, according to the EDPB, all rules related to data protection should be followed. Some forms of facial recognition technology should be eliminated, according to the EDPB.

After publication of the guidelines with examples of data breaches in December 2021, it was found that there was also a need to clarify the notification requirements. Therefore, in October 2022, the EDPB released the Guidelines on Data Breach Notification under the GDPR.

Opinions

The EDPB and the European Data Protection Supervisor (EDPS), the latter overseeing the processing of personal data by EU institutions, bodies, offices and agencies, issued a joint opinion on July 12, 2022, on the proposal for a regulation on the European health data area. In the opinion, they recommend clarifying the relationship with other laws, providing clarity on the use of data and making the processing of health data mandatory in the EU.

On July 28, 2022, the EDPB and the EDPS recommend that the European Commission amend a new European legislative proposal requiring communications services to scan communications for child abuse. The bill raises the risk of communication services watching all communications between people in the EU.

Harmonization

With the consultation version of the Guidelines on the calculation of administrative fines under the GDPR dated May 12, 2022, the EDPB wishes to outline a more harmonious framework for the calculation of administrative fines for national authorities regulated under Article 83 of the GDPR. The guidance complements the previously adopted 2017 guidelines and the final version will be published after processing responses to the consultation version.

The EDPB also sought to contribute to further harmonization in the field of international supervision and cooperation by national supervisors in 2022, including through the guidelines on the application of Article 60 GDPR. In addition, on October 10, 2022, the European Commission sent a letter to the European Commission with a list of procedural aspects of supervision that could be considered for further harmonization at the EU level and asked for their consideration. In doing so, the EDPB hopes to smooth out the procedural aspects of supervision that currently differ among European member states.

National level

Dutch Supervisory Authority (AP)

Four years after the GDPR became applicable, the Dutch Supervisory Authority is no longer always able to accomplish all of its tasks within a reasonable time. By its own admission, the Dutch Supervisory Authority is “severely understaffed, and the National Ombudsman expresses persistent concerns about the Dutch Supervisory Authority’s complaint handling.

Advice and handouts

On June 28, 2022, the Dutch Supervisory Authority recommended on several occasions to limit the possibility of processing personal data. For example, the Dutch Supervisory Authority recommended amending the Reuse of Government Information Act (in Dutch: Wet hergebruik van overheidsinformatie or Who) because the amendment to the law creates the risk of sharing personal data without the consent or knowledge of data subjects. Too few limits are placed on making personal data from government data available for reuse, according to the Dutch Supervisory Authority.

On July 19, 2022, the Dutch Supervisory Authority advised the Cabinet that the government may no longer simply forward churches personal data of church members from the Personal Records Database (in Dutch: Basisregistratie Personen or BRP). This is because providing personal data from the BRP to churches serves no public interest and is not necessary.

Also, the processing of personal data as described in the draft bill ‘Money Laundering Plan’ (in Dutch: ‘Plan van aanpak witwassen’) is not bounded enough. According to the Dutch Supervisory Authority – in its December 2019 opinion that became public in October 2022 – this law could open the door to unprecedented mass surveillance of Dutch citizens if the objections are not removed. The proposed system would essentially amount to a banking dragnet.

In response to the publication on August 29, 2022 of the new government-wide cloud policy, the Dutch Supervisory Authority informed State Secretary for Digitalization Van Huffelen by letter on November 11, 2022 that if the government wants to store government data with commercial cloud services, this will entail major privacy risks. According to the Dutch Supervisory Authority, the cabinet should work with this in the further elaboration of the policy.


Furthermore, on November 7, 2022, the Dutch Supervisory Authority published two guides for city council members on how to monitor the use of technology and participate in partnerships. Both handouts are supplements to the handout ‘Municipalities and privacy: what can you do as a council member?’ (in Dutch: ‘Gemeenten en privacy: wat kunt u als raadslid doen?’) from May 18, 2022. Since municipalities often share personal data with other parties, it is important to consider the privacy of those involved.

Enforcement

The Dutch Supervisory Authority again imposed several fines in 2022 and – as far as published – refrained from doing so in one case.

For the unnecessary processing of too much personal data, the Dutch Supervisory Authority imposed a fine of 525,000 euros to DPG Media on February 24, 2022, because it routinely asked data subjects who wanted to view their data or have it removed to first upload a copy of their identity document and did not indicate that parts of the identity document (such as photo and the social security number) could be shielded.  According to the Dutch Supervisory Authority, DPG Media should have first checked whether it did not already have (identifying) (contact) information and, in addition, should have considered the nature and amount of personal data. Requesting a copy of an identity document was in this situation too heavy a means, according to the Dutch Supervisory Authority.

Spanish regulator Agencia Española de Protección de Datos (AEPD) has fined a Spanish hotel 30,000 euros. A Dutch hotel guest had filed a complaint because the hotel was illegally storing and distributing guests’ passport photos. The Dutch Supervisory Authority then launched an investigation with the AEPD, which resulted in the fine.

On April 7, 2022, the highest fine to date was imposed. The Tax Authority was fined 3.7 million Euros  for illegally processing personal data in the Fraud Signaling Facility for years. This was a blacklist on which the Tax Authority kept track of signals of fraud. This often had major consequences for the people who were wrongfully on the list.     

The Ministry of Foreign Affairs was fined 565,000 euros on February 24, 2022, for violating the law in granting visas for years, on a large scale and in a serious manner. The Ministry did not inform visa applicants which third parties their personal data was shared with, and security was substandard, allowing unauthorized persons to view and modify files.

The Dutch Supervisory Authority refrained from imposing a fine on Municipal Health Service GHOR Nederland and/or the two Municipal Health Services investigated for substandard security in the processing of personal data in the context of the corona pandemic, it informed by letter on September 29, 2022. Sufficient improvement measures have been taken, but, the Dutch Supervisory Authority notes, security of personal data is not a one-time exercise but an ongoing process.

On December 21, 2022, the Dutch Supervisory Authority imposed a fine of 50,000 euros on the Chief of Police. During Covid-19 camera cars were deployed in Rotterdam with which detailed images of people were collected and stored, with the aim of being able to check whether people were keeping a distance of 1.5 meters. The deployment of these camera cars was done without first mapping the privacy risks and, moreover, was by no means always necessary. In imposing the fine, the Dutch Supervisory Authority takes into account the fact that the deployment took place at the beginning of the corona pandemic outbreak in March 2020 and that there is ambiguity about the scope of the basis in the Police Data Act. The Dutch Supervisory Authority is still coming up with a standards explanation on the relevant section of the law.

Approval decisions

In early 2022, the Dutch Supervisory Authority granted STI AIDS Netherlands a license to set up and manage the online platform for sex workers Ugly Mugs Netherlands. Through this platform, sex workers can report violence by clients and investigate clients themselves.

On April 19, 2022, the Dutch Supervisory Authority decided to approve Netbeheer Nederland’s Slim Netbeheer code of conduct. The code of conduct deals with the processing of personal data (metering data) for the statutory task of network operators. The Dutch Supervisory Authority does attach a suspensive condition to the approval because the required supervisory body is not yet in place.

Other

The Dutch Supervisory Authority in November 2022 warned visitors to the Qatar World Cup soccer tournament to pay close attention to their digital security and, in that context, about mandatory installation of tracking apps that are likely to collect information about users without users’ knowledge.

On October 25, 2022, the Government Gazette published the cooperation protocol between the Dutch Supervisory Authority and De Nederlandsche Bank (DNB), which lays down agreements on matters affecting each other’s supervision, the exchange of information for its benefit with respect to payment services and joint cooperation in a broad sense.

Want to know more?

If so, please contact one of our specialists.