7 Things the Dutch Want to Change About the GDPR

Burden reduction for SMEs whilst taking on tech giants’ data power

From its LGBT rights, to its soft drugs policy – the Netherlands is widely known for its tolerance. However, when it comes to data protection, the Dutch Government seems to be taking a firm stance. In a recent Letter to Parliament, Minister for Legal Protection Sander Dekker announced that he has brought to the attention of the European Commission seven points on which he believes the General Data Protection Regulation (GDPR) should be evaluated and, ultimately, revised to ensure adequate data protection. The points were brought forth as part of the ongoing GDPR evaluation by the European Commission, which is scheduled to present its Evaluation and Impact Assessment Report to the European Parliament on 25 May 2020.

In addition to the 7 points brought to the European Commission by the Dutch Government, Minister Dekker, in his Letter to Parliament, highlighted important points he seeks to have revised in the country’s own GDPR Implementation Act (Uitvoeringswet Algemene Verordening Gegevensbescherming, UAVG), for which changes in the GDPR are not required. Such points include the use of personal data for profiling in online advertising and automated decision-making with the result of price differentiation in products and services between groups, and potentially even, exclusion from products and services for some – all of which are concerns that are felt more widely among EU Member States.1)Malgieri, ‘Automated decision-making in the EU Member States: The right to explanation and other “suitable safeguards” in the national legislations’, in: Computer Law & Security review, 35:5, 2019.

With regard to the GDPR, the Dutch Government proposes evaluation and revision on at least 7 points, including:

1. Burden reduction for Small-Medium Enterprises (SMEs)
In response to the objections made by umbrella organizations that SMEs are struggling – sometimes to the point of interference with their business activities – with their registry duties, Minister Dekker aims to put the SMEs position on the Commission’s agenda.

2. Preventing the extraterritorial effect of national implementation acts
Several Dutch Acts implementing EU law have extraterritorial effect, meaning they produce a legislative effect in a third country, for instance a Dutch act producing legislative effect in Germany. This leads internationally operating organisations to be confronted with a multitude of legislations, the very situation the GDPR was meant to prevent. The Dutch government, therefore, proposes that the prevention of extraterratorial effect be explicitly mentioned as a principle in the GDPR.

3. Harmonisation of children’s age of consent
Art. 8 GDPR currently allows Member States to set the age of consent for data processing anywhere between 13 and 16 years. Minister Dekker highlights the interests at stake. If, for example, the age of consent were set at 13, then parents of early teenagers would not be able to withdraw the invalid consent given by their (pre-)teen who may not have fully understood the implications of such consent. On the other hand, the Minister is sympathetic to the idea of allowing young adults a certain level of independence and personal privacy, which makes the case for a lower age of consent. The Dutch Government will, in formulating its final standpoint on the matter, take into account the findings of the research on the children’s psychological judgement capabilities, which is currently being carried out by Leiden University and for which the results are expected in November 2019.

More importantly, however, are the Governments deliberations about the level at which the age for consent should be determined: at the EU level or the Member State level. Given the cross-border nature of present-day data processing and transfer – such as the case with for instance online gaming, it is desirable for all parties – corporations, children and parents alike, to have a uniform standard across the Member States. This may be different in exceptional situations such as pertaining to medical data. The Government will therefore propose a single, EU-determined age limit, to be determined in consultation with scientific and civil society partners, and with the possibility for exceptions for special situations.

4. Further exploring options of restricting the data power of major tech companies
As part of its broader mission for ‘horizontal privacy’, the Dutch Government proposes to further explore the options to restrict tech giants’ power over citizens’ data. Research in this field is still taking place and includes, amongst other things, dataportability and potential new enforcement instruments for the Data Protection Authorities.

5. Specifying the non-mandatory nature of the monitoring body
Both the Dutch umbrella organisation for SMEs, as well as the Dutch Government have, since the entry into force of the GDPR, held the position that the GDPR provisions do not oblige organisations which have voluntarily instituted a Code of Conduct, to also establish a monitoring body. The Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679, issued by the European Data Protection Board in February 2019, nevertheless, seem to assume such a requirement.2)European Data Protection Board, ‘Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679’, 2019. Minister Dekker fears that a mandatory nature of the monitoring body will form a disincentive to the establishment of Codes of Conduct and thus it should be made unequivocally clear that they are non-mandatory.

6. Furthering certifications at EU level, limiting certification at the national level
Art. 42 GDPR holds that “Member states, Supervisory Authorities, the European Data Protection Board (EDPB) and the Commission will promote certification”. Articles 42 sub 5 and sub 8 GDPR allow the EDPB and Commission approve criteria and set standards, resulting in common certification. However, art. 42 sub 5 also allows for the various Supervisory Authorities to approve criteria at the national level. The Dutch Government is of the opinion that nationally-applicable certification mechanisms for harmonised rules are counterproductive to further harmonisation, and are thus contra the intentions behind the GDPR. Hence, the Dutch Government proposes that questions of efficiency and efficacy are taken into account in evaluating the options for certification mechanisms and proposes that certification mechanisms in the national context be limited to situations in which this serves a clear, objective purpose.

7. A uniform form for data breach reporting
Aside from the EDPB’s important role in issuing guidelines, recommendations and best practices for clarification of the GDPR, the Dutch Government proposes that the EPBD also helps enhance the practical aspect of GDPR compliance by developing a single harmonised form for the reporting data breaches. This would prevent data processors from being confronted with a large variety of forms, in case they have to report breaches in different countries.

These and all other Member State viewpoints will be taken into consideration throughout the GDPR review and revision process and, thus, the future of the GDPR remains to be an exciting one.

Author: Rosalie Salameh

References   [ + ]

1. Malgieri, ‘Automated decision-making in the EU Member States: The right to explanation and other “suitable safeguards” in the national legislations’, in: Computer Law & Security review, 35:5, 2019.
2. European Data Protection Board, ‘Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679’, 2019.