The month of February has brought the following interesting data protection developments:
Dutch Data Protection Authority’s focus areas for 2017
Traditionally, the Dutch Data Protection Authority (the Dutch DPA) starts each new year by publishing an agenda setting out its focus areas for the respective year. The Dutch DPA Annual Agenda 2017 was published on 27 January 2017.
Readers of our monthly data protection and privacy update will be aware that as per 25 May 2018, the General Data Protection Regulation (EU/2016/679, the GDPR) will have to be implemented by organizations that conduct business in the EU, including a significant number of organizations that do not have an establishment in the EU. In view of this, it may not come as a surprise that ‘providing information and advice on the GDPR’ is at the top of the Dutch DPA’s agenda for 2017. In 2017, the Dutch DPA intends to publish information on its website aimed at (i) informing data subjects on their rights under the GDPR and (ii) informing organizations on how to correctly implement the GDPR.
With the exception of providing GDPR information and advice, the Dutch DPA’s focus areas for 2017 remain very similar to 2016:
| Personal data and (digital) government: ‘e-government’ | GDPR information and advice |
| Big data and profiling | ‘from collection to profiling’, with primary focus on transparency of profiling |
| Health data | Sensitive personal data, with primary focus on the prohibition to process sensitive personal data and correct implementation of the required safeguards in case of an exception to that prohibition. |
| Security of personal data | Security of personal data, with primary focus on (security of) online client portals and the data breach notification obligation that was introduced as per 1 January 2016. |
| Personal data in employment relationships | |
Dutch Supreme Court rules that Dutch Tax Authorities may not use ANPR Data to verify private use of company lease-cars
On 24 February 2017, the Dutch Supreme Court ruled that the use by the Dutch Tax Authorities of ‘Automatic Number Plate Recognition’ data (ANPR Data) obtained from the national police to verify private use of lease-cars constitutes an unlawful infringement of the right to privacy.
Pursuant to Dutch tax law, employees who use their company lease-car privately incur additional income tax (bijtelling), unless such private use is limited to less than 500 km per year. Employees invoking the exception are required to keep a record of all private trips with their company lease-car (Private Trip Log) so that it can be verified by the Dutch Tax Authorities.
Pursuant to an agreement between the Dutch Tax Authorities and the Dutch national police, the Dutch Tax Authorities were provided with a complete copy of all ANPR Data collected by the Dutch national police on a weekly basis. Among other things, these ANPR Data were used to verify Private Trip Logs.
The Private Trip Logs of several Dutch taxpayers did not correspond with the ANPR Data, in the sense that their company lease-car had been spotted at times and places not included in their Private Trip Log. The Dutch Tax Authorities therefore concluded that these taxpayers had used their company lease-car privately for more than the permitted 500 km and on that basis imposed additional tax assessments and (administrative) fines.
Several Dutch taxpayers subsequently initiated (administrative) proceedings in which they claimed that the use of ANPR Data by the Dutch Tax Authorities constituted an unlawful infringement of their right to privacy as protected by (among others) article 8 of the European Convention on Human Rights (ECHR) and article 10 of the Dutch Constitution.
The Dutch Supreme Court held that the use of ANPR Data by the Dutch Tax Authorities indeed qualifies as an infringement of the right to privacy. Consequently, such use is only lawful if the resulting infringement of the right to privacy is in accordance with the law and is necessary in a democratic society in the interest of one of the legitimate purposes provided by the ECHR. The Supreme Court then assessed several (general) provisions of Dutch tax law and concluded that these were insufficiently precise to serve as a legal basis for the infringement. For example, article 55 of the AWR (the Dutch State Taxes Act) provides that government institutions (such as the national police) must provide the Dutch Tax Authorities with information requested by them for purposes of executing Dutch tax law. However, the Dutch Supreme Court held that this ‘information obligation’ was too general in nature to serve as a basis for the provision of ANPR Data to the Dutch Tax Authorities.
It follows from the Dutch Supreme Court ruling that the use of ANPR Data by Dutch Tax Authorities could be lawful if a sufficient legal basis is provided. As there may be no other viable means for verifying Private Trip Logs, we do not exclude the possibility that the Dutch legislator will implement such a (specific) legal basis in the future.
First Dutch Supreme Court case regarding the ‘right to be forgotten’
On 24 February 2017, the Dutch Supreme Court also issued a judgment (ECLI:NL:HR:2017:316) in a case regarding the ‘right to be forgotten’ as established by the EU Court of Justice (EU CoJ) in ‘Google Spain’ (ECLI:EU:C:2014:317). In this verdict, the Dutch Supreme Court held that the Court of Appeal in Amsterdam had incorrectly applied (the criteria for invoking) ‘the right to be forgotten’ and therefore referred the case back to the Court of Appeal in The Hague for further assessment.
In Google Spain, the EU CoJ ruled that the right of access (article 35.1 of the Dutch Data Protection Act, the DDPA) and the ‘right to object’ (article 40.1 DDPA) are to be interpreted as meaning that if the conditions laid down by these provisions are met, “the operator of a search engine is obliged to remove from the list of results displayed following a search made on the basis of a person’s name, links to web pages, published by third parties and containing information relating to that person, also in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful.” The EU CoJ further held that in order to invoke this ‘right to be forgotten’, it is not necessary that the relevant data subject is prejudiced by the information on the websites that the data subject wishes to be removed from the search engine results. Lastly, the EU CoJ held that the ‘right to be forgotten’ in principle prevails over the economic interest of the search engine and the interest of the general public in having access to the information on the websites that were requested to be removed. The only exception hereto according to the EU CoJ is “if it appeared, for particular reasons, such as the role played by the data subject in public life, that the interference with his (fundamental) right to be forgotten is justified by the preponderant interest of the general public in having, on account of its inclusion in the list of results, access to the information in question.”
The Dutch Supreme Court has now given its first verdict in a case regarding this ‘right to be forgotten’. The case concerned a Dutch individual who had recently been sentenced to six years’ imprisonment (without probation). The criminal case which led to this conviction had received a lot of publicity in the Netherlands. The individual requested Google to remove links to websites with information on his criminal conviction from the results when searching on his name. Google refused to comply with this request and the individual therefore initiated proceedings.
The Court of Appeal in Amsterdam rejected the individual’s claim to delete the relevant search engine results, effectively because ‘the general public generally has a large interest in having access to information regarding serious offences’. However, it follows from Google Spain that the ‘right to be forgotten’, due to its fundamental nature, in principle prevails over this interest of the general public. The Court of Appeal in Amsterdam had failed to specifically assess why that was different in this particular case and the Dutch Supreme Court therefore nullified its verdict and referred the case back to the Court of Appeal in The Hague for further assessment.
It will be interesting to see what the final judgment will be in this case. Taking into account the fundamental nature of the ‘right to be forgotten’ according to Google Spain, we would not be surprised if Google will eventually get the short end of the stick.
II European developments
European Commission publishes proposal for ePrivacy Regulation
EU data protection laws are currently subject to a major revision process. As a result, the GDPR has been adopted and will enter into effect as per 25 May 2018. In addition, the European Commission has now published a proposal for a ‘Regulation on Privacy and Electronic Communications’ (the ePrivacy Regulation). The ePrivacy Regulation will supersede the ePrivacy Directive (Directive 2002/58/EC) and legislation of EU Member States based thereon. The ePrivacy Regulation is lex specialis to the GDPR and will particularise and complement it as regards electronic communications data that qualify as personal data. Both the GDPR and the proposed ePrivacy Regulation are envisioned to apply directly in all EU Member States as per 25 May 2018.
The proposed ePrivacy Regulation will bring significant changes compared to the ePrivacy Directive. Most importantly, the ePrivacy Regulation provides for:
– an increased scope of application by applying (i) to all providers of electronic communications services (including Facebook Messenger, WhatsApp, etc.) and (ii) to both content and meta-data;
– stricter rules and more harmonization of these rules throughout the EU;
– more effective enforcement.
It remains to be seen whether the ePrivacy Regulation will be adopted in its current form. In any case, we will provide further guidance on the ePrivacy Regulation once it has been adopted definitively.
Article 29 Working Party concerned about Windows 10
Several data protection authorities, including the Dutch DPA, have concerns regarding the protection of personal data processed via Windows 10 by Microsoft.
The Article 29 Data Protection Working Party (WP 29) sent two letters to Microsoft expressing its concerns related to default installation settings, the lack of control for users to prevent Microsoft from collecting and further processing their personal data, and the scope of personal data that is collected and further processed.
The WP 29 recalled that users’ consent can only be considered valid if the consent is fully informed, freely given and specific. Furthermore, WP 29 explicitly states that the purposes have to be specified, explicit and legitimate. The personal data cannot be further processed in a manner incompatible with the original purposes.
Standard contractual clauses mechanism challenged
After the invalidation by the European Court of Justice of the “Safe Harbour” regime for transfer of personal data from the EU to the US, we informed you in our update of October 2016 about the challenging of the Privacy Shield data agreement before the European Court of Justice (CJEU). Just like Safe Harbour and the Privacy Shield, the European Standard Contractual Clauses (SCC) are under debate. Many companies use the SCC for the transfer of personal data to countries not offering an adequate level of protection. In current proceedings before the Irish High Court, the Data Protection Commissioner asked the High Court to request the CJEU for a preliminary ruling on the legality of the SCC.
With this request, this practical legal ground for the transfer of personal data from the EU to the US also seems to be at stake. We will of course keep you posted on further developments related to the Privacy Shield case and the request regarding SCC.
Compliments of Loyens & Loeff – a member of the EACCNY