momius -

Interview: GDPR will give Dutch privacy watchdog its teeth

The Netherlands’ privacy watchdog has not handed out fines so far because there has been no reason to, says the organisation’s chairman, Aleid Wolfsen

The Netherlands’ privacy watchdog, Autoriteit Persoonsgegevens (AP), has been criticised in the past for its lack of action on data breaches.

Chairman Aleid Wolfsen has often said that the AP will “finally start showing its teeth” and threatened to fine companies that do not comply with the Netherlands’ privacy laws – but this hasn’t happened so far.

The watchdog has had a mandate to fine offenders since January 2016. Since then, companies in the Netherlands have been obliged to report data leaks. The number of reported leaks has exploded in the past year, with 10,000 in 2017 compared with 5,849 in 2016. 

But despite its mandate, the watchdog has yet to impose any penalties. It says it started 635 investigations in 2017, most of which are ongoing. “Under the current obligation to report data leaks, the AP can only hand out fines where data was leaked maliciously,” Wolfsen tells ComputerWeekly. “So far, we haven’t found evidence that that has happened.”

This ought to change when the EU’s General Data Protection Regulation (GDPR) comes into effect on 25 May, says Wolfsen. “Two things will happen – fines will go up, and the bar to hand them out will go down. Under the GDPR, we can fine companies when they don’t take proper precautions to safeguard data, so intent is no longer the deciding factor like it is now.”

Wolfsen does not want to say exactly what will happen after 25 May. Fines are coming, but for who? He cannot say, but speculates that it might be a high-profile cases.

Wolfsen mentions a recent case where saunas were caught filming customers, and it was later discovered that some images ended up on pornographic websites. It is cases like these that Wolfsen hints should be investigated soon – and quickly. 

On the other hand, the watchdog finds it hard to say whether companies in the Netherlands are ready for the GDPR, and expects a final sprint to compliance. “What can you say?” says Wolfsen. “People naturally postpone these kinds of things.”

Read more about GDPR

  • Organisations in the Netherlands are racing towards General Data Protection Regulation compliance, but there is still much to be done.
  • The Netherlands is a pioneer when it comes to legislating around data protection, so GDPR might not be as much of a shock as in other countries.
  • Businesses dealing with EU citizens’ data urged to ensure they are on track to comply with the GDPR, as the world marks Data Protection Day 2017.

But that doesn’t mean the AP is sitting on its hands. The watchdog launched a website called, where organisations can use a step-by-step tool to see what to do to comply with the law. “If companies follow that tool, they should be compliant,” says Wolfsen.

Other than that, the AP tries to allow GDPR awareness to trickle down from groups it is in close contact with. “We work together with branch organisations to stay in touch with companies and to educate them on the upcoming regulation,” he says. “Some are more involved in that than others.”

Recent research showed that many small companies in the Netherlands are not ready for the GDPR.

Another important link between the privacy watchdog and the business world are data protection officers (DPOs), who must be appointed by government institutions and companies working with “special personal data”, such as people’s social security numbers or medical data. “We rely heavily on DPOs to update us on how companies handle data protection,” says Wolfsen.

The presence of a DPO in organisations is one of the first things the AP will check when the GDPR comes into effect, he says. “From day one, it’s going to be simple – we will check whether companies have a DPO if they are required to. If they don’t, we’re going to take action.”

Wolfsen declines to say what kind of action that might be. Fines are a possibility, but the AP is known to show leniency in such matters, warning a company rather than fining immediately.

Teeth or no teeth?

This has led to some criticism from both opponents and privacy groups. Some say they are disappointed in the AP’s “weak” stance in not fining companies after a breach.

This also seems contrary to what Wolfsen said when he took office in August 2016. “This watchdog is finally getting teeth,” he said in several interviews. Privacy groups interpreted those comments as saying the watchdog would finally use its mandate to hand out fines, which the AP had lobbied for. But more than 18 months later, Wolfsen now clarifies that he meant “when the GDPR comes into effect”.

But there is reason to be sceptical whether that really will happen under the GDPR. While it might be easier for the AP to impose fines, the watchdog has been criticised repeatedly by judges for not taking stronger action on certain issues. This happened three times in one month.

However, Wolfsen doesn’t see that criticism as a wake-up call, and defends the AP. “It wasn’t a matter of how we interpreted the law, which we should do properly as a watchdog,” he says. “In those cases, it was a matter of prioritisation for us.”

Wolfsen, who himself was once a judge, then turns the conversation to the moment the court did say the AP had done well. “It’s good we have the judicial system to keep us alert, but it also helps us when they say we do a good job,” he says.

Although Wolfsen wants to hand out fines, he points out that fines are a means, not an end. “Organisations shouldn’t become GDPR compliant out of fear of fines, but out of a genuine willingness to protect customer data,” he says, emphasising that the AP will hand out fines that are proportional to the offence.

But the watchdog is still struggling with funding and understaffing – problems it has had for years. Wolfsen adds: “Yes, that’s a point of irritation – no two ways about it.”

Read more on CW500 and IT leadership skills

Data Center
Data Management