The proposal for a Dutch GDPR Implementation Act
The proposal for a Dutch GDPR Implementation Act (Uitvoeringswet Algemene verordening gegevensbescherming, "Implementation Act") that seeks to implement the General Data Protection Regulation ("GDPR") was published online on 9 December 2016 for the purpose of public consultation. The GDPR has been adopted on 27 April 2016, and various posts on guidance regarding the contents of the GDPR can be found here.
The Implementation Act will contain a legal framework for implementing the GDPR in the Netherlands. As of 25 May 2018, this Implementation Act will replace the Dutch Data Protection Act ("DDPA"), which currently applies and implements EU Directive 95/46/EC. Because the GDPR has direct effect in all member states, the provisions thereof are not included verbatim in the Implementation Act, so one must consult both the GDPR and the Implementation Act in view of this layered legal framework.
The GDPR does require member states to implement specifically some topics by themselves, but it leaves discretionary room for specific implementation of other topics also. It is the latter which the Netherlands wishes to implement through its Implementation Act. The Dutch government has indicated that it will strive for "policy-neutral" implementation, meaning that the Dutch GDPR Implementation Act intends to follow the current DDPA as close as possible. However, we do note some specific changes that the Implementation Act will bring about if it remains unchanged from its current proposal form:
- There will be changes as to how appointments are made at the competent supervisory authority, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens), and how those appointments are regulated. To safeguard the authority's independence, its officers will be appointed directly by the authority instead of by the Ministry of Security and Justice, as is currently the case.
- There will be a specific exception allowing for the processing of biometric data for the sole purpose of identifying a natural person. Clause 26 of the Implementation Act will allow the processing of biometric data if such processing "is done to identify the data subject where such identification is necessary and proportional for the legitimate purposes of the controller or a third party." This exception is the Netherlands' specific implementation of Clause 9 of the GDPR that prohibits the processing of special categories of data including biometric data for the sole purpose of identifying a natural person, and which allows by member states to lay down exceptions to it as long as certain criteria are met (Clause 9(2)(b) GDPR).
The public consultation period for the Implementation Act proposal has ended on 20 January 2017. During this time, all citizens, companies, and other bodies or institutions could submit their reactions to the proposed Implementation Act. There have been 67 reactions, which can be consulted as they are publicly available.