Bart Custers on notification obligation data leaks
The Dutch Data Protection Authority (DPA) has announced that 27,000 data leaks were reported in 2019, a huge increase compared to previous years. Bart Custers, Professor of Law & Data Science at eLaw - Center for Law and Digital Technologies, claims in Dutch newspaper Trouw (22 February 2020) that the DPA’s notification obligation is therefore failing to achieve its objectives.
As of 2016, companies and government organisations are required to notify the DPA of a serious data leak within 72 hours. The idea behind the obligation is that organisations will set up better security measures in advance, in order to prevent reputation damage, and will respond to incidents faster. The Netherlands is one of the countries at the forefront in the EU when it comes to the protection of privacy. The DPA’s notification obligation concerning data leaks came into force here in 2016, before it became effective across the whole of the EU by virtue of the General Data Protection Regulation (GDPR). In the first year, a few thousand data leaks were reported to the DPA. Now, this number has grown explosively and there seems to be no end to the rise in numbers. After Germany and the United Kingdom, Dutch companies report the highest number of data leaks in the EU to the authorities. Per head of the Dutch population, the number of reports is in fact the highest in the whole of the EU.
The notification obligation is failing to achieve its objectives. First, because the naming & shaming mechanism is not effective: these huge numbers mean that enforcement is becoming an issue. And second, because many incidents are still not even being reported.