Notes from the IAPP Europe, 13 Sept. 2019
Greetings from Holland.
Now that the first GDPR storm has blown over, we have also seen the first court cases here in Holland. As you may know, the Dutch love their money, so it is no surprise that several Dutch have tried their chances in court to be forgotten in the Central Debt Register … and failed.
The Dutch are also known for their pragmatism. So, it should also not be a surprise that the Dutch District Courts have produced some very pragmatic and useful guidance this summer with regard to the application of the GDPR, especially on the topic of accountability.
The first case that warrants our attention was a case where an employer – claiming obligations under the GDPR – refused to provide personal data to a judicial officer (which, in Holland, is a court-appointed private company), who had requested information about an employee in order to execute a court order. The employer, probably afraid of a data breach, insisted on verifying the court order first; the judicial officer refused to cooperate, pointing to the legal obligation to provide the data in the Code of Civil Procedure. The court decided in favor of the judicial officer, also pointing to the trust mechanisms that surround the profession of the judicial officer, such as disciplinary measures. In other words, the GDPR does not require a controller to verify the competency of the party requesting the data if there is a legal obligation to disclose the data. Misuse of powers would be the problem of the party requesting the data, not of the disclosing party acting in good faith.
In the second case, the Dutch Data Protection Authority won in court when its decision not to enforce the GDPR was challenged. In an earlier phase, the court had ordered the AP to investigate the disclosures of health information by the Healthcare Authority. Instead of looking into each disclosure, the AP assessed the quality of the decision-making process of the Healthcare Authority and was satisfied with its DPIA process and the involvement of its DPO. The court agreed with the AP that the quality of the decision-making process was an indication of the legitimacy of the disclosures and no further investigation by the AP was necessary. This case confirms the “system supervision” strategy that is an important element of the AP’s enforcement policy.
But this recent Amsterdam District Court case should become a classic: The court held that the use of a biometrics-protected cash register in a shoe store was disproportionate because the employer – especially taking into account that processing biometric data is prohibited in the GDPR – had not assessed the pros and cons of any less privacy-invasive alternatives. In other words, had the employer executed a DPIA that would have proven that the use of biometrics was indeed necessary in light of the risks, thus warranting the application of the exception for biometrics for security purposes in the Dutch GDPR Execution Act, he would probably have won.
The Dutch courts teach us a very important lesson: “Do your homework, but don’t exaggerate,” which is the heart of the risk-based approach that is incorporated in Chapter 4 of the GDPR. If we all take this to heart, that would save us privacy professionals a lot of conference calls and frustration.