On 18 November, the Dutch government finally issued its response to the Court of Justice of the European Union (CJEU) ruling in April 2014 that invalidated the data retention directive 2006/24/EC. Despite all the debate about the legality of data retention practices, the government wants to retain its current data retention legislation.
Dutch News reports that the national privacy watchdog CBP is threatening Google with a fine of up to €15m for contravening Dutch privacy legislation. Since 2012, Google has been combining information about users from Gmail, Google maps, YouTube and search results into a single profile. However, the CBP says Google is not informing users properly about its actions or asking them permission. This, the CBP says, contravenes Dutch law. Privacy regulators in Britain, Germany, Spain and Italy are also taking action, the CBP says.
Since July 2014, the Dutch Data Protection Authority has received 111 requests to delist search results on a person's name in a search engine. The right to de-list information from the index of a search engine follows a ruling by the European Court of Justice in the case Google Spain (C-131/12). All requests related to Google. In 32 cases the Dutch DPA has mediated between Google and the data subject. In 24 cases the search results were delisted.
Effective 1 January 2017, Dutch data protection law requires organizations to notify the Dutch Data Protection Authority within 72 hours of “a breach of security […] which results in a significant chance of severe detrimental effects or has severe detrimental effects for the protection of the private life". The data subject must also be informed if “the breach probably will result in adverse effects on their private life”. These obligations only apply if the Dutch Data Protection Act applies, for instance in situations wherein a Dutch entity is data controller.
The Dutch government has released a statement in which it says that "it is currently not desirable to take restricting legal measures concerning the development, availability and use of encryption within the Netherlands". It also notes that forcing companies to add backdoors to their products and services would have "undesirable consequences for the security of communicated and stored information," since "digital systems can become vulnerable to criminals, terrorists and foreign intelligence services".