18 months until the renewed Privacy Legislation

2016 is about to end, which also means that the new privacy legislation is one step closer of happening. Last December was all about the new European Privacy Legislation for the Article 29 Working Party and the Dutch government.


The European privacy watchdogs, united in the WP29, held a plenary meeting in Brussels on the 12th and 13th of December to discuss the introduction of the new European privacy legislation by May 2018. Among other things, the WP29 has provided some clarification of terms through guidelines and FAQs from the Regulation on the protection of natural persons with regard to the processing of personal data (Regulation).

Data Protection Officer

Within the new privacy legislation, some undertakings are obliged to appoint a Data Protection Officer (DPO). The guidelines provide more insights in which cases appointing a DPO is mandatory and what tasks a DPO should have. Read more about this topic in this article.

Right to Data Portability

The Regulation gives the right to data portability to those whose personal data is being used. Shortly said, this means that the concerned individual has the right to request data from the undertaking that has his data and process it for himself, in which he could opt to transfer the data to third-parties. More clarification is provided in the guidelines on the procedures of data portability and which personal data undertakings have to provide.

Supervisory Authority

The new privacy legislation states that one supervisory authority will be in place. The Supervisory Authority from the Member State where the main establishment of the concerned undertaking is located will take the lead. This means that the respective watchdog of that Member State will become the main Supervisory Authority. His actions will be aligned with the watchdogs in other Member States where the violation takes place. The guidelines provide more insights on how to decide which Authority will become the leading Authority.

These guidelines are not finalized yet, indicating that one can still provide feedback until January 31st, 2017. Watchdogs can also complement the guidelines to make them easier to implement.

Implementation Law of the Regulation on Data Protection

Besides the guidelines and FAQs from the WP29, the Dutch government has also been working on the new legislation. A draft version from the Implementation Law of the Regulation on Data Protection was published on December 9th, 2016. This law includes the implementation of the new Regulation and the repeal of the current privacy legislation, the Act on Data Protection (Wet bescherming persoonsgegevens, Wbp).

The Regulation will be enforced immediately in the Netherlands. However, the Regulation provides Member States some room to adjust certain rules and subjects nationally. As seen in the draft version from the Implementation Law, the Dutch government has done so. The execution of the law will be politically neutral, meaning that existing legislation will be used as much as possible unless the Regulation states differently. Concerning the reduction of the prohibition on processing exceptional data, the government has added some lines. Such exemptions in the Implementation Law include the processing of biometric data. Processing such data is only allowed if the purpose to identify the concerned individual is necessary and proportional.

The Implementation Law is not finalized yet. Consultation is taking place at the moment. Citizens, companies and other undertakings can respond to the legislative proposal and its explanation.

With regards to the new privacy legislation, I will give a lecture during the Webwinkel Vakdagen on this topic on January 19th, 2017. Click here for more information.