The letter also calls on the minister to cease processing operations that are contrary to the judgment issued by the Court of Justice of the European Union on 21 June 2022 regarding the PNR Directive (the PNR judgment) with immediate effect. In its judgment, the Court ruled, inter alia, that the application of the PNR Directive and the ways in which Member States may process PNR data should be limited to what is strictly necessary. In addition, the Dutch DPA calls on the minister to immediately take every necessary step to reconcile domestic legislation with the interpretation of the PNR Directive as set out in the PNR judgment.
The Dutch DPA had already submitted a letter to the minister's predecessor on 3 January 2022 regarding the processing of PNR data and national PNR law. In this letter, the Dutch DPA noted that the PNR system involves the systematic collection, automated processing and retention of a very large amount of personal data relating to a very large group of persons who are not a focus of attention. According to the Dutch DPA, the necessity and proportionality of these processing operations remained unsubstantiated, in particular due to their mass surveillance nature, and required further justification.
Balance between the objective and rights
The principle of proportionality is an important cornerstone of the PNR judgment. It is one of the general principles of EU law and enshrined in Article 52 of the Charter of Fundamental Rights of the European Union. In this context, proportionality means that the fundamental rights of the EU can only be limited if doing so is both necessary and genuinely meets objectives of general interest recognised by the EU or the need to protect the rights and freedoms of others. In the PNR judgment, the Court considered, inter alia, that protection of the fundamental right to respect for private life requires that exceptions to the protection of personal data and limitations of that right must remain within the bounds of what is strictly necessary. Establishing whether that is the case requires a balanced consideration of the relevant objective and the rights at stake. The Court held that, under the principle of proportionality, the battle against crime in general does not justify the serious interference entailed by the PNR Directive.
Focus on proportionality
It has become clear by now that the Dutch DPA is particularly concerned about safeguarding the principle of proportionality. For example, on 20 February 2023 it submitted a letter to the House of Representatives’ standing Committee for Digital Affairs about the failure of the minister for Economic Affairs and Climate Policy to comply with its recommendations. These recommendations concerned an amendment to the Trade Register Decree allowing publication in the Chamber of Commerce Trade Register of a list of individuals who were forbidden to be on a company’s board for a period of five years.
The Dutch DPA advised against this amendment, in part because these processing operations would not be proportionate to the intended objective. Another example is its submission of additional topics (dated 26 January 2023) for consideration in relation to the review and next legislative amendment of the Dutch GDPR Implementation Act (UAVG). According to the Dutch DPA, legislation regarding limitations on data subjects' rights (currently Article 41 of the UAVG) must adhere to the strict standards of the proportionality principle.
Important for companies too
The above examples relate specifically to public authorities. This is in line with the Dutch DPA's focus on digital government, the subject of its 'Focus AP 2020-2023: Dataprotectie in een digitale samenleving'. It is also important for companies to be mindful of proportionality, however. Privacy laws require necessity to be established on the basis of proportionality and subsidiarity, and necessity is a component of several norms under the GDPR. Consider, for example, legitimate purpose, processing basis and data minimisation. Companies are therefore well advised to pay particular attention to the proportionality criterion and properly document this in the interests of accountability.
Investigation and enforcement authority
At the end of its letter, the Dutch DPA points out that as a regulator, it has full powers to investigate data protection compliance at the national level and that it takes action on enforcement. For example, it can prohibit processing under Article 58(2)(f) of the GDPR. It can also impose an order for periodic penalty payments (under Article 16 of the UAVG) or an administrative fine (under Article 18 of the UAVG, specifically targeting public authorities). The prohibition on processing sends a clear signal, but it is not an enforcement measure to induce the infringing party to rectify the situation. If the minister fails to comply with a prohibition on processing, the Dutch DPA may proceed to impose an order for periodic penalty payments or an administrative fine.
The Dutch DPA has already made clear that it does not hesitate to fine other governmental bodies. In 2021, it imposed fines of EUR 600,000 on Enschede's Municipal Executive (for Wi-Fi tracking), EUR 2.75 million on the Dutch Tax and Customs Administration (for inadequate protection of personal data), and a further EUR 3.75 million on the Tax and Customs Administration (for offences related to the 'Fraud Alert Facility'). It also fined the minister of Foreign Affairs EUR 565,000 for weak security arrangements surrounding visa applications. Its focus on public authorities is also clear in its move to step up its supervision of the Municipality of Eindhoven, announced on 1 March 2023.
In the closing paragraph of its letter, the Dutch DPA asks to receive a response from the minister within 14 days (from the date of the letter) indicating which action the Ministry has taken and may still take. We can well imagine that this will be a challenging timeline for the minister.