Rb. Den Haag - SGR 20/1516

From GDPRhub
Rb. Den Haag - AWB - 20 _ 1516
Courts logo1.png
Court: Rb. Den Haag (Netherlands)
Jurisdiction: Netherlands
Relevant Law: Article 32(1) GDPR
Article 32(2) GDPR
Article 33(1) GDPR
Article 6(2) UAVG
Decided: 31.03.2021
Published: 15.04.2021
Parties: OLVG
Autoriteit Persoonsgegevens
National Case Number/Name: AWB - 20 _ 1516
European Case Law Identifier: ECLI:NL:RBDHA:2021:3090
Appeal from: AP (The Netherlands)
[1]
Appeal to:
Original Language(s): Dutch
Original Source: Linked Data Overheid (in Dutch)
Initial Contributor: Kave Noori

The District Court of The Hague reduced a fine imposed on a private hospital by the Dutch DPA from €460,000 to €350,000 after the hospital improved its technical and organizational measures during the appeal phase. The Court also noted that the Dutch DPA has the power to interpret and give substance to Article 32 GDPR.

Facts

The Dutch DPA, Autoriteit Persoonsgegevens ('AP') fined OLVG, a private foundation running a hospital, for breaching the GDPR. The investigation was initiated by the AP in response to two reports of data breaches by OLVG. The AP found that OLVG had breached Article 32 GDPR by having inadequate login security and by failing to adequately control whether patient records were read by unauthorized persons. Access to patient records from outside OLVG hospital was protected by two-factor authentication. The AP found it insufficient that access from locked computer rooms within the hospital was protected by only one factor. The AP's enforcement decision against the OLVG (summarised on the GDPRhub here) resulted in a fine of €460,000 and an order to implement two-factor authentication when accessing patient records from computer rooms, as well as increased logging and auditing practices. The OLVG went on appeal to challenge several parts of the decision AP.

Dispute

Was the right against self-incrimination violated?

The OLVG argued that the fine should be dismissed because its right against self-incrimination (sometimes known as “the right to remain silent”) had been violated by the AP. Since OLVG was legally required to report the data breaches under Article 33(1) GDPR, OLVG claimed that the data breach reports were evidence that it involuntarily submitted to AP. The OLVG wanted the court to consider whether the AP's decision to fine was consistent with the principle of nemo tenetur. Nemo tenetur is an unwritten legal principle protected by Article 6 of the European Convention of Human Rights (ECHR). According to this principle, everyone has the right to remain silent and is protected from being improperly forced by authorities to make self-incriminating statements.

Was the right to legal defense violated?

The OLVG argued that the fine should be dismissed because its right to legal defense had been violated. The right to legal defense is protected by Article 6(2) ECHR and Article 48(2) of the EU Charter of Fundamental Rights. The OLVG claimed that the AP extended the scope of the investigation beyond what it had initially communicated to the OLVG. OLVG argued that the original purpose of the AP was to investigate unauthorized access to patient records, which was later extended to the processing of patient data in hospital information systems. OLVG maintained that the AP's conclusion that OLVG had not implemented two-factor authentication was irrelevant to the original scope of the investigation (which regarded unauthorized access).

The legal basis for the fine and APs order

The OLVG argued that the AP’s decision to fine and order to implement two-factor authentication and increased logging should be dismissed because it was unlawful. OLVG claimed that the AP had violated the principle of due diligence (zorgvuldigheidsbeginsel), which requires the AP to investigate each case sufficiently. Further OLVG claimed that AP violated the motivation principle (motiveringsbeginsel) which requires the AP to properly explain the reasons for its decision . When the AP concluded that the OLVG had violated Article 32 GDPR by failing to implement the necessary technical and organizational measures, the AP decision referred to national standards: The Decree on Electronic Data Processing by Healthcare Providers (Begz) and the NEN standards 7510 and 7513, which are Dutch standards for information security in healthcare. The OLVG argues that the AP misapplied Article 32 GDPR by directly enforcing these national standards and thus violated the two principles.

In the OLVG's view, AP should have reviewed its actions exclusively from the perspective of Article 32 GDPR. The OLVG held that Article 32 GDPR provides for various factors to be weighed against each other when deciding which technical and organizational measures are appropriate for a particular data processor. The OLVG claimed that the AP exceeded its powers by directly applying the NEN standards, which are not related to or based on the GDPR and therefore do not constitute an interpretation of Article 32 GDPR.

Was the principle of legality violated?

The OLVG argued that the enforcement decision should be dismissed because APs violated the principle of legality by enforcing Article 32 GDPR. The principle of legality (lex certa), which is protected by Article 7 of the ECHR, requires the legislature to formulate laws so clearly that citizens can foresee the consequences of their actions. The OLVG claimed that Article 32 GDPR was an open norm that had not yet been fleshed out. The OLVG considers enforcement measures based on Article 32 GDPR to be a violation of the principle of legality because of its vagueness.

Was the principle of equal treatment violated?

The OLVG argued that the enforcement decision should be dismissed because APs decision based on Article 32 GDPR, violated the principle of equal treatment before the law. The OLVG referred to the AP 's enforcement decisions against two health insurance companies and the Employee Insurance Agency (UWV). The OLVG alleged that the two insurers had committed more serious violations and yet one insurer received a lower sanction fee. Further, the AP was content to require only reactive logging, while the OLVG was burdened with reactive and proactive logging. OLVG also claimed that UWV had only one-factor authentication. To clarify the other cases only resulted in fines while OLVG was imposed a fine in combination with an order to take certain actions

Was the fine too high?

The basic amount of the fine under the APs Fines Guidelines was €310,000. Taking into account the individual circumstances of the case, the AP concluded that the fine should be increased by €150,000 (€75,000 x 2). The OLVG questioned the amount of the fine of €460,000 that AP had imposed on them. The OLVG wanted the court to examine whether it was proportionate and justified.

Holding

Was the right against self-incrimination violated?

According to the court, there was no basis for the claim that the evidence used to impose fines on OLVG was obtained in violation of the principle of nemo tenetur. The court noted that AP did not ask OLVG to produce evidence. The court concluded that AP wanted OLVG to present the result of its internal investigation into the data breaches. The court referred to the already established case law that information provided to comply with a request from a supervisory authority does not violate the principle of "nemo tenetur". The court also found that the AP had good reason to initiate an investigation into OLVG's compliance with Article 32 GDPR based on its receipt of the data breach notifications. Finally, the Court noted that in its letter to OLVG, AP advised the organization that it was not required to provide self-incriminating information. In the October 12, 2018 letter, the AP wrote "beware" and "you are not required to answer questions that may incriminate you or your organization."

Was the right to legal defense violated?

The court found that there was no basis for OLVG's claim that its right to defend was violated because two-factor authentication was not part of the original scope of the investigation. The Court noted that in its October 12, 2018 letter to OLVG, AP made clear that it was investigating organizational and technical measures under Article 32 GDPR. In the annex to that letter, the AP asked OLVG questions about access control, logging, and unauthorized access reports related to reported data breaches. The court held that technical solutions that allow a computer system to determine a user's identity (e.g., two-factor authentication, reporters remark) are part of the concept access control. The court ruled that the scope of an investigation does not change just because the same words are not used in all documents of an investigation.

The legal basis for the fine and APs order to OLVG

First, the Court found that the fine and injunction were lawful and based on OLVG's failure to take appropriate technical and organizational measures within the meaning of Article 32(1) GDPR. Next, the court found that the AP did not directly enforce the Begz and NEN standards simply because its decision mentioned that Article 32 GDPR must be read together with those standards. Thirdly, the court noted that the AP is vested with the power to interpret and give substance to Article 32 GDPR; this power derives from Article 6(2) of the Dutch Act implementing the GDPR (UAVG). Finally, the court pointed out that the OLVG was obviously well acquainted with the Begz and NEN standards, which are generally accepted standards for information security in the Dutch healthcare sector, and because the OLVG's own data protection policy referred to the NEN standards.

Was the principle of legality violated?

The court referred to settled case law when it stated that it is sometimes necessary for the legislature to write laws that are vague to some extent. The court recognized the need to sometimes describe punishable actions in the statute in general terms to ensure that undesirable acts do not fall outside its scope. The court went on to explain that this vagueness is sometimes unavoidable: it is not always possible for the legislature to predict how an interest that the statute seeks to protect will be infringed.

Next, the court assessed the vagueness of Article 32 GDPR. The court found that there was no basis for the claim that the principle of legality had been violated in this case. The court explained that the GDPR does not only apply to the healthcare sector, but that the words in the law must be sufficiently general so that they can be used by all data controllers and processors. The court recalled that the phrase "appropriate technical and organizational measures" in Article 32 GDPR is the same as in the previous Data Protection Act (Wpb), which was based on the Data Protection Directive (95/46/ EC). The Court went on to state that Article 32 GDPR cannot be considered as a completely open standard: Article 32(1) GDPR specifies technical and organizational measures and Article 32(2) GDPR indicates the processing risks. The Court considered that Article 32 GDPR is sufficiently clear to be compatible with the principle of legality. The Court considered that the fact that the AP could not tell the OLVG exactly how often it had to check the logs did not make the statutes applied too vague. According to the court, the OLVG is a professional organization that has the ability to determine whether the standards are being applied correctly. Finally, the Court held that the AP was authorized by law to take enforcement action against OLVG.

Was the principle of equal treatment violated?

The court held that the above cases were not comparable to the present one and there was no basis for the contention that OLVG had been treated unequally. In the insurers' case, the court pointed to several differences. One difference was that the APs look into the insurers did not specifically focus on technical and organizational measures. Another key difference was that the AP audited the insurers under the old Data Protection Act (Wbp), which clearly instructed the AP to issue fines only as a last resort. In the UWV case, the circumstances were also different. The enforcement decision against the UWV was also based on the old Data Protection Act (Wbp). Moreover, the UWV case concerned login security to an employer portal, an external service, while this case concerned an internal system with access to patient records by OLVG staff. The Court concluded that there had been no breach of the principle of equal treatment.

Was the fine too high?

The Court considered €460,000 to be unjustified and reduced the amount to €35,000. The Court took into account that the OLVG had taken several measures to prevent unauthorized access to patient records, such as mandatory staff training, tightening of employment contracts and access authorizations. Finally, the Court recognized that AP had failed to address OLVG's improvements regarding two-factor authentication and enhanced logging during the appeal phase of the case. The Court held that these factors warranted a reduction in the fine.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.