The upper house of the Dutch parliament has approved a new law that makes not declaring data breaches punishable with fines of up to €450,000.
Whenever sensitive data is lost or stolen, companies now have to inform both the Dutch Data Protection Authority and those directly affected by the leak.
Companies will have to provide information on the scale of the breach, exactly what data was lost, the possible consequences for those affected, and what changes the company will make to prevent a recurrence.
Previously, private companies faced little accountability in the event of large-scale data thefts or losses, and only public institutions had been obliged by the government to report such breaches.
The Dutch Data Protection Authority, which will be renamed the Personal Data Authority, will also see its powers increase, as it can now hand out much tougher fines. In the past the authority could only fine organisations €4,500 for administrative violations, irrespective of their size. That now changes to 10 percent of annual turnover, up to a maximum of €810,000.
The new law, first proposed in 2013, covers sensitive data that ends up in the wrong hands, whether through hacking or through the theft of physical media such as USB sticks or printouts of documents.
Encrypted data is not exempt under the terms of the law, so failing to notify the data watchdog when, for example, an encrypted hard drive has been stolen is also punishable. An important caveat, however, is that the breach must have potentially serious negative consequences for those concerned, or must be large in scale.
As with many laws, it has so far been left vague what constitutes serious negative consequences and what 'large scale' means. The duty falls on the organisations directly responsible for the data (the data controllers, in the usual terminology) rather than on the parties that merely 'process' it on their behalf, such as SaaS vendors or hosting companies.
The law has sparked some criticism. Nederland ICT, an IT industry association, wrote back in 2013, when the law was first discussed in parliament, that it would mean more hassle for IT organisations even when they have good track records for data hygiene.
"When an incident is not serious enough to merit reporting, companies will have to register it under a duty of protocol," the organisation wrote. While "processing parties will not have to notify the Dutch Data Protection Authority themselves, they would still have to supply their clients with all information needed."
The association also points out that the European Commission is planning to bring its European Union-wide General Data Protection Regulation, which has similar goals, into effect within a year.