Many foreign parties hold information relating to people living in the Netherlands. And partly thanks to the internet, personal data travel around the world instantly. But Privacy law is still largely provided for on a national level. A decision from the District Court of Amsterdam of 26 March 2014 shows that this can lead to lacunae in practice.

Investigation by foreign investigative agencies commissioned by insurer
If I understand the decision correctly – the rendering of the parties anonymous has made it somewhat difficult to read – the question concerns the following. An American man who has been living in the Netherlands since 2005 has been receiving a disability benefit from a US insurer since 2000. The insurer stopped this benefit in 2010. It seems as if the discontinuation of this benefit was based on investigation carried out by private detective agencies in 2008. These agencies are based in England and the Netherlands; the investigation was carried out in part in the Netherlands. Evidently information was also provided to these investigation agencies by an American hospital.

Enforcement request submitted, but dismissed
The man then filed a report on account of violation of the Private Security Organisations and Detective Agencies Act (Wpbrb). He also filed a request with the Data Protection Authority (CBP) for enforcement. The CBP dismissed the request, however. The reasons for this were that the CBP is reportedly not authorised to take action against the foreign parties and because in view of the Policy Rules for Enforcement there are no connecting factors to take action against the Dutch parties in this individual case.

Man appeals to district court, appeal is admissible
The man then appealed this dismissal before the district court. First of all, the question of whether this is even possible was raised, since the CBP claims that this kind of dismissal is not a decision in the sense of the General Administrative Law Act. The judge quickly rejected this reasoning, however. The appeal was indeed admissible.

District Court: CBP is indeed not authorised with respect to foreign parties
Having overcome this official hurdle did not get the man very far, however. The district court endorsed the CBP’s position that it is not authorised with respect to parties located abroad:

14. The district court considered as follows. The district court states first and foremost that article 4 of the Directive was implemented in section 4 of the Wbp. It follows from article 4 of the Directive that what must be concerned is personal data processing ‘in the context of the activities of a location in the territory of the Member State of the controller responsible for the processing’. Based on this, the district court concluded that the controller must therefore have a location here in the Netherlands that is involved in the processing of personal data. This is not the case for [insurance company], [investigation agency 1] and [company 3]. The assertion of the ‘fiction of a location’ argued by the claimants does not succeed, in the district court’s view. The district court agrees with the defendant that there are no legal connecting factors that support this assertion from the claimants. It is also important here that [investigation agency 1] and [company 3] are located in England and therefore do have a location within the EU. English law applies and the English supervisory body is competent. With respect to [insurance company], [investigation agency 1] and [company 3], there is no jurisdiction for the defendant on grounds of the Wbp. These grounds for appeal do not succeed.

District Court: lacuna in legislation was deliberate choice of the legislator
The man had also argued that there was a lacuna in the legislation. After all, this means that a citizen cannot turn to the national supervisory bodies for privacy violations committed by companies located abroad. The district court pointed out, however, that this is an issue that the legislator must address, not the judiciary:

15. With regard to the claimants’ complaint that there is a lacuna in legal enforcement since there is currently inadequate protection against infringements by third parties, the district court points out that the legislator took over the Directive and saw no reason to provide other protection. The district court cannot intervene in choices made by the legislator.

District Court: no reason to deviate from the policy for parties located in NL
Beyond this, with regard to the parties with respect to which the CBP did reportedly have enforcement jurisdiction, the district court saw no reason to deviate from the CBP’s enforcement policy. This policy can therefore withstand the test of criticism.

The fact that ‘the Wbp is set up such that it provides the latitude for citizens to themselves take action against a controller who does not comply with the legal rules’ explicitly played a role in the district court’s considerations. In other words: the man can always sue the particular Netherlands-based parties via separate proceedings; a general supervisory body cannot be expected to handle every individual dossier.

Final comments
The privacy directive has resulted in national privacy law in all the countries of the EU. This privacy law should largely be consistent throughout the EU. From a formal standpoint, it is separately arranged in all these countries and there is no overarching EU privacy law.
This case illustrates well to what consequences the choice for a privacy directive can give rise. After all, the district court referred the man to the English supervisory body as far as the actions of English parties were concerned. The fact that the actions were committed in the Netherlands is evidently not relevant.
Perhaps the English supervisory body may dismiss the case similarly after a complaint. In that case the man will have to start proceedings in both the Netherlands and England in order to broach the infringement of his privacy. This could of course result in contradictory judgements.
It is possible that the future privacy regulation may provide better instruments to address these kinds of international matters properly. It is precisely the cross-border issues that appear to be a controversial matter in the consultation on this regulation …

By Mark Jansen