Personal Data Authority not yet ready for whistleblower reports
The Personal Data Authority (AP) is charged with investigating whistleblower reports on AVG breaches. This means the AP is obliged to set up a proper reporting channel for this purpose and follow up incoming reports promptly. These obligations do not seem to have been met yet, and it is to be feared that they will not be soon. Which leaves whistleblowers basically free to seek publicity directly. But that is not without risk
In late 2019, the EU Whistleblowers Directive came into force, which was implemented by the Netherlands in the Whistleblowers Protection Act (Wbk) in February 2023. As of now, Dutch law states that any breach of the AVG (and related laws, such as the Police Data Act) is 'reportable'. This means quite a lot.
If an employee suspects an AVG breach - future or already committed - they can report it protected. Where 'employee' includes a trainee (former or otherwise), volunteer or director.
For AVG breaches, or privacy breaches, you can think of data breaches (or a threat thereof), but also of processing personal data without sufficient AVG basis.
The reporter must not be disadvantaged (such as being fired or harassed) as a result of the violation. Those who know about the report are obliged to maintain confidentiality; including the identity of the reporter. Employers with more than 50 employees, government employers, and employers in some specific sectors, must have an internal reporting procedure for whistleblower reports.
Many employers do not yet have such an internal reporting procedure. But even if they do, the whistleblower may also report the problem immediately to the designated authorities. For privacy breaches, this is the Personal Data Authority.
The reporter may also seek immediate publicity if there is an imminent or real danger to the public interest, or if there is a risk of harm if the report is made, or if it is unlikely that the malpractice will be remedied effectively. But beware: this can be risky. We will come back to this at the end of this article.
AP must get to work quickly
The AP must send an acknowledgement of receipt no later than six days after receiving the report. Then, in principle, the AP must inform the reporter about the assessment and follow-up of the report within three months. This period can be extended once by three months, provided sufficient reasons are given. Thereafter, the reporter must be informed of the outcome of the investigation. The AP can only waive 'follow-up' (investigation and action) if the report is "clearly of minor significance". This must be communicated to the reporter immediately.
If the AP does not respond, or does not respond adequately, or responds too late, then the reporter has the right to seek publicity about the privacy violation he suspects (which, as mentioned above, in some cases would therefore have been allowed earlier).
Furthermore, the AP is now required to make available a webpage with whistleblowers' rights and obligations, and to set up a secure reporting channel. The AP must also be able to take oral reports.
That webpage is not there yet. However, the so-called 'tip option' on the AP's site has existed for some time, but it certainly does not meet the legal requirements. It is therefore questionable whether the AP is sufficiently aware of its duties under the Wbk. News reports also indicate that there are backlogs in enforcement and handling complaints from directly affected parties. The AP's own prioritisation in this regard will further complicate meeting the fatal Wbk deadlines.
Disclosure remains risky for reporters
So for now, there is a good chance that reports of privacy violations will not be picked up properly or timely by the AP. These may end up in the 'tips' pile, where it is not clear whether the AP does anything with them at all.
Reporters who have tried with good intentions to raise a breach with the AP may take refuge with investigative journalists out of frustration, or air their grievances themselves on social media. While they may be protected from being harmed, reported or held liable by their employer, this can still be a hair-raising issue.
After all, a reporter has to challenge his employer's claims in court, with all the costs and misery that entails. Therefore, it is wise for a reporter to first contact the 'Advice Department' of the House for whistleblowers.