New Potential Risks for Companies that Process Personal Data of Dutch App Users

On Nov. 22, 2016, the District Court of The Hague ruled on a non-compliance matter under the Dutch Data Protection Act (DDPA), which implements the EU Privacy Directive (Directive). The ruling of the District Court broadens the scope of application of the DDPA.

The ruling pertains to a decision of the Dutch Data Protection Authority (DPA) which held that the processing of personal data from Dutch smartphones by a U.S. app operator is subject to the DDPA, and that the U.S. app operator is required to appoint a local representative, even if it does not have, and does not make use of, an establishment in the Netherlands.

The DPA based its decision on Article 4(2) DDPA, according to which the DDPA applies to the processing of personal data by or on behalf of a controller who is not established in the EU if automated or other equipment that is situated in the Netherlands is used for the processing (unless such equipment is used only for purposes of the transfer of personal data). The DPA held that the U.S. app operator used such equipment when accessing the Dutch residents’ smartphones to process personal data stored thereon.

In addition, the DPA also referred to Article 4(3) DDPA and ruled that the U.S. app operator was prohibited from processing personal data unless it designated a person or body in the Netherlands that acts on its behalf.

The District Court upheld the DPA’s decision and confirmed that app operators from outside of the EU that process personal data via apps on Dutch smartphones are obligated to appoint a representative in the Netherlands. If no representative is appointed, they may face sanction decisions of the DPA.

Consequently, unless and until the District Court’s decision is overturned on appeal, U.S. and other app operators from outside of the EU should comply with the DDPA whenever they process personal data through applications or similar tools that are stored on mobile devices in the Netherlands. In addition, they should designate a representative in the Netherlands – although this obligation will eventually change in May 2018 when the new EU Data Protection Regulation enters into force. Then, it will be sufficient for the app operator to designate a representative in any EU Member State.