As mentioned in the introduction to our blog series on ePrivacy Regulation in the EU, the EU Council has reached a compromise agreement on its position on the new ePrivacy Regulation.

In March 2021, the European Data Protection Board (EDPB) published a statement welcoming the Council’s compromise agreement. However, the statement also underlines that the ePrivacy Regulation should under no circumstances lower the level of protection for personal data in the EU.

Supervisory authorities

One of the focus points included in the statement relates to the relevant supervisory authority. The EDPB emphasises that, in order to reconcile a high level of protection of personal data with legal and procedural certainty, national authorities responsible for enforcement of the GDPR should be entrusted with the oversight of the provisions of the future ePrivacy Regulation. In the Netherlands, this is the Dutch Data Protection Authority (DPA).

In this blog post, we will focus on how this approach would broaden the mandate of the DPA and whether this would suit the current structure of the DPA.

In the Netherlands, the ePrivacy Directive has been implemented in the Dutch Telecommunications Act. The Authority for Consumers and Markets (ACM) has been designated by the legislator as the supervisory authority for the ePrivacy rules.

The DPA has concluded a cooperation agreement with the ACM to ensure uniform interpretation and application of the relevant legal provisions. Under the agreement, if data processing is involved, the DPA can also enforce the ePrivacy rules in addition to the ACM (article 19(2) of the agreement).

If the advice of the EDPB is adopted and included in the new ePrivacy Regulation, the mandate of enforcement of the ePrivacy rules would be taken away from the ACM and become the sole responsibility of the DPA. This would result in a large expansion of the DPA’s mandate.

Expansion of the DPA – sufficient resources?

A relevant question in this regard is whether the DPA has enough resources (i.e. employees and budget) to cover such an expansion of its tasks. This question arises in light of a report on the research into the tasks and financial resources of the DPA. The report, commissioned by the Ministry of Justice and Security, states that the DPA should grow in order to fulfill all its legal tasks sufficiently. According to the DPA, this means it should grow from 184 FTE to 470 FTE from 2022.

In February 2021, a motion requesting that the government increase the budget of the DPA to enable the growth suggested in the above report was adopted by the House of Representatives with 96 votes out of 149. Such increased resources appear necessary in light of the expansion of the DPA’s mandate as proposed by the EDPB. More clarity in this respect is expected at the end of 2021 or early 2022, when the text of the ePrivacy Regulation is likely to be finalised.

Other posts in this series include: