Dutch DPA: ‘Cooperation with European privacy regulators bears fruit’

2024 has been a fruitful year for the Dutch data protection authority (DPA). The Autoriteit Persoonsgegevens (AP) carried out numerous successful interventions and imposed multiple fines, all thanks to the help of other European privacy regulators.

The AP took measures against several international corporations and tech companies, including Meta, Netflix, Booking.com, Clearview, and Uber, it says in the regulator’s 2024 year review.

In the case of Meta, the DPA concluded that public organizations shouldn’t use commercial platforms like Facebook, because they cannot be sure what happens to people’s data. Thus, to protect the privacy of citizens, it’s better not to actively approach citizens through these types of platforms.

The Dutch regulator imposed various fines and penalties on the other businesses. Netflix got a fine of €4.75 million, and Booking.com had to pay €475,000 for reporting a data breach too late. For its unlawful data collection of profile pictures, Clearview received a fine of €30.5 million and penalties up to over €5 million.

Passenger transport provider Uber was slapped with two hefty fines: a €10 million fine because the company didn’t provide sufficient disclosure about the European drivers’ data retention, plus a €290 million fine for transferring and storing sensitive personal data from European drivers to servers in the United States for over two years.

The Dutch DPA says that Big Tech companies pose “a serious threat” to the privacy and freedom of Europeans. Only by working with other European privacy regulators, the exploitation of personal information can be stopped.

“As privacy regulators, we are working together more and more successfully within Europe. Sometimes we have acted together in imposing fines, but we have also deployed other interventions,” says Aleid Wolfsen, Chairman of the AP.

For example, the Dutch DPA was one of the initiators in formulating a joint position on Meta’s ‘pay or okay’ business model. “For those platforms, it’s crystal clear now. They cannot limit themselves to offering only two choices: pay, or consent to share your data. In other words, you don’t have to pay for your privacy,” Wolfsen continues.

Last year, the AP processed over 7,500 complaints and handled around 40,000 data breaches. The regulator’s workforce expanded from 252 FTEs to 320 FTEs. Despite this growth, there’s still a shortage of resources and staff members at the DPA to effectively do its job.

“Despite these great numbers, privacy complaints from people continued to linger longer than desirable, companies had to wait a long time for clarity, the AP was unable to launch enough new investigations, and there was too little capacity to educate companies and supervise AI and algorithms. A serious investment in the AP’s capacity is and will continue to be needed,” the regulator concludes.