Employment and Pension Law Update 2019: The Netherlands

Posted in governing law, GT Alert, Labor & Employment, pensions

This GT Alert provides an update on employment and pension law in the Netherlands for 2019. Topics covered include diversity in boards of larger companies; the Balanced Labour Market Act (Wab), effective 1 January 2020; amendments to restructuring rules applied by the Employee Insurance Agency (UWV), effective 1 October 2019; Dutch pension system reforms; and Pending acts and regulations, including Transfer of Undertaking in Bankruptcy Act (Wet overgang van onderneming in faillissement), changes to civil servant status, and extended birth leave. We also provide a list of training courses offered by GT and our areas of concentration in Labor & Employment law in the Netherlands.

Click here to read the full GT Alert.

New CJEU Decision on Use of Cookies

Posted in Court of Justice of the European Union (CJEU), data protection, GT Alert, intellectual property, privacy

On October 1, 2019 the Court of Justice of the European Union (CJEU) issued a new judgment on the use of cookies which, under the EU E-Privacy Directive, requires users’ informed consent. The court decided that

  • the cookies consent cannot be obtained by using a pre-ticked consent checkbox; and
  • information must be provided to users which includes the duration of the operation of cookies and whether third parties may have access to the cookies.

To read the full GT Alert, “New CJEU Decision on Use of Cookies,” click here.

EU Limits Territorial Scope of ‘Right to Be Forgotten’ on the Internet

Posted in Court of Justice of the European Union (CJEU), data protection, ePrivacy, EU, European Union Law, GDPR, governing law, GT Alert, litigation, privacy

On Sept. 24, 2019, the Court of Justice of the European Union (CJEU) decided that the “right to be forgotten” does not require a search engine operator to carry out de-referencing on non-EU member state versions of its search engine. The case relates to a penalty of €100,000 that the French data protection authority, CNIL, had imposed on Google in March 2016. In granting a de-referencing request, the search engine – on free speech grounds – declined to apply the de-referencing worldwide to all domain-name extensions of its search engine. Arguing for global freedom of expression, Google appealed the penalty and filed an application for the annulment of CNIL’s decision with the French Council of State. The French court then referred several questions concerning the territorial scope of the “right to be forgotten” to the CJEU for preliminary ruling.

The CJEU reviewed the case both under the former Data Protection Directive 95/46/EC (Privacy Directive) and the General Data Protection Regulation (GDPR), which replaced the Privacy Directive on May 25, 2018.

Click here for the full GT Alert, which discusses the CJEU ruling.

Brexit: Unlawful Prorogation Means Continued UK Parliament Scrutiny of Brexit Plans

Posted in Brexit, EU, GT Alert

In a historic decision issued 24 September 2019, the UK Supreme Court ruled that the UK prime minister, Boris Johnson, acted unlawfully when he advised the Queen to prorogue, or suspend, the UK Parliament for five weeks, until 14 October 2019. The effect of the very clear and unanimous decision of the 11 Supreme Court judges is that Parliament was not in fact suspended and can immediately resume its work.

This in turn means that Parliament has more time to scrutinise the government’s Brexit plans, as opposed to having to wait until 14 October to do so, and that it can continue to reject a no-deal Brexit by insisting on an extension to the Brexit timetable if Mr Johnson does not agree to new withdrawal terms with the EU at a council meeting on October 17-18.

Click here to read the full GT Alert, “Brexit: Unlawful Prorogation Means Continued UK Parliament Scrutiny of Brexit Plans.”

Revised Dutch Code of Civil Procedure: Effective 1 October 2019

Posted in Dutch Code of Civil Procedure, governing law, litigation

Introduction

Effective 1 October 2019, the Dutch Code of Civil Procedure (DCCP) will partly be revised. This revision is related to the failed digitalization of the Dutch judicial system: Program Quality and Innovation of Justice (in Dutch: Programma Kwaliteit en Innovatie Rechtspraak (KEI)). Only the district courts of Gelderland and Midden-Nederland have switched to the new digital system and accompanying procedural rules. This means there are different litigation systems for different Dutch courts. To harmonize the litigation systems in the Netherlands, an Emergency Act has been accepted by the Dutch government, with (mostly practical) consequences for Dutch litigation beginning 1 October 2019. This blog post explains a few concrete consequences of the Revised Dutch Code of Civil Procedure (Revised Code).

Consequences of the Revised Code

Current Dutch legal proceedings at first instance have a pronounced written aspect. As such, it often takes longer for an oral hearing (in Dutch: mondelinge behandeling) to be scheduled and witnesses or party-appointed experts to be heard. With the Revised Code, Dutch legal proceedings will have a stronger oral element, leaving more room for the court’s direction. Most of the consequences of the Revised Code therefore relate to oral hearings.

The Court’s Increased Directing Role

With the Revised Code, the court will be given more discretion to direct legal proceedings. The court may (also at the request of parties) in all cases and in every phase of the proceedings order an oral hearing in which the court can – inter alia – discuss continuation of the procedure. During oral hearings, the court may direct or order parties regarding the performance of further procedural acts. The Revised Code cancels the section on the basis of which parties were offered the possibility to request oral pleadings (current article 134 DCCP).

The court’s increased directing role is also demonstrated in its statutory authority to ask questions during the oral hearing. Parties may also ask each other questions, subject to the court’s authority to prevent certain questions from being answered.

The Revised Code states that, when parties settle during an oral hearing, the procedure ends. In addition, the court will be given more authority regarding settlement discussions during the oral hearing.

Furthermore, the Revised Act provides general rules concerning the record of the hearing (in Dutch: proces-verbaal). The court may, inter alia, determine that the written record of the oral hearing should be replaced by an image or sound recording made by the court or on behalf of the court.

Hearings of Witnesses and Party-Appointed Experts

With the court’s prior permission, witnesses and party experts may be heard during an oral hearing. This improves the (speed of the) procedure, because separate witness hearings do not need to be ordered by the court.

The judge may determine that a statement made by a party, witness, or expert will be included in its entirety in the hearing record. In so doing, the oral hearing is more fully represented than when the court only includes a few passages in the record (as is customary under the current DCCP).

Other Consequences

Given the Revised Act, procedural law applicable to the district courts of Gelderland and Midden-Nederland will be aligned with procedural law applicable to other Dutch courts. Furthermore, it will be formalized in statute that – in principle – procedural documents and other documents must be submitted to the court at least 10 days before the oral hearing.

For more on the Dutch Code of Civil Procedure, click here.

Brexit: Political Impasse After UK Parliament Votes to Block October 31 No-Deal Departure From EU

Posted in Brexit, EU, GT Alert

Our last GT Alert on Brexit quoted the saying, “a week is a long time in politics”. New Conservative Prime Minister Boris Johnson has found that a mere 72 hours is an eternity as he seeks to break the political impasse on the terms of the UK’s exit from the European Union – so far, unsuccessfully.

Although the 2016 referendum decision to leave the EU was carried with a low majority – 52% to 48% – and was ‘advisory’ in UK law, successive UK Governments have held that the vote must be treated as a commitment. In January 2017 the UK Supreme Court, responding to a claim brought by an individual (the ‘Miller Case’), ruled that Government could not withdraw the UK from the EU by exercising its executive powers but must seek the consent of Parliament by proposing legislation. This is the origin of the impasse Mr Johnson now faces.

Click here for the full GT Alert, “Brexit: Political Impasse After UK Parliament Votes to Block October 31 No-Deal Departure From EU.”

Brexit: Can the Remainers Stop a No-Deal Brexit?

Posted in Brexit, EU, GT Alert

Brexit has driven fault lines through British politics as seen at no time since the 1680s. Fervent ‘leavers’ and fervent ‘remainers’ can be found in both of the main political parties, although most favour various compromise options in between.

This is reflected in the composition of the UK Parliament and has resulted in an impasse, with Parliament rejecting both the transitional ‘deal’ to leave the EU negotiated by former Prime Minister Theresa May at the end of 2018 and the prospect of leaving the EU without a deal – a ‘no deal’ Brexit. The election of Boris Johnson as the new UK prime minister and his appointment of a government leaning firmly towards leaving the EU, with or without a deal on October 31, 2019, throws up some distinctive legal challenges: If a new deal cannot be struck with the EU, is a no-deal Brexit inevitable, or can the remainer MPs stop it?

Click here for the full GT Alert, which explores Prime Minister Johnson’s options, the two legal routes open to remainer MPs, and more.

CJEU Finds Website Operators Using Social Media Plugins Are Joint Controllers

Posted in Court of Justice of the European Union (CJEU), ePrivacy, EU, European Directive, European Union Law, GDPR, GT Alert, litigation, privacy

On July 29, 2019, the Court of Justice of the European Union (CJEU) found that a website operator using a social media plugin is a joint controller with the social media company providing the plugin and can be held jointly liable in relation to such processing activities. Although the case was decided under the Privacy Directive 95/46, since the ruling concerns definitions that also exist under the General Data Protection Regulation (GDPR), website operators should take note and may want to review their previous legal bases determinations and notices as well as their existing contractual arrangements with the social media company to ensure they are in compliance with GDPR.

The case arose when a German consumer protection association sued a German online fashion retailer, Fashion ID, for allegedly breaching the then-existing national data protection laws when it enabled the transfer of visitors’ personal data to a third party via a social plugin. The German Higher Regional Court referred the matter to the CJEU.

In the proceedings it became apparent that the social media plugin (a “like” button) on Fashion ID’s website caused the visitor’s browser to request content from the company providing the plugin; then the browser transmitted the visitor’s personal data to the social plugin company. This happened as soon as the visitor consulted the website and regardless of whether or not the visitor:

  • was aware of such an operation;
  • was a member of the social media platform; or
  • had clicked on the plugin.

Click here for the full GT Alert on the CJEU’s finding, the website operator’s responsibilities, and key takeaways for website operators.

Brexit Update: Impact of New UK Prime Minister

Posted in Brexit, GT Alert

The UK’s new prime minister, Boris Johnson, will take office on 24 July 2019, just over three months before the UK is due to leave the EU, on 31 October 2019.

When the UK voted to leave the EU in June 2016, few predicted that Brexit would not yet be achieved over three years later. But repeated failure to gain UK parliamentary approval of the draft withdrawal agreement terms negotiated by then-Prime Minister Theresa May in late 2018 resulted in the original 29 March 2019 Brexit date being postponed to the current 31 October 2019 deadline. This failure also led to Theresa May announcing her intention to stand down as leader of the governing Conservative Party and as prime minister.

To read the full GT Alert, click here.

For more on Brexit, click here.

First fine imposed by the Dutch Data Protection Authority since GDPR

Posted in data protection, GDPR, privacy

Background

The Dutch Data Protection Authority imposed an administrative fine of
EUR 460,000 on Haga Hospital in The Hague on 18 June 2019 (published 16 July 2019) (link in Dutch). It is the first fine imposed in the Netherlands for a violation of the General Data Protection Regulation (GDPR).

The hospital is facing this fine because it did not sufficiently secure its medical log files. Several dozen hospital employees (approximately 85) had unnecessary access to a specific medical file. This medical file belonged to a famous Dutch reality star whose hospital admittance received a lot of media attention in the Netherlands in 2018. A whistleblower published about the unlawful access to the medical file through the website Publeaks, eventually leading to an investigation by the Dutch Data Protection Authority.

Data breach

The breach lies in the fact that the hospital did not meet the requirement to have a two-factor authentication process in place to protect the medical files. Furthermore, the medical log files were not evaluated regularly. This omission resulted in a breach of article 32(1) of the GDPR, according to the Dutch Data Protection Authority. This article requires data controllers and processors to implement the appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

The Dutch Data Protection Authority applied the 2019 Dutch fining policy rules to determine the EUR 460,000 fine amount.

The Dutch Data Protection Authority has also imposed an order on the hospital, subject to penalty, that aims to cure this continuing GDPR breach. If the infringement is not fixed within 15 weeks, the hospital will incur an additional penalty of EUR 100,000 per two weeks with a maximum amount of EUR 300,000.

First Dutch fine under GDPR

Although some consider an earlier fine issued to a transportation network company on 6 November 2018 of
EUR 600,000 for a data breach as the “first Dutch GDPR fine”, (link in Dutch) the fine issued to the hospital is the first fine imposed solely under the GDPR by the Dutch Data Protection Authority and also not under the GDPR’s statutory predecessor (which was the case with the transportation network’s fine).

The hospital has already stated that it plans to appeal the height of the fine.

For more on the data protection and the Netherlands, click here.

LexBlog