NMa imposes fines on Liander and Nuon CCC for inadequate protection of customer data

Network operators are legally required to keep their customers’ data confidential. The Netherlands Competition Authority (NMa) has imposed a fine on Dutch regional network operator Liander for having inadequately protected its customers’ data, enabling energy supplier Nuon Sales to peruse that data. That situation created the possibility for Nuon Sales to use that information for its own marketing purposes. Even though it appears that such abuse did not happen, it could have led to an unfair competitive advantage and, thus, to a distortion of the market. Non-compliance with the confidentiality requirement is considered a serious violation. The NMa has imposed a fine of EUR 3.32 million on Liander, and a fine of EUR 208,000 on Nuon CCC, a subsidiary of energy supplier Nuon.

The Dutch Independent Grid Administration Act requires network operators to be ‘unbundled’ from the undertakings that produce and supply energy. This mandatory unbundling prevents network operators from giving preferential treatment to a supplier belonging to the same holding. This is a necessary condition for fair competition between energy suppliers. A liberalized energy market is therefore of critical importance.

Both Liander and Nuon Sales have stored their customer data with Nuon CCC as part of their respective programs to outsource administrative tasks. At Nuon CCC, however, their data sets were not stored separately. Had an error occurred in the access rights system, it would have been possible for Nuon Sales staff to access data of Liander customers in the IT system that Nuon CCC used for its administrative tasks, including data of former Liander customers who, over the years, have switched to suppliers other than Nuon. Liander is statutorily required to safeguard the confidentiality of its data, and carries full responsibility for properly separating its data, even when it has stored its data with a different undertaking for carrying out certain tasks. That is why a fine has been imposed on it. Nuon CCC, as co-violator, is also fined for failing to safeguard the confidentiality of the data. Furthermore, Liander must take measures to ensure that Nuon CCC staff who carry out tasks for Nuon Sales no longer have any access to confidential data of Liander’s customers, insofar as these are not Nuon Sales customers.