Dutch Data Protection Authority (DPA): shielding personal data in the Land Registry and Commercial Register necessary against doxing

According to a new legislative bill, people can be prosecuted under criminal law for publishing someone’s personal data in an attempt to scare this person. Yet to combat this practice called doxing, it is also necessary that the government itself stops making residential addresses easily accessible via the Land Registry and the Commercial Register, without good reason. The Dutch Data Protection Authority (DPA) writes this in its advice on this bill.

Doxing is the collection or publication of, for example, someone’s address or telephone number. The aim is to frighten this person, cause serious inconvenience or impede this person in performing his or her duties. This may involve information that is already public in other places. For example, on social media, on sites that publish data from a data breach or in government registers such as the Land Registry and the Commercial Register.


Last year, then Minister of Justice and Security Grapperhaus, at the request of the Dutch House of Representatives, drew up a bill that could give perpetrators of doxing a maximum prison sentence of 1 year.
 

Address on Twitter

“This form of intimidation is happening more and more often. And it has far-reaching consequences for the victim,” says Aleid Wolfsen, Chair of the DPA. “Say someone puts the address of a politician or police officer on Twitter with a clear purpose other than sending flowers. The result: the victims and their families live in constant fear that someone may show up at their door. To threaten them, or worse. And unfortunately, that fear is sometimes justified.”
“Doxing is, in fact, a violation of GDPR privacy laws and punishable under the GDPR. And the DPA could ban that processing operation or have it removed and impose a fine on the perpetrator. Under this new law, you as a victim can immediately report it to the police. And the perpetrator even runs the risk of a prison sentence. This is a good thing.”
 

Government as a source of data

“Information for doxing can come from anywhere. Yet the government, too, must take action and pay attention to the sources of data used for doxing. The government should amend legislation to prevent data from its own registers being used for doxing,” Wolfsen continues.
Under current legislation and regulations, too much data that can be used for doxing is accessible in the Commercial Register and the Land Registry. This data can now also be requested without the applicant having to demonstrate that he or she has a specific interest in obtaining that data.

Commercial Register

Home addresses of self-employed people working from home can be looked up in the Commercial Register, which is managed by the Chamber of Commerce. There is no need for that, in the eyes of the DPA. 
That is why last year the DPA advised the Ministry of Economic Affairs and Climate to start shielding the home addresses of self-employed people working from home. Yet the ministry did not adopt this advice.

Land Registry

Information about the owners of a building or property can be requested per address in the Land Registry. This includes information such as name, date of birth, whether someone is married and the price someone paid for the property. Anyone can request this information by paying a fee. That includes people with less good intentions, people who do not intend to buy the property, and people whose interest is unrelated to the reason why those data are included in the Land Registry. Again, the DPA does not see the need for these generous access options.
The DPA previously pointed out to the government the option to check whether someone has good reason to request data from the Land Registry.
 
