Cloud computing services cover a wide range of offerings: the term refers to services that give access to a scalable and elastic pool of shareable computing resources. In the Netherlands, cloud computing services are governed by the NIS Directive (Security of Network and Information Systems Directive (EU) 2016/1148). The Directive was implemented into national law by the Security of Network and Information Systems Act (SNISA) of 17 October 2018.
The Directive contains provisions intended to raise the overall level of cybersecurity in the EU and to secure the continuity of cloud computing services. Cloud service providers must comply with the security and notification obligations described below. The same obligations apply to operators of essential services and to digital service providers, and therefore also affect organisations that use cloud services themselves.
The Directive does not apply to cloud service providers that qualify as micro or small enterprises. In broad terms, a provider falls within the scope of the Directive if it employs 50 persons or more, or if its annual turnover and balance sheet total both exceed EUR10 million.
In the Netherlands, cloud computing services are also indirectly governed by the Dutch Civil Code (DCC) and the GDPR ((EU) 2016/679), as follows.
On 20 May 2019, Directive (EU) 2019/770 on certain aspects concerning contracts for the supply of digital content and digital services was adopted. It establishes a harmonised level of consumer protection for digital content and digital services, including cloud computing services. Member states must transpose the Directive into national law by 1 July 2021, and its rules apply to contracts concluded from 1 January 2022.
Cloud service providers should also take into account the initiatives under the EU cybersecurity strategy, in particular the proposal for a revised NIS Directive (NIS2) and the proposal for a directive on the resilience of critical entities, both of which would expand the scope of the current directives.
Financial Supervision Act and Prudential Rules Decree
Financial institutions increasingly use cloud computing services. When they do, they remain responsible for complying with the relevant financial legislation and for keeping their operational processes under control. Financial institutions must comply with the strict statutory supervision requirements of the Financial Supervision Act (Wet op het financieel toezicht, Wft) while using cloud computing services, which indirectly affects how those services are delivered.
Financial institutions may not enter into cloud computing agreements if doing so could impede adequate supervision by the supervisory authority (for Dutch banks, De Nederlandsche Bank). Consequently, financial institutions must include a range of obligations in their cloud computing contracts, including a right for the supervisory authority to examine the cloud services (audit rights).
Under the Cloud Computing Circular issued by De Nederlandsche Bank (DNB), supervised Dutch financial institutions must inform DNB of a prospective cloud outsourcing arrangement before entering into it, so that DNB can assess whether operational processes and risks are under control.
Guidelines on Outsourcing to Cloud Services Providers
The Guidelines on outsourcing to cloud service providers of the European Securities and Markets Authority (ESMA), published on 18 December 2020, are useful both for financial institutions and for cloud service providers when negotiating cloud outsourcing arrangements. The guidelines are intended to help firms identify, address and monitor the risks arising from cloud outsourcing arrangements, and give guidance on the governance, organisational and technical frameworks that should be put in place to monitor the performance of cloud service providers.
Good Practice Information Security 2019–20
The Good Practice Information Security, a guide drafted by DNB, offers tools with which financial institutions can give practical substance to control measures in the areas of governance, organisation, people, processes, technology, facilities, outsourcing, testing and the risk management cycle. It sets out recommended control measures which, in DNB's opinion, properly implement the requirement of Section 3:17 of the Financial Supervision Act, read in conjunction with Section 20 of the Prudential Rules Decree (Besluit prudentiële regels Wft) and the Pensions Act. The recommendations are based on international standards such as ISACA's COBIT (Control Objectives for Information and related Technology), the ISO/IEC 27000 series and the NIST Cybersecurity Framework.
Over the past decade, the use of "distributed ledger technology" has increased rapidly. A distributed ledger is a database of transaction records that is replicated, shared and synchronised across a network of computers, known as "nodes", without a central administrator: each node holds a copy of the ledger and the nodes agree on new entries through a consensus mechanism. Blockchain, in which transactions are grouped into blocks that are cryptographically chained together, is the best-known type of distributed ledger technology.
Risk and Liability
Although blockchain has been praised as safe and unhackable, practice has shown that this is not the case. The consensus layer may be robust, but the surrounding software (wallets, node software, smart contracts and exchanges) is ordinary software that can contain defects and be targeted by malware, and the elliptic-curve signature schemes on which most blockchains rely could in the future be broken by a sufficiently powerful quantum computer.
It is therefore of utmost importance for a blockchain provider to implement appropriate organisational and technical security measures, including the ability to detect and respond to (personal) data breaches. If the blockchain provider does not implement a level of security appropriate to the risks involved, it may be in violation of Article 32 of the GDPR and thus liable for personal data that is altered, deleted or disclosed as a result, depending also on the contractual clauses agreed between the blockchain provider and the user.
As with any technology service, blockchain services can also suffer from programming defects which, depending on the type of defect, may give rise to liability. Blockchain providers and customers should therefore, before the purchase and use of a blockchain solution, negotiate specific contractual rights and obligations, such as a contractual defects liability period, and record the scope of and expectations for the blockchain application, for example in detailed key performance indicators. Where standard terms and conditions apply, it is also important to be aware of any limitation of liability, the governing law and jurisdiction, the termination provisions, and whether the contract allows certain users to be blocked if they violate the guidelines or breach the terms and conditions.
Two types of blockchain can be distinguished: (i) "permissionless" blockchains, in which there is no authority that can deny anyone permission to participate in the network and add transactions to the ledger, and (ii) "permissioned" blockchains, in which a limited group of participants retains the power to validate and add transactions to the ledger. Permissionless blockchains can give rise to disputes about infringement of intellectual property rights: if a work protected by intellectual property is recorded on the blockchain, it can be difficult to prove ownership, to identify infringements, and to handle transfers or licences to third parties.
Before using blockchain, it must be considered what type of data will be shared, whether that data is, for example, subject to intellectual property rights or trade secrets, and which contractual rights and obligations of the blockchain provider may apply.
The decentralised nature of blockchain makes it difficult to identify the party responsible for the processing (the controller), which in turn makes it hard to guarantee a whole range of data subjects' rights. Its distributed nature also means that every node holds a full copy of the ledger, a degree of transparency that conflicts with the principles of data protection by design and by default.
Finally, the append-only, immutable nature of blockchain makes it impossible to guarantee various data subjects' rights, such as the right to be forgotten, and clashes with a number of general principles, including data minimisation and storage limitation.
Business processes built on blockchains may be vulnerable to technology and operational failures as well as to cyber-attacks. Blockchain users need a robust business continuity plan and governance framework to mitigate such risks.
Additionally, because blockchain solutions speed up many business processes, it is of utmost importance to assess the (business-critical) risks involved and to mitigate business continuity risks by concluding service level agreements that specify adequate incident response and recovery times, for example between the participating nodes and the administrator of the network.
If a dispute arises about a blockchain, for example between a blockchain supplier and a customer, it is important to determine which country's rules apply. If the supplier and the customer are located in different countries, private international law determines (i) which court has jurisdiction and (ii) which law is applicable. Such issues can be prevented by explicitly entering into an agreement, or accepting terms and conditions, that designates a competent court and the governing law.
Big data refers to very large volumes of data, often unstructured, that grow rapidly and are processed at high speed. Big data can be obtained directly from the source, such as the person providing the data, but also indirectly by linking data together.
Potential risks when collecting and using big data
When collecting big data, one of the issues that can arise is whether the data can be used to identify an individual, directly or indirectly. If so, the data must be regarded as "personal data", which means that the GDPR and the Dutch GDPR Implementation Act apply. Linking datasets can make data identifiable that was not identifiable on its own, and pseudonymised data remains personal data. In that case, one of the legal grounds for processing personal data in Article 6(1) of the GDPR must apply and, where the data falls within the special categories of personal data, one of the exceptions in Article 9(2) of the GDPR must also be in place.
Big data is increasingly stored in "data lakes", repositories in which raw data is kept in its original format. Once the data is stored in the repository, organisational and technical measures must be put in place to secure it and to prevent data breaches. Even if the data does not contain personal data, it may be protected by intellectual property rights or as a trade secret, and trade secret protection itself presupposes that reasonable steps have been taken to keep the information secret. Access controls and monitoring on the repository therefore matter regardless of whether personal data is involved.
Artificial Intelligence (AI)
Artificial intelligence (AI) can be defined in many different ways. In general terms, however, artificial intelligence is the theory and practice of creating computer systems that automate and perform tasks in a "human-like" manner.
One of the key components of artificial intelligence is machine learning: the study of algorithms that learn from (un)structured data and produce predictive models, which are continually updated and refined as new data becomes available.
To train an algorithm and gain valuable insights from (un)structured data, (i) enough representative data is needed (data quantity), (ii) this data must be accurate, representing the aspects you wish to observe with as few errors as possible (data quality), and (iii) sufficient computing power is needed.
Potential risks of implementing artificial intelligence and machine learning
When implementing or developing artificial intelligence, and in particular machine learning, there are a number of privacy risks that developers, customers and lawyers should be mindful of.
Artificial intelligence, and in particular machine learning, can affect the privacy of individuals, as it is not always transparent to the individual what personal data is being generated, collected and/or shared, or for which purposes it will be used; a model may also infer new personal data from the data it was trained on.
When algorithms process personal data in or from the European Economic Area, the GDPR and the Dutch GDPR Implementation Act apply. If the personal data is used for unsolicited communication or spam, the ePrivacy Directive and the Dutch Telecommunications Act (Telecommunicatiewet) also apply.
The output of an algorithm may be used for automated individual decision-making and profiling, which can have a significant adverse effect on the individual. This type of processing is therefore regarded as high risk, and before implementing and using such algorithms a Data Protection Impact Assessment (DPIA) must be conducted, as required by Article 35(3)(a) of the GDPR and described in the European Data Protection Board Guidelines on Data Protection Impact Assessment.
A DPIA assesses the potential risks to individuals and identifies ways to address and mitigate them. It is also important to note that automated processing, including profiling, which produces legal effects concerning individuals or similarly significantly affects them may only be carried out if one of the three exceptions in Article 22(2) of the GDPR applies (the decision is necessary for a contract with the data subject, is authorised by EU or member state law, or is based on the data subject's explicit consent), in addition to there being a lawful basis for the processing under Article 6 of the GDPR.
Article 25 of the GDPR also makes the principles of "data protection by design" and "data protection by default" mandatory. Data protection by design means that privacy and data protection issues must be addressed at the design phase and throughout the life cycle, ideally at the earliest stages of designing the processing operations, in order to safeguard the data protection principles. Data protection by default means that, as a matter of course, safeguards must be in place so that only the personal data necessary for each specific purpose is processed, in terms of the amount of data collected, the extent of processing, the retention period and accessibility.
By adhering to the principles of data protection by design and data protection by default, developers and users of artificial intelligence and machine learning applications are able to address privacy issues in a timely manner.
EU Data Initiatives
In addition to the GDPR, the Dutch GDPR Implementation Act, the ePrivacy Directive and the Dutch Telecommunications Act (Telecommunicatiewet), the European Commission has presented its strategy on data and artificial intelligence, which includes a white paper on artificial intelligence, and a proposal for the Digital Services Act.
The Internet of Things (IoT) describes a system of interrelated, internet-connected devices that exchange (personal) data with each other. When contemplating a project that revolves around the development or use of IoT technologies, such as smart car software, smart security systems and connected health wearables, multiple legal restrictions and potential legal issues must be taken into account when setting up the project.
IoT devices collect large amounts of real-time data and share it between devices. If the data collected and shared relates to an identified or identifiable natural person, which is likely because multiple devices and datasets are linked, it must be considered personal data. When personal data is processed in or from the European Economic Area, the GDPR and the Dutch GDPR Implementation Act apply, and the principles of the GDPR must be taken into account before and during the project.
The Guidelines on Data Protection Impact Assessment (WP248 rev.01), adopted by the Article 29 Working Party and endorsed by the European Data Protection Board, explicitly mention "innovative use or applying new technological or organisational solutions, like combining use of finger print and face recognition for improved physical access control" as a criterion that can trigger the need to carry out a DPIA, because it involves a new way of collecting, using and sharing personal data.
The purposes for which the personal data is processed are often not transparent to the individual, so the personal and social consequences are not directly known and are difficult to foresee. The deployment of IoT devices may thus pose a high risk to the rights and freedoms of individuals, and the guidelines indicate that a DPIA is required in such cases in order to assess and mitigate potential privacy risks.
It is also important to note that if IoT technologies are used for automated individual decision-making and profiling that produces legal effects concerning individuals or similarly significantly affects them, such processing may only be carried out if one of the three exceptions in Article 22(2) of the GDPR applies, in addition to there being a lawful basis for the processing under Article 6 of the GDPR.
Because connected devices may contain vulnerabilities, cybersecurity is also a high priority. The technical and organisational measures required by Article 32 of the GDPR must take into account, among other things, the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing, and the risks to individuals. Article 32(1) itself names pseudonymisation and encryption, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems, the ability to restore availability and access after an incident, and regular testing of the effectiveness of the measures. The reference to the state of the art means that where relevant security standards and codes of practice exist and are used by other market participants, implementing them can in effect be mandatory. Furthermore, the principles of data protection by design and by default, mentioned previously, also apply to the implementation and use of IoT devices.
IT service agreements are not specifically regulated under Dutch law. Generally, an IT service agreement falls under the scope of Articles 7:400 to 7:413 of the Dutch Civil Code (overeenkomst van opdracht, contract for services). When a software solution is developed specifically for the customer, whether agile or waterfall, and tailored to the customer's intended use, it is more likely that the agreement falls under the special scope of Articles 7:750 to 7:764 of the Dutch Civil Code (aanneming van werk, contract for work). Both sections of the Dutch Civil Code, however, address services in general and do not specifically govern IT services. Moreover, Dutch contract law is strongly influenced by the principle of freedom of contract, which means that parties to IT service arrangements are free to shape and determine the content of their arrangements, without prejudice to overriding mandatory Dutch law.
Duty of care
Dutch case law shows a development in which the content of the duty of care is becoming more comprehensive. When the IT services consist of software development, configuration and implementation work, or application design, a duty of care applies to the IT supplier, on the basis of which customers may hold the IT supplier accountable in the event of a failed IT project or a default in the provision of IT services. This duty of care may arise from the contract itself or from tort.
An IT supplier must at least act with the care that may be expected of a reasonably competent and reasonably acting professional peer. The duties of care that can be distinguished are as follows:
Additionally, in the context of IT service agreements, responding to a call for tenders issued by a public entity or a listed company is subject to specific formal requirements for the submission and entails disclosure of specific documents by the IT supplier.
Furthermore, because of the GDPR, privacy and data protection are frequently discussed during IT service negotiations, as IT suppliers that provide hosting, maintenance and support services may have access to the customer's production environment and thus to the personal data in it.
If the customer determines the purposes and means of the processing, the customer is the data controller, and an IT supplier that processes personal data on the customer's behalf and on its instructions is a data processor. In that case, a data processing agreement as required by Article 28(3) of the GDPR must be concluded between the IT supplier and the customer, containing the contractual guarantees that the IT supplier provides, such as processing only on documented instructions, confidentiality, security measures, conditions for engaging sub-processors, assistance with data subject requests and breach notification, and deletion or return of the data at the end of the services.
Core Rules Regarding Data Protection
Players in the field should keep pace with the broad range of policy measures geared toward Europe's digital ambition that touch on data protection and privacy as well as cybersecurity in 2021, including current proposals on the:
In most EU member states, including the Netherlands, there is no legal definition of "data" and no such thing as "data ownership". Dutch law only recognises ownership of physical objects, defined as "material objects which are susceptible to human control" (Article 3:2 of the Dutch Civil Code). In legal practice this often leads to difficult situations, which are mostly resolved by contract.
With regard to data protection, three pieces of EU legislation are directly applicable in the Netherlands or have been implemented into Dutch law. While the EU is still seeking consensus on a new ePrivacy Regulation governing, among other things, electronic communications and the use of metadata, the Free Flow Regulation ((EU) 2018/1807) is the most recent to have entered into force. That regulation applies to electronic data other than personal data as defined in the GDPR and the Dutch GDPR Implementation Act, so as not to affect the existing framework for personal data protection. The Free Flow Regulation, the GDPR and the ePrivacy Directive (2002/58/EC) complement each other and together form the EU framework for the free movement of all data in the digital single market.
General Processing of Data
In general terms, it is important to grasp the interaction between the GDPR and the Free Flow Regulation, especially for datasets comprising both personal and non-personal data. The main points are the following.
The two regulations function together to enable the free flow of any data, creating a common European data space.
If a company processes mixed datasets, neither the Free Flow Regulation nor the GDPR obliges it to separate the personal data from the non-personal data or to store them separately. If the company does not separate them and processes the dataset as a mixed dataset, the data protection rules apply to the entire dataset; the same holds where the personal and non-personal data are inextricably linked (Article 2(2) of the Free Flow Regulation). Together, the Free Flow Regulation and the GDPR create legal certainty for companies and guarantee that personal and non-personal data, even when included in a mixed dataset, can move freely within the EU. Companies can therefore decide to store, transfer or process a mixed dataset anywhere in the EU, wherever they consider most beneficial.
Examples of mixed datasets include:
Processing of Personal Data
As regards territorial scope, the GDPR and the Dutch GDPR Implementation Act apply to the processing of personal data in the context of the activities of an establishment of a controller or a processor (see below) in the Netherlands, regardless of whether the processing itself takes place in the Netherlands (Article 3(1) of the GDPR).
They additionally apply to the processing, by a controller or processor not established in the EU, of the personal data of data subjects who are in the Netherlands, where the processing activities are related to: (a) the offering of goods or services to those data subjects, irrespective of whether a payment is required; or (b) the monitoring of their behaviour, as far as that behaviour takes place within the EU (Article 3(2) of the GDPR).
Controllers and processors
A controller is the entity that decides on the purposes and means of the processing of personal data. A processor processes personal data on behalf of a controller and generally has no control over the purposes and means of the processing. Controllers must conclude a data processing agreement with their processors (Article 28 of the GDPR), and a processor that determines its own purposes and means for a processing activity becomes a controller for that processing (Article 28(10) of the GDPR).
Processing of personal data is only permitted if there is a legal ground for the processing activity. The legal grounds (Article 6(1) of the GDPR) are: (a) consent of the data subject; (b) necessity for the performance of a contract with the data subject, or to take steps at the data subject's request prior to entering into a contract; (c) compliance with a legal obligation to which the controller is subject; (d) protection of the vital interests of the data subject or another natural person; (e) performance of a task carried out in the public interest or in the exercise of official authority; and (f) the legitimate interests pursued by the controller or a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject.
Consent must be freely given, specific, informed and unambiguous; it must be as easy to withdraw as to give, and the controller must be able to demonstrate that it was obtained (Article 7 of the GDPR). Children under the age of 16 cannot give valid consent themselves (Article 5 of the GDPR Implementation Act); consent must be given by their parents or legal guardians.
For the processing of special categories of personal data (eg, personal data revealing racial or ethnic origin, political opinions or trade union membership, and health data) to be permitted, there must be a legal ground under Article 6 and one of the exceptions in Article 9(2) of the GDPR must apply. In addition to the exceptions in Article 9(2) of the GDPR, the GDPR Implementation Act sets out exceptions under national law, for example for the processing of health data in Article 30 of the Dutch GDPR Implementation Act.
The processing of personal data must meet the principles of Article 5 of the GDPR: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability, meaning that the controller must be able to demonstrate compliance with these principles.
Controllers and processors must maintain a record of processing activities (Article 30 of the GDPR); the exemption for organisations with fewer than 250 employees does not apply where the processing is likely to result in a risk, is not occasional or involves special categories of data. In case of a high-risk processing activity, a DPIA must be carried out under Article 35 of the GDPR. In particular situations, a controller or processor must appoint a data protection officer (Article 37 of the GDPR).
Rights of data subjects
Data subjects have the right to be informed; the information set out in Articles 13 and 14 of the GDPR must therefore be provided to data subjects, usually by means of a privacy notice.
Controllers must be able to comply with data subjects' requests to exercise their rights, namely the rights of access (Article 15), rectification (Article 16), erasure (Article 17), restriction of processing (Article 18), data portability (Article 20), the right to object (Article 21) and the right not to be subject to a decision based solely on automated processing (Article 22). Requests must in principle be answered without undue delay and at the latest within one month (Article 12(3) of the GDPR).
A personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed (Article 4(12) of the GDPR).
Unless a personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons, it must be notified to the Dutch DPA (Autoriteit Persoonsgegevens) without undue delay and, where feasible, within 72 hours after the controller became aware of it (Article 33 of the GDPR); a processor must notify the controller without undue delay. Every breach, whether notified or not, must be documented. When the breach is likely to result in a high risk to the rights and freedoms of natural persons, it must also be communicated to the data subjects without undue delay (Article 34 of the GDPR).
To prevent personal data breaches and to protect personal data, controllers and processors must implement technical and organisational measures that ensure a level of security appropriate to the risk (Article 32 of the GDPR).
Transfer of personal data outside the EEA
Transfer of personal data to countries outside the EEA is not permitted unless: (i) the European Commission has adopted an adequacy decision for the destination country (Article 45 of the GDPR); (ii) appropriate safeguards are in place, such as standard contractual clauses adopted by the Commission or binding corporate rules (Articles 46 and 47 of the GDPR); or (iii) one of the derogations for specific situations applies, such as the explicit consent of the data subject (Article 49 of the GDPR).
With respect to Brexit, it remains to be seen when an adequacy decision permitting transfers of personal data from the EEA to the UK will be adopted. In the meantime, an interim period applies under the EU-UK Trade and Cooperation Agreement (initially four months from 1 January 2021, extendable to six), during which transmission of personal data from the EEA to the UK is not treated as a transfer to a third country under EU law.
The GDPR is intended to make data protection a boardroom issue. It introduces an antitrust-style sanction regime with fines of up to 4% of annual worldwide turnover or EUR20 million, whichever is greater. These fines apply to breaches of many of the provisions of the GDPR, including failure to comply with the general processing principles or carrying out processing without a legal ground.
A limited number of breaches fall into a lower tier and are subject to fines of up to 2% of annual worldwide turnover or EUR10 million, whichever is greater. For example, failing to notify a data breach or failing to put an adequate contract in place with a processor falls into this lower tier.
In addition to fines, the Dutch DPA (Autoriteit Persoonsgegevens) has a range of other powers and sanctions at its disposal. These include investigative powers, such as the ability to demand information from controllers and processors and to carry out audits, and corrective powers enabling it to issue warnings or reprimands, to order compliance with an individual's rights and to impose a temporary or permanent ban on processing.
In the Netherlands, the DPA also has the power to enter residences without the consent of the occupant. Furthermore, obligations of secrecy cannot be invoked against the DPA to the extent that information or co-operation is required regarding the organisation's own involvement in data processing.
Finally, data subjects have a right to compensation for material and non-material damage. In the Netherlands, litigation is emerging on the basis of the new Act on collective damages claims (Wet afwikkeling massaschade in collectieve actie, WAMCA), which entered into force on 1 January 2020.
Restrictions on monitoring and limiting employees' use of company computer resources are predominantly driven by data protection law.
Workplace monitoring will usually involve processing personal data and is therefore governed in the Netherlands by the GDPR and the Dutch GDPR Implementation Act.
Identify the Purpose of Monitoring
When considering whether or how to monitor employees, the starting point should be identifying the purpose and underlying interest of the employer. What is the employer trying to pursue, ensure or protect? Is it for efficiency purposes, or are there specific security concerns? Is it a one-off, incidental case of monitoring (such as a breach of company confidentiality by an employee and subsequent investigations) or is it a more general concern (data loss prevention tools, web traffic monitoring, extensive private email use, e-discovery tooling)? Would monitoring the flow of communications be sufficient or is actual content inspection intended?
Employers should conduct a thorough risk analysis and make sure that the chosen monitoring is proportionate to the risks they are looking to mitigate. This risk analysis should help employers meet the legislative requirements. Once an employer has identified the reason or purpose for the monitoring, the next step is to consider how the chosen monitoring addresses that concern, and whether there are less intrusive ways of meeting the purpose than monitoring. This has a practical as well as a legal purpose: if there is a less intrusive way to protect the business than monitoring employees, the courts and the Dutch DPA (Autoriteit Persoonsgegevens) will expect the employer to take it, and doing so lowers the risk to the business.
To carry out GDPR-compliant monitoring, employers must identify a legal basis for the monitoring and for processing the resulting information, and an exception for any special category personal data it may reveal, such as data relating to health, religion or ethnicity/race.
It is noteworthy that consent is not considered a valid legal basis for processing personal data in the employment context, given the imbalance of power between employer and employee, especially for intrusive processing activities such as monitoring. In the Netherlands, employers will in most cases have to rely on the "legitimate interest" legal basis. This means that a legitimate interests assessment (LIA) must be conducted to ensure a proper balance between the legitimate interest of the employer and the fundamental rights and freedoms of the employees. Depending on the form of monitoring, the measures should include limitations on monitoring that guarantee that the employee's privacy is not violated. Such limitations could be:
Employee monitoring is considered "high risk" processing by the Dutch DPA, so a DPIA must also be conducted. The Dutch DPA distinguishes between general monitoring and covert monitoring. Covert monitoring is only lawful where the employer has a reasonable suspicion of a criminal offence or wrongful use of company information and notifying the individuals concerned would prejudice its detection or prevention.
Companies with a works council must also obtain the prior consent of the works council before introducing employee monitoring, on the basis of the Dutch Works Councils Act (Wet op de ondernemingsraden, Section 27(1)(k) and (l)). Furthermore, it is very important that these assessments are properly documented as, apart from demonstrating accountability with other data protection principles and requirements, the documentation will form the basis of the employer's defence in the event of a claim, complaint or Dutch DPA investigation.
Information and Transparency
Employers are obliged to inform employees in a transparent way of the purposes and means of the monitoring activities. This kind of information is often captured by means of an (employee) privacy notice. This notice draws the relevant acceptable use and monitoring policies to the attention of the employees. Appropriate training for staff carrying out monitoring and using monitoring data is also key.
Failure to do so may leave employers exposed to additional risk and claims. Depending on the circumstances, employees may also have grounds for an unfair dismissal or constructive dismissal claim, and might in some circumstances be able to establish a whistle-blowing aspect to such a claim. This could seriously impair the position of the employer, which could lead to significant financial and reputational damages. After all, employee communications are key to avoiding lasting damage to employee relations.
Access Limitation and Retention
Employers must ensure that they limit access to monitoring data. Only those who really need access should be able to access it (ie, on a need-to-know basis). This means assessing access controls, permission grants and sign-off processes, etc, so that access is granted only where necessary.
Furthermore, monitoring data should only be kept to the extent it is relevant to the purpose for which it is processed and whilst it remains accurate. Indefinite retention is never permissible. The period of retention will, to a certain extent, depend on the nature of the information collected and its usefulness. For example: CCTV images may, in principle, be retained for a maximum term of four weeks in the Netherlands. In addition, the employer is obliged to implement appropriate technical and organisational measures to ensure the safety and integrity of the data at all times. Once no longer needed, the data must be destroyed safely and securely.
Private Remains Private
Private and working lives are now more intertwined than ever. During the COVID-19 crisis, many more employees will be using their personal devices rather than work devices when working remotely. Employers need to be extremely careful of the following:
Additionally, accessing communications without grounds to do so could amount to criminal or other civil offences for the business and potentially its directors.
Tracking of location data is seen by the Dutch DPA as a particularly invasive form of employee monitoring. Employers may feel the need to track company assets or equipment, such as laptops, tablets and phones. However, even if the employer can pass the legal hurdles, if it wants to use such data for the management and discipline of wayward employees it must spell this out clearly for employees, otherwise it will breach key provisions of the GDPR and employment legislation. Otherwise, it could set itself up for additional claims and risks.
There will inevitably remain scenarios where an employer is tempted to use monitoring tools for wider purposes, particularly in the COVID-19 context – for example, on the private use of company devices or on homeworking conditions and efficiency. However, risks remain significant and employers should beware of the so-called "mission creep" – ie, incremental expansion beyond the initial purpose of monitoring. Monitoring data should only be used for the purpose for which it is collected, and changing its purpose will raise further questions and compliance hurdles as to whether the monitoring was legitimate and employees were properly informed. Justifying employee monitoring is a hard task; using the same data for other purposes creates a new layer of risk.
Currently, there are multiple technologies that are deemed to fall within the scope of local telecommunications rules. Prior to bringing such technologies on the market, it is important to comply with the requirements as set out in local law.
The Dutch telecommunications sector is primarily governed by the Dutch Telecommunications Act (Telecommunicatiewet), which also incorporates multiple European Directives, such as the aforementioned ePrivacy Directive, the Directive 2002/21/EC on a common regulatory framework for electronic communications networks and services (Framework Directive), and the Directive 2002/22/EC on communications networks and services (Universal Service Directive).
The Telecommunications Act requires registration with the Authority Consumers and Markets (Autoriteit Consument en Markt) for a provider of:
Furthermore, when offering the aforementioned services, providers are obliged to solve and report any interruptions or technical failures and they may not impede or delay services or applications on the internet, including charging different rates for different internet applications.
In the Netherlands, there are two authorities that supervise the enforcement of the Telecommunications Act: the Authority Consumers and Markets (Autoriteit Consument en Markt), which is responsible for competition oversight, telecom-specific regulation and consumer protection, and the Dutch Radiocommunications Agency (Agentschap Telecom), which is responsible for obtaining and allocating frequency space and monitoring its use.
Radio Frequency Identification (RFID) chips use radio frequencies to collect (personal) data from uniquely identified tags and transfer the (personal) data over electronic communications networks.
Based on Article 3.4(1)(a) of the Telecommunications Act, Article 18 of the Frequency Decree (Frequentiebesluit) and the Regulation on the use of frequency space without a licence (Regeling gebruik van frequentieruimte zonder vergunning), RFID chips are exempted from the obligation to receive a permit prior to the use of frequency space.
However, collecting and transferring (personal) data with RFID chips may trigger privacy and security issues. The Directive 2009/136/EC, which amended the ePrivacy Directive and the Universal Service Directive, explicitly states that: “use of such technologies can bring considerable economic and social benefit and thus make a powerful contribution to the internal market, if their use is acceptable to citizens. To achieve this aim, it is necessary to ensure that all fundamental rights of individuals, including the right to privacy and data protection, are safeguarded. When such devices are connected to publicly available electronic communications networks or make use of electronic communications services as a basic infrastructure, the relevant provisions of Directive 2002/58/EC (Directive on privacy and electronic communications), including those on security, traffic and location data and on confidentiality, should apply.” (Directive 2009/136/EC, consideration 56).
If RFID chips collect and transfer personal data, the GDPR and the Dutch GDPR Implementation Act shall apply. Therefore, when producing or using RFID chips, the principles of the GDPR and the Dutch GDPR Implementation Act must be taken into account. Furthermore, a Data Protection Impact Assessment as mentioned in Article 35 of the GDPR must be carried out. The European Data Protection Board adopted a specific Privacy and Data Protection Impact Assessment Framework for RFID applications on 12 January 2011, which can be used to conduct such assessment.
Voice over Internet Protocol (VoIP) is the transmission of voice and multimedia communications over an internet connection. Based on the Telecommunications Act, a provider of VoIP services is regarded to be a provider of electronic communications services. Therefore, in the Netherlands, the Dutch Telecommunications Act applies and providers must register with the Authority Consumers and Markets (Autoriteit Consument en Markt) prior to providing such services to customers.
This has also been confirmed in the case C-142/18 Skype Communications Sarl v IBPT (5 June 2019). In this case, the European Court of Justice (ECJ) ruled that Microsoft’s Skype service, SkypeOut – which is an additional feature of the Skype software and allows Skype users to make calls from a terminal to a fixed or mobile telephone line using VoIP – is an electronic communications service, as defined in the Framework Directive (Directive 2002/21/EC, as amended) and is therefore subject to European telecoms regulations.
In the Netherlands, any natural or legal person may in principle provide a commercial media service or solicitation, provided that they:
On 1 November 2020, the new Dutch Media Act came into force due to the implementation of the revised Directive on Audiovisual Media Services (AVMSD, (EU) 2018/1808). The new Media Act contains, among others, provisions for public media services, commercial media services, video platform services, protection of young people, major events, use of broadcasting networks and supervision and enforcement by the Dutch Media Authority (Commissariaat voor de Media).
The new Media Act has major consequences for providers of commercial media services on demand, including online video channels. The following criteria are used to determine whether a provider qualifies as a media service on demand:
These criteria can be found in the Policy Rule Classification of Commercial Media Services on Demand. The Dutch Media Authority examines whether the notified service is actually a commercial on-demand media service on the basis of the Dutch Media Act. If that is the case, the media service is included in the Register Commercial Media Institutions. Media organisations providing on-demand commercial media services are required to pay an annual fee of EUR200 (plus indexation) for each media service.
Under the new Media Act, platforms such as YouTube are obliged to take adequate measures in order to clarify if the content shown contains advertisements, sponsorships or other kinds of commercial activities. The supervisory authority that is located in the same country as the video-sharing platform provider will be the competent authority and can issue fines or other measures.
The new Media Act prohibits influencers from encouraging viewers to buy or hire products or services shown in the video through specific recommendations. They may not pay excessive attention to products in their videos, which must indicate whether any advertisement is included. Videos that target children younger than the age of 12 cannot show any sponsored content or advertisements. Such videos must be stored for at least two weeks in order for the Dutch Media Authority to be able to file a request and check whether there have been any violations.
Furthermore, as far as online video channels are concerned, adequate measures must be taken to protect the interests of minors. This means that parents must be able to control what their minors watch via an accessible system. Measures must also be taken to protect minors from videos inciting violence or distributing videos containing criminal offences.
In the Netherlands, there are no formal legal requirements governing the use of encryption. Encryption supports respect for privacy and secure communication of individuals and companies by providing them a means to communicate protected data confidentially and with integrity. Encryption that cannot be hacked is considered vital to a company’s competitiveness in the global marketplace. According to the Dutch government, confidence in such secure communication and storage of data is essential for the future growth potential of the Dutch economy, which lies mainly in the digital economy.
In the GDPR, encryption is considered as a potential appropriate safeguard to mitigate risks. For example, it should be considered as a measure when processing personal data for a purpose other than that for which the personal data has been collected (Article 6 (4) (e) of the GDPR) or to comply with Article 32 of the GDPR regarding the security of processing.
Encryption is considered a (mere) security measure by the Dutch DPA (Autoriteit Persoonsgegevens) due to its reversible nature. By using the right key, the original information can be obtained (decryption). Encryption is used, among other things to secure data when transmitting data over the internet, when storing data on portable devices and on removable media such as USB sticks, and in other situations where data is vulnerable to unauthorised access.
When cryptographic operations like encryption are used, it is therefore critical to assess periodically whether reliability requirements are still met. Various (international) standards provide further guidelines in terms of using encryption methods, such as ISO:20001 and NEN7510 (applicable to the healthcare sector).
The Dutch government issued emergency legislation as well as initiating programmes and other initiatives to address the COVID-19 pandemic. Although they lack specific TMT sector focus, they are nevertheless relevant.
First of all, a set of financial measures to help entrepreneurs came into effect three times in 2020, with the last time being on 1 October. These measures, among other things, offer entrepreneurs relief for paying wages and offer compensation for self-employed professionals, thereby aiming to minimise lockdown effects in selected sectors. Other measures relate to tax, credit and guarantees relief and payment extensions. For a full overview, please refer to Corona: Dutch government measures overview.
On 2 December 2020, the temporary Corona Act entered into force. This legislation replaces former emergency legislation incorporating all temporary measures that had been issued by the government as of March 2020. As this is temporary legislation, it will only remain in force for three months, with a possible extension by an additional three months. This temporary legislation covers five separate arrangements, three specifically for the islands Bonaire, Sint Eustatius and Saba and two regarding the European part of the Kingdom of the Netherlands. These latter two refer to legislation based upon which the use of facial masks can be declared mandatory in public spaces and a law that implements “social distancing by law” – for example, maintaining 1.5-metre distancing between individuals, forbidding groups of more than four people in public spaces and the temporary closure of shops, restaurants, etc.
At the beginning of January 2021, the Dutch government started with a COVID-19 vaccination programme. Focussed initially on people working in healthcare and those in care for the elderly, in the course of the first part of 2021 the vaccine will become publicly available to all residents of the Netherlands. This vaccination is, at this time, not declared mandatory by the Dutch government and discussions have arisen as to whether employers can demand vaccination of their employees and customers. Up until now, it is the position of the Dutch government, as well as the Dutch DPA, that in general such a demand cannot be made of employees by employers unless there are specific circumstances that would make such vaccination absolutely necessary. Dutch law offers better possibilities to make such demands of customers (such as patients or visitors to private premises).
One of the challenges for employers in the Netherlands is the position of the Dutch DPA regarding the processing of medical information and also, therefore, information on vaccination. The Dutch DPA is adamant in its opinion that the processing of vaccination information of any data subject, including employees, is not allowed under the GDPR unless a legitimate ground and exception can be identified in Articles 6 and 9 of the GDPR, respectively. This position, combined with the strict view of the Dutch DPA on “legitimate interest”, means in practice that it will be challenging, even in situations where there is an urgent need for vaccination, to stay within both the GDPR and the Dutch DPA's view on the GDPR.
However, the position of the Dutch DPA is under scrutiny in the press as well, because of a recent ruling against its position by a Dutch court in the VoetbalTV case (District Court Midden-Nederland, ECLI:NL:RBMNE:2020:5111, 23 November 2020). This case concerned an internet platform, VoetbalTV, on which amateur football matches were broadcast. The Dutch DPA imposed a fine of EUR575,000 because there would be no legal basis for recording and broadcasting football matches (and thus processing personal data). The Dutch DPA argued that the production and processing of recordings is an invasion of the privacy of a large number of the persons concerned and, because it also concerned underage football players, justified a significant fine. In this case, the Dutch DPA had only examined in its investigation whether there was a legitimate interest. It was only after the decision on the fine had been taken that the Dutch DPA reasoned that the legitimate interest requirements were not met. The court eventually came to the conclusion that because the investigatory report on the basis of which the fine decision was taken was incomplete and therefore negligent, it should be annulled.
Therefore, in conclusion, it remains highly advisable to keep a close watch on the actual position of the Dutch DPA in the Netherlands regarding the processing of COVID-19-related personal data.
Brexit – Broadcasting and Video On-demand Services
The Audiovisual Media Services Directive
As of 1 January 2021, the UK is no longer part of the EU, and this has consequences for the broadcasting and video on-demand services from and to the EU. The Audiovisual Media Services Directive (AVMSD) sets out a country-of-origin principle, where providers of broadcasting channels and video on-demand services based in one country are only subject to the set of rules and regulations from that country of origin; in the other countries of the EU, the broadcasts or video on-demand services are not subject to secondary control.
The AVMSD and the country-of-origin principle in general no longer apply to services under UK jurisdiction broadcast into the EU.
Broadcasting and video on-demand services from the UK to the EU may, however, still qualify for the AVMSD, even if the head office is located in the UK. A service provider is deemed to be established within an EU country (Article 2 (3) AVMSD) when its head office is located in the EU and the editorial decisions for a service are taken within an EU country. If the head office is in one location but the editorial decisions are taken in another EU country, establishment is based on the location of the office where a significant part of the workforce is located. If the editorial decisions related to the broadcasting or video on-demand services are taken in an EU country and a significant part of its employees are located in that country, the provider of these services will be deemed to fall under the jurisdiction of that country.
If the broadcasting or video on-demand service does not have a significant workforce within an EU country, the AVMSD may still apply if a service is provided via a satellite uplink in an EU country or satellite capacity appertaining to an EU country. In such event, jurisdiction would fall to that country (Article 2 (4) AVMSD).
European Convention on Transfrontier Television
In the event the AVMSD does not apply anymore, the broadcasting or video on-demand services may rely on the European Convention on Transfrontier Television (ECTT) which came into force in 1993. Not all EU countries are a party to the ECTT, but 21 of the countries are. EU countries that have signed and ratified the ECTT are Austria, Bulgaria, Croatia, Cyprus, Czech Republic, Estonia, Finland, France, Germany, Hungary, Italy, Latvia, Lithuania, Malta, Poland, Portugal, Romania, Slovakia, Slovenia and Spain. The UK is also a party to the ECTT.
ECTT guarantees freedom of reception between parties to this convention and sets out that they must not restrict the retransmission of compliant programmes within their territories. (However, ECTT sets out that EU countries should apply the AVMSD not ECTT between each other. This means that even the EU countries who have signed ECTT observe only AVMSD rules inside the single market.)
The EU Satellite and Cable Directive
The EU Satellite and Cable Directive provides a country-of-origin principle for licensing of copyright material in cross-border satellite broadcasts. This means that when a satellite broadcaster transmits a copyright-protected work – for example, music or a film – from one EEA (European Economic Area) state to another, they are only required to obtain the copyright-holder’s permission for the state in which the broadcast originates. This avoids satellite broadcasters having to secure individual licences for every EU country in which their broadcasts are received.
UK broadcasters no longer benefit from the country-of-origin principle for broadcasts into the EEA from 1 January 2021. They need to obtain additional right-holder permissions covering the EEA states to which they broadcast.
In the UK, the country-of-origin principle will continue to be applied to broadcasts from any country. Legitimate satellite broadcasts of copyright protected works transmitted into the UK from abroad will not need specific right-holder permission for the UK, except where the broadcast is commissioned or uplinked to a satellite in the UK and it originates from a country that provides lower levels of copyright protection.
New EU Initiatives for Regulation of Platforms
On 15 December 2020, the European Commission published two new legal initiatives, the Digital Services Act and the Digital Markets Act. Both initiatives aim to create a safer digital environment where the rights of its user are protected while, at the same time, innovation and competitiveness in the European Single Market is fostered.
Digital Services Act
The Digital Services Act covers a wide range of digital service providers, such as intermediary services, hosting services, online platforms, and very large online platforms that pose specific risks in the "dissemination of illegal content and societal harms".
All different types of service providers must comply with the new act, though the obligations will depend on their ability and size to do so.
The new obligations include:
Digital Markets Act
The Digital Markets Act aims to regulate gatekeeper platforms and restore balance to digital markets. Gatekeepers are platforms that have a strong economic and intermediation position and a durable position in the digital market. For gatekeepers, far-reaching obligations will apply in order to create a fairer and more competitive market. The relevant obligations can be divided into dos and don’ts.
The dos include allowing third parties to interoperate with the platform’s own services in specific situations as well as providing companies that advertise on their platform with tools and information required to verify and review their advertisements. Business users must also be allowed to promote and conclude contracts with their own customers outside of the platform. In addition, platform users must be allowed access to the data that they generate in their use of the gatekeeper’s platform.
The don’ts include preventing consumers from connecting with businesses outside their platforms and preventing users from uninstalling pre-installed software or apps if they wish to do so.
At the time of writing this article (January 2021), both acts are under discussion by the European Parliament and the member states and it may take a number of years before they are adopted as regulations. If adopted, they will become directly applicable throughout the European Union.
Cybersecurity continues to be a top priority. The SolarWinds attack sent shivers down the spine of the security community due to its sophistication and widespread effects, which did not leave Dutch entities untouched. It once more became evident that state actors are growing their cyber-arsenal and do not shy away from employing such weapons. However, attacks by private actors should not be underestimated, and neither should the need for effective cybersecurity practices. This was painfully demonstrated last October by a Dutchman who discovered that the password for Trump’s Twitter account was “maga2020!”
In December 2020, the European Commission launched its EU Cybersecurity Strategy for the Digital Decade. A key legal development is the revised Directive on Network and Information Systems (NIS Directive). The proposal aims to address the deficiencies of the existing NIS Directive and future-proof it. Going forward, the revised NIS Directive will include new sectors and classify entities either as essential (for the sectors of energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, public administration and space), or important (for the sectors of postal and courier services, waste management, manufacture, production and distribution of chemicals, food production, processing and distribution, manufacturing and digital providers).
The revised NIS Directive includes a clear size cap: all medium and large enterprises (as defined under EU law) that operate within these sectors will fall within its scope. Explicit governance requirements are introduced that require the management of in-scope entities to supervise security risk management measures and to educate themselves through security training. The revised NIS Directive further expands reporting obligations and harmonises administrative fines, up to the higher of EUR10 million or 2% of the total worldwide annual turnover.
New Advisory Committee for the Dutch State’s IT Projects
In 2014, a parliamentary committee published a report about the Dutch state’s grip on ICT projects. The conclusions were shocking: the Dutch state did not have sufficient control over large IT projects, many projects therefore failed and around EUR15 billion was being wasted every year. The word "chaos" was used to describe the situation.
As a result, a committee (BIT) was established that would review the state’s IT projects. The BIT was dissolved on 31 December 2020. In January 2021, the government announced that a new Advisory Committee for IT has been established (Adviescollege ICT-Toetsing). All ministries must give notice to the Advisory Committee of all projects of which the IT component is higher than EUR5 million. The Advisory Committee will assess the risks and chances of successful completion prior to the start of the project.
However, the Advisory Committee may also proactively publish its opinion about IT matters. Later this year the government will send a proposal to Parliament to give the Advisory Committee a proper legal basis. This legislative proposal will contain more detail about the Advisory Committee’s role and powers.
In the meantime, the Dutch state’s IT projects continue to cause debate – Bits of Freedom, the privacy organisation, published a report on the basis of internal investigations by the Dutch police, in which the police concluded that none of their 36 mission-critical IT systems comply with the GDPR.
Bringing the Entire Application Landscape to the Cloud
In 2021, many companies will bring their entire IT environment, or the better part of it, to the cloud. We have seen such projects in 2020, but there are many more to come. COVID-19 has accelerated the convergence to online sales and the cloud is indispensable in terms of service levels, flexibility, volume-based pricing, capacity and security. These projects can be very challenging since several existing applications cannot be brought to the cloud and will need to be replaced. This may therefore require a partial overhaul of the application landscape. Only the best IT suppliers will be able to undertake these complex projects and we note their stance that it is often impossible to give a binding hard stop date for completion, since there will always be unexpected problems and delays.
Solving these problems requires a partnership approach and an agile way of working and contracting. This means that new contracting models will appear, in which governance and partnership are more important than specifications, binding dates and pricing. It also means that there may be more failed projects and disputes, especially if the supplier is mediocre and not really up to these complex projects or in case the realistic partnership approach is not agreed or, if agreed, is not complied with.
Landmark Case: District Court Overturns Decision of the DPA
On 23 November 2020, the Dutch District Court Midden-Nederland rendered an important decision about a fine of EUR575,000 that was imposed under the EU General Data Protection Regulation 2016/679 (GDPR) by the Dutch Data Protection Authority (DPA).
The decision concerns the platform VoetbalTV, a company initiated by the Royal Dutch Football Association and Talpa Network. VoetbalTV is a video platform for amateur football. VoetbalTV makes video recordings of games in amateur football on behalf of football clubs. In 2020, 153 clubs joined VoetbalTV and about 2,500 to 3,000 matches were recorded and broadcast monthly. VoetbalTV also offers an app with which football moments can be watched, analysed and shared with others. VoetbalTV’s own editorial team also collects and displays "highlights" such as goals.
The DPA held the view that with these recordings the right to privacy of the individuals involved (eg, underage soccer players) was infringed as there was no legal basis for the processing of the related personal data. The legitimate interest of monetisation argued by VoetbalTV was not deemed valid by the DPA. The DPA was of the opinion that such interest must be designated as a legal interest in the relevant laws.
The "legitimate interest" is one of the six legal bases for the processing of personal data under the GDPR. The legitimate interests of a controller or of a third party may provide a legal basis for lawful processing, provided that the interests or fundamental rights and freedoms of the data subject do not outweigh this legitimate interest. In this regard, the reasonable expectations of the data subject based on his or her relationship with the controller should be taken into account. As this legal basis leaves room for interpretation, the extent of it continues to be a puzzle that must be assessed on a case-by-case basis.
The DPA’s reasoning, however – that the absence of a legal basis in relevant laws means the legitimate interest does not apply – entailed a strict interpretation of the legitimate interest. Indeed, this excludes all interests that are not specifically included in the relevant laws. The DPA also took the view that purely commercial interests cannot, in any case, be legitimate.
In the appeal proceedings before the administrative court, VoetbalTV argued that this strict interpretation was not in line with the GDPR. The District Court Midden-Nederland agreed with VoetbalTV and ruled that a correct interpretation of the legitimate interest entails a different test: if an envisaged interest is not illegitimate or against the relevant laws, it qualifies as a legitimate interest under the GDPR. In this respect, it does not matter whether this interest is of a commercial nature.
This decision is expected to have a major impact on the use of the legitimate interest legal basis for the processing of personal data in the Netherlands. A win not only for parties such as VoetbalTV, but also for data subjects more broadly? This remains to be seen.