TMT 2021

Last Updated February 19, 2021

Netherlands

Law and Practice

Eversheds Sutherland is a global top ten law practice, providing legal advice and solutions to an international client base which includes some of the world’s largest multinationals. The firm has over 100 dedicated TMT sector lawyers across 30 countries, who combine strategic understanding with technical excellence to ensure that their advice is commercial and pragmatic. In the Netherlands, its team of lawyers provides a fully integrated privacy, data protection and cybersecurity offering. The firm understands the sector-specific challenges TMT companies face, and is regularly engaged to guide clients on industry-leading matters. As its clients’ markets develop to adapt to new technologies, so too do Eversheds Sutherland's areas of expertise so that it continues to deliver practical advice in fast-developing and innovative areas of law. Acting for clients such as Comcast, CyrusOne, Intel, Microsoft and Nokia, the firm represents companies of all sizes, from promising start-ups to established domestic and global companies. It also advises institutional, venture capital, private equity and individual investors and lenders who invest in, buy, sell and finance TMT businesses.

Cloud computing services comprise a wide range of services. The concept "cloud computing services" covers services that allow access to a scalable and elastic pool of shareable computing resources. In the Netherlands, the concept of cloud computing is governed by the NIS Directive (Security of Network and Information Systems Directive (EU) 2016/1148). The Directive was implemented into national law on 17 October 2018 by means of the Security of Network and Information Systems Act (SNISA).

The Directive contains provisions intended to raise the overall level of cybersecurity in the EU and to secure the continuity of cloud computing services. Cloud service providers must comply with the security and notification obligations listed below. The same obligations also apply to operators of essential services and to digital service providers, and therefore affect service operators that themselves use cloud services.

  • Security: cloud service providers must identify possible risks to the network and information systems they use and take measures to ensure an appropriate level of security. When identifying the appropriate and proportionate technical and organisational measures, the cloud service provider should approach information security in a systematic way, using a risk-based approach. Network and information systems should include precautions that protect the availability, integrity, confidentiality and authenticity of the data stored, sent or processed by those systems.
  • Notification: cloud service providers are obliged to notify, without delay, any incident with a significant impact on the provision of the cloud computing services they offer in the EU. The supervising authorities for the Netherlands are the Radiocommunications Agency Netherlands and the Cyber Security Incident Response Team.

In order to qualify as a cloud service provider within the meaning of the Directive, a provider must employ 50 or more employees and/or have an annual balance sheet total or turnover of EUR10 million or more.

In the Netherlands cloud computing services are indirectly governed by the Dutch Civil Code (DCC) and the GDPR ((EU) 2016/679), as follows.

  • General: the DCC consists of general provisions that apply to all agreements and specific provisions that apply to particular types of agreement. As cloud computing agreements are not defined under Dutch law, only the general provisions apply. Deviating from these general provisions by contract (in accordance with the freedom of contract principle) is market practice.
  • Consumers: consumer contracts are subject to mandatory consumer protection provisions incorporated in the DCC, following the implementation of the Consumer Rights Directive and the Unfair Contract Terms Directive. These contain mandatory provisions that apply to all types of consumer contracts, including cloud computing contracts. Contractual provisions that contravene mandatory consumer protection legislation may be void or voidable in certain circumstances.
  • GDPR: when cloud service providers process any personal data, they are generally regarded as "processors of personal data". Processors may not determine the purposes and means of processing personal data, but they still need to demonstrate that their processing activities comply with the GDPR. Typical issues in this context arise when cloud service providers use personal data for their own purposes (eg, to analyse and/or improve their own services) and/or have a decisive say in determining the means of processing.

On 20 May 2019, Directive 2019/770 regarding the supply of digital content and services was introduced. This Directive establishes a harmonised level of consumer protection for digital content, including cloud computing services. The Directive is scheduled to be implemented into national law by 1 July 2021 and it applies to agreements concluded from 1 January 2022.

Cloud service providers should take into account EU cybersecurity strategy initiatives such as the proposal for a renewed NIS Directive and a proposal for a directive on the resilience of critical entities, which offer an expansion in scope of the current directives.

Financial Supervision Act and Prudential Rules Decree

Financial institutions increasingly utilise cloud computing services. In this context, they remain responsible for complying with relevant financial legislation and must control their operational processes. Financial institutions must comply with the strict statutory (supervision) requirements as laid down in the Financial Supervision Act (Wet op het financieel toezicht) while using cloud computing services. This indirectly impacts the delivery of these cloud computing services.

Financial institutions may not enter into cloud computing agreements if this could impede the exercise of adequate supervision by the supervisory authority for Dutch banks. Consequently, financial institutions are obliged to include a range of obligations in their cloud computing contracts and must secure the right for the supervisory authority to examine the cloud services.

The Cloud Computing Circular, issued by the Dutch National Bank (DNB), requires that before supervised Dutch financial institutions engage in cloud computing, they must inform the DNB of their prospective outsourcing arrangements to ensure that operational processes and risks are under control.

Guidelines on Outsourcing to Cloud Services Providers

The Guidelines on outsourcing to cloud services providers of the European Securities and Markets Authority (ESMA), published on 18 December 2020, are useful for both financial institutions and cloud services providers when negotiating cloud outsourcing arrangements. The guidelines are intended to help identify, address and monitor the risks arising from cloud outsourcing arrangements. They provide guidance on the governance, organisational and technical frameworks to be put in place to monitor the performance of cloud service providers.

Good Practice Information Security 2019–20

The Good Practice Information Security, a guide drafted by the DNB, offers tools with which financial institutions can give practical substance to control measures in the areas of governance, organisation, people, processes, technology, facilities, outsourcing, testing and the risk management cycle. The Good Practice sets out various recommendations for control measures which, in DNB's opinion, properly implement the requirement of Section 3.17 of the Financial Supervision Act, in conjunction with Section 20 of the Prudential Rules Decree and the Pensions Act. These guidelines are based on international standards such as ISACA's COBIT (Control Objectives for Information and related Technology), ISO27000 and the NIST Cybersecurity Framework.

Over the past decade, the use of "distributed ledger technology" has increased rapidly. A distributed ledger (also known as a general ledger, or distributed general ledger technology) is a technology that uses decentralised ledgers, also known as "nodes", to share, record and synchronise transactions across the distributed network. One of the most well-known types of distributed ledger technology is blockchain.

Risk and Liability

Even though blockchain has been praised as being safe and unhackable, practice has shown that this is not the case. Blockchain systems can be affected by malware and may, in the near future, be hacked by quantum computers.

Therefore, it is of the utmost importance for a blockchain provider to implement proper organisational and technical security measures so that it is able to monitor potential (personal) data breaches. If the blockchain provider does not implement a level of security appropriate to the risks involved, it may be in violation of Article 32 of the GDPR and may thus be liable for any (personal) data that has been altered or deleted, depending also on the contractual clauses agreed between the blockchain provider and the user.

Also, as with any technology service, blockchain services can suffer programming defects, which – depending on the type of defect – may trigger liability issues. Therefore, blockchain providers and customers should, prior to the purchase and use of blockchain, negotiate certain contractual rights and obligations, such as a contractual defects liability period, and include details of the scope and expectations regarding the blockchain application, such as detailed key performance indicators. In the case of standard terms and conditions, it is also important to be aware of any limitation of liability, the governing law and jurisdiction, termination of the services, and the contractual possibility to block users that violate the guidelines or breach the terms and conditions.

Intellectual Property

Two types of blockchain can be distinguished: a blockchain can be (i) "permissionless", meaning that there is no special authority able to deny anyone permission to participate in the blockchain and to add transactions to the ledger, or (ii) "permissioned", meaning that a limited group of participants retains the power to add transactions to the ledger. In the context of an infringement of an intellectual property right, permissionless blockchains can give rise to disputes. If a work protected by intellectual property is recorded on the blockchain, it can be difficult to prove the relevant ownership, identify potential infringements, and handle transfers or licences to third parties.

Prior to using blockchain, consideration must be given to what type of data will be shared, whether this data is, for example, subject to any intellectual property rights or trade secrets, and whether any contractual rights and obligations of the blockchain provider may apply.

Privacy

The decentralised nature of the blockchain makes it difficult to identify the person responsible for processing, which in turn makes it impossible to guarantee a whole range of data subjects' rights. The distributed nature requires a high degree of transparency, which conflicts with the principle of data protection by design and default settings.

Finally, the permanent nature of blockchain prevents the possibility of guaranteeing various data subjects' rights, such as the right to be forgotten, and clashes with a large number of general principles, including data minimisation and storage limitation.

Service Levels

The business processes built on blockchains may be vulnerable to technology and operational failures, as well as cyber-attacks. Blockchain users need to have a robust business continuity plan and governance framework to mitigate such risks.

Additionally, blockchain solutions shorten the duration of many business strategy processes, which means that it is of the utmost importance to assess the (business-critical) risks involved and to mitigate any business continuity risks by concluding service level agreements that specify adequate incident response and recovery times – for example, between participating nodes and the administrator of the network.

Jurisdictional Issues

If a dispute arises about blockchain – for example, between a blockchain supplier and a customer – it is important to determine which rules of which country apply. If the supplier and the customer are located in different countries, international private law should be invoked. On the basis of international private law, it should then be determined (i) which court is competent, and (ii) which law is applicable. Potential issues can be prevented by explicitly entering into an agreement, or accepting terms and conditions, that designates a competent court and governing law.

Big Data

Big data means a large amount of unstructured data, which grows exponentially and is processed at high speed. Big data can be obtained directly from the source, such as the person providing this data, but can also be obtained indirectly by linking data together.

Potential risks when collecting and using big data

When collecting big data, one of the issues that can arise is whether or not the data can be used to identify an individual, directly or indirectly. If so, the data must be regarded as "personal data", which means that the GDPR and the Dutch GDPR Implementation Act apply. In that case, one of the legal grounds for processing personal data mentioned in Article 6(1) of the GDPR must apply and, depending on the sensitive nature of the personal data, one of the exemptions mentioned in Article 9(2) of the GDPR must also be in place.

Big data is increasingly stored in "data lakes", meaning that raw data is stored in a repository. Once the big data is stored in the repository, organisational and technical measures must be put in place to secure it and to prevent any data breaches. Even if the data does not contain personal data, the data itself may be protected by intellectual property rights or as a trade secret. By protecting the data, cyber-attacks and other security incidents may be prevented.

Artificial Intelligence (AI)

Artificial intelligence (AI) can be defined in many different ways. In general terms, however, we can say that artificial intelligence is the theory and practice of creating computers that can automate and perform activities in a "human-like" manner.

Machine learning

One of the key components of artificial intelligence is machine learning. Machine learning is essentially the study of algorithms that are programmed to learn from (un)structured data and produce predictive models that are constantly updated and refined.

To be able to train an algorithm and gain valuable insights from (un)structured data, (i) enough representative data is needed (ie, data quantity), (ii) this data also needs to be accurate, representing the aspects you wish to observe, with as few errors as possible (data quality), and (iii) sufficient computing power is needed.

Potential risks of implementing artificial intelligence and machine learning

When implementing or developing artificial intelligence, and in particular machine learning, there are a few privacy risks that developers, customers and lawyers should be mindful of.

Artificial intelligence, and in particular machine learning, can affect the privacy of individuals, as it is not always completely transparent to the individual what kind of personal data is being generated, collected and/or shared, or for which purposes the personal data will be used.

When algorithms process personal data in or from the European Economic Area, the GDPR and the GDPR Implementation Act apply. Also, if the personal data will be used for unsolicited communication or spam, the ePrivacy Directive and the Dutch Telecommunication Act (Telecommunicatiewet) apply.

In such cases, the outcome of the algorithm may be used for automated individual decision-making and profiling, which can have a significant adverse effect on the individual. Therefore, this type of processing is regarded as high risk and, prior to implementing and using algorithms, it is mandatory to conduct a Data Protection Impact Assessment (DPIA), as set out in Article 35(3)(a) of the GDPR and in the European Data Protection Board Guidelines on Data Protection Impact Assessment.

By conducting a DPIA, potential risks to individuals can be assessed and ways can be identified to address and mitigate these risks. It is also important to note that automated processing, including profiling, which produces legal effects concerning individuals, may only be carried out if one of the three exceptions as set out in Article 22(2) of the GDPR applies, in addition to having a lawful basis for the processing of personal data as set out in Article 6 of the GDPR.

Based on Article 25 of the GDPR, it is also mandatory to adhere to the principles of "data protection by design" and "data protection by default". Data protection by design means that privacy and data protection issues must be addressed at the design phase and then throughout the life cycle, ideally at the earliest stages of the design of the processing operations, in order to safeguard privacy and data protection principles. Data protection by default means that, as a matter of course, safeguards must be put in place to ensure that only personal data that is necessary for the specific purposes is processed.

By adhering to the principles of data protection by design and data protection by default, developers and users of artificial intelligence and machine learning applications are able to address privacy issues in a timely manner.

EU Data Initiatives

In addition to the GDPR, the Dutch Implementation Act, the ePrivacy Directive and the Dutch Telecommunication Act (Telecommunicatiewet), the European Commission has presented its Strategy on Data and Artificial Intelligence, consisting of, among other things, a white paper on artificial intelligence and a proposal for the Digital Services Act.

The Internet of Things (IoT) describes a system that consists of interrelated and internet-connected devices, in order to be able to connect and exchange (personal) data between these devices. When contemplating a project that revolves around the development or use of Internet of Things technologies, such as smart car software, smart security systems and connected health wearables, there are multiple legal restrictions and potential legal issues that must be taken into account when setting up these projects.

Privacy

Internet of Things devices collect high volumes of real-time data and share it between the different devices. If the data that is collected and shared relates to an identified or identifiable natural person – which is most likely the case, because multiple devices and datasets are being linked by different devices – the data must be considered personal data. When processing personal data in or from the European Economic Area, the GDPR and the Dutch GDPR Implementation Act apply. In that case, the principles of the GDPR must be taken into account prior to, and during, the project.

The European Data Protection Board Guidelines on Data Protection Impact Assessment (wp248rev.01) explicitly mention that "innovative use or applying new technological or organisational solutions, like combining use of finger print and face recognition for improved physical access control" can trigger the need to carry out a DPIA. The reason is that it is a new way of collecting, using and sharing personal data.

The purposes for which the personal data is being processed are most often not transparent to the individual, which means that personal and social consequences are not always directly known and thus difficult to envisage. The deployment of Internet of Things devices may thus impose a high risk to the rights and freedoms of individuals. Therefore, the European Data Protection Board has decided that in such cases it is required to conduct a DPIA, in order to assess and mitigate any potential privacy risks.

It is also important to note that if Internet of Things technologies will be used for automated individual decision-making and profiling, which will produce legal effects concerning individuals, such processing may only be carried out if one of the three exceptions as set out in Article 22(2) of the GDPR applies, in addition to having a lawful basis for processing as set out in Article 6 of the GDPR.

Data Protection

Due to possible vulnerabilities of connected devices, cybersecurity is also a high priority. The organisational and technical measures required under Article 32 of the GDPR must take into account, among other things, the costs of implementation, the nature of the processing and the risks, and also the "state of the art". This means that if relevant security standards and codes of practice apply and are being used by other market participants, it can be mandatory to implement those standards. Furthermore, the principles of data protection by design and data protection by default, as mentioned previously, also apply to the implementation and use of Internet of Things devices.

Local Legislation

IT service agreements are not specifically regulated under Dutch law. Generally, an IT service agreement falls under the scope of Articles 7:400 to 7:413 of the Dutch Civil Code (overeenkomst van opdracht). When a software solution is developed specifically for the customer (agile or waterfall), tailored to the customer's intended use, it is more likely that the IT service agreement falls under the special scope of Articles 7:750 to 7:764 of the Dutch Civil Code (aanneming van werk). Both sections of the Dutch Civil Code, however, refer to services in general and do not specifically govern IT services. Moreover, Dutch contract law is strongly influenced by the freedom of contract principle. This means that parties in the context of IT services are free to shape and determine the content of their arrangements, without prejudice to overriding mandatory Dutch law.

Duty of care

Dutch case law shows a development in which the content of the duty of care is becoming more comprehensive. When the IT services consist of software development, configuration and implementation work, or application design, a certain duty of care applies to the IT supplier. Based on this duty of care, customers may hold the IT supplier accountable in the event of a failed IT project or a default in the provision of IT services. This duty of care of IT suppliers may arise from the contract itself or from tort.

An IT supplier will at least have to act in accordance with the efforts that can be required of a reasonably acting peer. The duties of care that can be distinguished are as follows:

  • the IT supplier must put the interest of the customer first;
  • the IT supplier must warn the customer if their instructions are not justified or if the intended execution of the assignment is not likely to lead to the intended result;
  • in the event of additions or changes to the work agreed (so-called "scope creep"), the IT supplier may only demand an increase in the price if it has informed the customer in advance of the need for a price increase resulting from the additional work. (See also 7.1 Key Restrictions on "mission creep".)

Tenders

Additionally, in the context of IT Service Agreements, responding to a call for tender issued by a public entity or a listed company is subject to specific formal requirements for the submission and entails disclosure of specific documents by the IT supplier.

Data protection

Furthermore, due to the GDPR, privacy and data protection are also frequently discussed during IT service negotiations, as IT suppliers that provide hosting services and maintenance and support services may have access to the customer's production environment.

In these circumstances, the IT supplier must be regarded as a data processor, and the IT Service Agreement must contain contractual guarantees provided by the IT supplier. If the customer determines the purposes and means of processing and the IT supplier processes the personal data on behalf of, and on the instructions of, the customer, the customer should be considered the data controller. In that case, a data processing agreement as referred to in Article 28(3) of the GDPR must be concluded between the IT supplier and the customer.

Core Rules Regarding Data Protection

Players in the field should keep pace with the broad range of policy measures geared toward Europe's digital ambition that touch on data protection and privacy, as well as cybersecurity, in 2021, including the current proposals for the:

  • Data Governance Act;
  • Digital Services Act; and
  • Digital Markets Act.

In most EU member states, including the Netherlands, there is no legal definition of "data" and no such thing as "data ownership". Dutch law merely recognises ownership of physical objects, which are defined as all "material objects which are susceptible to human control" (Article 3:2 of the Dutch Civil Code). In legal practice, this often results in challenging situations which are mostly resolved in legal contracts.

With regard to data protection, there are three pieces of EU legislation that are directly applicable in the Netherlands or have been implemented into Dutch law. Whilst the EU is still seeking consensus on a new ePrivacy Regulation governing, among other things, electronic communications and the use of metadata, the Free Flow Regulation ((EU) 2018/1807) most recently entered into force. This regulation applies to electronic data other than personal data as defined in the GDPR and the Dutch GDPR Implementation Act, so as not to affect the existing framework for personal data protection. The Free Flow Regulation, the GDPR and the ePrivacy Directive (2002/58/EC) complement each other and together form the comprehensive and coherent EU framework for the free movement of all data in the EU's digital single market.

General Processing of Data

In general terms, it is important to grasp the interaction between the GDPR and the Free Flow Regulation, especially regarding datasets comprising both personal and non-personal data. Examples include the following.

  • The GDPR’s free flow provision applies to the personal data part of the dataset. Information about legal entities is not considered personal data. However, information about sole traders and partnerships is likely to be considered as personal data.
  • The Free Flow Regulation applies to the non-personal data part of the dataset and aims at removing obstacles to the free movement of non-personal data across member states and IT systems in Europe.

The two regulations will function together to enable the free flow of any data, creating a common European space for data.

Mixed datasets

If a company processes mixed datasets, neither the Free Flow Regulation nor the GDPR obliges it to separate or store personal and non-personal data separately. If the company decides not to separate the datasets and processes them as mixed datasets, the data protection rules will apply to the entire mixed dataset. The Free Flow Regulation and the GDPR together create legal certainty for companies, and guarantee that personal and non-personal data (even when they are included in a mixed dataset) can move freely within the EU. Therefore, companies can decide to store, transfer or process the mixed dataset anywhere in the EU, wherever they consider is the most beneficial to them.

Examples of mixed datasets include:

  • a company’s tax record, mentioning the name and telephone number of the managing director of the company;
  • datasets in a bank, such as those with client information and transaction details;
  • a research institution’s anonymised statistical data and the raw data initially collected, such as the replies of individual respondents to statistical survey questions;
  • analysis of operational log data of equipment in the manufacturing industry.

Processing of Personal Data

Territorial scope

As regards its territorial scope in the Netherlands, the GDPR and the Dutch GDPR Implementation Act apply simultaneously to the processing of personal data in the context of the activities of an establishment of a controller or a processor (see below) in the Netherlands (Article 3(1) of the GDPR).

It additionally applies to the processing by a controller or processor not established in the Netherlands of the personal data of data subjects who are in the Netherlands, where the processing activities are related to:

  • the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Netherlands; or
  • the monitoring of their behaviour to the extent that their behaviour takes place within the Netherlands (Article 3(2) of the GDPR).

Controllers and processors

A controller is the entity deciding on the purposes and the means of the processing of personal data. A processor processes personal data on behalf of a controller, having generally no control over the purposes and the means of the processing. Controllers must conclude a data processing agreement with processors (Article 28 of the GDPR).

Legal grounds

Processing of personal data is only permitted if there is a legal ground for that processing activity. Legal grounds are:

  • consent;
  • the performance of a contract;
  • compliance with a legal obligation;
  • vital interests of the data subject;
  • task carried out in the public interest; and
  • legitimate interest. 

Consent must be freely given, specific, informed and unambiguous. Children below the age of 16 years (Article 5 of the GDPR Implementation Act) cannot give valid consent; consent must be given by their parents or guardians.

For the processing of special categories of personal data (eg, personal data revealing racial origin, political opinions and trade union membership) to be permitted, there must be a legal ground and one of the exceptions of Article 9(2) of the GDPR must apply. Besides the exceptions set forth in Article 9(2) of the GDPR, there are exceptions of national law set out in the GDPR Implementation Act – for example, exemptions for the processing of health data in Article 30 of the Dutch GDPR Implementation Act.

Accountability

The processing of personal data must meet the principles of Article 5 of the GDPR:

  • lawfulness, fairness and transparency;
  • purpose limitation;
  • data minimisation;
  • accuracy;
  • storage limitation; and
  • integrity and confidentiality.

Controllers and processors must maintain a record of processing activities (Article 30 of the GDPR), and, in case of a high-risk processing activity, a DPIA must be carried out based on Article 35 of the GDPR. In particular situations, a controller or processor must appoint a data protection officer (Article 37 of the GDPR).

Rights of data subjects

Data subjects have the right to be informed, therefore certain information (set out in Article 13/14 of the GDPR) must be provided to data subjects, usually by means of a privacy notice.

Controllers must be able to comply with data subjects' requests to exercise their rights, namely the:

  • right to request access to personal data;
  • rectification of personal data; 
  • erasure of personal data;
  • restriction of processing;
  • right to object to the processing;
  • right to data portability; and
  • right to withdraw consent at any time. 

Data breaches

Data breaches are breaches of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed (Article 4(12) of the GDPR).

Data breaches that are likely to result in a risk to the rights and freedoms of natural persons must be notified to the Dutch DPA (Autoriteit Persoonsgegevens) within 72 hours of becoming aware of it (Article 33 of the GDPR). When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, it must be communicated to the data subjects without undue delay (Article 34 of the GDPR).

To prevent a personal data breach and to protect personal data, controllers must implement technical and organisational measures to ensure an adequate level of security (Article 32 of the GDPR).

Transfer of personal data outside the EEA

Transfer of personal data to countries outside the EEA is not permitted unless:

  • there is an adequacy decision (Article 45 of the GDPR);
  • appropriate safeguards have been taken, such as binding corporate rules or standard contractual clauses (Articles 46 and 47 of the GDPR); or
  • one of the derogations for a specific situation applies (Article 49 of the GDPR).

In respect of Brexit, it remains to be seen when an adequacy decision permitting EEA to UK personal data transfers will be reached. In the meantime, interim periods apply, during which a transmission of personal data from the EEA to the UK is not considered a transfer to a third country under EU law.

Enforcement

The GDPR is intended to make data protection a boardroom issue. It introduces an antitrust-type sanction regime with fines of up to 4% of annual worldwide turnover or EUR20 million, whichever is the greater. These fines apply to breaches of many of the provisions of the GDPR, including failure to comply with the six general data quality principles or carrying out processing without satisfying a condition for processing personal data.

A limited number of breaches fall into a lower tier and so are subject to fines of up to 2% of annual worldwide turnover or EUR10 million, whichever is the greater. For example, failing to notify a data breach or failing to put an adequate contract in place with a processor fall into this lower tier.

In addition to the fines, the Dutch DPA (Autoriteit Persoonsgegevens) has a range of other powers and sanctions at its disposal. These include investigative powers, such as the ability to demand information from controllers and processors and to carry out audits. It also has corrective powers enabling it to issue warnings or reprimands, to enforce an individual’s rights and to issue a temporary or permanent ban on processing.

In the Netherlands, the DPA has the power to enter residences without the consent of the owner. Furthermore, obligations of secrecy cannot be invoked against the DPA to the extent that information or co-operation is required regarding that organisation’s own involvement in data processing.

Finally, data subjects have a right to compensation in respect of material and non-material damages. In the Netherlands, we see litigation emerging on the basis of the new Act on collective damages claims (Wet afwikkeling massaschade in collectieve actie or WAMCA) that entered into force on 1 January 2020.

Restrictions on monitoring and limiting use by employees of company computer resources are predominantly driven by data protection laws.

Workplace monitoring will usually involve processing personal data and is therefore governed in the Netherlands by the GDPR and the Dutch GDPR Implementation Act.

Identify the Purpose of Monitoring

When considering whether or how to monitor employees, the starting point should be identifying the purpose and underlying interest of the employer. What is the employer trying to pursue, ensure or protect? Is it for efficiency purposes, or are there specific security concerns? Is it a one-off, incidental case of monitoring (such as a breach of company confidentiality by an employee and subsequent investigations) or is it a more general concern (data loss prevention tools, web traffic monitoring, extensive private email use, e-discovery tooling)? Would monitoring the flow of communications be sufficient or is actual content inspection intended?

Employers should conduct a thorough risk analysis and make sure that the monitoring chosen is proportionate to the risks employers are looking to mitigate. This risk analysis should help employers to meet legislative requirements. Once an employer has identified the reason or purpose for any monitoring, the next step should be to consider how the chosen monitoring addresses the concern or reason identified, and whether there are any alternative ways of meeting its purpose other than monitoring. This has a practical as well as legal purpose – if there is a less intrusive way to protect a business than monitoring employees, the courts and the Dutch DPA (Autoriteit Persoonsgegevens) would expect the employer to take it and doing so should lower the risk to the business.

GDPR Compliance

In order to carry out GDPR-compliant monitoring of employees, employers must identify a legal basis for carrying out and processing the monitoring information, and any exemptions for special category personal data such as data related to health, religion or ethnicity/race.

It is noteworthy that consent is not considered a proper legal basis for processing personal data in the employment context (especially for intrusive processing activities such as monitoring). In the Netherlands, in most cases employers will have to rely on the "legitimate interest" legal basis for processing. This means that a legitimate interests assessment (LIA) must be conducted to ensure a proper balance between the legitimate interest of the employer and the fundamental rights and freedoms of the employees. The measures adopted on the basis of that assessment, depending on the form of monitoring, should include limitations on monitoring so as to guarantee that the employee’s privacy is not violated. Such limitations could be:

  • geographical (eg, monitoring only in specific places – monitoring sensitive areas such as religious places and, for example, sanitary zones and break rooms should be prohibited);
  • data-oriented (eg, personal electronic files and communication should not be monitored); and
  • time-related (eg, sampling instead of continuous monitoring).

Employee monitoring is considered to be "high risk" processing, according to the Dutch DPA. Consequently, a DPIA must also be conducted. The Dutch DPA distinguishes between general monitoring and covert monitoring. For covert monitoring to be lawful, employers must have a reasonable suspicion of a criminal offence or wrongful use of company information, and notifying the individuals concerned must be likely to prejudice its detection or prevention.

Companies with a works council will also need to obtain prior consent from the works council before conducting employee monitoring, based on the Dutch Works Councils Act. Furthermore, it is of significant importance that such assessments are appropriately documented as (aside from demonstrating accountability with other data protection principles and requirements) the documentation will form the basis of the employer's defence in the event of a claim, complaint or Dutch DPA investigation.

Information and Transparency

Employers are obliged to inform employees in a transparent way of the purposes and means of the monitoring activities. This kind of information is often captured by means of an (employee) privacy notice. This notice draws the relevant acceptable use and monitoring policies to the attention of the employees. Appropriate training for staff carrying out monitoring and using monitoring data is also key.

Failure to do so may leave employers exposed to additional risk and claims. Depending on the circumstances, employees may also have grounds for an unfair dismissal or constructive dismissal claim, and might in some circumstances be able to establish a whistle-blowing aspect to such a claim. This could seriously impair the position of the employer, which could lead to significant financial and reputational damages. After all, employee communications are key to avoiding lasting damage to employee relations.

Access Limitation and Retention

Employers must ensure that they limit access to monitoring data. Only those who really need access should be able to access it (ie, on a need-to-know basis). This means assessing access controls, permission grant/sign-off processes, etc, so that access is facilitated only where necessary.

Furthermore, monitoring data should only be kept to the extent it is relevant to the purpose for which it is processed and whilst it remains accurate. Indefinite retention is never permissible. The period of retention will, to a certain extent, depend on the nature of the information collected and its usefulness. For example: CCTV images may, in principle, be retained for a maximum term of four weeks in the Netherlands. In addition, the employer is obliged to implement appropriate technical and organisational measures to ensure the safety and integrity of the data at all times. Once no longer needed, the data must be destroyed safely and securely.

Private Remains Private

Private and working lives are now more intertwined than ever. During the COVID-19 crisis, many more employees will be using their personal devices rather than work devices when working remotely. Employers need to be extremely careful of the following:

  • employees should be informed about their (lack of) privacy while using company systems/devices (eg, use of a personal email account on company devices or of personal devices for work-related matters);
  • employers should disregard any data marked "private" or "personal" unless they have very good reasons; and
  • employers should treat private devices as out of bounds, unless such devices operate workplace systems and/or work-related communications (the employer must have clear policies that address monitoring in such circumstances).

Additionally, accessing communications without grounds to do so could amount to criminal or other civil offences for the business and potentially its directors.

Location Data

Tracking of location data is seen by the Dutch DPA as a particularly invasive form of employee monitoring. Employers may feel the need to track company assets or equipment, such as laptops, tablets and phones. However, even if the employer can pass the legal hurdles, if it wants to use such data for the management and discipline of wayward employees it must spell this out clearly for employees; otherwise it will breach key provisions of the GDPR and employment legislation and set itself up for additional claims and risks.

Mission Creep

There will inevitably remain scenarios where an employer is tempted to use monitoring tools for wider purposes, particularly in the COVID-19 context – for example, on the private use of company devices or on homeworking conditions and efficiency. However, the risks remain significant and employers should beware of so-called "mission creep" – ie, incremental expansion beyond the initial purpose of monitoring. Monitoring data should only be used for the purpose for which it is collected, and changing its purpose will raise further questions and compliance hurdles as to whether the monitoring was legitimate and employees were properly informed. Justifying employee monitoring is a hard task; using the same data for other purposes creates a new layer of risk.

Currently, there are multiple technologies that are deemed to fall within the scope of local telecommunications rules. Prior to bringing such technologies on the market, it is important to comply with the requirements as set out in local law.

Legislative Framework

The Dutch telecommunications sector is primarily governed by the Dutch Telecommunications Act (Telecommunicatiewet), which also incorporates multiple European Directives, such as the aforementioned ePrivacy Directive, the Directive 2002/21/EC on a common regulatory framework for electronic communications networks and services (Framework Directive), and the Directive 2002/22/EC on communications networks and services (Universal Service Directive).

The Telecommunications Act requires registration with the Authority for Consumers and Markets (Autoriteit Consument en Markt) for a provider of:

  • public electronic communications networks;
  • public electronic communication services; and/or
  • any services, physical infrastructures, and other facilities or elements belonging to an electronic communications network, or an electronic communications service, that makes it possible or supports the provision of services via that network/service or has the potential to do so.

Furthermore, when offering the aforementioned services, providers are obliged to solve and report any interruptions or technical failures and they may not impede or delay services or applications on the internet, including charging different rates for different internet applications.

In the Netherlands, there are two authorities that supervise the enforcement of the Telecommunications Act: the Authority for Consumers and Markets (Autoriteit Consument en Markt), which is responsible for competition oversight, telecom-specific regulation and consumer protection, and the Dutch Radiocommunications Agency (Agentschap Telecom), which is responsible for obtaining and allocating frequency space and monitoring its use.

RFID

Radio Frequency Identification (RFID) chips use radio frequencies to collect (personal) data from uniquely identified tags and transfer the (personal) data over electronic communications networks.

Based on Article 3.4(1)(a) of the Telecommunications Act, Article 18 of the Frequency Decree (Frequentiebesluit) and the Regulation on the use of frequency space without a licence (Regeling gebruik van frequentieruimte zonder vergunning), RFID chips are exempted from the obligation to receive a permit prior to the use of frequency space.

However, collecting and transferring (personal) data with RFID chips may trigger privacy and security issues. Directive 2009/136/EC, which amended the ePrivacy Directive and the Universal Service Directive, explicitly states that “use of such technologies can bring considerable economic and social benefit and thus make a powerful contribution to the internal market, if their use is acceptable to citizens. To achieve this aim, it is necessary to ensure that all fundamental rights of individuals, including the right to privacy and data protection, are safeguarded. When such devices are connected to publicly available electronic communications networks or make use of electronic communications services as a basic infrastructure, the relevant provisions of Directive 2002/58/EC (Directive on privacy and electronic communications), including those on security, traffic and location data and on confidentiality, should apply.” (Directive 2009/136/EC, recital 56).

If RFID chips collect and transfer personal data, the GDPR and the Dutch GDPR Implementation Act shall apply. Therefore, when producing or using RFID chips, the principles of the GDPR and the Dutch GDPR Implementation Act must be taken into account. Furthermore, a Data Protection Impact Assessment as mentioned in Article 35 of the GDPR must be carried out. The European Data Protection Board adopted a specific Privacy and Data Protection Impact Assessment Framework for RFID applications on 12 January 2011, which can be used to conduct such assessment.

VoIP

Voice over Internet Protocol (VoIP) is the transmission of voice and multimedia communications over an internet connection. Based on the Telecommunications Act, a provider of VoIP services is regarded as a provider of electronic communications services. Therefore, in the Netherlands, the Dutch Telecommunications Act applies and providers must register with the Authority for Consumers and Markets (Autoriteit Consument en Markt) prior to providing such services to customers.

This has also been confirmed in the case C-142/18 Skype Communications Sarl v IBPT (5 June 2019). In this case, the European Court of Justice (ECJ) ruled that Microsoft’s Skype service, SkypeOut – which is an additional feature of the Skype software and allows Skype-users to make calls from a terminal to a fixed or mobile telephone line using VoIP – is an electronic communications service, as defined in the Framework Directive (Directive 2002/21/EC, as amended) and is therefore subject to European telecoms regulations.

In the Netherlands, any natural or legal person may in principle provide a commercial media service or solicitation, provided that they:

  • fall under the competence of the Netherlands;
  • are of age; and
  • are not a national, regional or local public media institution.

On 1 November 2020, the new Dutch Media Act came into force due to the implementation of the revised Directive on Audiovisual Media Services (AVMSD, (EU) 2018/1808). The new Media Act contains, among others, provisions for public media services, commercial media services, video platform services, protection of young people, major events, use of broadcasting networks and supervision and enforcement by the Dutch Media Authority (Commissariaat voor de Media).

The new Media Act has major consequences for providers of commercial media services on demand, including online video channels. The following criteria are used to determine whether a provider qualifies as a media service on demand:

  • the main goal of the service is to show videos;
  • the service has a mass media character;
  • it is an economic service;
  • the provider of the service determines the content of the videos; and
  • the videos are available through a catalogue.

These criteria can be found in the Policy Rule Classification of Commercial Media Services on Demand. The Dutch Media Authority examines whether the notified service is actually a commercial on-demand media service on the basis of the Dutch Media Act. If that is the case, the media service is included in the Register Commercial Media Institutions. Media organisations providing on-demand commercial media services are required to pay an annual fee of EUR200 (plus indexation) for each media service.

Under the new Media Act, platforms such as YouTube are obliged to take adequate measures in order to clarify if the content shown contains advertisements, sponsorships or other kinds of commercial activities. The supervisory authority that is located in the same country as the video-sharing platform provider will be the competent authority and can issue fines or other measures.

The new Media Act prohibits influencers from encouraging viewers to buy or hire products or services shown in the video through specific recommendations. They may not pay excessive attention to products in their videos, and the videos must indicate whether any advertisement is included. Videos that target children younger than the age of 12 cannot show any sponsored content or advertisements. Such videos must be stored for at least two weeks in order for the Dutch Media Authority to be able to file a request and check whether there have been any violations.

Furthermore, as far as online video channels are concerned, adequate measures must be taken to protect the interests of minors. This means that parents must be able to control what their minors watch via an accessible system. Measures must also be taken to protect minors from videos inciting violence or distributing videos containing criminal offences.

In the Netherlands, there are no formal legal requirements governing the use of encryption. Encryption supports respect for privacy and secure communication of individuals and companies by providing them with a means to communicate protected data confidentially and with integrity. Encryption that cannot be hacked is considered vital to a company’s competitiveness in the global marketplace. According to the Dutch government, confidence in such secure communication and storage of data is essential for the future growth potential of the Dutch economy, which lies mainly in the digital economy.

In the GDPR, encryption is considered as a potential appropriate safeguard to mitigate risks. For example, it should be considered as a measure when processing personal data for a purpose other than that for which the personal data has been collected (Article 6 (4) (e) of the GDPR) or to comply with Article 32 of the GDPR regarding the security of processing.

Encryption is considered a (mere) security measure by the Dutch DPA (Autoriteit Persoonsgegevens) due to its reversible nature. By using the right key, the original information can be obtained (decryption). Encryption is used, among other things to secure data when transmitting data over the internet, when storing data on portable devices and on removable media such as USB sticks, and in other situations where data is vulnerable to unauthorised access.

When cryptographic operations like encryption are used, it is therefore critical to assess periodically whether reliability requirements are still met. Various (international) standards provide further guidelines in terms of using encryption methods, such as ISO:20001 and NEN7510 (applicable to the healthcare sector).

The Dutch government issued emergency legislation as well as initiating programmes and other initiatives to address the COVID-19 pandemic. Although they lack specific TMT sector focus, they are nevertheless relevant.

First of all, a set of financial measures to help entrepreneurs came into effect three times in 2020, with the last time being on 1 October. These measures, among other things, offer entrepreneurs relief for paying wages and offer compensation for self-employed professionals, thereby aiming to minimise lockdown effects in selected sectors. Other measures relate to tax, credit and guarantees relief and payment extensions. For a full overview, please refer to Corona: Dutch government measures overview.

On 2 December 2020, the temporary Corona Act entered into force. This legislation replaces former emergency legislation incorporating all temporary measures that had been issued by the government as of March 2020. As this is temporary legislation, it will only remain in force for three months, with a possible extension by an additional three months. This temporary legislation covers five separate arrangements, three specifically for the islands Bonaire, Sint Eustatius and Saba and two regarding the European part of the Kingdom of the Netherlands. These latter two refer to legislation based upon which the use of facial masks can be declared mandatory in public spaces and a law that implements “social distancing by law” – for example, maintaining 1.5-metre distancing between individuals, forbidding groups of more than four people in public spaces and the temporary closure of shops, restaurants, etc.

At the beginning of January 2021, the Dutch government started a COVID-19 vaccination programme. Focused initially on people working in healthcare and in care for the elderly, in the course of the first part of 2021 the vaccine will become publicly available to all residents of the Netherlands. Vaccination has, at this time, not been declared mandatory by the Dutch government, and discussions have arisen as to whether employers can demand vaccination of their employees and customers. Up until now, the position of the Dutch government, as well as the Dutch DPA, is that in general such a demand cannot be made of employees by employers unless there are specific circumstances that would make such vaccination absolutely necessary. Dutch law offers better possibilities to make such demands of customers (such as patients or visitors to private premises).

One of the challenges for employers in the Netherlands is the position of the Dutch DPA regarding the processing of medical information and also, therefore, information on vaccination. The Dutch DPA is adamant in its opinion that the processing of vaccination information of any data subject, including employees, is not allowed under the GDPR unless a legitimate ground and exception can be identified in Articles 6 and 9 of the GDPR, respectively. This position, combined with the strict view of the Dutch DPA on “legitimate interest”, means in practice that it will be challenging, even in situations where there is an urgent need for vaccination, to stay within both the GDPR and the Dutch DPA's view on the GDPR.

However, the position of the Dutch DPA is under scrutiny in the press as well, because of a recent ruling against its position by a Dutch court in the VoetbalTV case (District Court Midden-Nederland, ECLI:NL:RBMNE:2020:5111, 23 November 2020). This case concerned an internet platform, VoetbalTV, on which amateur football matches were broadcast. The Dutch DPA imposed a fine of EUR575,000 on the ground that there was no legal basis for recording and broadcasting football matches (and thus processing personal data). The Dutch DPA argued that the production and processing of recordings is an invasion of the privacy of a large number of the persons concerned and, because it also concerned underage football players, justified a significant fine. In this case, the Dutch DPA had only examined in its investigation whether there was a legitimate interest. It was only after the decision on the fine had been taken that the Dutch DPA reasoned that the legitimate interest requirements were not met. The court eventually came to the conclusion that because the investigatory report on the basis of which the fine decision was taken was incomplete and therefore negligent, the decision should be annulled.

Therefore, in conclusion, it remains highly advisable to keep a close watch on the actual position of the Dutch DPA in the Netherlands regarding the processing of COVID-19-related personal data.

Eversheds Sutherland

De Cuserstraat 91
1081 CN Amsterdam
The Netherlands

+31 20 5600 600

+31 20 524 1204

info@eversheds-sutherland.com www.eversheds-sutherland.com

Trends and Developments

Authors

Greenberg Traurig, LLP is an international law firm with approximately 2,200 attorneys serving clients from 40 offices in the USA, Latin America, Europe, Asia, and the Middle East. The firm’s dedicated TMT team consists of more than 100 lawyers, of which seven are in Amsterdam. The firm's attorneys structure and negotiate a full spectrum of services for clients, from standard transactions to highly complex multinational transactions.

Brexit – Broadcasting and Video On-demand Services

The Audiovisual Media Services Directive

As of 1 January 2021, the UK is no longer part of the EU, and this has consequences for the broadcasting and video on-demand services from and to the EU. The Audiovisual Media Services Directive (AVMSD) sets out a country-of-origin principle, where providers of broadcasting channels and video on-demand services based in one country are only subject to the set of rules and regulations from that country of origin; in the other countries of the EU, the broadcasts or video on-demand services are not subject to secondary control.

The AVMSD and the country-of-origin principle in general no longer apply to services under UK jurisdiction broadcast into the EU.

Broadcasting and video on-demand services from the UK to the EU may, however, still qualify for the AVMSD, even if the head office is located in the UK. A service provider is deemed to be established within an EU country (Article 2 (3) AVMSD) when its head office is located in the EU and the editorial decisions for a service are taken within an EU country. If the head office is in one location but the editorial decisions are taken in another EU country, establishment is based on the location of the office where a significant part of the workforce is located. If the editorial decisions related to the broadcasting or video on-demand services are taken in an EU country and a significant part of its employees are located in that country, the provider of these services will be deemed to fall under the jurisdiction of that country.

If the broadcasting or video on-demand service does not have a significant workforce within an EU country, the AVMSD may still apply if a service is provided via a satellite uplink in an EU country or satellite capacity appertaining to an EU country. In such event, jurisdiction would fall to that country (Article 2 (4) AVMSD).

European Convention on Transfrontier Television

In the event the AVMSD does not apply anymore, the broadcasting or video on-demand services may rely on the European Convention on Transfrontier Television (ECTT) which came into force in 1993. Not all EU countries are a party to the ECTT, but 21 of the countries are. EU countries that have signed and ratified the ECTT are Austria, Bulgaria, Croatia, Cyprus, Czech Republic, Estonia, Finland, France, Germany, Hungary, Italy, Latvia, Lithuania, Malta, Poland, Portugal, Romania, Slovakia, Slovenia and Spain. The UK is also a party to the ECTT.

ECTT guarantees freedom of reception between parties to this convention and sets out that they must not restrict the retransmission of compliant programmes within their territories. (However, ECTT sets out that EU countries should apply the AVMSD not ECTT between each other. This means that even the EU countries who have signed ECTT observe only AVMSD rules inside the single market.)

The EU Satellite and Cable Directive

The EU Satellite and Cable Directive provides a country-of-origin principle for licensing of copyright material in cross-border satellite broadcasts. This means that when a satellite broadcaster transmits a copyright-protected work – for example, music or a film – from one EEA (European Economic Area) state to another, they are only required to obtain the copyright-holder’s permission for the state in which the broadcast originates. This avoids satellite broadcasters having to secure individual licences for every EU country in which their broadcasts are received.

UK broadcasters no longer benefit from the country-of-origin principle for broadcasts into the EEA from 1 January 2021. They need to obtain additional right-holder permissions covering the EEA states to which they broadcast.

In the UK, the country-of-origin principle will continue to be applied to broadcasts from any country. Legitimate satellite broadcasts of copyright protected works transmitted into the UK from abroad will not need specific right-holder permission for the UK, except where the broadcast is commissioned or uplinked to a satellite in the UK and it originates from a country that provides lower levels of copyright protection.

New EU Initiatives for Regulation of Platforms

On 15 December 2020, the European Commission published two new legal initiatives, the Digital Services Act and the Digital Markets Act. Both initiatives aim to create a safer digital environment where the rights of users are protected while, at the same time, innovation and competitiveness in the European Single Market are fostered.

Digital Services Act

The Digital Services Act covers a wide range of digital service providers, such as intermediary services, hosting services, online platforms, and very large online platforms that pose specific risks in the "dissemination of illegal content and societal harms".

All these types of service providers must comply with the new act, though the obligations will depend on their size and ability to do so.

The new obligations include:

  • mechanisms to act against illegal goods, services or content online – for example, via mechanisms with which users can flag such illegal content and so that platforms can co-operate with these users;
  • practical safeguards for users, which also entails the option to challenge platforms’ content moderation decisions;
  • transparency obligations for online platforms for a wide range of issues, including on the algorithms used for recommendations;
  • measures taken by very large platforms, with the aim of preventing misuse of their systems and taking pro-active action – for example, via independent audits of their IT systems; and
  • access to key data for independent research of the very large platforms, in order to understand how online risks evolve.

Digital Markets Act

The Digital Markets Act aims to regulate gatekeeper platforms and restore balance to digital markets. Gatekeepers are platforms that hold a strong and durable economic and intermediation position in the digital market. Far-reaching obligations will apply to gatekeepers in order to create a fairer and more competitive market. The relevant obligations can be divided into dos and don’ts.

Dos

The dos include allowing third parties to interoperate with the platform’s own services in specific situations as well as providing companies that advertise on their platform with tools and information required to verify and review their advertisements. Business users must also be allowed to promote and conclude contracts with their own customers outside of the platform. In addition, platform users must be allowed access to the data that they generate in their use of the gatekeeper’s platform.

Don’ts

The don’ts include preventing consumers from connecting with businesses outside their platforms and preventing users from uninstalling pre-installed software or apps if they wish to do so.

Next steps

At the time of writing this article (January 2021), both acts are under discussion by the European Parliament and the member states and it may take a number of years before they are adopted as regulations. If adopted, they will become directly applicable throughout the European Union.

Security

Cybersecurity continues to be a top priority. The SolarWinds attack sent shivers down the spine of the security community due to its sophistication and widespread effects, which did not leave Dutch entities untouched. It once more became evident that state actors are growing their cyber-arsenal and do not shy away from employing such weapons. However, attacks by private actors should not be underestimated, and neither should the need for effective cybersecurity practices. This was painfully demonstrated last October by a Dutchman who discovered that the password for Trump’s Twitter account was “maga2020!”

In December 2020, the European Commission launched its EU Cybersecurity Strategy for the Digital Decade. A key legal development is the revised Directive on Network and Information Systems (NIS Directive). The proposal aims to address the deficiencies of the existing NIS Directive and future-proof it. Going forward, the revised NIS Directive will include new sectors and classify entities either as essential (for the sectors of energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, public administration and space), or important (for the sectors of postal and courier services, waste management, manufacture, production and distribution of chemicals, food production, processing and distribution, manufacturing and digital providers).

The revised NIS Directive includes a clear size cap: all medium and large enterprises (as defined under EU law) that operate within these sectors will fall within its scope. Explicit governance requirements are introduced that require the management of in-scope entities to supervise security risk management measures and to educate themselves through security training. The revised NIS Directive further expands reporting obligations and harmonises administrative fines, which may reach the higher of EUR10 million or 2% of total worldwide annual turnover.

New Advisory Committee for the Dutch State’s IT Projects

In 2014, a parliamentary committee published a report about the Dutch state’s grip on ICT projects. The conclusions were shocking: the Dutch state did not have sufficient control over large IT projects, many projects therefore failed and around EUR15 billion was being wasted every year. The word "chaos" was used to describe the situation.

As a result, a committee (BIT) was established to review the state’s IT projects. The BIT was dissolved on 31 December 2020. In January 2021, the government announced that a new Advisory Committee for IT had been established (Adviescollege ICT-Toetsing). All ministries must give notice to the Advisory Committee of every project whose IT component exceeds EUR5 million. The Advisory Committee will assess the risks and the chances of successful completion prior to the start of the project.

However, the Advisory Committee may also proactively publish its opinion about IT matters. Later this year the government will send a proposal to Parliament to give the Advisory Committee a proper legal basis. This legislative proposal will contain more detail about the Advisory Committee’s role and powers.

In the meantime, the Dutch state’s IT projects continue to cause debate – Bits of Freedom, the privacy organisation, published a report on the basis of internal investigations by the Dutch police, in which the police concluded that none of their 36 mission-critical IT systems comply with the GDPR.

Bringing the Entire Application Landscape to the Cloud

In 2021, many companies will bring their entire IT environment, or the better part of it, to the cloud. We have seen such projects in 2020, but there are many more to come. COVID-19 has accelerated the shift to online sales, and the cloud is indispensable in terms of service levels, flexibility, volume-based pricing, capacity and security. These projects can be very challenging, since several existing applications cannot be brought to the cloud and will need to be replaced. This may therefore require a partial overhaul of the application landscape. Only the best IT suppliers will be able to undertake these complex projects, and we note their stance that it is often impossible to give a binding hard stop date for completion, since there will always be unexpected problems and delays.

Solving these problems requires a partnership approach and an agile way of working and contracting. This means that new contracting models will appear, in which governance and partnership are more important than specifications, binding dates and pricing. It also means that there may be more failed projects and disputes, especially where the supplier is mediocre and not really up to these complex projects, or where a realistic partnership approach is not agreed or, if agreed, is not complied with.

Landmark Case: District Court Overturns Decision of the DPA

On 23 November 2020, the Dutch District Court Midden Nederland rendered an important decision about a fine of EUR575,000 that had been imposed under the EU General Data Protection Regulation 2016/679 (GDPR) by the Dutch Data Protection Authority (DPA).

The decision concerns the platform VoetbalTV, a company initiated by the Royal Dutch Football Association and Talpa Network. VoetbalTV is a video platform for amateur football. VoetbalTV makes video recordings of games in amateur football on behalf of football clubs. In 2020, 153 clubs joined VoetbalTV and about 2,500 to 3,000 matches were recorded and broadcast monthly. VoetbalTV also offers an app with which football moments can be watched, analysed and shared with others. VoetbalTV’s own editorial team also collects and displays "highlights" such as goals.

The DPA held the view that with these recordings the right to privacy of the individuals involved (eg, underage soccer players) was infringed as there was no legal basis for the processing of the related personal data. The legitimate interest of monetisation argued by VoetbalTV was not deemed valid by the DPA. The DPA was of the opinion that such interest must be designated as a legal interest in the relevant laws.

The "legitimate interest" is one of the six legal bases for the processing of personal data under the GDPR. The legitimate interests of a controller or of a third party may provide a legal basis for lawful processing, provided that the interests or fundamental rights and freedoms of the data subject do not outweigh this legitimate interest. In this regard, the reasonable expectations of the data subject based on his or her relationship with the controller should be taken into account. As this legal basis leaves room for interpretation, the extent of it continues to be a puzzle that must be assessed on a case-by-case basis.

The DPA’s reasoning, however – that the absence of a legal basis in relevant laws means the legitimate interest does not apply – entailed a strict interpretation of the legitimate interest. Indeed, this excludes all interests that are not specifically included in the relevant laws. The DPA also took the view that purely commercial interests cannot, in any case, be legitimate.

In the administrative appeal proceedings, VoetbalTV argued that this strict interpretation was not in line with the GDPR. The District Court Midden Nederland agreed with VoetbalTV and ruled that a correct interpretation of the legitimate interest entails a different test: if an envisaged interest is not illegitimate or contrary to the relevant laws, it qualifies as a legitimate interest under the GDPR. In this respect, it does not matter whether the interest is of a commercial nature.

This decision is expected to have a major impact on the use of the legitimate interest legal basis for the processing of personal data in the Netherlands. A win not only for parties such as VoetbalTV, but also for data subjects more broadly? This remains to be seen.

Greenberg Traurig, LLP

Leidseplein 29
1017 PS Amsterdam
The Netherlands

+31 20 301 7300

+31 20 301 7350

jongenh@gtlaw.com www.gtlaw.com


Trends and Development

Authors



Greenberg Traurig, LLP is an international law firm with approximately 2,200 attorneys serving clients from 40 offices in the USA, Latin America, Europe, Asia, and the Middle East. The firm’s dedicated TMT team consists of more than 100 lawyers, of which seven are in Amsterdam. The firm's attorneys structure and negotiate a full spectrum of services for clients, from standard transactions to highly complex multinational transactions.
