TMT 2022

Last Updated February 22, 2022

Netherlands

Law and Practice

Authors



Eversheds Sutherland is a global top ten law practice, providing legal advice and solutions to an international client base which includes some of the world’s largest multinationals. The firm has over 100 dedicated TMT sector lawyers across 30 countries. In the Netherlands, its team of lawyers provides a fully integrated privacy, data protection and cybersecurity offering. The firm understands the sector-specific challenges TMT companies face, and is regularly engaged to guide clients on industry-leading matters. As its clients’ markets develop to adapt to new technologies, so too do Eversheds Sutherland's areas of expertise so that it continues to deliver practical advice in fast-developing and innovative areas of law. Acting for clients such as Comcast, CyrusOne, Intel, Microsoft and Nokia, the firm represents companies of all sizes, from promising start-ups to established domestic and global companies. It also advises institutional, venture capital, private equity and individual investors and lenders who invest in, buy, sell and finance TMT businesses. The firm would like to thank Natalia Toeajeva, Nathalie Djojokasiran and Ilham Ezzamouri for their contribution to the chapter.

Cloud computing services comprise a wide range of services. The concept "cloud computing services" covers services that allow access to a scalable and elastic pool of shareable computing resources. In the Netherlands, the concept of cloud computing is governed by the NIS Directive (Security of Network and Information Systems Directive (EU) 2016/1148). The Directive was implemented into national law on 17 October 2018 by means of the Security of Network and Information Systems Act (SNISA).

The Directive offers provisions to boost the overall level of cybersecurity in the EU and secures the continuity of cloud computing services. Cloud service providers must comply with the security and notification obligations listed below. The following obligations are also applicable to essential services and digital services operators, and, therefore, have an impact on the services operators who use cloud services themselves.

  • Security: cloud service providers must identify possible risks to the network and information systems they use and take measures to ensure an appropriate level of security. When identifying the appropriate and proportionate technical and organisational measures, the cloud service provider should approach information security in a systematic way, using a risk-based approach. Network and information systems should contain precautions in order to protect the availability, integrity, confidentiality and authenticity of the stored, sent or processed data from those network and information systems.
  • Notification: cloud service providers are obliged to notify without delay incidents with a significant impact on the provision of the cloud computing services offered in the EU. The supervising authorities for the Netherlands are the Radiocommunications Agency Netherlands and the Cyber Security Incident Response Team.

In order to qualify as a cloud service provider as defined in the Directive, a provider must employ 50 employees or more and/or have a balance sheet total or turnover of EUR10 million or more on an annual basis.

In the Netherlands cloud computing services are indirectly governed by the Dutch Civil Code (DCC) and the GDPR ((EU) 2016/679), as follows.

  • General: the DCC consists of general and specific provisions that apply to all particular agreements. As cloud computing agreements are not defined under Dutch law, only the general provisions apply. Deviation from such general provisions by contract (in accordance with the freedom of contract principle) is market practice.
  • Consumers: consumer contracts are subject to mandatory consumer protection provisions incorporated in the DCC, following the implementation of the Consumer Rights Directive and the Unfair Contract Terms Directive. These contain mandatory provisions that apply to all types of consumer contracts, including cloud computing contracts. Contractual provisions that contravene mandatory consumer protection legislation may be void or voidable in certain circumstances.
  • GDPR: when cloud services providers process any personal data, they are generally considered as "processors of personal data". Processors may not determine purposes and means of processing personal data, but they still need to demonstrate that their processing activities comply with the GDPR. Typical issues in this context arise when cloud service providers utilise personal data for their own purposes (eg, to analyse and/or improve their own services) and/or have a decisive say in the determination of applied means of processing.

On 20 May 2019, Directive 2019/770 regarding the supply of digital content and services was introduced. This Directive establishes a harmonised level of consumer protection for digital content, including games, streaming services and cloud computing services. The Directive is scheduled to be implemented into national law by the first quarter of 2022 and will be immediately effective after its publication in the Bulletin of Acts and Decrees (“Staatsblad”).

Cloud service providers should take into account EU cybersecurity strategy initiatives such as the proposal for a renewed NIS Directive (the “NIS2 Directive”) and a proposal for a directive on the resilience of critical entities, which offer an expansion in scope of the current directives.

Financial Supervision Act and Prudential Rules Decree

Financial institutions increasingly utilise cloud computing services. In this context, they remain responsible for complying with relevant financial legislation and must control their operational processes. Financial institutions must comply with the strict statutory (supervision) requirements as laid down in the Financial Supervision Act (Wet op het financieel toezicht) while using cloud computing services. This indirectly impacts the delivery of these cloud computing services.

Financial institutions may not enter into cloud computing agreements if this could impede the exercise of adequate supervision by the supervisory authority for Dutch banks. Consequently, financial institutions are obliged to have a range of obligations in their cloud computing contracts and must obtain the right for the supervisory authority to examine the cloud services.

The Cloud Computing Circular, issued by the Dutch National Bank (DNB), requires that before supervised Dutch financial institutions engage in cloud computing, they must inform the DNB of their prospective outsourcing arrangements to ensure that operational processes and risks are under control.

Guidelines on Outsourcing to Cloud Services Providers

The Guidelines on outsourcing to cloud services providers of the European Securities and Markets Authority (ESMA), published on 18 December 2020, are useful both for financial institutions and for cloud services providers when negotiating cloud outsourcing arrangements. The guidelines are intended to help identify, address and monitor the risks arising from cloud outsourcing arrangements. They provide guidance on the governance, organisational and technical frameworks to put in place to monitor the performance of the cloud service providers.

Good Practice Information Security

The Good Practice Information Security, a guide drafted by the DNB, offers tools with which financial institutions can give practical substance to control measures in the areas of governance, organisation, people, processes, technology, facilities, outsourcing, testing and the risk management cycle. Good Practice sets out various recommendations for control measures which, in DNB's opinion, properly implement the requirement of Section 3.17 of the Financial Supervision Act, in conjunction with Section 20 of the Prudential Rules Decree and the Pensions Act. These guidelines are based on international standards such as COBIT (Control Objectives for Information and related Technology) of the ISACA, ISO27000 and the NIST Cybersecurity Framework.

Over the past decade, the use of "distributed ledger technology" has increased rapidly. A distributed ledger (also known as a general ledger, or distributed general ledger technology) is a technology that uses decentralised ledgers, also known as "nodes", to share, record and synchronise transactions across the distributed network. One of the most well-known types of distributed ledger technology is blockchain.

Risk and Liability

Even though blockchain has been praised as being safe and unhackable, practice has shown that this is not the case. Even blockchain can be subjected to malware, and even blockchain can, in the near future, be hacked by quantum computers.

Therefore, it is of utmost importance as a blockchain provider to implement proper organisational and technical security measures to be able to monitor potential (personal) data breaches. If the blockchain provider does not implement a level of security that is appropriate to the risks that are involved, the blockchain provider may be in violation of Article 32 GDPR, and thus liable for any (personal) data that has possibly been altered or deleted, also depending on the contractual clauses that have been concluded between the blockchain provider and the user.

Also, as with any technology service, blockchain services can suffer programming defects, which – depending on the type of defect – may trigger liability issues. Therefore, blockchain providers and customers should, prior to the purchase and use of blockchain, negotiate certain contractual rights and obligations, such as a contractual defects liability period, and include details of the scope and expectations regarding the blockchain application, such as detailed key performance indicators. In case of standard terms and conditions, it is also important to be aware of any limitation of liability, the governing law and jurisdiction, termination of the services, and the contractual possibility to block certain users that violate the guidelines or breach the terms and conditions.

Intellectual Property

Two types of blockchain can be distinguished. A blockchain can be:

  • "permissionless", which means that there is no special authority that is able to deny permission to participate in the blockchain and to add any transactions to the ledger; or
  • "permissioned", which means that there is a limited group of participants that retain the power to add transactions to the ledger.

In the context of an infringement of an intellectual property right, permissionless blockchains can give rise to disputes. If a work protected by intellectual property rights is recorded on the blockchain, it can be difficult to prove the relevant ownership, identify any potential breaches, and handle transfers or licences to third parties.

Prior to using blockchain, it must be taken into account what type of data will be shared, and whether this data is, for example, subject to any intellectual property rights or trade secrets, and whether any contractual rights and obligations of the blockchain provider may apply.

Privacy

The decentralised nature of the blockchain makes it difficult to identify the person responsible for processing, which in turn makes it impossible to guarantee a whole range of data subjects' rights. The distributed nature requires a high degree of transparency, which conflicts with the principle of data protection by design and default settings.

Finally, the permanent nature of blockchain prevents the possibility of guaranteeing various data subjects' rights, such as the right to be forgotten, and clashes with a large number of general principles, including data minimisation and storage limitation.

Service Levels

The business processes built on blockchains may be vulnerable to technology and operational failures, as well as cyber-attacks. Blockchain users need to have a robust business continuity plan and governance framework to mitigate such risks.

Additionally, blockchain solutions shorten the duration of many business strategy processes, which means that it is of utmost importance to assess the (business critical) risks that are involved, and to mitigate any business continuity risks by concluding service level agreements, that detail specific adequate incident response and recovery times – for example, between participating nodes and the administrator of the network.

Jurisdictional Issues

If a dispute arises regarding blockchain – eg, between a blockchain supplier and a customer – it is important to determine which rules of which country apply. If a supplier and a customer are located in different countries, international private law should be invoked. On the basis of international private law, it should then be determined (i) which court is competent, and (ii) which law is applicable. Potential issues can be prevented by explicitly entering into an agreement or accepting terms and conditions that designate a competent court and governing law.

EU Initiatives

The European Commission has stated that it recognises the importance of legal certainty and a clear regulatory regime regarding blockchain-based applications, and that the EU supports the implementation of (EU-wide) rules for blockchain, to avoid any legal and/or regulatory fragmentation. As part of this objective, the European Commission has adopted a package of legislative proposals for the regulation of crypto-assets in order to increase investments and ensure consumer and investor protection, including a proposal for a regulation on Markets in Crypto-Assets (MiCA).

Furthermore, the countries in the EU (including Norway and Liechtenstein) and the European Commission have joined forces and have set up the European Blockchain Partnership, which is an initiative to develop a European strategy on blockchain. Another focus of the European Blockchain Partnership is to build a European Blockchain Services Infrastructure (EBSI). By using blockchain, cross-border services for public administrations and their ecosystems can be created, which makes information verifiable and services trustworthy.

Big Data

Big data means a large amount of unstructured data, which grows exponentially and is processed at high speed. Big data can be obtained directly from the source, such as the person providing this data, but can also be obtained indirectly by linking data together.

Potential risks when collecting and using big data

When collecting big data, one of the issues that can arise is whether or not the data can be used to (in)directly identify an individual. If so, the data must be regarded as "personal data", which means that the GDPR and the Dutch GDPR Implementation Act apply. In such a case, the legal grounds for processing personal data as mentioned in Article 6(1) GDPR must apply and, depending on the sensitive nature of personal data, one of the exemptions as mentioned in Article 9(2) GDPR must also be in place.

Big data is increasingly stored in "data lakes", which means that raw data is stored in a repository. Once the big data is stored in the repository, organisational and technical measures must be put in place to secure the big data and to prevent any data breaches. Even if the data does not contain personal data, the data itself can also be protected by intellectual property rights or can be protected under trade secrets. By protecting the data, cyber-attacks and other security incidents may be prevented.

Artificial Intelligence (AI)

Artificial intelligence (AI) can be defined in many different ways. In general terms, however, we can say that artificial intelligence is the theory and practice of creating computers that can automate and perform activities in a "human-like" manner.

Machine learning

One of the key components of artificial intelligence is machine learning. Machine learning is essentially the study of algorithms that are programmed to learn from (un)structured data and produce predictive models that are constantly updated and refined.

To be able to train an algorithm and gain valuable insights from (un)structured data:

  • enough representative data is needed (ie, data quantity);
  • this data also needs to be accurate, representing the aspects you wish to observe, with as few errors as possible (data quality); and
  • sufficient computing power is needed.

Potential risks of implementing artificial intelligence and machine learning

When implementing or developing artificial intelligence, in particular machine learning, there are some privacy risks that developers, customers and lawyers should be mindful of. For example, artificial intelligence, and in particular machine learning, can affect the privacy of individuals, as it is not always completely transparent to the individual for which purposes the personal data will be used.

When algorithms process personal data in or from the European Economic Area, the GDPR and the GDPR Implementation Act apply. Also, if the personal data will be used for unsolicited communication or spam, the ePrivacy Directive and the Dutch Telecommunication Act will apply. Furthermore, the Dutch Data Protection Authority has identified artificial intelligence and algorithms as one of its three focus areas and has published guidelines in relation to this focus area.

In such cases, the outcome of the algorithm may be used for automated individual decision-making and profiling, which can have a significant adverse effect on the individual. Therefore, this type of processing is regarded as high risk and, prior to implementing and using algorithms, it is mandatory to conduct a Data Protection Impact Assessment (DPIA), as mentioned in Article 35(3)(a) GDPR and also in the European Data Protection Board Guidelines on Data Protection Impact Assessment.

By conducting a DPIA, potential risks to individuals can be assessed and ways can be identified to address and mitigate these risks. It is also important to note that automated processing, including profiling, which produces legal effects concerning individuals, may only be carried out if one of the three exceptions as set out in Article 22(2) GDPR applies, in addition to having a lawful basis for the processing of personal data as set out in Article 6 GDPR.

Based on Article 25 GDPR, it is also mandatory to adhere to the principles of "data protection by design" and "data protection by default". Data protection by design means that privacy and data protection issues must be addressed at the design phase and then throughout the life cycle, ideally at the earliest stages of the design of the processing operations, in order to safeguard privacy and data protection principles. Data protection by default means that, as a matter of course, safeguards must be put in place to ensure that the personal data that shall be processed is necessary to achieve the specific purposes.

By adhering to the principles of data protection by design and data protection by default, developers and users of artificial intelligence and machine learning applications are able to address privacy issues in a timely manner.

EU Data Initiatives

In addition to the GDPR, the Dutch Implementation Act, the ePrivacy Directive and the Dutch Telecommunication Act and guidelines of the Dutch Data Protection Authority, the European Commission has presented its Strategy on Data and Artificial Intelligence. This consists of, among others, a white paper on artificial intelligence, a proposal for the Digital Services Act and a package of proposals on 21 April 2021 for the Artificial Intelligence Regulation promoting a European approach to AI. Following these new proposals, producers of AI will have to meet certain product safety requirements in the short term, such as:

  • the operation of the AI will have to be transparent;
  • the systems will have to include logging; and
  • human supervision is needed.

The Internet of Things (IoT) describes a system that consists of interrelated and internet-connected devices, in order to be able to connect and exchange (personal) data between these devices. When contemplating a project that revolves around the development or use of IoT technologies, such as smart car software, smart security systems and connected health wearables, there are multiple legal restrictions and potential legal issues that must be taken into account when setting up these projects.

According to the EU document, Shaping Europe's Digital Future: "Following from the success of the EU project Horizon 2020, Horizon Europe will contribute more than EUR150 billion into R&I under its 2021–22 Calls on 'World Leading Data and Computing Technologies: From Cloud to Edge to IoT for European Data'. Through these calls Horizon Europe will support the paradigm shift to the edge. Focus will be on the development and deployment of next generation computing components, systems and platforms. This will enable the transition to a compute continuum with strong capacities at the edge and far edge in an energy-efficient and trustworthy manner." For further details, see: www.digital-strategy.ec.europa.eu/en.

Unlike the UK and the USA, the Dutch legislator has not introduced plans for specific IoT security legislation. Regardless, IoT devices collect large amounts of real-time data and share this between the different devices. If the data that is collected and shared relates to an identified or identifiable natural person – which is most likely the case due to the fact that multiple devices and datasets are being linked by different devices – the data must be considered to be personal data.

The purposes for which the personal data is being processed by IoT devices are not always transparent to the individual, which means that personal and social consequences are not always directly known and thus difficult to envisage. The deployment of IoT devices may thus pose a high risk to the rights and freedoms of individuals. Therefore, the European Data Protection Board has considered that in such cases it is required to conduct a DPIA, in order to assess and mitigate any potential privacy risks.

It is also important to note that if IoT technologies will be used for automated individual decision-making and profiling, which will produce legal effects concerning individuals, such processing may only be carried out if one of the three exceptions as set out in Article 22(2) GDPR applies, in addition to having a lawful basis for processing as set out in Article 6 GDPR.

Due to possible vulnerabilities of connected devices, cybersecurity is also a high priority. The organisational and technical measures that must be taken into account based on Article 32 GDPR must factor in the costs of the implementation, the nature of the processing and the risks, and also the "state-of-the-art" – which means that if there are certain relevant security standards and codes of practice that apply and are being used by other market participants, it can be mandatory to implement these standards. Furthermore, the principles of data protection by design and data protection by default, as mentioned previously, also apply to the implementation and use of IoT devices.

Local Legislation

IT service agreements are not specifically regulated under Dutch law. After all, IT law is not a clearly defined area of law, but covers all legally relevant topics relating to information technology. Generally an IT service agreement falls under the scope of Articles 7:400 to 7:413 of the Dutch Civil Code (overeenkomst van opdracht). When a software solution is developed specifically for the customer (agile or waterfall), tailored to the intended use of the customer, it is more likely that the IT service agreements fall under the special scope of Articles 7:750 to 7:764 of the Dutch Civil Code (aanneming van werk). Both sections in the Dutch Civil Code, however, refer to general services and do not particularly govern IT services. Moreover, Dutch contract law is strongly influenced by the freedom of contract principle. This means that parties in the context of IT services are free to shape and determine the content of their arrangements, without prejudice to overriding mandatory Dutch law.

Duty of care in cost control, testing of results and migration

Dutch case law shows a development in which the content of duty of care is becoming more comprehensive. When the IT services consist of software development, configuration and implementation work, or application design, a certain duty of care applies to the IT supplier. Based on this duty of care, customers may hold the IT supplier accountable in the event of a failed IT project or default in the provision of IT services. This duty of care of IT suppliers may arise from the contract itself or tort.

An IT supplier will, at least, have to act in accordance with the efforts that can be required of a reasonably acting peer. The duties of care that can be distinguished are as follows:

  • the IT supplier must put the interest of the customer first;
  • the IT supplier must warn the customer if their instructions are not justified or if the intended execution of the assignment is not likely to lead to the intended result;
  • in the event of additions or changes to the work agreed (so-called “scope creep”), the IT supplier may only demand an increase in the price if they have informed the customer in advance of the need for a price increase resulting from the additional work. See also 7.1 Key Restrictions on "mission creep".

Tenders

Additionally, in the context of IT Service Agreements, responding to a call for tenders issued by a public entity or a listed company is subject to specific formal requirements for the submission and entails disclosure of specific documents from the IT supplier.

Data protection

Furthermore, due to the GDPR, privacy and data protection are also frequently discussed topics during IT service negotiations, as IT suppliers that provide hosting services and maintenance and support services may have access to the production environment of the customer.

In these circumstances, the IT supplier must be regarded as a data processor. In this scenario, the IT Service Agreement must contain contractual guarantees provided by the IT supplier. If the customer determines the purposes and means of processing and the IT supplier will process the personal data on behalf of and based on the instructions provided by the customer, the customer should be considered to be a data controller. In such a case, a data processing agreement as mentioned in Article 28(3) GDPR must be concluded between the IT supplier and the customer.

Core Rules regarding Data Protection

Players in the field should keep pace with the broad range of policy measures geared toward Europe’s digital ambition that touch on data protection and privacy, as well as cybersecurity in 2021, including current proposals on the:

  • Data Governance Act;
  • Digital Services Act; and
  • Digital Markets Act.

With regard to data protection, there are three pieces of EU legislation that are directly applicable in the Netherlands or have been implemented into Dutch law. Most recently, the Free Flow Regulation ((EU) 2018/1807) entered into force. This regulation applies to electronic data, meaning all data other than personal data as defined in the GDPR and the Dutch GDPR Implementation Act, in order not to affect the existing framework for personal data protection. The Free Flow Regulation, GDPR and the ePrivacy Directive (2002/58/EC) complement each other and currently create the comprehensive and coherent EU framework for the free movement of all data in the digital single market of the EU.

General Processing of Data

In general terms, it is important to grasp the interaction between the GDPR and the Free Flow Regulation, especially regarding datasets comprising both personal and non-personal data. The two regulations will function together to enable the free flow of any data, creating a common European space for data.

Mixed datasets

If a company processes mixed datasets, neither the Free Flow Regulation nor the GDPR obliges it to separate or store personal and non-personal data separately. If the company decides not to separate the datasets and processes them as mixed datasets, the data protection rules will apply to the entire mixed dataset. Under the Free Flow Regulation and the GDPR together, companies can decide to store, transfer or process the mixed dataset anywhere in the EU, wherever they consider it the most beneficial to them.

Examples of mixed datasets include:

  • datasets in a bank, such as those with client information and transaction details;
  • a research institution’s anonymised statistical data and the raw data initially collected, such as the replies of individual respondents to statistical survey questions.

Processing of Personal Data

Territorial scope

With regard to its territorial scope in the Netherlands, the GDPR and Dutch GDPR Implementation Act simultaneously apply to the processing of personal data in the context of the activities of the establishment of a controller or a processor (see below) in the Netherlands (Article 3(1) GDPR).

It also applies to the processing by a controller or processor not established in the Netherlands of the personal data of data subjects who are in the Netherlands, where the processing activities are related to:

  • the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Netherlands; or
  • the monitoring of their behaviour to the extent that their behaviour takes place within the Netherlands (Article 3(2) GDPR).

Controllers and processors

A controller is the entity deciding on the purposes and the means of the processing of personal data. A processor processes personal data on behalf of a controller, having generally no control over the purposes and the means of the processing. Controllers must conclude a data processing agreement with processors (Article 28 GDPR).

Legal grounds

Processing of personal data is only permitted if there is a legal ground for that processing activity. Legal grounds are:

  • consent;
  • the performance of a contract;
  • compliance with a legal obligation;
  • vital interests of the data subject;
  • task carried out in the public interest; and
  • legitimate interest. 

For the processing of special categories of personal data (eg, personal data revealing racial origin, health data and political opinions) to be permitted, there must be a legal ground and one of the exceptions of Article 9(2) GDPR must apply. Besides the exceptions set forth in Article 9(2) GDPR, there are exceptions of national law set out in the GDPR Implementation Act.

Accountability

The processing of personal data must meet the principles of Article 5 GDPR:

  • lawfulness, fairness and transparency;
  • purpose limitation;
  • data minimisation;
  • accuracy;
  • storage limitation;
  • integrity and confidentiality.

Controllers and processors must maintain a record of processing activities (Article 30 GDPR), and, in case of a high-risk processing activity, a DPIA must be carried out based on Article 35 GDPR. In particular situations, a controller or processor must appoint a data protection officer (Article 37 GDPR).

Rights of data subjects

Data subjects have the right to be informed, therefore certain information (set out in Article 13/14 GDPR) must be provided to data subjects, usually by means of a privacy notice.

Controllers must be able to comply with data subjects' requests to exercise their rights, namely:

  • right to request access to personal data;
  • rectification of personal data; 
  • erasure of personal data;
  • restriction of processing;
  • right to object to the processing;
  • right to data portability; and
  • right to withdraw consent at any time. 

Data breaches

Data breaches are breaches of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed (Article 4(12) GDPR).

Data breaches that are likely to result in a risk to the rights and freedoms of natural persons must be notified to the Dutch DPA (Autoriteit Persoonsgegevens) within 72 hours of becoming aware of the breach (Article 33 GDPR). When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, it must be communicated to the data subjects without undue delay (Article 34 GDPR).

To prevent a personal data breach and to protect personal data, controllers must implement technical and organisational measures to ensure an adequate level of security (Article 32 GDPR).

Transfer of personal data outside the EEA

Transfer of personal data to countries outside the EEA is not permitted unless:

  • there is an adequacy decision (Article 45 GDPR);
  • appropriate safeguards have been taken, such as binding corporate rules or standard contractual clauses (Article 46/47 GDPR);
  • one of the derogations for a specific situation applies (Article 49 GDPR).

In respect of Brexit, the European Commission has reached two adequacy decisions permitting personal data transfers from the EEA to the UK. From 1 January 2021 to 28 June 2021, an interim period applied. During this period, personal data could be transmitted to the UK as before. With the adequacy decisions, the European Commission has determined that the level of personal data protection in the UK is equivalent to that in the EU. The UK government has also announced that organisations in the UK can freely transfer personal data to organisations in the EU. Thus, Brexit will not affect the transfer of data from the EU to the UK or vice versa.

Also, in respect of standard contractual clauses (SCCs), the European Commission has approved new SCCs to securely transfer personal data to third countries. The new SCCs apply as of 27 June 2021 and there is a transitional period of 18 months ending on 27 December 2022, by which time the old SCCs for all ongoing data transfers have to be replaced.

The old SCCs required the data exporter to be a party established in the EU. Consequently, the old SCCs did not apply to data controllers which reside outside the EU but fall under the GDPR as they process personal data of data subjects residing in the EU (the GDPR's extraterritorial applicability). The new SCCs stipulate that the data exporter can be a non-EU entity, and they can consequently be used by non-EU exporters to transfer data to another non-EU party.

Enforcement

The GDPR is intended to make data protection a boardroom issue. It introduces an antitrust-type sanction regime with fines of up to 4% of annual worldwide turnover or EUR20 million, whichever is greater. These fines apply to breaches under the GDPR, including failure to comply with the general data quality principles or carrying out processing without satisfying a condition for processing personal data.

In addition to the fines, the Dutch DPA has a range of other powers and sanctions at its disposal. This includes investigative powers, such as the ability to demand information from controllers and processors, and to carry out audits. It also has corrective powers enabling it to issue warnings or reprimands, to enforce an individual’s rights and to issue a temporary or permanent ban on processing.

Finally, data subjects have a right to compensation in respect of material and non-material damages. In the Netherlands, we see litigation emerging on the basis of the new Act on collective damages claims (Wet afwikkeling massaschade in collectieve actie or WAMCA) that entered into force on 1 January 2020.

Restrictions on monitoring and limiting use by employees of company computer resources are predominantly driven by data protection laws.

Workplace monitoring will usually involve processing personal data and is therefore governed in the Netherlands by the GDPR and the Dutch GDPR Implementation Act.

Identify the Purpose of Monitoring

When considering whether or how to monitor employees, the starting point should be identifying the purpose and underlying interest of the employer. What is the employer trying to pursue, ensure or protect? Is it a one-off, incidental case of monitoring (such as a breach of company confidentiality by an employee) or is it a more general concern (eg, web traffic monitoring, extensive private email use)? 

Employers should conduct a thorough risk analysis and make sure that the monitoring chosen is proportionate to the risks employers are looking to mitigate. This risk analysis should help employers to meet legislative requirements. Once an employer has identified the reason or purpose for any monitoring, the next step should be to consider how the chosen monitoring addresses the concern or reason identified, and whether there are any alternative ways of meeting its purpose other than monitoring. This has both a practical and legal purpose – if there is a less intrusive way to protect the business than through monitoring employees, the courts and the Dutch DPA would expect the employer to choose the less intrusive option.

GDPR Compliance

In order to carry out GDPR-compliant monitoring of employees, employers must identify a legal basis for carrying out and processing the monitoring information, and any exemptions for special category personal data such as data related to health, religion or ethnicity/race.

It is noteworthy that consent is not considered a proper legal basis for processing personal data in the employment context (especially for intrusive processing activities such as monitoring). In the Netherlands, in most cases employers will have to rely on the "legitimate interest" legal basis for processing. This means that a legitimate interests assessment (LIA) must be conducted to ensure a proper balance between the legitimate interest of the employer and the fundamental rights and freedoms of the employees. Such measures, depending on the form of monitoring, should include limitations on monitoring so as to guarantee that the employee’s privacy is not violated.

Such limitations could be:

  • geographical (eg, monitoring only in specific places – monitoring sensitive areas such as sanitary zones and break rooms should be prohibited);
  • data-oriented (eg, personal electronic files and communication should not be monitored); and
  • time-related (eg, sampling instead of continuous monitoring).

Employee monitoring is considered to be "high risk" processing, according to the Dutch DPA. Consequently, a DPIA must also be conducted. The Dutch DPA distinguishes between general monitoring and covert monitoring. Covert monitoring is lawful only where employers have a reasonable suspicion of a criminal offence or wrongful use of company information and where notifying the individuals concerned would prejudice its detection or prevention.

Under the Dutch Works Council Act, companies with a works council will also need to obtain prior consent from the works council before conducting employee monitoring. Furthermore, it is of significant importance that such assessments are appropriately documented as the documentation will form the basis of the employer's defence in the event of a claim, complaint or Dutch DPA investigation.

Information and Transparency

Employers are obliged to inform employees in a transparent way of the purposes and means of the monitoring activities. This kind of information is often captured by means of a(n) (employee) privacy notice. This notice draws the relevant acceptable use and monitoring policies to the attention of the employees. Appropriate training for staff carrying out and using monitoring data is also key.

Failure to do so may leave employers exposed to additional risk and claims. Depending on the circumstances, employees may also have grounds for an unfair dismissal or constructive dismissal claim, and in some circumstances might be able to establish a whistle-blowing aspect to such a claim. This could seriously impair the position of the employer and even result in significant financial and reputational damages. First and foremost, employee communications are key to avoiding lasting damages to employee relations.

Access Limitation and Retention

Employers must ensure that they limit access to monitoring data. Only those who really need access should be able to access it. This means assessing access controls, permission grants/sign-off processes, etc, to facilitate access where necessary.

Furthermore, monitoring data should only be kept to the extent that it is relevant to the purpose for which it is processed and whilst it remains accurate. Indefinite retention is never permissible. The period of retention will, to a certain extent, depend on the nature of the information collected and its usefulness. For example: CCTV images may, in principle, be retained for a maximum term of four weeks in the Netherlands. In addition, the employer is obliged to implement appropriate technical and organisational measures to ensure the safety and integrity of the data at all times. Once it is no longer needed, the data must be destroyed in a safe and secure manner.

Private Remains Private

Private and working lives are now more intertwined than ever. During the COVID-19 crisis, many more employees will be using their personal devices rather than work devices when working remotely. Employers need to be extremely careful of the following:

  • employees should be informed about their (lack of) privacy while using company systems/devices (eg, use of personal email account on company devices);
  • employers should disregard any data marked "private" or "personal" unless they have very good reasons; 
  • employers should treat private devices as out of bounds, unless such devices operate workplace systems and/or work-related communications (the employer must have clear policies that address monitoring in such circumstances).

Additionally, accessing communications without grounds to do so could amount to criminal or other civil offences for the business and potentially its directors.

Location Data

Tracking of location data is seen by the Dutch DPA as a particularly invasive form of employee monitoring. Employers may feel the need to track company assets or equipment, such as laptops, tablets and phones. However, even if the employer can pass the legal hurdles, if it wants to use such data for the management and discipline of wayward employees, it must clearly explain this to employees. Otherwise it will violate key provisions of the GDPR and employment legislation. Based on such violations, it could set itself up for additional claims and risks.

Mission Creep

There will inevitably remain scenarios where an employer is tempted to use monitoring tools for wider purposes, particularly in the COVID-19 context – for example, on the private use of company devices or regarding working at home conditions and efficiency. Risks remain significant and employers should beware of the so-called "mission creep" – ie, incremental expansion beyond the initial purpose of monitoring. Monitoring data should only be used for the purpose for which it is collected, and changing its purpose will raise further questions and compliance hurdles as to whether the monitoring was legitimate and employees were properly informed. Justifying employee monitoring is a difficult task; using the same data for other purposes creates a new layer of risk.

Requirements

Currently, there are multiple technologies that are deemed to fall within the scope of local telecommunications rules. Prior to bringing such technologies on the market, it is important to comply with the requirements as set out in local law.

Legislative Framework

The Dutch telecommunications sector is primarily governed by the Dutch Telecommunications Act (Telecommunicatiewet), which also incorporates multiple European Directives, such as the aforementioned ePrivacy Directive, the Directive 2002/21/EC on a common regulatory framework for electronic communications networks and services (Framework Directive), and the Directive 2002/22/EC on communications networks and services (Universal Service Directive).

The Telecommunications Act requires registration with the Authority Consumers and Markets (Autoriteit Consument en Markt) for a provider of:

  • public electronic communications networks;
  • public electronic communication services; and/or
  • any services, physical infrastructures, and other facilities or elements belonging to an electronic communications network, or an electronic communications service, that makes it possible or supports the provision of services via that network/service or has the potential to do so.

In the Netherlands, there are two authorities that supervise the enforcement of the Telecommunications Act: the Authority Consumers and Markets which is responsible for competition oversight, telecom-specific regulation and consumer protection, and the Dutch Radiocommunications Agency (Agentschap Telecom), which is responsible for obtaining and allocating frequency space and monitoring its use.

As of 1 July 2021, the updated Telecommunications Act came into effect. The most important change is that companies will no longer be able to approach end users, such as potential customers, in a random manner. Hence, the introduction of an opt-in system seems to put an end to so-called “cold calling” in the Netherlands.

However, the exceptions to this rule will continue to apply in full:

  • telemarketing is still permitted if the end-user has been a customer of the organisation within the last three years;
  • telemarketing is permitted if the consumer has given explicit permission to be called for telephone sales;
  • telemarketing is permitted for idealistic or charitable organisations if the consumer has donated to charity, done volunteer work or attended an event.

RFID

Radio Frequency Identification (RFID) chips use radio frequencies to collect (personal) data from uniquely identified tags and transfer the (personal) data over electronic communications networks.

Based on Article 3.4(1)(a) of the Telecommunications Act, Article 18 of the Frequency Decree (Frequentiebesluit 2013) and the Regulation on the use of frequency space without a licence (Regeling gebruik van frequentieruimte zonder vergunning 2015), RFID chips are exempted from the obligation to receive a permit prior to the use of frequency space.

However, collecting and transferring (personal) data with RFID chips may trigger privacy and security issues. The Directive 2009/136/EC, which amended the ePrivacy Directive and the Universal Service Directive, explicitly states that: “use of such technologies can bring considerable economic and social benefit and thus make a powerful contribution to the internal market, if their use is acceptable to citizens. To achieve this aim, it is necessary to ensure that all fundamental rights of individuals, including the right to privacy and data protection, are safeguarded. When such devices are connected to publicly available electronic communications networks or make use of electronic communications services as a basic infrastructure, the relevant provisions of Directive 2002/58/EC (Directive on privacy and electronic communications), including those on security, traffic and location data and on confidentiality, should apply.” (Directive 2009/136/EC, consideration 56.)

If RFID chips collect and transfer personal data, the GDPR and the Dutch GDPR Implementation Act shall apply and must be taken into account. Furthermore, a DPIA – as mentioned in Article 35 GDPR – must be carried out. The European Data Protection Board adopted a specific Privacy and Data Protection Impact Assessment Framework for RFID applications on 12 January 2011 to conduct such assessments.

VoIP

Voice over internet protocol (VoIP) is the transmission of voice and multimedia communications over an internet connection. Based on the Telecommunications Act, a provider of VoIP services is considered to be a provider of electronic communications services. Therefore, in the Netherlands, the Dutch Telecommunications Act applies and providers must register with the Authority Consumers and Markets prior to providing such services to customers.

This has also been confirmed in the case C-142/18 Skype Communications Sarl v IBPT (5 June 2019). In this case, the European Court of Justice (ECJ) ruled that Microsoft’s Skype service, SkypeOut – which is an additional feature of the Skype software and allows Skype-users to make calls from a terminal to a fixed or mobile telephone line using VoIP – is an electronic communications service, as defined in the Framework Directive (Directive 2002/21/EC, as amended) and is therefore subject to European telecoms regulations.

In the Netherlands, any natural or legal person may in principle provide a commercial media service or solicitation, provided that they:

  • fall under the competence of the Netherlands;
  • are of age;
  • are not a national, regional or local public media institution.

On 1 November 2020, the new Dutch Media Act came into force due to the implementation of the revised Directive on Audiovisual Media Services (AVMSD, (EU) 2018/1808). The new Media Act contains, among others, provisions for public media services, commercial media services, video platform services, protection of young people, major events, use of broadcasting networks and supervision and enforcement by the Dutch Media Authority (Commissariaat voor de Media).

The new Media Act has major consequences for providers of commercial media services on demand, including online video channels. The following criteria are used to determine whether a provider qualifies as a media service on demand:

  • the main goal of the service is to show videos;
  • the service has a mass media character;
  • it is an economic service;
  • the provider of the service determines the content of the videos; and
  • the videos are available through a catalogue.

These criteria can be found in the Policy Rule Classification of Commercial Media Services on Demand. The Dutch Media Authority examines whether the notified service is actually a commercial on-demand media service on the basis of the Dutch Media Act. If that is the case, the media service is included in the Register Commercial Media Institutions. Media organisations providing on-demand commercial media services are required to pay an annual fee of EUR200 (plus indexation) for each media service.

Under the new Media Act, platforms such as YouTube are obliged to take adequate measures in order to clarify if the content shown contains advertisements, sponsorships or other kinds of commercial activities. The supervisory authority that is located in the same country as the video-sharing platform provider will be the competent authority and can issue fines or other measures.

The new Media Act prohibits influencers from encouraging viewers to buy or hire products or services shown in the video through specific recommendations. They may not pay excessive attention to products in their videos, which must indicate whether any advertisement is included. Videos that target children younger than the age of 12 cannot show any sponsored content or advertisements. Such videos must be stored for at least two weeks in order for the Dutch Media Authority to be able to file a request and check whether there have been any violations.

This amendment to the Media Act prompted the Media Authority to revise the "Policy Rules on Classification of On-Demand Media Services". A draft has been published for this purpose and is expected to become definitive in early 2022. As a result, "influencers" (ie, those with more than 100,000 followers) can be qualified as a provider of a commercial media service on demand, with the consequence that they have to register with the Dutch Media Authority and comply with the rules of the Media Act.

Furthermore, as far as online video channels are concerned, adequate measures must be taken to protect the interests of minors. This means that parents must be able to control what their minors watch via an accessible system. Measures must also be taken to protect minors from videos inciting violence or distributing videos containing criminal offences.

Noteworthy in respect of service providers in the AVMS context is that on 25 November 2021, the Council of the European Union reached an agreement on the draft Digital Services Act (DSA) (EU Proposal, 18 November 2021 and EU Proposal, 24 November 2021) and the Digital Markets Act (DMA) (EU Proposal, 16 November 2021), bringing them one step closer to adoption. The European Parliament is discussing the drafts and plans to announce its first reading position in early 2022, after which the Council and the Parliament will enter into negotiations with the goal of reaching an agreement on a final text for both acts.

The acts lay down rules for intermediary service providers (eg, internet access providers, cloud providers, search engines, social networks, and online marketplaces) covering the following areas:

  • liability of mere conduit, caching and hosting services;
  • content moderation;
  • transparency of services and electronic communications;
  • transparency of online advertising;
  • openness and interoperability of the services to businesses and consumers; and
  • fair competition between service providers.

Significantly, on 18 November 2021, the European Data Protection Board issued a Statement on the Digital Services Package and Data Strategy, in which it identified three main concerns with respect to the DSA:

  • lack of protection of individuals’ fundamental rights and freedoms;
  • fragmented supervision by competent regulatory authorities; and
  • the risk of inconsistencies between the DSA and EU data protection law.

The Council’s reactions to these recommendations have yet to be published.

On 28 October 2021, the European Parliament’s Committee on Industry, Research and Energy adopted a draft directive on cybersecurity. The NIS2 Directive will broaden the scope of the existing NIS Directive to apply to "important sectors" such as waste management, postal services, chemicals, food, medical device manufacturers, digital providers and producers of electronics, in addition to "essential sectors". The NIS2 Directive imposes specific cybersecurity requirements relating to incident response, supply chain security, encryption and vulnerability disclosure obligations. The NIS2 Directive also aims to establish better co-operation and information sharing between EU member states, and create a common European vulnerability database.

In the Netherlands, there are no formal legal requirements governing the use of encryption. Encryption supports respect for privacy and secure communication of individuals and companies by providing them a means to communicate protected data confidentially and with integrity. Encryption that cannot be hacked is considered vital to a company’s competitiveness in the global marketplace. According to the Dutch government, confidence in such secure communication and storage of data is essential for the future growth potential of the Dutch economy, which is mainly in the digital economy.

In the GDPR, encryption is considered as a potential appropriate safeguard to mitigate risks. For example, it should be considered as a measure when processing personal data for a purpose other than that for which the personal data has been collected (Article 6(4)(e) GDPR) or to comply with Article 32 GDPR regarding the security of processing.

Encryption is considered a (mere) security measure by the Dutch DPA due to its reversible nature. By using the right key, the original information can be obtained (decryption). Encryption is used, among other things, to secure data when transmitting data over the internet, when storing data on portable devices and on removable media such as USB sticks, and in other situations where data is vulnerable to unauthorised access.

When cryptographic operations like encryption are used, it is therefore critical to assess periodically whether reliability requirements are still met. Various (international) standards provide further guidelines in terms of using encryption methods, such as ISO 27001 and NEN 7510 (applicable to the healthcare sector).

The Dutch government issued emergency legislation as well as initiating programmes and other initiatives to address the COVID-19 pandemic. Although they lack specific TMT sector focus, they are of relevance.

First of all, a set of financial measures to help entrepreneurs were extended in 2021, with the last time being on 19 December. These measures, among other things, offer entrepreneurs relief for paying wages and offer compensation for self-employed professionals, thereby aiming to minimise lockdown effects in selected sectors. Other measures relate to tax, credit and guarantees relief and payment extensions. For a full overview, please refer to Corona: Dutch government measures overview.

On 19 December 2021, a regulation amending the temporary regulation on Covid-19 entered into force. This legislation replaces former emergency legislation incorporating all temporary measures that had been issued by the government. As this is temporary legislation, it will only remain in force for one month, with a possible extension depending on the number of infected persons in the ICU department of the Dutch hospitals. This temporary legislation covers arrangements in the Netherlands, such as a compulsory closing time and closure of primary education and out-of-school care.

At the beginning of January 2021, the Dutch government started a COVID-19 vaccination programme. Focused on people working in healthcare and those in care for the elderly, in the course of the first part of 2021 the vaccine became publicly available to all residents of the Netherlands. This vaccination is not declared mandatory by the Dutch government and discussions have arisen as to whether employers can demand vaccination of their employees and customers. Up until now, it is the decision of the Dutch government, as well as the Dutch DPA, that in general such demand cannot be made from employees by employers unless there are specific circumstances that would make such vaccination absolutely necessary. Dutch law offers better possibilities to make such demands of customers (such as patients or visitors to private premises).

One of the challenges for employers in the Netherlands is the position of the Dutch DPA regarding the processing of medical information and also, therefore, information on vaccination. The Dutch DPA is adamant in its opinion that the processing of vaccination information of any data subject, including employees, is not allowed under the GDPR unless a legitimate ground and exception can be identified in Articles 6 and 9 GDPR, respectively.

In addition, the Dutch Minister of Health, Welfare and Sport has now announced that he wants to make it possible to mandate vaccination in the healthcare sector. The Minister also wants to investigate whether and how the corona or vaccination certificate can be used in the healthcare sector, but also in other employment situations.

In conclusion, it remains highly advisable to keep a close watch on the position of the Dutch DPA in the Netherlands regarding the processing of COVID-19-related personal data.

Eversheds Sutherland

De Cuserstraat 91
1081 CN
Amsterdam
The Netherlands

+31 20 5600 600

+31 20 524 1204

info@eversheds-sutherland.com www.eversheds-sutherland.com

Trends and Developments


Authors



Greenberg Traurig LLP is an international law firm with approximately 2,300 attorneys serving clients from 40 offices in the USA, Latin America, Europe, Asia and the Middle East. The firm’s dedicated TMT team consists of more than 100 lawyers, of which seven are in Amsterdam. The Amsterdam team is well versed in representing clients around the world in domestic, national and international policy and legislative initiatives, as well as guiding them through the business growth cycle for a variety of technologies. As a result, it provides forward-thinking and innovative legal services to companies producing or using leading-edge technologies to transform and grow their businesses.

Introduction

As was the case prior to 2022, the Netherlands will continue to be governed by a centrist but overall progressive and generally pro-business coalition. The new coalition agreement suggests that we should expect a continuation in 2022 and beyond of prevailing trends in the TMT sector.

The Netherlands will remain a top jurisdiction for tech, media and telecommunications, and should be in any top three list for Europe. Its infrastructure and connectivity are top of the bill, hosting not only the AMS-IX internet exchange but also a multitude of data centres including Google and Microsoft. Its workforce is highly skilled in information technologies and media production, and its government, regulatory authorities and courts are competent, professional and generally pro-business. However, it is becoming more important than ever to act as a responsible corporate citizen: free passes for bad behaviour are no longer being handed out liberally simply because a company is innovative.

At a high level, we discern a strong government push to speed up digitalisation throughout society to maintain the Netherlands’ competitive position. Simultaneously, there is a continued increase in civil society, judicial, regulatory and parliamentary action to reduce negative impacts from digitalisation, with a strong focus on big tech. There is also a continuing increase in attention to and understanding of digitalisation in Parliament and government – due, amongst other things, to the establishment of a permanent parliamentary committee for digitalisation – therefore, we expect an increasingly active role from government, both as a proponent of and watchdog for new technologies. At the same time, significant EU regulatory efforts are shrinking the scope of national parliamentary and regulatory powers, so that national efforts will need to concentrate more on enforcement than legislation. Below, we will discuss a number of current topics in detail.

5G Frequency Auction Delayed, Penetration of Fibre to the Home and Data Centre Push-Back Infrastructure

In June 2020, the Netherlands auctioned off its first sections of 5G spectrum, for 700 MHz frequencies. The second auction of 5G spectrum, for 3.5 GHz frequencies, was scheduled for early 2022 but has been delayed due to a court injunction issued in June 2021. As per this injunction, the relevant frequencies must be freed up first, as they are currently in use for maritime and air emergency communications. The roll-out of significantly faster 5G networks in the third quarter of 2022 will, as a result, be delayed; this might mean that service providers who were expecting to rely on these services should review their plans.

Fibre to the home, on the other hand, is growing at pace, with approximately 50% of Dutch households having a connection in the second quarter of 2021, and full coverage expected around 2030. Growth in data centres has also continued unabated in the Netherlands, though it is now starting to draw significant criticism due to its energy and environmental impact. The recent approval for plans for a Meta (formerly Facebook) data centre led to both public outcry and a motion passing in the Dutch senate compelling the Dutch state to refuse to sell necessary agricultural land to Meta. As such, infrastructure providers considering planning large-scale computing facilities should ensure they tackle potential environmental impacts as part of their planning.

Increase in Collective Action Damage Claims

On 1 January 2020, the Dutch Act on Redress of Mass Damages in a Collective Action took effect, allowing for US-style class action lawsuits in the Netherlands. This has resulted in suits being brought against, amongst others, Apple, Facebook, TikTok, Oracle and Salesforce based on abuse of market power and unlawful processing of personal data. It is widely believed that more class action lawsuits for the protection of consumer rights will follow in the coming years. Initially, these cases will be brought by consumer watchdogs, but there is also an expectation that lawyers and others will view these types of class actions as an attractive business model and will set up legal entities specifically to pursue them. Companies should thus be aware that consumer protection laws that were previously harmless due to a lack of regulatory capacity and the weakness of individual private enforcement may become significantly more effective.

Increase in Regulatory Oversight in Respect of GDPR Compliance and AI

The Dutch Data Protection Authority (DPA) lobbied extensively in 2021 for a quadrupling of its budget and a trebling in personnel capacity. Though it has not materialised in the most recent budgets, this may change as the new coalition agreement specifies it will invest in a strong position for the DPA. Generally speaking, enforcement by the DPA is increasing steadily, as are the level and number of fines, with seven fines exceeding EUR400,000 and one fine exceeding EUR2 million. In addition to general GDPR compliance, the coalition agreement specifies that a new "algorithm regulator" will be created (either as part of an existing regulatory authority or as a separate entity), to ensure algorithms will be transparent, non-discriminatory and fair. 

For most companies, enforcement action is relatively unlikely if they can demonstrate they are making a reasonable effort to comply with applicable data protection regulation. However, companies working with very significant amounts of, or particularly sensitive types of, personal data should tread carefully and keep up to date on the DPA’s most relevant guidelines.

Increasing Protection for Gig Workers

The Netherlands saw the re-classification of gig workers from independent contractors to employees by courts in multiple separate cases. On 16 February 2021, the Amsterdam Court of Appeal upheld a verdict by the District Court of Amsterdam against Deliveroo, finding that its delivery workers were indeed employees. The District Court of Amsterdam also found Uber drivers qualify as employees in its verdict of 13 September 2021. Both cases were brought by the workers union FNV, and in both cases appeals have been filed.

As it stands, however, digital platforms that rely on a large force of workers to perform a key activity for their business and that are in a position to exercise real control over the way workers perform their labour – be it through algorithmically determined incentives or otherwise – or the conditions against which it is performed (eg, unilateral price adjustments) should assume there is a significant probability those workers may qualify as employees (regardless of the content of the contract parties have entered into).

In this respect it is also relevant that, in December 2021, the European Commission proposed the Platform Work Package (PWF) to improve the working conditions of persons working through platforms in the EU, and to support the sustainable growth of these platforms. The PWF will introduce harmonised measures to determine the employment status of individuals – as workers (ie, employees) versus solo self-employed persons (ie, independent contractors) – and new material rights for both workers and self-employed persons regarding algorithmic (ie, automated systems) management. If the proposed directive is adopted without change, which is expected to take approximately 18 months, the Netherlands will have two years to transpose the proposed directive into national law.

The impact of the directive on legislative developments in the Netherlands will be interesting to see. In particular, the proposed directive’s rebuttable legal presumption – with burden of proof on the platform – that the contractual relationship between a platform and an individual is one of employment would result in more gig workers needing to be treated as employees in the Netherlands.

Growing Pressure to Limit Market Power of Tech Platforms

As is the case in the wider European context, there is growing discomfort with the market power of large technology companies in the Netherlands. The new coalition agreement indicates the government will seek to modernise Dutch competition law to ensure the continued existence of a meaningful public media domain and to counteract the significant centralisation of media distribution in large tech companies. Similarly, the coalition agreement refers specifically to ensuring that tech giants do not abuse their market power, including their access to data, to stifle competition.

Although, in our view, there is only limited cause for concern for most technology companies, big tech should take care in how they structure their platforms to ensure they are not accused of abusing a dominant position. For instance, the Dutch Competition Authority (ACM) issued a decision in August of 2021 establishing that Apple is abusing its economic dominance – in breach of the EU and Dutch antitrust rules – by imposing unfair contractual terms on dating app providers. In particular, the ACM held that Apple’s conditions relating to the payment system of Apple and to anti-steering are causing harm to the dating app providers. In its decision, the ACM required Apple to amend the unreasonable terms in its App Store. This decision was contested by Apple. However, on 24 December 2021, the District Court Rotterdam largely rejected requests by Apple for preliminary injunctive relief.

In addition to these national developments, at an EU level there is a clear push to create a somewhat level playing field for businesses, consumers and governments in Europe, despite the enormous market power of tech giants. Of particular note are the EU Digital Services and Digital Markets Acts, the Data Governance Act (proposal still to be approved by European Council), the Data Act (proposal yet to be issued) and the EU regulatory framework for AI (proposal issued in April 2021).

This forthcoming legislation will have an enormous impact on technology companies operating throughout the EU. The framework set out in these legal instruments intends to circumscribe and limit the power of (big) tech companies, limit unfair business practices, protect users' fundamental rights, ensure data sharing between businesses, and between businesses and governments on fair terms, and will set limits on what AI can and cannot be utilised for in the EU. One should expect various parts of this legislation to take effect in member states between 2023 and 2026.

For the Netherlands, the foregoing may mean that we will see relatively limited efforts to adopt parallel national legislation pending the EU proposals, with most of the energy being directed towards influencing EU legislation. However, the EU proposals may nudge regulators and courts in the Netherlands towards taking a bolder stance in their interpretation of existing laws.

Cybersecurity a Key Topic for the Dutch Government and Expectations of Corporate Responsibility Increasing

Cybersecurity is a matter of increasing concern in the Netherlands and has become a clear government priority in the coalition agreement. This goes beyond just securing the public sector and critical infrastructure, and extends more broadly to the private sector.

To that end, the government’s National Cyber Security Centre has started sharing its threat updates with the private sector in general, rather than merely with providers of essential services. In addition to this kind of enablement, enforcement against lax security is also increasing, with security failures and data breaches leading to significant fines by the DPA. Prevention is also increasingly viewed as necessary. A recent report by the Dutch Safety Board urges the government to seriously regulate digital safety and security in the private sector through reporting and transparency obligations akin to current obligations for financial reporting. This dovetails well with an IT security certification audit being designed by the Dutch professional association for IT auditors.

Overall, the trend towards increasing scrutiny of cybersecurity presents both opportunities for technology companies that can support the push towards a more resilient ICT infrastructure and threats for those that lag behind. There is a strong talent pool in the Netherlands, with Dutch enforcement agencies frequently leading the pack on taking down hacking groups. This has translated into a strong growth of innovative cybersecurity companies (eg, HackerOne). The presence in the Netherlands of a highly digitalised government, an outsized financial sector, a high data centre density and key internet infrastructure means there is also a significant market to be claimed for fast movers.

Normalisation of Cryptocurrency in Ordinary Commerce and Protection of Consumers

Cryptocurrency and blockchain technologies are starting to be embedded in the formal economy and in the ordinary life of Dutch citizens, though mainly as a category of investment assets and a technology substrate for transaction platforms for financial assets. This increasing uptake is starting to pose practical problems in private law – for example, the fact that cryptocurrencies do not have a clear legal status hobbles, eg, transactions and seizure – and the increase in investments by generally unskilled investors is an increasing cause for concern for regulators, who at this time do not have appropriate instruments to regulate consumer investments in cryptocurrency.

The Dutch approach in respect of cryptocurrency is to wait for EU legislation (the Markets in Crypto-Assets Regulation, which the Dutch Authority for the Financial Markets expects to enter into force in 2024) and other international developments (with respect to the private law treatment of cryptocurrency), rather than to implement legislation of its own.

Regulations for "Influencer" Marketing Incoming

The rise of social media platforms, such as Instagram, YouTube and Snapchat, has provided a stage to those with purported expert-level knowledge and/or social influence in their field ("influencers"). These influencers have a (seemingly) unlimited scope for sharing their vision, ideas, and other messages with their followers. However, these messages are also often of a commercial nature (eg, advertisement of products or services, offers of advice, and promoting political opinions). Given their large audience, influencers can be very effective in creating online engagement for the companies that employ their services, but also in manipulating the opinions and purchases of their followers, at least in part because followers are not always able to distinguish between genuine and sponsored advice.

At this moment, the Dutch Media Authority (DMA) is in the process of setting policy rules with respect to influencers. These policy rules apply to influencers located in the Netherlands only. One of the main questions to be answered by the DMA is whether an influencer is merely an uploader of content, or should qualify as a commercial media service on demand. Should the latter be the case, the service is bound by the rules of the Dutch Media Act, and will be supervised by the DMA. An influencer qualified as a commercial media service on demand is also required to register with the Stichting Reclame Code and the Netherlands Institute for the Classification of Audiovisual Media. Moreover, the influencer has to make clear in the broadcast that the programme is sponsored, or contains advertisements or product placement.

Once the policy rules are set, the DMA will observe a transition period. In this period the influencers that qualify as a commercial media service will have the time to comply with the policy rules. The policy rules are expected to be set in early 2022.

Unabated Move to Cloud and Schrems II Poses a Serious Compliance Hazard

There is a continued and accelerating move towards the cloud happening across the private and public sector, providing a strong market opportunity. There are no particular Netherlands-specific legal developments of great moment here – the action is mainly occurring in the EU theatre (discussed in brief in the final section).

Worth noting briefly, however, is that the European Court of Justice’s Schrems II decision, which requires a data controller to judiciously review the actual protection of personal data in a non-EEA country before transferring, is being taken very seriously by Dutch government bodies and large corporates. That is to say, companies in the USA, and in major centres for outsourcing outside the EEA, must seriously consider how they can demonstrate that a data controller using their services can meet the requirements imposed by Schrems II.

FRAND Decisions

In Huawei v ZTE, the EU Court of Justice held that the holder of a standard essential patent (SEP) who has committed to license its SEP on fair, reasonable and non-discriminatory (FRAND) terms may violate EU competition laws on market power abuse if they seek an injunction against a potential licensee in certain circumstances. The court set out a roadmap outlining the circumstances in which a SEP holder can bring an injunction and recall action for infringing products without violating EU competition laws.

It is expected that important judgments in relation to this so-called FRAND defence are forthcoming in the Netherlands in 2022. For example, the Dutch Supreme Court’s judgment in Wiko v Philips is currently expected to be forthcoming in February 2022. This case and others merit close scrutiny for any holder of SEPs as the court is expected to provide further guidance on the ability to enforce these patents against potential licensees, as well as the expected behaviours of both the SEP holder and the implementer of a SEP. 

New Reporting Obligations for Platform Companies in Respect of Tax

In March 2021, the Council of the European Union adopted Directive 2021/514 with the aim of improving administrative tax co-operation – and countering tax fraud/tax evasion – and addressing the challenges posed by the digital platform economy. The Directive includes new rules extending the EU tax transparency requirements to “platforms” and introducing an obligation for “platform operators” to provide information on income derived by sellers through platforms. The rules affect platform operators offering sellers access to:

  • the rental of immovable property, including both residential and commercial property, as well as any other immovable property and parking spaces;
  • a personal service;
  • the sale of goods; and
  • the rental of any mode of transport.

The Netherlands must implement these rules into its local laws on 31 December 2022, so a proposal for the exact form of implementation is expected in the course of this year.

Simplification and Clarification of R&D Tax Rebate Scheme

As of 1 January 2022, the R&D tax rebate scheme, which may reduce the Dutch wage tax/national insurance contributions payable by employers, has been simplified. Under the amendments, companies can now always submit a new application for a tax rebate starting in the next calendar month, even if an application for that calendar month has been submitted previously (albeit that the maximum number of applications will remain limited to four per year). In addition, flexibility is offered to employers in respect of reporting the costs incurred for R&D work at the end of the year since it is no longer necessary to specify to which application these costs relate. Furthermore, it has been clarified that an R&D declaration may include only costs and expenses that were already anticipated and that were included in the R&D application.

For 2022, the R&D tax rebate percentages are 32% (start-ups may be eligible for a rate of 40%) for the first EUR350,000 of R&D wage costs and 16% for the excess amount.

Introduction of Digital Services Tax

In the coalition agreement, the parliamentary parties set out the new government’s plans and ambitions for 2021–25. One of these plans and ambitions concerns the introduction of a digital services tax in the Netherlands. Since the coalition agreement only provides for a general outline of the intended measures, no further details with respect to the introduction of the digital services tax are available at this stage.

Greenberg Traurig LLP

Leidseplein 29
1017 PS
Amsterdam
The Netherlands

+31 20 301 7300

+31 20 301 7350

Herald.Jongen@gtlaw.com www.gtlaw.com

Trends and Development

Authors



Greenberg Traurig LLP is an international law firm with approximately 2,300 attorneys serving clients from 40 offices in the USA, Latin America, Europe, Asia and the Middle East. The firm’s dedicated TMT team consists of more than 100 lawyers, of which seven are in Amsterdam. The Amsterdam team is well versed in representing clients around the world in domestic, national and international policy and legislative initiatives, as well as guiding them through the business growth cycle for a variety of technologies. As a result, it provides forward-thinking and innovative legal services to companies producing or using leading-edge technologies to transform and grow their businesses.
