Metaverse

The metaverse is generally used to describe a virtual 3D world in which users (represented by avatars) can communicate, interact and conclude transactions through various technologies (such as virtual or augmented reality, NFTs and blockchain), although there is no generally accepted definition.

There are no specific laws or regulations governing the metaverse in the Netherlands. The laws applicable to the “offline” world are generally applicable to the “online” metaverse. The metaverse does pose legal challenges, especially in relation to intellectual property rights (and intermediary liability) and data protection.

Intellectual Property (and Intermediary Liability)

In the metaverse, products and services can be displayed which are protected by intellectual property rights, such as copyrights and trademark rights. Although this brings new (business) opportunities, holders of such intellectual property rights are to carefully review the user terms of metaverse platforms prior to accessing and using the metaverse as these terms may contain broad licensing clauses or even result in a transfer of intellectual property rights. Furthermore, risks may occur relating to counterfeit products that are offered in the metaverse, such as NFTs. When counterfeit or infringing NFTs are sold, challenges arise in enforcing intellectual property rights and for example identifying the “infringers”. This also raises questions regarding the intermediary liability of the provider of the metaverse platform.

Data Protection

When personal data is processed relating to EU data subjects, the General Data Protection Regulation (GDPR) is generally applicable. Challenges may arise in determining the relevant actors, such as the (joint) data controller(s), the data processor(s), the supervisory authority and the data subjects. The extent to which the purposes and methods are determined by the provider of the metaverse platform and the actors in the metaverse should be assessed for each instance. In addition, special and sensitive personal data can be processed in the metaverse, such as payment or medical data. For special categories of personal data stricter rules apply, which are further detailed in the laws of each member state of the European Union. In the Netherlands, national identification numbers, such as a citizen service number, may only be processed if this is prescribed by law. It is therefore of importance to assess which personal data is processed and what the legal basis is that will be invoked. Considering the global reach of the metaverse, the applicability of other (local) data protection laws may also be triggered when processing personal data.

The digital economy is a driver of many new laws and regulations. The key laws and regulations in the Netherlands relating to the digital economy are:

• the e-Commerce Directive (2000/31/EC), which is implemented in the Dutch Civil Code; the e-Commerce Directive aims to establish harmonised rules on issues such as: (i) transparency and information requirements for online service providers; (ii) commercial communications; and (iii) the conclusion of electronic contracts and the liability exemption for intermediary service providers; and
• the Platform to Business Regulation ((EU) 2019/1150), which governs the relationship between online platforms and companies that use such platform for the selling of products or services.

An important recent development in the regulation of the digital economy is the entering into force of the EU Digital Markets Act (DMA) and the EU Digital Services Act (DSA).

The DMA aims to ensure that large online platforms that act as “gatekeepers” in digital markets behave in a fair way, while protecting European consumers and entrepreneurs and improving competition.

The DSA regulates different online intermediation services, aiming to safeguard a safe online environment, protect the rights of users, and create a level playing field for companies. In the Official Journal of the European Union a list was published of intermediary services qualifying as Very Large Online Platforms and Very Large Online Search Engines. These companies will also have to comply with the stricter obligations under the DSA.

In the Netherlands, the DSA will be further implemented in the DSA Implementation Act. Both the Authority for Consumers & Markets (ACM) and the Data Protection Authority (AP) will function as supervisory authorities. The ACM has recently published a guideline for the intermediary services that are governed by the DSA, setting out the applicable rules and obligations.

Possible challenges in this regard are the following. Distinguishing between different categories of intermediaries might prove challenging given the open and vague norms. Also, the roles and competencies of both supervisory authorities need to be further clarified. In the Netherlands, various parties reacted to the first proposal of the DSA Implementation Act, flagging various other challenges in relation to the DSA.

Laws and Regulations

In the Netherlands, there are no specific laws or regulations in relation to cloud and edge computing. Cloud and edge computing services are subject to (general) Dutch and European laws and legislation. Key laws and legislation are the Dutch Civil Code, the GDPR, the Dutch Telecommunications Act and the NIS directive, which is to be repealed by the NIS2 Directive (2022/2555) with effect from 18 October 2024. The NIS2 Directive is to be implemented in Dutch law. Pursuant to the NIS and NIS2 Directive, providers of critical and essential cloud or digital services are to comply with the security requirements set forth therein.

The concept of cloud computing is described in the NIS2 Directive, which aims to achieve a high level of cybersecurity across the member states for operators of critical infrastructure and essential services. The NIS2 Directive describes cloud computing services as “digital services that enable on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources, including where such resources are distributed across several locations.”

Regulated Industries

The following industries or sectors are subject to more stringent regulatory requirements, which can also relate to the use of cloud and edge computing services.

Financial services

The financial services sector is subject to stringent regulations related to cloud computing. The most notable development is that the Digital Operations Resilience Act for the Financial Sector (DORA), which entered into force on 16 January 2023, stipulates requirements to ensure digital resilience in the financial sector. DORA stipulates rules on ICT risk management, incident reporting, operational resilience testing and ICT third-party risk monitoring. The use of cloud computing services by financial institutions is subject to the Dutch Financial Supervision Act and to the further substantiation thereof by the supervisory authority, namely the Dutch Central Bank (De Nederlandsche Bank, or DNB), such as the “Circulaire Cloud Computing” and the “Good practices for managing outsourcing risks” as published by the DNB. The DNB further supervises compliance with the European Bank Authority Guidelines on outsourcing arrangements of 25 February 2019 (the “EBA Guidelines”). 

Healthcare

Specific provisions for the processing of medical (patient) data apply. As of 1 July 2017, the law on clients’ rights to electronic data processing in healthcare entered into force, regulating the secure exchange of medical (patient) data.

Other regulated industries

The other regulated industries are (i) electricity and (ii) telecoms.

Data Protection Issues

The main issues with cloud and edge computing from a data protection perspective relate to data transfers outside of the European Economic Area (EEA).

The transfer of personal data outside the EEA is generally only allowed if the third country in question ensures an adequate level of protection of personal data. The GDPR specifies under which circumstances personal data can be transferred to third countries, for instance in case of: (i) an adequacy decision (which has been adopted for the United Kingdom post-Brexit); (ii) appropriate safeguards (such as Binding Corporate Rules or Standard Contractual Clauses); or (iii) other specific derogations (such as the data subject’s consent).

Cloud providers often host personal data of customers in countries outside of the EEA, such as the United States. In the Schrems II decision of the ECJ, the transfer mechanism for EU-US data transfers (the Privacy Shield) was declared invalid. The use of Standard Contractual Clauses remains possible for EU-US data transfers, provided that a Data Transfer Impact Assessment (DTIA) is conducted prior to the transferring of personal data and (where necessary) additional measures are taken.

On 10 July 2023, the Data Privacy Framework entered into force, and constitutes a new EU-US data transfer mechanism. It succeeds the Privacy Shield and aims to facilitate legitimate transfers of personal data from the EU to the US, provided that the recipient in the US is acceded to the Data Privacy Framework. Critics argue that the Data Privacy Framework will also be invalidated by the ECJ due to similarities with previous frameworks like the Privacy Shield and Safe Harbour.

AI Act

On 14 March 2024, the AI Act was adopted by the European Parliament (EP). The AI Act consists of rules governing the use of Artificial Intelligence (AI) within the EU. The primary goal of the EP is to ensure that AI systems used within the EU are safe, transparent, traceable, non-discriminatory, and environmentally friendly. Additionally, the EP asserts that AI systems should never be fully automated and it advocates for a uniform definition of AI applicable to all future AI systems. The text adopted by the EP must now be formally adopted by the Council of the EU.

Until adoption by the Council of the EU, there is no specific legislation in the Netherlands concerning the complex landscape of AI. The Dutch government has in the meantime taken proactive steps to harness AI’s potential while mitigating associated risks. In October 2019 the Dutch government unveiled its Strategic Action Plan for Artificial Intelligence, a comprehensive framework outlining the nation’s ambitions to capitalise on AI’s socio-economic benefits. Central to this plan is fostering collaboration through the Dutch AI Coalition, a partnership between companies, government entities, and educational institutions aimed at implementing AI initiatives across various sectors.

The government’s strategic vision underscores AI’s role in addressing pressing societal issues such as population ageing, climate change, and healthcare. Nonetheless, it emphasises the imperative of safeguarding fundamental rights like privacy, non-discrimination, and autonomy in the face of AI advancements.

To promote ethical innovation, the Ministry of the Interior and Kingdom Relations introduced the Toolbox for Ethically Responsible Innovation. This toolbox provides developers with guidance on prioritising public values and fundamental rights in AI projects. Key principles within the toolbox stress the importance of incorporating safety measures into technology development, particularly concerning the processing of personal data.

The DNB issued guidelines in July 2019 outlining principles for responsible AI use for the Dutch financial sector. The DNB has highlighted the potential benefits AI offers to enhance business processes, while also underscoring the need for accountability, fairness, and transparency to mitigate risks such as reputational damage and harm to consumers.

Liability

While the Dutch Civil Code lacks specific provisions addressing AI, liability principles are still applicable. Manufacturers may be held liable for AI-related damages under existing product liability laws, contingent on factors like product safety expectations and defectiveness (Article 6:185 of the Dutch Civil Code). Moreover, fault-based liability (Article 6:162 of the Dutch Civil Code) may come into play in cases where neither product liability nor possessor liability (Article 6:173 of the Dutch Civil Code) applies.

Recognising the need for legal clarity in the digital economy, the European Commission proposed revisions to the Product Liability Directive in September 2022. These revisions aim to establish frameworks for AI-related liability, ensuring legal protection and accountability in AI deployment.

Data Protection

Data protection remains a paramount concern, with the GDPR and the Dutch Implementation Act providing the regulatory framework. The Dutch Data Protection Authority oversees compliance, emphasising the principles of lawfulness, fairness, and transparency in AI-related data processing activities.

Intellectual Property

Dutch patent law does not explicitly protect AI systems, but certain components such as software or training models may be patentable. Challenges may arise regarding inventorship with AI-generated inventions, as the European Patent Office has rejected AI as an inventor in patent applications. It is still unclear whether copyright protection applies to AI-generated works, although it is argued that copyright protection applies if human intervention significantly contributes to their creation, ensuring the preservation of creative rights.

The Trade Secrets Directive safeguards against unauthorised use and disclosure of confidential information, potentially encompassing AI systems as trade secrets if certain criteria are met.

Fundamental Rights

The Dutch government is acutely aware of AI’s implications for fundamental rights, as evidenced by the childcare benefits scandal in September 2018. This scandal underscored the discriminatory impact of AI algorithms and prompted a re-evaluation of AI governance practices. The government advocates for a human-centred approach to AI, prioritising respect for human rights and public values. To this end, it has issued guidelines for government agencies on algorithm use, emphasising transparency, accountability, and public engagement.

In conclusion, while adequate AI regulations are still lacking in the Netherlands, strategic initiatives, and collaborative efforts demonstrate a commitment to responsible AI deployment. By addressing ethical, legal, and societal considerations, the government seeks to maximise the benefits of AI while safeguarding fundamental rights and promoting public welfare.

The Internet of Things (IoT) is one of the main developments in our current digitalised society. From smart connected cars to smart cities, day-to-day objects and assets are now connected and equipped with data-driven technologies.

GDPR

On 25 May 2018, the GDPR came into effect. The GDPR has had major implications on all businesses in the EU, as well as all businesses that offer goods or services to EU-based customers and use their personal data. Challenges for providers of IoT solutions that may arise are to:

• properly inform the data subjects of the data processing;
• obtain freely given, specific and informed consent (both on the basis of the GDPR as well as the Dutch Telecommunication Act (implementing the e-Privacy directive (2002/58/EC));
• minimise the processing of personal data, which often conflicts with the data-driven services offered by the IoT provider;
• develop privacy friendly IoT solutions, meeting the principles of privacy-by-design and privacy-by-default; and
• conduct data protection impact assessments, prior to developing the IoT solution in order to timely flag the possible privacy risks.

The e-Privacy Regulation

The e-Privacy Directive (2002/58/EC) is expected to be repealed by the e-Privacy Regulation, which is not yet approved. The e-Privacy Regulation expressly regulates and applies to machine-to-machine (M2M) communications, in particular relating to the confidentiality of data of such communications, with certain exceptions possibly applying.

The Digital Content and Digital Services Directive (2019/770)

The Digital Content and Digital Services Directive is implemented in the Dutch Civil Code and applies in the Netherlands to certain aspects concerning contracts for the supply of digital content and digital services. The Directive aims to promote the internal market and achieve a high, and as uniform as possible, level of consumer protection by harmonising a number of aspects in consumer contract law. The Directive stipulates, for example, that consumers have the right to receive (security) updates for all digital content (such as games and applications), digital services (like streaming) and all goods incorporating technology (such as IoT devices) for as long as they can reasonably expect such updates.

The Dutch Media Act 2008 aims to ensure that a diverse range of radio and TV channels are accessible to the public. It lays down requirements for both public and commercial broadcasters. It mandates regulations for public broadcasters regarding programming and advertising on their channels.

Supervision of compliance with the Dutch Media Act 2008 falls within the purview of the Dutch Media Authority (Commissariaat voor de Media). This oversight extends to broadcasters (TV, radio), commercial video-on-demand services (VODs), and video-sharing platform services (VSPs), although large VSPs often operate outside Dutch jurisdiction.

Commercial video-on-demand services are assessed against five criteria, including their primary purpose, mass media nature, economic orientation, editorial responsibility, and cataloguing structure, to determine regulatory status. Notable examples within Dutch jurisdiction are Netflix and YouTube channels operated by uploaders.

Video-sharing platforms like YouTube offer audiovisual content without editorial responsibility, therefore falling outside Dutch jurisdiction. However, complaints regarding audiovisual media services registered in the Netherlands but available in other European countries can be lodged with the Dutch Media Authority.

The Dutch Media Act 2008 aims to protect audiences from harmful content, regulate commercial communication, promote European, national, and independent works, and address the specific nature of public service media. Broadcasters and video-on-demand service providers have the freedom to determine the form and content of their offerings within legal boundaries.

For commercial media service providers, advertising, sponsoring, and product placement rules are vital. Advertising should occur only during commercial breaks, with clear demarcations, and adherence to the Dutch Advertising Code Foundation is mandatory. Sponsoring and product placement disclosures must precede or follow sponsored content or programmes, with strict prohibitions on inducements and excessive product focus. Product placement is prohibited in programmes targeting children under twelve, news and current affairs, consumer issues, or religious or spiritual content. Stricter rules apply to advertising and commercial communication for public media service providers to maintain their public and independent nature.

To establish a commercial broadcasting station in the Netherlands, a license or registration from the Dutch Media Authority is necessary, along with potential requirements from the Dutch Authority for Digital Infrastructure or agreements with cable operators. Applications for renewal must be submitted five months before expiration, and licenses or registrations are valid for five years.

In summary, the Dutch Media Act 2008 plays a crucial role in regulating the audiovisual media landscape, ensuring accessibility, protecting audiences, and promoting diverse content while imposing strict standards on advertising and commercial communication. Compliance with this law is essential for broadcasters and media service providers to operate within Dutch jurisdiction.

The Dutch Telecommunications Act is applicable to electronic communication providers and distinguishes between:

• electronic communication networks (ECN); and
• electronic communication services (ECS).

In the Netherlands, communication providers (such as providers of landline or mobile telephony, internet access or an internet network, email or webmail services, video conferencing services and internet telephony) are granted general authorisation to operate, without needing specific licenses, permits, or consents. However, there is a requirement to register with the Authority for Consumers & Markets (Autoriteit Consument & Markt, or ACM) before commencing operations. Registration entails providing details about the provider’s corporate structure, turnover, and services offered in the country.

Upon successful registration, the provider is listed in the public register of communication companies and receives a unique registration number. Any subsequent changes to activities must be promptly notified to the ACM for updating the registration. Additionally, registered communication companies are obligated to annually report their turnover from communication services to the ACM. Based on this information, the ACM imposes an annual fee, which varies depending on the turnover. Companies with a turnover of EUR2 million or less are exempted from this fee.

However, mobile operators and other spectrum users are required to obtain a license to install or operate specific mobile network equipment.

Technology Agreements

The freedom of contract forms an important principle in Dutch contracting law. Therefore, parties are largely able to deviate from the Dutch Civil Code (unless specific mandatory provisions apply) and determine the contractual arrangements and remedies.

Prior to concluding a technology agreement, a letter of intent (also referred to as LOI, MOU, Heads of Terms etc) can be concluded. This can either be a binding or non-binding agreement setting out the process for the upcoming negotiations and the key elements of the technology agreement. Moreover, a letter of intent allows parties to terminate the negotiations without incurring liability (as pre-contractual liability can arise under Dutch law).

After the conclusion of a letter of intent (or variation thereof), parties shall generally negotiate a technology agreement (usually a Master Services Agreement (MSA), depending on the type and nature of the technology agreement). In technology agreements, the following matters are generally subject to negotiations:

• nature of obligations (effort obligations v result obligations);
• delivery dates/milestones (strict deadlines v indicative dates);
• service levels/KPI service credits;
• intellectual property rights/license provisions;
• charges and invoicing;
• change procedures;
• compliance with laws (including industry-specific regulations);
• security;
• data protection;
• audits;
• benchmarking;
• exit arrangements;
• termination for cause and convenience;
• (no) suspension rights;
• step-in rights;
• continuity arrangements (SaaS escrow);
• parent company guarantee;
• liability (liability caps, “supercaps” and exceptions, damages); and
• warranties and indemnities.

Regulated Industries

The following industries or sectors are subject to more stringent regulatory requirements (see also 3.1 Highly Regulated Industries and Data Protection):

• financial services;
• healthcare;
• electricity; and
• telecoms.

Laws and Regulations

The rules regarding digital signatures are outlined in the eIDAS Regulation (Regulation (EU) No. 910/2014) and Article 3:15a of the Dutch Civil Code (DCC). These provisions distinguish between three categories of electronic signatures, all generally considered equivalent to handwritten signatures.

The following three categories of electronic signatures are distinguished:

• the ordinary electronic signature;
• the advanced electronic signature; and
• the qualified electronic signature.

The ordinary electronic signature is qualified as such when data in electronic form is attached to or logically associated with other data in electronic form and used by the signatory to sign. This includes scanned signatures.

More requirements are placed on the advanced electronic signature. Such a signature must:

• be uniquely linked to the signatory;
• enable the signatory to be identified;
• be created using signature-creation data that the signatory, with a high level of confidence, can use under their sole control; and
• be so linked to the signed data that any subsequent changes to the data can be detected.

The qualified electronic signature, where the signature is verified using a certificate issued by a recognised certification service provider, is equated with a handwritten signature by the eIDAS Regulation. The qualified electronic signature provides the most guarantees and is equivalent to a handwritten signature, recognised throughout the EU.

The advanced and ordinary electronic signatures are equated with a handwritten signature under Article 3:15a DCC if the method used is sufficiently reliable. This is an open norm that must be assessed based on the specific circumstances of the case.

Evidential Value of Electronic Signatures

If the advanced or ordinary electronic signature is considered sufficiently reliable, it has the same legal effects as a handwritten signature, just like a qualified electronic signature. Evidentially, this means that the electronically signed document is a private document and generally carries conclusive evidential value according to Article 156a in conjunction with Article 157 of the Dutch Code of Civil Procedure. If the advanced or ordinary signature is not considered sufficiently reliable, the document has free evidential value, and its assessment is left to the discretion of the court.