January 2016 could be characterized as an interesting month for cybersecurity from a Dutch legal perspective. I will briefly discuss four developments that will further shape the Dutch cybersecurity landscape.
1. On January 1st, 2016, the Data Breach Notification Act (Wet meldplicht datalekken) came into force
A data breach in terms of this new law exists when security measures have been breached and personal data are exposed to (the risk of) loss or unlawful processing. Both a lack of security and the circumvention of otherwise adequate security measures can qualify as a ‘breach’. Notifications will have to be made to the Dutch Data Protection Authority (and under certain circumstances also to the persons to whom the personal data relate), which is also given a new power to impose penalties of up to EUR 810,000 in case of non-compliance. The new law follows the sector-specific notification duties (Financial Sector and Telecom Sector) for incidents and breaches, but has a wider reach.
2. Letter on Encryption to Parliament from the Ministers of Economic Affairs and Security & Justice, dated January 4, 2016
The Ministers set out the official position of the Dutch Government regarding encryption. They recognize the importance of encryption for the Government, business and citizens when it comes to secure communications, economic growth and safeguards against espionage and cybercrime. Having said that, the Ministers also point out that encryption could complicate the work of law enforcement and intelligence agencies when it comes to combating serious crime, cyber attacks and terrorism. Balancing all the interests, the Dutch Government reaches the conclusion that, at this point in time, it is advisable not to take any restrictive legal measures regarding the development, availability and use of encryption in the Netherlands. The Ministers endorse the relevance of strong encryption for protecting the privacy of citizens and the confidential communications of the Government and the business sector.
3. Legislative Proposal of the Cybersecurity Breach Notification Act (Wet gegevensverwerking en meldplicht cybersecurity) sent to Parliament on January 21, 2016
This intended new law will apply to ‘vital providers’ of products and services in case of actual breaches of security or loss of integrity of electronic information systems. Vital providers will be found in both the government and the private sector. They will be designated by law, but will in any event include the following sectors: electricity, gas, nuclear energy, drinking water, telecom, finance, government and transport (Port of Rotterdam and Schiphol Airport). ICT breaches will have to be reported to the National Cyber Security Centre (NCSC), a department of the National Coordinator for Security and Counterterrorism (in Dutch: NCTV), which is part of the Dutch Ministry of Security and Justice.
A notification duty only exists when the availability or reliability of the product or service could be interrupted ‘to an important extent’, but it is still uncertain when this will actually be the case. According to the Government, DDoS attacks will not qualify as incidents falling under the scope of the notification duty, because only the accessibility of the online service is undermined and not the systems as such. The legislative proposal is in alignment with the EU draft Network and Information Security (NIS) Directive (COM(2013) 48), but is nonetheless a separate Dutch initiative. The Government did not want to wait for this Directive and acknowledges that adjustments will have to be made in the future in the course of implementing the NIS Directive.
4. Public Prosecutions Office’s press release, January 27, 2016: ‘Cybercrime Act III necessary for the investigation of criminals’
In this press release on its website, the Dutch Public Prosecutions Office implicitly refers to the Explanatory Memorandum to the Cybercrime Act III, which was sent to Dutch Parliament on December 22, 2015. This bill proposes new powers for the prosecutor and police authorities with respect to hacking, as well as an order to make data inaccessible on the internet (taking the already existing Notice and Take Down protocols a step further). Provisions to strengthen the fight against ‘grooming’, the fencing of stolen electronic data and online commercial fraud are also part of the legislative initiatives.