The proposed Bill would require telecom and internet service providers to notify the Dutch Telecom Authority (the “OPTA”) without delay in the event of a security breach involving personal data. They also would be required to notify affected individuals without delay if the breach is likely to have an adverse effect on the protection of their personal data. The Bill does not affect initiatives to introduce a broader data breach notification regime applicable to other industries outside the telecom sector. The Dutch Minister of Justice recently stated that he expects to issue a proposal to implement a more general data breach notification law in 2011.
The Bill also would revise the current cookie consent regime to require a data subject’s prior consent to place cookies on his or her computer. The consent requirements are of particular relevance for third-party cookies that are used, for example, to track web surfing activities for behavioral advertising purposes. A key issue is whether consent must be obtained for each individual cookie, or whether consent can be implied by a data subject’s browser settings. A previous version of the Bill required “unambiguous consent,” suggesting that prior consent would be needed for each individual cookie. Following public consultation, however, the Bill was amended to require only “consent,” signaling that browser consent would be sufficient. The Bill’s Explanatory Notes (Memorie van Toelichting) confirm this interpretation, but caution that browser consent may not be appropriate in all cases.
The deadline for implementing the EU e-Privacy Directive into Dutch law is May 25, 2011. For more information, view the proposed Bill (in Dutch), and read our previous posts on the e-Privacy Directive.