On 8 May 2012, the Senate adopted a much anticipated bill which amends the Dutch Telecommunications Act (Telecommunicatiewet), and implements the revised EU Directives regarding the revised European Telecommunications Framework.[1] The approval puts an end to a fierce and long-drawn-out debate about e-privacy and end-user rights. In addition to a one-on-one implementation of the EU Directives, the amendment also introduces more stringent rules, especially for the Netherlands (as compared to other EU countries), as regards cookies and net neutrality.

The most important topics of the legislative changes to the amended Dutch Telecommunications Act are the new cookies regulation, the rules on net neutrality and the notification obligation for data leaks and data security breaches. These rules will enter into force as soon as the amended Act is published in the Government Gazette.

Cookie Regulation

The amended Dutch Telecommunications Act considerably tightens the rules concerning the use of cookies in order to protect the privacy of website users. The amendment requires anybody who wants to apply cookies, or who uses device fingerprinting on user-devices (such as computers, tablets or smartphones, but also digital television), to provide users with clear and unambiguous information about the purposes for which the cookies (or device fingerprinting) are placed. In addition, cookies may only be placed or accessed, after obtaining the prior and explicit consent of the user, i.e. prior to placing the cookies. Under the old "opt-out" rules it was considered sufficient to provide information in a privacy policy on how to remove cookies, thereby proving an opt-out of the placing of cookies. The Dutch legislature has not provided instructions or guidelines on how the opt-in consent should be obtained other than noting that the means of obtaining consent must be user-friendly. It is clear, however, that the required opt-in consent cannot be facilitated via the browser settings of current web-browsers.

The new opt-in regime applies to all categories of cookies, with the exception of cookies that are strictly necessary to carry traffic data over an electronic communication network or cookies that are necessary for a service that is requested by the user, e.g. cookies that facilitate online shopping baskets.

Legal presumption for tracking cookies

Another new provision that stirred up heavy public debates because it is more stringent than the EU Directives, is the swift in the burden of proof regarding tracking cookies. With regard to cookies used to analyse web surfing behavior, including e.g. Google Analytics cookies, the Dutch legislature introduced a legal presumption that such tracking cookies process personal data. As a result, the regime of the Dutch Data Protection Act (Wet bescherming persoonsgegevens) is presumed applicable to tracking cookies. As a result, the burden of proof will shift from the Dutch Data Protection Authority (College Bescherming Persoonsgegevens) to the party placing the tracking cookie, to prove that the tracking cookie does not process personal data. The Dutch government has stated that the sole purpose of this legal presumption is to facilitate enforcement capabilities of the Dutch Data Protection Authority and does not materially change the applicability of the Dutch Data Protection Act to tracking cookies.

Although the amendment has been adopted in Parliament and will enter into force immediately, a motion was proposed to postpone the entry into force of the shift in the burden of proof to 31 December 2012. This motion will be put to a vote on 15 May 2012 together with the correction of some minor technical errors in the bill. We will issue a further legal alert after the motion has come to vote.

The European Union lead by Digital Agenda Commissioner Neelie Kroes is currently closely working with the W3C on a Do Not Track standard that should provide for a practical implementation of the European cookie rules. As soon as we know more about this, we will update you. 

Notification Obligation Data Security Breaches

The proposed amendment also introduces a notification obligation for security breaches related to personal data held by telecommunication network providers. Typical providers of such services are internet access providers or providers of public telephone services. Security breaches should be notified to the Dutch Independent Postal and Telecommunications Authority (Onafhankelijke Post en Telecommunicatie Autoriteit). If a security breach is likely to have a negative impact on the privacy of an individual, the provider should in addition notify the individual(s) concerned. As yet, the notification obligation applies to telecommunication network providers only. However, the Dutch government has recently started to prepare a legislative proposal introducing in the Dutch data protection Act a general notification obligation for all data controllers for data security breaches.

Net Neutrality

Another amendment to the Dutch Telecommunications Act concerns net neutrality. Internet service providers are now required to treat all internet data equal (net neutrality). The principle of net neutrality is laid down in two new articles which complement each other. A new article 7.4a Dutch Telecommunications Act safeguards that all businesses and consumers can freely use the internet. This means that providers cannot distinguish between various types of (mobile) internet services, such as WhatsApp or Skype, e.g. for the purpose of levying services (including third party services that may compete with the service provider's own services). A new article 11.2a Dutch Telecommunications Act ensures the confidentiality of communication by businesses and consumers through the internet and other electronic communication services or networks. It prohibits providers to tap, monitor or otherwise intercept communication e.g. by means of data analysis tools.

The new net neutrality regime does leave room for telecom providers to manage the traffic going over their networks and to safeguard the integrity and security of their networks and services.