On the 5th of June 2012, the revised Dutch Telecommunications Act (Telecommunicatiewet), based upon the revised European Telecommunications Framework, entered into force. The most relevant changes are the new cookie regulation, the rules on net neutrality and the notification obligation for data leaks and data security breaches.

Anyone who wishes to use cookies must provide website users with clear and unambiguous information about the purposes for which the cookies are used. Cookies can only be placed or accessed when the user has given prior and explicit consent. This means that the old opt-out regime, in which the information on the use of cookies could be laid down in a privacy policy together with a possibility to opt out, is replaced by an opt-in regime. This opt-in regime applies to all categories of cookies. Only cookies that are necessary for a service requested by the user, or cookies that are strictly necessary to carry traffic data over an electronic communication network, are exempted. It is not yet clear in which way the opt-in consent should be obtained. It is, however, clear that consent cannot be obtained via the browser settings.

With regard to tracking cookies, the revised Act introduces the legal presumption that all tracking cookies process personal data and will therefore be subject to the Dutch Data Protection Act (DDPA). Therefore, in order to fall outside the scope of the DDPA, the party that uses a tracking cookie must prove that it does not process personal data.

The new Act also lays down the principle of net neutrality. This principle has a dual character. Providers are not allowed to distinguish (i.e. to levy) between the various types of internet services which are used by businesses and consumers. Furthermore, providers are prohibited from tapping or monitoring communication. The Netherlands is the first country within the EU to implement the principle of net neutrality into national legislation.

The Act also introduces an obligation for telecommunication network providers to notify the Dutch Independent Postal and Telecommunications Authority (OPTA) of security breaches. Non-compliance can lead to significant fines (up to EUR 450.000,-). (FVDJ)