This country-specific Q&A provides an overview to technology laws and regulations that may occur in the The Netherlands.
It will cover communications networks and their operators, databases and software, data protection, AI, cybersecurity as well as the author’s view on planned future reforms of the technology market.
This Q&A is part of the global guide to Technology. For a full list of jurisdictional Q&As visit http://www.inhouselawyer.co.uk/index.php/practice-areas/technology
Are communications networks or services regulated? If so what activities are covered and what licences or authorisations are required?
The Dutch Telecommunications Act (Telecommunicatiewet) regulates the provision of electronic communications networks (ECNs) and electronic communications services (ECS). These categories are then further sub-divided into public and private providers.
Subject to certain exemptions (mostly concerning the use of spectrum), private and public communications providers have a general authorization to operate in the Netherlands and do not require a licence, permit, consent etc. The concept of general authorization is derived from the European Authorisation Directive which has been implemented in the EU Member States.
There is however an obligation to register with the Dutch telecoms regulator (see question 2 below) if one of the following activities are carried out in the Netherlands:
- Providing public electronic communications networks;
- Proving public electronic communications services;
- Implementing or providing related facilities for the above.
An "electronic communications network" is defined as:
a) a transmission system for the conveyance, by the use of electrical, magnetic or electro-magnetic energy, of signals of any description; and
b) such of the following as are used, by the person providing the system and in association with it, for the conveyance of the signals:
(i) apparatus comprised in the system;
(ii) apparatus used for the switching or routing of the signals; and
(iii) software and stored data.
An "electronic communications service” means a service consisting in, or having as its principal feature, the conveyance by means of an electronic communications network of signals (except in so far as it is a content service).
An electronic communications network or service is qualified as being "public" if the network or service is provided to the general public and available for anybody who desires to use it. The fact that an entity provides a service to a specialized group of users does not in itself imply that the service is not public. The District Court of Rotterdam has held that it is not relevant whether a service only targets corporations that use the service for their employees. Also, the fact that a provider provides a service to a specific group of users under special conditions, does not imply that the service cannot be considered public.
To be considered a "provider" of a public electronic communications network or service, that party should be responsible for the transmission of signals through an electronic communications network, regardless of the nature of the service or the infrastructure used. In accordance with case-law of the European Court of Justice, the Dutch Trade and Industry Appeals Tribunal (College van Beroep voor het bedrijfsleven, the highest administrative court in these matters) has held that e-mail providers, such as Gmail or Hotmail, cannot be qualified as providers of electronic communications services, as these entities are not responsible for the transfer of signals through electronic communications networks that is required to make use of their e-mail services.
Is there any specific regulator for the provisions of communications-related services? Are they independent of the government control?
The Dutch telecoms regulator is the Consumers and Markets Authority (Autoriteit Consument en Markt; "ACM"). ACM is a so-called autonomous administrative authority (zelfstandig bestuursorgaan) under Dutch law. It falls under responsibility of the Ministry of Economic Affairs, but the Minister may only provide general rules to be followed by ACM (such as regulations and policy rules). The Minister may not provide instructions or directions in individual cases, which are up to the ACM Board to decide independently.
The roles and responsibilities of ACM in the field of telecoms are codified in the Dutch Telecommunications Act.
Does an operator need to be domiciled in the country? Are there any restrictions on foreign ownership of telecoms operators?
From a telecoms regulatory perspective, there are no requirements for a communications provider to be domiciled in the Netherlands prior to or during the provision of services, and there are no foreign ownership restrictions.
Are there any regulations covering interconnection between operators? If so are these different for operators with market power?
There is a general obligation for all providers of public electronic communications networks or services who control the connectivity to end users, to negotiate in good faith with other communication providers in order to ensure interoperability and end-to-end connectivity. Subjects on which agreement may need to be reached include technical aspects of the connection to networks, tariffs and quality of services. Providers are to enter into these negotiations proactively. Although the underlying principle for these negotiations is the freedom of contract, ACM may be requested to intervene if a dispute arises that stands in the way of reaching an agreement. In such case, ACM will review whether the requests of either party can be considered objective, transparent, reasonable, proportional and non-discriminatory. ACM may impose obligations on providers to instate the requested end-to-end connectivity and it may, if necessary, impose the commercial conditions, including maximum tariffs, to be applied by the providers.
In addition, ACM has a duty to periodically review the structure of the telecoms markets recommended for review by the European Commission, and where it finds that one (or more) operators have significant market power (aanmerkelijke marktmacht), ACM may impose obligations on such operator. These obligations should be aimed at resolving (potential) problems resulting from the lack of effective competition on such market, and may relate to providing access, tariff setting and charging reasonable tariffs, accounting standards and separate bookkeeping for separate services, preventing discrimination or providing information (transparency). Measures imposed by ACM should be proportionate.
In addition to these specific powers provided to ACM by the Dutch Telecommunications Act, also the general Dutch and EU competition rules apply in respect of anti-competitive agreements and the abuse of dominant positions.
What are the principal consumer protection regulations that apply specifically to telecoms services?
The Dutch Telecommunications Act provides a number of specific obligations relating to consumers, including the following:
- conditions relating to term, renewal and termination of consumer contracts;
- requirements to include certain terms in consumer contracts;
- requirements to make certain information available to customers, such as a description of the services offered, the quality of services and standard tariffs;
- access to certain information numbers and the national alarm number;
- providing number portability;
- restrictions on specific sales and marketing activities.
In addition to specific telecoms regulations, provisions of general consumer law also apply such as rules concerning unfair contract terms.
What legal protections are offered in relation to the creators of computer software?
The Dutch copyright act 1912 offers protection to creators of computer software. Chapter 4 of the Dutch copyright act implements council directive (91/250/EEC) on the legal protection of computer programs. Copyrights arise through the creation of a work. No registration is required.
The protection given by the Dutch copyright act 1912 covers all forms of computer programs. Computer software is eligible for copyright protection if it has its own, original character and bears the personal stamp of the maker. This implies that the creation must be a result of creative human labour and thus of creative choices, so that it is a production of the human mind. All works that are eligible for copyright protection, including computer programs, are protected for 70 years commencing January 1st following the death of the author.
Do you recognise specific intellectual property rights in respect of data/databases?
Databases are protected under the Dutch database act 1999. A database is defined as a collection of independent works, data or other materials arranged in a systematic or methodical way and individually accessible by electronic or other means. A database is eligible for protection if the database was the result of a substantial investment in obtaining, verifying or presenting the contents of the database. The creator of the database has the exclusive right to retrieve and reproduce a substantial part of the database which cannot be circumvented by repeatedly and systematically retrieving or reproducing parts of the database by third parties.
The actual data can be eligible for copyright protection if the data meets the requirements for copyright protection, meaning that the data has its own, original character and bears the personal stamp of the maker. The data must be the result of creative human labour and thus of creative choices. In absence of eligibility for copyright protection, protection of data can be sought through the use non-disclosure agreements.
What key protections exist for personal data?
The processing of personal data (i.e., any information relating to an identified or identifiable natural person) is subject to the rules laid down in the Dutch Personal Data Protection Act (Wet bescherming persoonsgegevens, "Wbp").
On 25 May 2018, the Wbp will be replaced by the General Data Protection Regulation (GDPR). Under the Wbp, data controllers may only process personal data when certain specific conditions are met, including:
- Personal data may only be processed if there is a lawful basis to such processing activity (e.g., consent of the individual, the performance of a contract or the legitimate interests of the data controller);
- Personal data may only be processed for well-defined purposes;
- Personal data may not be kept longer than necessary in view of the purposes for which the data were collected;
- Appropriate technical and organisational measures should be implemented to safeguard personal data;
More stringent rules apply to "sensitive" personal data, such as health data or data related to criminal convictions. Also, under the Wbp mandatory notification duties may apply in case of unauthorised or unlawful processing, and against accidental loss of or destruction of personal data. Notification may have to be submitted to the Dutch Personal Data Protection Authority and the individual to which the personal data relates.
Are there restrictions on the transfer of personal data overseas?
Yes. A transfer of personal data to a country outside the EEA that does not provide for an adequate level of protection may only take place if additional requirements have been met. For example, a data transfer agreement based on EC Model Clauses or other additional safeguards may be necessary.
What is the maximum fine that can be applied for breach of data protection laws?
Currently in the Netherlands the maximum fine that can be levied by the Dutch Personal Data Protection Authority is € 820,000 or 10% of the violators turnover. This will, however, change in 2018, when the GDPR goes live. At that point, the maximum fines will increase to €20m / 4% of worldwide turnover.
Are there any restrictions applicable to cloud-based services?
There are no specific 'Cloud laws', indeed a recent study for the European Commission (http://ec.europa.eu/justice/contract/cloud-computing/studies-data/index_en.htm) found that in general, no specific "cloud laws" exist in the 28 investigated countries. Nonetheless, many sector-specific regulatory initiatives (either issued by administrative or supervisory authorities or by the industry itself) have been issued which may further fuel the drive towards national cloud regulations. Some of these initiatives are binding, such as the guidelines issued by several financial supervisory bodies, whereas the guidelines of data protection authorities may not as such be binding but nonetheless tend to lead to a best practice standard.
For example, in the financial services sector, the Dutch central bank De Nederlandsche Bank (DNB) has stated that financial institutions can make use of cloud-based services without falling foul of regulatory obligations. The published guidance (http://www.toezicht.dnb.nl/binaries/50-224828.pdf) stipulates a number of requirements (such as reporting and auditing obligations).
Aside from sector-specific guidance, the key restriction applicable to cloud-based services will depend upon the nature of the data being placed in the cloud. In the event that the data is personal data then the points made at 8 and 9 above will apply.
Are there specific requirements for the validity of an electronic signature?
As a rule, Dutch law does not require agreements to be in written form, or to be signed. Generally, agreements can be entered into 'form-free' (exceptions apply for example to certain real estate agreements and share transactions). In principle, there is no distinction in validity or enforceability between handwritten ('wet') signatures and electronic signatures.
EU Regulation 910/2014 ("Electronic Identification Regulation"), which has direct effect in the Netherlands, sets out the validity requirements for electronic signatures. Under the Electronic Identification Regulation, a 'qualified electronic signature' has the same effect as a handwritten signature (Article 25(2)) as long as it was created by a qualified electronic signature device and based on a qualified certificate for electronic signatures (Article 3(12)). The validity requirements for a qualified electronic signature are set out in Article 26 and Annexes I and II of the Electronic Identification Regulation and include the following: the signature must be uniquely linked to the signatory (Article 26(a)), the qualified electronic signature creation device must have appropriate technical and procedural measures to ensure that the confidentiality of the signature is assured (Paragraph 1(a), Annex II) and the qualified certificate for electronic signatures must clearly indicate the name or pseudonym of the signatory (Paragraph (d), Annex I).
In the event of an outsourcing of IT services, would any employees, assets or third party contracts transfer automatically to the outsourcing supplier?
No transfers of assets or third-party contracts would occur automatically. However, there will frequently be detailed Contract provisions negotiated between the parties to the outsourcing arrangement to facilitate this. In the case of the other signatories to the third-party contracts, their consent to the proposed transfer of their contracts to the new outsource service provider will ordinary be required.
If there are individuals who are wholly or substantially engaged in the services/functions which are being outsourced, however (and whether they be employed by the customer entity or its other service providers), then their contracts of employment may transfer automatically to the outsource service provider by virtue of the Transfer of Undertakings (Protection of Employment) Regulations 2006 (TUPE). In such event, all of their rights and obligations (including claims arising from employment related mistreatment by their previous employer) will transfer to the outsource service provider.
If a software program which purports to be an early form of A.I. malfunctions, who is liable?
Under certain circumstances, the supply of a software program can qualify as a sale of goods. The buyer can claim breach of contract if the software program is not in conformity with the agreement. The software program is not in conformity with the agreement if it does not have the qualities that the buyer, given the nature of the object and the statements of the seller about it, could have expected on the basis of the agreement. In case of a non-conform delivery, the seller can be held liable vis-à-vis the buyer for malfunctions in the A.I. functionality.
Liability can also be based on general rules of unlawful conduct or certain strict liabilities. Art. 6:162 of the Dutch Civil Code qualifies an unlawful act as – amongst other – an act or omission in violation of a duty of care. If a person/entity fails to observe a duty of care and as a result brings certain risks to existence, said person/entity can be held liable for damages is said risks actually materialize. In relation to A.I. software programs, a duty of care rest on a number parties, such as the creator, reseller or the party actually using the A.I. software. The Dutch Civil Code also provides for certain types of strict liabilities which can also apply in case of A.I. software malfunctions. In this respect reference is made to strict liability on the part of a possessor of a movable thing if the A.I. software forms part of such a movable thing (i.e. as part of a robot, self-driving car etc.) (art. 6:173 of the Dutch Civil Code). Strict liability can also arise from the EU Product Liability Directive 85/374/EEC as implemented in the articles 6:185 et seq of the Dutch Civil Code.
What key laws exist in terms of obligations as to the maintenance of cyber security?
The key laws imposing obligations on companies to maintain cybersecurity include general provisions in the Dutch Penal Code ("Wetboek van Strafrecht"), the Dutch Code on Criminal Procedures ("Wetboek van Strafvordering"), the Dutch Data Protection Act ("Wet bescherming persoonsgegevens") and the specific provisions of the Dutch Law on Computer Crime ("Wet Computercriminaliteit") which is incorporated in the Dutch Code of Criminal Procedures.
On 11 July 2017 the Senate of the Dutch Parliament has passed a bill regarding the processing of data and cybersecurity notification ("Wet gegevensverwerking en meldplicht cybersecurity" ("Wgmc")). This new law, that will likely come into force late 2017, states the obligation to notify the Dutch authorities in case of serious IT breaches. This notification obligation will only be applicable to product or service providers of which the availability or dependability is of vital importance to the Dutch society.
What key laws exist in terms of the criminality of hacking/DDOS attacks?
The Dutch Law on Computer Crime ("Wet Computercriminaliteit") which is incorporated in the Dutch Code of Criminal Procedure also covers criminality relating to hacking/DDOS attacks.
What technology development will create the most legal change in your jurisdiction?
It is anticipated that smart contracts will have a substantial impact on – amongst other – real estate transactions, payment transactions and financial instruments such as letters of credit. An increased use of smart contracts could trigger a fundamental change in the way Dutch contract law is applied to such contracts. Traditional contract law concepts may not necessarily work in case of self-executing contracts which enable to execution of complex financial transactions without any intervention. In this respect, the manner in which Dutch law deals with the interpretation and performance of agreements and the remedies available to claimants in case of non-performance by the other party may need to be revisited.
Which current legal provision/regime creates the greatest impediment to economic development/commerce?
As contract law is not harmonized within the EU, it is still very difficult to offer a one-stop shop offering throughout the EU. Uncertainty as to the applicable legal framework when entering new markets within the EU and the legal risks involved may hamper economic growth as it raises the threshold for entering new markets.
Do you believe your legal system specifically encourages or hinders digital services?
In general, Dutch law does encourage the provision of digital services by trying to treat digital services – to the extent possible – the same as more traditional “off-line” services. The Dutch government has also undertaken numerous initiatives to stimulate digitalization and to create prerequisites. These prerequisites range from investments in education, IT-Telecom infrastructures, network security and the limiting regulatory burden.
To what extent is your legal system ready to deal with the legal issues associated with artificial intelligence?
Dutch law does not provide for specific legislation dealing with artificial intelligence. However, given that the Dutch Civil Code contains numerous open norms and that it is technology agnostic, the Dutch legal framework is fairly well equipped to deal with the legal implications of emerging technologies such as artificial intelligence.