Netherlands

[NL] Amendment of the Telecommunications Act

IRIS 2012-7:1/32

Manon Oostveen & Frederik Zuiderveen Borgesius

Institute for Information Law (IViR), University of Amsterdam

On 8 May 2012 the Netherlands adopted a legislative proposal amending the Telecommunicatiewet (Telecommunications Act), thereby laying down the principle of net neutrality (Article 7.4a) in Dutch law. The Netherlands is only the second country in the world (the first was Chile) to adopt net neutrality in its legislation.

The principle of net neutrality means that all Internet traffic should be treated as equal by Internet access providers. It secures consumers’ free access to the Internet and prohibits blocking services or prioritising certain types of Internet traffic. In the Netherlands concerns about net neutrality arose after it became known that Dutch mobile operators used Deep Packet Inspection to analyse electronic traffic, as they planned on charging users extra for using services like WhatsApp and Skype.

The Dutch regulation on net neutrality is part of an amendment to the Dutch Telecommunications Act implementing the revised European telecommunications legislative acts (Directive 2009/136/EC, Directive 2009/140/EC and Regulation (EC) 1211/2009). The proposal to include net neutrality in the new Dutch Telecommunications Act was filed by members of the Democratic Party D’66 on 31 May 2011 (see IRIS 2011-7/33).

The Act has been adopted as proposed. Accordingly, under Dutch law, Internet access providers may not slow down or block services or applications on the Internet, save when an exception applies. The exceptions concern inter alia congestion, security and spam. Blocking particular websites or content by order of the court remains possible under the new legislation.

Apart from net neutrality the Amendment of the Dutch Telecommunications Act also features rules on cookies, data breaches and frequency policy. Parts of the amendment entered into force on 5 June 2012, however the net neutrality rules will not come into effect before 1 January 2013.

Concerning cookies, Article 11.7a of the Dutch Telecommunications Act implements Article 5.3 of the e-Privacy Directive (Directive 2002/58/EC, amended by Directive 2009/136/EU), sometimes called the cookie clause.

In short, Article 11.7a only allows the storing and reading of cookies after obtaining the informed consent of the user. Consent cannot be inferred from browser settings, unlike what appears to be the case in some other member states. Furthermore, the Dutch legislator added a legal presumption about tracking cookies and similar technologies. Such use of cookies is presumed to entail the processing of personal data.

For ease of reading the word “cookies” is used below. But the scope of the provision is broader. It applies to any “storing of information” or “accessing information already stored” in the terminal equipment of a user. The Dutch legislative history shows that the provision also applies to technologies such as flash cookies or device fingerprinting. Terminal equipment includes for example computers and phones.

The general rule of Article 11.7a is as follows. Anyone, whether based in the Netherlands or not, that stores a cookie on a user’s device must obtain the prior informed consent of the user. The user must be provided with clear and complete information.

Consent is defined as any freely given, specific, and informed expression of will. During the Dutch legislative history it was noted that consent for cookies cannot be inferred from browser settings, because current browsers are not suitable for expressing consent. For instance, most browsers accept all cookies by default. A party that obtained consent to store a cookie on a user’s device does not have to ask consent again when accessing the cookie. According to the Dutch National Regulatory Authority (OPTA), consent can be obtained through a pop-up window.

Two categories of functional cookies are exempt from the consent requirement. First, no consent is needed for cookies having the sole purpose of carrying out a communication over an electronic communications network. Second, no consent is needed for a cookie that is strictly necessary for providing a service that the user requested. An example is a cookie for a digital shopping cart.

The Dutch provision adds a legal presumption about tracking cookies and similar technologies for behavioural targeting, the tracking of people’s online behaviour for targeted advertising. Such use of cookies is presumed to entail the processing of personal data. In most cases this means that the prior “unambiguous” consent of the user is required. In principle, a party using tracking cookies could prove it does not process personal data. This legal presumption enters into effect on 1 January 2013. The rest of the provision entered into effect on 5 June 2012.