Netherlands

[NL] Proposed amendments to telecommunications law affecting public broadcaster’s website cookies

IRIS 2014-10:1/28

Youssef Fouad

Institute for Information Law (IViR), University of Amsterdam

On 15 July 2014, the Dutch authority for consumers and markets (Autoriteit Consument en Markt) (ACM) imposed an order for periodic penalty payments on the Dutch public broadcaster NPO (Nederlandse Publieke Omroep) (see IRIS 2014-8/33). The NPO placed tracking cookies on end-user devices without correctly informing the end-user. Therefore, according to the ACM, the requisite consent for the placing of the tracking cookies was not in accordance with Article 11.7a of the Dutch telecommunications act (Telecommunicatiewet) and the Dutch data protection act (Wet bescherming persoonsgegevens). In order to comply with these laws, consent from the end-user is required in order to place a (non-functional) cookie on their device. Furthermore, the consent has to be given voluntarily and unambiguously, based on information that discloses the specific pre-determined purposes for the placing of the cookie.

The NPO’s modus operandi concerning cookies and obtaining the requisite consent raised further controversy when the Dutch Data Protection Authority (College bescherming persoonsgegevens) (CBP) held that the NPO’s so-called ‘cookiewall’ did not meet the requirements under the telecommunications act and data protection act (see IRIS 2014-8/33). This was due to the fact that the requisite consent, in order to place a cookie on the terminal of an end-user, has to be given freely and unambiguously. In order to access the audio-visual content on the website of the NPO, end-users had no choice but to accept the cookies. Because access to the audio-visual content on the website was restricted in this way, the CBP was of the opinion that consent for the placing of the cookies was not given freely and unambiguously and was therefore not in compliance with the law.

The Dutch parliament is now in the process of amending Article 11.7a of the telecommunications act, which governs the placing of cookies on the terminals of end-users (for previous amendments, see IRIS 2012-7/32). The current Article 11.7a exempts functional cookies, which are technically indispensable in order to provide a requested service to an end-user, from the consent requirement. However, consent is still required for analytical cookies that have little or no impact on the privacy of end-users. The amendment will change Article 11.7a so that cookies used solely for analytical purposes are exempt from the consent requirement. The amendment is designed to make the legal regime less strict for cookies that can be deemed non-privacy invasive, reducing the regulatory burden on websites for the placing of cookies on end-users’ devices.

Furthermore, the amendment provides that access to websites run by public bodies cannot be made dependent on a user consenting to privacy-invasive cookies. The explanatory memorandum states that a ‘cookiewall’ can be deemed to comply with the law, unless end-users are dependent on the information which is disseminated by the website. Thus, a ‘cookiewall’ such as the one used by the NPO for the placing of privacy-invasive cookies is not compliant with the requirement of consent, because there is no alternative for this public service. According to the explanatory memorandum, the rationale behind this is that public services are already paid for via public taxes. Individuals should not be forced to trade their privacy in order to access a public service.


Related articles

IRIS 2012-7:1/32 [NL] Amendment of the Telecommunications Act

IRIS 2014-8:1/33 [NL] Dutch public service broadcaster sanctioned for violating cookie-rules

This article has been published in IRIS Legal Observations of the European Audiovisual Observatory.