WorldLII [Home] [Databases] [WorldLII] [Search] [Feedback]

EPIC --- Privacy and Human Rights Report

You are here:  WorldLII >> Databases >> EPIC --- Privacy and Human Rights Report >> 2006 >>

[Database Search] [Name Search] [Recent Documents] [Noteup] [Help]

EPIC --- Privacy and Human Rights Report 2006

Title Page Previous Next Contents | Country Reports >Kingdom of the Netherlands

Kingdom of the Netherlands

Constitutional Privacy Framework

The Constitution grants citizens an explicit right to privacy.[3690] Article 10 states: "(1) Everyone shall have the right to respect for his privacy, without prejudice to restrictions laid down by, or pursuant to, Act of Parliament. (2) Rules to protect privacy shall be laid down by Act of Parliament in connection with the recording and dissemination of personal data. (3) Rules concerning the rights of persons to be informed of data recorded concerning them, of the use that is made thereof, and to have such data corrected shall be laid down by Act of Parliament." Article 12 states: "(1) Entry into a home against the will of the occupant shall be permitted only in the cases laid down by, or pursuant to, Act of Parliament, by those designated for this purpose by, or pursuant to, Act of Parliament. (2) Prior identification and notice of purpose shall be required in order to enter a home under the preceding paragraph, subject to the exceptions prescribed by Act of Parliament. A written report of the entry shall be issued to the occupant." Article 13 states, "(1) The privacy of correspondence shall not be violated, except in the cases laid down by Act of Parliament or by order of the courts. (2) The privacy of the telephone and telegraph shall not be violated, except in the cases laid down by Act of Parliament, by or with the authorization of those designated for this purpose by Act of Parliament."

In May 2000, the government-appointed Commission for Constitutional Rights in the Digital Age presented proposals to make existing constitutional rights more technology-independent. According to this proposal, Article 10 will be expanded to the right of persons to be informed about the origin of data recorded about them and the right to correct that data. Article 13 would be made technology-neutral and would give the right to confidential communications. In November 2004, the Dutch government announced that proposals to amend the Constitution would be delayed in order to incorporate upcoming international developments regarding human rights and the information society such as the Council of Europe's recommendation "Human Rights and the Rule of Law in the Information Society." The recommendation was adopted by the Council of Europe on May 13, 2005.[3691]

The Personal Data Protection Act of 2000[3692] (PDPA) is a revised and expanded version of the Data Registration Act of 1998 that brings Dutch law in line with the European Union Data Protection Directive (95/46/EC) and regulates the disclosure of personal data to countries outside of the European Union.

Data Protection Authority

The Dutch data protection authority (College Bescherming Persoonsgegevens or CBP) exercises supervision of the operation of personal data files in accordance with the PDPA.[3693] Previously known as the Registratiekamer, the CBP's functions have remained largely the same with the implementation of the PDPA, although it has been given new powers of enforcement. It can now apply administrative measures and impose fines for non-compliance with a decision. It can also levy fines, of up to EUR 4,540, for breach of the notification requirements. Otherwise, the CBP advises the government, deals with complaints submitted by data subjects, institutes investigations and makes recommendations to controllers of personal data files.

In 2006, the CBP investigated 394 complaints. The CBP also dealt with 42 ex-officio investigations, three complaints concerning codes of conduct, and 40 advisories to government on new legislation. These numbers have remained roughly static for the past three years. The Dutch CBP has 70 full-time positions. The CBP generally relies on a network of privacy officers within companies and (government) institutions to produce annual privacy reports and discuss procedures with the CBP. The number of privacy officers in the Netherlands has been steadily increasing at a rate of approximately 10 per year. Currently, there are 195 privacy officers in the Netherlands.[3694] The CBP issues reports on a regular basis about the implementation of and compliance with privacy regulations. In 2006, the CBP worked with employees from a range of social services to prepare a brochure answering privacy questions in the social services sector. According to the CBP, “the Ten Golden Rules are designed primarily to provide a practical handbook to the employees who are responsible for intake and for assisting clients.”[3695]

In its 2006 annual report, the CBP noted that European data protection authorities have been carrying out coordinated research into the processing of personal data by the private health care insurance sector.[3696] The results of the investigation are expected to be published in 2007. The Dutch CBP and the Inspector for Healthcare signed a collaborative protocol in November 2006 to achieve effective supervision of the use of personal data in the healthcare sector, including electronic patient files.[3697] The CBP and the Inspector for Healthcare are expected to carry out wider-ranging joint investigations into the security of information at hospitals in 2007.[3698] Also mentioned in the 2006 annual report was the CBP’s research into the transparency of general practitioners, education institutions and housing associations in complying wit the duty to provide information under the PDPA.[3699] The CBP hopes the research will result in better awareness and compliance with PDPA.[3700]

In 2007, the CBP plans to publish guidelines on the requirements imposed by the PDPA for publication of personal information on the Internet.[3701] The CBP also plans to research how to protect the privacy of patients who have electronic patient files, looking at access to data, system security and the accuracy of information contained in the electronic files.[3702] Among other objectives for 2007, the CBP plans to educate the educational sector on the rules governing computerized student files and to continue its research into the privacy issues surrounding combating fraud in social security.[3703]

Pursuant to the PDPA, the Decree on Regulated Exemption[3704] has been enacted to exempt certain organizations from the registration requirements of the PDPA. There are also sectoral privacy laws regulating the Dutch police,[3705] medical exams,[3706] medical treatment,[3707] social security,[3708] the search of private homes,[3709] and the employment of minorities.[3710]

Wiretapping and Surveillance Rules

Interception of communications is regulated by the Criminal Code and requires a court order.[3711] The intelligence services do not need a court order for interception, but obtain their authorization from the Minister of Interior. The Special Investigation Powers Act, which came into effect in February 2000, streamlines criminal investigatory methods.[3712] A Telecommunications Act was approved in December 1998, requiring all telecommunication providers to have the capability to intercept all traffic (phone and Internet) with a court order.[3713] The Netherlands Radiocommunications Agency is responsible for enforcing the wiretap capabilities of the telecommunication sector.[3714] Internet provider XS4ALL launched a court case in March 2005 against the Dutch State, seeking compensation for the cost of making its network ready for wiretaps. XS4ALL claims to have invested about EUR 500,0000 since the end of 2001 to comply with the requirements for lawful interception, a significant percentage of its net profit. XS4ALL considers it unreasonable that these costs are not reimbursed, because these investments are made purely in the general interest of law enforcement and do not benefit the provider in any way. According to XS4ALL, the law requiring providers to pay for the costs of wiretapping is a violation of property rights and an obstruction to freedom of speech. Moreover, the cost division also violates the principle of equal discharge of public burdens and European rules on free movement of services.[3715] By a decree,[3716] the government ordered a dramatic reduction in cost reimbursement to telecommunication companies for the handover of personal data or wiretaps. Since April 1, 2005, the companies only receive EUR 13 for a wiretap and EUR 6.75 for an extensive investigation into historical traffic data.

In September 2004, a new Act came into force that amends the powers to request telecommunications data. The law (Vorderen gegevens telecommunicatie) enables the public prosecutor to request traffic data from providers of public telecommunications networks and services. This power may be applied in cases where there is suspicion of a serious offense on which a term of imprisonment of four years or more may be imposed. A subscriber's information can be requested by any investigating officer in the event of a suspicion of a criminal offense. A proposal to notify suspects after the subscriber's data was requested was not accepted by Parliament. Members of the Senate questioned the scope of the powers requested and required mandatory registration of all data retrievals in order to review their proportionality and effectiveness.

Anti-terrorism Measures

In August 2004, the Crimes of Terrorism Act came into force. Recruitment of fighters for the Islamic armed struggle or jihad and conspiracy to commit a serious act of terrorism will each be a separate punishable criminal offense under the Act. The maximum prison sentences for crimes such as homicide, gross maltreatment, hijacking or kidnapping will be higher if they have been committed with a "terrorist purpose." In addition, the conspiracy to commit serious acts of terrorism will be made a separate punishable criminal offense.

On April 4, 2007, the Dutch Cabinet agreed to proposed legislation designed to implement the European Directive on Data Retention, a directive that requires member countries to set statutory retention of telephone and Internet data.[3717] The legislative proposal sets the retention period at eighteen months, a period the Ministry of Justice says is needed to accommodate the needs of police and judicial authorities.[3718] The CBP has criticized the proposed legislation, saying the need for a retention period of 18 months has not been demonstrated satisfactorily.[3719] The CBP argues, “retaining historical telephone and Internet information on every citizen in the Netherlands is an extremely radical measure, whose need must be demonstrated irrefutably.”[3720] The CBP has also criticized other aspects of the proposed legislation, including the categories of information that must be retained, the parameters for access to information currently in the bill and the lack of control mechanisms for the lawful use of information.[3721]

There have been several proposals over past years to grant law enforcement increased authority. In 2001 the Mevis Committee issued a report proposing a wide range of increased powers for police to allow them to carry out "pro-active investigations" (verkennend onderzoek). The proposals would grant police access, without the need to obtain judicial warrants, to the personal information of whole groups of citizens stored by a wide variety of private entities, such as banks, telephone companies, credit card companies, hospitals and travel agents, in order to determine crime patterns.[3722] The Mevis Committee specifically recommended that telecommunications data be excluded from the constitutional right to confidential communications, stating that it should not be necessary for police to always obtain a warrant to intercept communications.[3723] A draft law incorporating the Mevis proposals (Wet vorderen gegevens) passed the House of Representatives in 2005. The Federation of Organisations of Libraries (FOBID) asked the Senate in an April 2005 letter not to pass the law fearing a chilling effect on the use of libraries when law enforcement is able to seize library records.

The Intelligence and Security Services Act also authorizes the interception, search and keyword scanning of satellite communications. It allows intelligence services to store intercepted communications for up to one year. Previously, irrelevant communications had to be deleted immediately. Encrypted data can be stored for an unlimited time to facilitate possible decryption in the future. In 2003, the National SIGINT Organization (NSO) was established. The NSO operates all satellite communications interception by the Dutch intelligence services. The interception capabilities expanded from two satellite dishes at Zoutkamp to 20 dishes at Burum.

Recent Developments Related to Privacy

The CBP has been tracking progress on the implementation of an electronic child file (the EKD), which will record a child’s development from birth and also the child’s environmental indicators.[3724] Bringing the EKD online for youth healthcare was postponed until January 1, 2008, and it is not expected to be compulsory law until 2009.[3725] The CBP is particularly concerned about whether the data will be used outside the healthcare sector, for example, to create a national reference index of young people at risk.[3726]

In March 2007, Justice Minister Ernst Hirsch Ballin submitted a bill that would expand the use of photos and fingerprints to determine the identity of suspects and convicted persons to authorities for their opinion.[3727] The bill would require all suspects to be immediately photographed and digitally fingerprinted on arrest.[3728] The bill is designed to prevent suspects and prisoners from withholding their identity and from hiding behind someone else’s identity.[3729] While the bill attempts to prevent identity theft, whenever new information is collected and stored about a person, new privacy concerns surface as to the access and retention of the data.

The Netherlands have seen little public debate about the use of RFID technology in retail and supermarkets until recently. The main reason is that very few pilot projects in stores exist that make use of RFID tags with unique serial numbers (such as the Electronic Product Code, the EPC). ECP.NL, an e-commerce industry platform, has begun to write a first report on the privacy implication of RFID (the report is expected in June 2005). Bits of Freedom has published a position paper on RFID,[3730] as has the small ChristenUnie faction in Parliament.[3731] The CBP published a discussion document in October 2006 “in order to further stimulate the debate about the benefits and drawbacks of RFID.”[3732] The document discusses privacy concerns, the technology’s effect on society and general awareness of the issue.[3733]

In February 2005, the DNA Testing of Convicted Persons Act came into force. The law makes it possible to take DNA samples of all persons that are convicted of crimes carrying a maximum penalty of four years or more. The mouth swab sample will be investigated by the Netherlands Forensic Institute (NFI) in order to determine the DNA profile.[3734]

In January 2005, compulsory identification[3735] for all persons from the age of 14 came into force. The Extended Compulsory Identification Act is intended to increase general public safety. Many critics have stated that the government failed to clarify the need to broaden the identification requirements. The proposal is widely seen as a symbolic gesture to satisfy public concerns about security and crime and will have huge civil liberties consequences. The new law will not require citizens to carry identification but to show one if asked by police. No new identification card will be introduced; the existing passport and driver license will be used. About 5,300 persons a month are fined for not being able to show their ID, mostly because of minor offenses such as bicycling without a light.[3736]

Like all EU countries the Netherlands provides biometric information in its passport. Both fingerprints and facial images are used in a contactless chip in the Dutch passport.[3737] In January 2005, the Minister of the Interior announced plans to also store the biometric data in a central database, enabling the identification of persons that do not carry a passport[3738] through fingerprints or face recognition. The CBP held a meeting in February 2006 to discuss the potential disadvantages of this large-scale storage of data.[3739] The results of the meeting were ambiguous: “central collation of biometric data can on the one hand protect identities by having one central reference point, but on the other hand they can undermine that protection as a result of security risks and potential use of biometric data for other purposes.”[3740] Those present at the meeting pointed out to the government the risks of identity fraud and inadequate security associated with biometrics.[3741]

Since 2004, the use of covert video surveillance in public places requires notice. The Hidden Camera Surveillance Act 2003 (Heimelijk Cameratoezicht) makes it unlawful to use hidden cameras in public places without notification. The use of hidden cameras in the workplace remains lawful if there is a suspicion of criminal behavior and if workers are notified of the likelihood of video surveillance. Journalists can still use hidden cameras for their work. In April 2005, the House of Representatives passed the Camera Surveillance Act, which enables the retention of images up to four weeks and also facilitates the use of cameras for law enforcement purposes, whereas before the main purpose of camera surveillance was keeping public order.

In May 2004 the EU Directive on Privacy and Electronic Communications (2002/58/EC) was partly implemented by outlawing spam. Senders of commercial electronic messages will need prior consent of the e-mail address holder. During a hearing in Dutch Parliament in August 2003, Bits of Freedom asked for an obligation for senders to prove prior consent. An amendment including this proof of consent was added into the law. The ban on spam does not cover work e-mail addresses, a concession made after a fierce industry lobby to prevent such a proposal. Several persons and companies have since been fined for spamming. Also, proposals have been announced to include work e-mail addresses in the law, after the direct-marketing industry failed to agree on self-regulation regarding business-to-business e-mail marketing. The Dutch Telecom Regulator, OPTA, has been very active in banning spam sent from the Netherlands since May 2004.[3742] Through the website, OPTA has collected 20,000 complaints made by consumers since 2004.[3743] OPTA has issued 60 warnings and 12 fines based on the complaints, with the highest fine as a March 2007 being 42,500 euros.[3744]

In May 2004, the Parliament passed the law on e-commerce (Wet elektronische handel) that implements the EU E-Commerce Directive (2000/31/EC). Under the law, hosting providers risk liability for apparently illegal content from their customers. Once they are notified, and the unlawfulness is "apparent," providers should take immediate action to block or remove the content. There is no unified notice and takedown procedure in the Netherlands that implements these legal obligations.

Major Privacy Case Law

On August 24, 2006, the Subdistrict Court of Amsterdam ruled that an Internet Service Provider (ISP) can in certain circumstances be required to release the name, address and domicile data of a subscriber (referred to as “NAW-data”).[3745] BREIN, a Dutch foundation that protects the rights of the entertainment industry, requested NAW-data on the top three uploaders on Dikke Donder, a Bit Torrent network where films, television series, music, software and games were being offered without permission from their right holders.[3746] The court ruled in favor of BREIN and required the ISP to provide the requested data as long as two conditions were met: (1) it must be sufficiently plausible that the unlawful act has been committed; and (2) there must be no reasonable doubt that it was committed by the subscriber whose NAW-data is being requested.[3747]

BREIN announced in April 2005 it would start 32 court cases against individual alleged peer-to-peer users. In order to obtain the identifying data of the users behind IP addresses from which music was unlawfully uploaded, BREIN has sued five Dutch Internet providers. The providers had agreed to forward complaints from the copyright holders to their customers but refused to reveal the customers' identities. In total, BREIN sent 50 cease and desist letters, demanding the recipient identify him- or herself, agree to pay an average fine of EUR 2,100, and sign a unlimited binding agreement to never "directly or indirectly be involved in any way or have an interest in unlawfully distributing materials on the Internet." If ever again caught in such a very broadly defined act, the signed agrees to pay a fine of EUR 5,000 per day.[3748] In June 2004, the Appeals Court of Amsterdam ruled in the case Lycos v. Pessers against webportal Lycos where the identity of one of its customers was demanded for alleged defamation.[3749] Although the Appeals Court acknowledged that the content on the website was not "apparently unlawful," the court nevertheless felt that Lycos was required to hand over the user's identity. On November 25, 2005, the Dutch Supreme Court upheld the appeals court’s decision, requiring Lycos to disclose the name of an anonymous website owner.[3750] The Register reported that BREIN, who paid the legal bill of Pessers, was delighted with the verdict, believing the ruling would be beneficial to its case against ISPs who refused to identify illegal file swappers.[3751] Legal experts fear the ruling can have consequences for anonymous whistleblowers who want to put up a website and speak out without reprisal.[3752]

Open Government

The Government Information (Public Access) Act of 1991 is based on the constitutional right of access to information. It creates a presumption that documents created by a public agency should be available to everyone. Information can be withheld if it relates to international relations of the state, the "economic or financial interest of the state," investigation of criminal offenses, inspections by public authorities, or personal privacy. However, these exemptions must be balanced against the importance of the disclosure. Requesters can appeal denials to an administrative court that renders the final decision.[3753]

NGO Advocacy Work

In January 2006, Bits of Freedom organized the fourth annual Dutch Big Brother Awards.[3754] The group gave a negative Big Brother Award to Dutch Minister for Integration and Immigration Rita Verdonk because she gave the status of rejected asylum seeker applicants to their country of origin.[3755] She also repeatedly denied her actions in Parliament and attempted to minimize the impact of the information she gave.[3756] In addition to a negative award, a positive award was given for the first time to Hans Franken, a professor of Law and Information Science at the University of Leiden and member of the Senate for the Christian-democrat party, for his consistent resistance in the Senate to mandatory data retention.[3757]

International Obligations

The Netherlands is a member of the Council of Europe (CoE) and has signed and ratified the CoE's Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108).[3758] It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms. In November 2001, the Netherlands signed the CoE's Convention on Cybercrime.[3759] It ratified the Convention on Cybercrime on November 16, 2006,[3760] and the Convention was scheduled to go into force on January 3, 2007.[3761] It is a member of the Organization for Economic Cooperation and Development (OECD) and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.

[3690] Constitution of the Kingdom of the Netherlands 2002, available at

[3691] Warsaw Summit Council of Europe, 2005, Declaration of the Committee of Ministers on Human Rights and the Rule of Law in the Information Society, CM(2005)56 final, May 13, 2005, available at <>.

[3692] Dutch Data Protection Authority, Personal Data Protection Act(Unofficial translation), July 6, 2000, available at <>.

[3693] <>.

[3694] CBP, Annual Report for the Year 2006, April 2007, with English summary 82, available at <>.
[3695] CBP, Annual Report for the Year 2006, supra at 92.

[3696] 90.
[3697] Id.
[3698] Id.
[3699] Id.
[3700] Id.

[3701] Id. at 94.
[3702] Id.
[3703] Id.

[3704] Decree on Regulated Exemption, May 7, 2001.
[3705] Dutch Police Registers Act 1990.
[3706] Dutch Medical Examinations Act 1997.
[3707] Dutch Medical Treatment Act 1997.
[3708] Dutch Social Security System Act 1997, Compulsory Identification Act.
[3709] Dutch Act on the Entering of Buildings and Houses 1994.
[3710] Dutch Act on the Stimulation of Labor by Minorities 1994.

[3711] Article 125m of the Code of Criminal Procedure.
[3712] See Ministry of Justice Fact Sheet, Special Powers of Investigation Act, August 8, 2006, available at <>.
[3713] Telecommunications Act 1998.
[3714] Home Agentschap Telecom homepage <>.
[3715] XS4ALLl subpoena, English translation available at: <>.
[3716] Ministry of Economic Affairs, Decree on Cost Reimbursement for Legal Access to Telecommunications, April 1, 2005 <> (in Dutch).

[3717] Press Release, Ministry of Justice, “Dutch cabinet: telecommunications data to be retained for one and a half years,” April 4, 2007 <>.
[3718] Id.
[3719] Press Release, CBP, “European Directive on Data retention,” January 24, 2007 <>.
[3720] Id.
[3721] Id.

[3722] Jelle van Buuren, "Dutch Law Enforcement Should Get Easier Access to Personal Data Stored by Companies," Telepolis, May 21, 2001.
[3723] Report of the Mevis Commission, May 2001.

[3724] CBP, Annual Report for the Year 2006, supra.
[3725] Id.
[3726] Id.

[3727] Press Release, Ministry of Justice, “No Longer Possible to Hide Behind Another Person’s Identity,” March 4, 2007 <>.
[3728] Id.
[3729] Id.

[3730] RFID position paper, Bits of Freedom, December 2004, available at <>.
[3731] Report on RFID, ChristenUnie, May 2005, available at <> (in Dutch).
[3732] CBP, “RFID: Promising or Irresponsible,” October 2006, <>.
[3733] Id.

[3734] "DNA Samples to be Taken from Convicted Persons," Ministry of Justice, February 2005, available at <>.

[3735] Compulsory Identification, Ministry of Justice, October 2004, available at <>.
[3736] Identificatieplicht: 5300 boetes per maand, Bits of Freedom, May 2005, available at <>.

[3737] Biometry in passports, page maintained by Professor of Software Security and Correctness Bart Jacobs, available at <>.
[3738] Databank vingerafdrukken alle Nederlanders, Bits of Freedom, February 2005, available at <>.
[3739] CBP, Annual Report for the Year 2006, supra.
[3740] Id. at 88.
[3741] Id. at 91.

[3742] Gerit-Jan Zwenne, Dutch Telecoms Regulator Fights Spam, 7 BNA International World Data Protection Report 3, 10 (March 2007).
[3743] Id.
[3744] Id.

[3745] Dutch ISP Ordered to Release Personal Data of a Subscriber, 23 Computer Law & Security Report 2, 145 (2007).
[3746] Id.
[3747] Id.

[3748] "New Wave of Lawsuits against European P2P Users," EDRI-gram, Number 3.8, April 20 2005, available at <>.
[3749] "Court attacks Dutch internet anonymity," EDRI-gram, July 2004, <>
[3750] Jan Libbenga, “Lycos Loses Dutch ID Disclosure Case,” The Register, November 25, 2005, <>.
[3751] Id.
[3752] Id.

[3753] Available at <>.

[3754] Big Brother Award for Dutch Immigration Minister, January 28, 2006 <>.
[3755] Id.
[3756] Id.
[3757] Id.

[3758] Signed May 7, 1982; ratified May 28, 1993; entered into force September 1, 1993.
[3759] Signed November 23, 2001.
[3760] Archives 2006 on Changes Concerning Treaties, Council of Europe <>.
[3761] Convention on Cybercrime CETS No. 185 <>.

WorldLII: Copyright Policy | Disclaimers | Privacy Policy | Feedback