Prologue: Cookie Rules Too Strict?

In early November of this year, the bill to amend the Dutch Telecommunications Act ("TA") was sent to the Lower House of Parliament (TK 2010-2011, no. 32549). This bill aims to implement the amended European regulatory framework (Directive 2009/140/EC and Directive 2009/136/EC).
This summer, the bill already caused a stir when it was presented in draft form for consultation via the Internet. The bill provided for an opt-in for cookies, which means that before placing and reading each separate cookie, users would have to give their explicit and unambiguous consent. The response from the market was that this provision went beyond the Directive and the implementation in other Member States. The bill was called user-unfriendly, and it was said that it would cause more personal data to be stored. Thus, the bill would overreach itself, although its aim is to improve protection of personal data and privacy. The protests from the market have caused the 'cookie regulations' in this bill to be adapted. In this article, we will discuss the new cookie regulations and several other important changes in the bill. In our July newsletter we already discussed the opinion (dated 22 June 2010) of the Article 29 Data Protection Working Party 2010 on this topic.

Security

Pursuant to Section 11.3 of the TA, providers shall take appropriate technical and organizational measures to ensure the safety and protection of the networks and services they provide. The existing obligation to inform subscribers of special risks of a breach of security, and of the measures that will be taken in that case, continues to apply. The proposal to add a paragraph j to Section 7.1 (1) of the TA is new. This paragraph states that the provider must specify in the contract with the subscriber what measures he will take in the event of security breaches and vulnerabilities. The provider may specify, for example, what measures he will take in case of hacking. Furthermore, a new second paragraph will be added to Section 11.3 of the TA which will obligate the provider to develop a security policy as part of the technical and organizational measures.

The bill also contains a twofold duty for providers to report any breaches of security measures. Providers have to notify OPTA of a breach if it has adverse effects on the protection of personal data. If the breach is likely to have negative effects on the protection of the privacy of the subscriber(s) whose personal data it concerns, the provider must also notify this subscriber of the security breach (Article 11.3a of the bill). Currently, no such duties to report 'security breaches' exist in the Netherlands. The duty is limited to providers of public electronic communication services; it does not include, for example, providers of information services.

Access

If a restriction applies to the access to certain services (specifically: the Internet) or to the use of certain (internet) services, the bill compels providers to report this to consumers, so that consumers may consider switching providers. Should the access to specific services be compromised at any time, this bill allows the Minister to impose requirements on providers in order to ensure access. In this way the bill makes it possible to lay down rules for the purpose of net neutrality (Article 7.4a of the bill). Should the legislator wish to use this option, it will have to report this long in advance to the European Commission and the new body for electronic communication, BEREC, to ensure that the envisaged requirements do not adversely affect the functioning of the internal market.

Cookies

The rules for gaining access to information stored at the peripherals and for placing information (such as cookies) on the peripherals will be tightened. In practice this means that the user will have to give prior consent for the placing of cookies etc., and that the user must be given clear and comprehensive information about the purpose of the access or storage by means of the cookies. If personal data are involved, the information obligation of Articles 33 and 34 of the Dutch Data Protection Act must be respected. If no personal data are involved, then in any case the purposes of the access or storage must be notified. Incidentally, the bill does not seem to stipulate that this information must always be provided in advance, as was feared; the duty to notify can also be complied with at the moment the cookie is read or placed. No "unambiguous" consent of the user will be required either, as had been announced earlier.

Users with Physical Disabilities

The bill aims to realize equal access for users with a handicap. Supplementary services will have to be created for these users, allowing them access to universal services in a way equivalent to that of other users (this is an adaptation of Section 9.1 of the TA). Furthermore, by changing Section 7.8 the bill provides the option of introducing rules to further the availability to people with physical disabilities of public electronic communication services that are not included in universal service-providing and are bought by the majority of users. At the moment, there are no concrete plans to lay down rules of the latter kind.

Conclusion

If this bill is adopted, providers will have to comply with a number of new obligations, including several obligations to report. The most striking of these is the obligation to report security breaches, which will probably demand the greatest effort on the part of providers. When this bill is adopted, providers will have to examine the sufficiency of their personal data security to prevent negative publicity and possible claims for damages from users after reporting a security breach. The bill also provides that providers should be more open with subscribers about security, which may possibly result in contract amendments.

But first the Lower House of Parliament will have to examine this bill. In the debate, the new cookies regulations will certainly be discussed too. The new framework should officially be implemented by 25 May 2011. Time will tell if that date will be respected.
