Online Privacy Law: Netherlands*
The Netherlands has a high percentage of general Internet, social network site, and smartphone users. The Dutch Constitution contains a provision on the protection of privacy of personal data. The Personal Data Protection Act broadly governs the protection of personal data; online privacy is addressed in particular by the Telecommunications Act, which was recently amended to incorporate privacy provisions deemed by some commentators to be stricter than those of the EU. The Netherlands has incorporated key European Union directives on privacy, such as the Directive on Personal Data, the Data Retention Directive, and the Privacy and Electronic Communications Directive, into its national law.
The processing of any personal data in the Netherlands requires the data subject’s unambiguous consent; certain types of personal data, such as that concerning a person’s religion may not be processed, however. Internet service providers have an obligation to protect the privacy of users and subscribers. The Dutch Data Protection Authority is a key agency involved in the protection of personal data, but two other agencies play a role in supervising telecommunications service providers and the telecom market. Among possible future changes in the Dutch legal framework of online privacy is the adoption of a constitutional amendment on the protection of digital rights.
According to statistics published by the Organisation for Economic Cooperation and Development (OECD), in 2010 nearly 91% of Dutch households had access to the Internet. The Netherlands ranked third among thirty-five OECD Member States (including the European Union as a whole) surveyed, after Korea and Iceland.  Nearly 80% of households in the Netherlands had access to broadband as of that year, placing the country sixth among forty-one jurisdictions surveyed for this feature. As of December 2011, there were over fifteen million Internet users in the country, almost 90% of the population. In terms of frequency of Internet visits, the Netherlands ranked highest among European countries, with 78.2 visits per visitor in a study conducted for the month of September 2010. In 2011, 53% of Internet users reported being active on social networking sites like the Dutch network Hyves, Facebook, and Twitter in the previous three months, with 88% of those users under the age of twenty-five. Reportedly, the Internet penetration in the Netherlands of two key global social networking sites, Twitter and LinkedIn, is the highest worldwide.
I. Legal Framework
The Constitution of the Kingdom of the Netherlands provides for the protection of privacy in article 10, which states as follows:
- Everyone shall have the right to respect for his privacy, without prejudice to restrictions laid down by or pursuant to Act of Parliament.
- Rules to protect privacy shall be laid down by Act of Parliament in connection with the recording and dissemination of personal data.
- Rules concerning the rights of persons to be informed of data recorded concerning them and of the use that is made thereof, and to have such data corrected shall be laid down by Act of Parliament.
The Constitution also provides for the inviolability of the person and the home and protects against the violation of the privacy of correspondence and of the telephone and telegraph, except as otherwise provided by acts of Parliament.
The Telecommunications Act  is of major importance in the governance of online privacy in the Netherlands. In order to implement revised EU electronic communications, privacy, and telecom directives,  on June 22, 2011, the House of Representatives (Tweede Kamer) of the Dutch Parliament (States-General, or Staten-Generaal) adopted ten proposed amendments to the Telecommunications Act, rejecting only an eleventh proposed revision concerning Internet access as a universal service. The Senate (Eerste Kamer) adopted the proposed changes on May 8, 2012, including new provisions on online privacy. Of related significance are the Telecommunications Data Retention Act (Wet bewaarplicht telecommunicatiegegevens) of August 28, 2009, and the Media Act (Mediawet) of December 29, 2008.
Another key item of legislation governing the recording and use of personal data in the Netherlands is the Personal Data Protection Act (Wet bescherming persoonsgegevens) (PDPA), which came into force on September 1, 2001. This Act covers “every use—‘processing’—of personal data, from the collection of these data up to and including the destruction of personal data.” The PDPA, together with the PDPA Exemption Decree (Vrijstellingsbesluit) of May 7, 2011, transpose in the Netherlands the Data Protection Directive of the European Union. In connection with the PDPA, the Ministry of Security and Justice has also published Guidelines for Personal Data Processors. There are also codes of conduct that might apply to the handling of personal data on the Internet. For example, in 2008 the Dutch government and the private sector adopted a non-legally binding Notice-and-Take-Down Code for handling reports of unlawful Internet content.
II. Current Law
A. Scope of Application
The Telecommunications Act covers electronic communications networks, electronic communications services, public electronic communications services, and public electronic communications networks.
The PDPA applies to “the fully or partly automated processing of personal data, and the non-automated processing of personal data entered in a file or intended to be entered therein,” with a file being “any structured set of personal data.”  The Act is not applicable to the processing of personal data that is “for exclusively journalist, artistic or literary purposes,” except as otherwise provided in the Act and/or under conditions set forth under certain provisions of the Act. The PDPA applies to personal data processing carried out by responsible parties established in the Netherlands, as well as by or for responsible parties not established in the European Union that use “automated or non-automated means situated in the Netherlands, unless these means are used only for forwarding personal data.” Such non-EU responsible parties are prohibited from processing personal data unless they designate a person or body in the Netherlands to act on their behalf.
B. Prohibition on Processing Without Consent
Processing of personal data is permissible only under certain conditions. Most important, perhaps, is that the data subject’s unambiguous consent (ondubbelzinnige toestemming) is required. It is also allowed where the processing is necessary for, among other purposes,
- the performance of a contract to which the data subject is party, or for actions to be carried out at the request of the data subject and which are necessary for the conclusion of a contract;
- compliance with a legal obligation to which the responsible party is subject;
- protection of a vital interest of the data subject; or
- upholding the legitimate interests of the responsible party or of a third party to whom the data are supplied, except where the data subject’s interests or fundamental rights and freedoms, in particular the right to protection of individual privacy, prevail.
The PDPA prohibits, except as otherwise provided in the Act, the processing of personal data “concerning a person’s religion or philosophy of life, race, political persuasion, health and sexual life, or personal data concerning trade union membership.” The ban also applies to personal data related to criminal behavior or to prohibited unlawful or objectionable conduct.
In addition, the PDPA provides protection of data transferred to third countries, i.e., countries outside the EU. Personal data subject to or intended for processing after such a transfer will only be transferred if the third country guarantees an adequate level of protection, without prejudice to the PDPA’s provisions. By way of derogation from this provision, personal data can be transferred if that country is party to the May 2, 1992, Oporto Agreement on the European Economic Area (Netherlands Treaty Series (TRACTATENBLAD) 1992, No. 132)), unless a decision of the European Commission or the Council of the European Union results in such transfer being limited or forbidden. An assessment of the adequacy of the level of protection given the personal data is to take into account the circumstances affecting the transfer operation or the category of data transfer operations, and in particular the type of data, the purpose or purposes and the duration of the planned processing, the applicable legal provisions in the third country concerned, and so on.
The above provisions regarding third-party transfers notwithstanding, transfers to a third country that does not provide guarantees for an adequate level of protection can take place if certain conditions apply. For example, it may occur if the data subjects have unambiguously consented to it, if the transfer is necessary for the performance of a contract between the data subjects and the responsible parties or in order to protect a vital interest of the data subjects, or if the transfer is made on the basis of a model contract as referred to in article 26(4) of EU Directive 95/46/EG on the processing of personal data and the free movement of such data. Moreover, notwithstanding this provision, the Minister of Security and Justice, after consulting the Dutch Data Protection Authority (DPA), may issue a permit for personal data transfer or category of transfer to a third country that does not provide the adequate level of guarantees, but the permit must have attached to it “the more detailed rules required to protect the individual privacy and fundamental rights and freedoms of persons and to guarantee implementation of the associated rights.”
C. Safeguards and Transparency Obligations of Providers
The Telecommunications Act prescribes a general obligation for providers of public telecommunications networks and services to “ensure the protection of the personal data and the protection of the privacy of subscribers to and users of its network or services.” To that end, such providers must “take appropriate technical and organization measures to ensure the safety and protection of the networks and services they provide,” at a level proportionate to the risks involved, while taking into account the state of technology and the costs involved.
The Telecommunications Act provides for a general level of transparency in connection with data subjects, stipulating that network and service providers are to ensure that subscribers are informed of (a) special risks of breach of the security or protection of the network or service provided, and (b) any means, other than the technical and organizational measures referred to above (i.e., under article 11.3(1)) that the provider concerned must take in order to counter such risks, as well as an estimate of the likely expense involved.
D. Limits on the Creation of Personal Profiles
Building up a personal profile with data on surfing behavior through the use of tracking cookies, such as Google Analytics cookies, is in violation of privacy laws.  The Telecommunications Act makes the PDPA applicable to the use of all tracking cookies, through the introduction of “the legal presumption that the use (placing and reading the file on the device of an end user) of a tracking cookie constitutes processing of personal data.” This therefore also means that the consumer’s “unambiguous consent” is required in order for cookies to be placed. Additionally, it will result in a shift of the burden of proof from the DPA to the party that places the tracking cookie, to prove that its cookie does not process personal data. Thus, if an online company does not specifically request unambiguous consent to use tracking cookies, it must prove that its cookies are not handling personal data, and failure to do so may result in its activities being deemed unlawful by supervisory authorities and made subject to fines.
The new provision on tracking cookies, article 11.7a, which has been called the Cookiewet (Cookie Act) created heated public debate because it is stricter than the relevant EU Directives 2009/136/EC  (Privacy and Electronic Communications Directive) and 2009/140/EC (Better Regulation Directive). According to the Dutch government, however, the sole purpose of the legal presumption is to facilitate the DPA’s enforcement capabilities, andit does not materially change the applicability of the PDPA to tracking cookies. The legal presumption article of the Act might not be enforced until December 31, 2012, if a motion to that effect is adopted by the Dutch Senate. The motion of Member of Parliament C.S. Franken calls upon the government to actively support the EU development of a “Do Not Track” standard andto facilitate dialogue between the supervisors, the advertising industry, and consumers to achieve maximum clarity about the scope of the provision and, if necessary, lay down detailed rules for it; these are the reasons behind seeking a delay in the enforcement of article 11.7a./p>
Article 11.7a of the Telecommunications Act states in item 1:
Without prejudice to the Personal Data Protection Act, anyone who by means of electronic communications networks wishes to obtain access to data stored in a user’s peripherals or who wishes to store data in the user’s peripherals shall:
- provide the user clear and complete information in accordance with the PDPA, and in any case, concerning the purposes for which one wishes to obtain access to the relevant data or for which one wishes to store data, and
- obtain the consent of the user for the relevant action.
E. Smartphone Applications Data Collection
In 2011, mobile Internet usage in the Netherlands “skyrocketed.”  According to a European Parliament study of the Internet and citizens’ privacy, moreover, “De Randstad, the industrial and service agglomeration encompassing the four largest cities of the Netherlands, is the third-largest site of intense mobile traffic in the world.” Although as of this writing no specific legal provisions were found governing smartphone applications and data collection, it would appear that data collection by smartphone apps would fall under article 11.7a of the Telecommunications Act, in particular. Smartphones might also be covered under the definition of “terminal equipment” (randapparaten) in article 1.1 of the Act:
[Terminal equipment is] equipment intended for connection to a public telecommunications network in such a way that it: can be connected directly to network termination points, or can be used for interaction with a public telecommunications network via direct or indirect connection to network termination points for the purpose of the transmission, processing or reception of data.
F. Limits on Geodata
Article 11.5a of the Telecommunications Act deals specifically with location data. It stipulates that the processing of such data, with the exception of traffic data related to subscribers or users of a public electronic communications network or service, is permitted only if the data is made anonymous or if the given subscriber or user has given consent to the processing for the purpose of the supply of a value-added service. The processing of location data for this purpose is permissible only to the extent and for the duration that is necessary for the supply of the service in question.
Before obtaining the consent of the subscriber or user, the supplier of the value-added service to the subscriber or user must provide the following information: (1) the type of location data that will be processed, (2) the purposes for which the location data is processed, (3) the duration of the processing, and (4) whether the data will be provided to a third party for the purpose of supplying a value-added service. A subscriber or user can revoke at any time the consent for the processing of the data concerning him.
G. Protection of Minors
The PDPA stipulates that if the data subjects are minors under sixteen years of age, or if they are persons under guardianship on whose behalf a mentorship has been instituted, instead of the data subject’s consent, that of a legal representative is required.  The PDPA further provides that “the data subjects or their legal representative may withdraw consent at any time.”
Under article 37(3) of the PDPA, such legal representatives also have the authority to make requests in regard to whether the personal data of the persons they represent are being processed (and related matters), and upon being informed about that data, to request that the responsible party correct, supplement, delete, or block it (except in the case of public registers set up by law) if the data “is factually inaccurate, incomplete or irrelevant to the purpose or purposes of the processing, or is being processed in any other way which infringes a legal provision.” The information requested will be provided to the legal representative.
H. Technical and Organizational Security Measures to Protect Data
The PDPA requires the implementation of measures to protect personal data. It states that “[t]he responsible party must implement appropriate technical and organizational measures to secure personal data against loss or against any form of unlawful processing.”  Such measures are to “guarantee an appropriate level of security, taking into account the state of the art and the costs of implementation” as well as “the risks associated with the processing and the nature of the data to be protected,” while seeking to prevent “unnecessary collection and further procession of personal data.” The agreement governing processing of personal data made between a responsible party and a processor must set down in written form, or the equivalent, the security measures, for purposes of maintaining proof.
If a responsible party has personal data processed for it, it must ensure “that the processor provides adequate guarantees concerning the technical and organizational security measures for the processing to be carried out,” and that such measures are complied with. The responsible party must also make sure that the processor complies with the above-stated technical, organizational, and security obligations incumbent upon the responsible party. This duty of the responsible party notwithstanding, if the processor is established in another EU Member State, the responsible party must ensure that the processor complies with the laws of that Member State.
I. User Anonymity
Under the Telecommunications Act, network and service providers are to delete or anonymize traffic data processed and stored by them relating to subscribers or users once this traffic data is no longer needed for the purpose of the transmission of communications, without prejudice to certain other provisions of the Act. For example, a service provider may process traffic data to the extent and duration necessary for: (a) market research or sales activity relating to electronic communications services, or (b) the supply of value-added services, provided that the subscriber or user to whom the traffic data relates has given his consent, and the subscriber or the user may at any time revoke the consent given for such processing.
J. Data Protection Agencies
The Dutch Data Protection Authority (DPA) (College Bescherming Persoonsgegevens) administers personal data protection-related matters in the Netherlands by authority of the PDPA. The Radiocommunications Agency Netherlands (Agentschap Telecom) (RCA) supervises the obligations of Internet access and telecom providers. The Independent Post and Telecommunications Authority (Onafhankelijke Post en Telecommunicatie Autoriteit, OPTA) is oriented toward promoting investment in the communications sector while protecting consumer interests. Some features and functions of these agencies will be discussed in more detail below.
K. Rights of and Remedies for Users
Under article 35 of the PDPA, data subjects have the right, “freely and at reasonable intervals,” to request the responsible party to inform them as to whether personal data related to them are being processed. The responsible party must inform data subjects in writing within four weeks as to whether such data are being processed. Data subjects may also request responsible parties to provide information on the logic that underlies the automated processing of data concerning them (de logica die ten grondslag ligt aan de geautomatiseerde verwerking van hem betreffende gegevens).
Users also have the right to request changes in the data. Article 36 of the PDPA prescribes that persons informed of their personal data in accordance with the above provision “may request the responsible party to correct, supplement, delete or block the said data in the event that it is factually inaccurate, incomplete or irrelevant to the purpose or purposes of the processing, or is being processed in any other way which infringes a legal provision.”
1. Decisions Taken by Administrative Bodies Regarding Requests for Information
Certain decisions taken in response to requests concerning the processing of personal data fall under the rubric of administrative decisions. These include decisions made in response to requests having to do, for example, with the provision of information on data processing that is exempt from the notification requirement; with whether or not a data subject’s personal data is being processed or with the underlying logic of the data processing of such data); with requests for correction, supplements, etc.; and with the provision of information on the parties to whom information has been provided.
2. Court Petitions
For decisions other than those made by administrative bodies, the PDPA allows suits for injunctive relief and damages. Thus, the party concerned can submit a written petition requesting the district court to order the responsible party to grant or reject a request having to do with the matters stated in the preceding paragraph, or to recognize or reject an objection of the kind indicated above. The petition must be submitted within six weeks of receipt of the reply from the responsible party; where the responsible party has not replied within the time limit to the party concerned’s request for information, etc., the petition must be submitted within six weeks of the expiry of that time limit. According to the PDPA, the court will find in favor of the request “where it is ruled to be well-founded,” but before issuing a ruling, it will when necessary give the parties concerned an opportunity to present their views. The section on penalty payments (dwangsom) of the Code of Civil Procedure applies. The court may also request the parties and others to provide it with written information; the responsible party and the party concerned are required to comply with such requests.
The party concerned may also apply to the DPA to mediate or to give an opinion in the dispute with the responsible party, provided the application is made within the lawful time limits.
3. Right to Fair Compensation
Persons who have suffered harm as a result of acts concerning them that infringe the provisions of the PDPA have the right to fair compensation for harm not constituting property damage. Responsible parties are liable for the damage or harm resulting from noncompliance with those provisions, and processors are liable for the damage or harm incurred insofar as it resulted from their operations. If they can prove that the harm cannot be attributed to them, the responsible parties or the processors may be exempted in whole or in part from liability.
When responsible parties or processors act in contravention of the PDPA and another party suffers or may suffer damage as a result, the court may, on the petition of the injured party, impose a ban on such conduct and order them to take measures to remedy the consequences of the conduct. However, legal persons cannot base a petition on the processing of personal data if the persons affected by the processing object.
L. Administrative and Criminal Sanctions
The DPA has the authority to apply administrative sanctions, including constraint measures and administrative fines, pursuant to obligations laid down in the PDPA.  In particular, the DPA may impose an administrative fine not to exceed €4,500 (about US$5,626) in respect of the violation “of, by, or under” articles 27 (on notification of the DPA before processing of personal data commences), 28 (on the particulars to be included in the notification, etc.), or 79(1) (on the time limit of bringing into conformity with the Act the processing already taking place before the Act’s entry into force). A DPA decision imposing an administrative fine will be inoperative until the deadline for making objections has expired or, if an objection has been made, until a decision has been rendered on the objection. (For criminal offenses, see immediately below).
M. Cross-border Application
Responsible parties who contravene the provisions laid down by or under the three articles cited in the paragraph immediately above, or articles 4(3) (the prohibition against processing of personal data by responsible parties not established in the EU unless they designate a person or body in the Netherlands to act on their behalf) or 78(2) of the PDPA, will be subject to a fine of the third category. Article 78(2) prescribes that, pursuant to a decision of the European Commission or the Council of the European Union, the Dutch Minister of Security and Justice will lay down a ministerial ruling or decision to the effect that (a) the transfer to a third country (i.e., a country outside the EU) is prohibited, or (b) a permit issued under the PDPA for personal data transfer or a category of transfers to a third country that has not provided guarantees for an adequate level of protection is withdrawn or modified. Responsible parties that deliberately commit offenses under these various articles will be punished with a prison sentence of up to six months or a fourth-category fine.
N. Data Retention
The Netherlands has transposed the EU Data Retention Directive into its national law through the adoption of the 2009 Telecommunications Data Retention Act (TDRA) amending the Telecommunications Act and the Act on Economic Offenses.  Authorities in the Netherlands allow data retention for the purpose of investigation and prosecution of serious offenses (e.g., terrorism) for which custody may be imposed under the Dutch Code of Criminal Procedure. The investigating police officer, by order of a prosecutor or an investigating judge, is the competent authority that has access to retained data. The retention period for all types of retained data is one year. The TDRA provides for observation by operators of the four data security principles covered by the Directive, i.e., that the retained data shall be (1) of the same quality and subject to the same security and protection as network data; (2) subject to appropriate measures to protect the data against unlawful destruction, loss, etc.; (3) subject to appropriate measures to ensure authorized access only; and (4) destroyed at the end of the period of retention, with certain exceptions.
Recently, the Dutch Independent Post and Telecommunications Authority (OPTA) stated, after receiving an “unspecified complaint,” that some hotels that provide free Wi-Fi to guests must register as ISPs, which would thereby make them “subject to the E.U.’s stringent rules on data retention.”  The Telecommunications Act requires ISPs to be registered, for purposes of monitoring crime and terrorism. Thus far, there has been no comment on the legality of the OPTA’s move, “which has raised questions about whether small hotels have the resources to comply” with the EU Directive.
III. Role of Data Protection Agencies
The Dutch Data Protection Authority is the main agency generally in charge of personal data processing. The Radiocommunications Agency Netherlands (Agentschap Telecom) (RCA) supervises the obligations of Internet access and telecom providers. The Independent Post and Telecommunications Authority (OPTA) “is an independent administrative body and works closely with its fellow international regulators. Three of its departments act to promote competition and protect consumers.”
The Dutch Data Protection Authority (DPA) began operations in September 2001, with the entry into force of the PDPA, under which it was established, and succeeding the previous agency in charge of data protection. The DPA, which is covered under articles 51–61 of the PDPA, is headed by a Chairman and two Commissioners; special members may also be appointed, with an effort made “to reflect the various sectors of society.” The Chairman is appointed by royal decree, on the proposal of the Minister for Security and Justice, for a six-year, renewable term; the two Commissioners and special members are similarly appointed, for four- year renewable terms. The Chairman directs the work of the DPA and its secretariat. The support staff comprises about seventy employees, serving in one of four major divisions: the supervisory departments (subdivided into private sector, public sector, and international sections), the Legal Affairs Department, the Communication Department, and Operational Management Department.
The PDPA provides that responsible parties or the organizations with which they are affiliated may appoint their own data protection officer (de functionaris voor de gegevensbescherming), who are to register with the DPA. For example, police officials, under the Police Data Act, are to appoint a chief privacy officer (privacyfunctionaris) to oversee the processing of police data; that officer reports to the chief privacy officer of the DPA. Among other tasks, the DPA oversees the legal processing of personal data and monitors such processing done in the Netherlands in accordance with the law of another EU Member State; makes recommendations on relevant legislative proposals; enforces implementation of the law by imposing fines, using administrative coercion, or detecting criminal offenses against the PDPA;  tests codes of conduct for the handling of personal data by various sectors of society; handles the notification and preliminary examination procedures connected with the processing of personal data; mediates disputes over the exercise of rights related to personal data protection; handles requests on how to interpret the privacy legislation; advises the Minister of Security and Justice on the granting of permits for transfer of personal data when a third country lacks an adequate level of protection;  and provides an annual report on its activities. The DPA also has the power to grant exemptions from the prohibition against the processing of sensitive data. The extent to which the DPA focuses on online service providers in carrying out its functions is unclear.
The RCA is a specialized body under the Ministry of Economic Affairs, Agriculture and Innovation. Its three main tasks are “to obtain, allocate and protect frequency space,” and its day-to-day work “covers the entire field of wireless and wired communication.” A protocol specifies the nature of cooperation between the DPA and the RCA.
The Independent Post and Telecommunications Authority of the Netherlands (OPTA) was established in the Netherlands on August 1, 1997. Its duties and scope of authority are laid down in the Independent Post and Telecommunications Authority Act (OPTA wet), the Postal Act (Postwet), and the Telecommunications Act.  Among its functions are stimulating investment in fiber optic networks, securing Internet safety, promoting competition in the communications sector, and protecting consumers.  Because OPTA is an independent government agency, the Minister of Economic Affairs does not directly control its decisions, but the Minister does appoint the members of the OPTA commission and approve OPTA’s budget and its continued existence. Moreover, under the Independent Post and Telecommunications Authority Act, the Minister is required to evaluate OPTA every year.
IV. Administrative Decisions and Court Cases
A. DPA Investigations
1. TomTom N.V.
In late December 2011, the DPA issued a report on its official investigation of the processing of geolocation data by TomTom N.V. TomTom collects personal data worldwide through its “TomTom” devices that have a screen and builtin GPS sensor to use in planning road routes; the route planner is also available as a smartphone (iPhone) application. The investigation was launched based on media reports that appeared in late April 2011 alleging that TomTom had “provided geolocation data from users of TomTom devices to third parties,” particularly to the police “but also directly to commercial parties such as Eindhoven Airport.” At issue was whether TomTom processed personal data as defined under article 1, introduction and (a), of the PDPA; whether TomTom had grounds for processing personal data as referred to in article 8 of the Act on unambiguous user consent; and whether TomTom had provided personal data to third parties, and if so, whether that additional processing was consistent with the purpose for which the personal data was acquired, as required by article 9 of the Act.
The report noted that TomTom does not request separate consent for collecting and processing realtime geolocation data before its service is used on online devices and a smartphone application. As a result, “[t]he data subject only sees a general reference to the TomTom privacy statement if he creates an account, that is at the moment that he links the device to the TomTom servers via his (own) computer connection,” but the DPA “has decided on several occasions that consent for the processing of personal data cannot be obtained via general terms and conditions.” Because there was no “unambiguous consent for the processing of historical and realtime geolocation data on current offline and online devices and the smartphone application,” the report concluded, TomTom was acting in contravention of article 8. On the issue of further processing of personal data in connection with article 9 of the PDPA, the report found that “TomTom provides historical journey data only in aggregated form to third parties” and in that form the data cannot be “reasonably directly or indirectly traced to natural persons, either by TomTom or another party, and so this is not personal data as defined under the PDPA and the PDPA does not apply to the provision of such data.
2. Google Penalty Order
The DPA imposed a penalty order on Google on March 23, 2011, after an investigation indicated that the company had used its Street View vehicles to collect data on more than 3.6 million Wi-Fi routers in the Netherlands, both secured and unsecured, during the period March 4, 2008, to May 6, 2010, and had also calculated a geolocation for each router. Such acts constituted a violation of the PDPA. According to a DPA press release, “MAC [media access control] addresses combined with a calculated geolocation constitute personal data in this context, because the data can provide information about the owner of the WiFi router in question.”
Subsequently, the DPA verified Google’s compliance with all the requirements of the order, one of which was to offer an opt-out option enabling people to object to the processing of data on their WiFi routers. Beginning in mid-November 2011, “Google has offered users the option to add ‘_nomap’ to the network name of their WiFi router to stipulate their refusal to let Google process their information”; in the DPA’s view, “Google now provides those involved with a free and effective opt-out possibility.” Google also indicated that it was destroying all data collected in the Netherlands by means of the Street View vehicles and would be implementing that step globally. The DPA further determined that Google had complied with the requirements to irreversibly delete network names (SSIDs) and to report its data processing to the DPA.
3. 2005 Court Case
The Supreme Court of the Netherlands issued a decision on November 25, 2005, in a dispute between the ISP Lycos and Pessers, a stamp seller via e-Bay. A Lycos-hosted website entitled “Stop the fraud” called Pessers a swindler. The attempt by Pessers to contact the holder of the website failed. Pessers contacted Lycos and requested that the website be removed and its holder’s name and address revealed, but Lycos refused to provide the information. Pessers’ argument before the court was “that Lycos should reveal the identity of the holder of the website and that Lycos’ refusal to do so could be considered unlawful.” On the basis of the EU’s E-Commerce Directive, the Dutch Court of Appeal held that it is not justifiable for an ISP to remove “information that cannot be considered to be manifestly unlawful,” but that the request to reveal the website holder’s identity “should be judged independently of the ISP’s liability” based on that Directive, and that, in some circumstances refusal to reveal the website holder’s identity “might constitute an unlawful act.” The Court of Appeal decided, therefore, “that an ISP, such as Lycos, should provide the name and address of the holder of the website,” on the basis of four circumstances enumerated in the ruling, e.g., the possibility that it “can to a reasonable extent be assumed” that “the information, in itself, may be unlawful and harmful towards the third party,” and “[t]he third party has a concrete interest in obtaining the name and address of the website holder.”
The Supreme Court upheld the Court of Appeal decision, ruling in part that
- the Lycos argument that a third party can obtain a website holder’s name and address only “when it is obvious to the ISP that a certain act is manifestly unlawful” or when a case that the criminal authorities are willing to prosecute is involved “would lead to a situation in which the group of persons able to obtain the name and address of a holder of a website would be fairly small”;and
- the circumstances set forth by the Court of Appeal “do not automatically lead to the conclusion that an ISP must reveal” a website holder’s identity, even though its “conclusion that Lycos should provide the name and address of the holder of the website could be justified.” Nevertheless, “[t]he balancing of interests might lead to a different result in other circumstances.”
The legal documents cited by the court decision include the Dutch Civil Code, the EU e- Commerce Directive, the PDPA, and the European Convention on Human Rights.
V. Public and Scholarly Opinion
Before the amendment of the Telecommunications Law to conform to the EU directive on online privacy, “website developers and publishers . . . warned that such a move would not only be a drag on their operations but would also cause troubles for users as they will have to deal with more pop-up windows.” Moreover, ISPs cautioned that the new measures might force them to move some of their operations outside the Netherlands.
Dutch lawyers have reported that in the Netherlands, as in other countries, the incautious use of social media has created an increase in lawsuits. A Dutch cyclist who was receiving disability benefits had to repay part of the benefits when his messages on the Hyves social network website about his grueling cycling trip across the French Alps were spotted and reported to the authorities. According to a Dutch labor law attorney, the authorities are allowed to use the social network sources “because they are in the public domain,” and “[u]nless the employee’s account is password protected, the employer has the right to read what the employee says. However, this does not negate freedom of speech.”  An Internet lawyer sees the issue differently, arguing that insurance companies that search the Facebook pages of their clients violate privacy laws, and that while the DPA “has ruled that information published on the Internet is in the public domain, . . . Facebook is not the same thing as a blog, where things are intentionally published.”
According to the Dutch legal scholar Colin Prins, certain recent developments in online technology trigger various concerns about privacy. These developments include the popularity of tailored and individualized services using numerous personal data and “ubiquitous computing” (whereby “numerous systems scan our environment for data and serve us with particular information, based on certain notions about what is appropriate for us as unique individual persons given the particulars of daily life and context”). These developments, in his view, may profoundly affect relationships between individuals, organizations, and/or communities, and of particular concern is the issue of user identification, which
raises privacy problems as well as concerns with respect to inclusion and exclusion. Personalisation may be a threat to a user’s privacy because it provides companies and organisations with a powerful instrument to know in detail what an individual wants, who he is, whether his conduct or behaviour shows certain symptoms, and so forth. Also, personalisation may be disturbing because it facilitates the selected provision to specific users only and may thus diminish certain preferences, differences and values.
Prins therefore believes that the debate on how to deal with the above-mentioned developments should not be limited to a discussion on how to protect individual data, but should encompass the impact on people’s identity. He further notes:
A key feature of personalisation is that individuals are given new ways to present and profile themselves . . . in certain roles or “identities”. They act as a certain type of citizen, consumer, patient, voter, etc. As a result, the growing importance of the context-specific concept of online identity raises challenging new questions with regards to the role and status of identity and identification.
He calls for redirection of the debate towards “how individuals are typified . . . and who has the instruments and power to do so,” and for privacy protection in present-day society to “cover the capability to know and to control how our identities are constructed.”
VI. Recent Developments and Future Reforms
A. Constitutional Amendment Proposed to Protect Digital Rights
In July 2009, the government had appointed a new state commission to draft a bill to amend the Constitution, “inter alia in order to improve the accessibility of the Constitution and to adapt constitutional rights and freedoms to the digital age.” In February 2012, the Senate indicated that it wanted more changes in the Constitution than the government intends, but less than the state commission proposed in November 2010. In regard to the issue adapting the Constitution to the digital age, it was noted that article 13 of the Constitution on the privacy of correspondence and of the telephone and telegraph offers “no or insufficient protection to new means of communication in the digital age.”
The Dutch Christian-Democratic Party (Nederlandse christendemocratische partij) (CDP) proposed, instead of the wording on amending article 13 put forward by government, that a new paragraph 3 be added, to read: “All other means of communication are inviolable, except in cases determined by law or by or with the authorization of those designated for that purpose by law.” Senator Swagerman of the People’s Party for Freedom and Democracy (Volkspartijvoor Vrijheid en Democratie, or VVD) wished to add protection of both confidentialcommunication and the confidentiality of the communication itself, and asked whether the government was planning to introduce a notification requirement, to the effect that anyone whose right to confidentiality will be limited be informed of that restriction as soon as possible.
A report on the adjustment of article 13 of the Constitution appeared on the Dutch House of Representatives website on May 23, 2012. Among other views put forward, the report suggested that it was not sufficient to revise article 13 alone, and that articles 7 through 10 of the Constitution should also be amended in order to meet the needs of the digitial age. According to a House news item about the report, the government is preparing a bill on the revision of article 13, to be drafted by the Minister of the Interior and Kingdom Relations before the 2012 summer legislative recess. The final bill must be adopted by the House, reconsidered by the new House after the elections, and adopted on the second ballot by a two-thirds majority.
B. Deep Packet Inspection
In 2011, questions arose over the use of Deep Packet Inspection (DPI), software ISPs deploy to scan all the data packets—packages of information sent and received online by users, the labels on which Internet routers read to “determine what they are, who they’re from, and where they’re going”—that pass through its network. After the contents have been scanned (and sometimes logged), they are blocked or routed to the appropriate destination. In May 2011, the Dutch telecom provider KPN revealed that it had used DPI to track the use of certain applications such as Whatsapp (“a free alternative to text messaging”) and Skype (“a free alternative for voice telephony and chat”).This gave rise to concerns about potential invasion of privacy and possible contravention of the net neutrality principle (due to prioritizing of certain modes of Internet traffic). As a result, telecom regulator OPTA launched an investigation into providers’ possible infringement “of specific articles of Dutch telecommunication law relating to personal data and privacy protection (secrecy of correspondence), security measures and delivery guarantees.” The OPTA concluded a month later that, while there were grounds for concern, more specific research was necessary, and so it turned the investigation over to the DPA.
C. Hotline for Reporting Online Privacy-Related Incidents
On April 6, 2012, it was announced that OPTA and RCA have established a hotline for reporting by ISPs of privacy-related incidents and malfunctions, so that all breaches of protection of personal data must be reported to OPTA.
D. Merger of OPTA and Other Agencies into New Consumer Authority
The OPTA itself will be undergoing a change. By January 1, 2013, three regulators—the OPTA, the Netherlands Consumer Authority, and the Netherlands Competition Authority—are to be merged into one new authority, the Netherlands Authority for Consumers and Markets (ACM). This is the name stipulated in a bill on the establishment of the new agency, “the proposal for which is currently at [the] advisory stage.” Two separate bills will be considered in order to achieve consolidation of the three current authorities. The bill on the ACM’s establishment will ensure the independent position of the new authority. Moreover,
[t]he new authority will be run by a board, consisting of three members, and governing in a spirit of collegiality. It will focus on three main themes: consumer protection, industry- specific regulation, and competition oversight. Governance anchored in collegiality will safeguard the coherence between these three themes. The [second,] substantive bill will simplify procedures, and streamline powers.
Prepared by Wendy Zeldin
Senior Legal Research Analyst
[*] This report was prepared on the basis of English-language materials, machine-assisted translations, and online Dutch-English dictionaries.
 Netherlands, NEW MEDIA TREND WATCH (last updated May 9, 2012), http://www.newmediatrendwatch.com/markets-by-country/10-europe/76-netherlands.
 Id. (citing Press Release, comScore, Turkey Has Third Most Engaged Online Audience in Europe (Oct. 18, 2011) (presenting Europe-wide data)).
 Id. (citing Press Release, Statistics Netherlands, Substantial Growth Mobile Internet Usage (Oct. 25, 2011)).
 THE CONSTITUTION OF THE KINGDOM OF THE NETHERLANDS 2008 (as last amended June 27, 2008, in force on July 15, 2008), http://www.rijksoverheid.nl/documenten-en-publicaties/brochures/2008/10/20/the-constitution-of-the-kingdom-of-the-netherlands-2008.html; Grondwet voor het Koninkrijk der Nederlanden van 24 augustus 1815 (as last amended June 27, 2008, in force on July 15, 2008), http://wetten.overheid.nl/BWBR0001840/geldigheidsdatum_02-05-2012.
 Id. art. 11.
 Id. art. 12.
 Id. art. 13.
 Telecommunicatiewet [Telecommunications Act] (Oct. 19, 1998, as last amended by an amendment law in force on June 5, 2012), http://wetten.overheid.nl/BWBR0009950/Hoofdstuk1/Artikel11/geldigheidsdatum
_21-05-2012. See Wet van 10 mei 2012 tot Wijziging van de Telecommunicatiewet ter Implementatie van de Herziene Telecommunicatierichtlijnen [Act of May 10, 2012, to Amend the Telecommunications Act for Implementation of the Revised Telecommunications Directives], 235 STAATSBLAD (June 4, 2012), https://zoek.officielebekendmakingen.nl/stb-2012-235.html.
 Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 Amending Directive 2002/22/EC on Universal Service and Users’ Rights Relating to Electronic Communications Networks and Services, Directive 2002/58/EC Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector and Regulation (EC) No 2006/2004 on Cooperation Between National Authorities Responsible for the Enforcement of Consumer Protection Laws, 2009 O.J. (L 337) 11, http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L: 2009:337:0011:0036:En:PDF.
 Wet bewaarplicht telecommunicatiegegevens [Telecommunications Data Retention Act] (hereinafter TDRA) (July 18, 2009, in force on Sept. 1, 2009), http://wetten.overheid.nl/BWBR0026191/geldigheidsdatum_15-02-2010.
 Mediawet [Media Act] (in force on Jan. 1, 2009) (as last amended May 10, 2012), https://zoek.officielebekendmakingen.nl/stb-2012-235.html; Joost Gerritsen, Netherlands: Media Act 2008, IRIS MERLIN 2009-3:18/29 http://merlin.obs.coe.int/iris/2009/3/article29.en.html(last visited June 6, 2012).
 Wet bescherming persoonsgegevens (July 6, 2000) (as last amended effective Feb. 9, 2012), http://wetten.overheid.nl/BWBR0011468/geldigheidsdatum_03-05-2012; see Wet van 26 januari 2012 tot wijziging van de Wet bescherming persoonsgegevens in verband met de vermindering van administratieve lasten en nalevingskosten, wijzigingen teneinde wetstechnische gebreken te herstellen en enige andere wijzigingen [Act of January 26, 202, Amending the Personal Data Protection Act in Connection with the Reduction of Administrative Charges and Compliance Costs, Amendments to Repair Legal Technical Flaws, and Certain Other Amendments], 33 STAATSBLAD (Feb. 8, 2012), https://zoek.officielebekendmakingen.nl/stb-2012-33.html; Personal Data Protection Act (PDPA) (unofficial translation), available at Institute for Information Law, http://www.ivir.nl/legislation/nl/personaldataprotectionact.html (updated Dec. 15, 2005).
 Wet bescherming persoonsgegevens (Wbp; Dutch Data Protection Act), COLLEGE BESCHERMING PERSOONSGEGEVENS [DATA PROTECTION AUTHORITY, DPA], http://www.dutchdpa.nl/Pages/en_ind_wetten_wbp.aspx (last visited May 3, 2012).
 The Netherlands, LINKLATERS (last updated Nov. 2011), https://clientsites.linklaters.com/Clients/dataprotected/Pages/TheNetherlands.aspx
#nationalleg; Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, 1995 O.J. (L 281) 31, http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML.
 L.B. Sauerwein & J.J. Linnemann, HANDLEIDING VOOR VERWERKERS VAN PERSOONSGEGEVENS: WET BESCHERMING PERSOONSGEGEVENS (Ministry of Justice, Apr. 2002), http://www.rijksoverheid.nl/documenten-en-publicaties/brochures/2006/07/13/handleiding-wet-bescherming-persoonsgegevens.html.
 New Dutch Notice-and-Take-Down Code Raises Questions, EUROPEAN DIGITAL RIGHTS (EDRI) (Oct. 22, 2008), http://www.edri.org/edri-gram/number6.20/notice-take-down-netherlands; Esther Janssen, Netherlands: Dutch Code for Notice-and-Take-Down, IRIS 2009-1:17/28, http://merlin.obs.coe.int/iris/2009/1/article28.en.html; NOTICE-AND-TAKE-DOWN CODE OF CONDUCT, ECP (Version 1, Oct. 2008), http://www.ecp.nl/sites/default/files/NTD_Gedragscode_Engels_0.pdf.
 Telecommunications Act art. 1.1(e)–(h).
 PDPA art. 2(1).
 Id. art. 1(c).
 Id. art. 3(1).
 Id. art. 4 (1) & (2).
 Id. art. 4(3).
 Id. art. 8(a).
 Id. art. 8(b)–(f).
 I. art. 16.
 Id. art. 76(1).
 Id. art. 76(2). This provision was added in the 2012 amendment of the PDPA.
 Id. art. 76(3).
 Id. art. 77(1)(a), (b), (e), (g). See Directive 95/46/EG of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, 1995 O.J. (L 281) 31, http://ec.europa.eu/justice/policies/privacy/docs/95-46-ce/dir1995-46_part1_en.pdf.
 PDPA art. 77(2).
 Telecommunications Act art. 11.2; PETER V. EIJSVOOGEL & HENDRIK JAN DE RU, DUTCH TELECOMMUNICATIONS LAW 169 (2000); Arjen van Rijn, Arnoud Boorsma, Jannetje Bootsma, Michiel Hes, Jeannette van Breugel, & Sandra van Heukelom-Verhage, Telecommunications Law in the Netherlands, 30 COMPARATIVE LAW YEARBOOK OF INTERNATIONAL BUSINESS 537 (2008).
 Telecommunications Act art. 11.3(1); EIJSVOOGEL & JAN DE RU, supra note 36.
 Id. art. 11.3(2)(b).
 Nieuwe Cookiewetgeving: We Kunnen Er Niet Meer Omheen [New Cookie Legislation: We Can No Longer Ignore It], PERPLEX.NL (May 11, 2012), http://www.perplex.nl/blog/2012/nieuwe-cookiewetgeving-we-kunnen-er-niet-meer-omheen; Legal Alert – Dutch Senate Finally Adopts New Rules on Cookies, Net Neutrality and Data Security Breach Notifications, DE BRAUW [law firm] (May 2012), http://www.debrauw.com/News/LegalAlerts/Pages/LegalAlert-DutchSenatefinallyadoptsnewrulesoncookies,netneutralityanddatasecuritybreachnotifications.aspx.
 Van der Veen, supra note 14.
 DE BRAUW, supra note 39.
 Id. Despite the delayed date of enforcement, there is some concern, according to van der Veen, that the measure may place Dutch Internet companies at a competitive disadvantage with foreign companies. See van der Veen, supra note 14.
 Directive 2009/136/EC, supra note 12.
 Directive 2009/140/EC of the European Parliament and of the Council of 25 November 2009 Amending Directives 2002/21/EC on a Common Regulatory Framework for Electronic Communications Networks and Services, 2002/19/EC on Access to, and Interconnection of, Electronic Communications Networks and Associated Facilities, and 2002/20/EC on the Authorisation of Electronic Communications Networks and Services, 2009 O.J. (L 337) 37, http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ%3AL%3A2009%3A337%3A
 DE BRAUW, supra note 39; Eerste Kamer Behandelt ‘Cookiewet’ en Neemt het Voorstel aan [The Senate Discussed the ‘Cookie Act’ and Received a Proposal on It], LEGAL EXPERIENCE ADVOCATEN (May 9, 2012), http://www.legalexperience.nl/nl/actueel/eerste-kamer-behandelt-cookiewet-en-neemt-het-voorstel-aan.
 DE BRAUW, supra note 39.
 I Motie van het Lid Franken C.S.: Voorgesteld 8 mei 2012 [Motion of the Member C.S. Franken, Introduced 8 May 2012], http://www.eerstekamer.nl/motie/motie_franken_cda_c_s_over_het_2/document
 Press Release, 2011 OPTA Annual Report and Market Monitor (May 7, 2012), http://www.opta.nl/en/news/all-publications/publication/?id=3590.
 EUROPEAN PARLIAMENT, DOES IT HELP OR HINDER? PROMOTION OF INNOVATION ON THE INTERNET AND CITIZENS’ RIGHT TO PRIVACY, IP/A/ITRE/ST/2011-10 (Dec. 2011), at 42, n.61, http://www.europarl.europa.eu/committees/fr/studiesdownload.html?language
 Telecommunications Act art. 1.1(jj)(1).
 Id. art. 11.5a(1)(a) & (b).
 Id. art. 11.5a(3). See also van Rijn et al., supra note 36, at 538.
 Telecommunications Act art. 11.5a(2)(a)–(d).
 Id. art. 11.5a(4).
 PDPA art. 5(1).
 Id. art. 5(2).
 Id. art. 37(3), with reference to arts. 35–36. “Responsible party” means “the natural person, legal person, administrative body or any other entity which, alone or in conjunction with others, determines the purpose of and means for processing personal data.” Id. art. 1(d).
 Id. art. 37(3).
 Id. art. 13.
 Id. art. 14(3) & (5).
 Id. art. 14(1).
 Id. art. 14(3)(b).
 Id. art. 14(4).
 Telecommunications Act art. 11.5(1).
 Id. art. 11.5(3).
 PDPA art. 35(1).
 Id. art. 35(4).
 Id. art. 36(1). The request is to contain the modifications that should be made.
 Id. art. 30(3).
 Id. art. 35(4).
 Id. art. 36.
 Id. art. 38(2).
 Id. art. 46(1).
 Id. art. 46(2).
 Id. art. 46(3).
 Id. art. 46(5) (citing WETBOEK VAN BURGERLIJK RECHTSVORDERING [CODE OF CIVIL PROCEDURE] (as last amended Dec. 22, 2011), Book II, Title 5 (on constraint and its implementation and on penalty payments), § 3, http://wetten.overheid.nl/BWBR0001827/TweedeBoek/Vijfdetitel/
geldigheidsdatum_18-05-2012). There are more recent amendments to the Code of Civil Procedure, dated March 15, 2012, but they will not enter into force until July 1, 2012.
 Id. art. 46(6).
 Id. art. 47(1).
 Id. art. 49(1) & (2).
 Id. art. 49(3).
 Id. art. 49(4).
 Id. art. 50(1).
 Id. art. 50(2).
 Id. art. 65 (under § 1, “Administrative Measures of Constraint” of Ch. 10, “Sanctions”).
 Id. art. 66. Note that former additional paragraphs of article 66, as well as articles 67–70 and 72–73 of the PDPA, have been repealed.
 Id. art. 71.
 Id. art. 75(1). The punishable offenses listed under article 75(1) are petty offenses. Id. art. 75(3). As of January 1, 2012, third-category fines are €7,800 (about US$9,752). WETBOEK VAN STRAFRECHT [CRIMINAL CODE] (Mar. 3, 1881, as last amended Apr. 5, 2012), art. 23(4), http://wetten.overheid.nl/BWBR0001854/EersteBoek/TitelII/Artikel23/
 PDPA art. 75(2). The punishable offenses listed under article 75(2) are indictable offenses. Id. art. 75(3). As of January 1, 2012, fourth-category fines are €19,500 (about US$24,380). WETBOEK VAN STRAFRECHT art. 23(4), http://wetten.overheid.nl/BWBR0001854/EersteBoek/TitelII/Artikel23/
 Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the Retention of Data Generated or Processed in Connection with the Provision of Publicly Available Electronic Communications Services or of Public Communications Networks and Amending Directive 2002/58/EC, 2006 O.J. (L 105) 54, http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ%3AL%3A2006%3A105%
 TDRA, supra note 15. For what appears to be a comparison of retained data under the EU directive and under Dutch law, as well as interpretation and examples, see Toelichting bewaring gegevens internet [Sample Retained Internet Data], RIJKSOVERHEID [GOVERNMENT OF THE NETHERLANDS] (Dec. 21, 2010), http://www.rijksoverheid.nl/documenten-en-publicaties/richtlijnen/2010/12/21/toelichting-bewaring-gegevens-internet.html.
 Report from the Commission to the Council and the European Parliament: Evaluation Report on the Data Retention Directive (Directive 2006/24/EC) § 4.1, COM (2011) 225 final (Apr. 18, 2011), http://ec.europa.eu/commission_2010-2014/malmstrom/archive/20110418_data_retention_evaluation_en.pdf. According to the TDRA, the relevant articles of the Criminal Procedure Code are 126n, 126na, 126u, and 126ua, 126hh, 126ii, 126nc-126ni, and 126uc-126ui. TDRA, supra note 15, arts. 1 D & 1 E(b).
 Report from the Commission to the Council and the European Parliament, supra note 93, § 4.3.
 Id. § 4.5.
 Id. § 4.6 (Table 4); TDRA art. 1 F (amending art. 13(5) of the Telecommunications Act, on the obligation of telecom providers of networks and services to protect information on the basis of the Law on the Intelligence and Security Services 2002, as referred to in article 13.2 of the Telecommunications Act).
 Hotels May Be Subject to Strict EU Rules for Providing Wi-Fi, WHOLESALE ELECTRONICS (May 10, 2012), http://www.ocpol.com/hotels-may-be-subject-to-strict-eu-rules-for-providing-wi-fi_2588.html.
 OPTA Is an IAB, OPTA, http://www.opta.nl/en/organisation-opta/opta-is-an-iab/ (last modified Nov. 23, 2009) (see left-hand column, “Organisation OPTA”).
 PDPA art. 53(1).
 Id. art. 53(3).
 Id. art. 56(2).
 Organisation, DPA, http://www.dutchdpa.nl/Pages/en_ind_cbp_organisatie.aspx (last visited May 29, 2012).
 PDPA arts. 62 & 63(3).
 Wet Politiegegevens [Police Data Act] (July 21, 2007), art. 34(1) & (4), http://wetten.overheid.nl/BWBR0022463/geldigheidsdatum_19-05-2012.
 PDPA art. 51(1). It also has the authority to institute, on its own initiative, investigations of compliance with the law. Id. art. 60.
 Id. arts. 65, 66, & 75(4).
 Id. art. 25.
 Id. arts. 27–30 (notification), 31–32 (preliminary examination).
 Id. art. 47.
 Id. art. 64(4); see also The Dutch DPA’s Tasks, DPA, http://www.dutchdpa.nl/Pages/en_ind_cbp_taken.aspx (last visited May 29, 2012).
 PDPA art. 77(2).
 Id. art. 58.
 Id. art. 23.
 Id. For the text of the cooperation protocol, see Samenwerkingsovereenkomst Tussen Agentschap Telecom en het College Bescherming Persoonsgegevens met het Oog op de Wijzigingen in de Telecommunicatiewet naar Aanleiding van de Wet Bewaarplicht Telecommunicatiegegevens [Cooperation Agreement Between the Telecommunications Agency and the DPA in View of the Amendments to the Telecommunications Act Following the Data Retention Communications Law] (Sept. 15, 2009), http://www.cbpweb.nl/downloads_pb/pb_20090915_samenwerkingsove
 Tomorrow Is Made Today, OPTA, http://www.opta.nl/en/about-opta/tomorrow-is-made-today/ (last visited June 4, 2012).
 OPTA, supra note 100.
 DPA, REPORT OF FINDINGS: OFFICIAL INVESTIGATION BY THE CBP INTO THE PROCESSING OF GEOLOCATION DATA BY TOMTOM N.V. (Dec. 20, 2011), http://www.dutchdpa.nl/downloads_overig/en_pb_20120112_investigation-tomtom.pdf.
 Id. at 2.
 Id. at 3.
 Id. The report cites, by way of examples, CBP, Ruling on Complaint [in Dutch], No. z2003-0316 (Apr. 8, 2003), www.cbpweb.nl/downloads_uit/z2003-0163.pdf, & CBP, Investigation into the Processing of Personal Data by Advance Concepts B.V. [in Dutch] (Dec. 2009), in particular pp. 27 & 28, http://cbpweb.nl/downloads_pb/pb_20091218_advance_bevindingen.pdf.
 DPA, supra note 122, at 3.
[1278 Id. at 24 & 25.
 Press Release, DPA, Google Has Complied with Dutch DPA Requirements (Apr. 5, 2012), http://www.dutchdpa.nl/Pages/en_pb_20120405_google-complies-with-Dutch-DPA-requirements.aspx.
 Institute for Information Law (IViR), University of Amsterdam, Netherlands: Internet Service Provider Ordered to Reveal Personal Data of Website Holder (2006), available at http://merlin.obs.coe.int/iris/2006/2/article101.en.html (citing Ruling by the Dutch Supreme Court [Hoge Raad], Lycos Netherlands B.V/Pessers of 25 November 2005, C04/234HR, LJN AU4019, http://zoeken.rechtspraak.nl/detailpage.aspx?ljn=AU4019).
 Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on Certain Legal Aspects of Information Society Services, in Particular Electronic Commerce, in the Internal Market (Directive on Electronic Commerce), 2000 O.J. (L 178) 1, http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ%3AL%3A2000%3A178%3
 See IViR, supra note 133.
 Ruling by the Dutch Supreme Court, supra note 133. The Court considered the applicability of article 8 of the PDPA under section 62.
 Netherlands Likely to Give Green Light to Controversial Web Privacy Law, INTERNET BUSINESS NEWS (June 22, 2011), available at http://www.thefreelibrary.com/-Netherlands+likely+to+give+green+light+to+controversial+web+privacy...-a0259452302.
 Belinda van Steijn, Fired Because of Facebook, RADIO NETHERLANDS WORLDWIDE (Feb. 12, 2012), http://www.rnw.nl/english/article/fired-because-facebook.
 Id. at 10.
 Netherlands, PRIVACY INTERNATIONAL (Jan. 1, 2011), https://www.privacyinternational.org/reports/netherlands. For this information about the new commission, the report cites the Decision of 3 July 2009, No. 09.0018252.
 Senaat wil meer wijzigen in Grondwet [Senate Wants More Change in Constitution], EERSTE KAMER [DUTCH SENATE] (Feb. 8, 2012), http://www.eerstekamer.nl/nieuws/20120208/senaat_wil_meer_wijzigen_in.
 Conceptverslag van een Algemeen Overleg over: Kabinetsstandpunt Rapport Staatscommissie Grondwet en Aanpassing Artikel 13 van de Grondwet [Concept Report of a General Discussion About: Cabinet Position Report, State Constitution Commission and Adaptation [of] Article 13 of the Constitution] (May 23, 2012), http://www.tweedekamer.nl/ao_repo/biza/20120523_Kabinetsstandpunt%20
 Kabinetsstandpunt Rapport Staatscommissie Grondwet [Cabinet Position Report State Constitution Commission], TWEEDE KAMER [Dutch House of Representatives], http://www.tweedekamer.nl/kamerstukken/dossiers/kabinetsstandpunt_rapport_
staatscommissie_grondwet.jsp (last visited June 6, 2012). This overview has links to other relevant documents.
 Alex Wawro, What Is Deep Packet Inspection, PC WORLD (Feb. 1, 2012), http://www.pcworld.com/article/249137/what_is_deep_packet_inspection.html.
 EUROPEAN PARLIAMENT, supra note 50.
 Id. It is unclear at this time what conclusions were reached by the DPA. However, as indicated above, the Dutch Telecommunications Act now has provisions on net neutrality.
 OPTA en Agentschap Telecom openen meldpunt voor nieuwe meldplichten aanbieders [OPTA and Radiocommunications Agency Open Hotline for New Reporting Requirements [for] Providers], OPTA (Apr. 6, 2012), http://www.opta.nl/nl/actueel/alle-publicaties/publicatie/?id=3593.
 Press Release, OPTA, New Dutch Regulator to Be Called ACM, the Netherlands Authority for Consumers and Markets, Merger of Three Regulators to Be Completed January 1, 2013 (Oct. 4, 2011), http://www.opta.nl/en/news/all-publications/publication/?id=3487.
Last Updated: 06/05/2015