Privacy International defends the right to privacy across the world, and fights surveillance and other intrusions into private life by governments and corporations. Read more »


I. Legal framework

Constitutional privacy and data protection framework

The Constitution grants citizens an explicit right to privacy.1 Article 10 states: "(1) Everyone shall have the right to respect for his privacy, without prejudice to restrictions laid down by, or pursuant to, Act of Parliament. (2) Rules to protect privacy shall be laid down by Act of Parliament in connection with the recording and dissemination of personal data. (3) Rules concerning the rights of persons to be informed of data recorded concerning them, of the use that is made thereof, and to have such data corrected shall be laid down by Act of Parliament." Article 12 states: "(1) Entry into a home against the will of the occupant shall be permitted only in the cases laid down by, or pursuant to, Act of Parliament, by those designated for this purpose by, or pursuant to, Act of Parliament. (2) Prior identification and notice of purpose shall be required in order to enter a home under the preceding paragraph, subject to the exceptions prescribed by Act of Parliament. A written report of the entry shall be issued to the occupant." Article 13 states, "(1) The privacy of correspondence shall not be violated, except in the cases laid down by Act of Parliament or by order of the courts. (2) The privacy of the telephone and telegraph shall not be violated, except in the cases laid down by Act of Parliament, by or with the authorisation of those designated for this purpose by Act of Parliament."

In May 2000, the government-appointed Commission for Constitutional Rights in the Digital Age presented proposals to make existing constitutional rights more technology-independent. According to this proposal, Article 10 will be expanded to include the right of persons to be informed about the origin of data recorded about them and the right to correct that data. Article 13 would be made technology-neutral and would give the right to confidential communications. In November 2004, the Dutch government announced that proposals to amend the Constitution would be delayed in order to incorporate upcoming international developments regarding human rights and the information society such as the Council of Europe's recommendation "Human Rights and the Rule of Law in the Information Society." The recommendation was adopted by the Council of Europe on 13 May 2005.2

In 2009, the results of the evaluation of the Dutch Constitution were published.3 The evaluation states that the role and importance of the Dutch Constitution has been under pressure, especially because of the growing role of the European Convention of Human Rights and its interpretation by the European Court of Human Rights. In particular, in the Netherlands less value has been attached to the right to privacy than before. This development is generally attributed to the terrorist attacks of 11 September 2001 in New York but, seen from a more general point of view, the Dutch general public has developed a different approach towards privacy that amounts essentially to the willingness to trade privacy for safety (leaving aside the question whether such a trade-off exists).4

In July 2009 a new Commission was appointed by the government. Its assignment is to draft a Bill amending the Constitution inter alia in order to improve the accessibility of the Constitution and to adapt constitutional rights and freedoms to the digital age. The Commission was due to present its proposals before 1 October 2010.5

Privacy and data protection laws and regulations

Comprehensive law

The European Union Data Protection Directive 1995/46/EC was established as national law by the Act of 2000 (Dutch Personal Data Protection Act or PDPA).6 The PDPA is a revised and expanded version of the Data Registration Act of 1998 that brings Dutch law in line with the EU Directive and regulates the transfer of personal data to countries outside of the European Union.

Pursuant to the PDPA, the Decree on Regulated Exemption was enacted to exempt certain organisations from the registration requirements of the PDPA.7

In 2007, the report of the first stage of the evaluation of the PDPA was published, followed in 2008 by the report of the second stage of the evaluation.8 The evaluation reports concluded that the PDPA leads to administrative burdens.9

On 5 February 2009 the bill to amend the PDPA was submitted to Parliament.10 In the explanation of the amendment to the bill after investigation and consultation with the parties involved (including the CPB and the Dutch Association of Entrepreneurs and Employers), a number of its proposals appeared not to be feasible.11 Overall, it was determined that completing many of the act's new proposals imposes a serious administrative burden.12

One of the amendment clauses aims to remove the permit obligation for third-country transfers. In the Netherlands a transfer permit is required even if the transfer is made under the standard contractual clause for the transfer of personal data to third countries.13 The bill explaining the amendment makes it clear that the cancelled obligation only occurs when the standard contractual clauses are applied unaltered.14 This means that no clauses in the model contract may be altered.15

A second amendment mitigates the controller's obligation to provide information to data subjects16 if personal data are used for direct marketing.17 For example, a data controller intending to provide data to third parties so that they can use the data for direct marketing purposes must now inform the data subjects of the transfer and give them the opportunity to raise an objection by advertising in one or more newspapers or free local papers.18

In addition, as of 1 October 2009 there is an explicit obligation for those engaging in the widespread and largely detested practice of telemarketing to include in each unsolicited telephone call information about the existence of the "do-not-call registry" (i.e., an opt-out register).19 Further, as of the same date the anti-spam rules for e-mail and other forms of electronic communications, which previously protected only natural persons, have been extended to provide protection to other subscribers (i.e. legal persons, companies etc.). As a result, commercial unsolicited emails, SMS, and other forms of electronic communication to consumers and businesses fall within an opt-in regime. An important exemption applies to electronic contact details (i.e., email addresses, SMS numbers, etc.) that are collected while selling services or products. Such contact details may be used to inform the recipient about the sellers' own similar products. On its website, telecoms regulator OPTA (Onafhankelijke Post en Telecommunicatie Autoriteit or Independent Post and Telecoms Authority) has published guidelines and answers to frequently asked questions explaining its interpretation of the telemarketing and anti-spam rules.20

Sector-based laws

In the Dutch legal order, there are also sector-based privacy laws regulating the Dutch police,21 medical exams,22 medical treatment,23 social security,24 and the search of private homes.25 A series of laws concerning the Dutch social security number regulates the allowable uses of this number for identifying citizens and for general administrative purposes, as well as in health care (regarding electronic patient records).26

Data protection authority

The Dutch data protection authority (College Bescherming Persoonsgegevens or CBP) supervises the operation of personal data files in accordance with the PDPA.27 Previously known as the Registratiekamer, the CBP's functions have remained largely the same since the implementation of the PDPA, although it has been given new powers of enforcement. It can now apply administrative measures and impose fines for non-compliance. It can also levy fines, of up to €4,500 for breaches of the notification requirements.28 Otherwise, the CBP advises the government, deals with complaints submitted by data subjects, institutes investigations, and makes recommendations to controllers of personal data files.

On 28 January 2008, the chairman of the CBP called for an increase in its supervisory power to strengthen the enforcement of the data protection law and to take direct actions regarding investigations and fines.29 In November 2009, the Minister for Justice announced that the CBP would be awarded more powers, particularly the power to impose fines for violations of the PDPA. A bill to that effect has not yet been published.

The Dutch CBP has 84 full-time positions.30 The CBP generally relies on a network of privacy officers within companies and (government) institutions to produce annual privacy reports and discuss procedures with the CBP. In 2009, the CBP performed 108 investigations, a slight increase over 2007 and 2008. It performed 188 prior investigations, almost doubling the figures of 2007 and 2008.31

In the previous version of this report, several cases were described in which the CBP had serious doubts about compliance with the PDPA. These cases concerned the public transport chipcard, the exchange of financial records via SWIFT, and the electronic patient file.32 Further cases are outlined below.

The CBP also condemned the illegal transfer of financial records of European citizens to the United States via SWIFT.33

In December 2007, the CBP approved guidelines on the processing of personal data in publications on the Internet based on the Dutch Data Protection Act.34 They explain whether, when, and in what format online publications containing personal information are permitted. The guidelines also advise citizens on what options are available when their personal data is misused.35 Subsequently, in August 2009, the CBP publicised new guidelines for active publication of governmental information containing personal data such as citizens' service numbers.36 As publishing such information could lead to identity fraud, the CBP recommends adhering to strict guideline whose objective is to enable administrative authorities to make a good judgment as to the extent to which the information can be published.

The BSN (Burger Service Number or Citizen's Service Number) was introduced at the end of November 2007.37 "At the BSN management facility, a personal public service point will be created that local authorities and citizens can approach with questions."38 The CBP is the authority with competence to intervene in the event of real problems with implementation of the Act.39

The CBP has expressed criticism of the proposal for a verwijsindex risicojongeren (VIR or national reference index of young people at risk).40 The CBP wants to achieve better and faster help for children and young people with problems, "but it is not yet clear whether the sole objective of the reference index is the provision of assistance, or whether its aim is also to help maintain public order."41

In January 2009, the CBP published guidelines for the application of automatic number plate recognition in the Netherlands.42 In its report, the CBP concludes that this method of obtaining personal information can only be used when the police detects a "hit" between the number plates it scans and the reference file against which it is comparing the scans. The CBP argues that if "non-hits" are stored by the police, everyone who uses that particular road is treated as a suspect, leading to an invasion of personal privacy that the CBP considers unlawful.43

In January 2010, the CBP concluded that two police agencies, Rotterdam-Rijnmond44 and Ijsselland,45 had violated the PDPA by processing "non-hits" from an automatic licence plate recognition system. They are only allowed to process "hits", i.e., licence plates that, scanned, matched a licence in the database.

Major privacy and data protection case law

In July 2008, the judge in the preliminary injunction Court in Arnhem ruled that the research group of the University of Nijmegen could publish their paper on the security breaches found in the Mifare Classic chip.46 The chip, which was intended for use in a national public transportation card, has severe security flaws such as an "easy method to retrieve cryptographic keys."47 In March 2008, the University researchers claimed that: "Because some cards can be cloned, it is in principle possible to access buildings and facilities with a stolen identity. This has been demonstrated on an actual system."48 After the manufacturer of the chip, NXP, sued the University, "the Rechtbank Arnhem court decided that prohibiting the publication of the article would violate the researchers freedom of expression covered by article 10 of the European Convention of Human Rights. Restrictions in such matters are applicable only in order to protect a pressing social need, which has to be convincingly demonstrated."49 The judge's opinion was that "the potential damage that NXP claims is not a result of the publication of the research results but of the production of a chip that has shown deficiencies, which is the responsibility of NXP itself."50

On 24 August 2006, the Subdistrict Court of Amsterdam ruled that an Internet Service Provider (ISP) can in certain circumstances be required to release the name, address, and domicile data of a subscriber (referred to as "NAW-data").51 BREIN, a Dutch foundation that protects the rights of the entertainment industry, requested NAW-data on the top three uploaders on Dikke Donder, a BitTorrent network where films, television series, music, software, and games were being offered without the permission of the rights holders.52 The court ruled in favour of BREIN and required the ISP to provide the requested data as long as two conditions were met: (1) it must be sufficiently plausible that the unlawful act has been committed; and (2) there must be no reasonable doubt that it was committed by the subscriber whose NAW-data is being requested.53

BREIN announced in April 2005 it would launch 32 court cases against individuals who were allegedly peer-to-peer file-sharing users. In order to obtain the identifying data of the users behind IP addresses from which music was unlawfully uploaded, BREIN sued five Dutch ISPs who had agreed to forward to their customers complaints from the copyright holders but refused to reveal the customers' identities. In total, BREIN sent 50 cease-and-desist letters demanding that the recipients identify themselves, agree to pay an average fine of €2,100, and sign an unlimited, binding agreement never to "directly or indirectly be involved in any way or have an interest in unlawfully distributing materials on the Internet". If ever again caught in such a broadly defined act, the signed agrees to pay a fine of €5,000 per day.54 In June 2004, the Appeals Court of Amsterdam ruled against Lycos in Lycos v. Pessers; Lycos had refused to disclose the  identity of one of its customers when it was demanded for alleged defamation.55 Although the Appeals Court acknowledged that the content on the website was not "apparently unlawful", the court nevertheless felt that Lycos was required to hand over the user's identity. On 25 November 2005, the Dutch Supreme Court upheld the appeals court's decision, requiring Lycos to disclose the name of the previously anonymous website owner.56 The Register reported that BREIN, who paid the legal bill of Pessers, was delighted with the verdict, believing the ruling would be beneficial to its case against ISPs who refused to identify illegal file swappers.57 Legal experts fear the ruling may have consequences for anonymous whistleblowers who want to put up a website and speak out without reprisal.58