III. Privacy topics
Internet and consumer privacy
In May 2004 the EU Directive on Privacy and Electronic Communications (2002/58/EC) was partly implemented by outlawing spam. Senders of commercial electronic messages will need prior consent from the email address holder. During a hearing in the Dutch Parliament in August 2003, the NGO Bits of Freedom asked for an obligation for senders to prove prior consent. An amendment including this proof of consent was added into the law. The ban on spam does not cover work email addresses, a concession made after fierce industry lobbying to prevent such a proposal. Several persons and companies have since been fined for spamming. More recently, proposals have been announced to include work email addresses in the law after the direct-marketing industry failed to agree on self-regulation regarding business-to-business e-mail marketing. The Dutch Telecom Regulator, OPTA, has been very active in banning spam sent from the Netherlands since May 2004.1 Through the website www.spamklacht.nl, OPTA collects over 20,000 consumer complaints annually.2 In 2009 OPTA initiated 68 investigations, issued 51 warnings, and imposed several fines, with the highest of these in the amount of €250,000.
In May 2004, the Parliament passed the law on e-commerce (Wet elektronische handel) implementing the EU E-Commerce Directive (2000/31/EC). Under the law, hosting providers risk liability for illegal content posted by their customers. Once service providers have been notified, and the unlawfulness is "apparent," they should take immediate action to block or remove the content. There is no unified notice-and-takedown procedure in the Netherlands that implements these legal obligations.
No specific information has been provided under this section.
Online behavioural marketing and search engine privacy
On 14 July 2008, the European Data Protection Supervisor, Peter Hustinx, awarded the first European Union (EU) Privacy Seal by EuroPriSe to the Dutch search engine Ixquick.3 The European Privacy Seal ensures that Internet technology products and services comply with EU laws and regulations on privacy and data security.
Online social networks and virtual communities
In December 2008, the CBP investigated alleged illegal data collection by Advance Concepts. This company owned multiple online Web quizzes, for example for people to determine their "real age". The agency concluded that Advance Concepts used these tests to obtain personal information such as medical histories, and without the users' consent sold on the data to third parties for marketing purposes.4 In response to the findings of the CBP, Advance Concepts changed its policies and implemented an opt-in policy.5
Online youth safety
With regard to personal data that is published via the Internet in the Netherlands, the CBP developed and published guidelines in order to clarify what is and is not permitted.6 Regarding minors, "the Dutch DPA takes a proactive stance in providing the rules applicable for social networking and for online marketing."7
In March 2009, the CBP investigated the practices of youth social network site Zikle. In a letter to the site's owner, the CBP concluded that the website did not provide enough information to its users about the purposes of personal data collection and did not have enough security measures in place to restrict the publication of users' data on the Internet.8
The CBP ruled in 2006 that in the event of a transition from one occupational health and safety service provider to another employees' records couldn't be transferred to the new service provider without a legal framework.9 Further, the CBP did research in 2007 to determine whether a different approach is possible within the existing statutory framework.10 The outcome was to distinguish, "…between data that is not subject to medical professional secrecy and data that is."11 The final determination was that data that is not subject to medical professional secrecy may be transferred and data that is subject to medical professional secrecy may only be transferred under certain conditions.12
Health and genetic privacy
The CBP has been tracking the progress of the implementation of an electronic child file (the Elektronisch Kind Dossier or EKD) which will record a child's development and environmental indicators from birth.13 Bringing the EKD online for youth health care was postponed until 1 January 2008 and is not expected to become compulsory until 2010.14 The CBP is particularly concerned about whether the data will be used outside the health care sector, for example to create a national reference index of young people at risk.15
In the health sector, the CBP earlier issued an advisory on the draft legislation that introduces the electronic patient file (EPD). The CBP argues, "Making patient files available to all care providers is far too risky, partly with a view to the protection required for particularly sensitive personal data. With the exception of emergency situations, only care providers with a treatment relationship with a patient ought to have access to the record in question."16 The first parts of the electronic patient file infrastructure are now in place, but actual access to patient files still extends beyond those providers that have a treatment relationship with patients. When balancing the usability of the system and the need to retain the confidentiality of patient records, the former still prevails, although there is a post hoc control mechanism enabling patients to check who accessed their files. (For more information see Guido van 't Noordende, "Security in the Dutch electronic patient record system", ACM 2nd annual workshop on security and privacy in medical and home-care systems (SPIMACS), Chicago, USA, Oct 2010.)
In February 2010, the CBP advised the Minister to regulate health insurers' access to the EPD by taking out the section that let health insurance companies access them as electronic patient file users.17 The Minister responsible for health care implemented this advice.18 Additionally, the CBP investigated two regional private EPD initiatives and concluded that both were in violation of Dutch privacy law.19 The authority found that there were no appropriate access controls to prevent doctors from looking into files of patients they were not treating, that the log files were not used to deter wrong use of personal data, and that the patients were not informed about the use of their data for the EPD.20
In June 2009, the CBP ordered four hospitals to make periodic penalty payments, in order to force them to improve the level of security of their health data.
In February 2005, the DNA Testing of Convicted Persons Act came into force. The law makes it possible to take DNA samples from all persons who are convicted of crimes carrying a maximum penalty of four years or more. The mouth swab sample will be investigated by the Netherlands Forensic Institute (NFI) in order to determine the DNA profile.21
In March 2010, the CBP advised the Minister of Finance to include a privacy paragraph in a new legal proposal that would regulate the use of the Burger Service Number within financial institutions to prevent money laundering and terrorism. Because the proposal would govern all bank accounts in the Netherlands, the CBP said the privacy paragraph should enumerate all the specific circumstances under which financial data would be attached to a citizen's BSN.22
- 1. Cf. Gerit-Jan Zwenne, Dutch Telecoms Regulator Fights Spam, 7 BNA International World Data Protection Report 3, 10 (March 2007).
- 2. Id.
- 3. http://english.justitie.nl/currenttopics/pressreleases/archives2007/-Dut...
- 4. CBP, "Onderzoek door het College bescherming persoonsgegevens (CBP) naar de verwerking van persoonsgegevens door Advance Concepts B.V." ("Investigation into Processing of Personal Data by Advance Concepts B.V."), 15 December 2009, available in Dutch at http://cbpweb.nl/downloads_pb/pb_20091218_advance_bevindingen.pdf.
- 5. "CBP: internetbedrijf Advance in overtrading" ("CBP: Internet Company Advance Breaks the Law"), De Telegraaf, 18 December 2009, available in Dutch at http://www.telegraaf.nl/digitaal/5601197/__CBP__internetbedrijf_Advance_....
- 6. Dutch DPA Publication of Personal Data on the Internet, supra. See also 11th Annual Report of the Article 29 Data Protection Working Party, supra.
- 7. Id.
- 8. CBP, Letter of final decision regarding data collection practice www.zikle.nl, 19 March 2009, available in Dutch at http://www.cbpweb.nl/downloads_pb/pb_20090324_eindbeslissing_zikle.pdf. See also CBP, "Bijlage definitieve bevindingen onderzoek naar het door Diginus via de website www.zikle.nl verzamelen en verwerken van persoonsgegevens" ("Appendix Final Findings Research by Diginus into Personal Data Collection and Processing at www.zikle.nl"), 22 September 2008, available in Dutch at http://www.nrc.nl/binnenland/article1856515.ece/Privacy_kilometerheffing....
- 9. 11th Annual Report of the Article 29 Data Protection Working Party, supra.
- 10. Id.
- 11. Id.
- 12. Id.
- 13. CBP Annual Report for the Year 2006, supra.
- 14. Id.
- 15. Id.
- 16. CBP Annual Report for the Year 2009, supra at 75.
- 17. CBP, "Aanvullingen concept wijziging Besluit gebruik BSN in de zorg" ("Additions to Concept Change in Decree to Use SSN in Healthcare"), 28 May 2009, available in Dutch at http://www.cbpweb.nl/downloads_med/med_20100209_epd.pdf. See also "Advies van het College bescherming persoonsgegevens (CBP) over aanvullende bepalingen in het voorstel tot wijziging van het Besluit gebruik BSN in de zorg" ("Advice of the CBP on Additions to Concept Change in Decree to Use BSN in Health Care"), 14 July 2009, available in Dutch at http://www.cbpweb.nl/downloads_med/med_20100209_epd_bijlage.pdf.
- 18. Id.
- 19. CBP, "Definitieve bevindingen SPITZ Midden-Holland" ("Final Recommendations SPITZ Midden-Holland"), 18 May 2009, available in Dutch at http://www.cbpweb.nl/downloads_pb/pb_20090527_chp_gorinchem_def_bevindin.... CBP, "Definitieve bevindingen Centrale Huisartsenpost Gorinchem" ("Final Recommendations Central General Practitioners Office Gorinchem"), 18 May 2009, available in Dutch at http://www.cbpweb.nl/downloads_pb/pb_20090527_spitz_mh_def_bevindingen.pdf.
- 20. Id.
- 21. "DNA Samples to be Taken from Convicted Persons," Ministry of Justice, February 2005, available at http://english.justitie.nl/currenttopics/pressreleases/archives2005/Dna-....
- 22. CBP, "Wetgevingsadvies – Wet gebruik BSN in de financiële sector" ("Legal Proposal Advice – Law Regulating the Use of the BSN in the Financial Sector"), 23 March 2010, available in Dutch at http://www.cbpweb.nl/downloads_adv/z2010-00096.pdf.