Notifications data security breaches - The Netherlands

01 February 2007

Gerrit-Jan Zwenne, Huub de Jong

Relevant current legislation

Dutch law does not explicitly require network operators and Internet Service Providers to notify national regulatory authorities and their customers of any security breach. However, as a result of the implementation of the Data Protection Directive (1995/46/EC) and the Privacy and E-Communication Directive (2002/58/EC), Dutch law already contains relevant legislation regarding security breaches.

Telecom Act

Public network operators and Internet Service Providers are subject to the Dutch Telecom Act (“DTA”). Articles 11.2 and 11.3 of the DTA implement article 4 of the Privacy and E-Communication Directive and impose obligations on both providers of public electronic communication networks and providers of public communication services.

Providers must ensure that personal data of subscribers and network/service users is protected. As a result, providers must take appropriate technical and organisational security measures to ensure the safety and security of the networks and services provided by them. Such measures must ensure an appropriate level of security, taking into account the level of risk, the state of the art and the costs of implementing the security measures.

In addition, providers should inform their subscribers about “special risks” to the security of their data. Special risks are those risks that fall outside the remit of the provider’s duty to protect their subscribers. As part of this obligation, providers should state what steps may be taken to avoid the risks, and the likely cost of the preventative measures.

Article 18.8 of the DTA also gives the Minister of Economic Affairs the power, at his discretion, to create rules relating to the safety and security of public electronic communication networks and public communication services.

Data Protection Directive

As well as the DTA, the Dutch Data Protection Act (“DPA”) applies to network operators and Internet Service Providers. The DPA implements the Data Protection Directive and applies to almost any processing of personal data where the data controller is established in The Netherlands.

Article 13 of the DPA states that a controller must implement appropriate technical and organisational measures to secure personal data against loss or against any form of unlawful processing. These measures must guarantee an appropriate level of security. This appropriate level is determined by taking into account the available technology, the costs of implementation, the risks associated with the processing and the nature of the data to be protected. Furthermore, Article 76 DPA prohibits the transfer of data to a third country (outside the European Economic Area), if such a country does not guarantee an appropriate level of protection.

The predecessor of the Dutch Data Protection Authority, the Registration Board, published a report in April 2001 in which it formulated some more practical requirements which expand on article 13 DPA (G.W. van Blarkom and J.J. Borking, Beveiliging van persoonsgegevens, Registratiekamer, April 2001, Achtergrondstudies en Verkenningen 23).

Other legislation

Under the Dutch Penal Code it is illegal to unlawfully access a computer system, or to delete or damage data that is stored on, processed by or transferred by an automated system or by telecommunication. A consequence of this is that companies need to ensure some degree of security over their networks and internet service.

As part of their report to the managing board and supervisory board, accountants are obliged to report their findings as to the reliability and continuity of automated systems (Article 2:393 of the Dutch Civil Code).

It could also be argued that a provider has a duty of care towards its users, and that by not providing an adequate level of security the provider is in breach of that duty of care.

The Dutch response to the Commission’s proposal

In its response to the European Commission’s proposal for reviewing the EU regulatory framework for electronic communications, the Dutch Ministry of Economic Affairs gave its opinion as to how to strengthen consumer and user rights and improve security (Letter of the Minister of Economic Affairs with reference ET/TM/6073383, available at http://europa.eu.int/).

The Dutch government agrees in the main with the European Commission's proposals relating to the protection of consumers and security, and believes that it is important to strengthen the consumer's position. However, the government considers that there is still scope to lay down additional rules to further protect the consumer at the national level. Accordingly, it proposes that the European Commission provides for a minimum level of harmonisation.

Relation to liability

The Dutch government wants the revised framework to emphasise the ISP's liabilities and responsibilities in ensuring secure and reliable services. In this way, providers will be further encouraged to fulfil their obligation to provide a more secure service.

The Dutch government considers that the solution to the problem of internet security is hindered by the exclusion of liability for intermediaries pursuant to the E-Commerce Directive (2000/31/EC), as well as the ban on general supervisory obligations. The government therefore proposes that an exception to these rules should be carved out, which would specifically impose liability for security deficiencies. Currently, national authorities have great difficulty in making intermediaries accountable.

Scope of notification duty

The Dutch government notes that the European Commission uses the term security in its proposals in two different ways. First and foremost it is used in the broad sense: spam, spyware, malware, viruses and suchlike. Besides that it is also used in the narrow sense: safeguarding personal data and the continuity of service provision. The Dutch government agrees with the European Commission that notification should be possible for all security breaches.

According to the European Commission, notification should be made by the providers of electronic communication services and by providers of electronic communication to both their clients and to the national regulatory authorities. The national security advisors can then in turn inform the general public. The Dutch government's view is that it is not always appropriate to notify security breaches to all. It believes that in some cases, notifying everyone through the national regulatory authorities is too wide a response to security breaches. The Dutch government contends that it would be better to inform just the injured party. This is not necessarily always the client. The government wants to avoid bombarding the public or clients with notifications of security breaches, as this may distress or injure them. It concludes therefore, that the aim should always be for the notified party to be able to take appropriate action as a result of a notification.

To assist the national regulatory authorities in enforcing the provisions protecting user security, the Dutch government takes the view that users should be able to report security breaches to a national regulatory authority in a straightforward way.

Exception for investigating and prosecuting criminal offences

The Dutch government also suggests that an exception to the obligation to notify should be made for the purposes of investigating and prosecuting criminal offences.