Tag Archive: Telecommunications Act

THE NETHERLANDS: new cookie legislation entered into effect

By Richard van Schaik and Róbin de Wit

 

Today, the amendments to the current Dutch cookies regulation in Article 11.7a Telecommunications Act (TA) entered into force.

In short, amendments provide for:

1. an additional exception to the required prior informed consent rule for the placement of cookies and similar software. This means that both cookies that are strictly necessary for the provision of an information society service (functional cookies), as well as cookies that have little or no impact on the privacy of the internet user (e.g. first party analytic cookies), do not require prior informed consent of the user. The prior informed consent- instrument is now restricted to serious privacy cases and does not apply to cases which do not infringe users’ privacy;

and

2. a ban on the use of cookie walls by public agencies. With this amendment, public agencies cannot refuse users who do not wish to pay for access to public services, by giving away their personal data.

For more detailed information about the new legislation, please click here.

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/the-netherlands-new-cookie-legislation-entered-into-effect/

NETHERLANDS: Cookies regulation: Dutch Parliament agrees on exceptions and bans

By: prof. mr. J.J.C. Kabel

Last Tuesday, the Dutch Parliament agreed on amendments to the current cookies regulation in Article 11.7a Telecommunications Act (TA). Art. 11.7a TA contains the Dutch implementation of Article 5, par. 3 Directive 2002/58/EG. The amendments provide for (a) one more explicit exception to the required prior informed consent rule for the placing of cookies and similar software and for (b) a ban on the use of cookie walls by public agencies.  These amendments must still be approved by the Senate. 

(a) Current legislation provides for one exception only:  cookies which are strictly necessary for the provision of an information society service requested by the subscriber or user. All cookies that are not strictly necessary for the essential operation of the service required prior informed consent. Current legislation therefore did not further differentiate between cookies with no or little impact on the user’s privacy and other cookies. Placing of both cookies required prior consent.

The new exception relates to cookies that have little or no impact on the privacy of the internet user. One may think of first party analytic cookies, affiliate or performance cookies used for the purpose of paying affiliates or cookies used for testing the effectiveness of certain banners. These cookies are not strictly necessary for the operation of the service but they are useful for the provision of information about the quality or the effectiveness of these services and, if not used for other purposes, will have little impact on the privacy of the user.  The exception values the significance of consent, by restricting this instrument to serious cases and not for cases which do not infringe the privacy of the user.

Serious cases concern tracking cookies placed by third parties. An amendment requiring explicit consent for the placing of these cookies was rejected by Parliament. Consent must be informed and prior to the placing of cookies. It can be fulfilled by further clicking on parts of the website after the user is completely informed about the placing of cookies and its purposes. If the party responsible for the placing of cookies aims at collecting, combining or analysing data about the use of different information services by the user in order to treat these users differently, the said data are, subject to presumption of rebuttal, supposed to be personal data in the sense of the Dutch Data Protection Act (DPA). Consent then must comply with the requirements of the DPA which could imply explicit consent.

(b) the Parliament also accepted an amendment by one of its members on the use of cookie walls. According to the new Article 11.7a, par. 4a TA access to services of the information society delivered by public agencies shall not be dependent of prior consent. With this amendment, public agencies cannot refuse users who do not wish to pay for access to public services, by giving away their personal data.  As these services are already paid for by public resources, users should not, according to the explanatory note at this amendment, be forced to pay twice with their personal data. 

For further information, please contact Richard van Schaik (richard.vanschaik@dlapiper.com), Jan Kabel (jan.kabel@dlapiper.com) and Róbin de Wit (robin.dewit@dlapiper.com)

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/cookies-regulation-dutch-parliament-agrees-on-exceptions-and-bans/

THE NETHERLANDS: Public service broadcasting modifies its cookie policy after fine threat

By Richard van Schaik and Róbin de Wit

 

The Dutch telecommunications supervisory authority, the Authority for Consumers & Markets (“ACM”), has established that the Netherlands Public Broadcasting (“NPO”) violated the rules for placing cookies. On various websites managed by the NPO, the NPO places cookies at user’s devices without having obtained their priot informed opt-in consent. By doing so, the NPO violates Dutch cookie law as laid down in the Telecommunications Act (Telecommunicatiewet “Tw”). Under the Tw, it is prohibited to place cookies without having informed users properly and without having obtained their prior opt-in consent.

 

Background decision ACM

In 2012, the ACM sent letters to a large number of Dutch government websites or websites linked to the government on the compliance with Dutch cookie law. The ACM holds the opinion that now that the government is (indirectly) involved, it is of importance that these websites set a good example in this respect. Therefore, the ACM currently takes enforcement action where government websites are concerned.

The websites managed by the NPO fall within the scope of government websites. According to the ACM, it had confronted the NPO with its violating behavior several times. Since the NPO failed to come up with a satisfactory response and in order to force the NPO to adjust its current policy, the ACM imposed an order subject to a penalty for noncompliance amounting to EUR 25,000 per week with a maximum of EUR 125,000.

 

Background Dutch cookie law

Under Dutch cookie law, website operations need to consider the application of article 11.7a of the Tw for the use of cookies. Cookies that are placed on, or read from, a user’s computer require informed prior opt-in consent before being placed. The principle of informed prior consent does not apply where functional cookies are concerned, i.e. cookies that are strictly necessary for the provision of an information society service requested by the user. For example, tracking cookies do not fall under this “strictly necessary”. On the contrary: tracking cookies or similar data files placed or accessed, are considered to be personal data, unless the party placing such cookies or information can prove otherwise. If the placement of cookies – like tracking cookies – also involves the processing of personal data, the Dutch Personal Data Protection Act (Wet bescherming persoonsgegevens “Wbp”) also applies. Under the Wbp, a legal basis for the processing of personal data is required, which can often be found in the unambiguous consent of the user. Currently, the Dutch cookie legislation is being reviewed and it is very likely that after the summer holidays, new legislation comes into force.

In reply to ACM’s decision, NPO confirmed it will change its policies.

For further information, please contact Richard van Schaik (richard.vanschaik@dlapiper.com) or Róbin de Wit (robin.dewit@dlapiper.com).

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/the-netherlands-public-service-broadcasting-modifies-its-cookie-policy-after-fine-threat/

The Netherlands: Dutch websites massively violate privacy laws by unsolicitedly placing tracking cookies

 

Dutch newspapers report that Dutch websites massively violate privacy laws by passing on information about surf and click behavior of visitors to advertising companies, without permission of the visitors involved. Such information is collected through so-called tracking cookies.

Under Dutch cookie law, website operators need to consider the application of article 11.7a Telecommunications Act (Telecommunicatiewet) for the use of cookies, except for those which are “strictly necessary for the provision of an information society service requested by the subscriber or user”. This means that all cookies that are not strictly necessary for the essential operation of the website require prior informed (opt-in) consent. Tracking cookies do not fall under this “strictly necessary” exemption. On the contrary: tracking cookies or similar data files placed or accessed, are considered to be personal data, unless the party placing such cookies or information can prove otherwise.

Rules on cookie consent are subject to new legislation under which the required opt-in consent may be changed to implied consent. However, because of the privacy sensitivity the this new legislation will not apply to tracking cookies. This means that the required opt-in consent remains unchanged so that even after a legislative change Dutch websites will still be in violation of the Telecommunications Act. Therefore, parliamentary questions are currently asked to the Dutch state secretary of Justice, Fred Teeven.

Although no sanctions have been imposed yet by the Dutch supervisory authority (Authority for Consumers & Markets (“ACM”)), the ACM does acknowledge that not every website complies with Dutch cookie laws. Currently, the ACM is investigating companies that violate the laws so it is likely that the first fine will be imposed soon.

For further information, please contact Richard van Schaik (richard.vanschaik@dlapiper.com) or Róbin de Wit (robin.dewit@dlapiper.com).

Permanent link to this article: http://blogs.dlapiper.com/privacymatters/the-netherlands-dutch-websites-massively-violate-privacy-laws-by-unsolicitedly-placing-tracking-cookies/