New Dutch Data Surveillance Law Worries Digital Companies

By Stephen Gardner

Companies operating in the Netherlands are concerned that a new government surveillance law may undermine the country’s status as an internet hub, digital communications and privacy professionals told Bloomberg BNA.

The updated Dutch Information and Security Services Act, which will greatly expand the powers of security services to intercept personal and communications data, takes effect Jan. 1, 2018. Companies are worried that they will be forced to hand over more customer personal data, undercutting people’s trust in digital communications, the privacy and communications pros said.

The law could lead to internet users “suspecting their information is not safe,” Tim Toornvliet, a spokesman for Nederland ICT, which represents more than 550 information and communication companies operating in the Netherlands, including U.S.-based computer networking services company Juniper Networks Inc. and Taiwanese multinational hardware and electronics company Acer Inc., told Bloomberg BNA.

U.S.-based tech giants Alphabet Inc.'s Google and Amazon.com Inc. operate cloud service data centers in the Netherlands. Google Netherlands spokesman Rachid Finge told Bloomberg that Nederland ICT spoke for the company on the issue.

The law will directly impact internet service providers and data centers, and “we fear that this will impact the trust in ICT in general and will not improve our global position,” Toornvliet said.

Under the law, which was passed by the Dutch Senate July 11, the Dutch security service and its military intelligence counterpart will be authorized to require companies to provide access to large data sets for analysis purposes and to order decryption of encrypted communications, where possible. The law would also make it possible for security services to tap into the communications and digital devices of friends or associates of suspects in criminal cases, rather than only the devices of suspects themselves, as is currently allowed.

Legal Challenge Planned

Jelle Klaas, an attorney with Fischer Groep and coordinator of the Public Interest Litigation Project, which pursues human rights cases, told Bloomberg BNA that the group is preparing a legal challenge to the amended law. The complaint will be filed soon after the law’s effective date, Klaas said.

There is opposition because the new law will create a “dragnet” for personal data, Klaas said. Several companies were “very, very critical” of the law but reluctant to join a legal action against the government, he said.

When the draft amendments were opened for public comments in late 2015, they drew more than 550 contributions—an unusually large number for a draft law in the Netherlands, Klaas said. The comments included critical remarks from such large companies as Google and Vodafone Group plc, he said.

The Dutch Data Protection Authority was also critical, saying in a December 2016 opinion there was insufficient justification for the new surveillance powers, and that privacy oversight mechanisms were lacking.

Dutch privacy office spokeswoman Merel Eilander told Bloomberg BNA that the DPA had no further comment on the final act.

Toornvliet said the act as finally approved had “improved a little” compared to its draft version. “There are some oversight measures but we have to see how it works out in practice,” he said. “Fundamentally the scope is still very wide.”

To contact the reporter on this story: Stephen Gardner in Brussels at correspondents@bna.com

To contact the editor responsible for this story: Donald G. Aplin at daplin@bna.com

For More Information

Further information on the amended Information and Security Services Act is available, in Dutch, at http://src.bna.com/qRZ.

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.