The Internet: a global free space with limited state controlMarch 17, 2015 - nr.92
Summary, conclusions and recommendations
Summary and conclusions
Chapter II explains that the internet, as represented by the internet community, has broken free of the traditional structure of the telecommunication sector under international law, namely a convention (recording global agreements about telecommunications) and an international organisation (the International Telecommunication Union) in which national states work together. This structure has been replaced by a multistakeholder model, partly under private law, consisting of ICANN (domain names and addressing) and a range of technical groups that regulate the internet’s standards and protocols. This change has been accompanied by a technical revolution in the manner in which data are transmitted and a social revolution in the manner of communication. ICANN still has formal ties with the US Department of Commerce. The prevailing view since the Snowden affair is that these ties can no longer be maintained. Ways of basing a new structure on the multistakeholder model are now under consideration.
This form of governance is limited to the technical layers of the digital network, although there is no consensus within the internet community about this narrow interpretation of governance (see section V.2). Alongside this new internet structure, an old organisation – the ITU – is still trying to extend its sphere of influence, most recently by an attempt to modify the International Telecommunications Regulations at the World Conference on International Telecommunications in Dubai. Hitherto, its efforts have been unsuccessful. Within the ITU, countries such as Russia and China are attempting to get a tighter grip on internet communications, including content. Some time ago, however, the UN established a new global organisation known as the Internet Governance Forum (IGF). In this framework, states are attempting to cooperate with other stakeholders to reach consensus on the concept of internet governance. Hitherto, this has met with only partial success because, quite apart from the more technical issues, it is very difficult to reach consensus on subjects about which the parties hold such widely differing views. This is the background against which the AIV has answered the government’s questions.
The government’s first question was how can it ensure that internet freedom is embedded and further operationalised in Dutch domestic and foreign policy as effectively as possible. This question has been discussed at a conceptual level in chapter III. First, it is explained that the existing framework of communication and privacy-related fundamental rights is no longer in keeping with the current state of the technology. It is also apparent that any measures to change this should be taken only after proper consideration and with due caution, in order to avoid lowering the level of protection. This is demonstrated by reference to factors such as traffic data and the privacy of communication. Privacy of communication is no longer a static given in a network society, but is instead about the protection for how and in what connection an individual can communicate freely. A second important point is that the legal concepts have either been developed for a technical reality different from the current internet (e.g. the concept of processing in data protection law) or are based on a situation in which a clear distinction can be made between the transport and expression of the message (from media and telecommunication law). Another important and related question concerns the divide between international jurisdiction and the universality principle on the one hand and national sovereignty on the other. This divide is reflected, above all, in the difficult negotiations between the EU and the United States on the safe harbour principles in relation to data protection. Another matter deserving consideration is the ongoing erosion of the concept of personal data due to developments such as Big Data and the mass or targeted surveillance of citizens. Many people wrongly assume that traffic data are not, by definition, personal data, but it has to be realised that individual profiles can be compiled from a collection of traffic data. So the assumption that it is acceptable for anonymous data to be collected on a massive scale without effective supervision is also incorrect.
It is also noted that security should be viewed in the context of the rule of law. Striving to achieve the impossible ideal of precluded event security can lead to the adoption of disproportionate measures that harm the balance under the rule of law.
This advisory report also describes the clash of views on the broadening of the definition of internet governance, which has a bearing on the embedding of internet freedom in domestic and foreign policy. One of the places in which this clash is most visible is the ITU (section II.3). The debate about the new organisation to replace ICANN is also of great importance because control of the root is critical to internet freedom and ICANN can be seen as the spider at the centre of the internet governance web (section V.1). The Internet Governance Forum (IGF) appears to be a suitable organisation in which to debate issues connected with the operationalising of internet freedom, but its secretariat is understaffed and underfunded.
The government can also make a contribution to promoting internet freedom by applying the same normative principles in policy debates in the Netherlands as it advocates broad. If constitutional democracies fail to do this, they risk being seen by the world as Janus-faced, paying lip service to one set of values (the rights and freedoms guaranteed under the rule of law) while actually implementing another (restrictions on freedoms that do not meet the safeguards required under the rule of law), as explained in section V.2. This is the very problem which is currently detracting from the credibility of the United States at home and was criticised by Richard Haass, president of the US Council on Foreign Relations, in his study entitled Foreign Policy Begins at Home.1
The second question was whether Dutch jurisdiction over internet freedom is limited to activities in the Netherlands, or whether it extends, by virtue of the increased technological possibilities, to situations outside the country. The second part of the question was how the Dutch government could help to effectively safeguard internet freedom beyond the country’s borders if such jurisdiction does not extend this far. On the internet the production, storage and distribution of information is no longer bound by place and time. The internet has no national borders. However, although the technological possibilities have indeed increased, this does not mean that the powers too are broader. In section V.2.2 this question is focused on the draft of the Computer Crime III Bill which has been the subject of consultation. In the AIV’s opinion, the powers created in this draft bill are wider than permitted under international law.
Nonetheless, the national states continue to play an important role because the physical infrastructure of the internet begins and ends in an area over which they have de facto and de jure jurisdiction. Questions about access and free and unchecked communication are therefore still concentrated within the national legal sphere. It becomes apparent in chapters III and V, which deal with issues of access, surveillance and censorship, that these are national decisions which are assessed in the light of international or regional (ECHR and EU) conventions. By contrast, section V.4 explains that the major international internet companies which play a role in internet access and the free use of the internet fall under Dutch jurisdiction only to a limited extent, namely if the acts in question are performed within that jurisdiction. In addition, there is regular discussion about when exactly this occurs in the case of internet services. The Google Spain judgment of the European Court of Justice represents a breakthrough in this respect.
The third question was to what extent businesses are responsible for protecting citizens’ internet freedom in countries where they operate, and how the Dutch government, both by itself and in cooperation with other countries, can encourage businesses to assume such responsibility. This advisory report explains that the electronic communication industry is now organised very differently than in the period when the main means of communication were telephone and telex. The system of state monopolies in an international framework under public law has been replaced by a system consisting of many players. In this system, the private sector plays a major role. This has been discussed at various places in this report, particularly in chapter II and section V.4. The private sector plays an important role in the governance of the internet, and internet companies provide a variety of services such as search engines, cloud computing (sections III.4.1 and IV.3.2) and email. Sometimes they are compelled to act as extensions of the authorities, as in the case of data retention (section III.2) or censorship, which is something to which they may or may not raise objections (section V.3). The private sector therefore has considerable influence over internet freedom.
It should be noted that the position of internet companies is not always legally clear. For example, it is not clear in the Netherlands whether the social media come under telecommunication law or media law. The answer to this question has a major bearing on the extent to which they can be held liable for the content of communications and publications. Moreover, companies can find themselves backed into a corner by national jurisdictions with different legal regimes. Commercial considerations are normally decisive for internet companies, both generally and as regards the collection, processing and storage of data of internet users. As yet, it is unclear in law to what extent businesses are responsible for protecting internet freedom. This question must be viewed within the broader context of corporate social responsibility. The UN’s Guiding Principles on Business and Human Rights, which have been drawn up for this purpose and are currently the subject of international consultation, are of special relevance in this area.
Sections III.2, III.4 and IV.3.2 explain that data of Dutch internet users are often stored on servers outside Dutch jurisdiction (cloud computing). The states where the servers are located are usually authorised to demand access to those data on certain conditions. As computers cannot process encrypted data very well, and the servers on which the data are stored are often located in jurisdictions where Dutch citizens have no legal protection, the system is potentially as leaky as a sieve. Nor do safe harbour agreements provide sufficient protection since they are ineffective, hard or impossible to enforce and contain unduly wide national security exceptions. These risks deserve the government’s full attention.
The Dutch government’s policy is to arrange for all dealings between government and citizen to take place online: by 2017 all government files, records and transactions must be electronic as part of the nationwide digital programme. In the AIV’s opinion, it is necessary to establish as a matter of urgency whether, during storage and processing, these data may end up outside Dutch jurisdiction where they cannot be sufficiently protected, technically and legally. Policy and legislative measures must be taken to prevent such a situation, or at least to create legal safeguards to ensure that access to the data is subject to the same legal safeguards that apply in the Netherlands (see sections III.5.1 and III.5.2). Sufficient guarantees of legal protection are also important.
The Netherlands is well placed to build on its thriving internet economy. It can capitalise on this by creating a positive business climate, particularly by providing optimal protection of internet freedom in all the ways discussed in the present report. Organising international conferences and hosting international institutes have a positive spin-off, but will yield only fleeting benefits if they are not embedded in the Dutch internet community. As part of the international efforts to promote optimal internet freedom, the Netherlands could create a positive business climate for internet companies and encourage the formation of innovative internet centres staffed by specialists within the universities. Moreover, the Ministry of Economic Affairs, which plays a key role in this, should arrange for better coordination between the departments responsible for internet-related issues.
A basic aim of Dutch human rights policy and also a cornerstone of its foreign policy is to set an example (without pretending to be perfect), particularly in terms of openness and accountability: democracy and freedom in the Netherlands are the criteria. It follows that the Netherlands must also strive for the same high level of internet protection nationally as it promotes internationally. This is a responsibility of all ministries, especially those currently responsible for internet matters.
A matter deserving special consideration in relation to the pending constitutional amendment, the proposed revision of the Dutch Intelligence and Security Services Act 2002 and the draft Computer Crime III Bill is whether the policies and legislation introduced by the Netherlands are consistent with the image it wishes to convey internationally.
The need to ensure effective and independent oversight of the intelligence and security services has received huge coverage in the United States since the Snowden affair, and the subject has also been raised in the Netherlands in the course of the evaluation of the Dutch Intelligence and Security Services Act 2002, for example in a motion filed by the Christian Democratic Alliance (CDA) party in the Senate and adopted on 7 October 2014 (Senate of the States General, 2014-2015, CVIII, D). The resolution on the promotion, protection and enjoyment of human rights on the internet, which was adopted by the UN Human Rights Council in July 2012 and under which individuals have the same rights online as they have offline, should serve as the touchstone for Dutch policy. If, because of the permanent terrorist threat, measures must be taken against persons or categories of persons not suspected of any specific offence, this can be justified under the rule of law only if effective and independent oversight exists. The AIV believes that strengthening effective and independent oversight of the lawful and proportionate use of investigative and preventive measures by the Dutch Data Protection Authority and the Intelligence and Security Services Review Committee (CTIVD) is of great importance to internet freedom, as defined in this advisory report, given the current state of the technology and the changes in international relations.
The Netherlands will spend approximately €53.5 million on human rights policy (including Radio Netherlands Worldwide) in 2014. Part of that is allocated to the promotion of internet freedom. The Netherlands is providing manpower and funding to support various important projects concerning internet freedom. However, there is no evidence that it has a coherent vision of the internet and the various aspects that must be distinguished and emphasised. Before it is decided what activities should be supported, the government should conduct a survey to identify what aspects of the problem are relevant to the Netherlands and what priorities should be set. It could, in consultation with organisations working in the field, take specific measures to promote internet freedom and security, for example by developing and publishing open source software. The failure to consider ways of improving international policy-making (the operation of the Internet Governance Forum and the reorganisation of ICANN) is regarded by the AIV as a clear omission.
Much can also be said about the Dutch role in relation to the EU’s involvement in matters of internet governance. The Netherlands has adopted a wait-and-see attitude on whether or not the Safe Harbour Agreement should be renewed and on the negotiations about the Umbrella Agreement. However, the Netherlands possesses more than sufficient know-how to play a more leading role in relation to these topics. The government should take the position that unless far-reaching improvements are made to the Safe Harbour Agreement it can no longer serve as the basis for the exchange of data with the United States in the private sector. The Netherlands can use its Presidency of the EU in 2016 to make proposals to update the existing legislation relating to internet freedom.
Something which deserves special consideration is the provision of better privacy safeguards for the exchange of data between national intelligence and security services within Europe and beyond. When the Intelligence and Security Services Act 2002 is revised, the exchange of data between Dutch and foreign intelligence and security services should be regulated by law, with sufficient safeguards for the privacy of citizens, as explained in section III.2.
The activities of the private sector and internet organisations in which the internet companies play a dominant role can have a significant impact on internet freedom. Internet companies are mainly motivated by profit considerations and have to deal with divergent national and international statutory frameworks. The government’s role is to monitor hether new software, protocols and the like infringe the European interpretation of the freedom of expression, privacy and data protection. NGOs can play a signalling role here.
The question of how international companies can be involved in implementing Dutch human rights policy has long been under consideration. This issue is very urgent in the context of this advisory report since just a few international companies are responsible for the transmission of information internationally (both confidential and public communications) and for the safeguards that should be provided. The government must therefore raise the issue of the responsibility of these companies in international forums and enter into a dialogue with them about human rights, just as it does with foreign governments.
As seen in numerous places in this advisory report, issues of internet freedom are not the responsibility of any single government ministry and are also increasingly connected with responsibilities that must be borne by the private sector and other stakeholders. This means that the implementation of Dutch human rights policy, particularly in this field, is a shared responsibility. The AIV therefore recommends that the formulation and preparation of policy on internet-related matters should be coordinated and constitute a shared responsibility.
The Netherlands must pursue a more consistent policy on the positions it wishes to take in the different international forums and the partners with which it wishes to form coalitions. The Ministry of Foreign Affairs must invest more money and manpower in the Internet Governance Forum. It could also advocate privacy-enhancing measures within ICANN and other internet organisations. An example was given in section V.1: the WHOIS database of the Dutch Internet Domain Registration Foundation (SIDN), which registers domain names for the .nl country code domain, does not reveal the address information of the domain name holder, other than, on request, to bailiffs and lawyers. The Netherlands could press for the adoption of such a solution internationally.
Various ministries are involved in formulating policy on internet freedom. These are the Ministry of Foreign Affairs, the Ministry of Security and Justice, the Ministry of Economic Affairs, the Ministry of the Interior and Kingdom Relations and the Ministry of Defence. The Ministry of Economic Affairs regularly consults with Dutch stakeholders in preparation for international meetings. This is an example that could be followed by other ministries. From its interviews with experts, the AIV has the impression that the Ministry of Foreign Affairs is rather out of touch with the Dutch internet community. It would be desirable for this ministry to make more personnel available to bring its knowledge of the internet, including EU-related issues, up to standard and establish closer contact with the internet community in the Netherlands and abroad.
1 Richard N. Haass, Foreign Policy Begins at Home. The Case for Putting America’s House in Order, New York: Basic Books, 2014.
Mr J.G. de Hoop Scheffer
Chairman of the Advisory Council
on International Affairs
P.O. Box 20061
2500 EB The Hague
Date 20 February 2014
Re Request for advice on internet freedom
Dear Mr De Hoop Scheffer,
‘Internet freedom’ is a major priority of Dutch human rights foreign policy. The basic principle of internet freedom is that fundamental rights offline should also apply online. The rights to privacy, data protection, confidential communications and freedom of expression are particularly notable examples.1 The recent UN resolution on the right to privacy in the digital age, which was co-sponsored by the Netherlands, articulates this principle clearly.2 To reinforce the principle, the Netherlands is developing initiatives on its own and with other countries. Two years ago, for instance, the Netherlands established the Freedom Online Coalition (FOC). The FOC now numbers 22 countries and is dedicated to promoting internet freedom across the globe. The coalition organises a multi-stakeholder conference each year and provides financial assistance to bloggers and cyber activists under threat through the Digital Defenders Partnership.
The FOC, and also the International Conference on Cyberspace, which will be held in the Netherlands in 2015, demonstrate that the Netherlands is an international leader when it comes to internet freedom. A growing number of countries, however, want to exert more control over the internet (and its infrastructure) and are developing initiatives to that end. Governments around the world, including the Dutch government, also face the challenge of striking a good balance between freedom and security in different contexts, while respecting citizens’ privacy rights. These trends are putting pressure on internet freedom.
The recent revelations surrounding the US National Security Agency (NSA) have brought the debate on security and internet freedom to a head. One issue is how rights which apply online can be embedded as effectively as possible in national and international legislation and policy. This discussion is being guided by, inter alia, the above-mentioned UN resolution on the right to privacy. In addition, the ‘Necessary and Proportionate’ principles3 may serve as inspiration.4 This document, which was drawn up on the initiative of civil society organisations, sets forth the 13 principles which, in the initiators’ view, ought to apply to modern types of surveillance.5
An advisory report by the Advisory Council on International Affairs (AIV) could fuel and illuminate the debate, which, as is well known, is also being conducted intensely in the Netherlands.
The government would therefore like to present the following questions to the AIV:
1. How can the Dutch government ensure that internet freedom6 is embedded and further operationalised in Dutch domestic and foreign policy as effectively as possible, against the background of:
- the challenge facing governments, including the Dutch government, in weighing the right to privacy – as formulated in the UN resolution on this right7 – against other interests to be protected by those governments as they look for solutions to issues raised by digital communications;
- the leading role of the Netherlands in foreign policy concerning internet freedom, as illustrated by the FOC, and the opportunities which the Netherlands has to influence the international debate, including the International Conference on Cyberspace in the spring of 2015;
- an international playing field in which more and more countries are seeking to exert tighter control over the internet (and its infrastructure) and are developing initiatives to that end;
- the right to protection of personal data, which is addressed in different ways by the UN, the Council of Europe and the EU.
2. Is Dutch jurisdiction over internet freedom limited to activities in the Netherlands, or does it, by virtue of the increased technological possibilities, extend to situations outside the country?8 If such jurisdiction does not extend this far, how can the Dutch government help to effectively safeguard internet freedom beyond the Netherlands’ borders?
3. To what extent are businesses responsible for protecting citizens’ internet freedom in countries where they operate, and how can the Dutch government, both by itself and in cooperation with other countries, encourage businesses to assume such responsibility?9
I look forward to receiving your advisory report.
Minister of Foreign Affairs
1 See articles 10, 13 and 7 of the Dutch Constitution, articles 8 and 10 of the European Convention on Human Rights (ECHR) and articles 17 and 19 of the International Covenant on Civil and Political Rights (ICCPR).
2 Resolution by the General Assembly of the United Nations of 1 November 2013 (A/C.3/68/L.45).
3 Other examples include the ECHR and resolutions by the Council of Europe.
4 The ECHR and resolutions by the Council of Europe can similarly provide guidance.
5 See https://necessaryandproportionate.org/text. These principles have been endorsed by more than 350 organisations and more than 50 independent experts throughout the world. Sweden has also embraced seven of the principles (https://www.privacyinternational.org/blog/swedens-foreign-minister-declares-his-support-for-principles to-protect-privacy-in-the-face-of).
6 See footnote 1.
7 See footnote 2.
8 See preamble, tenth paragraph, of the UN resolution mentioned in footnote 2.
9 For example, through the Freedom Online Coalition and the Council of Europe.
Government’s response to the AIV’s advisory report ‘The internet, a global free space with limited state control’ and the WRR’s advisory report ‘The public core of the internet: an international agenda for internet governance’
It is very difficult to make predictions, especially about the future
Niels Bohr, physicist and Nobel Prize winner
The world is digitalising at an ever faster pace, and this process is being driven by the internet. The internet is generating new opportunities for economic growth, innovation and social development, but is also posing new challenges for our economy, security and freedom. People often look to government to take suitable measures to meet these challenges.
In the recent past various reports have been published on the role of government in relation to the internet. December 2014 saw the publication of a report by the Advisory Council on International Affairs (AIV) entitled ‘The internet, a global free space with limited state control’. This was followed in March 2015 by a report by the Scientific Council for Government Policy (WRR) on ‘The public core of the internet: an international agenda for internet governance’.
The government notes that the Netherlands has already taken key steps to ensure that it is well-placed to capitalise on the opportunities offered by the internet. It therefore views the reports of the AIV and the WRR as an encouragement to continue along the present path and redouble these efforts. This requires a robust national approach designed to utilise the opportunities the internet offers for innovation and economic growth, and to guarantee security and human rights in the cyber domain. It also requires an international cybersecurity strategy to engage with the difficulty of reconciling the internet (which is by definition end-to-end open and without borders) with an existing international legal order based on a system of sovereign states. The development of the internet requires continuous assessment and reappraisal of states’ room for manoeuvre and capacity to act, in both the national and the international domains. In light of these developments the Dutch government continues working to achieve a free, open and secure internet.
In this letter the government responds to both reports. It will first address the challenges which government authorities face in adapting to the digital reality. In its general response to the analysis of the issues in the two reports, the government will also consider the three main themes dealt with by the WRR and the AIV: internet governance, security and human rights. Finally, the letter will examine the specific recommendations made in the two reports.
This response is presented on behalf of the government by the Ministers of Foreign Affairs, Economic Affairs, Defence and the Interior & Kingdom Relations and the State Secretary for Security and Justice.
2. Response to the analysis
A continual challenge for government is the need to adapt its activities to the digital reality in order to ensure peace, security and prosperity in the Netherlands and elsewhere both now and in the future. Just as these aims create challenges and require the various interests to be carefully weighed in the offline world, this also holds true for the online world. It is hardly surprisingly, therefore, that states worldwide have differing views on internet governance. The government’s aim is to safeguard a free, open and secure internet that provides scope for social development, economic activity and innovation.
An important term in the WRR report is the ‘public core’ of the internet, in other words the core protocols that form the basis of a properly functioning internet, including the internet protocol suite, or TCP/IP suite. The AIV describes the internet as a mare liberum, within which the state should confine itself to safeguarding the legal framework of the rule of law and protecting civil liberties. The government endorses the importance of maintaining the free and open character of the internet as a platform for unrestricted data traffic in order to stimulate economic growth and innovation. Although the mare liberum comparison offers some valuable points of reference, it is not entirely appropriate because security and respect for human rights are necessary conditions for economic growth and innovation.
The state is responsible for protecting its citizens, including in an online environment, by furthering protection of their personal data, promoting cybersecurity and preventing or combating cybercrime and threats to national security. International cooperation is becoming ever more important in order to protect these interests in a borderless digital environment. As a consequence, agreements about cooperation and standards of conduct should preferably be made in a European and broader international context.
The above-mentioned interests require an integrated approach. In the government’s opinion, liberty and security are not in conflict, but are complementary interests. The dynamic balance between security, freedom and economic growth must be achieved and maintained through constant open dialogue between all stakeholders, both nationally and internationally. This view of the interplay between security, freedom and economic growth as the basis for policy decisions is underpinned in the National Cyber Security Strategy 2.0.1 In the period ahead, the government will develop a vision for Dutch international cyber policy. This is explained in section 3.1 below.
The government emphasises that it is important for domestic and foreign policy to be consistent. The positions taken by the Netherlands internationally should therefore be in line with national practice and based on the principle of ‘preach what you practise’. By the same token, proposed national measures that deviate from the positions taken by the Netherlands at international level or from international treaty obligations undermine the credibility and effectiveness of Dutch efforts to promote an international order in cyberspace. Hence ‘practise what you preach’ is also a principle that underlies national policy. Naturally, the Netherlands is bound by international legislation only after international agreement has been reached and the Netherlands has committed itself to the obligation concerned.
The government endorses the AIV’s analysis that an open model of governance has been crucial to the development of the internet. The WRR differentiates between governance of the internet’s infrastructure and governance using the internet’s infrastructure. The government will consider this distinction and the state’s role in these two types of governance. Decisions on changing the governance structure of the internet could have a major impact on how the internet as a system evolves further in the future.
The Netherlands has adopted a circumspect approach to what the WRR understands by governance using the internet’s infrastructure, namely use of the infrastructure as a tool for restricting or influencing online content and behaviour. The government’s guiding principle is that fundamental rights such as freedom of expression are just as applicable online as offline. Nonetheless, the authorities can still carry out investigations on the internet to safeguard these freedoms and combat crime, for example in order to tackle the spread of hate speech or discriminatory content on the internet.
The aim of the government’s policy on internet governance is to safeguard the development, accessibility, availability, reliability and integrity of the internet. The government shares the view of the WRR and the AIV that the present governance system has proved capable of guaranteeing the internalisation of these principles in the development of the internet. To safeguard this system in the future, the role of the technical community, including the Internet Engineering Task Force (IETF) and the World Wide Web Consortium (W3C), must be preserved and strengthened. It is particularly important that decisions on technical aspects of the internet be taken by those who have knowledge of the technology and the capacity to devise solutions beneficial to the development of the internet, without being influenced by political agendas.
Thanks to the effective forms of self-organisation and self-regulation which characterise the internet’s open governance structure, the internet has grown to become a single shared and accessible infrastructure that spans the globe. The multistakeholder approach has proved its effectiveness by successfully utilising the expertise of a variety of stakeholders. However, this approach does not mesh well with the multilateral negotiation model traditionally used by states. In this respect, the strength of the multistakeholder model is also its weakness: in its purest form, the model functions primarily to resolve problems, for example in how engineers solve a technical problem. However, since there is no agreement on the division of roles and responsibilities when stakeholders meet in different international forums, the model can be at odds with more traditional decision-making models. This was seen again recently during the negotiations on the final declaration of the World Summit on the Information Society (WSIS) +10 Review Process, where widely varying views were expressed on the role of states and other stakeholders in internet governance. The only reference to this theme in the outcome document was ultimately a confirmation of the principles agreed in the Tunis Agenda of 2005: ‘We reiterate the working definition of internet governance, […], as the development and application by governments, the private sector and civil society, in their respective roles, of shared principles, norms, rules, decision-making procedures and programmes that shape the evolution and use of the internet.’2
The Internet Governance Forum (IGF) is the global forum in which these parties debate, exchange information and try to reach consensus on the structure of the governance model. However, the IGF does not have a mandate to take binding decisions on these matters. In the internet governance field there is a need for the current cooperation and decision-making models to be developed and improved in such a way as to bring state and non-state actors together in a productive manner. Automatic reliance on traditional governance models is not possible given the architecture of the internet, the wide variety of governance topics and the large number of technical, administrative and political actors involved. Now that its mandate has been renewed for 10 years,3 the main challenge facing the IGF in the years ahead is to focus more on achieving tangible and visible results.4
The AIV and WRR reports deal with the role of states, mainly in the context of the Internet Corporation for Assigned Names and Numbers (ICANN). This is the California-based non-profit organisation which carries out operational and coordinating tasks for a number of (logical) functions of the internet and decides on the establishment of new internet domains (such as ‘.com’). ICANN’s functions are of great importance not only technically and economically but also politically, and they directly affect public interests such as the privacy of domain name holders, the protection of intellectual property, the enhancement of internet security and observance of human rights. In addition, ICANN seeks to maintain a single unfragmented and open internet, an aim the government endorses. It is expected that by the end of 2016 ICANN will no longer be subject to the oversight currently exercised by the US authorities. This will be a major step towards the internationalisation of ICANN, which is something the Netherlands has been advocating for years. The AIV report rightly emphasises that the future structure of ICANN is a matter deserving of the government’s full attention, given the implications for the current debate on internet governance.
As ICANN will now continue to exist as an autonomous organisation, its accountability structure must be improved and the role of government in the proposed new mechanisms must be redefined. The future oversight of ICANN is a subject of debate between those states that wish to have multilateral supervision by the UN and those states, such as the Netherlands, that would prefer the existing multistakeholder model to be expanded and strengthened. The Netherlands advocates a more active – albeit still advisory – role for the committee of national governments (the Governmental Advisory Committee; GAC) in the decisions of the ICANN Board. The multistakeholder structure of the organisation and the decision-making powers of the ICANN Board must not be undermined or politicised. Any change to the system of internet governance should not be at the expense of the flexibility, security and stability of the internet or of the promotion of digital rights. The Netherlands is convinced that the internet functions best if all stakeholders can have a say and play a role in its governance. The present system of governance has been a factor in the successful development of the internet and in the resulting economic and social benefits.
Cybersecurity and other forms of security
While the internet creates many opportunities for economic growth and innovation, it also poses challenges for the legal order and security at both national and international level. In section 3.3 below, the government considers the various forms of security mentioned in both reports. In its response to the reports’ general analysis, the government views the security challenge from the perspective of the tension between the internet as a worldwide network and the international legal order, which is based on the sovereignty of democratic nation states governed by the rule of law
The internet is abused by malicious actors for criminal activities which, regardless of their origin, can cause serious disruption to Dutch society.5 This international dimension assumes two forms: first, foreign actors target victims in the Netherlands and, second, Dutch internet facilities are used for activities aimed at foreign targets. This involves threats emanating from both state and non-state actors such as cybercriminals and terrorist movements. The National Cyber Security Strategy 2 describes how the Dutch authorities view and tackle the task of providing cybersecurity for the Dutch public and business community. Their integrated approach includes improving knowledge and intelligence concerning cyber threats, tracking criminals, enhancing resilience and defensive capacity, enhancing military capabilities and actively engaging in cyberdiplomacy.
Given the cross-border and global character of the internet, any security challenges that occur must be tackled internationally. As the international legal order is based on the principle of sovereignty, national authorities have only limited capacity to act alone in tackling security challenges on the internet. This requires international cooperation, for example within the EU, the UN and the Council of Europe. The Netherlands therefore contributes actively to international discussions and to measures to strengthen the international legal order. Nonetheless, many matters that are regulated nationally have yet to be fleshed out at international level.
In tackling cybercrime the Netherlands works actively with international partners in the framework of, for instance, Interpol, the EU (e.g. Eurojust and Europol) and the Budapest Convention on Cybercrime. Combating cybercrime is making new demands on the police and justice system, particularly their capacity to act quickly and exchange information. These developments in the digital domain may also necessitate a reassessment of the legal framework. The Netherlands plays an active role in the debate on the effectiveness of the international legal framework for cross-border investigation of offences in cyberspace and is itself developing new instruments and legislation to improve its own capacity for action. It goes without saying that any new legislation would be tested for compatibility with obligations under international law. The draft of the Computer Crime III Bill, to which the AIV referred in its report, has now been submitted to parliament.
Protection of the public core of the internet
The government endorses the WRR’s view that the economic and social benefits of the internet are dependent on the reliable, predictable, stable and secure functioning of its core protocols. The government recognises that what the WRR refers to as the ‘public core’ exhibits characteristics of an international public good that transcends individual sovereign- and private interests. However, the WRR report does not provide a conclusive answer to what precisely is meant by the ‘public core’. Nor is there agreement about this at international level. The government is proceeding on the principle that the core protocols of the internet form the public core.
The Netherlands recognises that given the nature and interdependence of the digital domain (and the world’s dependence on it), care should be taken to avoid activities that could impact on the public core. State interventions that are in themselves lawful may have damaging effects on the public core of the internet, and this may result in adverse repercussions for other states.
The government’s position is that the maintenance and development of the public core should as far as possible remain a matter for the technical community, while the role of the state should focus as much as possible on supporting that process. As noted above, the present governance structure ensures a depoliticised process aimed at solving problems and facilitating the development of the internet in a broad sense.
Another aim of the government is to promote the international legal order in cyberspace in a similar fashion as it does in the offline world. Protecting the public core of the internet may be a matter of international security in cases where cyber operations by state or non-state actors may impair the functioning of the core.
Despite some concrete results such as the reports of the United Nations Group of Governmental Experts (GGE) and the publication of the Tallinn Manual on the International Law Applicable to Cyber Warfare, the development of an international order in cyberspace is still in its infancy. Hitherto, most attention has been focused on protecting critical infrastructure at national level, in particular for the support of vital public services. The basic assumption is that this critical infrastructure is protected by the prohibition on the use of force and on violation of the sovereignty of other states. The principles and rules of international humanitarian law may also be expected to afford a degree of protection for critical, non-military infrastructure. The Netherlands is actively seeking to achieve more clarity on how existing international law applies to cyber operations and to reach broad agreement on this issue.
Preventing and regulating cyber attacks is a subject of international consultation and academic research aimed at clarifying how international law applies and at developing additional norms of behaviour between states. The introduction of a framework of norms could reduce the room for manoeuvre of malicious state and non-state actors that refuse to abide by international agreements, and could increase international solidarity in condemning such activities. The government sees this as an essential first step towards creating an international order in cyberspace.
The very nature of the cyber domain makes it difficult to conclude verifiable agreements about the activities of states. However, developing norms of behaviour that enjoy wide support does provide opportunities for introducing a common international order based on a shared interest in ensuring that the internet functions effectively and reliably. Such norms can increase the political, diplomatic and economic cost of engaging in harmful activities. States recently reached consensus on one such norm of behaviour at UN level. According to the GGE recommendation in question, ‘[A] State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public.’6 The government regards this recommendation as a first step towards protecting infrastructure, including information infrastructure.
The Netherlands is actively involved in the international debate on possible norms of behaviour to protect – or even ban intervention in – the public core of the internet (or sections of it) and wishes to carry out further study to determine how such standards can be achieved. The government will also investigate whether it is possible to enhance its support for groups that play an important role in maintaining the technical infrastructure. An example is the work done, often pro bono, by the open source community in maintaining, developing and expanding important sections of the public core of the internet. This work could be facilitated through financial support, such as support for strengthening encryption via open source projects.7
Digital rights and internet freedom
Digital rights is another field in which national governments face challenges that exceed their own individual capabilities. The protection of human rights in an online environment requires international cooperation within regional and international organisations.
In its advisory report the AIV addresses the main themes dominating the discussion on online rights, namely the right to protection of privacy, freedom of expression and the role of the law enforcement authorities. As the internet evolves, it is necessary to reassess the legal frameworks that were developed to protect rights in a different era when technology was much less advanced. The government considers it important that the core values of Dutch society, as set out in the Dutch constitution and international human rights conventions, form the basis for the legal framework for safeguarding human rights in the digital society. The government seeks to ensure that these fundamental rights are adequately protected in the digital domain and to promote the application of comparable standards in international law.
An example is the Council of Europe’s Guide to Human Rights for Internet Users.8 Restriction of a fundamental right is permitted only if there is a statutory basis and the minimum requirements of proportionality and necessity are met. Recent case law of the European Court of Human Rights (ECtHR) and the European Court of Justice (ECJ) relating to the digital domain provides an opportunity to more closely define the requirements of necessity and proportionality, including safeguards relating to the nature, scope and duration of measures that restrict the right to privacy.9 In the Dutch context, restriction of these fundamental rights is possible only if there is a compelling societal interest, for example preventing, investigating and prosecuting offences. In addition, there should be adequate legal protection for individuals whose fundamental rights are infringed.
As regards the work of the intelligence and security services, the Dessens Committee10 has concluded that technology has changed to such an extent in the past 10 years that the Intelligence and Security Services Act 2002 should be amended to reduce dependence on technology and introduce a stronger framework of oversight and control. The government intends to rectify this deficiency by amending the legislation and strengthening the safeguards for the protection of private life. As the amendment process is already under way, further discussion of the revised legislation falls outside the scope of this letter. However, in response to the reports it can be said that this process too will include careful consideration of the different interests within the above-mentioned legal frameworks and will be in keeping with the government’s aim of achieving a free, open and secure internet.
3. Response to the WRR’s recommendations
3.1 Towards an international cyber policy
Both the AIV and the WRR advocate the formulation of an integrated international cyber strategy. The government accepts this recommendation. The Netherlands will benefit from performing a careful assessment of Dutch interests in the internet domain and using this as a basis for an international strategy that takes due account of the different interests involved. The manner in which the Netherlands makes these choices has a direct bearing on its position as a host country, its investment climate, and its ability to lead by example.
Although intensive international cooperation is already taking place in various policy fields, more can be done to strengthen coordination between policy fields to allow a better overall assessment of the different interests at play. A coordination structure has been established for various policy fields, including cybersecurity and the digital agenda, to determine joint positions and make decisions. The Ministries of Economic Affairs, Security & Justice, Defence, Foreign Affairs and the Interior & Kingdom Relations all play an active part in this structure. Even prior to this, in fact, cooperation between the ministries had been greatly strengthened in the run-up to the Global Conference on Cyberspace in April 2015. The government endorses the importance of good interministerial coordination in allowing a comprehensive assessment of Dutch interests with respect to the internet.
In the period ahead, the government will work to develop an integrated international cyber strategy which complements and reflects national policy choices in the cyber domain. The strategy will map international developments and provide a framework for decisions on how the Netherlands can best achieve its national objectives in the international arena. For this purpose, broad consultations will be held with a range of stakeholders. Without wishing to encroach on the policy remit of the various ministries, the government is seeking to develop an approach that reflects the interwoven nature of the various internet-related themes, as rightly noted by the AIV and the WRR. The strategy will also foster better coordination of Dutch activities in various international forums such as the UN, NATO, the OSCE, the EU and the Council of Europe. Moreover, the government is working continuously to strengthen systematic coordination between government ministries and implementing organisations to ensure that Dutch activities in the international forums are always coherent, clear and effective.
The government is of the opinion that the international cyber strategy of the Netherlands should be based on its national interests. At the same time, it should also take account of international developments in the fields of technology, international law, geostrategy and diplomacy, and it could serve as a tool for dealing with the impact of such developments on national interests. Such interplay between national and international developments is particularly crucial in the cyber domain. As a consequence, the international strategy should complement the existing national strategy documents in particular fields, such as the National Cyber Security Strategy 2.0 and the Digital Agenda.nl, which also cover aspects of international policy. The policy initiatives resulting from the Global Conference on Cyberspace 2015 (GCCS 2015) and the Freedom Online Coalition, which the Netherlands helped to establish in 2011, will be taken into account in the strategy. Dutch efforts in this area will continue to be based on the vision of a free, open and secure internet. The themes on which the Netherlands will focus are economic growth and social development, internet governance, cybersecurity, international peace and security in the cyber domain, digital rights, tackling cybercrime and building cyber capacity. The government wishes to capitalise on the Netherlands’ existing strengths in these fields and use them both to represent national interests and to enhance the international legal order.
The international strategy will set out the Netherlands’ vision on international cooperation in the digital domain. Policy development and implementation in the various sub-fields will remain the responsibility of the relevant ministries.
3.2 Building coalitions
In its advisory report, the WRR recommends broadening the diplomatic arena. These efforts should mainly be directed at persuading countries known as ‘swing states’ that protecting the internet is in the interests of all states.
The digital domain is a relatively new policy field in which little has yet been decided internationally in the form of agreements, conventions or treaties and in which both public and private actors are active and a new balance of power is emerging. We can no longer assume that the post-1945 world order will be decisive in agreeing the design of new forms of cooperation and regulation.
Almost all international discussions on the digital domain reveal a sharp divide between the multistakeholder-oriented countries such as the Netherlands, which wish to protect the integrity of the internet, and the more state-oriented countries which seek to control and restrict material disseminated on the internet. Between these opposite ends of the spectrum is a large group of countries which have not yet made a clear choice based on their own political, economic and social interests. These are known as ‘swing states’. The government is operating entirely in accordance with the WRR’s recommendation in this regard. The Netherlands seeks to convince swing states that a free, open and secure internet is in their own national interests. Only if there is enough support for this vision of the internet will it be possible to work with confidence towards, for example, international agreements on cyber issues. Up until now, this coalition of countries has been too small.
The Netherlands is working to build coalitions in three ways:
- broadening the participation of countries and businesses in international discussions on cyber issues;
- strengthening public-private partnerships and multistakeholder decision-making so that national authorities, the private sector, civil society, the technical community and academics worldwide can participate in cyber-related consultations relevant to them;
- developing cyber-related knowledge and expertise in third countries so that they are able to implement the vision of a free, open and secure internet.
At the GCCS 2015, for example, the Netherlands arranged for broad geographical representation to ensure that countries experiencing the internet boom could be involved in the discussions on internet governance, security and privacy. Achieving a good geographical balance is also an ongoing aim of the Freedom Online Coalition established by the Netherlands.
The Netherlands views capacity-building as a way of facilitating dialogue with swing states suffering from a lack of capacity, policy or strategy. Helping to strengthen countries’ capabilities in the fields of cybersecurity and countering cybercrime will enable cross-border digital threats to be tackled more effectively. The Global Forum on Cyber Expertise (GFCE) is an important new tool in strengthening cyber capabilities worldwide. It is an informal platform which can be used by countries, businesses and international organisations to establish initiatives in cooperation with civil society to bridge the digital gap. For example, the Netherlands is working with Senegal to develop cybersecurity strategies for West Africa. The GFCE is also working to combat fragmentation by bringing together disparate global initiatives.
Interstate relations are not the only important factor in building coalitions. Representatives of civil society organisations are also instrumental in developing a free, open and secure internet and in promoting the multistakeholder model, which enables all relevant stakeholders to play a role in decision-making. However, there is often no place for non-state actors in international decision-making processes at the point when agreements are made on the regulation and future of the internet. The Netherlands facilitates and promotes the role of civil society – NGOs, the internet community and academics – in order to make cyber debates more inclusive.
For example, the Netherlands went to great lengths to ensure that civil society was broadly represented at the GCCS: it held a two-day capacity-building training session prior to the conference and helped to fund the participation of civil society representatives, particularly from the Global South. It demonstrated its commitment again in the run-up to the second round of negotiations in the World Summit on the Information Society +10 Review Process. The Netherlands financed a two-day meeting in New York to ensure that representatives of developing countries could have their say on this UN agenda and also coordinate their input to the outcome document.
The Dutch authorities also consult national and international NGOs before reaching a position on various processes such as the Internet Governance Forum, ICANN and the negotiations on the World Summit on the Information Society (WSIS+10), as well as during the Freedom Online Coalition (FOC) consultation sessions. Under Dutch co-chairmanship, the FOC’s ‘An Internet Free and Secure’ working group is exploring a new form of cooperation between states (the Netherlands, Canada and the United States), the private sector and civil society. The working group provides a unique platform for an open and honest dialogue on cyber-related topics. Recommendations on how cooperation can be structured at national and international level are a valuable outcome of this initiative.
3.3 Different forms of security and division of roles among actors
Security and trust are essential if citizens, businesses and authorities are to be able to use the internet. The WRR calls for clear differentiation between various forms of internet security and for a clear division of responsibilities and tasks among the various actors. There are many different forms of security. Both reports mention economic security, protection from cybercrime, consumer protection, information security (with regard to both data and data collection), protection of national security by preventing social disruption, and various forms of ICT security (intended above all to ensure internet availability, confidentiality and integrity).
The government carries out the following tasks: investing in awareness-raising, resilience and national cybersecurity, detection, investigation and prosecution, putting in place response mechanisms, diplomacy and promoting internet freedom and international security. These tasks are entrusted to various parts of central government and to implementing organisations such as the National Cyber Security Centre (NCSC) (which falls under the Ministry of Security and Justice), the intelligence and security services, the law enforcement authorities, various ministries responsible for parts of the Netherlands’ critical infrastructure, the Ministry of Foreign Affairs, the Ministry of Defence, the Ministry of Security & Justice and the Ministry of Economic Affairs and the Ministry of the Interior & Kingdom Relations for central government operational management and safeguarding human rights. In this context, the WRR deals specifically with the division of responsibilities between the Computer Security Incident Response Teams and the intelligence and security services.
It should be noted here that as cybersecurity threats often cannot be neatly categorised, it is difficult and indeed undesirable to completely separate the different domains. The intelligence and security services work to protect national security, for example by investigating espionage and sabotage in the digital domain. However, the threat-related information they obtain from their investigations can ultimately also benefit the digital resilience of individual businesses and citizens. For example, the General Intelligence and Security Service (AIVD) and the Defence Intelligence and Security Service (MIVD) often become aware earlier than other parties of new and more advanced threats and attacks, since they alone have the statutory task and statutory powers laid down in the Intelligence and Security Services Act 2002. Detailed information about the trends is given in the annual Cyber Security Assessment Netherlands (CSBN), which is publicly available. The security services work with the NCSC in the National Detection Network, in which information about hitherto unknown advanced persistent threats and their signatures is shared, wherever possible, with public and private partners to increase their resilience.
Where different forms of security overlap and the interests at play do not entirely correspond, the government tries to protect both national security and the security of individual citizens and businesses as effectively as possible. Both the AIV and the WRR mention the dilemma facing the authorities in connection with the use of encryption. On the one hand, encryption is important for system and information security and for the constitutional protection of private life and privacy of communication. On the other hand, encryption can make it difficult for the state to discharge its responsibility for investigating serious crime and protecting national security. The government’s recently published position paper on encryption clearly illustrates the considerations the government weighs in its efforts to keep the internet open, free and secure. In this position paper the government concludes that it has the ‘task of safeguarding national security and investigating offences’. The government recognises the need for lawful access to data and communication. At the same time, it would point out that public authorities, businesses and citizens all benefit from the maximum security of digital systems. The government endorses the importance of strong encryption for internet security to protect the personal privacy of citizens, for confidentiality of communication for the authorities and the private sector, and for the Dutch economy. The government is therefore of the opinion that at this point in time it is not desirable to take restrictive legal measures as regards the development, availability and use of encryption in the Netherlands. The Netherlands will disseminate this conclusion and the underlying assessment internationally.11
The various security organisations work together where necessary as well, for example during a crisis. Responsibility for coordination lies with the Ministry of Security & Justice. The NCSC is the national centre of expertise for digital security and acts as the Computer Emergency Response Team (CERT) for central government and vital industries. Together with its public sector partners, such as the National Police, the AIVD and the Ministry of Defence (including the MIVD), research institutions and the private sector, the NCSC works to ensure that the critical infrastructure of the Netherlands is kept secure, as specified in the Cybersecurity Data Processing and Reporting Duty Bill.12
4. Response to the AIV’s recommendations
4.1 Data protection
Internet users must be able to trust government authorities and organisations to protect their personal and other data properly. The criteria applied when formulating data protection policy and legislation in the EU are user trust, transparency, a risk-oriented approach and the need to minimise regulatory pressure for internet service providers. This is also the position taken by the government in debating the various data protection instruments in Europe, for example the General Data Protection Regulation, the Directive on personal data protection for the purposes of investigation and prosecution of criminal offences, and the recent framework agreement concluded by the European Commission with the United States on a successor to the Safe Harbour Treaty.
The government attaches great importance to legal certainty in connection with international data transmissions and is therefore pleased that the European Commission announced on 2 February that a political agreement had been reached between the EU and the United States on a new framework for transatlantic data flows: the EU-US Privacy Shield. The process of drafting the detailed provisions is expected to take until June. Although circumstances may still change during this period, the Netherlands welcomes the improvements that have been made in terms of stronger monitoring and enforcement. According to the Commission, the new framework serves two aims, namely to protect the fundamental rights of EU citizens and to provide legal certainty for businesses. This therefore seems to end the uncertainty faced by businesses since October about the lawfulness of data storage by internet companies in the United States.
Striking a good balance between commercial interests and privacy is important both for public trust in online services and for economic growth. Rather than being a hindrance, respect for privacy should serve as a framework that challenges businesses to develop innovative solutions and new services and applications. If the digital economy is to grow, it is essential that people should trust innovative services. Better privacy protection in the United States could help to create an international level playing field, thereby strengthening the position of European technology companies in relation to major players in the United States. The Netherlands trusts in the value of written representations of the United States concerning the safeguards surrounding the lawful access to transmitted data for law enforcement and national security purposes. It awaits the follow-up steps with interest.
4.2 Economic potential / foreign investment climate
The government agrees with both reports that the internet is of major importance to the Dutch economy and that the Netherlands has carved out a leading international position, as evidenced, for example, by its high position in the various international rankings. The Netherlands has excellent networks, a well-educated population and a high internet penetration rate, and it leads the field in terms of data centres and internet hubs, including intercontinental and transatlantic connections. The Dutch economy ranks alongside that of the United Kingdom as the most ICT-intensive in Europe. Its ICT turnover accounts for 5% of GDP, and this does not even include other ICT-dependent sectors. A quarter of Dutch economic growth in the past 10 years is attributable to ICT, and 25% of foreign investment in the Netherlands is ICT-related.
The government has integrated the full spectrum of the digital economy into its policy in order to preserve and expand ICT-related growth potential. In its letter to parliament13 on its medium-term vision on telecommunications, media and the internet, the government explains how it is working to improve the security and reliability of the internet and promote freedom in the digital domain, with particular emphasis on:
- an internet economy that is free from improper influence of public authorities, businesses and other lobby groups on the freedom of choice of users; this will both protect civil liberties and benefit the free market;
- the integrity, continuity and protection of personal data as a basis for trust in data-driven markets.
The government has documented its efforts to strengthen opportunities for economic growth, innovation and entrepreneurship through the internet and ICT in various policy papers, such as the Digital Agenda.nl – ICT and Innovation for Economic Growth (2011) and the Digital Implementation Agenda.nl (2011).14 An evaluation and update of the Digital Agenda was sent to the House of Representatives on 5 July 2016. This also addressed the motion of 15 October 2015 by Dutch MP Kees Verhoeven,15 in which the government was requested to recognise digital infrastructure as the country’s third ‘main port’ (in addition to the Port of Rotterdam and Amsterdam Airport Schiphol) and to develop and implement an economic vision to strengthen this role.
Specific attention is also paid to the role which ICT and the internet can play in new developments in all sectors, for example healthcare. The role of the internet and Big Data in the healthcare sector is growing all the time and opportunities abound. Thanks to these developments, healthcare is growing ever more international. It is important for data to be well protected and for the privacy of the patient to be guaranteed. Making data both accessible and secure will ensure that people have greater control over their own health, methods of treatment can be improved (partly through international data collection), the quality of care can be enhanced, transparency can be increased and the door can be opened to innovative technological advances and products.
A policy of targeted incentives for the ICT and internet sector is helping to create a positive foreign investment climate for internet companies. For example, ICT is a theme that cuts across all sectors included in the government’s ‘top sector’ policy and has its own knowledge and innovation agenda, for which the Netherlands Organisation for Scientific Research (NWO), the Netherlands Organisation for Applied Scientific Research (TNO) and the Ministry of Economic Affairs have reserved €40 million for ICT-related knowledge and innovation in the context of public-private cooperation. The Ministry of Economic Affairs has commissioned research into opportunities for the cybersecurity sector in the Netherlands, and policy recommendations will be based on the ICT sector’s contribution to the business climate and on the foreign investment climate.
4.3 Intelligence and security services: role and oversight
The AIV recommends ensuring effective and independent oversight of the intelligence and security services and providing better safeguards for the exchange of data between national intelligence and security services within Europe and beyond.
The Intelligence and Security Services Act 2002 describes how effective and independent oversight of the activities of the intelligence and security services is carried out by various bodies. As noted above, a review of the 2002 Act is currently being prepared, and this opportunity will be taken to review the conditions under which the restriction of fundamental rights is considered justified. After all, even once this review has been completed the system of oversight must continue to comply with the requirements laid down by the European Court of Human Rights (ECtHR) regarding the activities of the intelligence and securities service that infringe fundamental rights.
The AIV rightly refers in its advisory report to the Dessens Committee’s report, in response to which the government indicated that it would take the Committee’s oversight recommendations into account when framing the new Intelligence and Security Services Act. This is about striking the right balance between, on the one hand, modifying and, in some respects, expanding the special competences of the services and, on the other hand, strengthening the system of safeguards, including oversight. At present, the government is using the response from its online consultations and the Privacy Impact Analysis to draft a new bill, which will be submitted to the Advisory Division of the Council of State before the summer recess. As the review is still under way, the government considers that discussion of the new legislation is beyond the scope of this response.
When working with their foreign counterparts, the intelligence and security services apply various criteria, such as the democratic accountability of the foreign organisations and the human rights policy of the country concerned. These are important factors in deciding on the intensity of cooperation with a partner. This procedure is in line with the recommendations in oversight report 38 (2014) of the Intelligence and Security Services Review Committee (CTIVD). The criteria will also be incorporated in the amended Intelligence and Security Services Act 2002.
4.4 Leading role played by the Netherlands in an EU context
The Netherlands aims to play a leading role as the ‘digital gateway to Europe’ and as a safe place to live and do business. During its current Presidency of the Council of the European Union the Netherlands is paying explicit attention to cybersecurity, cybercrime and digital issues such as the Digital Single Market. The priorities are to achieve progress on free data traffic and internet governance (in which the Netherlands will work for a free and open internet) and to strengthen the framework for cross-border access to data for the purposes of investigating cybercrime.
In the Friends of the Presidency Group on Cyber Issues (FoP), the Netherlands is addressing the topic of the EU’s Cybersecurity Strategy and the accompanying Roadmap. The matters covered include operational cooperation and information-sharing, public-private cooperation, cyber diplomacy, capacity-building in countries outside the EU, digital rights, anti-cybercrime measures and best practices in cybersecurity, such as vulnerability disclosure. The Netherlands is involving private partners in its Presidency, for example by giving the Cyber Security Council a role in the High-Level Meeting on Cybersecurity in May 2016.
Operational cooperation is also part of the EU Network and Information Security Directive. Implementation of the directive will start during the Dutch Presidency.
Export controls on dual-use ICT goods and software
The AIV recommends that the Netherlands use its Presidency of the European Union to develop proposals for updating outdated legislation that curbs internet freedom. In line with this recommendation and with the discussions during the GCCS, the Netherlands will seek during its Presidency to tighten up the provisions resulting from the current revision of the EU Dual-Use Regulation. This involves stricter controls on the export of dual-use surveillance technologies. An effective and proportionate export control regime is necessary in order to prevent the export of surveillance technology from the EU to repressive regimes which have inadequate safeguards for human rights and could use this technology for human rights violations. The Netherlands is aware of the complexity of formulating technical proposals in this field. It therefore supports the research currently being done for the European Commission and looks forward to receiving the Commission’s proposal based on this study. The Netherlands is trying to gain support for this approach in other multilateral forums as well.
The Netherlands pioneered net neutrality legislation in the EU and has played an active part in the European debate on net neutrality based on its own national legislation. The House of Representatives, the Dutch government and Dutch members of the European Parliament have all been instrumental in bringing about the EU net neutrality regulation. Various European civil society organisations (including consumer organisations) have repeatedly endorsed Dutch practice and the Dutch position.16
4.5. Dialogue with the private sector
As both the WRR and the AIV note in their reports, there are two sides to the relationship between public authorities and the private sector. Although the private sector works with the authorities to safeguard such public interests as privacy, security and freedom in the digital domain, some companies can have a negative influence on such interests, partly due to their global market dominance. In view of the key role played by the latter companies in the digital domain, serious diplomatic efforts must undoubtedly be made to engage with them.
The authorities are working closely with the private sector to improve digital skills and emphasise the duty of care that businesses and authorities have towards their clients. ICT products and services must be secure too. It must be possible to hold businesses and authorities accountable for their responsibilities. They must also be transparent about the cybersecurity measures they take and how they deal with user data. As outlined in the coalition agreement, the government aims to ensure that businesses and citizens can manage their affairs with the authorities securely online.
All ministries are in constant dialogue with the private sector about a wide range of subjects, such as adopting positions within ICANN and the ITU (Ministry of Economic Affairs), coordinating the approach to all aspects of internet governance in the annual Dutch Internet Governance Forum (Ministries of Economic Affairs, Foreign Affairs, Security & Justice and the Interior & Kingdom Relations), consulting about the design of policy on privacy, data protection and the role of intermediaries as building blocks for the European digital single market (Ministry of Economic Affairs), public-private cooperation (Ministry of Security & Justice), and developing standards for responsible state behaviour in cyberspace, particularly in relation to capacity-building and human rights (Ministry of Foreign Affairs).
The role, duty of care and shared responsibility of businesses, individuals and the authorities in relation to online security has been defined by the government in the National Cyber Security Strategy 2.0, and is also an issue covered by the Cyber Security Council.
1 ‘National Cyber Security Strategy 2.0: From awareness to capability’, National Coordinator for Security and Counterterrorism, https://www.ncsc.nl/actueel/nieuwsberichten/samenwerking-overheid-en-bedrijfsleven-versterkt-in-nieuwe-cybersecurity-strategie.html.
2 Outcome document of the high-level meeting of the General Assembly on the overall review of the implementation of the outcomes of the World Summit on the Information Society, UN Doc. A/70/L.33, 13 December 2015, para. 58.
3 Pursuant to UNGA Resolution A/RES/70/125.
4 A UN Working Group made recommendations in 2012 on this and other desired improvements to the IGF, for example as regards the participation of relevant stakeholders from developing countries. The UNGA took note of those recommendations in Resolution A/RES/68/198 of 20 December 2013.
5 Cyber Security Assessment Netherlands 2015.
6 Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, UNGA Doc. No. A/70/174, para. 13(f).
8 Recommendation CM/Rec(2014)6 of the Committee of Ministers to Member States on a Guide to Human Rights for Internet Users. Adopted by the Committee of Ministers on 16 April 2014. See http://www.coe.int/en/web/internet-users-rights/guide.
9 See, for example, ECJ, 8 April 2014, C-293/12 and C-594/12 (Digital Rights Ireland Ltd. v. Ireland); ECJ, 6 October 2015, C-362/14 (Schrems v. Data Protection Commissioner); ECtHR 12 January 2016, no. 37138/14 (Szabó and Vissy v. Hungary).
11 Letter to parliament on the government’s position on encryption, Parliamentary Paper 26643-383, 4 January 2016, https://www.rijksoverheid.nl/documenten/kamerstukken/2016/01/04/tk-kabinetsstandpunt-encryptie.
12 ‘Rules on the processing of data to promote the security and integrity of electronic information systems of vital importance to Dutch society and rules on reporting serious breaches (Cybersecurity Data Processing and Reporting Duty Bill)’, Parliamentary Papers, House of Representatives 343882, Bill presented to parliament on 21 January 2016.
15 Motion 34300-XIII-45.
16 On this point see also the Letter to parliament about the Regulation on the single market for telecommunications and roaming in the Benelux of 9 November 2015.