arrow-right-alt INTERNATIONAL MEDIA LAW GUIDE

Netherlands Media Law Guide

Defamation, Privacy and Data Protection

Authors

Remco Klöters

Remco Klöters

Partner - Van Kaam

NETHERLANDS MEDIA LAW GUIDE

Defamation and Privacy Law in the Netherlands

Contributor: Remco Klöters (Partner, Van Kaam IP Media & Privacy)

Defamation and Slander

The Dutch system

Slander and defamation are punishable under the Dutch Criminal Code, however, someone who commits an act of slander or defamation is also committing a wrongful act under the Dutch Civil Code. When determining whether something constitutes a wrongful act, the case law of the European Court of Human Rights (‘ECtHR’) is considered. The Netherlands is a member of the Council of Europe and therefore party in the European Convention on Human Rights (‘ECHR’). The ECHR provides both the right to freedom of expression (Article 10) as well as the right to respect for private life (Article 8). Part of the private life is also one’s reputation (ECtHR 15 November 2007, no. 12556/03 (Pfeifer/Austria)). Defamation or slander can be an infringement to the right to private life and, therefore, be considered a wrongful act under the Dutch Civil Code.

Criminal Law

The Dutch Criminal Law seeks to protect the moral integrity of a person by forbidding slander and defamation (Articles 261 and 262 of the Dutch Criminal Code). Both slander and defamation consist of an intention to impugn the honor or reputation of another person by accusing a person of a fact in the public eye. The accusation has to be severe, for instance accusations of crimes or other morally objectionable behavior. Knowing the information you publicize is untrue is slanderous, while information you might deem true, but is intentionally impugning the honor or good name is considered a defamation. Prosecution can only take place if the victim of the slander or defamation files a report with the police. Prison sentences are possible, but are rarely imposed, fines and community service are the most regular punishments.

Civil Law

Slander and defamation are also considered a wrongful act in the Dutch Civil Code (Article 6:162). In civil proceedings, a judge has to decide if either the freedom of expression or the right to privacy / protection of one’s reputation has to prevail. In the Netherlands, the statute of limitation for bringing a claim pertaining to an unlawful act is five years after the day that the injured party became aware of the damage and the person responsible for the damage (Article 3:310 Dutch Civil Code). For some remedies though judges demand a more quick response, especially when a plaintiff is looking for rectification.

The burden of proof with unlawful act claims normally lies with the claimant. He or her should state why an act was unlawful and what damage is done. However, since it is hard to prove that statements are not true, the burden of proof can be reversed, such that it can be up to the defending party to prove the truth of the statements, by proving that the accusation was supported by the available (factual) evidence, or that he or she did not make the accusation lightly (see ECtHR 15 February 2005, no. 68416/01 (Steel & Morris/VK)). The claimant is nonetheless obliged to set out what statements are defaming and or slanderous and why (Court of Appeal of ‘s-Hertogenbosch 23 February 2011, ECLI:GHSHE:2011:BP3921).

Claimants can claim various remedies. These remedies include monetary compensation, removal of the statement(s) from online sources, an injunction prohibiting the repetition, republication or broadcasting of the statement, rectification of the statement, etc. In the most obvious cases it could also be possible to get a preliminary injunction against an intended statement, publication or broadcast, but it is more common to look for remedies after the publication. Monetary remedies are limited to what is deemed to be proportionate to the infringement (ECtHR 15 June 2017, no. 28199/15 (Independent Newspapers/Ireland)). There is no maximum level of financial compensation in place.

European Court of Human Rights

As a member of the Council of Europe, the Dutch judges are – as mentioned above – bound by European rules. The ECHR articles contain a test for cases in which the respective fundamental right is to be overridden by another competing fundamental right. Although a judge would strictly test whether there are reasons to interfere with the freedom of expression of the defendants (Article 10 ECHR), this test would not be any different under Article 8 ECHR. There is no hierarchy between these rights and they are equally as fundamental, so therefore it is irrelevant whether an interference with Article 10 or with Article 8 is being judged. (ECtHR 16 June 2015, no. 64569/09 (Delfi/Estonia) and Dutch Supreme Court 18 January 2008, ECLI:NL:HR:2008:BB3210 (Van Gasteren/Hemelrijk)).

When a Dutch court has to decide whether an interference with the freedom of expression is necessary in order to guarantee the right to protection of the privacy or reputation, it has to perform a test whether the claims meet the conditions of article 10 ECHR. These conditions are whether the interference:

  • is prescribed by law
  • has a legitimate aim as set out in article 10.2 ECHR
  • is necessary in a democratic society

Since the sections of the Dutch Civil Code – and more specific: the Dutch rules about wrongful acts – are regarded to be ‘prescribed by law’ and the protection of the reputation of others is set out as a legitimate aim in Article 10.2, the most important test is whether an interference is necessary in a democratic society.

Necessity in a democratic society

The ECtHR explained the concept of a democratic society in its landmark Handyside case (ECtHR 7 December 1979, no. 5493/72 (Handyside/UK)). It deems this freedom to also be applicable to information and ideas that offend, shock or disturb. In order to deem a particular interference necessary in a democratic society, there needs to be a ‘pressing social need’. That is more compelling than ‘admissible’, ‘ordinary’, ‘useful’, ‘reasonable’ or ‘desirable’ (ECtHR 26 April 1979, no. 6538/74 (Sunday Times/UK)). The more severe an interference is (i.e. criminal punishment), the stronger the pressing social need to legitimize the interference has to be.

Traditionally the ECtHR requires a strong pressing social need for interferences in cases concerning political speech and matters of public interest. The ECtHR wants to prevent a chilling effect on politicians and journalists who need to have the freedom to express themselves in politics as well as about matters of public interest.

Ethics

Another relevant aspect is that of ethics and good faith. The ECtHR requires authors and media to act in good faith and on an accurate factual basis and provide reliable and precise information in accordance with the ethics of journalism. (ECtHR 21 January 1999, no. 29183/95 (Fressoz & Roire/France)). In the Dutch courts, this means that journalistic principles (in addition to legal principles) are relevant in judging an alleged wrongful act.

Balancing exercise

Since all measures taken against the media and/or journalist after a violation of the fundamental right to the protection of privacy or reputation, in themselves characterize an interference with their right to freedom of expression, and since both fundamental rights are equally respected, the ECHR and the Dutch Supreme Court prescribe a balancing exercise to decide whether such interference is necessary in a democratic society (ECtHR 24 June 2004, no. 59320/00 (Von Hannover/Germany 1)). For this balancing exercise the ECtHR grants the courts of the member states a wide margin of appreciation (ECtHR 7 February 2012, no. 40660/08 (Von Hannover/Germany 2)).

Privacy and Data Protection

The Dutch system

As a member of the European Union, the Dutch privacy rules are governed by the EU General Data Protection Regulation (‘GDPR’), that was implemented in May 2018. It is designed to give individuals greater control over their personal data, which means any information relating to an identified or identifiable natural person (Article 4 GDPR). Therefore, the GDPR has an extensive scope and applies to (i) the processing of personal data wholly or partly by automated means and (ii) the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system (article 2 GDPR). The rules are not only applicable to data controllers and data processors based in the EU, but also to all data controllers and data processors outside the EU who process personal information of EU citizens.

Aside from the direct effect of the GDPR, it is also implemented in Dutch national law for further regulation through the GDPR Implementation Act (Uitvoeringswet AVG, ‘UAVG’). As a main rule, the UAVG applies in all cases in which the GDPR also applies. There are a few exceptions, for example regarding to processing personal data in the context of the Election Act and the Population Register Act (Article 2 UAVG). The Dutch implementation also expanded the scope of the GDPR to include personal data processing that does not fall under the scope of EU regulation (Article 3 UAVG).

One of the base principles of the GDPR is that personal data shall be processed lawfully, fairly and in a transparent manner (Article 5 and 6 GDPR). This includes, amongst other things, that processing of personal data is only lawful when the processing can be based on a legal ground as mentioned in Article 6 GDPR. The legal grounds serve as the foundation for organizations to lawfully process personal data under the GDPR and are: (i) permission of the data subject, (ii) contractual necessity, (iii) necessity for compliance with a legal obligation (iv) necessity to protect vital interests of the data subject, (v) legitimate interests of the data controller or a third party, and (vi) performance of a task carried out in the public interest. Processing of special categories of personal data such as racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation know a stricter protection regime than other personal data. This is also the case for criminal records.

Not only is a legal ground required for the processing of personal data, the processing itself is also bound by other rules. For example, personal data may only be used for the purposes as explicitly described prior to the processing and only the data necessary for those purposes may be processed (Article 6 GDPR). In addition, the data may not be stored longer than necessary and if possible with as little identification as possible (Article 5 GDPR).

Data subjects have multiple rights under the GDPR. They have a right of access to the data that is stored and processed combined with a right to rectify the information (Article 15 and 16 GDPR). The GDPR also grants a right to erasure, or ‘right to be forgotten’ (Article 17 GDPR), such that data subjects can demand that all of their personal data will be erased by the controller. This can limit the freedom of expression of others, for example in the case of search engines – erasure of the data can limit the accessibility of a publication. This aspect is therefore considered when evaluating the data subject’s request. Another important right is the right to data portability, by which a data subject must be able to transfer his or her personal data from one service to the other (Article 20 GDPR).

While the main responsibility to comply with the GDPR lies with the actual data controller, they frequently make use of third-party services to process the data (data processors). Data processors also have obligations under the GDPR, such as making arrangements when personal data is processed on behalf of the data controller (often in a Data Processing Agreement). Data controllers and processors also have to make sure the data is subject to appropriate security measures (Article 32 GDPR), and in case of a data breach, are obliged to notify the supervisory authority no later than 72 hours after becoming aware of the breach.

The GDPR includes certain exceptions to balance the right to privacy with other fundamental rights, such as freedom of expression and information. The journalistic exception (Article 85 GDPR) applies to processing personal data for journalistic purposes. Although this exception provides some flexibility for journalists, they are still required to comply with the overarching principles and obligations of the GDPR. In the Netherlands, additional specifications concerning the journalistic exception are regulated by Article 43 UAVG.

Compliance with the GDPR is being monitored by the supervisory authority. In the Netherlands, this is the Autoriteit Persoonsgegevens (‘AP’).  The AP is an independent organization tasked with all matters involving compliance monitoring. The AP is actively monitoring companies, public institutions and other data controllers. It is also a place where data subjects can report non-compliant controllers. The AP can impose fines when privacy regulations are being violated. These administrative fines can be up to 20 million euros or 4% of the total worldwide turnover in case of an undertaking (Article 83 GDPR).

The GDPR further provides for remedies, liability and penalties. It gives the data subject the right to lodge a complaint with a supervisory authority, for instance. It also gives a right to effective judicial remedies to either a controller or processor as to the supervisory authority as well. Where the supervisory authority has a right to impose fines, persons who have suffered material or non-material damages as a result of infringement of the GDPR, have the right to compensation. For the determination of the amount to be awarded by way of compensation, a Dutch judge has to look at the Dutch legal principles and case law, in order to determine a proportionate amount of compensation.

European Court of Justice / European Court of Human Rights

The Dutch judges are also bound by case law of the European Court of Justice (‘CJEU’). The CJEU, particularly through the preliminary questions presented, provided much clarification on the application of the standards of the GDPR, for example on the right of access by the data subject (Article 15 GDPR).

Furthermore, the Dutch Supreme Court ruled that the clauses of the former Personal Data Protection Act, which was substituted by the UAVG following the introduction of the GDPR, ought to be construed in alignment with the European Convention on Human Rights, thus taking into account the jurisprudence of the ECHR (Dutch Supreme Court 9 September 2011, ECLI:NL:HR:2011:BQ8097 (Santander)).

Contributor: Remco Klöters (Partner)
Van Kaam advocaten
Oosteinde 3
1017 WT Amsterdam
Netherlands

The material in this Guide is for general information only and does not constitute legal advice.

Our Newsletter