AVT16/BZ119746 1
Government’s response to the AIV’s advisory report ‘The internet, a global free space
with limited state control’ and the WRR’s advisory report ‘The public core of the
internet: an international agenda for internet governance’
1. Introduction
It is very difficult to make predictions, especially about the future
Niels Bohr, physicist and Nobel Prize winner
The world is digitalising at an ever faster pace, and this process is being driven by the
internet. The internet is generating new opportunities for economic growth, innovation and
social development, but is also posing new challenges for our economy, security and
freedom. People often look to government to take suitable measures to meet these
challenges.
In the recent past various reports have been published on the role of government in relation
to the internet. December 2014 saw the publication of a report by the Advisory Council on
International Affairs (AIV) entitled ‘The internet, a global free space with limited state control’.
This was followed in March 2015 by a report by the Scientific Council for Government Policy
(WRR) on ‘The public core of the internet: an international agenda for internet governance’.
The government notes that the Netherlands has already taken key steps to ensure that it is
well-placed to capitalise on the opportunities offered by the internet. It therefore views the
reports of the AIV and the WRR as an encouragement to continue along the present path
and redouble these efforts. This requires a robust national approach designed to utilise the
opportunities the internet offers for innovation and economic growth, and to guarantee
security and human rights in the cyber domain. It also requires an international cybersecurity
strategy to engage with the difficulty of reconciling the internet (which is by definition end-to-
end open and without borders) with an existing international legal order based on a system of
sovereign states. The development of the internet requires continuous assessment and
reappraisal of states’ room for manoeuvre and capacity to act, in both the national and the
international domains.
In light of these developments the Dutch government continues working to achieve a free,
open and secure internet.
AVT16/BZ119746 2
In this letter the government responds to both reports. It will first address the challenges
which government authorities face in adapting to the digital reality. In its general response to
the analysis of the issues in the two reports, the government will also consider the three main
themes dealt with by the WRR and the AIV: internet governance, security and human rights.
Finally, the letter will examine the specific recommendations made in the two reports.
This response is presented on behalf of the government by the Ministers of Foreign Affairs,
Economic Affairs, Defence and the Interior & Kingdom Relations and the State Secretary for
Security and Justice.
2. Response to the analysis
A continual challenge for government is the need to adapt its activities to the digital reality in
order to ensure peace, security and prosperity in the Netherlands and elsewhere both now
and in the future. Just as these aims create challenges and require the various interests to
be carefully weighed in the offline world, this also holds true for the online world. It is hardly
surprisingly, therefore, that states worldwide have differing views on internet governance.
The government’s aim is to safeguard a free, open and secure internet that provides scope
for social development, economic activity and innovation.
An important term in the WRR report is the ‘public core’ of the internet, in other words the
core protocols that form the basis of a properly functioning internet, including the internet
protocol suite, or TCP/IP suite. The AIV describes the internet as a mare liberum, within
which the state should confine itself to safeguarding the legal framework of the rule of law
and protecting civil liberties. The government endorses the importance of maintaining the
free and open character of the internet as a platform for unrestricted data traffic in order to
stimulate economic growth and innovation. Although the mare liberum comparison offers
some valuable points of reference, it is not entirely appropriate because security and respect
for human rights are necessary conditions for economic growth and innovation.
The state is responsible for protecting its citizens, including in an online environment, by
furthering protection of their personal data, promoting cybersecurity and preventing or
combating cybercrime and threats to national security. International cooperation is becoming
ever more important in order to protect these interests in a borderless digital environment. As
a consequence, agreements about cooperation and standards of conduct should preferably
be made in a European and broader international context.
AVT16/BZ119746 3
The above-mentioned interests require an integrated approach. In the government’s opinion,
liberty and security are not in conflict, but are complementary interests. The dynamic balance
between security, freedom and economic growth must be achieved and maintained through
constant open dialogue between all stakeholders, both nationally and internationally. This
view of the interplay between security, freedom and economic growth as the basis for policy
decisions is underpinned in the National Cyber Security Strategy 2.0.1 In the period ahead,
the government will develop a vision for Dutch international cyber policy. This is explained in
section 3.1 below.
The government emphasises that it is important for domestic and foreign policy to be
consistent. The positions taken by the Netherlands internationally should therefore be in line
with national practice and based on the principle of ‘preach what you practise’. By the same
token, proposed national measures that deviate from the positions taken by the Netherlands
at international level or from international treaty obligations undermine the credibility and
effectiveness of Dutch efforts to promote an international order in cyberspace. Hence
‘practise what you preach’ is also a principle that underlies national policy. Naturally, the
Netherlands is bound by international legislation only after international agreement has been
reached and the Netherlands has committed itself to the obligation concerned.
Internet governance
The government endorses the AIV’s analysis that an open model of governance has been
crucial to the development of the internet. The WRR differentiates between governance of
the internet’s infrastructure and governance using the internet’s infrastructure. The
government will consider this distinction and the state’s role in these two types of
governance. Decisions on changing the governance structure of the internet could have a
major impact on how the internet as a system evolves further in the future.
The Netherlands has adopted a circumspect approach to what the WRR understands by
governance using the internet’s infrastructure, namely use of the infrastructure as a tool for
restricting or influencing online content and behaviour. The government’s guiding principle is
that fundamental rights such as freedom of expression are just as applicable online as
offline. Nonetheless, the authorities can still carry out investigations on the internet to
1 ‘National Cyber Security Strategy 2.0: From awareness to capability’, National Coordinator for
Security and Counterterrorism, https://www.ncsc.nl/actueel/nieuwsberichten/samenwerking-overheid-en-bedrijfsleven-versterkt-in-nieuwe-cybersecurity-strategie.html.
AVT16/BZ119746 4
safeguard these freedoms and combat crime, for example in order to tackle the spread of
hate speech or discriminatory content on the internet.
The aim of the government’s policy on internet governance is to safeguard the development,
accessibility, availability, reliability and integrity of the internet. The government shares the
view of the WRR and the AIV that the present governance system has proved capable of
guaranteeing the internalisation of these principles in the development of the internet. To
safeguard this system in the future, the role of the technical community, including the Internet
Engineering Task Force (IETF) and the World Wide Web Consortium (W3C), must be
preserved and strengthened. It is particularly important that decisions on technical aspects of
the internet be taken by those who have knowledge of the technology and the capacity to
devise solutions beneficial to the development of the internet, without being influenced by
political agendas.
Thanks to the effective forms of self-organisation and self-regulation which characterise the
internet’s open governance structure, the internet has grown to become a single shared and
accessible infrastructure that spans the globe. The multistakeholder approach has proved its
effectiveness by successfully utilising the expertise of a variety of stakeholders. However,
this approach does not mesh well with the multilateral negotiation model traditionally used by
states. In this respect, the strength of the multistakeholder model is also its weakness: in its
purest form, the model functions primarily to resolve problems, for example in how engineers
solve a technical problem. However, since there is no agreement on the division of roles and
responsibilities when stakeholders meet in different international forums, the model can be at
odds with more traditional decision-making models. This was seen again recently during the
negotiations on the final declaration of the World Summit on the Information Society (WSIS)
+10 Review Process, where widely varying views were expressed on the role of states and
other stakeholders in internet governance. The only reference to this theme in the outcome
document was ultimately a confirmation of the principles agreed in the Tunis Agenda of
2005: ‘We reiterate the working definition of internet governance, […], as the development
and application by governments, the private sector and civil society, in their respective roles,
of shared principles, norms, rules, decision-making procedures and programmes that shape
the evolution and use of the internet.’2
2 Outcome document of the high-level meeting of the General Assembly on the overall review of the
implementation of the outcomes of the World Summit on the Information Society, UN Doc. A/70/L.33, 13 December 2015, para. 58.
AVT16/BZ119746 5
The Internet Governance Forum (IGF) is the global forum in which these parties debate,
exchange information and try to reach consensus on the structure of the governance model.
However, the IGF does not have a mandate to take binding decisions on these matters. In
the internet governance field there is a need for the current cooperation and decision-making
models to be developed and improved in such a way as to bring state and non-state actors
together in a productive manner. Automatic reliance on traditional governance models is not
possible given the architecture of the internet, the wide variety of governance topics and the
large number of technical, administrative and political actors involved. Now that its mandate
has been renewed for 10 years,3 the main challenge facing the IGF in the years ahead is to
focus more on achieving tangible and visible results.4
The AIV and WRR reports deal with the role of states, mainly in the context of the Internet
Corporation for Assigned Names and Numbers (ICANN). This is the California-based non-
profit organisation which carries out operational and coordinating tasks for a number of
(logical) functions of the internet and decides on the establishment of new internet domains
(such as ‘.com’). ICANN’s functions are of great importance not only technically and
economically but also politically, and they directly affect public interests such as the privacy
of domain name holders, the protection of intellectual property, the enhancement of internet
security and observance of human rights. In addition, ICANN seeks to maintain a single
unfragmented and open internet, an aim the government endorses. It is expected that by the
end of 2016 ICANN will no longer be subject to the oversight currently exercised by the US
authorities. This will be a major step towards the internationalisation of ICANN, which is
something the Netherlands has been advocating for years. The AIV report rightly
emphasises that the future structure of ICANN is a matter deserving of the government’s full
attention, given the implications for the current debate on internet governance.
As ICANN will now continue to exist as an autonomous organisation, its accountability
structure must be improved and the role of government in the proposed new mechanisms
must be redefined. The future oversight of ICANN is a subject of debate between those
states that wish to have multilateral supervision by the UN and those states, such as the
Netherlands, that would prefer the existing multistakeholder model to be expanded and
strengthened. The Netherlands advocates a more active – albeit still advisory – role for the
committee of national governments (the Governmental Advisory Committee; GAC) in the
decisions of the ICANN Board. The multistakeholder structure of the organisation and the
3 Pursuant to UNGA Resolution A/RES/70/125.
4 A UN Working Group made recommendations in 2012 on this and other desired improvements to the
IGF, for example as regards the participation of relevant stakeholders from developing countries. The UNGA took note of those recommendations in Resolution A/RES/68/198 of 20 December 2013.
AVT16/BZ119746 6
decision-making powers of the ICANN Board must not be undermined or politicised. Any
change to the system of internet governance should not be at the expense of the flexibility,
security and stability of the internet or of the promotion of digital rights. The Netherlands is
convinced that the internet functions best if all stakeholders can have a say and play a role in
its governance. The present system of governance has been a factor in the successful
development of the internet and in the resulting economic and social benefits.
Cybersecurity and other forms of security
While the internet creates many opportunities for economic growth and innovation, it also
poses challenges for the legal order and security at both national and international level. In
section 3.3 below, the government considers the various forms of security mentioned in both
reports. In its response to the reports’ general analysis, the government views the security
challenge from the perspective of the tension between the internet as a worldwide network
and the international legal order, which is based on the sovereignty of democratic nation
states governed by the rule of law
The internet is abused by malicious actors for criminal activities which, regardless of their
origin, can cause serious disruption to Dutch society.5 This international dimension assumes
two forms: first, foreign actors target victims in the Netherlands and, second, Dutch internet
facilities are used for activities aimed at foreign targets. This involves threats emanating from
both state and non-state actors such as cybercriminals and terrorist movements. The
National Cyber Security Strategy 2 describes how the Dutch authorities view and tackle the
task of providing cybersecurity for the Dutch public and business community. Their integrated
approach includes improving knowledge and intelligence concerning cyber threats, tracking
criminals, enhancing resilience and defensive capacity, enhancing military capabilities and
actively engaging in cyberdiplomacy.
Given the cross-border and global character of the internet, any security challenges that
occur must be tackled internationally. As the international legal order is based on the
principle of sovereignty, national authorities have only limited capacity to act alone in tackling
security challenges on the internet. This requires international cooperation, for example
within the EU, the UN and the Council of Europe. The Netherlands therefore contributes
actively to international discussions and to measures to strengthen the international legal
order. Nonetheless, many matters that are regulated nationally have yet to be fleshed out at
international level.
5 Cyber Security Assessment Netherlands 2015.
AVT16/BZ119746 7
In tackling cybercrime the Netherlands works actively with international partners in the
framework of, for instance, Interpol, the EU (e.g. Eurojust and Europol) and the Budapest
Convention on Cybercrime. Combating cybercrime is making new demands on the police
and justice system, particularly their capacity to act quickly and exchange information. These
developments in the digital domain may also necessitate a reassessment of the legal
framework. The Netherlands plays an active role in the debate on the effectiveness of the
international legal framework for cross-border investigation of offences in cyberspace and is
itself developing new instruments and legislation to improve its own capacity for action. It
goes without saying that any new legislation would be tested for compatibility with obligations
under international law. The draft of the Computer Crime III Bill, to which the AIV referred in
its report, has now been submitted to parliament.
Protection of the public core of the internet
The government endorses the WRR’s view that the economic and social benefits of the
internet are dependent on the reliable, predictable, stable and secure functioning of its core
protocols. The government recognises that what the WRR refers to as the ‘public core’
exhibits characteristics of an international public good that transcends individual sovereign-
and private interests. However, the WRR report does not provide a conclusive answer to
what precisely is meant by the ‘public core’. Nor is there agreement about this at international
level. The government is proceeding on the principle that the core protocols of the internet
form the public core.
The Netherlands recognises that given the nature and interdependence of the digital domain
(and the world’s dependence on it), care should be taken to avoid activities that could impact
on the public core. State interventions that are in themselves lawful may have damaging
effects on the public core of the internet, and this may result in adverse repercussions for
other states.
The government’s position is that the maintenance and development of the public core
should as far as possible remain a matter for the technical community, while the role of the
state should focus as much as possible on supporting that process. As noted above, the
present governance structure ensures a depoliticised process aimed at solving problems and
facilitating the development of the internet in a broad sense.
Another aim of the government is to promote the international legal order in cyberspace in a
similar fashion as it does in the offline world. Protecting the public core of the internet may be
AVT16/BZ119746 8
a matter of international security in cases where cyber operations by state or non-state
actors may impair the functioning of the core.
Despite some concrete results such as the reports of the United Nations Group of
Governmental Experts (GGE) and the publication of the Tallinn Manual on the International
Law Applicable to Cyber Warfare, the development of an international order in cyberspace is
still in its infancy. Hitherto, most attention has been focused on protecting critical
infrastructure at national level, in particular for the support of vital public services. The basic
assumption is that this critical infrastructure is protected by the prohibition on the use of force
and on violation of the sovereignty of other states. The principles and rules of international
humanitarian law may also be expected to afford a degree of protection for critical, non-
military infrastructure. The Netherlands is actively seeking to achieve more clarity on how
existing international law applies to cyber operations and to reach broad agreement on this
issue.
Preventing and regulating cyber attacks is a subject of international consultation and
academic research aimed at clarifying how international law applies and at developing
additional norms of behaviour between states. The introduction of a framework of norms
could reduce the room for manoeuvre of malicious state and non-state actors that refuse to
abide by international agreements, and could increase international solidarity in condemning
such activities. The government sees this as an essential first step towards creating an
international order in cyberspace.
The very nature of the cyber domain makes it difficult to conclude verifiable agreements
about the activities of states. However, developing norms of behaviour that enjoy wide
support does provide opportunities for introducing a common international order based on a
shared interest in ensuring that the internet functions effectively and reliably. Such norms can
increase the political, diplomatic and economic cost of engaging in harmful activities. States
recently reached consensus on one such norm of behaviour at UN level. According to the
GGE recommendation in question, ‘[A] State should not conduct or knowingly support ICT
activity contrary to its obligations under international law that intentionally damages critical
infrastructure or otherwise impairs the use and operation of critical infrastructure to provide
services to the public.’6 The government regards this recommendation as a first step towards
protecting infrastructure, including information infrastructure.
6 Group of Governmental Experts on Developments in the Field of Information and
Telecommunications in the Context of International Security, UNGA Doc. No. A/70/174, para. 13(f).
AVT16/BZ119746 9
The Netherlands is actively involved in the international debate on possible norms of
behaviour to protect – or even ban intervention in – the public core of the internet (or sections
of it) and wishes to carry out further study to determine how such standards can be achieved.
The government will also investigate whether it is possible to enhance its support for groups
that play an important role in maintaining the technical infrastructure. An example is the work
done, often pro bono, by the open source community in maintaining, developing and
expanding important sections of the public core of the internet. This work could be facilitated
through financial support, such as support for strengthening encryption via open source
projects.7
Digital rights and internet freedom
Digital rights is another field in which national governments face challenges that exceed their
own individual capabilities. The protection of human rights in an online environment requires
international cooperation within regional and international organisations.
In its advisory report the AIV addresses the main themes dominating the discussion on
online rights, namely the right to protection of privacy, freedom of expression and the role of
the law enforcement authorities. As the internet evolves, it is necessary to reassess the legal
frameworks that were developed to protect rights in a different era when technology was
much less advanced. The government considers it important that the core values of Dutch
society, as set out in the Dutch constitution and international human rights conventions, form
the basis for the legal framework for safeguarding human rights in the digital society. The
government seeks to ensure that these fundamental rights are adequately protected in the
digital domain and to promote the application of comparable standards in international law.
An example is the Council of Europe’s Guide to Human Rights for Internet Users.8 Restriction
of a fundamental right is permitted only if there is a statutory basis and the minimum
requirements of proportionality and necessity are met. Recent case law of the European
Court of Human Rights (ECtHR) and the European Court of Justice (ECJ) relating to the
digital domain provides an opportunity to more closely define the requirements of necessity
and proportionality, including safeguards relating to the nature, scope and duration of
7 https://zoek.officielebekendmakingen.nl/kst-34300-XIII-160.html.
8 Recommendation CM/Rec(2014)6 of the Committee of Ministers to Member States on a Guide to
Human Rights for Internet Users. Adopted by the Committee of Ministers on 16 April 2014. See http://www.coe.int/en/web/internet-users-rights/guide.
AVT16/BZ119746 10
measures that restrict the right to privacy. 9 In the Dutch context, restriction of these
fundamental rights is possible only if there is a compelling societal interest, for example
preventing, investigating and prosecuting offences. In addition, there should be adequate
legal protection for individuals whose fundamental rights are infringed.
As regards the work of the intelligence and security services, the Dessens Committee10 has
concluded that technology has changed to such an extent in the past 10 years that the
Intelligence and Security Services Act 2002 should be amended to reduce dependence on
technology and introduce a stronger framework of oversight and control. The government
intends to rectify this deficiency by amending the legislation and strengthening the
safeguards for the protection of private life. As the amendment process is already under way,
further discussion of the revised legislation falls outside the scope of this letter. However, in
response to the reports it can be said that this process too will include careful consideration
of the different interests within the above-mentioned legal frameworks and will be in keeping
with the government’s aim of achieving a free, open and secure internet.
3. Response to the WRR’s recommendations
3.1 Towards an international cyber policy
Both the AIV and the WRR advocate the formulation of an integrated international cyber
strategy. The government accepts this recommendation. The Netherlands will benefit from
performing a careful assessment of Dutch interests in the internet domain and using this as a
basis for an international strategy that takes due account of the different interests involved.
The manner in which the Netherlands makes these choices has a direct bearing on its
position as a host country, its investment climate, and its ability to lead by example.
Although intensive international cooperation is already taking place in various policy fields,
more can be done to strengthen coordination between policy fields to allow a better overall
assessment of the different interests at play. A coordination structure has been established
for various policy fields, including cybersecurity and the digital agenda, to determine joint
positions and make decisions. The Ministries of Economic Affairs, Security & Justice,
Defence, Foreign Affairs and the Interior & Kingdom Relations all play an active part in this
9 See, for example, ECJ, 8 April 2014, C-293/12 and C-594/12 (Digital Rights Ireland Ltd. v. Ireland);
ECJ, 6 October 2015, C-362/14 (Schrems v. Data Protection Commissioner); ECtHR 12 January 2016, no. 37138/14 (Szabó and Vissy v. Hungary). 10
http://www.tweedekamer.nl/kamerstukken/brieven_regering/detail?id=2014Z04529&did=2014D08958.
AVT16/BZ119746 11
structure. Even prior to this, in fact, cooperation between the ministries had been greatly
strengthened in the run-up to the Global Conference on Cyberspace in April 2015. The
government endorses the importance of good interministerial coordination in allowing a
comprehensive assessment of Dutch interests with respect to the internet.
In the period ahead, the government will work to develop an integrated international cyber
strategy which complements and reflects national policy choices in the cyber domain. The
strategy will map international developments and provide a framework for decisions on how
the Netherlands can best achieve its national objectives in the international arena. For this
purpose, broad consultations will be held with a range of stakeholders. Without wishing to
encroach on the policy remit of the various ministries, the government is seeking to develop
an approach that reflects the interwoven nature of the various internet-related themes, as
rightly noted by the AIV and the WRR. The strategy will also foster better coordination of
Dutch activities in various international forums such as the UN, NATO, the OSCE, the EU
and the Council of Europe. Moreover, the government is working continuously to strengthen
systematic coordination between government ministries and implementing organisations to
ensure that Dutch activities in the international forums are always coherent, clear and
effective.
The government is of the opinion that the international cyber strategy of the Netherlands
should be based on its national interests. At the same time, it should also take account of
international developments in the fields of technology, international law, geostrategy and
diplomacy, and it could serve as a tool for dealing with the impact of such developments on
national interests. Such interplay between national and international developments is
particularly crucial in the cyber domain. As a consequence, the international strategy should
complement the existing national strategy documents in particular fields, such as the
National Cyber Security Strategy 2.0 and the Digital Agenda.nl, which also cover aspects of
international policy. The policy initiatives resulting from the Global Conference on
Cyberspace 2015 (GCCS 2015) and the Freedom Online Coalition, which the Netherlands
helped to establish in 2011, will be taken into account in the strategy. Dutch efforts in this
area will continue to be based on the vision of a free, open and secure internet. The themes
on which the Netherlands will focus are economic growth and social development, internet
governance, cybersecurity, international peace and security in the cyber domain, digital
rights, tackling cybercrime and building cyber capacity. The government wishes to capitalise
on the Netherlands’ existing strengths in these fields and use them both to represent national
interests and to enhance the international legal order.
AVT16/BZ119746 12
The international strategy will set out the Netherlands’ vision on international cooperation in
the digital domain. Policy development and implementation in the various sub-fields will
remain the responsibility of the relevant ministries.
3.2 Building coalitions
In its advisory report, the WRR recommends broadening the diplomatic arena. These efforts
should mainly be directed at persuading countries known as ‘swing states’ that protecting the
internet is in the interests of all states.
The digital domain is a relatively new policy field in which little has yet been decided
internationally in the form of agreements, conventions or treaties and in which both public
and private actors are active and a new balance of power is emerging. We can no longer
assume that the post-1945 world order will be decisive in agreeing the design of new forms
of cooperation and regulation.
Almost all international discussions on the digital domain reveal a sharp divide between the
multistakeholder-oriented countries such as the Netherlands, which wish to protect the
integrity of the internet, and the more state-oriented countries which seek to control and
restrict material disseminated on the internet. Between these opposite ends of the spectrum
is a large group of countries which have not yet made a clear choice based on their own
political, economic and social interests. These are known as ‘swing states’. The government
is operating entirely in accordance with the WRR’s recommendation in this regard. The
Netherlands seeks to convince swing states that a free, open and secure internet is in their
own national interests. Only if there is enough support for this vision of the internet will it be
possible to work with confidence towards, for example, international agreements on cyber
issues.
Up until now, this coalition of countries has been too small.
The Netherlands is working to build coalitions in three ways:
broadening the participation of countries and businesses in international discussions on
cyber issues;
strengthening public-private partnerships and multistakeholder decision-making so that
national authorities, the private sector, civil society, the technical community and
academics worldwide can participate in cyber-related consultations relevant to them;
developing cyber-related knowledge and expertise in third countries so that they are able
to implement the vision of a free, open and secure internet.
AVT16/BZ119746 13
At the GCCS 2015, for example, the Netherlands arranged for broad geographical
representation to ensure that countries experiencing the internet boom could be involved in
the discussions on internet governance, security and privacy. Achieving a good geographical
balance is also an ongoing aim of the Freedom Online Coalition established by the
Netherlands.
The Netherlands views capacity-building as a way of facilitating dialogue with swing states
suffering from a lack of capacity, policy or strategy. Helping to strengthen countries’
capabilities in the fields of cybersecurity and countering cybercrime will enable cross-border
digital threats to be tackled more effectively. The Global Forum on Cyber Expertise (GFCE)
is an important new tool in strengthening cyber capabilities worldwide. It is an informal
platform which can be used by countries, businesses and international organisations to
establish initiatives in cooperation with civil society to bridge the digital gap. For example, the
Netherlands is working with Senegal to develop cybersecurity strategies for West Africa. The
GFCE is also working to combat fragmentation by bringing together disparate global
initiatives.
Interstate relations are not the only important factor in building coalitions. Representatives of
civil society organisations are also instrumental in developing a free, open and secure
internet and in promoting the multistakeholder model, which enables all relevant
stakeholders to play a role in decision-making. However, there is often no place for non-state
actors in international decision-making processes at the point when agreements are made on
the regulation and future of the internet. The Netherlands facilitates and promotes the role of
civil society – NGOs, the internet community and academics – in order to make cyber
debates more inclusive.
For example, the Netherlands went to great lengths to ensure that civil society was broadly
represented at the GCCS: it held a two-day capacity-building training session prior to the
conference and helped to fund the participation of civil society representatives, particularly
from the Global South. It demonstrated its commitment again in the run-up to the second
round of negotiations in the World Summit on the Information Society +10 Review Process.
The Netherlands financed a two-day meeting in New York to ensure that representatives of
developing countries could have their say on this UN agenda and also coordinate their input
to the outcome document.
The Dutch authorities also consult national and international NGOs before reaching a
position on various processes such as the Internet Governance Forum, ICANN and the
negotiations on the World Summit on the Information Society (WSIS+10), as well as during
the Freedom Online Coalition (FOC) consultation sessions. Under Dutch co-chairmanship,
AVT16/BZ119746 14
the FOC’s ‘An Internet Free and Secure’ working group is exploring a new form of
cooperation between states (the Netherlands, Canada and the United States), the private
sector and civil society. The working group provides a unique platform for an open and
honest dialogue on cyber-related topics. Recommendations on how cooperation can be
structured at national and international level are a valuable outcome of this initiative.
3.3 Different forms of security and division of roles among actors
Security and trust are essential if citizens, businesses and authorities are to be able to use
the internet. The WRR calls for clear differentiation between various forms of internet security
and for a clear division of responsibilities and tasks among the various actors. There are
many different forms of security. Both reports mention economic security, protection from
cybercrime, consumer protection, information security (with regard to both data and data
collection), protection of national security by preventing social disruption, and various forms
of ICT security (intended above all to ensure internet availability, confidentiality and integrity).
The government carries out the following tasks: investing in awareness-raising, resilience
and national cybersecurity, detection, investigation and prosecution, putting in place
response mechanisms, diplomacy and promoting internet freedom and international security.
These tasks are entrusted to various parts of central government and to implementing
organisations such as the National Cyber Security Centre (NCSC) (which falls under the
Ministry of Security and Justice), the intelligence and security services, the law enforcement
authorities, various ministries responsible for parts of the Netherlands’ critical infrastructure,
the Ministry of Foreign Affairs, the Ministry of Defence, the Ministry of Security & Justice and
the Ministry of Economic Affairs and the Ministry of the Interior & Kingdom Relations for
central government operational management and safeguarding human rights. In this context,
the WRR deals specifically with the division of responsibilities between the Computer
Security Incident Response Teams and the intelligence and security services.
It should be noted here that as cybersecurity threats often cannot be neatly categorised, it is
difficult and indeed undesirable to completely separate the different domains. The
intelligence and security services work to protect national security, for example by
investigating espionage and sabotage in the digital domain. However, the threat-related
information they obtain from their investigations can ultimately also benefit the digital
resilience of individual businesses and citizens. For example, the General Intelligence and
Security Service (AIVD) and the Defence Intelligence and Security Service (MIVD) often
become aware earlier than other parties of new and more advanced threats and attacks,
AVT16/BZ119746 15
since they alone have the statutory task and statutory powers laid down in the Intelligence
and Security Services Act 2002. Detailed information about the trends is given in the annual
Cyber Security Assessment Netherlands (CSBN), which is publicly available. The security
services work with the NCSC in the National Detection Network, in which information about
hitherto unknown advanced persistent threats and their signatures is shared, wherever
possible, with public and private partners to increase their resilience.
Where different forms of security overlap and the interests at play do not entirely correspond,
the government tries to protect both national security and the security of individual citizens
and businesses as effectively as possible. Both the AIV and the WRR mention the dilemma
facing the authorities in connection with the use of encryption. On the one hand, encryption is
important for system and information security and for the constitutional protection of private
life and privacy of communication. On the other hand, encryption can make it difficult for the
state to discharge its responsibility for investigating serious crime and protecting national
security. The government’s recently published position paper on encryption clearly illustrates
the considerations the government weighs in its efforts to keep the internet open, free and
secure. In this position paper the government concludes that it has the ‘task of safeguarding
national security and investigating offences’. The government recognises the need for lawful
access to data and communication. At the same time, it would point out that public
authorities, businesses and citizens all benefit from the maximum security of digital systems.
The government endorses the importance of strong encryption for internet security to protect
the personal privacy of citizens, for confidentiality of communication for the authorities and
the private sector, and for the Dutch economy. The government is therefore of the opinion
that at this point in time it is not desirable to take restrictive legal measures as regards the
development, availability and use of encryption in the Netherlands. The Netherlands will
disseminate this conclusion and the underlying assessment internationally.11
The various security organisations work together where necessary as well, for example
during a crisis. Responsibility for coordination lies with the Ministry of Security & Justice. The
NCSC is the national centre of expertise for digital security and acts as the Computer
Emergency Response Team (CERT) for central government and vital industries. Together
with its public sector partners, such as the National Police, the AIVD and the Ministry of
Defence (including the MIVD), research institutions and the private sector, the NCSC works
11
Letter to parliament on the government’s position on encryption, Parliamentary Paper 26643-383, 4 January 2016, https://www.rijksoverheid.nl/documenten/kamerstukken/2016/01/04/tk-kabinetsstandpunt-encryptie.
AVT16/BZ119746 16
to ensure that the critical infrastructure of the Netherlands is kept secure, as specified in the
Cybersecurity Data Processing and Reporting Duty Bill.12
4. Response to the AIV’s recommendations
4.1 Data protection
Internet users must be able to trust government authorities and organisations to protect their
personal and other data properly. The criteria applied when formulating data protection policy
and legislation in the EU are user trust, transparency, a risk-oriented approach and the need
to minimise regulatory pressure for internet service providers. This is also the position taken
by the government in debating the various data protection instruments in Europe, for
example the General Data Protection Regulation, the Directive on personal data protection
for the purposes of investigation and prosecution of criminal offences, and the recent
framework agreement concluded by the European Commission with the United States on a
successor to the Safe Harbour Treaty.
The government attaches great importance to legal certainty in connection with international
data transmissions and is therefore pleased that the European Commission announced on 2
February that a political agreement had been reached between the EU and the United States
on a new framework for transatlantic data flows: the EU-US Privacy Shield. The process of
drafting the detailed provisions is expected to take until June. Although circumstances may
still change during this period, the Netherlands welcomes the improvements that have been
made in terms of stronger monitoring and enforcement. According to the Commission, the
new framework serves two aims, namely to protect the fundamental rights of EU citizens and
to provide legal certainty for businesses. This therefore seems to end the uncertainty faced
by businesses since October about the lawfulness of data storage by internet companies in
the United States.
Striking a good balance between commercial interests and privacy is important both for
public trust in online services and for economic growth. Rather than being a hindrance,
respect for privacy should serve as a framework that challenges businesses to develop
12
‘Rules on the processing of data to promote the security and integrity of electronic information systems of vital importance to Dutch society and rules on reporting serious breaches (Cybersecurity Data Processing and Reporting Duty Bill)’, Parliamentary Papers, House of Representatives 343882, Bill presented to parliament on 21 January 2016.
AVT16/BZ119746 17
innovative solutions and new services and applications. If the digital economy is to grow, it is
essential that people should trust innovative services. Better privacy protection in the United
States could help to create an international level playing field, thereby strengthening the
position of European technology companies in relation to major players in the United States.
The Netherlands trusts in the value of written representations of the United States
concerning the safeguards surrounding the lawful access to transmitted data for law
enforcement and national security purposes. It awaits the follow-up steps with interest.
4.2 Economic potential / foreign investment climate
The government agrees with both reports that the internet is of major importance to the
Dutch economy and that the Netherlands has carved out a leading international position, as
evidenced, for example, by its high position in the various international rankings. The
Netherlands has excellent networks, a well-educated population and a high internet
penetration rate, and it leads the field in terms of data centres and internet hubs, including
intercontinental and transatlantic connections. The Dutch economy ranks alongside that of
the United Kingdom as the most ICT-intensive in Europe. Its ICT turnover accounts for 5% of
GDP, and this does not even include other ICT-dependent sectors. A quarter of Dutch
economic growth in the past 10 years is attributable to ICT, and 25% of foreign investment in
the Netherlands is ICT-related.
The government has integrated the full spectrum of the digital economy into its policy in order
to preserve and expand ICT-related growth potential. In its letter to parliament13 on its
medium-term vision on telecommunications, media and the internet, the government explains
how it is working to improve the security and reliability of the internet and promote freedom in
the digital domain, with particular emphasis on:
- an internet economy that is free from improper influence of public authorities, businesses
and other lobby groups on the freedom of choice of users; this will both protect civil
liberties and benefit the free market;
- the integrity, continuity and protection of personal data as a basis for trust in data-driven
markets.
The government has documented its efforts to strengthen opportunities for economic growth,
innovation and entrepreneurship through the internet and ICT in various policy papers, such
as the Digital Agenda.nl – ICT and Innovation for Economic Growth (2011) and the Digital
13
https://www.rijksoverheid.nl/documenten/richtlijnen/2013/12/23/visie-op-telecommunicatie-media-en-internet-verdieping.
AVT16/BZ119746 18
Implementation Agenda.nl (2011).14 An evaluation and update of the Digital Agenda was sent
to the House of Representatives on 5 July 2016. This also addressed the motion of 15
October 2015 by Dutch MP Kees Verhoeven,15 in which the government was requested to
recognise digital infrastructure as the country’s third ‘main port’ (in addition to the Port of
Rotterdam and Amsterdam Airport Schiphol) and to develop and implement an economic
vision to strengthen this role.
Specific attention is also paid to the role which ICT and the internet can play in new
developments in all sectors, for example healthcare. The role of the internet and Big Data in
the healthcare sector is growing all the time and opportunities abound. Thanks to these
developments, healthcare is growing ever more international. It is important for data to be
well protected and for the privacy of the patient to be guaranteed. Making data both
accessible and secure will ensure that people have greater control over their own health,
methods of treatment can be improved (partly through international data collection), the
quality of care can be enhanced, transparency can be increased and the door can be opened
to innovative technological advances and products.
A policy of targeted incentives for the ICT and internet sector is helping to create a positive
foreign investment climate for internet companies. For example, ICT is a theme that cuts
across all sectors included in the government’s ‘top sector’ policy and has its own knowledge
and innovation agenda, for which the Netherlands Organisation for Scientific Research
(NWO), the Netherlands Organisation for Applied Scientific Research (TNO) and the Ministry
of Economic Affairs have reserved €40 million for ICT-related knowledge and innovation in
the context of public-private cooperation. The Ministry of Economic Affairs has commissioned
research into opportunities for the cybersecurity sector in the Netherlands, and policy
recommendations will be based on the ICT sector’s contribution to the business climate and
on the foreign investment climate.
4.3 Intelligence and security services: role and oversight
The AIV recommends ensuring effective and independent oversight of the intelligence and
security services and providing better safeguards for the exchange of data between national
intelligence and security services within Europe and beyond.
14
https://zoek.officielebekendmakingen.nl/kst-26643-217.html. 15
Motion 34300-XIII-45.
AVT16/BZ119746 19
The Intelligence and Security Services Act 2002 describes how effective and independent
oversight of the activities of the intelligence and security services is carried out by various
bodies. As noted above, a review of the 2002 Act is currently being prepared, and this
opportunity will be taken to review the conditions under which the restriction of fundamental
rights is considered justified. After all, even once this review has been completed the system
of oversight must continue to comply with the requirements laid down by the European Court
of Human Rights (ECtHR) regarding the activities of the intelligence and securities service
that infringe fundamental rights.
The AIV rightly refers in its advisory report to the Dessens Committee’s report, in response to
which the government indicated that it would take the Committee’s oversight
recommendations into account when framing the new Intelligence and Security Services Act.
This is about striking the right balance between, on the one hand, modifying and, in some
respects, expanding the special competences of the services and, on the other hand,
strengthening the system of safeguards, including oversight. At present, the government is
using the response from its online consultations and the Privacy Impact Analysis to draft a
new bill, which will be submitted to the Advisory Division of the Council of State before the
summer recess. As the review is still under way, the government considers that discussion of
the new legislation is beyond the scope of this response.
When working with their foreign counterparts, the intelligence and security services apply
various criteria, such as the democratic accountability of the foreign organisations and the
human rights policy of the country concerned. These are important factors in deciding on the
intensity of cooperation with a partner. This procedure is in line with the recommendations in
oversight report 38 (2014) of the Intelligence and Security Services Review Committee
(CTIVD). The criteria will also be incorporated in the amended Intelligence and Security
Services Act 2002.
4.4 Leading role played by the Netherlands in an EU context
EU Presidency
The Netherlands aims to play a leading role as the ‘digital gateway to Europe’ and as a safe
place to live and do business. During its current Presidency of the Council of the European
Union the Netherlands is paying explicit attention to cybersecurity, cybercrime and digital
issues such as the Digital Single Market. The priorities are to achieve progress on free data
traffic and internet governance (in which the Netherlands will work for a free and open
AVT16/BZ119746 20
internet) and to strengthen the framework for cross-border access to data for the purposes of
investigating cybercrime.
In the Friends of the Presidency Group on Cyber Issues (FoP), the Netherlands is
addressing the topic of the EU’s Cybersecurity Strategy and the accompanying Roadmap.
The matters covered include operational cooperation and information-sharing, public-private
cooperation, cyber diplomacy, capacity-building in countries outside the EU, digital rights,
anti-cybercrime measures and best practices in cybersecurity, such as vulnerability
disclosure. The Netherlands is involving private partners in its Presidency, for example by
giving the Cyber Security Council a role in the High-Level Meeting on Cybersecurity in May
2016.
Operational cooperation is also part of the EU Network and Information Security Directive.
Implementation of the directive will start during the Dutch Presidency.
Export controls on dual-use ICT goods and software
The AIV recommends that the Netherlands use its Presidency of the European Union to
develop proposals for updating outdated legislation that curbs internet freedom. In line with
this recommendation and with the discussions during the GCCS, the Netherlands will seek
during its Presidency to tighten up the provisions resulting from the current revision of the EU
Dual-Use Regulation. This involves stricter controls on the export of dual-use surveillance
technologies. An effective and proportionate export control regime is necessary in order to
prevent the export of surveillance technology from the EU to repressive regimes which have
inadequate safeguards for human rights and could use this technology for human rights
violations. The Netherlands is aware of the complexity of formulating technical proposals in
this field. It therefore supports the research currently being done for the European
Commission and looks forward to receiving the Commission’s proposal based on this study.
The Netherlands is trying to gain support for this approach in other multilateral forums as
well.
Net neutrality
The Netherlands pioneered net neutrality legislation in the EU and has played an active part
in the European debate on net neutrality based on its own national legislation. The House of
Representatives, the Dutch government and Dutch members of the European Parliament
have all been instrumental in bringing about the EU net neutrality regulation. Various
AVT16/BZ119746 21
European civil society organisations (including consumer organisations) have repeatedly
endorsed Dutch practice and the Dutch position.16
4.5. Dialogue with the private sector
As both the WRR and the AIV note in their reports, there are two sides to the relationship
between public authorities and the private sector. Although the private sector works with the
authorities to safeguard such public interests as privacy, security and freedom in the digital
domain, some companies can have a negative influence on such interests, partly due to their
global market dominance. In view of the key role played by the latter companies in the digital
domain, serious diplomatic efforts must undoubtedly be made to engage with them.
The authorities are working closely with the private sector to improve digital skills and
emphasise the duty of care that businesses and authorities have towards their clients. ICT
products and services must be secure too. It must be possible to hold businesses and
authorities accountable for their responsibilities. They must also be transparent about the
cybersecurity measures they take and how they deal with user data. As outlined in the
coalition agreement, the government aims to ensure that businesses and citizens can
manage their affairs with the authorities securely online.
All ministries are in constant dialogue with the private sector about a wide range of subjects,
such as adopting positions within ICANN and the ITU (Ministry of Economic Affairs),
coordinating the approach to all aspects of internet governance in the annual Dutch Internet
Governance Forum (Ministries of Economic Affairs, Foreign Affairs, Security & Justice and
the Interior & Kingdom Relations), consulting about the design of policy on privacy, data
protection and the role of intermediaries as building blocks for the European digital single
market (Ministry of Economic Affairs), public-private cooperation (Ministry of Security &
Justice), and developing standards for responsible state behaviour in cyberspace,
particularly in relation to capacity-building and human rights (Ministry of Foreign Affairs).
The role, duty of care and shared responsibility of businesses, individuals and the authorities
in relation to online security has been defined by the government in the National Cyber
Security Strategy 2.0, and is also an issue covered by the Cyber Security Council.
16
On this point see also the Letter to parliament about the Regulation on the single market for telecommunications and roaming in the Benelux of 9 November 2015.