Netherlands

Overview

EU Member State: The Netherlands is subject to the GDPR, the Law Enforcement Directive, and the ePrivacy Directive. For the EU framework, see the EU Framework page. This page covers national laws, intelligence and surveillance, and the Netherlands’ role in international data sharing.

Two events define the Dutch privacy story. First, the Sleepwet referendum (March 2018): a majority of Dutch voters rejected a broad surveillance law, only for the government to implement it with minor amendments. Second, the childcare benefits scandal (toeslagenaffaire): the Dutch Tax Administration used nationality as an algorithmic risk indicator to wrongly accuse ~26,000 families of fraud, causing the resignation of the entire cabinet in January 2021.^[1][2]

The Netherlands operates the JSCU (Joint Sigint Cyber Unit), a joint AIVD-MIVD venture conducting bulk cable interception at AMS-IX (one of the world’s largest internet exchanges, 900+ networks, 14 Tbps peak). As a Nine Eyes and Maximator member, the Netherlands has deep intelligence-sharing ties — but in October 2025, both Dutch intelligence directors confirmed they are sharing less intelligence with the United States, citing concerns about politicisation under the current US administration.^[3][4]

Privacy Framework

The Autoriteit Persoonsgegevens (AP) has imposed significant fines including Uber EUR 290M (US data transfers), Clearview AI EUR 30.5M (biometric scraping), Dutch Tax Administration EUR 6.45M (toeslagenaffaire discrimination + FSV fraud blacklist), and Experian EUR 2.7M (unlawful credit scoring, October 2025). 2024 budget: EUR 45.2M; ~320 FTE; the AP says it needs EUR 100M+ to fulfill all statutory tasks. The AP is also designated as the Dutch EU AI Act supervisory authority.^[5][6]

The UAVG (2018) supplements the GDPR with strict BSN (Burgerservicenummer) processing restrictions (functionally stricter than GDPR special category data), age of consent maintained at 16 (GDPR default), and specific rules on criminal conviction data. The Telecommunications Act implements ePrivacy with cookie consent and breach notification requirements.^[7]

The Childcare Benefits Scandal (Toeslagenaffaire)

The Tax Administration used automated risk models where dual nationality or “foreign-sounding names” served as fraud indicators, processing nationality data of 1.4 million citizens that should have been deleted in 2014. Repayment demands averaged EUR 20,000–60,000; 2,000+ children were placed in foster care. Amnesty International’s Xenophobic Machines report concluded it constituted institutional racism. The scandal influenced the EU AI Act’s provisions on high-risk AI in public administration and remains a defining reference point for algorithmic accountability in Europe.^[2][8]

Surveillance and Intelligence

Wiv 2017 and the Sleepwet Referendum

The Wiv 2017 authorises bulk interception of cable-bound communications (earning it the “Sleepwet”/dragnet nickname), extended hacking powers (including third-party device compromise), DNA collection, raw intelligence data sharing with foreign services, and expanded metadata analysis. On March 21, 2018, 49.44% of voters voted against the law (51.5% turnout), but the government proceeded with implementation, passing 2021 amendments requiring operations be “as targeted as possible” — changes critics call cosmetic.^[1][9]

Temporary Cyber Operations Act (July 2024)

Expanded AIVD/MIVD capabilities for investigating countries with offensive cyber programmes. Most controversially, weakened the oversight framework by shifting from binding prior authorisation (TIB) to binding supervision during/after deployment (CTIVD) for certain powers. Former TIB member Bert Hubert publicly warned this erodes civil liberties oversight.^[10][11]

Intelligence Agencies

AIVD: Civilian intelligence (domestic/foreign) and SIGINT, headquartered in Zoetermeer. MIVD: Military intelligence under Ministry of Defence. JSCU (Joint Sigint Cyber Unit, ~350 employees): joint AIVD-MIVD SIGINT organisation, the Netherlands’ primary contribution to Nine Eyes.^[12]

Oversight

CTIVD: Ex post oversight with binding powers; can “walk in, pull open drawers, and log into networks.” In 2024–2025, confirmed AIVD/MIVD had recruited journalists as paid agents and reprimanded AIVD for conducting organised crime investigations outside its mandate. TIB: Ex ante binding prior authorisation for special intelligence powers (partially weakened by the Temporary Cyber Operations Act).^[13][14]

Encryption Policy

The Netherlands has maintained a consistently pro-encryption stance. In January 2016, the government formally stated it would not take restrictive legal measures on encryption, even as Five Eyes partners pushed for backdoors. Dutch law provides no general compelled decryption authority; intelligence agencies use targeted hacking (Wiv 2017 endpoint exploitation) to bypass encryption rather than mandating providers to build backdoors.^[15]

The Netherlands is among only six EU member states explicitly opposing mandatory scanning of encrypted communications under the EU CSA Regulation (Chat Control). Dutch opposition was instrumental in forcing the November 2025 compromise removing mandatory client-side scanning. The AIVD, together with TNO and CWI, published a Post-Quantum Cryptography Migration Handbook (2024) to prepare for quantum computing threats.^[16][17]

This creates a paradox: the Netherlands protects encryption architecturally while simultaneously deploying targeted hacking to bypass it at the endpoint and conducting bulk cable interception under the Wiv 2017 to capture communications before or after encryption is applied.

Commercial Surveillance Procurement

NSO Group Pegasus

The Netherlands is a confirmed Pegasus customer. Once deployed, Pegasus provides unrestricted access to all device data, with no technical mechanism to limit collection. This creates a layered surveillance approach: bulk cable interception at scale (Wiv 2017/JSCU) combined with targeted endpoint exploitation (Pegasus) when targets use end-to-end encryption.^[18]

Palantir Technologies

The Netherlands has a long-standing Palantir relationship dating to 2010 (Ministry of Defence) and 2011 (National Police, contract signed by then-Police Commissioner Henk Schoof, who became Prime Minister in 2024). Additional customers include the NCTV (National Coordinator for Security and Counterterrorism) and the Openbaar Ministerie (Public Prosecution Service). A 2023 court ruling forced partial disclosure of 45,000 procurement documents, the overwhelming majority heavily redacted or entirely blacked out. Palantir’s US corporate structure creates CLOUD Act exposure for all data processed through its platforms.^[19]

Internet Infrastructure and Cable Surveillance

AMS-IX (Amsterdam Internet Exchange): one of the world’s largest IXPs, 900+ connected networks, 14 Tbps peak traffic. Also operates exchanges in Mumbai, Hong Kong, Chicago, and the Caribbean. NL-ix provides a commercial alternative. Submarine cables land at Beverwijk, Katwijk, and Zandvoort, connecting the Netherlands to the UK and beyond.^[20][21]

The Wiv 2017 authorises JSCU bulk cable interception, and the Temporary Cyber Operations Act (2024) further expanded cable access for investigating state cyber threats while weakening TIB prior authorisation. AMS-IX’s massive traffic volume gives Dutch intelligence access to a significant portion of European internet traffic — a key reason the Netherlands maintains Nine Eyes membership despite its small population.^[1]

Data Retention

The Dutch data retention law was declared inoperative by The Hague District Court on March 11, 2015, following the CJEU’s Digital Rights Ireland ruling. The Netherlands has not enacted replacement legislation. Proposed revisions requiring prior judicial authorisation and limiting access to offences carrying 4+ years imprisonment remain unadopted. Intelligence services access communications data through Wiv 2017 bulk interception, effectively bypassing restrictions that would apply to law enforcement.^[22]

International Data Sharing Agreements

Mutual Legal Assistance: Layered Framework

EU Member States (26 countries): EU MLA Convention 2000, Schengen Convention, EIO. The Netherlands was an original Prüm Convention signatory (2005); Prüm II (2024) adds facial images and police records. The Benelux Treaty on Extradition and Mutual Assistance in Criminal Matters (1962, amended 1974) provides a special streamlined framework with Belgium and Luxembourg.

Council of Europe (50 signatory states): European Convention on MLA 1959 + Additional Protocols.

Bilateral MLAT with the United States: Signed June 12, 1981, the Netherlands was one of the first three countries (alongside Switzerland and Turkey) to sign a modern MLAT with the US, including defence counsel evidence access. The Netherlands has also signed “many bilateral agreements with different countries all over the world” (per the UNODC G20 MLA Guide). AIRS (Department of International Affairs and Legal Assistance in Criminal Matters, Ministry of Justice and Security) serves as central authority, also covering the Caribbean Netherlands (Bonaire, Sint Eustatius, Saba); Aruba, Curaçao, and Sint Maarten have their own central authorities.^[23]

Non-treaty cooperation: The Netherlands can execute MLA requests even without a treaty, under Dutch domestic criminal procedure code. Non-treaty requests must be sent through diplomatic channels to AIRS. Dual criminality is only required if the applicable convention so requires.

Nine Eyes Alliance and the 2025 Intelligence-Sharing Shift

The JSCU is the primary vehicle for Nine Eyes participation, sharing SIGINT with NSA, GCHQ, and other Five Eyes partners. The framework creates reciprocal bypass: NSA can collect on Dutch persons and share with AIVD/MIVD; Dutch intelligence can collect on Five Eyes persons and share back.^[24]

In October 2025, AIVD Director-General Akerboom and MIVD Director Reesink confirmed the Netherlands is sharing less intelligence with the United States, redirecting cooperation toward the UK, Germany, France, Poland, and Nordic services. Reesink: “That we sometimes no longer tell certain things, that’s true.” Concerns centre on potential “politicisation” of shared intelligence. A northern European intelligence group is now exchanging more data, including raw data, driven by Russia’s war in Ukraine.^[3][4]

Maximator Alliance

The Netherlands joined Maximator in 1978 (founded 1976 by Denmark, Sweden, Germany; France joined 1985). The five-nation encryption-defeat cooperative pooled cryptanalytic effort against third-country government communications. The alliance was not publicly revealed until 2020.^[25]

EU and Multilateral Frameworks

SIS II: Real-time query and alerts across Schengen. EU-US Umbrella Agreement: Dutch citizens get judicial redress before US courts. SWIFT/TFTP: International wire transfers subject to US Treasury subpoena. PNR: Passenger data for NL-US flights. Europol: The Netherlands hosts Europol headquarters in The Hague, a major contributor; FBI cooperation channel. Interpol I-24/7: 195-country network. Egmont Group: FIU-Nederland shares financial intelligence across 164+ FIUs.

The Privacy Backdoor Effect

Despite the Wiv 2017’s judicial authorisation requirements, CTIVD/TIB oversight, and AP GDPR enforcement, international agreements create alternative access pathways:

• Nine Eyes Laundering: NSA/GCHQ can collect on Dutch persons and share with AIVD/MIVD, bypassing Wiv 2017 judicial authorisation
• EU Framework Sharing: Dutch person data in SIS II, Prüm, or EIO channels accessible to 27 EU states and through Europol (headquartered in The Hague) to US FBI
• MLAT: US requests through one of the oldest bilateral MLATs, with potentially different evidentiary standards
• SWIFT/PNR: Financial transactions and air travel data subject to US access
• Palantir CLOUD Act: Dutch security data processed through Palantir potentially accessible to US authorities without Dutch legal process

Recent Developments

Intelligence-Sharing Pivot (October 2025): AIVD and MIVD directors confirmed reduced US intelligence sharing, redirecting cooperation toward European partners. A geopolitically significant development within the Nine Eyes framework.^[3]

Odido Data Breach (February 2026): Potentially the largest Dutch breach in history, exposing 6.2 million customers (~one-third of population), including names, IBANs, and government ID numbers. Reporting revealed Odido retained data “much longer than claimed.”^[26]

Expanded Espionage Law (May 2025): Broadened criminal definition to cover digital espionage and diaspora espionage (targeting diaspora communities for foreign states), penalties up to 8–12 years.^[27]

Chat Control Opposition Strengthened: The Netherlands is among only six EU states explicitly opposing mandatory encrypted scanning. Dutch opposition was instrumental in forcing the November 2025 compromise.^[28]

Digital Sovereignty Push (March–December 2025): Parliament voted to move away from US cloud services and establish national cloud infrastructure. The Netherlands joined the Digital Commons EDIC (December 2025) with eight other EU states for open-source European digital infrastructure.^[29]

CTIVD: Journalist Recruitment Confirmed (2024–2025): AIVD and MIVD recruited journalists as paid agents, raising serious press freedom concerns.^[14]

Wiv 2017 Reform Discussion: Independent evaluation concluded the law is “too restrictive” in certain operational aspects, recommending greater flexibility — in tension with civil liberties advocates who argue the Sleepwet already grants overly broad surveillance powers.

Cyberbeveiligingswet (NIS2 Transposition) — March 2026: The Cyberbeveiligingswet (Cbw) and the Wet weerbaarheid kritieke entiteiten (Wwke, CER Directive transposition) underwent plenary debate in the Tweede Kamer on March 23–24, 2026. The government targets simultaneous entry into force of both laws in Q2 2026 (July 1, 2026). Some uncertainty arose from an EU simplification proposal (COM(2026)13, January 2026) that could affect NIS2 implementation across all member states.^[30]

Sources