Netherlands
Nine Eyes member where a referendum rejected mass surveillance, an algorithm toppled a government, and intelligence services are rethinking who they trust
EU Member State: The Netherlands is a member of the European Union and is therefore subject to the General Data Protection Regulation (GDPR), the Law Enforcement Directive, the ePrivacy Directive, and other EU-level data protection instruments. For a detailed treatment of the EU framework, see the EU Framework page. This page covers the Netherlands’ national implementing legislation, domestic enforcement record, intelligence and surveillance laws, and its role in the Nine Eyes intelligence alliance.
Overview
The Netherlands operates an active data protection authority, the Autoriteit Persoonsgegevens (AP), which has imposed hundreds of millions of euros in GDPR fines on companies including Clearview AI, Uber, and TikTok. The country is also a core member of the Nine Eyes intelligence alliance and operates a sophisticated signals intelligence apparatus through its Joint Sigint Cyber Unit (JSCU), a joint venture of the AIVD (civilian intelligence) and MIVD (military intelligence).[1]
Two events define the Dutch privacy story more than any others. First, the Sleepwet referendum of March 2018, in which a majority of valid votes rejected a broad new surveillance law, only for the government to implement it anyway with minor amendments.[2] Second, the childcare benefits scandal (toeslagenaffaire), in which the Dutch Tax Administration used nationality as an algorithmic risk indicator and wrongly accused approximately 26,000 families of fraud. The scandal brought down the entire Dutch cabinet in January 2021 and remains a leading example of discriminatory algorithmic data processing with severe consequences for the people affected.[3]
As of 2025, the Netherlands is navigating a shift in intelligence-sharing priorities. Citing concerns that classified information could be “politicized” under the current U.S. administration, the directors of both Dutch intelligence services confirmed in October 2025 that the Netherlands is sharing less intelligence with the United States and redirecting cooperation toward European partners, a significant shift within the Five/Nine Eyes framework.[4]
Data Protection Authority: Autoriteit Persoonsgegevens (AP)
The Autoriteit Persoonsgegevens (Dutch Data Protection Authority, or AP) is the independent supervisory authority responsible for monitoring compliance with the GDPR, the UAVG (the Dutch GDPR Implementation Act), and other data protection legislation. It has the power to investigate, issue binding orders, and impose administrative fines of up to EUR 20 million or 4% of global annual turnover, whichever is higher.[5]
The AP’s 2024 budget stood at EUR 45.2 million with approximately 320 full-time equivalent staff. The 2025 budget is projected at approximately EUR 49 million. The AP has publicly stated, however, that it requires EUR 100 million or more to properly fulfill all of its statutory tasks, a gap that highlights the chronic underfunding of data protection enforcement across Europe.[5]
For 2024, the AP identified five enforcement priorities: algorithms and AI, Big Tech, freedom and security, data trading, and digital government. The AP has also been designated as a Dutch supervisory authority for the EU AI Act, which entered into force in August 2024, further expanding its mandate.[6]
Notable Enforcement Actions
| Entity | Date | Fine | Violation |
|---|---|---|---|
| Clearview AI | Sep 2024 | EUR 30.5M | Illegal biometric data processing; scraped 30B+ facial images from the internet without consent[7] |
| Uber | Aug 2024 | EUR 290M | Transferring European drivers’ personal data to the US without adequate safeguards for over two years after ceasing use of Standard Contractual Clauses[8] |
| Dutch Tax Administration (FSV blacklist) | Apr 2022 | EUR 3.7M | Unlawful processing of fraud blacklist (Fraude Signalering Voorziening) affecting 270,000+ citizens[9] |
| Dutch Tax Administration (childcare benefits) | Dec 2021 | EUR 2.75M | Discriminatory processing of dual-nationality data of 1.4 million citizens[3] |
| VoetbalTV | Jul 2020 | EUR 575K | Recording amateur football matches without lawful basis |
| Royal Dutch Tennis Association (KNLTB) | Mar 2020 | EUR 525K | Selling member personal data to sponsors without consent |
| DPG Media | Jan 2022 | EUR 525K | Requiring identity document upload to exercise data subject rights |
| Booking.com | Mar 2021 | EUR 475K | Late notification of a data breach affecting 4,109 customers |
The Childcare Benefits Scandal (Toeslagenaffaire)
No discussion of Dutch data protection can omit the toeslagenaffaire, the childcare benefits scandal, a major failure of algorithmic governance that had far-reaching political and human consequences. Between 2013 and 2019, the Dutch Tax and Customs Administration (Belastingdienst/Toeslagen) wrongly accused approximately 26,000 families of fraudulently claiming childcare benefits, though some estimates place the number of affected families as high as 35,000.[3]
The mechanism was algorithmic profiling with nationality as a core variable. The Tax Administration used automated risk models in which having a dual nationality or a “foreign-sounding name” served as indicators of potential fraud. The dual-nationality data of approximately 1.4 million citizens was processed for this purpose, data that should have been deleted in 2014 under existing retention rules but was retained and actively used for years afterward.[10]
The consequences for affected families were devastating. Parents were ordered to fully reimburse childcare allowances, with repayment demands averaging between EUR 20,000 and EUR 60,000. Many families were plunged into debt, lost their homes, or saw their marriages collapse under the financial strain. In the most harrowing dimension of the scandal, more than 2,000 children were placed in foster care after their parents were branded as fraudsters by the state.[11]
Amnesty International published a report titled Xenophobic Machines in October 2021, concluding that the Tax Administration’s algorithms constituted institutional racism and violated the right to non-discrimination under international human rights law.[12] The scandal was also raised before the European Parliament, which examined the case as a cautionary example of algorithmic harm within the EU.[13]
The political fallout was unprecedented. On January 15, 2021, the entire Dutch cabinet under Prime Minister Mark Rutte resigned over the scandal, widely described as the first time a sitting government fell as a direct result of data protection failures. The AP imposed the two fines listed in the enforcement table above, totaling EUR 6.45 million, for the “unlawful, discriminatory and therefore improper” processing of personal data and for the related FSV fraud blacklist.[9]
The toeslagenaffaire has become a defining reference point in European policy debates about algorithmic accountability. It is widely credited with shaping the EU AI Act’s provisions on high-risk AI systems used in public administration, and it is frequently cited in EU policy discussions as an example of algorithmic harm occurring within the legal framework of an established European democracy.
National Legislative Framework
UAVG – GDPR Implementation Act (Uitvoeringswet AVG, 2018)
The Netherlands implemented the GDPR through the Uitvoeringswet Algemene Verordening Gegevensbescherming (UAVG), which has applied since May 25, 2018. The UAVG supplements the GDPR in areas where the regulation permits or requires national implementing legislation.[14]
Key provisions of the UAVG include:
Citizen Service Number (BSN): Article 46 of the UAVG strictly limits the processing of the Burgerservicenummer (BSN), the unique national identification number assigned to every Dutch resident. The BSN may only be processed where explicitly authorized by law or by an Order in Council (Algemene Maatregel van Bestuur). Government agencies may use the BSN for their statutory tasks; private-sector organizations may only process it where specific legislation permits, such as in healthcare and education. The BSN is not classified as “special category” data under the GDPR, but its processing is subject to restrictions that are functionally even stricter.[15]
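Because the UAVG restricts where a BSN may appear at all, a practical engineering control is to detect BSN-shaped values that have leaked into fields, logs or free-text columns that are not authorized to hold them. The check below is an added example, not code from the page or from any Dutch authority: it implements the public BSN checksum rule (the “elfproef”: digits weighted 9 through 2, with the last digit weighted -1, must sum to a multiple of 11) and runs it over constructed sample records. The record layout, field names and sample numbers are assumptions made for illustration; 111222333 and 123456782 are test values that satisfy the checksum, not real identifiers.

```python
import re

# BSN checksum (the Dutch "elfproef"): a nine-digit number whose digits, weighted
# 9,8,7,6,5,4,3,2 for the first eight and -1 for the ninth, sum to a multiple of 11.
# The -1 on the last digit is what distinguishes the BSN test from the older
# bank-account variant, which uses +1.
_BSN_WEIGHTS = (9, 8, 7, 6, 5, 4, 3, 2, -1)

# Nine consecutive digits not bordered by another digit.
_NINE_DIGITS = re.compile(r"(?<!\d)\d{9}(?!\d)")


def is_valid_bsn(candidate: str) -> bool:
    """True when candidate is nine digits, not all zero, and passes the elfproef."""
    if len(candidate) != 9 or not candidate.isdigit() or candidate == "000000000":
        return False
    total = sum(int(d) * w for d, w in zip(candidate, _BSN_WEIGHTS))
    return total % 11 == 0


def find_bsns(text: str) -> list[str]:
    """Return each nine-digit run in text that passes the elfproef, in order."""
    return [m.group(0) for m in _NINE_DIGITS.finditer(text) if is_valid_bsn(m.group(0))]


def scan_records(records: list[dict], allowed_fields: set[str]) -> list[tuple]:
    """Report (record id, field, value) for BSN-shaped values outside allowed_fields.

    Only string fields are scanned. A field on the allow-list is the designated
    BSN column and is skipped, so the report lists BSNs that ended up elsewhere.
    """
    findings = []
    for rec in records:
        for field, value in rec.items():
            if field in allowed_fields or not isinstance(value, str):
                continue
            for bsn in find_bsns(value):
                findings.append((rec["id"], field, bsn))
    return findings


# Constructed sample records (assumed layout, not real data). 111222333 and
# 123456782 pass the elfproef; 123456789 does not, so the order number in
# record 3 is not reported.
SAMPLE_RECORDS = [
    {"id": 1, "bsn": "111222333", "note": "callback requested"},
    {"id": 2, "bsn": "123456782", "note": "customer read out bsn 111222333 by phone"},
    {"id": 3, "bsn": "", "note": "order 123456789 shipped"},
]

if __name__ == "__main__":
    for hit in scan_records(SAMPLE_RECORDS, allowed_fields={"bsn"}):
        print("BSN outside its designated column:", hit)
```

The elfproef only checks structure: roughly one in eleven random nine-digit numbers passes it, so a hit is a candidate for review rather than proof of a BSN, and a production control should weigh field names and surrounding words before acting on it.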
Age of consent: The Netherlands maintains the GDPR’s default age of consent at 16 years for children’s data in information society services, opting not to lower it as some other member states have done.
Special categories of data: The UAVG provides additional rules on the processing of special categories of personal data, including criminal conviction data and national identification numbers, and specifies the conditions under which derogations from GDPR prohibitions on processing such data are permitted under Dutch law.[14]
Telecommunications Act (Telecommunicatiewet)
The Dutch Telecommunications Act implements the EU ePrivacy Directive and contains rules on cookies, direct marketing, and the confidentiality of electronic communications. Under this act, consent is required for the placement of tracking cookies and similar technologies, and service providers are subject to data breach notification obligations to both the AP and affected individuals.
Surveillance and Intelligence
The Wiv 2017 and the “Sleepwet” Referendum
The Intelligence and Security Services Act 2017 (Wet op de inlichtingen- en veiligheidsdiensten 2017, or Wiv 2017) replaced the 2002 Intelligence and Security Services Act and represents a substantial expansion of Dutch surveillance powers. The law earned the popular nickname “Sleepwet” (dragnet law) because of its most controversial provision: the authorization of bulk interception of cable-bound communications, meaning the intelligence services can intercept internet traffic and telephone communications on a massive scale, from large groups of people, without any prior criminal suspicion.[2]
Beyond bulk interception, the Wiv 2017 introduced:
- Extended hacking powers, including the ability to compromise third-party devices to reach targets
- Broadened DNA collection authorities
- Facilitated sharing of raw intelligence data with foreign intelligence services
- Expanded metadata analysis capabilities
The law provoked significant public opposition. Five Dutch students launched a campaign that gathered enough signatures to trigger an advisory referendum under the then-existing Dutch Advisory Referendum Act. On March 21, 2018, 49.44% of voters voted against the law and 46.53% in favour, with the remainder blank or invalid; turnout was 51.5%, well above the 30% threshold required for the result to be valid.[2]
Despite the referendum result, the government declared in advance that it planned to proceed with the law regardless. The Wiv 2017 entered into force on May 1, 2018. The government did acknowledge the referendum outcome to the extent that it passed 2021 amendments requiring that surveillance operations be “as targeted as possible” and bolstering the capacity of the oversight committee (TIB) to appoint additional members. Critics argued these changes were cosmetic and failed to address the fundamental concern: that the Dutch state had empowered itself to conduct mass surveillance of its own citizens’ internet traffic.[16]
Temporary Cyber Operations Act (Tijdelijke wet, July 1, 2024)
In July 2024, the Temporary Cyber Operations Act (Tijdelijke wet onderzoeken AIVD en MIVD naar landen met een offensief cyberprogramma) entered into force, further expanding the powers of Dutch intelligence services. The law was adopted by the Senate on March 12, 2024, and grants the AIVD and MIVD enhanced capabilities to collect data en masse on internet cables specifically for investigating countries that conduct offensive cyber operations against the Netherlands.[17]
Most controversially, the Temporary Cyber Operations Act weakened the oversight framework. For certain surveillance authorities, the law shifted from the established model of binding prior authorization by the TIB (Toetsingscommissie Inzet Bevoegdheden) to a model of binding supervision during and after the deployment of powers by the CTIVD. Experts from Radboud University and the University of Groningen expressed strong reservations about this change, arguing it fundamentally undermined the prior-authorization safeguard that was the Wiv 2017’s most important privacy protection.[18] Bert Hubert, a former TIB member and respected technologist, publicly voiced his concerns that the shift represented a meaningful erosion of civil liberties oversight.[19]
Intelligence Agencies
AIVD (Algemene Inlichtingen- en Veiligheidsdienst): The General Intelligence and Security Service is the Netherlands’ primary civilian intelligence agency, responsible for both domestic and foreign intelligence as well as signals intelligence (SIGINT). It is headquartered in Zoetermeer and led by Director-General Erik Akerboom as of 2025. The AIVD’s mandate encompasses national security threats, counterterrorism, counter-proliferation, and cybersecurity.[20]
MIVD (Militaire Inlichtingen- en Veiligheidsdienst): The Military Intelligence and Security Service operates under the Ministry of Defence and is responsible for military intelligence, counterintelligence within the armed forces, and signals intelligence. It is led by Director Peter Reesink as of 2025. The MIVD shares its SIGINT capabilities with the AIVD through the JSCU.
JSCU (Joint Sigint Cyber Unit): Founded in 2013 and fully operational since June 15, 2014, the Joint Sigint Cyber Unit is a shared organization of the AIVD and MIVD with approximately 350 employees headquartered at the AIVD building in Zoetermeer. The JSCU is the Netherlands’ primary SIGINT capability, responsible for intercepting radio and satellite traffic and conducting cyber-intelligence operations. It represents the technical backbone of Dutch contributions to the Nine Eyes intelligence-sharing framework.[1]
Oversight Bodies
CTIVD (Commissie van Toezicht op de Inlichtingen- en Veiligheidsdiensten): The Review Committee on the Intelligence and Security Services provides ex post (after-the-fact) oversight of the AIVD and MIVD. The CTIVD has access to all documents, systems, and premises of both services; it can, in its own words, “walk in, pull open drawers, and log into networks.” Under the Wiv 2017 its oversight findings are reported to the responsible minister and to parliament, while its complaints department issues binding rulings; the 2024 Temporary Cyber Operations Act added binding CTIVD supervision during and after deployment for certain powers.[21]
Recent CTIVD investigations have revealed significant issues. In 2024–2025, the committee confirmed that the AIVD and MIVD had recruited journalists as paid agents, raising serious concerns about press freedom. The CTIVD also reprimanded the AIVD for improperly conducting organized crime investigations that fell outside its statutory intelligence mandate.[22]
TIB (Toetsingscommissie Inzet Bevoegdheden): The Investigatory Powers Committee provides ex ante (prior) oversight by issuing binding judgments on ministerial authorizations for the use of special intelligence powers. If the TIB rules that a proposed operation is unlawful, the intelligence services may not proceed. This binding prior-authorization mechanism was the principal privacy safeguard introduced by the Wiv 2017, and the one partially weakened by the Temporary Cyber Operations Act described above.
Nine Eyes Alliance and the 2025 Intelligence-Sharing Shift
The Netherlands is a core member of the Nine Eyes intelligence alliance, which adds Denmark, France, the Netherlands, and Norway to the inner Five Eyes partnership of the United States, United Kingdom, Canada, Australia, and New Zealand. The JSCU is the primary vehicle for Dutch participation in this framework, and the Netherlands has historically maintained close SIGINT cooperation with the NSA and GCHQ.
In October 2025, however, the Dutch intelligence community publicly acknowledged a historic shift. In a joint interview with de Volkskrant, AIVD Director-General Erik Akerboom and MIVD Director Peter Reesink confirmed that the Dutch services are now sharing less intelligence with the United States and redirecting cooperation toward European partners, particularly the United Kingdom, Germany, France, Poland, and the Nordic countries.[4]
Reesink stated plainly: “That we sometimes no longer tell certain things, that’s true.” Akerboom added: “Sometimes you have to think case by case: can I still share this information or not?”[23]
The reasons are geopolitical. Dutch intelligence leaders expressed concern that classified information shared with U.S. agencies could be “politicized” under the Trump administration, potentially used to benefit Russia or in ways that violate human rights norms. Reesink described the April 2025 firing of NSA Director Timothy Haugh as a source of “great sadness.” The shift is already operational: a leading group of northern European intelligence services, including the Netherlands, Britain, Germany, the Scandinavian services, France, and Poland, are now exchanging more information, including raw data, driven in part by Russia’s war in Ukraine.[24]
Earlier, in April 2025, Dutch privacy advocates had raised concerns that Dutch services were continuing to share some data with U.S. counterparts despite the stated reservations, highlighting the gap between public assurances and operational reality.[25]
This development represents a significant shift within the Nine Eyes framework and reflects a broader European reassessment of transatlantic intelligence relationships. For Dutch citizens, the practical question is whether reduced U.S. sharing will translate into stronger privacy protections or whether the shift will simply redirect bulk intelligence flows toward European partners operating under their own expansive surveillance mandates.
Cryptography and Encryption Policy
The Netherlands has maintained a consistently pro-encryption stance, positioning itself alongside Germany as one of the European Union’s strongest defenders of strong cryptography and opponents of government-mandated backdoors.
Government Statement on Encryption (January 2016)
In January 2016, the Dutch government issued a formal statement clarifying that it would not take restrictive legal measures concerning the development, availability, and use of encryption within the Netherlands. The statement explicitly affirmed:[28]
“The government believes that it is currently not desirable to take legal measures against the development, availability and use of encryption within the Netherlands.”
The 2016 statement was issued amid a global resurgence of the “crypto wars,” with governments in the United States, United Kingdom, and Australia calling for mechanisms to ensure lawful access to encrypted communications. The Dutch government’s rejection of encryption restrictions was significant, particularly given the Netherlands’ role as a Nine Eyes intelligence partner and its participation in the Maximator SIGINT alliance.
Circumventing Encryption Under Intelligence Law
While the Dutch government has rejected general restrictions on encryption, the intelligence services have targeted powers that work around encryption rather than mandate its weakening:[28]
- Targeted hacking: The Wiv 2017’s hacking powers described earlier include deploying malware to exfiltrate data or bypass encryption at the endpoint
- Targeted interception: Lawful interception powers can be exercised against specific targets, including interception before or after encryption is applied
Crucially, these powers are targeted rather than systemic. Dutch law does not require telecommunications providers or technology companies to engineer backdoors into their encryption systems or to maintain the capability to decrypt user data on demand.
Rejection of EU Chat Control (2024)
In October 2024, the Netherlands announced that it would abstain from supporting the August 2024 version of the European Commission’s proposed Child Sexual Abuse Regulation (commonly known as Chat Control) at the European Council. The Dutch Ministry of Justice and Security cited concerns that the regulation’s client-side scanning provisions would pose unacceptable threats to end-to-end encryption.[29]
The Dutch abstention was part of a broader blocking minority that included Germany, Poland, Austria, and other member states. That coalition contributed to mandatory client-side scanning being dropped from the Council’s compromise text in October 2025, a significant victory for encryption advocates.
Quantum-Safe Cryptography Initiative
The AIVD, in collaboration with research organization TNO and the Centrum Wiskunde & Informatica (CWI), published the Post-Quantum Cryptography Migration Handbook (first edition 2023, updated in 2024) to help Dutch organizations transition to quantum-resistant cryptographic algorithms. The initiative reflects the Netherlands’ strategic commitment to maintaining strong encryption in anticipation of quantum computing threats.[30]
The handbook provides practical guidance for migrating to NIST-standardized post-quantum algorithms, emphasizing that organizations should begin migration planning now to avoid “harvest now, decrypt later” attacks in which adversaries collect encrypted data today for decryption once quantum computers become available.
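The “harvest now, decrypt later” argument can be turned into a concrete triage step: inventory which connections still rely on quantum-vulnerable key exchange and compare each data set’s confidentiality lifetime against the time it will take to migrate. The example below is added here and is not code from the handbook, the AIVD, TNO or CWI; it classifies key-exchange names as they appear in TLS 1.3 handshakes and applies Mosca’s inequality (shelf life + migration time versus years until a cryptographically relevant quantum computer). The inventory, the three-year migration estimate and the ten-year horizon are assumptions for illustration, not predictions.

```python
from dataclasses import dataclass

# Key-exchange mechanisms as named in TLS handshakes, grouped by whether a large
# quantum computer running Shor's algorithm recovers the shared secret. The hybrid
# groups pair a classical curve with ML-KEM (FIPS 203), so they stay safe as long
# as either component holds.
QUANTUM_VULNERABLE_KEX = {"RSA", "DHE", "ECDHE", "X25519", "P-256", "P-384"}
PQ_SAFE_KEX = {"X25519MLKEM768", "SecP256r1MLKEM768", "ML-KEM-768", "ML-KEM-1024"}


@dataclass(frozen=True)
class Endpoint:
    name: str
    key_exchange: str
    shelf_life_years: int  # how long the data carried must remain confidential


def kex_status(kex: str) -> str:
    """Classify a key-exchange name; unrecognised names are reported as unknown."""
    if kex in PQ_SAFE_KEX:
        return "pq-safe"
    if kex in QUANTUM_VULNERABLE_KEX:
        return "quantum-vulnerable"
    return "unknown"


def harvest_now_overrun(ep: Endpoint, migration_years: int, years_to_crqc: int) -> int:
    """Mosca's inequality expressed as a margin: shelf life + migration - years to CRQC.

    A positive result means traffic recorded today is still worth decrypting once a
    cryptographically relevant quantum computer (CRQC) exists. Unknown mechanisms
    are treated like vulnerable ones (conservative); PQ-safe endpoints return 0.
    """
    if kex_status(ep.key_exchange) == "pq-safe":
        return 0
    return ep.shelf_life_years + migration_years - years_to_crqc


def prioritize(endpoints, migration_years: int, years_to_crqc: int) -> list[str]:
    """Names of endpoints at harvest-now-decrypt-later risk, largest overrun first."""
    scored = [(harvest_now_overrun(ep, migration_years, years_to_crqc), ep.name) for ep in endpoints]
    return [name for overrun, name in sorted(scored, key=lambda t: -t[0]) if overrun > 0]


# Constructed inventory (assumed names and lifetimes, not real systems).
INVENTORY = [
    Endpoint("public-website", "X25519", 1),
    Endpoint("vpn-gateway", "ECDHE", 10),
    Endpoint("archive-transfer", "RSA", 25),
    Endpoint("mail-relay", "X25519MLKEM768", 10),
    Endpoint("legacy-api", "custom-kex", 8),
]

# Planning parameters (assumptions): three years to migrate, CRQC horizon of ten years.
MIGRATION_YEARS = 3
YEARS_TO_CRQC = 10

if __name__ == "__main__":
    for name in prioritize(INVENTORY, MIGRATION_YEARS, YEARS_TO_CRQC):
        print("migrate first:", name)
```

With these parameters the public website is not at risk despite using X25519, because its content is stale within a year; the long-lived archive transfer over RSA is, and the hybrid mail relay is already covered. The horizon is a planning input, so the exercise is worth repeating as estimates change.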
International Context
The Netherlands’ consistent pro-encryption stance places it in direct opposition to several of its intelligence-sharing partners. The United Kingdom’s use of a Technical Capability Notice against Apple’s Advanced Data Protection, Australia’s technical capability notices under the TOLA Act, and ongoing U.S. debates over lawful access highlight a fundamental divergence among Western democracies on encryption policy.
Within Europe, the Netherlands has aligned with Germany, Poland, and Austria in opposing encryption-weakening measures, positioning the Dutch government as a defender of strong cryptography despite its intelligence agencies’ expansive surveillance powers under the Wiv 2017. This creates a paradox: the Netherlands protects encryption architecturally while simultaneously deploying targeted hacking to bypass encryption at the endpoint.
Commercial Surveillance Procurement
NSO Group Pegasus
The Netherlands has been confirmed as a customer of NSO Group’s Pegasus spyware, though the full extent of its use remains classified. Pegasus is a sophisticated mobile device exploitation tool capable of remotely accessing encrypted communications, activating cameras and microphones, and extracting all data from targeted smartphones.[37]
The procurement of Pegasus by Dutch authorities raises fundamental questions about oversight and proportionality. When AIVD or MIVD conduct surveillance under the Wiv 2017, those activities require ministerial authorization and are subject to review by the CTIVD. But Pegasus operates as a total compromise tool: once deployed, it provides unrestricted access to all communications, photographs, location data, passwords, and encrypted messaging, with no technical mechanism to limit collection to what is necessary and proportionate for a specific investigation.
The use of Pegasus alongside the Wiv 2017’s bulk interception capabilities described earlier demonstrates the layered nature of modern surveillance: bulk cable-bound collection at scale, combined with targeted endpoint exploitation when bulk collection is insufficient or when targets use end-to-end encrypted communications that resist cable tapping.
The Oversight Gap
The Netherlands’ procurement of commercial spyware creates a regulatory asymmetry similar to what exists in other countries. When AIVD or MIVD deploy capabilities developed domestically, those systems are designed with CTIVD oversight in mind and technical safeguards can be built into the collection architecture. When agencies purchase Pegasus from NSO Group, they acquire a system designed for global sale to dozens of governments (including authoritarian regimes) with minimal built-in oversight mechanisms.
The result is that Dutch intelligence agencies can access capabilities through commercial procurement that would be difficult or impossible to build domestically while complying with the Wiv 2017’s necessity and proportionality requirements. This market-based expansion of surveillance powers operates largely outside public and parliamentary visibility, as procurement contracts are classified and the use of commercial tools is rarely disclosed in CTIVD public reports.
Data Retention
The Netherlands’ experience with data retention law illustrates the ongoing tension between law enforcement demands and fundamental rights protections across the EU.
The Dutch Telecommunications Data Retention Act (Wet bewaarplicht telecommunicatiegegevens), enacted in 2009 to implement the EU Data Retention Directive, required telecommunications providers to retain call metadata for 12 months and internet metadata for 6 months. On March 11, 2015, the District Court of The Hague declared the law inoperative, following the Court of Justice of the European Union’s April 2014 annulment of the underlying EU Data Retention Directive in Digital Rights Ireland.[26]
The Dutch court identified multiple deficiencies: there was no requirement for data to be stored within the EU, no prior judicial authorization was needed to access retained data, and the law permitted access even for minor offenses, well below the “serious crime” threshold that the CJEU had identified as the minimum justification for blanket retention.[27]
As of early 2026, the Netherlands has not enacted comprehensive replacement data retention legislation. Proposed revisions that would require prior judicial authorization and limit access to offenses carrying penalties of four or more years of imprisonment have been drafted but not adopted. The Netherlands thus finds itself in the same legal vacuum as several other EU member states, without a general data retention regime but with intelligence services that can access communications data through the Wiv 2017’s bulk interception powers described earlier, effectively bypassing the restrictions that would apply to law enforcement.
International Data Sharing Agreements
Despite the Netherlands’ robust privacy framework (including GDPR enforcement by the AP, binding prior review by the TIB under the Wiv 2017, and oversight by the CTIVD), the Netherlands participates in extensive international data sharing frameworks that give foreign agencies pathways to data on Dutch persons through processes that often operate outside these domestic safeguards.
Mutual Legal Assistance Treaty with the United States
The Netherlands was one of the first three countries (along with Switzerland and Turkey) to sign a modern MLAT with the United States that included provisions granting defense counsel access to evidence. The bilateral MLAT allows Dutch law enforcement to request data on US persons, and US law enforcement to request data on Dutch persons, through diplomatic channels with average processing times of 10 months.[38]
The Ministry of Justice and Security serves as the Netherlands’ central authority for processing MLAT requests. Unlike intelligence collection, which requires ministerial authorization reviewed by the TIB under the Wiv 2017, incoming MLAT requests are executed under Dutch criminal procedure, with its own evidentiary standards and oversight mechanisms.
Nine Eyes Intelligence Sharing
As noted above, the Netherlands is a member of the Nine Eyes intelligence alliance. The AIVD and MIVD share signals intelligence with Five Eyes partners, though with less privileged access than core Five Eyes members.[39]
The Nine Eyes framework creates a reciprocal surveillance mechanism: Dutch intelligence services can collect data on US, UK, or other partner nations’ persons and share it with those countries’ agencies, while NSA, GCHQ, and other Five Eyes agencies can collect on Dutch persons and share with Dutch intelligence. According to Privacy International, data collected via intelligence sharing programs can be passed on to law enforcement, potentially bypassing the Wiv 2017’s prior-review requirements.
EU Law Enforcement Data Sharing Frameworks
Schengen Information System (SIS II): The Netherlands participates in the EU’s largest law enforcement database, processing hundreds of thousands of queries daily. Dutch police can query SIS II in real time and contribute alerts visible to law enforcement across all Schengen countries.
European Investigation Order (EIO): The Netherlands participates in the EIO framework, allowing Dutch judges and magistrates to make binding requests to other EU member states for evidence, witness hearings, telephone interceptions, banking information, and other investigative measures based on mutual recognition.
Prüm Convention: The Netherlands was an original signatory of the Prüm Convention (2005) and participates in automated DNA, fingerprint, and vehicle registration data comparison across EU member states. The Prüm II Regulation (2024) expands this to include facial images and police records.
EU-US Data Sharing Frameworks
EU-US Umbrella Agreement: Entered into force February 1, 2017, this agreement governs personal data exchanged between EU and US law enforcement for criminal investigations. It grants Dutch citizens equal treatment with US citizens for judicial redress rights before US courts.
SWIFT/TFTP Agreement: Under the Terrorist Finance Tracking Program, the US Treasury can subpoena SWIFT for financial transaction data, with Europol verification. This affects Dutch persons’ international wire transfers and financial messaging data.
PNR Agreements: The Netherlands participates in the EU-US PNR agreement, enabling transfer of passenger data from Dutch air carriers to US Customs and Border Protection. Every passenger on Netherlands-US flights has comprehensive personal data (name, itinerary, payment, contacts) shared with US authorities.
Joint Operations and Case Studies
In 2023, a joint FBI-Europol-Dutch National Police investigation dismantled a major ransomware group, relying on an MLAT request from the United States to the Netherlands. The operation demonstrated both the operational benefits of international cooperation and the role MLATs play in giving US law enforcement a channel to data held in the Netherlands, executed by Dutch authorities under Dutch procedure.[40]
Dutch law has no express provision allowing organizations to invoke foreign government access requests as a legitimate basis for data collection or transfer, except for secret services and governmental agencies with specific rights to share with foreign agencies. This creates a legal tension: While Dutch companies cannot generally rely on foreign law enforcement demands as a legal basis under GDPR, the Netherlands participates in frameworks (MLATs, EU-US Umbrella Agreement, Nine Eyes) that facilitate such access.
Multilateral Frameworks
Interpol I-24/7: The Netherlands participates in Interpol’s secure global communications network, processing over 100,000 messages daily across 195 member countries for Red/Blue notices, biometric data, and criminal intelligence.
Egmont Group: The Dutch Financial Intelligence Unit (FIU-Nederland) participates in the Egmont Group network of 164+ Financial Intelligence Units, sharing financial intelligence on money laundering and terrorist financing under bilateral and multilateral agreements.
Europol: The Netherlands hosts Europol headquarters in The Hague and is a major contributor to Europol data sharing. Europol has cooperation agreements with the US FBI, with intelligence sharing increased 30% in recent years, creating a pathway for Dutch person data to flow to US authorities.
The Privacy Backdoor Effect
Despite the Wiv 2017’s requirements for ministerial authorization with binding prior review by the TIB for bulk interception, CTIVD oversight, and AP enforcement of GDPR, international data sharing agreements create alternative pathways for accessing data on Dutch persons:
- Nine Eyes Laundering: NSA/GCHQ can collect on Dutch persons and share with AIVD/MIVD, potentially bypassing TIB prior review; Dutch intelligence can collect on US/UK persons and share with partner agencies
- EU Framework Sharing: Dutch person data entered into SIS II, Prüm, or EIO channels becomes accessible to 27 EU member states, and through Europol cooperation (headquartered in The Hague), to US FBI
- MLAT Bypass: US authorities can request data via MLAT, processed by the Ministry of Justice, potentially under lower evidentiary standards than Dutch judicial warrants
- SWIFT/PNR Dragnet: All international financial transactions and air travel are subject to US access via the TFTP and PNR agreements
For Dutch persons, this means data nominally protected by GDPR, the Wiv 2017’s judicial authorization requirements, and CTIVD oversight can be accessed through Nine Eyes intelligence sharing (default exchange with no notification), MLAT channels (diplomatic processing), EU law enforcement frameworks (SIS II, EIO, Prüm, Europol), SWIFT/TFTP financial surveillance, or PNR passenger data agreements. The Wiv 2017’s rigorous oversight framework applies to Dutch intelligence collection but does not extend to data obtained through international sharing agreements or data shared by Dutch authorities with foreign partners.
Recent Developments
Clearview AI Fine (September 2024): The AP imposed its largest-ever fine of EUR 30.5 million on Clearview AI for the illegal biometric data processing detailed in the enforcement table above, along with penalty payments of up to EUR 5.1 million for continued non-compliance.[7]
Temporary Cyber Operations Act (July 2024): The Tijdelijke wet described earlier entered into force, expanding AIVD/MIVD capabilities for investigating state-sponsored cyber threats while weakening the prior-authorization oversight framework.[17]
AIVD Journalist Recruitment (2024–2025): As noted in the oversight section above, the CTIVD confirmed that Dutch intelligence services had recruited journalists as paid agents.[22]
Intelligence-Sharing Pivot (October 2025): The reduced U.S. intelligence sharing described in the Nine Eyes section above represents a geopolitically significant development with direct implications for transatlantic data flows and the operational integrity of the alliance.[4]
EU AI Act Designation (2024): The AP’s designation as the Dutch supervisory authority for the EU AI Act, noted earlier, significantly expanded its regulatory mandate at a time when the authority says it lacks the resources to fully deliver on existing responsibilities.[6]
Freedom on the Net (2024): Freedom House’s 2024 assessment rated the Netherlands’ internet freedom as “free” but noted ongoing concerns about the bulk surveillance powers under the Wiv 2017 and the weakened oversight introduced by the Temporary Cyber Operations Act.[16]
2025–2026 Developments
Odido Data Breach (February 2026): On February 7–8, 2026, Dutch telecommunications provider Odido suffered what may be the largest data breach in Netherlands history, exposing the personal data of approximately 6.2 million customers—roughly one-third of the Dutch population. The compromised data included names, phone numbers, addresses, dates of birth, IBANs, and government-issued identification numbers. In the aftermath, reporting revealed that Odido had been retaining customer data “much longer than claimed,” raising additional GDPR compliance concerns. Significant numbers of customers have since switched providers.[41][42]
NIS2 Implementation – Cyberbeveiligingswet: The Dutch bill transposing the EU NIS2 Directive (the Cyberbeveiligingswet, or Cybersecurity Act) was submitted to Parliament in June 2025, with plenary debate scheduled for March 23, 2026. The Netherlands missed the EU-wide October 17, 2024 transposition deadline, prompting the European Commission to issue a reasoned opinion on May 7, 2025. Once enacted, the law will bring more than 8,000 organizations into scope of cybersecurity obligations, including critical infrastructure operators, essential service providers, and important entities across a wide range of sectors.[43]
Digital Services Act Implementation (February 4, 2025): The Dutch DSA Implementation Act entered into force, designating the Authority for Consumers and Markets (ACM) as the Digital Services Coordinator and the Autoriteit Persoonsgegevens (AP) as co-supervisor for data protection aspects. Platforms in violation face fines of up to 6% of worldwide turnover. By early 2026, the ACM had received approximately 300 reports under the new framework.[44][45]
Experian EUR 2.7 Million Fine (October 17, 2025): The AP fined credit bureau Experian EUR 2.7 million for illegal data processing related to credit scoring practices in the Netherlands. Experian had already ceased Dutch operations as of January 1, 2025, and announced plans to delete its entire Dutch database. The case underscores the AP’s willingness to pursue enforcement even against entities withdrawing from the market.[46]
Expanded Espionage Law (May 15, 2025): New legislation entered into force that significantly broadens the criminal definition of espionage in the Netherlands. The law now covers digital espionage and diaspora espionage (the targeting of diaspora communities on behalf of foreign states), with penalties of up to 8 years’ imprisonment, increasing to 12 years if the offense results in a death.[47]
AP 2026–2028 Strategic Focus: The Autoriteit Persoonsgegevens announced its strategic priorities for the 2026–2028 period, focusing on three core themes: mass surveillance, AI, and digital resilience. Notably, the AP also entered into a toezichtarrangement (supervisory arrangement) with the Belastingdienst (Tax and Customs Administration) to provide ongoing oversight of data processing reforms in the wake of the toeslagenaffaire, reflecting how the childcare benefits scandal continues to shape Dutch data governance.[48]
Dutch Digital Sovereignty Push (March 2025): The Dutch Parliament voted on a series of motions calling on the government to move away from U.S. cloud services, establish a national cloud infrastructure, and repatriate the .nl domain to Dutch-controlled servers. On December 12, 2025, the Netherlands joined the Digital Commons EDIC (European Digital Infrastructure Consortium) alongside eight other EU member states, an initiative to develop open-source European digital infrastructure as an alternative to U.S. Big Tech dependencies.[49][50]
Chat Control – Strengthened Opposition: Minister of Justice and Security David van Oosten confirmed that the Netherlands opposes mandatory scanning of encrypted communications under the EU’s proposed Child Sexual Abuse Regulation (Chat Control). The Netherlands is among only six EU member states to explicitly oppose the measure. Dutch opposition was instrumental in forcing the November 2025 compromise text that removed mandatory client-side scanning requirements for end-to-end encrypted services.[51]
AP Generative AI Vision Paper (February 4, 2025): The AP published its vision document Moving Forward Responsibly, outlining its regulatory approach to generative AI. The paper identifies three scenarios the AP seeks to avoid: a “Wild West” of unregulated AI deployment, regulatory “paralysis” that stifles beneficial innovation, and a “bunker” mentality where organizations abandon AI development entirely out of legal uncertainty. The AP also launched an AI helpdesk to assist developers in navigating GDPR compliance for AI systems.[52]
EU Data Act Application (September 12, 2025): The EU Data Act became applicable across all member states, with the ACM designated as the primary Dutch enforcer. The ACM published draft guidance on the new data-sharing obligations, which affect connected device manufacturers, cloud service providers, and data holders across the Dutch economy.
Dual AI Act Supervisory Model: The Netherlands adopted a dual-coordinator model for supervising the EU AI Act, with the AP and the Rijksinspectie Digitale Infrastructuur (RDI) serving as co-coordinators. A regulatory sandbox for AI innovation is planned to be operational by August 2026, allowing companies to test AI systems under supervised conditions.
Telemarketing Opt-In Law (Effective July 1, 2026): The Netherlands will replace its existing Do Not Call Register (Bel-me-niet Register) system with a stricter opt-in regime for telemarketing, effective July 1, 2026. Under the new rules, companies may only contact consumers by telephone for marketing purposes if the consumer has given prior explicit consent, reversing the current opt-out model.
Wiv 2017 Reform Discussion: Independent evaluation committees reviewing the performance of the Wiv 2017 since its enactment concluded that the law is “too restrictive” in certain operational aspects, recommending reforms to give the AIVD and MIVD greater flexibility. The findings stand in tension with civil liberties advocates who argue the Sleepwet already grants overly broad surveillance powers.
AP Data Breach via Ivanti Vulnerability: In an ironic turn, the Autoriteit Persoonsgegevens itself suffered a data breach through a vulnerability in Ivanti networking software that was exploited before patches were available. Employee personal data was exposed in the incident, highlighting the cybersecurity challenges faced even by the regulators tasked with enforcing data protection standards.
Clinical Diagnostics Breach (July 2025): A data breach at a Dutch clinical diagnostics laboratory exposed the personal and medical data of more than 485,000 participants in the national cervical cancer screening program. The incident raised questions about the security of health data processed for population-level screening programs and the adequacy of cybersecurity requirements for entities handling sensitive medical data at scale.
