Rb. Rotterdam - ROT 20/1275

From GDPRhub
Revision as of 23:46, 9 June 2021 by Kave (talk | contribs) (→‎Comment)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Rb. Rotterdam - ROT 20/1275
Courts logo1.png
Court: Rb. Rotterdam (Netherlands)
Jurisdiction: Netherlands
Relevant Law:
Bvgt
Decided: 27.06.2021
Published: 27.05.2021
Parties: Unknown telecommunication carrier
Agentschap Telecom
National Case Number/Name: ROT 20/1275
European Case Law Identifier: ECLI:NL:RBROT:2021:4427
Appeal from:
Appeal to: Unknown
Original Language(s): Dutch
Original Source: Court ruling (in Dutch)
Initial Contributor: Kave Noori

The District Court of Rotterdam set aside a €5000 administrative fine imposed by the Dutch Telecommunications Authority against a telecommunications provider that failed to make its customer database available, since the authority had not properly clarified the provider's legal liability.

English Summary

Facts

The Dutch Telecommunications Authority (Agentschap Telecom) fined an unidentified telecommunications provider for failing to make its customer database available to the authorities as required. The provider was fined €5000 and ordered to provide data on its customers to the authorities again. The provider was also threatened with further fines if it failed to comply in the future.

According to the Dutch Decree on the Provision of Telecommunications Data (Bvgt) and Article 13.4 of the Telecommunications Act, telecommunications providers must connect to an automated system called CIS, which is operated by the Central Information Point for Investigation of Telecommunications (CIOT). The CIS acts as an automated middleman between telecom and internet providers, who must submit certain information, and government agencies, which can request information from the databases. Every 24 hours, service providers must provide an updated database of their clients via the CIS.[1]

Since 2013, the telecom provider had sought to obtain satisfactory answers to its questions and guarantees about the handling of the requested data before submitting the information. The telecommunications provider stopped providing data to CIS in the summer of 2016. The CIOT complained to Dutch Telecommunications Authority in December 2017 that the provider was not cooperative in providing information.

Dispute

The telecommunications provider believed that it was the government's fault that it could not comply and that it should not be fined. The telecommunications provider considered itself to be under conflicting obligations and argued that it had not received satisfactory answers from the government to its questions to clarify the situation. The telecom provider considered that the Dutch law under which the request was made conflicted with several international treaties and the telecom provider's obligations under the GDPR.

The provider also raised concerns from a societal perspective. The provider argued that, since the adoption of the Intelligence and Security Services Act of 2017 (Wiv 2017), it has been possible to conduct mass surveillance that is not backed by the same safeguards that were intended when the CIS system was introduced.

The telecommunications provider argued that it could be held liable as a data processor if the government's data collection was overbroad. The telecom provider relied on several international legal instruments, including EU treaties, and claimed that the surveillance violated them in its view. In summary, it considered that the surveillance violated the right to privacy and freedom of expression/information/assembly, as well as having a chilling effect on journalists avoiding certain topics or their sources no longer wanting to talk.

As a result, the telecommunications provider sent a series of questions to the CIOT to which it wanted satisfactory answers before releasing the data. The provider received no clear answers. Also, given that audit reports from 2015 and 2016 showed that 10% of all government requests did not comply with legal requirements, and a December 2019 report that rated the risk of requested data being mishandled as "average," the provider believed it had reasonable doubt about the security of the data and its actions were justified.

Holding

No conflicting obligations

The court first considered the question of conflict with international treaties. The court relied on the principle of relativity in Article 8:69a of the Dutch Administrative Act (AwB). The principle of relativity states that a judge may not set aside a decision of an authority that is contrary to an uncodified or codified rule of law if that rule does not appear to be intended to protect the interests of the claimant. The court held that a telecommunications provider cannot invoke the rights of others (such as the privacy of citizens or the protection of journalists' sources) because it is not an NGO working for a particular cause.

Further, the court held that the telecom provider was not a data controller with respect to the personal data it was required to transmit to the CIS system. The purpose of the data collection in this case was determined by the Dutch legislator and the law does not define the telecom provider as a data controller. This means that the company is only responsible for the subscriber data it collects. However, the act of providing the legally required data to the authorities is not the responsibility of the provider. This means that the telecommunications provider is neither legally liable for providing the data to the authorities, nor responsible for what the authorities do with the data.

Based on the above, the court found that there were no conflicting obligations. This also meant that the telecommunications company could not have relied on Article 5:5 of the Dutch Administrative Act (Awb), which prohibits the authorities from imposing a fine when a breach of the law was justified.

Not at fault for breaking the law

Furthermore, the court considered whether the telecom company could rely on Article 5:41 of the Dutch Administrative Act (Awb). This article states that someone who breaks the law cannot be fined if it is not his fault that the law was broken.

In this regard, the court considered several factors. During the trial, the telecommunications provider claimed that an earlier version of the data processing agreement stated that the CIOT would not be liable for fines imposed on the provider for violations of privacy laws. Since the telecommunications authority did not dispute this statement, the court did not question it and took it into account.

Further, the court found that it would have been reasonable if the telecommunications provider had concluded, based on its correspondence with the CIOT and the old data processing agreement, that it would be liable for any violations of data protection laws.

In addition, the court held that the telecommunications authority did not clarify the liability issues that the telecommunications provider had repeatedly asked about, either before or during the fine proceedings. The court found that the Telecommunications Authority repeatedly failed to address where the telecommunications provider's legal responsibility ended and that the CIOT failed to provide satisfactory answers to this question during the trial.

The court ruled on the basis of Article 5:41 of the Dutch Administrative Act (Awb) that no fine should be imposed on the provider. The contested decision was annulled in part to set aside the fine. The Telecommunications Authority's order that the provider must resume sharing customer data to the CIS-system remained in place.

Comment

Since the telecommunications provider could not invoke the interests of third parties, such as privacy protection or source protection for journalists as valid reasons, it would be interesting to examine the legislative history and reasoning behind the principle of relativity. The principle of relativity in Article 8:69a of the Dutch Administrative Act (AwB) was introduced by an amendment. The following is based on the explanatory memorandum of the bill (kst-32450-3).[2]

Prior to the introduction of this provision, Dutch administrative law allowed a person to challenge an administrative decision that violated any provision, even if the provision did not serve to protect the interests of the complainant. The Memorandum of Understanding drafted by the then Minister of Justice gave two examples:

In the first example the residents of a residential area can oppose the construction of a caravan park in the immediate vicinity of that area, arguing that the caravan's occupants will be too exposed to the noise of a nearby swimming pool or railway line.

In the second example a businessman challenges the permit to build a supermarket because he fears a reduction in his turnover/profit, arguing that the construction of the supermarket will lead to a deterioration in local air quality.

Although the Memorandum of Understanding states that the Administrative Law Divisions of the courts only had to deal with the relativity problem in 1 out of 15 cases, it was still considered a problem by the Minister of Justice. The Minister of Justice believed that the cases in which the relativity problem played a role often involved decisions with large social or economic impacts. Also, because the decisions often attracted media attention, keeping the rule could affect the legitimacy of administrative law in the eyes of the public.

The Minister of Justice considered that while an authority must always obey the law, this did not mean that every citizen should have the right to ask a judge to set aside every decision of an authority, even decisions that had no effect on his legal position. According to the Minister of Justice, it would be more appropriate to deal with legally questionable decisions through supervisory authorities.

Further Resources

Share blogs or news articles here!

Footnotes

  1. https://www.rijksoverheid.nl/binaries/rijksoverheid/documenten/brochures/2010/07/01/factsheet-ciot/Informatieblad+CIOT.pdf
  2. https://zoek.officielebekendmakingen.nl/kst-32450-3.html

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.


                                
                            
        



    Body
    Court of Rotterdam
    Date of judgment
    27-05-2021

    Date of publication
    
27-05-2021

    Case number
    
ROT 20/1275

    
    Jurisdictions
    
 Administrative criminal law
 European administrative law
    
    Special characteristics
    
First instance - single
    
    Content indication
    
The fine imposed by the State Secretary for Economic Affairs and Climate on a telecom provider because it did not make its database with customer data available for investigative purposes has been reversed by the Rotterdam court. All telecom providers are obliged to make their customer data available for the purpose of fighting crime and protecting national security. This telecom provider refused because, in its view, the customer data might also be viewed in violation of the law by the police, the judiciary and the security services. She was also afraid of being held liable for unlawful consultation of her customer data. The court rules that privacy protection or source protection of journalists are not interests of the telecom provider itself. The treaty rights that it has invoked in that regard do not protect the telecom provider itself and cannot therefore lead to annulment of the fine. Furthermore, the court is of the opinion that the telecom provider cannot be held liable for unlawful consultation of its customer data. The telecom provider had several times asked the Central Information Point for Telecommunications Research (CIOT), which manages the information system for telephone data and internet data, and the State Secretary whether it could be held liable for unlawful consultation. The CIOT and the State Secretary did not provide any clarity about this prior to the court proceedings. Therefore, the court is of the opinion that the telecom provider cannot be blamed for not sharing its customer data. Because the telecom provider cannot be blamed, no fine can be imposed on it. However, the court is of the opinion that the State Secretary was right to impose an order subject to periodic penalty payments on the telecom provider in order to induce it to make its customer data available after all. Fulfilling this obligation is important for the fight against crime and the protection of national security. The telecom provider has now met that burden and the State Secretary has not proceeded to collect penalty payments.

    Locations
    
Rechtspraak.nl
    
        
        
            Enhanced pronunciation
        





    
        Share pronunciation
        
    
    
        print
        Save as PDF
        Copy link

    


        
            Statement
        
        
  
    Court of Rotterdam
    
    
      Administrative law
     
    
    
      case number: ROT 20/1275
     
    
    judgment of the single chamber of 27 May 2021 in the case between
    
    
      [Name of company], at [place], plaintiff,
    authorized representative: mr. H.W.J. melting head,
    
    
      and
     
    
    
      
        the State Secretary for Economic Affairs and Climate (Telecom Agency), defendant,
      authorized representatives: mr. J. Sijbrandij and mr. S.P. Janssen.
     
    
    
  
  
    Process sequence
    
    
      By decision of 8 May 2019 (the primary decision), the respondent imposed an administrative fine of €5,000 on the claimant and ordered her to take the technical measures as referred to in Article 3, first paragraph, of this decision within two months of the date of this decision. the Telecommunications Data Provision Decree (Bvgt) in order to comply with the specifications as referred to in the Annex to Article 3, paragraph 1, of the Bvgt, subject to a penalty of € 5,000 per detected violation, per month, with a maximum of €100,000.
     
    
    
      By decision of 20 December 2019 (the contested decision), the defendant upheld the claimant's objection in so far as it concerns the beneficiary period, determined that the beneficiary period of two months only starts after the date of this decision, and the objections before the others declared unfounded.
     
    
    
      Plaintiff has appealed against the contested decision to the Northern Netherlands District Court.
     
    
    
      Pursuant to Article 6:15 of the General Administrative Law Act (Awb), the registrar of the District Court of the Northern Netherlands has forwarded the notice of appeal to the Rotterdam District Court (the District Court) in a letter dated 6 March 2020, because the District Court has jurisdiction to hear the dispute.
     
    
    
      Defendant filed a statement of defense and an additional statement of defense.
     
    
    
      The court asked the defendant questions in two letters dated 14 April 2021. Defendant responded to this by e-mail dated April 21, 2021.
     
    
    
      The hearing at the hearing took place on April 22, 2021. Plaintiff was represented by her authorized representative. Furthermore, on behalf of the plaintiff,
      
        [Name], [Name], [Name], [Name] and [Name]. Defendant was represented by his attorneys.
     
    
    
  
  
    Considerations
    
    
      
        Legal framework, history and decision-making of the defendant
      
    
    1. The relevant legal framework is included in the appendix to this judgment.
    
    2. Plaintiff is a telecom provider to whom Article 13.4 of the Telecommunications Act (Tw) applies. Briefly, on the basis of this article, it is under an obligation to comply without delay with claims made on the basis of the provisions of the Code of Criminal Procedure and the Intelligence and Security Services Act 2017 (Wiv 2017) with regard to certain data about a user of to provide a public telecommunications network or a public telecommunications service (and the telecommunications traffic relating to that user). It follows from Article 2 of the Bvgt, based on Article 13:4(4) of the Tw, that the Minister of Justice and Security is charged with the automated transmission of requests for and provision of this information and that he carries out this task by through the Central Information Point for Telecommunications Research (CIOT). In view of Article 3, paragraph 1, of the Bvgt, the CIOT, the competent authority (as referred to in Article 1, subsection, of the Bvgt) and the telecom provider must each take the technical measures necessary to implement the forwarding requests for and disclosures of this information by automated means. This will be the Central
    Called Information System (CIS).
    
    3. In a letter dated 11 December 2017, the CIOT complained to the Telecom Agency (the Agency) that the plaintiff has not yet complied with the obligations under the Tw in connection with the Bvgt, despite the (repeated) reminders from the CIOT for this. The CIOT therefore requests the defendant to proceed with enforcement against the plaintiff. This letter contains a large amount of correspondence between the CIOT and the claimant from October 2013. It emerges from this that the claimant does not wish to cooperate until the CIOT has answered her questions and has given guarantees, because she is concerned that unlawful inquiries have been made. are carried out by the police forces.
    
    4. A supervisor of the Agency subsequently opened an investigation into a violation of Article 3, first paragraph, of the Bvgt by the Plaintiff. It emerges from this that Plaintiff first wants to see two questions answered before she wants to connect to the information system. These questions concern the chain liability for the data to be supplied to the CIOT and the guarantees for the legality of the queries. On the basis of the information provided by the CIOT and after a spokesperson for the claimant was heard, the supervisor has established that from the start (June
    
      2016) of the connection route, the route was discontinued after the exchange of the
      confidentiality statement and the information package B in August 2016 and that to date Plaintiff has not provided any information to the information system of CIOT, so that it is in violation of Article 13.4, paragraph 4 of the Tw in conjunction with Article 3, paragraph 1 of the Bvgt.
     
    
    5. After an intention to impose a fine and an order, followed by a view of the plaintiff, the defendant imposed a fine and an order on the plaintiff. Both sanctions were maintained in the contested decision, on the understanding that a new beneficiary period has been set because pending the objection procedure, an employee of the CIOT has informed the plaintiff that the previously sent processing agreement does not need to be signed because a new processing agreement is being sent and Plaintiff was allowed to wait for this, while that transmission first took place on September 25, 2019. In this regard, the defendant considered that the burden is separate from the notification about the processing agreement, because it is only aimed at ensuring that the plaintiff takes the necessary technical measures, but that the defendant is nevertheless of the opinion that communication about this could have been better and that he therefore sees reason to set a new beneficiary period. In the contested decision, the defendant considered, among other things, the following with regard to (the culpability of) the violation:
    
    
      “As I have already considered in my primary decision, your (continuing) questions and doubts about the lawfulness of the CIOT inquiries cannot be grounds for invoking the absence of all blame for the violation. There is a legal obligation to connect which applies to all providers of public telecommunications services. (…) By violating Article 3(1) of the Bvgt, [plaintiff] has already acted culpably. In this regard, I refer you to the judgment of the District Court in Rotterdam of 12 January 2010 (ECLI:NL:RBROT:2010:BK8888) (…)
     
    
    
      The absence of culpability has not been demonstrated by [plaintiff], with her reservations regarding the consultation of the CIS. Moreover, these concerns are not objectified and are not current. The picture you paint that police officers browse through customer files behind terminals without any form of control, you have not made plausible and is also not relevant in this case.
     
    
    
      After all, the inquiries by the needs assessors are based on the articles referred to in Article 13.4 of the Tw. These inquiries are based on statutory powers and the legitimate use of those powers is guaranteed in numerous special laws and regulations. In any criminal proceedings, the lawfulness of an interrogation can be assessed by the court. (…)
     
    
    
      The foregoing means that the legality of queries is not in this
      objection can be raised because this decision is not based on the
      articles in the Code of Criminal Procedure or the Intelligence and Security Act
      security services 2017, referred to in Article 13.4 Tw.”
     
    
    
      
        Professional grounds
      
    
    6. Plaintiff argues that she cannot be blamed for the violation. It points out that there are conflicting obligations. Plaintiff points out in this regard that it follows from previous audit reports that 10% of the requests do not meet the conditions set for this, that audit reports from 2015 and 2016 show that the system can still be improved and that in the most recent December 2019 report, the risk of wrongful acts is still assessed as 'average'. Plaintiff therefore has well-founded doubts with regard to the guarantees and security of the data that it must provide to the CIOT as a processor within the meaning of Regulation (EU) 2016/679 (General Data Protection Regulation; hereinafter: AVG). In the eyes of the claimant, CIOT has still not been able to answer these questions satisfactorily. According to the claimant, she made sufficient efforts to have her questions answered by the CIOT. Plaintiff also notes in this regard that the CIS is intended to be able to interrogate the system in individual cases, which in principle takes place with the correct permission of the Public Prosecution Service. However, since the entry into force of the ISS Act 2017, it is also possible to process bulk requests (mass surveillance) that are not covered by the same guarantees as intended when the CIS was set up. According to the claimant, the ISS Act 2017 conflicts with the right to respect for private life and correspondence as laid down in Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR), Articles 7 and 8 of the Charter of Fundamental Rights of the European Union (Charter) and Article 17 of the International Covenant on Civil and Political Rights (ICCPR). Plaintiff also invokes the freedom of expression, the freedom of communication and, as part of this, the right to source protection, as laid down in Article 10 of the ECHR, Article 11 of the Charter and Article 19 of the ICCPR. The fact that data from journalists can be requested entails the risk that they will avoid certain topics or that sources no longer dare to turn to journalists. There is therefore a danger of a 'chilling effect'. In this regard, Plaintiff also invokes the right to an 'effective remedy' and the right to a fair trial, as laid down in Articles 6 and 13 of the ECHR, Article 47 of the Charter and Article 14 of the ICCPR. Plaintiff points out that restrictions of these fundamental rights provided for in the ISS Act 2017, in view of Article 52 of the Charter, must respect the essential content of those fundamental rights, while this requirement is not met. In line with this, Plaintiff points out that in her capacity as processor, sanctions can be imposed if irregularities occur with regard to so-called name and address data. All the more important is the fact of a sound processing agreement between the plaintiff and the CIOT, as well as an equally sound service agreement above that.
    
    7. The Plaintiff further argues that the Defendant is acting contrary to the principle of legitimate expectations. It points out the following in this regard. To date, there is no signed processing agreement and service agreement between the plaintiff and the CIOT. Plaintiff had previously established that the previous versions sent to her by the CIOT were not compliant with the GDPR. For example, these still contain outdated terminologies and definitions and they also had other significant shortcomings, so that the Claimant did not dare to sign these agreements. Plaintiff formulated a number of questions and sent them on November 13, 2019 to the Judicial Information Service of the Ministry of Justice and Security. An employee of the CIOT has already indicated that there would be an improved system. This means that the current system is not adequate and Plaintiff was entitled to rely on this. According to the claimant, it is also a factor in this regard that the GDPR has been in force since 25 May 2018 and that this has resulted in stricter privacy legislation, so that it is also not justified to sign an earlier version of an agreement. The CIOT recognizes this and is investigating a few things. This also justifies the plaintiff's attitude and therefore an appeal must be made to
    
      the principle of legitimate expectations are applied to its advantage. Furthermore, Plaintiff believes that she could derive confidence from the statements of the CIOT that for the time being would not be enforced and that statements are binding on the Defendant. Defendant's assertion that it is immaterial whether an agreement has been signed because the primary decision is only
      focuses on taking the technical measures in order to be able to comply with the
      Plaintiff cannot follow articles 4 and 5 of the Bvgt in this regard. These technical preparations have been made and in order for a long time, but it was not possible to
      connection because the agreements had not yet been signed. This was also communicated to the claimant by the OCT. Plaintiff could not sign these, because they were not available. And when the claimant did receive these, they turned out to be not in order and not compliant. This is communicated at the same time as the CIOT. The defendant's position is therefore contrary to the communication and conduct of the CIOT and therefore conflicts with the principle of legitimate expectations.
     
    
    8. Furthermore, the claimant argues that the contested decision is contrary to legal certainty and that there is scope for the contra legem application of the regulations.
    
    
      
        Rating
      
    
    9. Insofar as the treaty rights invoked by the claimant are not intended to protect its interests, Article 8:69a of the General Administrative Law Act precludes the contested decision from being annulled on the sole ground that an obligation underlying the contested decision may be is contrary to those treaty rights. Although the claimant is an interested party as referred to in the first paragraph of Article 1:2 of the Awb, because its interest is directly involved in the sanctions imposed on it by the defendant, it is not an interest group as referred to in the third paragraph of that article. It is not the case that, by virtue of its objectives, it promotes general or collective privacy interests of its customers or that it has the general objective of defending the right to source protection of journalists. Because the claimant, as a telecom provider, does not invoke treaty rights insofar as they protect her interest, but for the benefit of others, this cannot benefit her in view of the principle of relativity.
    
    10. In the first place, therefore, it remains to be assessed whether Plaintiff was allowed to refuse to fulfill its obligation to make its customer data available to the CIS because Plaintiff is responsible and therefore liable on the basis of the AVG or the Wbp. would be for any illegitimate consultations of the CIS. If that question must be answered in the negative, the question arises as to whether sanctions should nevertheless not have been imposed on it.
    
    
      11.1
      In Article 4, second paragraph, of the GDPR, processing is understood to mean, among other things: an operation or a set of operations relating to personal data or a set of personal data such as recording, providing or otherwise making data available. It follows from the definition of Article 4, seventh paragraph, of the GDPR that, in short, a controller is a (legal) person, body or service that, alone or together with others, determines the purpose and means of the processing of personal data. In addition, when the purposes and means of this processing are established in Union or Member State law, it may be determined who the controller is or according to which criteria it is designated. Article 1, preamble, and under b and d, of the Wbp had the same definition of processing (of personal data) as the AVG and contained a definition of controller that in essence does not differ from that of controller in the AVG, with the exception of what is determined in the final part of the seventh paragraph of Article 4 of the GDPR.
      
    
    
      11.2
      The claimant has the obligation laid down in Article 13.4 of the Tw to provide customer data under the conditions set out in that provision. The way in which the claimant must do this is detailed in the Bvgt. The purpose of and the means for this processing of personal data have thus been determined by the legislator and not by the claimant. Now that Plaintiff has not been designated as a controller in Section 13.4 Tw or in the Bvgt either, she cannot be regarded as controller for the provision of her customer data for the benefit of the CIS. This does not alter the fact that the collection of customer data in itself is also a processing of personal data and that the plaintiff is responsible for that processing, for which it does determine the purpose and means. However, now that the claimant is not responsible for the provision of its customer data for the benefit of the CIS, it is also not responsible for processing that takes place afterwards in the form of consulting the CIS. Any unlawful consultation of the CIS therefore does not constitute the claimant's responsibility and therefore does not entail any liability on the part of the claimant. This is also apparent from the explanatory memorandum accompanying the amendment to the Bvgt (Stb. 2006, 426, p. 10):
      
      
        “(…)
        Questions and comments were placed in the public consultation, mainly related to:
        (…)
        c. indemnification companies from liability
        (…)
        ad c
        The processor agreement contains provisions that adequately regulate the responsibility for processing data. Companies are responsible for the correct supply of data and remain legally responsible for the data supplied to the Central Information Point. Companies are not liable for unlawful querying of the data, nor for incorrect interpretation of correctly supplied data. A company is, however, liable for the correct statement of data, as it is present in its administration.”
       
      
    
    
      11.3.
      Plaintiff is therefore responsible for the correctness of the customer data it has collected, but not for making it available to the CIS, nor for consulting those customer data via the CIS. It follows that there are no conflicting obligations. Plaintiff cannot therefore invoke Article 5:5 of the Awb, which, incidentally, it has not done in so many words.
      
    
    
      12.1.
      Plaintiff does, however, believe that she can invoke Article 5:41 of the Awb, because she cannot be blamed because the defendant and the CIOT were unclear about the plaintiff's liability.
      
    
    
      12.2.
      
        During the hearing, Plaintiff pointed out, without being contradicted, that it was included in the previous processing agreement that the CIOT is not liable for any fines imposed on Plaintiff due to the violation of privacy rules.
        According to the claimant, she thus ran the risk of being held responsible for unlawful data processing in the event that unlawful inquiries were made by the police or the intelligence services. That, as the defendant explained in this regard, inter alia in its e-mail of 21 April 2021, the first paragraph of Article 3, first paragraph, of the Bvgt can also be complied with without a processing agreement having been concluded, because that is only necessary if the claimant chooses to have the data stored in the CIOT system, does not alter this. After all, the point is that on the basis of its correspondence with the CIOT and the processing agreement offered by the CIOT, the claimant could reasonably conclude that it would run a reasonable chance that it could be held liable by unlawful requests, regardless of whether the equipment in which the files are stored is managed by the information point or by the claimant himself. In addition, the defendant did not provide the plaintiff with clarity prior to or during its decision-making process, but only in the appeal phase regarding the question it repeatedly asked about the definition of responsibility. Although the defendant took the position in his decision-making that he himself should start from the lawfulness of the inquiries and is therefore not authorized to say anything about the lawfulness of specific inquiries by the intelligence services and the police, he has repeatedly failed to comment to the question where the responsibility of the claimant ends, while the CIOT also failed to adequately answer that question. Furthermore, the respondent failed to submit the correspondence between the claimant and the CIOT in order to substantiate its position that the claimant can be blamed.
       
      
    
    
      12.3.
      Under these circumstances, the court is of the opinion that Article 5:41 of the Awb precludes the imposition of an administrative fine. The appeal is therefore well founded.
      
    
    
      13.1.
      In view of Article 5:31d of the Awb, the order subject to a penalty is a remedial sanction, so that the absence of guilt does not preclude its imposition. After all, Article 5:41 of the Awb, unlike Article 5:5 of the Awb, only applies to punitive sanctions, as follows from Articles 5:41 and 5:54 of the Awb. It has been considered in this regard that there is no justification for not complying with Article 3(1) of the Bvgt.
      
    
    
      13.2.
      Furthermore, the court is of the opinion that the claimant cannot successfully invoke the principle of legitimate expectations. Although the court is of the opinion, unlike the defendant, that statements by the CIOT can indeed give the plaintiff expectations to be honored by law, precisely because this concerns a connection with the CIS, this cannot nevertheless lead to a successful invocation of the principle of legitimate expectations. After all, with regard to the imposition of orders, the contested decision offers a new favoring period, that is at a time when the confidence that was previously generated no longer played a role, because the announced new processing agreement was sent to the plaintiff prior to the contested decision. In the opinion of the court, legal certainty does not preclude the order and the new grace period granted in the objection. There is also no reason for the contra legem effect of legal principles envisaged by the claimant.
      
    
    
      13.3.
      In the opinion of the court, the defendant could reasonably decide to impose an order subject to penalty on the plaintiff. Respondent has rightly pointed out in this regard that it is of great social importance that every provider is affiliated with the CIOT. This is necessary for the effective investigation of criminal offences. If, in a hypothetical situation, all providers decide not to connect to the CIS, the investigative services will have to search for the proverbial 'needle in the haystack' to identify the person with an IP address or telephone number. This would make the investigation of criminal offenses seriously more difficult.
      
    
    
      13.4.
      Plaintiff has not submitted any grounds on appeal against the new benefit period and the amount of the charge. In addition, the court notes that the respondent noted at the hearing that collection is not being taken now that the claimant has meanwhile been connected to the CIS. The grounds of appeal against the order subject to periodic penalty payments fail.
      
      
        
          Final Considerations
        
      
      14. As has been considered above, the appeal is well founded in connection with the imposition of the fine. Pursuant to Article 8:72a of the Awb, the court itself will settle the case by revoking the primary decision insofar as the fine is concerned.
      
      15. Because the District Court declares the appeal well-founded, the District Court determines that the defendant will reimburse the plaintiff for the court fees it has paid.
      
      16. The court orders the defendant to pay the costs incurred by the plaintiff. Based on the Administrative Costs Decree, the court sets these costs for legal assistance provided professionally by a third party at €2,136 (1 point for submitting the notice of objection and 1 point for appearing at a hearing, 1 point for submitting the notice of appeal and 1 point for appearing at the hearing with a value per point of € 534 and weighting factor 1) as well as an amount of € 137 in travel expenses, so a total of € 2,273.
      
      
        
          What does this statement mean?
        
      
      17. Plaintiff is partially right. The fine cannot stand, but the order subject to a penalty can. A court order for costs will also follow.
      
      
    
  
  
    Decision
    
    
      The court:
    
    
      -
        declares the appeal well-founded;
      
      -
        annul the contested decision in so far as it upholds the fine;
      
      -
        revokes the primary decision to the extent that the fine was imposed;
      
      -
        provides that that decision supersedes the contested decision to that extent;
      
      -
        otherwise uphold the contested decision;
      
      -
        determines that the defendant will reimburse the plaintiff for the court fee of €354 paid;
      
      -
        orders the defendant to pay the plaintiff's legal costs to an amount of € 2,273.
      
    
    
    
    
      This decision was made by mr. A.C. Rop, judge, in the presence of mr. R. Stijnen, clerk of the court. The ruling was made public on May 27, 2021.
     
    
    
    
    
      
        The registrar and the judge are prevented from signing the decision
      
     
    
    
      Registrar Judge
     
    
    
    
      A copy of this ruling has been sent to the parties at:
     
    
    
  
  
    Remedy
    An appeal can be lodged against this decision to the Trade and Industry Appeals Tribunal within six weeks of the date on which it was sent.
    
  
  
    Appendix
    
    
      
        Convention for the Protection of Human Rights and Fundamental Freedoms (translation)
      
      Article 8. Right to respect for private and family life
    
    1. Everyone has the right to respect for his private and family life, his home and his correspondence.
    2. No interference by any public authority is permitted in the exercise of this right, except to the extent provided for by law and necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country , the prevention of disorder and crime, the protection of health or morals or the protection of the rights and freedoms of others.
    
    
      
        Regulation (EU) 2016/679 (General Data Protection Regulation)
      
      Article 2
      
        Material application area
      
    
    1. This Regulation shall apply to processing wholly or partly by automated means, as well as to the processing of personal data entered in a file or intended to be entered therein.
    2. This Regulation does not apply to the processing of personal data:
    (…)
    (d) by the competent authorities for the purposes of the prevention, investigation, detection and prosecution of criminal offenses or the execution of criminal penalties, including protection against and prevention of threats to public security.
    
    
      Article 4
      
        Definitions
      
      For the purposes of this Regulation:
      1) “personal data” means any information relating to an identified or identifiable natural person (“the data subject”); an identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more elements characteristic of the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person;
      2) “processing” means an operation or a set of operations on personal data or a set of personal data, whether or not carried out by automated means, such as collecting, recording, organizing, structuring, storing, updating or modifying, retrieving, consulting , use, provide by transmission, dissemination or otherwise make available, align or combine, shield, erase or destroy data;
      (…)
      7) “controller” means any natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are established in Union or Member State law, they may determine who the controller is or the criteria according to which it is designated;
      8) “processor” means a natural or legal person, a public authority, a service or other body that processes personal data on behalf of the controller;
      (…)
      12) “personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, data transmitted, stored or otherwise processed;
      (…)
     
    
    
      Article 6
      
        Lawfulness of the processing
      
    
    1. Processing is only lawful if and insofar as at least one of the following conditions is met:
    a. a) the data subject has consented to the processing of his/her personal data for one or more specific purposes;
    b) the processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract;
    c) the processing is necessary for compliance with a legal obligation to which the controller is responsible;
    d) the processing is necessary to protect the vital interests of the data subject or of another natural person;
    e) the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority conferred on the controller;
    f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where the interests or fundamental rights and freedoms of the data subject which require the protection of personal data outweigh those interests, in particular when the person concerned is a child.
    
      Point (f) of the first subparagraph shall not apply to processing by public authorities in the performance of their duties.
      (…)
    
    3. The legal basis for the processing referred to in points (c) and (e) of paragraph 1 shall be determined by:
    a. a) Union law; or
    b) Member State law applicable to the controller.
    
      The purpose of the processing shall be determined in that legal basis or, in relation to the processing referred to in point (e) of paragraph 1, it is necessary for the performance of a task carried out in the public interest or for the exercise of official authority conferred on the controller . That legal basis may contain specific provisions to adapt the application of the rules of this Regulation, including the general conditions on the lawfulness of processing by the controller; the types of data processed; The involved; the entities to which and the purposes for which the personal data may be provided; the target limitation; the storage periods; and the processing activities and procedures, including measures to ensure lawful and fair processing, such as those for other specific processing situations referred to in Chapter IX. Union or Member State law must meet an objective of public interest and must be proportionate to the legitimate aim pursued.
      (…)
     
    
    
      Article 99
      
        Entry into force and application
      
    
    1. This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
    2. It shall apply from 25 May 2018.
    
    
      
        Personal Data Protection Act (expired on 25 May 2018)
      
      Article 1
      In this Act and the provisions based on it, the following definitions apply:
    
    a. personal data: any data concerning an identified or identifiable natural person;
    b. processing of personal data: any act or set of acts relating to personal data, including in any case the collection, recording, organization, storage, updating, modification, retrieval, consultation, use, disclosure by transmission, dissemination or any other form of making available, bringing together, relating to each other, as well as blocking, erasing or destroying data;
    c. file: any structured set of personal data, regardless of whether this set of data is centralized or distributed in a functionally or geographically determined manner, which is accessible according to certain criteria and relates to different persons;
    d. controller: the natural person, legal person or any other person or administrative body that, alone or together with others, determines the purpose and means of the processing of personal data;
    e. processor: the person who processes personal data on behalf of the controller, without being subject to his direct authority;
    (…)
    
    
      Article 2
    
    1. This law applies to the fully or partially automated processing of personal data, as well as the non-automated processing of personal data that are included in a file or that are intended to be included therein.
    2. This law does not apply to the processing of personal data:
    (…)
    b. by or for the benefit of the intelligence and security services, as referred to in the Intelligence and Security Services Act 2017;
    c. for the purpose of carrying out the police duties referred to in Articles 3 and 4, paragraph 1, of the Police Act 2012;
    (…)
    
    
      Article 8
      Personal data may only be processed if:
    
    a. the data subject has given his unambiguous consent for the processing;
    b. the data processing is necessary for the performance of a contract to which the data subject is a party, or for taking pre-contractual measures in response to a request from the data subject and which are necessary for the conclusion of a contract;
    c. the data processing is necessary to comply with a legal obligation to which the controller is subject;
    d. the data processing is necessary to safeguard a vital interest of the data subject;
    e. the data processing is necessary for the proper performance of a public law task by the relevant administrative body or the administrative body to which the data is provided, or
    f. the data processing is necessary for the representation of the legitimate interest of the controller or of a third party to whom the data is disclosed, unless the interest or the fundamental rights and freedoms of the data subject, in particular the right to privacy, prevails.
    
    
      
        General Administrative Law Act
      
      Article 1:2
    
    1.
    (…)
    3. With regard to legal persons, their interests are also considered to be the general and collective interests that they promote in particular by virtue of their objectives and as evidenced by their actual activities.
    
    
      Article 5:5
      The administrative authority does not impose an administrative sanction insofar as there was a justification for the violation.
     
    
    
      Article 5:31d
      An order subject to a penalty is understood to mean: the recovery sanction, containing:
    
    a. an order for full or partial remedy of the violation, and
    b. the obligation to pay a sum of money if the order is not carried out or is not carried out on time.
    
    
      Article 5:32
    
    1. An administrative body authorized to impose an order subject to administrative coercion may instead impose an order subject to penalty on the offender.
    (…)
    
    
      Article 5:32b
    
    1. The administrative authority shall set the penalty payment either at a lump sum or at an amount per unit of time in which the order was not executed, or per violation of the order.
    2. The administrative authority also determines an amount above which no penalty payment will be forfeited.
    3. The amounts are in reasonable proportion to the gravity of the harmed interest and to the intended effect of the penalty payment.
    
    
      Article 5:41
      The administrative body does not impose an administrative fine insofar as the violation cannot be attributed to the offender.
     
    
    
      Article 5:54
      This Title applies mutatis mutandis to other punitive sanctions, to the extent provided for by law.
     
    
    
      Article 8:69a
      The administrative court will not annul a decision on the ground that it is in conflict with a written or unwritten rule of law or a general principle of law, if this rule or principle is manifestly not intended to protect the interests of the person who invokes it.
     
    
    
      
        Intelligence and Security Services Act 2017
      
      Article 55
    
    1. The services are authorized to contact a provider of a communication service with the order to provide information about a user and about the communication traffic with regard to that user that took place before or at the time of the assignment or that will take place after that time. take place. The data to which the assignment may relate shall be designated by order in council.
    2. The power referred to in the first paragraph may only be exercised with the consent of Our concerned Minister or, on his behalf, the head of the relevant service.
    (…)
    
    
      Article 56
    
    1. The services are authorized to contact a provider of a communication service with the order to provide data with regard to:
    a. name, address, postcode, place of residence, number, technical characteristic and type of service of a user, as well as
    b. name, address, postal code, place of residence of the person who pays the bill for the communication service that the user has or has had available and the bank account number or payment method used for this purpose.
    (…)
    
    
      
        Telecommunications Act
      
     
    
    
      Article 1.1
      In this Act and the provisions based on it, the following definitions apply:
      offering an electronic communications network: building, operating, managing or making available an electronic communications network;
      (…)
      public telecommunications network: electronic communications network that is wholly or partly used to provide public telecommunications services, insofar as the network is not used for the distribution of programmes;
      (…)
      public telecommunications service: service available to the public that consists wholly or partly in the transmission of signals via an electronic communications network, insofar as this service does not consist of the distribution of programmes;
      (…)
     
    
    
      Article 13.4
    
    1. Providers of public telecommunications networks and public telecommunications services shall immediately comply with a claim under Article 126n or Article 126na, or Article 126u or Article 126ua, of the Code of Criminal Procedure or an order under Article 55 of the intelligence and security services 2017 to provide data about a user of a public telecommunications network or a public telecommunications service and the telecommunications traffic relating to that user.
    2. Providers of public telecommunications networks and public telecommunications services comply with a claim based on Article 126na, first paragraph, 126ua, first paragraph, or 126zi of the Code of Criminal Procedure or an order based on Article 56 of the Information Act. and security services 2017 to provide information regarding the name, address, zip code, place of residence, number and type of service of a user of a public telecommunications network or a public telecommunications service.
    3. Providers of public telecommunications networks and public telecommunications services comply with a claim based on Article 126na, second paragraph, 126ua, second paragraph, or 126zi of the Code of Criminal Procedure or an order based on Article 56 of the Information Act. and security services 2017 to find out and provide the data referred to in the first paragraph in a manner to be determined by order in council. In order to be able to comply with these obligations, the providers keep the data to be designated by order in council for a period of twelve months, from the time this data was processed for the first time.
    4. Rules may be laid down by order in council, on the recommendation of Our Minister of Security and Justice, Our Minister, Our Minister of the Interior and Kingdom Relations and Our Minister of Defense with regard to the way in which the providers meet a claim or a request, referred to in the first, second and third paragraph, the registration of statistical data and the periods within which those data are made available and the manner in which the data, referred to in the second and third paragraphs, are kept available. The nomination for an order in council to be adopted pursuant to the first sentence shall not be made earlier than four weeks after the draft has been submitted to both Houses of the States General.
    
    
      Article 15.1
    
    1. The officials designated by decision of Our Minister are charged with supervising compliance with the provisions of or pursuant to this Act and the EIDAS Ordinance, insofar as it concerns the provisions relating to:
    (…)
    h. authorized wiretapping and retention of data as regulated in Chapter 13;
    (…)
    
    
      Article 15.2
    
    1. Our Minister is authorized to:
    a. imposition of an order under administrative coercion to enforce the obligations imposed by or pursuant to the provisions referred to in Article 15.1, first paragraph;
    (…)
    
    
      Article 15.4
    
    1. In the event of a violation of a statutory provision with the supervision of compliance with which he is charged pursuant to Article 15.1, paragraph 1, or in the event of a violation of Article 5:20 of the General Administrative Law Act, our Minister may impose an administrative fine not exceeding € 900,000.
    (…)
    
    
      
        Decree on provision of telecommunications data
      
      Article 1
      In this decision, the following definitions apply:
    
    a. law: Telecommunications Act;
    b. information point: the Central Information Point for Telecommunications Research, referred to in Article 2;
    c. provider: the provider of a public telecommunications network or a public telecommunications service;
    d. competent authority:
    
      1°. the examining magistrate in criminal matters, the public prosecutor, the chief of police, as referred to in Article 27 of the Police Act 2012, or the head of an investigative service, or the investigating officer designated by the chief of police for his force or by the head for his service,
      2°. the head of the General Intelligence and Security Service, or the official designated by him,
      3°. the head of the Military Intelligence and Security Service, or the official designated by him;
    
    e. information: the information referred to in Article 13.4, second paragraph, of the Act, insofar as this information does not relate to a number other than the connection number for fixed or mobile public telephone networks, and does not relate to a number other than the login name or user name, an e-mail address, terminal device identification numbers or an assigned Internet protocol number for public telecommunications networks and public telecommunications services consisting solely in the provision of access to the Internet or the services to be provided or to be performed by means of the Internet;
    (…)
    
    
      Article 2
      Our Minister of Justice and Security is charged with the automated forwarding of requests for and provision of information. He performs this task through the Central Information Point for Telecommunications Research.
     
    
    
      Article 3
    
    1. The information point, the competent authority and the provider shall each take the technical measures necessary to implement the second, third and fourth paragraphs. The technical provisions meet the conditions referred to in Articles 4 and 5 and the specifications included in the Annex to this Decree.
    2. The competent authority shall request the provision of information contained in the file referred to in Article 4 through the information point. The competent authority shall make the request by automated means.
    3. The provider provides the information through the information point. To this end, the provider grants the information point direct access to the files referred to in Article 4, paragraphs 1 and 2, by automated means, 24 hours a day.
    4. The information point will automatically compare the data to which the request relates with the data in the files referred to in Article 4, first and second paragraph. When the data to which the request relates are present in the files, they are forwarded by the information point to the competent authority by automated means.
    5. At the request of the competent authority, the provider will provide correction or explanation of the data referred to in the fourth paragraph, second sentence, without the intervention of the information point.
    6. A provider and the information point agree that the information point will act as processor of the files referred to in Article 4, if the equipment in which the files are stored is managed by the information point.
    
    
      Article 4
    
    1. The provider of fixed public telephone networks or fixed public telephone services, or of mobile public telephone networks or mobile public telephone services, shall have a file containing the following details of the persons who use a service or network of the provider:
    a. the name, address with number and any additions, postal code and place of residence;
    b. the telecommunications service that is purchased and,
    c. the connection number that or the connection numbers that have been issued to a user;
    d. the name of the provider of the fixed public telephone network or the mobile public telephone network through which the provider of fixed public telephone services or mobile public telephone services has provided the services to the user.
    2. The provider of public telecommunications networks or of public telecommunications services consisting solely of providing access to the Internet and of the services to be provided or to be provided by means of the Internet has a file containing the following data of the users of a network or service of the provider:
    a. the name, address with number and any additions, postal code and place of residence,
    b. the telecommunications service that is purchased, which also includes the type of connection,
    c. the user name, login name and e-mail addresses of a user, the identification numbers of a user's peripherals, and the Internet Protocol numbers assigned to a user at the time the file data is updated for the provision of access to the Internet or the services to be provided or to be performed by means of the Internet, and
    d. the name of the provider of the public telecommunications network through which the provider of the public telecommunications service has provided the services to the user.
    3. The provider will update the data in the file referred to in the first and second paragraphs, respectively, at least every 24 hours, by adapting the data to the most current data that it uses for its business operations.
    
    
      Article 7
    
    1. Our Minister of Justice and Security shall ensure that the information point records a characteristic for each provision of information, on the basis of which it can be traced back to which provider, to which competent authority and on what legal basis information was provided. The record is kept for three years.
    2. Our Minister of Justice and Security shall ensure that the information point does not store any data as referred to in Article 4, paragraphs 1 and 2, unless the data is stored under the responsibility of the provider on the basis of an agreement as referred to in Article 3, sixth member. The recording referred to in the first paragraph shall be made in such a way that no data is included that can be traced back to persons to whom a request for information relates.
    
    
      
        Annex to the Decree of 26 January 2000, containing rules for the provision of data by providers of public telecommunications networks and services for the purpose of investigating telecommunications (Decree on provision of telecommunications data)
      
      Specification interface for supplying data to the information point
     
    
    1. Data provision
    1. The provider provides the following data relating to the user:
    a. name;
    b. address;
    c. residence;
    d. Postal Code;
    e. connection number for fixed or mobile public telephone networks, and a user's login name, user name and e-mail addresses, peripheral device identification numbers, and Internet Protocol numbers that are used at the time the file data is updated, allocated to a user, for public telecommunications networks and public telecommunications services that consist solely in the provision of access to the Internet and the services to be provided or to be performed by means of the Internet;
    f. type of telecommunications service, which also includes the type of connection (such as cable, ADSL, dial-up connection);
    g. the identity of the telecommunications provider.
    2. Numbers also include: shielded and secret numbers.