There are generally no infrastructural limitations restricting access to the internet in the Netherlands, though some problems persist on its associated Caribbean islands.

According to 2023 data from the International Telecommunication Union (ITU), 96.9 percent of households have access to the internet, and 92.5 percent of people use the internet.1 The Organisation for Economic Co-operation and Development (OECD) reported that the country’s fixed-line broadband penetration rate was 44.2 percent as of June 2023, while the mobile broadband penetration rate was 123.2 percent.2

As of April 2024, Ookla’s Speedtest recorded median mobile download speeds of 130.61 Mbps (megabits per second) and median fixed-line broadband download speeds of 190.96 Mbps.3

Digital infrastructure is still a matter of concern on the Dutch Caribbean islands of Bonaire, Saba, and St. Eustatius, which are governed as special municipalities and known collectively as the Caribbean Netherlands (see A2). (Three more populous islands—Aruba, Curaçao, and Sint Maarten—have greater autonomy as constituent countries within broader Kingdom of the Netherlands.) Hurricanes threaten the islands’ connectivity infrastructure and make them more susceptible to power outages.4

The cost of internet access in the Netherlands is not prohibitive. In 2023, the ACM concluded that internet service is readily available and mostly affordable.5 According to 2023 data from the ITU, 5 GB of fixed-line broadband internet service a month costs 1 percent of gross national income (GNI) per capita, while a monthly 2 GB mobile data plan costs 0.41 percent of GNI per capita.6 In 2024, people paid €138 ($151) more per year for their internet connection than in 2022.7

In September 2023, municipalities and telecommunications service providers launched a year-long Digital Participation Package pilot program designed to supply financially vulnerable households with internet connections, a device, and other support to reduce digital barriers.8 Upon the conclusion of the pilot, participating providers and municipalities planned to evaluate the program’s efficacy in addressing disparities in access.

While overall coverage has continued to increase in the country,9 more than 31,000 households in rural areas still lacked internet connections of at least 100 Mbps, according to a July 2023 letter from the minister of economic affairs and climate policy.10 For approximately 25,000 of these homes, connection speeds remained below 30 Mbps. High-quality internet service is available in almost all of the Netherlands, though residents of North-Holland, Limburg, and Groningen provinces have less access to fiber-optic cables than those in other parts of the country.

Residents of the Caribbean Netherlands islands face greater financial barriers to internet access. Compared with other countries in the Caribbean, the islands tend to have higher average prices for fixed-line broadband plans.11 The government offers a monthly subsidy per user on Bonaire, St. Eustatius, and Saba. A January 2024 report from the Ministry of Economic Affairs and Climate Policy announced plans to reduce the cost of access in the year to come.12

The price-to-quality ratio of internet subscriptions on the Caribbean Netherlands islands has improved, but challenges remain. Households on the three islands largely feature copper or coaxial rather than fiber-optic connections, which provide higher internet speeds.13 To better connect its overseas territories, the Dutch government announced in early 2024 that it would make €3 million ($3.3 million) available for the roll-out of fiber-optic cables during the year.14 The Ministry of Economic Affairs and Climate Policy also said it would examine international access to its overseas territories via undersea cables.15

The government has not taken measures to restrict internet connectivity. All major social media platforms and communication applications are accessible. No restrictions are placed on service providers.

There is no central internet backbone. The largest exchange operating in the Netherlands is AMS-IX, which is run by a private membership-based association of the same name.16

There are few legal limits on businesses’ ability to provide fixed-line or mobile broadband internet access, though the market has become more concentrated due to recent mergers. Companies providing telecommunications services must register with the ACM and are subject to rules on availability, net neutrality, data security, and privacy protection. While registration is free, providers earning more than €2 million ($2.2 million) pay an annual fee to the ACM.17

According to 2023 first-quarter data from the ACM, KPN and VodafoneZiggo are the largest providers of fixed-line broadband internet, with market shares ranging from 40 to 45 percent and 35 to 40 percent, respectively. T-Mobile and Delta Fiber each control 5 to 10 percent of the market, and other providers have shares of less than 5 percent. 18 In addition, about three million households, concentrated in large cities such as Amsterdam, can only obtain high-speed fixed-line internet service through cable networks. As only one operator, VodafoneZiggo, offers cable service, consumer choice is limited in these areas.19 In the mobile market, Odido controls a share of between 30 and 35 percent, while KPN and VodafoneZiggo each control 20 to 30 percent. 20

In March 2024, the ACM decided that KPN could acquire the smaller mobile provider Youfone. The ACM determined that the acquisition would not result in major price increases for consumers and was unlikely to produce competition concerns.21 Similarly, in 2018, the European Commission approved the acquisition of Tele2 NL, the fourth-largest mobile provider at the time, by T-Mobile Netherlands, which later rebranded as Odido.22

A 2023 investigation by the ACM concluded that providers offering fiber-optic internet connections have to open their networks to competitors, but providers of cable-based service do not.23 The ACM determined that there is sufficient competition overall because of the rollout of fiber-optic networks.24

The Authority for Digital Infrastructure (RDI), the ACM, and the Data Protection Authority (DPA), which together ensure that service providers and digital platforms adhere to telecommunications law, are administrative bodies and not subordinate to a government minister. The RDI oversees implementation of laws and regulations concerning communication networks, the ACM enforces market regulation, and the DPA ensures compliance with privacy legislation. The ACM has been tasked with leading the implementation of the EU’s DSA, which came into effect for platforms with over 45 million monthly users in August 2023 and other platforms, intermediaries, and service providers in February 2024 (see B2 and B3). The DPA will also play a role in implementing and enforcing the regulation.

The RDI and ACM both function as agencies within the Ministry of Economic Affairs and Climate Policy.25 The RDI features three substantive directorates that specialize in digital infrastructure, equipment, and digital resilience.26 The ACM’s board has three members who finalize all decisions issued by the authority.27 The DPA’s board consists of a chairperson and two members, all of whom are appointed by the minister of justice and security. Board members serve five-year terms, which can be renewed for another five years after reappointment.28

In accordance with Article 12.1 of the Telecommunications Act, telecommunications service providers are required to join an arbitration committee to resolve disputes.29 NLconnect,30 a trade association for the telecommunications industry, and the Telecommunications Services Disputes Committee each have their own active committees for resolving out-of-court disputes concerning consumers and providers of telecommunications services.31

There have been no incidents that cast doubt on the independence of these bodies. However, both civil society and the DPA itself have routinely noted that the authority is given insufficient resources to fulfill its mandate.32 This has raised further concerns about its capacity to assume its new duties as a regulator responsible for coordinating algorithm oversight and as an implementing and enforcement agency under the DSA (see C6). The DPA argues that it needs to increase its staff significantly to perform these new duties.33

The state generally does not block or filter content, nor does it compel service providers to do so.

However, in March 2022, after the Russian military’s full-scale invasion of Ukraine, the European Council’s Regulation 2022/350 ordered member states to suspend the broadcasting activities and websites of the Russian state media outlets RT and Sputnik.34 In response, representatives from VodafoneZiggo, KPN, and Odido said they would comply with the bans.35 In May 2022, the Freedom of Information Coalition (FOIC), an alliance of ISPs and internet and press freedom organizations, filed a petition asking the Court of Justice of the European Union (CJEU) to rule on the legality of the blocking. A hearing date for the case had not been set by the end of the coverage period.36 The EU issued additional bans against Rossiya RTR/RTR Planeta, Rossiya 24/Russia 24, and TV Centre International in June 2022.37 In May 2024, the EU also ordered the blocking, and suspended the broadcasting licenses, of Russian outlets Voice of Europe, RIA Novosti, Izvestiya, and Rossiyskaya Gazeta.38

The government utilizes several legal and administrative means to compel digital platforms to remove specific content, most of which are subject to oversight.

The public prosecutor can order the removal of a piece of content if a crime is suspected, if it is necessary to stop a crime or prevent new crimes, and if a magistrate judge has approved the prosecutor’s order and given the online platform an opportunity to be heard.39 If all of these conditions are met, the platform is obliged to comply with the demand or risk losing its liability exemption.

The Fiscal Information and Investigation Service (FIOD) investigates and prosecutes serious copyright infringements under national copyright law (see B3). For instance, in May 2023 it took down a major illegal Internet Protocol television (IPTV) provider,40 collaborating with the public prosecutor and Europol. In 2023, a 14-year legal battle between the Foundation for the Protection of the Rights of the Entertainment Industry of the Netherlands (BREIN) and Usenet, a discussion platform, came to an end. The Supreme Court cleared Usenet of all copyright infringement charges, ruling that it could not be held liable for content shared by third parties on its platform.41

The DSA mandates that platforms and intermediaries operating in the EU establish mechanisms for taking action against illegal content and provide more transparency on platform functions and decision making (see A5 and B3).42 Compliance with the DSA in the Netherlands is supervised by the ACM and supported by the DPA,43 though a national law transposing the DSA into the country’s legal framework had not entered into force by the end of the coverage period. Prior to the DSA, online platforms operating in the EU designated certain entities as “trusted flaggers,” a status that is now legislated through the DSA. In November 2023, the Ministry of the Interior, a trusted flagger designated by an online platform, issued an order to the social media application X (known as Twitter until mid-2023) to remove posts that encouraged people to vote for different candidates from a combined list, which would invalidate citizens’ votes.44

Since its establishment in September 2023, the Authority for the Prevention of Online Terrorist Content and Child Pornography has issued removal orders in keeping with the EU regulation on addressing the dissemination of terrorist content. In July 2024, after the coverage period, it also became responsible for removing child sexual abuse material (see B3).45

Between October 2023 and March 2024, the government submitted 28 orders to Meta—parent company of Facebook and several other social media platforms—to act against illegal content under the DSA.46 The government did not submit any orders to the short-video platform TikTok during that period.47

In 2023, the government sent Google 44 requests to remove 346 items from its services, the majority of which concerned alleged copyright infringements. Google removed 82.4 percent of the items covered in the 22 requests between January and June 2023, and 90.7 percent of the items covered in 22 requests in the latter half of the year.48 Similarly, between January and June 2023 Meta restricted access to 287 pieces of content—a marked increase from the 165 posts taken down during the same period in 2022—for alleged violations of local laws. Between July and December 2023, Meta restricted access to 208 pieces of content, which included 100 items from Russian state-controlled media that were restricted across the EU.49

In 2023, the Netherlands Domain Registration Foundation (SIDN), which abides by the Notice-and-Take-Down Code of Conduct (see B3), reported that it had received 60 requests and disabled 38 of the domain names in question.50

Laws mandating the removal or restriction of online content are generally transparent and proportional.

The Digital Services Implementation Act, which was sent to the House of Representatives in April 2024 but remained a draft at the end of the coverage period, would incorporate the EU’s DSA into national law and establish rules for the division of authority between the DPA and ACM in supervising DSA compliance.51 The ACM actively participates in the European Board for Digital Services, established by the DSA, and already offers users the opportunity to submit reports of alleged DSA violations through its website.52 The out-of-court dispute settlement (ODS) bodies established by Article 21 of the DSA were not yet in place during the coverage period,53 and potential trusted flaggers—the entities that will have priority in reporting illegal content—could not yet register with the ACM.54 In July 2024, after the coverage period, the European Commission opened an infringement procedure and sent a letter of formal notice to the Netherlands for failing to empower its digital services coordinator with “the necessary powers and competences” to carry out its duties.55

The Dutch contributors to the Civil Liberties Union for Europe’s 2024 rule of law report described the DSA as an “important step forward” in protecting press freedom and journalist safety online.56 Meanwhile, a coalition of civil society organizations and journalists, led by the digital rights organization Bits of Freedom, has spearheaded a campaign to inform citizens of their new rights under the DSA (see B8).57

The EU Directive on Copyright in the Digital Single Market came into force in 2019, with the aim of harmonizing copyright law across member states.58 The directive was transposed into national law in December 2020, and the majority of its provisions went into effect in 2021.59 National law stipulates that online platforms are obliged to filter and remove content, including pictures, music, and videos, if permission from rightsholders has not been acquired.60

The Netherlands also employs several measures to remove content from platforms in the context of counterterrorism. The EU regulation on addressing the dissemination of terrorist content online, adopted in 2021, mandates that hosting services in member states remove or disable access to content that incites or glorifies terrorist activities.61 The Netherlands’ “Integrated Approach to Jihadism,” formulated in 2014, established a specialist team from the National Police that informs the public prosecutor of potentially criminal online communications. If the content is not voluntarily removed, the offender may be criminally charged.62 In addition, platforms that persist in “facilitating” terrorist organizations are addressed on the basis of the Netherlands’ terrorism sanctions regulations.63

In 2008, a public-private partnership led by the government and broadband and cable providers drafted the Notice-and-Take-Down Code of Conduct. It is a voluntary and self-regulatory measure that explains how intermediaries can deal with complaints about illegal content on the internet.64 The code provides clarity in determining whether a complaint is justified, and what steps should be followed to ensure that reports are always processed. In 2018, the code was amended to include agreements on the handling of child sexual abuse content reports originating from Offlimits (formerly the Online Child Abuse Expertise Bureau, or EOKM).65

Mayors have attempted to issue “online area bans,” or decisions that would prevent particular residents from using communications platforms, by claiming that chat and social media spaces constitute “online public spaces.” In 2021, after an Utrecht resident called for disruptions to public order in response to a fireworks prohibition, the city’s mayor issued an order banning the individual from Telegram under threat of a fine.66 In February 2023, a district court ruled that the mayor did not have the authority to issue such a ban, finding that statements—including online posts—giving rise to disorder may be “undesirable” but are still protected by the constitutional freedom of expression. Amsterdam mayor Femke Halsema notably disagreed with the ruling,67 while digital rights organizations, including Bits of Freedom, have argued that online area bans would weaken public trust in the government.68

Online self-censorship is not widespread, though members of marginalized communities and journalists do self-censor in certain situations. In 2023, focus groups organized by the Public Interest Litigation Project and Bits of Freedom found that activists reported adjusting their speech and self-censoring to reach wider audiences and protect themselves and others from being targeted with hate speech, doxing, and threats.69

Over 90 percent of editors and nearly 50 percent of journalists in the Netherlands have reported legal intimidation due to a publication, according to a 2023 study by the National Association for Journalists and PersVeilig, a collaborative initiative between the media sector and law enforcement agencies.70

Concerns about content manipulation in the Netherlands have increased in recent years.

Political figures have spread false and misleading information, including during electoral periods. For example, the European Digital Media Observatory (EDMO) reported that ahead of the November 2023 general elections, political actors posted false information that exaggerated the number of people entering the EU and associated migrants with crime to stoke anti-immigration narratives.71 In one instance, days ahead of the elections, Geert Wilders of the far-right Party for Freedom (PVV) misleadingly claimed on X that asylum seekers had received a credit card with “free money” while millions of citizens struggled to make ends meet.72 Despite such cases, in April 2024, the Ministry of Interior and Kingdom Relations of Netherlands reported no signs of coordinated disinformation or interference campaigns during the elections.73

To address the spread of misleading information during elections, the government established a voluntary code of conduct in February 2021. Signatories committed to promote the transparency of online political advertisements and “avoid the dissemination of misleading content, hate speech, and messages that incite violence.”74 The far-right Forum for Democracy (FvD) and PVV were the only parties that did not sign.

During a week-long sex education campaign for students across the Netherlands in March 2023, leaders of the FvD party wrote and shared false and homophobic posts claiming that young children were being groomed and sexually abused.75

False and misleading information has also been spread by foreign actors. A March 2024 investigation conducted by the Czech Republic’s Security Information Service (BIS) reported on a Russian campaign that had allegedly approached and paid European politicians, including Dutch representatives, to question the “territorial integrity, sovereignty, and freedom of Ukraine” on the news site Voice of Europe.76 As of the end of the coverage period, authorities in the Czech Republic and the Netherlands had not released the names of the politicians who were alleged to be involved, citing national security concerns. The EU imposed sanctions on Voice of Europe in May 2024 due to its role in promoting Russian disinformation campaigns (see B1).77

A July 2023 report by the Dutch National Coordinator for Counterterrorism and Security (NCTV) noted that Russian influence operations had been using disinformation tactics in an attempt to undermine public support in Europe and the United States for the defense of Ukraine. However, the report found that no such disinformation campaigns had specifically targeted the Netherlands.78

There are few legal constraints on individuals’ ability to publish online, though market concentration in the media sector presents a concern.79

The Dutch Media Authority (CvdM) monitors compliance with the 2008 Media Act and aims to protect the quality, independence, and diversity of public and commercial media, including radio, television, and online platforms.

In January 2023, the ACM blocked a proposed merger between the media groups Talpa and RTL Nederland, claiming that the deal would result in unfair control of the advertising industry.80 Also that year, DPG Media announced a planned acquisition of RTL Nederland, citing a need to increase its market share to compete with the advertising dominance of major social media platforms and search engines. In response, experts on the media, competition, and digital rights spoke out about the potential implications for consumer privacy and the concentration of power in the hands of advertisers.81 In May 2024, the ACM announced a deeper investigation into DPG Media’s proposed acquisition of RTL Nederland, noting concerns regarding the quality and accessibility of general news services, competition in the advertising market, DPG Media's bargaining position, and conditions for journalists.82

The European Media Freedom Act (EMFA), which aims to protect journalists from interference and harmonize the EU’s approach to media pluralism and editorial independence across member states, entered into force in May 2024.83 The act recognizes that recipients of media services have the right to access a wide variety of content, and it requires member states to provide the necessary framework to accomplish this objective (see C1). As of the end of the coverage period, the EMFA had not been transposed into Dutch law.

In December 2020, the Netherlands transposed the EU Directive on Copyright in the Digital Single Market into national law (see B3),84 including an ad hoc liability system for platforms that host copyrighted content.

In 2013, the Netherlands became the first European country to codify the principle of net neutrality into law, prohibiting ISPs from selectively slowing or speeding up internet traffic for different sites or services.85 The EU later passed the Net Neutrality Regulation in 2015, and it is enforced by the ACM in the Netherlands. However, Dutch ISPs have tested the limits of these rules. For example, in 2017, a Dutch court ruled that T-Mobile’s 2016 launch of a data-free music service broke a national law against zero-rating. A subsequent investigation by the ACM determined that T-Mobile’s service did not violate the EU regulation on net neutrality.86 After a 2021 CJEU ruling prohibited zero-rating under the net neutrality regulation, T-Mobile and the ACM reversed course and agreed that the provider would entirely phase out its data-free music service by April 2023.87

A wide range of news outlets and sources are available in the Netherlands. However, the CvdM’s 2023 Media Monitor report found that mergers and acquisitions have resulted in a less diverse information landscape, listing five major media companies in 2022, compared with 11 in 2011.88 The CvdM has also expressed concern about the lack of quality information on social media, and particularly its impact on younger generations.89

Misinformation concerning health and climate change are common on popular social media platforms in the Netherlands.90 A 2023 study by Pointer and Sound & Vision, analyzing TikTok videos watched by students at a secondary school, determined that 30 percent of the videos addressing climate issues contained misinformation.91 The videos featured narratives ranging from climate change denial to the exaggeration and misinterpretation of climate change effects.

In its 2023 annual report, the General Intelligence and Security Service (AIVD) determined that right-wing extremist groups were increasingly spreading nationalistic and anti-immigrant ideologies on social media to attract new followers.92 For instance, the report found that these organizations disseminated posts about the “Great Replacement,” a racist and antisemitic conspiracy theory claiming that a Jewish elite is attempting to “replace” the White population with people of color.

Civil society and academic initiatives have attempted to raise awareness about more misleading posts in the wake of the October 7, 2023, Hamas-led attack on Israel and the Israeli military’s subsequent invasion of the Gaza Strip. For instance, Leiden University’s fact-checking project identified fake images and false information that were spread online during the war.93

Websites and online organizing tools for civic campaigning are widely available in the Netherlands, and there is a small but effective community of rights-focused groups that advocate for privacy and internet freedom.94

However, state surveillance, including the use of social media monitoring tools and the infiltration of group chats in messaging applications, has presented obstacles to online organizing. A 2023 Amnesty International report found that law enforcement agencies’ surveillance of peaceful protesters had chilled freedom of assembly.95 According to a 2023 investigation by Dutch news sources Investico, De Groene Amsterdammer, and Trouw, police obtain data on demonstrators by retrieving information from the country’s Personal Records Database (see C5 and C6).96 Protesters, especially those from climate-related and antiracism movements,97 have expressed fears that their personal data were being readily accessed by the police.

In July 2023, the Marechaussee—the country’s gendarmerie or military police force—used facial-recognition systems to identify protesters who had attended a November 2022 Extinction Rebellion demonstration at Schiphol Airport, and cross-referenced those pictures with online images, including those in the climate activist movement’s Facebook group.98 The Marachausse sent 176 people a letter informing them that they had attended the demonstration and warning them against future participation in similar protests, but not all letter recipients had actually attended. For instance, Kirsten Verdel, who received a letter but did not participate in the protest, was required to prove that she had not been involved in the airport event and was informed that she would remain in the Marechaussee's database.99 Members of parliament questioned the minister of justice and security about the investigation of protesters, the use of facial-recognition technology, and the processing of people’s personal data.100 Ahead of a separate January 2023 rally on the A12 highway, seven Extinction Rebellion organizers were arrested for sedition based in part on messages obtained from their online group chats (see C3).

The constitution protects the freedoms of speech, association, and assembly, as well as press freedom and the right to submit petitions. The judiciary is generally independent.

In 2022, the Open Government Act (Woo) replaced the Government Information Act (Wob), requiring a broader range of public authorities to disclose information and introducing a general obligation to actively disclose certain types of information. Decisions about requested disclosures must be made within four weeks, and a searchable online platform has been established for the centralized publication of disclosed documents.101 However, the government has faced difficulties in abiding by information access standards set in the Woo. In 2023, the government answered 83 percent of Woo requests late, taking an average of 172 days to respond —well above the legal maximum of 42 days.102 A December 2023 implementation review featured recommendations that would weaken the Woo by limiting the amount of documentation made public and differentiating between the rights of journalists and those of nonjournalists.103

In April 2024, the European Parliament approved Directive 2024/1069, establishing safeguards to address cross-border strategic litigation against public participation (SLAPP), a type of lawsuit intended to chill critical speech by journalists (see C3).104

With the EMFA coming into effect in May 2024 (see B6), some nongovernmental organizations (NGOs) and journalists raised questions about the act’s ability to truly protect independent media, citing concerns about the scope of permissible wiretapping, measures that could compel journalists to disclose sources, and a national security exemption for the use of spyware.105

Certain types of speech can draw criminal or civil penalties in the Netherlands. Defamation and slander are both illegal under the criminal code and the civil code. Defamation is punishable by up to two years in prison or a €20,500 ($22,400) fine, while an individual can be imprisoned for up to six months or fined €8,200 ($9,000) for slander.106 Fines and community service are the most common punishments.107 These laws continue to be a concern for press freedom organizations, which argue that criminalization of defamation and slander jeopardizes the safety of journalists.108

Dutch law criminalizes hate speech, which is defined as public, oral or written incitement of hatred, discrimination, or violence against others or their property based on their race, religion, belief system, sex, sexual orientation, or disability. Penalties include up to one year in prison or a fine of up to €8,200 ($9,000), increasing to two years in prison or a fine of up to €20,500 ($22,400) if the offender operates in an organized manner.109 The incitement of, as well as the threat to commit, terrorism is also penalized, whether the offense is committed offline or online.110

Individuals rarely face arrest or detention in retaliation for online activity that is protected under international human rights standards. However, rights organizations, including Free Press Unlimited, have raised concerns about the impact of SLAPP suits targeting news outlets and civil society organizations in the Netherlands.111

A joint investigation by Trouw, De Groene Amsterdammer, and Investico found that the police had received help from an informant and surveilled two Signal chats used by the climate activist movement Extinction Rebellion to coordinate protests held in November 2022 and January 2023, during previous coverage periods (see B8 and C5). The monitoring made police aware of the movement’s plans for a blockade on the A12 highway, to be implemented on January 28.112 On January 26, police arrested seven of Extinction Rebellion’s climate activists for sedition.113 All seven were sentenced to 30 to 60 hours of community service, and two also had to pay €9,000 ($9,800) to the municipality of The Hague. The arrests were widely criticized by civil society groups.114

In June 2023, member of parliament Gideon van Meijeren of the FvD was sentenced to 200 hours of community service for sedition because of two instances in which he used his position as an elected representative to incite farmers to violence, including a 2022 interview on the Belgian YouTube channel “Compleetdenkers.” The interview followed the government’s decision to invest €24.3 billion ($26.6 billion) in reducing the amount of nitrogen and ammonia pollution in the country,115 which would cause some farms to close, according to the government’s own estimates. In response to the plan, farmers blocked roads with their tractors, employing a common form of protest. Meijeren said he hoped instead for a “revolutionary movement that would differentiate itself clearly from a protest movement and would, so to speak, march to parliament.”116

The government has officially supported the development and use of encryption services to protect individuals’ communications.

In May 2022, the European Commission proposed the CSA Regulation, which was meant to prevent and combat child sexual abuse by requiring online platforms—including those with end-to-end encryption services—to scan for abuse and grooming content.117 Civil society groups, technology companies, and academics warned that the regulation would have adverse consequences for user privacy and child safety. More than 130 organizations, including the European Digital Rights Initiative, Article 19, and the Electronic Frontier Foundation, urged the European Commission to withdraw the proposed regulation, as it would violate protections for speech, expression, and online security.118 In November 2023, the European Parliament came to an agreement on a set of amendments to the original proposal, stipulating that nothing in the regulation was to be interpreted as “weakening or undermining” end-to-end encryption, and that detection orders for child sexual abuse material would not apply to end-to-end encryption.119

Although the Ministry of Justice and Security continued to support the European Commission proposal affecting end-to-end encryption as it was considered by the EU Council,120 the Dutch House of Representatives adopted two motions, in April 2023 and again in October 2023,121 instructing the government not to support any EU legislation that would restrict the use of encryption or allow client-side device scanning. Representatives of the country’s child sexual abuse hotline came out repeatedly against the proposal and client-side scanning in particular.122 As of the end of the coverage period, the EU Council had not yet reached an agreement on the measure.

In August 2023, researchers at the Netherlands Forensic Institute (NFI), among others, succeeded in cracking hundreds of encrypted phones.123 Between 2020 and 2023, the police and the Public Prosecution Service shut down seven encrypted communication providers, including EncroChat, Sky ECC, and Exclu, that were primarily used by criminal groups; in some cases they worked in collaboration with other countries’ law enforcement bodies.124

In 2022, the government examined the possibility of banning prepaid SIM cards and encouraging mobile service providers to monitor the content of text messages on a voluntary basis, through an amendment to the Telecommunications Act.125 As of the end of the coverage period, the Netherlands did not require users to show proof of identity before purchasing a SIM card.126

The constitution protects privacy of correspondence,127 but certain laws grant state agencies the ability to conduct online surveillance. Civil society groups have raised concerns about disproportionate surveillance.

The 2017 Intelligence and Security Services Act (Wiv) regulates the AIVD, which is tasked with gathering domestic and foreign intelligence as well as protecting national security. The act also regulates the AIVD’s military counterpart, the Military Intelligence and Security Service (MIVD), which is tasked with gathering military intelligence and protecting the armed forces. Under the Wiv, the AIVD has the authority to monitor and tap telecommunications, though it is not permitted to take any action “likely to seriously infringe personal privacy” without receiving prior permission from the government minister responsible.128

The Wiv introduced bulk surveillance powers as well as the possibility for the prime minister and a number of other ministers to issue specific research assignments to the intelligence services (see C6).129 Details about these assignments, including the basis and depth of the investigation, are not disclosed to the public. Surveillance that infringes on citizens’ fundamental rights must satisfy several conditions: it must be related to a research assignment, there must be a threat to national security at stake, the privacy infringement must be proportionate to the goal, and there must be no alternative means of obtaining the information in question.130 In a 2018 referendum, the majority of citizens voted against the Wiv, which led to 2021 amendments to ensure that surveillance operations are “as targeted as possible” and to give an oversight committee—the Investigatory Powers Committee (TIB)—the authority to bolster its own capacity by appointing deputy members, among other provisions.131

The Temporary Cyber Operations Act came into force in July 2024, after the coverage period. The act, which was approved by the Senate in March, was intended to bolster cybersecurity in the face of foreign threats by giving the intelligence services increased powers to respond to such cases (see C8).132 Notably, the act increased the AIVD’s mass surveillance powers, did not provide general protections for Dutch or EU citizens, and weakens oversight by replacing the necessity to get prior authorization from the TIB for the deployment of certain powers. Under the law, the CTIVD can still conduct ad hoc sample-based auditing, if needed and demand the deployment of a particular power is stopped.133 In September 2022, a member of the TIB resigned to protest an earlier version of the law, arguing that it would give security services excessive power.134 The Court of Audits, a judicial body that audits government spending, also raised concern about whether the law was actionable and enforceable.135

In 2021, the NCTV introduced a bill that would expand the agency’s intelligence powers. The proposal was strongly opposed by civil society groups, both because of the way it was introduced and because of its content.136 The bill was eventually amended, and the suggested powers were withdrawn.137

In November 2023, an Amsterdam court ruled in favor of Frank van der Linde, who was surveilled by the NCTV and Dutch police, finding that the NCTV’s labeling of his activities as “extremist” was unjustified, and advising the NCTV to financially compensate him.138 The NCTV and police had started surveilling van der Linde online in 2014, using fake Twitter, Facebook, and Instagram accounts. His personal data were then passed on to 26 municipalities, foreign security services, Europol, and Interpol,139 and he was placed on a suspected terrorist list that resulted in travel restrictions.140

During Extinction Rebellion protests in November 2022 and March 2023, law enforcement agencies reportedly monitored protesters’ Signal chats (see B8 and C3).141 According to documents obtained by NRC, a Dutch newspaper, in May 2022, the NCTV also monitored the online activities dozens of civil society groups and individuals associated with climate, women’s rights, and antiracism movements from 2017 to 2021 (see B8).142 The NCTV reportedly stopped monitoring these activists in March 2021 due to a “lack of sufficient legal basis.”143 Civil society organizations including Bits of Freedom condemned the NCTV’s monitoring practice due to its chilling effect on freedom of assembly and its violation of privacy rights.

According to Muslim Rights Watch and the Public Interest Litigation Project,144 Muslims and immigrants have been disproportionately surveilled by authorities. In 2021, the media reported that the NCTV had paid a research agency to discretely interact with Muslim community members across 10 municipalities.145

The DPA enforces the EU’s General Data Protection Regulation (GDPR), which entered into force in 2018. The GDPR was designed to strengthen the rights of individuals in controlling their online data, oblige businesses to establish data processing security measures, and standardize data protection laws across the EU.146 Law enforcement agencies are additionally subject to the Police Data Act (Wpg), which regulates police data processing and affords individuals the right to access or rectify their police data.147

Understaffing and underfunding have undermined the effectiveness and public perception of the DPA (see A5). In 2021, the national ombudsman issued a report criticizing the DPA for deterring, rather than handling, public complaints about data privacy and infringements of the GDPR; the report offered recommendations on how to ensure that citizens’ concerns are addressed by the DPA.148 Civil society groups have raised questions about whether the DPA will be able to successfully fulfill its new role in monitoring algorithms that use personal data, as established under the coalition agreement that led to the formation of a new government in January 2022.149

Telecommunications providers are required to hand over user information upon presentation of a warrant by government entities, including judicial authorities, law enforcement agencies, and the intelligence services.150 Telecommunications providers are also required to submit certain subscriber information to the Central Telecommunications Research Information Point (CIOT) every 24 hours, and this information can be accessed by authorized agencies.

The Wiv considerably expanded the intelligence services’ powers with respect to the use of informants (see C5). Under Article 39, informants may include a person working for a company who can provide intelligence services with real-time, automated access to the company’s databases. The measure does not require the same safeguards as other rules governing the use of bulk data.151 Furthermore, in a 2020 oversight report, the CTIVD warned that the law did not sufficiently protect the fundamental rights of people who are not under investigation.152

In July 2023, a Dutch district court ruled that Meta had to provide an anonymous Facebook user’s phone number, internet protocol (IP) address, and email address to the plaintiff in a lawsuit; the anonymous Facebook user had posted screenshots and photos alleging that the plaintiff had mistreated and recorded images of women without their consent. The plaintiff requested an injunction against Meta to force the company to remove the posts and reveal the anonymous user’s identity. While the court rejected the demand to take down the posts, it found that the plaintiff’s interests outweighed the Facebook user’s right to anonymity due to the severity of the allegations. Meta decided not to appeal the decision.153

Over the past several years, companies including Google, Meta, TikTok, Avast, Amazon, Salesforce, Oracle, and Adobe have been taken to court in the Netherlands over privacy violations. In May 2023, an Amsterdam district court found that Facebook Ireland, a European subsidiary of Meta, had unlawfully used citizens’ personal data for advertising purposes from 2010 to 2020.154 The case had been brought before the court by the Data Privacy Foundation and the Consumers’ Association, which claimed that Facebook had violated the EU’s GDPR. In March 2024, the Data Privacy Foundation and the Consumers’ Association filed a new lawsuit requesting that the Dutch Facebook consumers be “appropriately compensated for the harmful consequences of the violation of their privacy rights.”155

Physical attacks in retaliation for online activity are rare, but online harassment is common, particularly targeting marginalized communities.

Activists and members of civil society groups have faced abusive messages, threats, and doxing after demonstrations.156 Journalists covering protests also routinely encounter online harassment.157 In July 2023, the Netherlands outlawed doxing through an amendment to the criminal code, and the move received praise from press freedom and digital rights organizations.158

Members of certain communities in the Netherlands may be more likely to face online harassment (see B4). Research in 2023 by De Groene Amsterdammer found that LGBT+ people are increasingly subject to transphobic and homophobic messages on the internet.159 According to a 2021 collaborative investigation by De Groene Amsterdammer and the Stem op een Vrouw Foundation, women politicians have also experienced greater online threats and organized hate campaigns, which have become a barrier to women’s participation in the public sphere.160

The AIVD’s 2023 annual report found that foreign intelligence groups have used the internet to intimidate and harass exiled dissidents residing in the Netherlands.161 Political opponents of authoritarian regimes received online abuse and threats, particularly on social media channels. The report identified the governments of China, Russia, and Iran as having been involved in such acts of transnational repression.

State institutions have experienced significant cyberattacks in recent years.

The Ministry of Justice and Security’s National Cyber Security Centre (NCSC) is responsible for ensuring digital security and guarding against cyberattacks in the Netherlands. The NCSC identifies cyber threats including viruses and website attacks, updates security systems, and organizes public information campaigns.162 In March 2024, the parliament approved the Temporary Cyber Operations Act with the aim of better protecting the Netherlands against cyberattacks from countries with an offensive cyber strategy. The law granted intelligence services greater power to intercept internet traffic and strengthen digital infrastructure (see C5).163

In June 2024, after the coverage period, a pro-Russian hacking group launched distributed denial-of-service (DDoS) attacks against several political parties, including the Christian Democratic Appeal (CDA), the PVV, and the FvD, on the eve of the European Parliament elections that month.164 In February 2024, the MIVD and AIVD reported that hackers linked to China had accessed a network of the Defense Ministry.165

In September 2023, the International Criminal Court (ICC), which is based in The Hague, suffered a cyberattack of unknown scale. A source told the public broadcaster Nederlandse Omroep Stichting (NOS) that the attacker gained access to a large number of sensitive documents, but this was not confirmed by the court.166 In May 2024, Britain’s Guardian newspaper and the Israeli outlets +972 and Local Call reported that Israeli intelligence agencies had intercepted the phone calls of and attempted to hack the ICC and its partners for nearly a decade. In several cases the Israeli agencies reportedly intercepted phone calls between the ICC and Palestinian NGOs by accessing the telecommunications infrastructure in the West Bank, while in other cases they were said to have hacked the emails of partners communicating with the ICC.167

Government and public institutions, affiliated groups, and businesses are prone to experiencing cyberattacks. In February 2023, the websites of several government organizations and companies were struck with DDoS attacks, allegedly in response to a January incident in which a Dutch far-right protester destroyed a Quran in The Hague.168 In September 2022, the identification passes of about 3,500 people—including members of parliament—were hacked by a criminal group.169 Medical institutions, including hospitals, dental practices, and vaccine developers, have also fallen victim to ransomware and DDoS attacks in the past.170