Annual review of IT 2022

The year 2022 shows a multitude of legislative and policy initiatives related to IT and data at the European and national levels. The European Commission took seriously its President’s 2021 call to shape digital transformation, especially in the areas of data, artificial intelligence and cybersecurity. At the national level, we also saw a lot happening in those areas in 2022.

In the IT jurisprudence there is again a focus on the duty of care and there seems to be a lot of litigation about the release of data. Purely contract law rulings relevant to IT practice are also included in this annual review.

European level

Digital rights and principles

The principles of the European Commission’s digital transformation are laid out in the Digital Compass 2030 and Digital Rights and Principles. The Digital Compass identifies four key points against which to measure the goals of digital transformation in 2030: a) a digitally capable population and highly skilled digital professionals, b) secure, high-performing and sustainable digital infrastructures, c) digital transformation of businesses and d) digitization of public services.   

On January 26, 2022, the European Commission released a declaration for digital rights and principles. This declaration is based on the existing Charter of Fundamental Rights in the EU. The declaration sets out how fundamental rights and European values should be applied in a digital world. Member states, the European Council and the European Parliament are expected to sign the declaration in January 2023. 

Digital rights should include the right to adequate protection in a digital environment, the right to freedom of online expression, the right to online protection of personal data and the digital right to confidential communications. The principles list various forms of online access such as universal access to affordable digital connections, online access to public services, access to the benefits of using AI and free choice in online services, among others.

Digital Services Act & Digital Markets Act

On April 23, 2022, a political agreement was reached between the European Commission and European Member States on the Digital Services Act (DSA) and the Digital Markets Act (DMA).  

On October 12, 2022, the Digital Services Act was published in the official journal of the European Union and subsequently came into force on November 1, 2022. Online service providers falling within the scope of the Digital Services Act then have until January 1, 2024, to comply with the obligations under the Regulation. The Digital Markets Act was also published in the official journal of the European Union on October 12, 2022, and came into force on November 1, 2022. Large online platforms and search engines that fall within the scope of the Digital Markets Act are expected to be designated by the European Commission in mid-2023 and then have four months to comply with the obligations under this Regulation.   

The Digital Services Act provides a framework of tiered responsibilities for online services which concept is broad such as intermediaries, social media, hosting services and online platforms. In part, the DSA is an extension of the E-commerce Directive (2000/31/EU) which provides rules for online business and the liability of online intermediaries. In addition, the DSA contains broader rules for online services, addressing the influence and power of platforms, the role of platforms as key infrastructures, and the dependencies of these platforms. For example, the DSA contains rules that address protecting the rights of consumers, dealing with illegal content, democratic control of “system” platforms (including by the DMA) and mitigating the risks of manipulation and disinformation.   

The Digital Markets Act introduces obligations for the 10 to 15 largest global online platforms with a gatekeeper function. Aimed at enabling open and fair digital markets, the DMA provides rules on the decision power that gatekeepers have over admitting other service providers. For example, access must be possible to the data generated from the use of the gatekeeper’s platform. Moreover, Companies must be able to offer their offerings beyond the gatekeeper’s platform, and gatekeepers must not favor their own services over other providers. Nor should gatekeepers hinder consumers from engaging with a provider outside the platform. 

Artificial Intelligence

On April 12, 2021, the European Commission proposed an Artificial Intelligence Act (AI Regulation), establishing rules for the use of Artificial Intelligence (AI) and the development of AI systems. In addition, on Sept. 28, 2022, the Commission presented a package of two proposals related to liability rules for AI. First, it concerns the directive on the adaptation of legal rules regarding non-contractual liability to AI (the AI Liability Directive). Second, it is a proposal for a revision of the Product Liability Directive (Product Liability Directive Revision), which modernizes current product liability rules for application in the digital age. These directives are closely linked and complement each other to form an effective civil liability system. 

In the AI Regulation, the European Commission provides a technology-neutral definition for AI systems within European law. Furthermore, the AI Regulation works with a classification for AI systems with different requirements and obligations depending on the risk linked to the classification. AI systems that pose ‘unacceptable risks’ can be banned. ‘High risk’ AI systems can be allowed within the European Market provided they meet requirements and obligations set by the AI Regulation. A lighter regime for access to the EU Market applies to ‘limited risk’ AI systems, in which certain transparency rules must be met. The last category are the “minimal risk” AI systems. It is sufficient for providers of these systems to draw up codes of conduct. 

Each member state will have its own AI supervisory body. There will be a European AI board that can also fine European institutions. Authorized “high risk” applications will be CE marked for up to 5 years, which can be extended. All approved high risk applications will be stored in a public European database. 

The AI Liability Directive (in conjunction with the Product Liability Directive revision) aims to help ‘victims’ of damage caused by (all types of) AI systems, without prejudice to existing liability regimes within member states. The Directive proposes a presumption of proof: if a fault is established that is relevant to the damage and a causal link to the AI system used is reasonably likely, then the manufacturer is liable (who can of course rebut the presumption). The Directive further allows “victims” to ask the court to provide information about high-risk AI systems. With this information, victims can then better assess who can be held liable and what went wrong. If the manufacturer of the AI system does not provide this information or provides it incompletely then the defectiveness of the AI system is presumed. Finally, the Revision Directive gives new opportunities to lighten the burden of proof in general and in particular also with complex products such as AI systems.

Data Act & Data Governance Act

Two regulations that play an important role in the European Commission’s data strategy and should remove barriers to the use of data are the Data Act (DA or Data Regulation) and the Data Governance Act (DGA or Data Governance Regulation). On February 23, 2022, the European Commission issued its proposal for the Data Act that provides rules for the fair access to and use of data within the European Union. It is closely linked to the Data Governance Act, for which the European Commission already proposed in November 2020. In May 2022, the DGA was adopted by the European Council and the European Parliament in its final form, and the final text was published on June 3, 2022. This Regulation aims to promote data sharing within the EU and across sectors.

The Data Act contains harmonized rules to: a) make data generated by the use of a product or service accessible to the user of a product or service, b) make data available by (private) data holders to data users, and c) make data from private data holders available to governments in case of an extraordinary need in the public interest. Furthermore, the Data Act sets requirements to remove barriers to changing data processing service, provides rules to promote interoperability, and rules for international access to non-personal data. Finally, the DA clarifies how it relates to data right holders as regulated in the Database Directive

The Data Governance Act aims to increase the amount of data available for (re)use of data. Primarily, this involves regulating the reuse of government data (those outside the scope of the Open Data Directive). These include government data subject to confidentiality, personal data and data subject to third-party intellectual property. Member States should designate one or more competent organizations to support government data holders, for example in processing requests for use. There should be a central information point where anyone can find the conditions and costs of use for datasets and where anyone can submit applications.

Completely new concepts are “data sharing services” and “data altruism”. A data sharing service should ensure that the exchange of data between organizations is accomplished through intermediaries. An intermediary or “data sharing service” must use data and associated metadata only for the data sharing service, not for other purposes, and must therefore be in a separate legal entity. Data sharing services must provide equal access to the data to all. A competent organization to be designated will keep track of whether data sharing services meet their requirements and can take action if they do not. Data altruism is the giving of consent for the use of personal data by individuals or of non-personal data by other organizations, for use in the public interest, such as scientific research or improving public services. A competent organization to be designated shall maintain a public national registry of authorized users of data obtained through data altruism.

Data Spaces

The European single market for data should take shape in so-called “Data Spaces”. Within such Data Spaces, both data users and data providers should be able to share, exchange and use data. The intention is that in the Data Spaces the (abstract) aspects from the above mentioned Regulations will be worked out in practical terms. The 2020 European Data Strategy named 10 sectors within which Data Spaces should be created including health, agriculture, energy, mobility and sustainability. On February 23, 2022, the European Commission published an overview of the current state of Data Spaces being developed in the various areas.  

Most advanced is the Health Data Space: the European Health Data Space. On May 3, 2022, a proposal for a Regulation on the European Health Data Space was published. The purpose of this Regulation is to give individuals greater ability to access and control their electronic medical data through digital means, both at a national and EU level. This should promote the free movement of medical personal data, as well as the creation of a European single market of electronic health records, relevant medical devices and high-risk AI systems. To this end, the Regulation contains specific rules that take into account the high sensitivity of medical personal data.  


In the field of cybersecurity, major steps were taken in 2022 to replace the 2018 NIS Directive (NIS-1) with a new NIS Directive (NIS-2). Likewise, a regulatory framework for enhancing the digital resilience of the financial sector moved a step closer in 2022 with the Digital Operational Resilience Act (DORA). Also in 2022, a proposal by the European Commission for enhanced security of hardware and software products through the Cyber Resilience Act (CRA).

On May 13, 2022, the European Commission and the European Parliament agreed on the text of the NIS-2 Directive. On November 28, 2022, the European Council adopted the NIS-2 Directive, and on December 14, 2022, the Directive was published in the official journal of the European Union. This means that from the 20th day after this publication, the NIS-2 Directive must be implemented in national legislation within 21 months. The Netherlands has until October 3, 2024 to implement this directive. The main differences with the NIS-1 Directive are the expansion of sectors and parties (“Essential Entities” and “Important Entities”) to which the (security) obligations will apply. The security measures will be tightened with a list of 7 basic security elements, the rules for reporting obligations will be clarified, and strict sanctions (similar to the GDPR) will take effect.  

In last year’s annual report, we already wrote about the Digital Operational Resilience Act (DORA). This regulation aims to increase the digital resilience of the financial sector and thus mitigate cyber threats. DORA sets requirements for the security of network and information systems of financial firms. On November 10, 2022, the European Parliament approved DORA and the Amendment Directive requirements Digital Operational Resilience. Then, on November 28, 2022, the Council adopted DORA and the Directive. The Council’s adoption of the Directive is the final step in the legislative process. Now that DORA has been formally adopted, member states will have to transpose the necessary aspects of it into national legislation. In addition, the relevant European regulators will simultaneously develop technical standards to which all financial service providers must adhere. 

The European Commission presented the proposed Cyber Resilience Act (CRA) on September 15, 2022. The Commission notes that products with digital elements are vulnerable to cyber attacks. This regulation introduces a duty of care for manufacturers regarding the cyber security of products with digital elements for the entire lifetime of the products. The obligations for manufacturers can be divided into ex ante obligations and ex post obligations. For example, manufacturers must consider cybersecurity from the planning and development phase to the end of the product’s life cycle and must document all cybersecurity risks. Furthermore, manufacturers must report vulnerabilities and incidents that have been realized. Manufacturers must also ensure that vulnerabilities are effectively handled during the expected product life cycle or else at least in the first five years of the product’s release. Finally, manufacturers must provide clear and understandable instructions for using the products and must make security updates available to users for a minimum period of five years.

National level

Sale of goods and Delivery of digital services and digital content

Last year, we already wrote about the Implementation Act for the Sale of Goods and Delivery of Digital Services & Digital Content Directives. The expected effective date of the Implementation Act was January 1, 2022, but it did not enter into force until April 27, 2022. The purpose of the directives is to give more legal certainty to consumers and to provide businesses with a clear contractual framework in the area of the sale of goods and delivery of digital services and digital content. An important innovation compared to the current consumer law is that for digital content (e.g. games, applications), digital services (e.g. streaming), as well as goods with a digital element (e.g. a smart TV), consumers will be entitled to (security) updates as long as they can reasonably expect them.

Artificial Intelligence

AI also received attention at the national level. In a letter from 2021, the government noted that the current national (general) legal framework (including human rights treaties, the Constitution, the General Administrative Law Act (Awb), the Civil Code (Dutch BW), equal treatment legislation, and the General Data Protection Regulation (GDPR) can provide sufficient safeguards. However, a number of bottlenecks and issues related to these frameworks have been identified. It has also been noted that these frameworks mostly consist of open standards, leaving uncertainty about the practical interpretation of these standards when an organization deploys AI.  

The letter prompted a number of (continued) actions in 2022. These include the establishment of guidelines for the application of algorithms by the government and the performance of data analysis by the government. Another action is the creation of so-called algorithm registries with which transparency about the use of algorithms by governments can be increased. In that context, the National Office for Identity Data has placed the algorithms it uses in an algorithm register. Previously, the municipalities of Amsterdam, Rotterdam and Utrecht as well as the Netherlands Employees Insurance Agency published such algorithm registers.

State Secretary Van Huffelen (Kingdom Relations and Digitalization) announced in a letter to the House of Representatives that from January 2023 the algorithm regulator will start at the Dutch data protection authority  to check algorithms for transparency, discrimination and arbitrariness. 

Arbit terms

On September 10, 2022, the new Arbit (General Government Conditions of IT Procurement) terms and conditions came into effect. These Arbit 2022 replace the earlier version from 2018. The terms and conditions are used by the central government, such as ministries, independent administrative bodies and regulators, as well as other governments for the procurement of IT services and IT products. Topics on which the Arbit 2022 should have been particularly updated are Agile, Cloud services and Artificial Intelligence. Upon closer examination, the elaboration in the Arbit 2022 of those topics is limited. However, changes were made on the topics of quality assurance and auditing, processing of personal data, information security, exit and compliance with service levels.   


At the national level, a number of issues have been published in the field of cybersecurity. On June 29, 2022, Minister Adriaansens informed the House of Representatives in a letter about the evaluation report Roadmap Digitally Secure Hardware and Software, prepared by KWINK Group. The purpose of this Roadmap is to offer measures to ensure secure hardware and software. A number of recommendations were made in the evaluation report regarding the focus of the Roadmap.  According to the evaluation report, more attention should be paid to chains and chain security, connection between measures, actions and parties involved, prioritization of measures, participation of the Ministry of Economic Affairs in Europe and finally, the focus should be on manufacturers and suppliers. In addition to adjusting the Roadmap’s current focus, recommendations were also made on topics that were missing from the Roadmap’s focus: data protection, privacy legislation, valorization and transparency. 

These recommendations were incorporated by the government into the Dutch Cybersecurity Strategy 2022-2028 (NLCS) and the accompanying Dutch Cybersecurity Strategy 2022-2028 Action Plan published on October 10, 2022. This strategy builds on previously published cybersecurity strategies. This strategy describes the government’s vision of the digital society and the role of government, businesses and citizens. Four pillars have been drawn up to realize the government’s vision. The first pillar is to increase the digital resilience of the government, businesses and organizations. For example, the government is expected to provide information on cyber threats, incidents, trends and vulnerabilities through up-to-date knowledge. The second pillar in the strategy is secure and innovative products and services. This will include requirements for the design, development and manufacture of products with digital elements. Suppliers must also provide information about the security of their products and services. The third pillar is countering threats from states and criminals, and finally, the fourth pillar is a commitment to training cybersecurity specialists and education to promote digital security and resilience of citizens. 

The Cybersecurity Regulation Implementation Act entered into force on April 9, 2022, along with an implementing regulation and an implementing decree. This legislation provides for the operationalization of the Cybersecurity Regulation 2019/881

In addition, on March 2, 2022, the Act amending the Telecommunications Act in connection with the implementation of Directive (EU) 2018/1972 (Telecom Code) entered into force. The purpose of the Telecom Code is to improve the framework conditions for achieving high-speed digital communication links (connectivity) in the EU. The main change brought about by the law is a broader scope of telecom regulation. Indeed, electronic communication services now include number-independent interpersonal communication services, such as WhatsApp, Gmail and Teams. 

Finally, the National Cyber Security Center (NCSC) has prepared a Ransomware Incident Response Plan for ransomware attacks. The document serves as inspiration for one’s own response plan for organizations that have been or think they may be affected by ransomware attacks. For example, the NCSC provides tips on how to respond to ransomware incidents, how companies can prepare for such incidents, how to recognize these incidents and how to recover from them. 

Healthcare and ICT

Also on November 22, 2022, the Authority for Consumers & Markets (ACM) published the Guideline “Well-Functioning Markets for Healthcare”. In this Guideline, the ACM notes that in Healthcare ICT, which healthcare institutions use to regulate healthcare processes and relationships with patients and other healthcare stakeholders, there is a risk of a Vendor Lock-in. In such a Vendor Lock-in, a customer is so dependent on a supplier that switching to another supplier is not possible without major risks or switching costs. This may be due to the structure of the market or behaviors of IT vendors, as well as the contract terms used by IT vendors. 

One of the possible ways to limit these risks for the customer, according to the ACM, is therefore to make good contractual agreements and contract management. The ACM refers to agreements on implementation, maintenance and dispute resolution. But also agreements around the termination of an agreement, data portability, data access and exit agreements. For the possibilities of switching to other suppliers or links with other suppliers, the ACM also points to the importance of connecting to (international) healthcare standards for data storage and data exchange. Cooperation agreements for interoperability and possibilities for (purchasing) cooperation between buyers of Healthcare ICT are also mentioned as options for reducing dependency.      

Consumer protection modernization proposal

On May 28, 2022, the Implementation Act for the Modernization of Consumer Protection Directive entered into force. The law will ensure better enforcement of European consumer rules and will adjust and add some rules to be used effectively in light of new (digital) developments. In particular, this Implementation Act will clarify and expand the rules applicable to online merchants and providers of online marketplaces. The law will be implemented in the following national legislation: Book 6 of the Civil Code (amendments unfair commercial practices and consumer rights), the Dutch ‘Prijzenwet’ and the Consumer Protection Enforcement Act (Whc).

The law entails, among other things, a ban on fake reviews and an obligation for merchants to inform consumers whether, and if so how, they check themselves whether reviews actually come from consumers who bought the product or service. Also, merchants must inform consumers if there is a personalized price offer that was created through automated decision-making. In addition, merchants must provide information about who is responsible for delivery and further handling of returns. New information obligations are also in place for providers of free digital services where consumers must provide or undertake to provide their personal data for access to the digital service. For example, these providers must provide information on the duration of the contract and the various ways of terminating the contract. In the case of these free digital services, consumers have the right to terminate the contract during the first 14 days in which the merchant must also immediately stop processing the consumer’s personal data.

Case Law

European level

European Court of Justice

Poland’s request to annul the “upload filter” in Article 17 of the DSM Directive was rejected by the European Court of Justice (ECJ), as the regulation contains clear and precise rules on the scope and application of the upload filter, and is surrounded by appropriate safeguards to protect freedom of expression.

When assessing whether an order button, in line with Article 8(2) of Directive 2011/83 EU, unambiguously states that the consumer is entering into an obligation to pay, only the wording on that button should be considered, and the context of the ordering process need not be taken into account.

National legislation may provide that the home copying exception also applies to the making by natural persons of backup copies of copyrighted works in the cloud for private purposes. The condition is that the rightsholders receive fair compensation.

National level

Contract Law

A clause from general terms and conditions cannot be nullified – despite the fact that the general terms and conditions have not been handed over – if the other party was or should have been familiar with that clause in some other way, for example if the general terms and conditions had already been handed over correctly in an earlier agreement between the parties. In addition, the Supreme Court ruled that it is not necessary for the user of the general terms and conditions to have become aware of the clause.

The Supreme Court confirmed that the duty to complain should not be applied ex officio. The Court of Appeal had wrongly applied the duty to complain by denying the buyer the right to invoke the deficiencies under Article 7:23 of the Civil Code, while the seller had failed to raise the defense that the complaint was not timely.

According to the Arnhem-Leeuwarden Court of Appeal, software did not qualify as an object within the meaning of Section 3:2 of the Dutch Civil Code because no work of a material nature was created. The agreement between the parties therefore qualified as a contract for services and not as a contract for work.

The Arnhem-Leeuwarden Court of Appeal ruled that an unused complaint period with respect to invoices sent could not be held against the customer who was dissatisfied with the course of the implementation process as a whole.

Default / Explanation of agreement

The Supreme Court has again confirmed that a seller’s obligation to provide information takes precedence over the buyer‘s obligation to investigate, even if the contract includes an option to inspect the goods, which the buyer did not make use of. The Supreme Court also ruled that minor defects and the fact that they have been repaired do not in themselves prevent a successful reliance on non-conformity under Article 7:17 of the Dutch Civil Code.

Since the plaintiff could not substantiate that the agreed deadlines were fatal, the defendant could assume that these deadlines were target dates. The schedule submitted by the plaintiff, which indicated a go live date, did not mean that this constituted a fatal deadline. As a result, there was no default either.

The customer did not have to understand on the basis of the contract that if it was not prepared to adjust the wishes it had stated in the contract, this would lead to serious budget and time overruns. The customer was entitled to expect that the IT supplier would realize – at least for the most part – the expressly formulated requirements and wishes as estimated, also in light of the extensive pre-contractual research that had been carried out. The customer’s legitimate expectations at the start of the contract were not affected by the subsequent warnings about budget overruns, because they were made once the contract had been entered into.

The Rotterdam District Court found that Microsoft had not sufficiently substantiated that the plaintiff’s OneDrive account contained an image that was inappropriate, exploitative and harmful to children. As a result, it was not established that the plaintiff had violated the Microsoft service agreement, so Microsoft had wrongfully blocked the OneDrive account and wrongfully terminated the agreement.

Duty of Care

An IT supplier had not failed in its special duty of care, because the problems that had arisen were inherent in IT projects with a new product that had to be implemented in a very short time, something that the customer itself had requested. It was clear that the IT vendor had made every effort to achieve the desired rapid go live. In that light, the IT vendor could not be blamed for anything about its approach to the project.

Although no contractual agreements had been made regarding the provision of security for the IT infrastructure to be built, the District Court of Overijssel ruled that the IT supplier had failed in its special duty of care, since the IT supplier would provide a ‘total package’. The customer could assume that this included security and if that was not the case, the IT supplier should have warned about it.

Another IT supplier violated its special duty of care because it had not warned sufficiently in advance (at delivery) that if the customer’s wishes were honored, a complete redevelopment of the platform would be necessary. According to the court, as an expert party, the IT supplier could reasonably see that the changes desired by the customer would affect the architecture of the platform to such an extent that it would no longer function.

The Rotterdam court ruled in counterclaim that there was no special duty of care for IT supplier, since the IT supplier had the role of developer and not that of consultant. It could only be expected to act as a reasonably acting and reasonably competent web shop supplier.

Termination of agreement

Since the parties had concluded an exit agreement, there was no question of a non-cancellable agreement. After all, through the exit agreement the parties had taken into account the possibility of termination of the cooperation.

According to the Amsterdam Court of Appeal, the IT supplier did not have to observe a notice period because, due to the disrupted relationship and the customer’s continued refusal to comply with the agreement, it could not reasonably be required to do so.

Unlawful act

Damage incurred at Catherina Hospital as a result of a subcontractor’s error due to incorrect software setting was unlawful against Catherina Hospital. The court ruled that the subcontractor relied on assumptions when setting the software that were insufficiently validated. The assumption that installing a software update and then removing it again results in the unchanged presence of the software setting in the old version was not obvious, according to the court. The subcontractor invoked a limitation of liability from the general terms and conditions that the general contractor had agreed with Catherina Hospital. This is possible, according to the court, because if the subcontractor had contracted directly with Catherina Hospital, the same terms and conditions would also have been declared applicable.

IP law

The Amsterdam District Court in preliminary relief proceedings ruled that the failure to pass on the applicable open source license terms on which a crypto currency was based when sublicensed constituted a violation of the copyrights – common but separately enforceable – to the open source software product. Under Section 26 of the Copyright Act, Jelurida was also entitled to take action against a copyright infringement by co-copyright owner Apollo, as Apollo allowed third parties to use its adaptation of the Nxt Software under different license terms than previously allowed by the joint copyright owners.

As the provisions in the general terms and conditions regarding the protection of Creditsafe’s IP rights were excluded between the parties, the Hague District Court ruled that reasonableness and fairness precluded Creditsafe’s reliance on copyright and database rights.


In late 2021, the Supreme Court ruled that the information duties of online stores must be tested ex officio. If the information duties are not met, the court can annul the contract in whole or in part. As a result of this, and the previously discussed ECJ EU ruling on information duties in distance selling, there was quite a bit of case law in 2022 assessing whether this information duty had indeed been fulfilled.

A consumer must be made sufficiently clear when they enter into an obligation to pay. The Noord-Holland court ruled that an order button with the words: ‘place order’ combined with the other information on that page makes the payment obligation sufficiently clear.

The Noord-Holland court found an order button with ‘Send request’ insufficiently clear and therefore the agreement was voidable. The texts ‘confirm your request‘ and ‘confirm order‘ were also insufficiently clear.

Capayable had not sufficiently informed about additional costs of a purchase, which therefore also did not have to be paid. Moreover, the consumer should be made aware of the right of rescission from Section 6:230m (1) of the Civil Code during the ordering process, without having to look for it himself.

Issue data

Client claimed in counterclaim pursuant to Section 7:403(2) of the Dutch Civil Code the surrender of all e-mail addresses and digital items and data that Contractor – which performed administrative work for Client – had in its possession under the contract terminated between the parties. The claim was granted. It also included digital data that the contractor itself compiled in order to perform the assignment.

Pursuant to Section 7:401 of the Civil Code (duty of care on the part of the contractor), the developer who developed a game had to provide online access to that game at the time the client wanted to resume its development.

In the context of a terminated cooperation, the respondent demanded release of the data of the customers he had previously brought in. It was clear that the terminated cooperation had yet to be settled. It could not be ruled out that the customers in question had come to the conclusion that they had become customers of the appellant and no longer of the respondent and that they had (tacitly) agreed to this. As a result, the processing responsibility under the General Data Protection Regulation (GDPR) might have passed to the appellant. As a result, the customer data could not simply be made available again (exclusively) to the respondent.

Microsoft had to provide the trustees of the bankrupt Amsterdam Trade Bank with unhindered access to that bank’s records stored “in the cloud” by Microsoft. The trustees had a statutory duty under the Bankruptcy Act and, by virtue thereof, were required to have access to the entire administration of the bankrupt. Microsoft was prohibited from destroying or making inaccessible the online environment of the bankrupt.

Platform liability

The Arnhem-Leeuwarden Court of Appeal has ruled that a website on which reviews can be left is not liable for posting a review. The website was only liable for keeping the review posted for some time, after the website was informed of its (alleged) illegality.

Bogus ads were distributed via both Twitter and Google in which well-known Dutch people touted investment in crypto currencies. Google was not liable because the advertiser is primarily so for the content of an advertisement. Google’s liability required additional circumstances, consisting of Google’s own culpable acts or omissions, according to the Amsterdam District Court. The exclusion of liability of Section 6:196c of the Dutch Civil Code was therefore disregarded, according to the District Court. Based on the Lycos/Pessers test, Google did have to provide identifying details of the advertiser in question. Twitter was also not liable, but did not have to provide identifying data because this claim was insufficiently substantiated.

The preliminary relief judge of the Noord-Holland District Court ruled that LinkedIn was obliged to reactivate a user profile, as the termination of the user agreement had taken place negligently. The indirect effect of Article 10 ECHR included a duty of care. There was no clear policy, there was little or no communication, and to the extent that there was communication at all, it contained no reasoning beyond a mere reference to the user agreement.

The claim to actively track down and remove all messages related to an alleged pedo-satanic network in Bodegraven was rejected by the preliminary relief judge of The Hague. In doing so, the interim relief judge considered – with reference to the ECJ Glawischnis/Facebook ruling – that an order to remove similar information can only be granted if that similar information contains specific data duly designated by the person issuing the injunction such as names and circumstances and can be found by automated techniques. An autonomous assessment of the search result could not be required of Twitter.

The District Court of Amsterdam has awarded a mass claim against the operator of an erotic website for posting certain visual material online without permission. The operator of the website could not invoke the hosting services liability exception because it did not merely play a neutral and passive role regarding the content of the website. In fact, the operator preemptively screened the visual material that was uploaded and disapproved a substantial portion of the visual material. Thereby, the website operator has knowledge of the material posted on the website.


The harmful event had occurred in the Netherlands, Amsterdam because the unlawful disclosure of photos occurred through a website that can be accessed in the Netherlands (and thus also in Amsterdam) and the homepage refers to the Amsterdam branch where products can be picked up. The Amsterdam court therefore considered itself to have relative jurisdiction under Section 102 Civil Procedure Code.

Want to know more?

Contact one of our specialists.

*Thanks to Quinten Salari