Readers are reminded that this work is protected by copyright. While they are free to use the ideas expressed in it, they may not copy, distribute or publish the work or part of it, in any form, printed, electronic or otherwise, except for reasonable quoting, clearly indicating the source. Readers are permitted to make copies, electronically or printed, for personal and classroom use.
1. Introduction: Cybercrime and Cybercrime Legislation in the Netherlands
1.1. Background and Aim
In the history of cybercrime legislation, the Council of Europe’s Cybercrime Convention presents a landmark effort to harmonise national criminal law in the area of cybercrime. Its wide range of substantive, procedural, and mutual-assistance provisions as well as its supra-European scope – having been ratified, for example, by the United States – make it a potentially very valuable instrument in the fight against the intrinsically cross-border phenomenon of cybercrime. The Convention, however, allows for reservations and variations in national implementation. Moreover, a series of other supranational instruments exist that also aim at harmonising specific aspects of cybercrime, including several EU Framework Decisions and EC Directives. We therefore face a patchwork of national implementations of various international legal instruments, which may result in gaps in harmonisation, variations in implementation, and a consequent lack of clarity on national standards when mutual legal assistance is being sought.
To get a grip on this international patchwork of national cybercrime laws, and to overcome undesirable divergences among countries that hamper mutual legal assistance, it is important to comprehensively map national cybercrime laws. To contribute to that mapping, this chapter provides a country report for the Netherlands, written on the occasion of the Cybercrime Section of the 2010 International Academy of Comparative Law Congress. In this report, I aim to give a comprehensive overview of Dutch cybercrime legislation, both substantive and procedural, as of December 2009. I will particularly focus on the questions of how Dutch law regulates cybercrime and cyber-investigation, whether any shortcomings exist in the legislation, and how the legislation relates to the international harmonisation instruments in the area of cybercrime. This analysis will articulate in which respects the Dutch implementation falls short of its obligations under international legal instruments, and, conversely, suggest elements from Dutch cybercrime legislation that are as yet unaddressed by the international cybercrime harmonisation effort.
1.2. General Characteristics of Dutch Criminal Law
For a good understanding of cybercrime legislation, some general characteristics of Dutch criminal law may be useful to mention. Criminal law is primarily codified in the Dutch Criminal Code (Wetboek van Strafrecht, hereafter: DCC) and the Dutch Code of Criminal Procedure (Wetboek van Strafvordering, hereafter: DCCP).[1] Substantive law distinguishes between crimes (Second Book DCC), to which almost all cybercrimes belong, and misdemeanours (Third Book DCC). The Criminal Code has a system of maximum penalties, but does not use minimum penalties. Another important characteristic of Dutch criminal law is the right to exercise prosecutorial discretion (opportuniteitsbeginsel). This means that the Public Prosecutor decides whether or not it is expedient to prosecute someone for an offence. A consequence of this principle for substantive law is that criminal provisions may be formulated broadly, covering acts that may not in themselves be very worthy of criminal prosecution; for example, changing without authorisation a single bit in a computer already constitutes damage to data (Article 350a DCC), but will usually not be prosecuted.
The sources of Dutch law are domestic statutes and international treaties. The Dutch Constitution is not a direct source, since the courts are not allowed to determine the constitutionality of legislation (Article 120 Dutch Constitution).[2] Courts can, however, apply standards from international law, most visibly the European Convention of Human Rights and Fundamental Freedoms (ECHR), when deciding cases. For the interpretation of domestic statutes, the parliamentary history is a leading source, followed by case law[3] (particularly from the Dutch Supreme Court) and by doctrinal literature.
1.3. History of Dutch Cybercrime Legislation
With respect to cybercrime legislation in the Netherlands,[4] the most important laws are the Computer Crime Act (Wet computercriminaliteit) of 1993[5] and the Computer Crime II Act (Wet computercriminaliteit II) of 2006.[6] Neither is a separate Act; both are laws that adapted the Criminal Code and the Code of Criminal Procedure. As can be observed, the term most often used in the Netherlands to indicate crimes committed with computers as a target or substantial tool is ‘computer crime’ rather than cybercrime, which was not yet in use at the time legislation was initiated in the 1980s.
The Computer Crime Act was the result of an extensive legislative process, which started in 1985 with the establishment of a Computer Crime Committee (Commissie computercriminaliteit), also named, after its chairman Hans Franken, the Commissie-Franken. The committee made a thorough analysis of both the Criminal Code and the Code of Criminal Procedure, and presented an extensive report and recommendations in 1987.[7] This led to the Computer Crime Bill that was submitted to Parliament on 16 May 1990. The Bill largely followed the committee’s recommendations, except for the search and seizure provisions.[8] Various amendments and a heated debate in Parliament led to the definitive version of the Computer Crime Act that came into effect on 1 March 1993.
One of the most fundamental choices in this Act, and one of the most heatedly discussed topics in the literature in the 1980s and 1990s, was the choice to consider data as falling outside of the scope of the term ‘good’ (goed).[9] After all, a good in the criminal law need not be tangible as such, but it is definitely unique: only one person has possession of money in a bank account or electricity at the same time. Data, on the other hand, are multiple: when you ‘take away’ data from someone, you usually copy them and the original owner may still have access to them. Likewise, goods are the subject of property law, but data are the subject of intellectual property law. Therefore, the Dutch legislator decided that computer data were not to be considered as a ‘good’, so that all provisions in the DCC and DCCP were reconsidered when they contained an element of ‘good’, such as theft, damage to property, and seizure. It was not until 1996 that a case reached the Dutch Supreme Court for a final verdict on the matter, and it determined that data indeed are not a ‘good’.[10]
In July 1999, a new bill was introduced in Parliament, the Computer Crime II Bill.[11] This was intended to refine and update several provisions of the Computer Crime Act. The parliamentary handling of the Bill was slowed down because of the drafting of the Cybercrime Convention (hereafter: CCC), since it was thought wiser to integrate the Computer Crime II Bill with the implementation of this convention. On 15 March 2005, a bill to ratify the Convention was submitted to Parliament,[12] and a week later a Memorandum of Amendments to the Computer Crime II Bill was published that implemented, where necessary, the CCC.[13] The Computer Crime II Act (Wet computercriminaliteit II) was accepted by Parliament on 1 June 2006 and entered into force on 1 September 2006.[14] The Cybercrime Convention Ratification Act was accepted at the same time;[15] it entered into force for the Netherlands on 1 March 2007.
In terms of other relevant international cybercrime instruments, the Netherlands, being a member of the European Union, has implemented the EU Framework Decision 2005/222/JHA on attacks against information systems (hereafter: FD-AIS) in the Computer Crime II Act. It has signed but not yet ratified the Additional Protocol to the Cybercrime Convention on racist and xenophobic acts (CETS 189); it is generally felt that Dutch law already conforms to the Protocol provisions given the technology neutrality of the Dutch provisions criminalising racism. The Netherlands has also signed but not yet ratified the Lanzarote Convention on the protection of children against sexual exploitation and sexual abuse (CETS 201); a Bill is pending to implement this Convention.[16]