Answer ... (a) Internet (e-commerce)
Fintech companies use the Internet mainly as a channel through which innovative new financial services and/or products can be offered to their clients. In addition to IP laws, the legal framework for platform-driven business models enabled by the Internet focuses on consumer protection and privacy. Use of the Internet triggers the application of an additional set of e-commerce rules. Depending on the types of services or products offered, e-commerce platforms can be subject to financial regulatory laws (eg, the second Payment Services Directive). E-commerce has some civil law implications to mitigate the risks involved with contracting online. Examples include:
- the applicability of additional information requirements (eg, pre and post-contractual information obligations, language requirements and an information obligation regarding the existence of the Online Dispute Resolution Platform); and
specific consumer rights if contracts are concluded online without physical interference (a so-called ‘distance contract’, overeenkomst op afstand), such as the right to withdraw from the contract within 14 days.
If the Internet is used to provide financial services on a cross-border basis in different EU member states, the online service generally qualifies as a ‘information society service’. Irrespective of passporting rights offered under European legislation to most regulated financial companies, the local rules in respect of information society services may be a very interesting way of entering a new market within the European Union if no such passport is available.
(b) Mobile (m-commerce)
Mobile phones are becoming more multifunctional with the introduction of new apps which allow users to pay with their mobile phones, to shop on their mobile phones and/or to view their bank statements on their mobile phones, among many other things. In general, all of these apps are accessible via a mobile phone through the use of the Internet. The mere use of the mobile phone does not alter the legal framework that applies to these services. As such, the legal framework applicable to m-commerce is comparable to that applicable to e-commerce. However, the use of a certain device, such as a mobile phone, could result in increased risk with regard to cybersecurity and data privacy, for example.
M-commerce is proving popular in the Netherlands. The Dutch Payment Association regularly publishes factsheets and figures showing continued growth in mobile payments (www.betaalvereniging.nl/actueel/feiten-cijfers/). These factsheets and figures show that nine out of ten Dutch banking customers use online banking facilities(such as an app on the mobile device or an internet banking environment on a computer or laptop), and that 98% of cashless payment transactions in the Netherlands are made electronically via a computer, laptop or mobile device (www.betaalvereniging.nl/wp-content/uploads/Infographic_Betalingsverkeer_2018.pdf).
(c) Big data (mining)
The legal framework applicable to ‘big data’ depends on, among other things, the type of data involved, the parties that process such data, the way in which the data is structured and, where data is stored in a database, whether a substantial investment was made to create the database.
If a Dutch fintech company processes personal data of natural persons who are residing in the European Union, the General Data Protection Regulation (GDPR) will apply. Under the GDPR, a fintech company must be transparent about, for example, the purposes for which it will use the collected data. Personal data may be collected only for specified, explicit and legitimate purposes, and may not be further processed in a manner that is incompatible with those purposes. This is one example of the requirements under the GDPR that may hinder fintech companies. Another is the requirement to provide suitable safeguards with the aim of protecting the fundamental rights of data subjects (ie, natural persons) with regard to the processing of their data. Depending on its structure and the investment made in its creation and maintenance, a ‘big data’ database may be protected by copyright (auteursrecht) or the database right (databankenrecht).
Legal issues concerning big data specifically arise in the case of issues not addressed by the existing legislation, such as the transparency requirements regarding the algorithms used to analyse big data and how to prevent discrimination within big data analysis.
(d) Cloud computing
Cloud computing services support users with their core business. Examples of cloud computing services are software as a service, platform as a service and infrastructure as a service.
One of the main issues relating to cloud computing is security. The Dutch Act on Security Network and Information Systems(Wet beveiligingnetwerk- eninformatiesystemen) applies to providers of cloud computing services that offer their services in the European Union, have their main establishment in the Netherlands and have at least 50 or more employees and/or generate a revenue of at least €10 million. Based on the act, a provider of cloud computing services has a duty of care and must take adequate technical and organisational measures to control identified security risks. This includes a reporting obligation in respect of security incidents within the meaning of the act to the relevant supervisory authority. Such reporting obligation applies in addition to any reporting obligations that may already apply based on other applicable legislation, such as the GDPR.
Another important issue is the protection of personal data. For example, cloud computing infrastructure may involve the transfer of data outside the European Union. If personal data is involved, the controller of such data must take additional measures to safeguard the protection of the data subjects.
(e) Artificial intelligence
The use of artificial intelligence (AI) and machine learning as such is not regulated in the Netherlands. However, it is attracting growing interest from the Dutch regulators. Self-learning algorithms can develop continuously based on data input, resulting in output which is generated incredibly fast. Humans cannot compete with the pace of this technology. This not only offers incredible potential, but also bears risks and raises ethical questions. Data input must still be provided through human interference, which could result in biased or incorrect output. Bad input can never become good output.
The Dutch financial regulators have published initial guidelines relating to the use of AI and self-learning algorithms in the financial sector. For example, the Netherlands Authority for the Financial Markets published guidelines on the duty of care involved in semi-automated asset management and its views on roboadvice (www.afm.nl/en/nieuws/2018/mrt/doorontwikkeling-roboadvies). The Dutch Central Bank (DNB) also recently published guidelines for the use of AI (www.dnb.nl/en/news/news-and-archive/DNBulletin2019/dnb385020.jsp). The acronym of these DNB guidelines is ‘SAFEST’, which hints at their main message. The guidelines urge financial undertakings to use AI responsibly. AI applications in the financial sector should be Sound; someone must be Accountable; the outcome of AI should be Fair and Ethical; only sufficiently Skilled people should be involved in developing AI applications; and the use of AI should be Transparent and explainable. Responsible use of AI is key to prevent incidents which could have a substantial impact on financial stability.
(f) Distributed ledger technology (Blockchain, cryptocurrencies)
Except for the new Fifth Anti-money Laundering Directive (2018/843) which has introduced a registration requirement for so-called ‘custodial wallet providers’ and providers engaged in exchange services between virtual currencies and fiat currencies, no legal framework for distributed ledger technology (DLT), blockchain and/or cryptocurrencies exists as yet. The directive must be implemented in Dutch law by 10 January 2020. As a result, Dutch crypto exchanges and custodial wallet providers will fall under the integrity supervision of DNB. DNB has urged these ‘crypto operators’ to notify it as soon as possible, to ensure timely compliance with the new law, which is still in draft form (www.dnb.nl/en/news/news-and-archive/Persberichten2019/dnb385424.jsp).
DLT can be used in many different ways and for many different purposes. The use of DLT in itself does not cause a company to fall under the scope of Dutch financial regulatory laws. However, products or services offered on the basis of DLT could fall under financial supervision. For example, the offering of security tokens or trading in securities tokens could trigger the application of Dutch securities laws and European laws such as the Prospectus Regulation and the second Markets in Financial Instruments Directive.
DLT or blockchain-based products and services present multiple potential legal implications. The existing laws do not apply neatly to innovations based on this technology. Examples include privacy-related issued such as the right to be forgotten under the GDPR, property law consequences (are tokens goods that can be pledged?) and questions regarding private international law.