Today – European Data Protection Day – the Dutch Privacy Awards were handed out during the National Privacy Conference, a joint initiative by Privacy First and Dutch Platform for the Information Society ECP. The winners of the 2022 Dutch Privacy Awards are:
- Street Art Museum Amsterdam (SAMA)
- Quodari
- Summitto
- Center for Information Security and Privacy Protection (CIP).

The Dutch Privacy Awards provide a platform for companies and government agencies that see Privacy as an opportunity to positively stand out and make privacy-friendly entrepreneurship and innovation the norm. "These Awards have been handed out each year since 2015 and every time the jury nominated special, innovative and inspiring candidates. That’s been no different in 2022. Most of the time, privacy becomes a news item only when things have gone terribly wrong, when hefty fines are issued or certain parties incur serious reputational damage in court. In this respect, it would be a good thing if more attention would go out to ‘the bright side of privacy’ – to solutions that save time and money, strengthen trust, offer insights to people who need it and increase the overall effectiveness of various sorts of applications. The Dutch Privacy Awards are there to put the most inspiring initiatives in the spotlight and give these the recognition they deserve," said Awards jury chairman Wilmar Hendriks.

Nominations  

There are four categories in which applicants are awarded:

1. the category of Consumer solutions (business-to-consumer)

2. the category of Business solutions (within a company or business-to-business)

3. the category of Public services (public authority-to-citizen)

4. The incentive Award for a groundbreaking technology or person.

From the various entries, the independent expert panel chose the following nominees per category (listed in arbitrary order):

1. Scoor voor je Club
2. Summitto
3. Privacy Rating
4. PiM, the Personal identity Manager by KPN
5. Street Art Museum Amsterdam (SAMA) 
6. Quodari
7. Shuttercam. 

During the National Privacy Conference all nominees presented their projects to the digital audience in Award pitches. Thereafter, the Awards were handed out. Click HERE for the entire expert panel report (pdf in Dutch), which includes participation criteria and explanatory notes on all the nominees and winners.

WINNER Consumer solutions: Street Art Museum Amsterdam (SAMA) 

Connecting privacy and art in a project that aims to raise awareness among neighborhood residents is unique and pleasantly surprised the jury. With its Privacy Project, SAMA allows such themes as privacy, digital rights, anonymity on the internet and the impact of technology on society to capture the imagination. More than 80 artists were invited to create a design for a mural, and out of their designs three were chosen to actually be produced on the streets. Local residents were involved in the choice for the design through voting.

Offering critical reflections through their art, artists encouraged residents to think about the issue of privacy. Raising awareness was in fact one of the main goals of this project. For SAMA, the project was a new adventure that saw murals being created in three vulnerable districts in Amsterdam: Nieuw-West, Noord and Zuidoost.

The jury believes that this project shows that graffiti-art murals can help raise awareness among residents about privacy issues. The whole process whereby residents think about both these issues as well as the realization of the murals equally contributes to give meaning to an abstract concept like privacy.

The jury expresses the wish that this project will be replicated in many other cities and especially in vulnerable neighborhoods where residents are still insufficiently aware of what happens to their personal data, and how important it is to be able to make choices about who you share these data with.

WINNER Business solutions: Quodari

Quodari is a privacy-friendly social media platform that puts users in control of their own data and content. It enables users to share collections of data online with friends, but also to make these data public. Taking European values as point of departure, Quodari aims to be a privacy-friendly alternative to existing social media platforms. Quodari’s business model is based on providing true value for users through additional storage space and other features for business or personal use. Quodari does not aim to attract users to its platform for as long as possible, does not exploit personal data and is free of advertising. In this way, privacy risks on the platform are reduced and financial conflicts of interest are avoided. Quodari is a Dutch initiative launched in 2021. The company expects a European rollout as well as the start to a new marketing campaign this year.

In the jury’s opinion, Quodari is a successful attempt to provide an alternative to existing social media platforms, where privacy is paramount and users truly control their own data. With Quodari, users who attach great importance to their privacy have a fair alternative to what Big Tech has to offer. That was the primary reason for the jury to grant Quodari a Dutch Privacy Award.

WINNER Public services: Summitto 

Summitto develops software for tax authorities to combat VAT fraud. Whereas existing solutions collect massive amounts of data that are often stored in plain text in a centralized way, this solution ensures that VAT fraud can be fought without actually storing data. Summitto’s method is based on modern cryptography to optimally protect invoicing. The product is a commercial off-the-shelf product that is open-source and can help tax authorities digitize VAT in a privacy-friendly way. Summitto has received grants from Horizon 2020, the EU program for research and innovation. The company is in close contact with a number of key players which in one way or another deal with VAT, including the European Commission, various government bodies and the International Bureau of Fiscal Documentation (IBFD).

With its original approach, Summitto links the social importance of combating VAT fraud with high privacy values. The approach has drawn a lot of attention from experts throughout Europe. The jury is impressed with the practical applicability of the software in combination with its high privacy standards and has therefore declared Summitto the winner in the public services category.

WINNER Incentive Award: Centrum Informatiebeveiliging en Privacybescherming (CIP) 

This year, the jury chose to present the Incentive Award to the Dutch Center for Information Security and Privacy Protection (CIP).

In spite of the pandemic, CIP has over the past year made a tremendous effort to keep its network updated through digital webinars, podcasts, workshops and games that span a range of topics. The center has built up a remarkable database of videos that are accessible to everyone on YouTube. Privacy is an important topic for CIP: up until now it has made public 22 different sorts of productions on this issue.

CIP is a public-private network organization that operates on the basis of the principle "for all, by all". It is made up of a team of passionate professionals who work together with the members of the network and its partners on practical and usable products in the field of privacy protection, ethics and information security. CIP is also on top of the news and is constantly coming up with new hot topics that are proposed by its participants and partners.

The jury expresses its great appreciation for the achievements of CIP and encourages the center to continue with the important work it is doing. Not least because the results of this work are freely accessible to public authorities, industry, organizations and citizens.

National Privacy Conference

The Dutch National Privacy Conference is a ECP|Platform for the Information Society and Privacy First initiative. Once a year, the conference brings together Dutch industry, public authorities, the academic community and civil society with the aim to build a privacy-friendly information society. The mission of both the National Privacy Conference and Privacy First is to turn the Netherlands into a guiding nation in the field of privacy. To this end, privacy by design is key.

These were the speakers during the 2022 National Privacy Conference in successive order:

Marjolijn Bonthuis (ECP deputy director)
Monique Verdier (Dutch Data Protection Authority vice chairwoman)
Martin Vliem (National Security Officer, Microsoft)
Max Schrems (founder of None of Your Business - NOYB)
Haroon Sheikh (senior scientist, Dutch Advisory Council on Government Policy, WRR)
Gry Hasselbalch (cofounder of European ThinkDoTank DataEthics)
Paul Korremans (Privacy First chairman)
Wilmar Hendriks (chairman of the expert panel of the Dutch Privacy Awards).

Both the conference as well as the Awards session – which were livestreamed from Nieuwspoort in The Hague: https://www.nieuwspoort.nl/stream/privacy-first-ecp/ – were moderated by Dutch television host Tom Jessen.

Expert panel Dutch Privacy Awards

The independent expert Award panel consists of privacy experts from different fields, all of whom participated in their personal capacity:

• Wilmar Hendriks, founder of Control Privacy, chairman of CUIC and Privacy First board member (panel chairman)
• Paul Korremans (Privacy First chairman)
• Melanie Rieback, CEO and cofounder of Radically Open Security
• Nico Mookhoek, legal expert in the field of privacy and founder of DePrivacyGuru
• Rion Rijker, privacy and IT security expert, partner at Fresa Consulting
• Magdalena Magala, privacy officer at the municipality of Zaanstad
• Mathieu Paapst, university lecturer IT law at the University of Groningen and projectlead of cookiedatabase.org
• Jaap van der Wel, IT expert and legal expert in the field of privacy, managing partner at Comfort Information Architects
• Erik Bruinsma, legal expert; director Strategy and management advice, Statistics Netherlands (CBS). 

In order to make sure that the Award process is run objectively, panel members may not judge on any entry from their own organization or an organization in which a panel member has an interest.

In collaboration with the Dutch Platform for the Information Society (ECP), Privacy First organizes the Dutch Privacy Awards with the support of the Democracy & Media Foundation and The Privacy Factory.

Preregistrations for the 2023 Dutch Privacy Awards are welcome!

Would you like to become a sponsor or (media) partner of the Dutch Privacy Awards? Then please get in touch with Privacy First! 

Recently, the Netherlands Standardisation Forum issued an advice to the government to ensure that public Wi-Fi networks for guest use are always secure. The independent advisory body recommends improving Wi-Fi security by using the WPA2-Enterprise standard. This recommendation applies to all public and semi-public institutions in the Netherlands and therefore has an impact on thousands of Wi-Fi networks.

The Standardisation Forum facilitates digital cooperation (interoperability) between government organizations and between government, businesses and citizens. It is the advisory body for the public sector regarding the use of open standards. According to its own website, all standards that the Forum recommends have been thoroughly tested, lower costs and reduce the risk of internet fraud and data abuse. The recent recommendation came after a request over a year ago by Privacy First and Wi-Fi roaming provider Publicroam. Privacy First and Publicroam requested the Forum to mandate WPA2-Enterprise as the standard for access to guest Wi-Fi. The Standardization Forum then decided to conduct further research, resulting in its current opinion.

Stop offering insecure guest Wi-Fi 

Privacy First chairman Paul Korremans is delighted with the advice: "It took a while, but now there is a clear recommendation. The Standardisation Forum calls for the secure provision of guest Wi-Fi, preferably using the WPA2-Enterprise standard. This recommendation creates clarity for all parties involved in setting up and managing public Wi-Fi networks within government institutions. Moreover, the recommendation will likely have a broader effect: in our view, the Forum is saying that we need to stop offering insecure guest Wi-Fi altogether." 

The Netherlands at the vanguard 

The Standardisation Forum made its decision in the summer of 2021 after several expert meetings and a public consultation. The recommendation was added to the existing obligation around WPA2-Enterprise in early September. The Netherlands is one of the first countries to have such an obligation.

WPA2-Enterprise 

Experts consider the standard WPA2-Enterprise (and its successor WPA3-Enterprise) to be the most suitable method for achieving secure Wi-Fi access. The standard is mandatory for Wi-Fi access for government employees and is widely used by businesses and educational institutions among others. Because it is a long-standing open standard, it is widely available and easy to implement.

Today – on European Data Protection Day – the 2021 Dutch Privacy Awards were handed out during the Dutch National Privacy Conference, a joint initiative by Privacy First and the Dutch Platform for the Information Society (ECP). These Awards provide a platform for companies and governments that see privacy as an opportunity to distinguish themselves positively and to make privacy-friendly entrepreneurship and innovation the norm. The winners of the Dutch Privacy Awards 2021 are STER, NLdigital, Schluss, FCInet and the Dutch Ministry of Justice and Security.

Consumer solutions

Winner: STER

Advertising without storage of personal data, contextual targeting: proven effectiveness

The Dutch Stichting Ether Reclame (Ether Advertising Foundation), better known as STER, was one of the first organizations in the Netherlands to abandon the common model of offering advertisements based on information collected via cookies. STER has developed a procedure that only uses relevant information on the webpages visited. No personal data are collected at all (data such as browser version, IP address and click-through behaviour). Advertisers submit their advertisements to STER, which are then put on the website in conformity with the protocol developed by STER, which is based on a number of simple categories. These categories are linked to the information that is shown, such as a TV program that someone has selected. The protocol has been built up and refined over the past period and now works properly.

In this way, STER kills several birds with one stone. Most importantly, initial applications show that this approach is at least as effective for advertisers as the old cookie-based way. Secondly, the approach removes parties from the chain. Data brokers who played a role in the old system are now superfluous. Apart from the financial gain for the chain, this also prevents data coming into the possession of parties the data should not end up with. And thirdly, STER stays in control of its own advertising campaigns.

This makes STER a deserved winner of the Dutch Privacy Awards. The concept developed is innovative and helps to protect the privacy of citizens without them having to make any effort. STER is also investigating the possibility of using the approach more broadly. This too is an innovation that the expert panel applauds.

In that sense STER’s approach is also a well-founded response to the data-driven superpowers on the market as it demonstrates that the endless collection of personal data is not at all necessary to get your message across, whether it is commercial or idealistic.

STER could perhaps also have been submitted as a Business-to-Business entry, but the direct interests of consumers meant that it was listed in the category of consumer solutions.

Business solutions

Winner: NLdigital

Organisational innovation and practical application: Data Pro Code

Entries for the Dutch Privacy Awards often relate to technical innovations. At NLdigital it is not the technology, but the approach that is innovative. It has given concrete meaning to GDPR obligations through agreements and focuses mainly on data processors, not on the responsible parties. This enables processors to make agreements more quickly, practically and with sufficient care – agreements which are also verifiable in this regard. Many companies provide services by making applications available which involve data processing. And that requires processing agreements, which are not easy to apply for every organization. Filling in the corresponding statement leads to an appropriate processing agreement for clients.

NLdigital’s code of conduct called Data Pro Code is a practical instrument tailor made for the target group: IT companies that process data on behalf of others. With the help of (600) participants/members, the Code is drawn up as an elaboration of Art. 28 of the GDPR. It has been approved by the Dutch Data Protection Authority and has led to a publicly accessible certification.

Public services

Winner: FCInet & Ministery of Justice and Security

Ma³tch, privacy on the government agenda: innovative data minimization

FCInet is innovative, privacy-enhancing technology that was developed by the Dutch Ministry of Justice and Security and the Dutch Ministry of Finance. It is meant to assist in the fight against (international) crime. Part of FCInet is Ma³tch, which stands for Autonous Anonymous Analysis. With this feature the Financial Criminal Investigation Services (FCIS) can share secure and pseudonymized datasets on a national level (for example with the Financial Intelligence Unit-Netherlands and the Fiscal Information and Investigation Service), but also internationally. Ma³tch is a technology that supports and enforces parties concerned to make careful considerations per data field. This is possible with regard to the question of which data these parties want to compare and on the basis of which conditions. This ensures that parties can set up the infrastructure in such a way that it can be technically enforced that data are exchanged only on a legitimate basis.

Through hashing, organization A encrypts (bundles of) personal data in such a way that receiving party B has the possibility to check whether a person known to organization B is also known to organization A. Only if it turns out that there is a match (because the list of known persons in hashed form of organization B is checked against the list of persons in the sent list) does the next step take place whereby organization B actually requests information about the person concerned from organization A. The check takes place in a secure decentralized environment, so organization A does not know whether there is a hit or not. The technology thus prevents the unnecessary perusal of personal data in the context of comparisons.

The open source code technology of FCInet offers broader possibilities for application, which is encouraged by the expert panel and was an important reason for the submission: it can be reused in many other organizations and systems. The panel therefore assessed this initiative as a good investment in privacy by the government, where, clearly, the issue of privacy really is on the agenda.

Incentive Award

Winner: Schluss

Schluss applied for the Dutch Privacy Awards in 2021 for the third time. That is not the reason for the Incentive Award, even though it may encourage others to persevere in a similar way.

The reason is that it is a very nice initiative, focused on the self-management of personal data. In the form of an app, private users are offered a vault for their personal data, whether they are of a medical, financial or other nature. Users decide which people or organizations gets access to their data. The idea is that others who are allowed to see the data no longer need to store these data themselves. Schluss has no insight into who uses the app, its role is only to facilitate the process. The technology, which is open source, guarantees transparency about the operation of the app.

Schluss won the prestigious Incentive Award because thus far the app has had only a beta release. However, promising projects have been started with the Volksbank and there is a pilot in collaboration with the Royal Dutch Association of Civil-law Notaries. With the mission statement (‘With Schluss, only you decide who gets to know which of your details’) in mind, Schluss chose to become a cooperation, an organizational form that appealed to the expert panel. With this national Incentive Award the panel hopes to encourage the initiators to continue along this path and to persuade parties to join forces with Schluss.

Nominations  

There are four categories in which applicants are awarded:

1. the category of Consumer solutions (business-to-consumer)

2. the category of Business solutions (within a company or business-to-business)

3. the category of Public services (public authority-to-citizen)

4. the incentive award for a ground breaking technology or person.

From the various entries, the independent expert panel chose the following nominees per category (listed in arbitrary order):

During the National Privacy Conference all nominees presented their projects to the audience in Award pitches. Thereafter, the Awards were handed out. Click HERE for the entire expert panel report (pdf in Dutch), which includes participation criteria and explanatory notes on all the nominees and winners.

National Privacy Conference

The Dutch National Privacy Conference is a ECP|Platform for the Information Society and Privacy First initiative. Once a year, the conference brings together Dutch industry, public authorities, the academic community and civil society with the aim to build a privacy-friendly information society. The mission of both the National Privacy Conference and Privacy First is to turn the Netherlands into a guiding nation in the field of privacy. To this end, privacy by design is key.

These were the speakers during the 2021 National Privacy Conference in successive order:
- Monique Verdier (vice chairwoman of the Dutch Data Protection Authority)
- Judith van Schie (Considerati)
- Erik Gerritsen (Secretary General of the Dutch Ministery of Health, Welfare and Sport) 
- Mieke van Heesewijk (SIDN Fund) 
- Peter Verkoulen (Dutch Blockchain Coalition)
- Paul Tang (MEP for PvdA)
- Ancilla van de Leest (Privacy First chairwoman)
- Chris van Dam (Member of the Dutch House of Representatives for CDA)
- Evelyn Austin (director of Bits of Freedom)
- Wilmar Hendriks (chairman of the expert panel of the Dutch Privacy Awards).

The entire conference was livestreamed from Nieuwspoort in The Hague: see https://www.nieuwspoort.nl/agenda/overzicht/privacy-conferentie-2021/stream and https://youtu.be/asEX1jy4Tv0.

Dutch Privacy Awards expert panel

The independent expert Award panel consists of privacy experts from different fields:

• Wilmar Hendriks, founder of Control Privacy and member of the Privacy First advisory board (panel chairman)
• Ancilla van de Leest, Privacy First chairwoman
• Paul Korremans, partner at Comfort Information Architects and Privacy First board member
• Marc van Lieshout, managing director at iHub, Radboud University Nijmegen
• Alex Commandeur, senior advisor BMC Advies
• Melanie Rieback, CEO and co-founder of Radically Open Security
• Nico Mookhoek, privacy lawyer and founder of DePrivacyGuru
• Rion Rijker, privacy and data protection expert, IT lawyer and partner at Fresa Consulting.

In order to make sure that the Award process is run objectively, the panel members may not judge on any entry of his or her own organization.

In collaboration with the Dutch Platform for the Information Society (ECP), Privacy First organizes the Dutch Privacy Awards with the support of the Democracy & Media Foundation and The Privacy Factory.

Pre-registrations for the 2022 Dutch Privacy Awards are welcome!

Would you like to become a sponsor of the Dutch Privacy Awards? Please contact Privacy First! 

In the context of the National Privacy Conference organized by Privacy First and the Dutch Platform for the Information Society (ECP), today the Dutch Privacy Awards have been handed out. These Awards offer a podium to organizations that consider privacy as an opportunity to positively distinguish themselves and want privacy-friendly entrepreneurship and innovation to become a benchmark. The winners of the 2020 Dutch Privacy Awards are Publicroam, NUTS and Candle.

Winner: Publicroam

Safe and easy access to WiFi everywhere for guest users

Most people in libraries, hotels, coffee bars and other public places log onto the local WiFi network in order to save on mobile data and to not rely on mobile networks which indoors may not be available everywhere. Often, WiFi networks operate on the basis of a single, local password, indicated on tables and screens. This makes the digital activities of users vulnerable in more ways than one, with all the ensuing nasty consequences. On top of that, users may not be informed about what the internet provider does with their personal data. It is said that the trade in personal data is by now more profitable than the trade in oil.

These risks were first identified by educational institutions and later by public authorities. This led to the creation of international roaming services like Eduroam and Govroam. But why aren’t such services available everywhere and to everyone? Publicroam set out to change just that and is being welcomed in more and more places. And rightfully so, according to the Privacy Awards expert panel. Several large municipalities and organizations (all libraries in the Netherlands among them) are already connected to Publicroam, or will be soon. In and of itself this facility is not a completely new solution, but the expert panel is particularly impressed by the fact that it can offer great advantages to literally everyone in the country – and possibly beyond – and can therefore have a huge impact on what we’re used to: one account which allows all users to go online automatically and securely, with serious respect for privacy ensured.

It’s possible after all: sound business initiatives that respect privacy; Publicroam is proof of this.

Winner: NUTS

Decentral infrastructure for privacy-friendly communication in healthcare

The NUTS Foundation is an initiative which aims to offer a privacy-friendly solution to identity management and sharing personal data in healthcare environments. It entails that individuals keep control over which healthcare data may be shared between healthcare providers. The NUTS Foundation has laid down its principles in a manifesto which all participants should ascribe to and which states that all software that’s being developed should meet the demands of open source. The result that the NUTS Foundation is striving for is a decentral system which keeps control over personal health information in the hands of the people involved.

The services offered by the decentral network are based on the principles of privacy by design. Identity management solutions contribute to irrefutably establishing the identity of individuals concerned. The decentral approach is in line with the digital healthcare architecture which is currently in the making and is also partly being introduced already. In this way, healthcare information components can use the decentral facilities that are being realized through NUTS.

In the eyes of the expert panel, the NUTS Foundation is a strong example of an initiative which not only looks at privacy issues in a comprehensive way but creates concrete solutions to these issues as well. The open source community that the NUTS Foundation is bringing to fruition, prevents vendor-lock-in in crucial areas of the digital healthcare infrastructure. Emerging digital Personal Healthcare Areas can equally make use of the decentral administrative provisions which NUTS is working towards. The rationale behind NUTS – creating a utility for a crucial part of the digital healthcare architecture – particularly appeals to the expert panel. Expanding the foundation, which currently by and large relies on a single company, will further increase the support for this initiative.

In order to give the NUTS Foundation the opportunity to further realize its ideals and to propagate these more widely, the expert panel has decided to confer this year’s Dutch Privacy Award for business solutions to the NUTS Foundation.

Winner: Candle

Privacy-friendly smart home solution

Candle is a reaction to a risk analysis (privacy by design) to Internet of Things products which unnecessarily connect to a cloud server. It’s a project which concentrates on developing alternative smart systems in and around the home, based on the principle that connection to the internet is unnecessary. Candle started off as a project organization run by students from universities and colleges of higher education as well as by artists’ collectives who aimed at developing practical hardware solutions combined with open source software. Various domestic appliances such as central heating, cameras, CO2 sensors and other applications can easily be connected with one another. A switch is used to make contact with an external network. Users make a deliberate choice when they import and export emails and other data.

Candle shows that it’s very well feasible to create a Smart solution without Big Tech companies and their data driven models. Meanwhile, there are various concept solutions which companies can actually put into practice. In its core, Candle is privacy by design and it opens people’s eyes to alternative smart systems.

"The market for ethical technology will grow in much the same way as the market for biological food has grown enormously. But how do we boost this market? That’s the challenge. The GDPR has ploughed the earth. Now it’s time to sow and entrust this concept to consumers", comments Candle.

Nominations

There are four categories in which applicants are awarded:

1. the category of Consumer solutions (business-to-consumer)

2. the category of Business solutions (within a company or business-to-business)

3. the category of Public services (public authority-to-citizen)

4. The incentive prize for a ground breaking technology or person.

From the various entries, the independent expert panel chose the following nominees per category:

During the National Privacy Conference the nominees presented their projects to the audience in Award pitches. Thereafter, the Awards were handed out. Click HERE for the entire expert panel report (pdf), which includes participation criteria and explanatory notes on all the nominees and winners.

National Privacy Conference

The National Privacy Conference is a ECP|Platform for the Information Society and Privacy First initiative. Once a year, the conference brings together Dutch industry, public authorities, the academic community and civil society with the aim to build a privacy-friendly information society. The mission of both the National Privacy Conference and Privacy First is to turn the Netherlands into a guiding nation in the field of privacy. To this end, privacy by design is key.

These were the speakers during the 2020 National Privacy Conference in successive order:

- Monique Verdier (vice chairman of Dutch Data Protection Authority)
- Richard van Hooijdonk (trendwatcher/futurist) and Bas Filippini (founder and chairman of Privacy First)
- Tom Vreeburg (IT-auditor)
- Coen Steenhuisen (privacy advisor at Privacy Company)
- Peter Fleischer (global privacy counsel at Google)
- Sander Klous (professor in Big Data Eco Systems, University of Amsterdam)
- Kees Verhoeven (Member of the Dutch House of Representatives for D66).

Expert panel of the Dutch Privacy Awards

The independent expert award panel consists of privacy experts from different fields:

• Bas Filippini, founder and chairman of Privacy First
• Paul Korremans, partner at Comfort Information Architects and Privacy First board member
• Marie-José Bonthuis, owner of IT’s Privacy
• Esther Janssen, attorney at Brandeis Attorneys specialized in information law and fundamental rights
• Marc van Lieshout, managing director at iHub, Radboud University Nijmegen
• Melanie Rieback, CEO and co-founder of Radically Open Security
• Nico Mookhoek, privacy lawyer and owner of NMLA
• Wilmar Hendriks, founder of Control Privacy and member of the Privacy First advisory board
• Alex Commandeur, senior advisor at BMC Advies.

In order to make sure that the award process is run objectively, the panel members may not judge on any entry of his or her own organization.

Privacy First organizes the Dutch Privacy Awards with the support of the Democracy & Media Foundation and in collaboration with ECP. Would you like to become a partner of the Dutch Privacy Awards? Then please contact Privacy First!

PSD2 opt-out register

Is it possible to have innovation in the field of payment data while preserving privacy? Under the new European banking law PSD2, payment data can be shared with non banking parties. The legislator has, however, failed to implement privacy by design. Therefore, the Privacy First Foundation has taken the initiative to launch a PSD2 opt-out register in the Netherlands. We are happy to report that the SIDN Fund is supporting us in this. With this opt-out register bank account numbers can be filtered. This can be useful in case bank account numbers are linked to sensitive personal data, such as a payment to a trade union, a healthcare insurer, a political party or an organization that reveals one’s sexual preference. It can also be useful when consumers wish to filter their contra accounts. The Dutch PSD2 opt-out register could become trendsetting at a European level.

Source: https://www.sidnfonds.nl/nieuws/de-eerste-pioniers-van-2019, 22 May 2019 (in Dutch).

Follow https://psd2meniet.nl for updates and become a member of our PSD2 Privacy Panel! (in Dutch)

For all its projects and affiliated activities, Privacy First is largely dependent on donations. The more financial support and donations we receive, the sooner Privacy First will be able to launch the PSD2 opt-out register.

In the context of the National Privacy Conference organized by Privacy First and ECP today the Dutch Privacy Awards have been handed out. These Awards offer a podium to organisations that consider privacy as an opportunity to positively distinguish themselves and want privacy-friendly entrepreneurship and innovation to become a benchmark. The winners of the 2019 Dutch Privacy Awards are Startpage.com as well as Privacy Company & SURF. PublicSpaces received the incentive prize.

Winner: Startpage.com

With Private Search 2.0, Startpage.com allows those who find profiling and targeting on the basis of search queries oppressing, to breathe a little more freely again. The basic promise of Startpage is that its users can question Google Search without having to fear that Google accords a permanent data trail to every single query. Moreover, Startpage.com enables searching through an anonymizing proxy. It therefore meets the needs of anyone who doesn’t want to be confronted with targeted ads on the basis of search queries. Think of people who search for information related to financial, relationship or health problems. And naturally any other person who, by default, wishes to stay clear of foreign companies that trade in personal data (based in Silicon Valley and elsewhere). Startpage.com thus offers people an important and very privacy-friendly opportunity to visit websites without having to worry about unwanted profiling and without being confronted with one’s own search behavior.

Winner: Privacy Designer (Privacy Company and SURF)

Privacy Designer is a Privacy Company and SURF web app which helps SMEs, associations and NGOs to identify privacy risks. The app has been co-financed by the SIDN Fund and can be used free of charge.

The expert panel was deeply impressed by this solution. It’s a practical and innovative app which has a large impact on society because research points out that the target group is often insufficiently aware of the privacy risks to which it is exposed and doesn’t quite know how to deal with such risks appropriately. Another advantage of Privacy Designer is the fact that all data is stored on one’s own device and the use of personal data is kept to a minimum. In short, this entry can potentially improve the privacy of a large group of people in an effective and accessible way.

Winner: PublicSpaces

There is a lot that goes on online that internet users can’t see and are not aware of. Advertising displayed on the basis of search behavior can be a great annoyance. Meanwhile, we become increasingly dependent on online information gathering, navigation and cloud storage. This makes a few dominant commercial companies ever more powerful.

PublicSpaces is a coalition of public broadcasters and cultural organizations that aim to ‘repair’ the internet by restoring it to a community of users. They try to do so by collaborating with a number of relevant parties and by offering alternatives. In particular, the fact that data so easily ends up across different platforms is a thorn in the eye of PublicSpaces. With open source initiatives and the use of IRMA (‘I Reveal my Attributes’, an open source identity platform which won a Dutch Privacy Award last year), the coalition attempts to improve online privacy. The expert panel wholeheartedly encourages PublicSpaces’ mission.

Nominations

There are four categories in which applicants are awarded:

1. the category of Consumer solutions (business-to-consumer)

2. the category of Business solutions (within a company or business-to-business)

3. the category of Public services (public authority-to-citizen)

4. The incentive prize for a ground breaking technology or person.

From the various entries, the independent expert panel chose the following nominees per category:

During the Dutch National Privacy Conference the nominees presented their projects to the audience in Award pitches. Thereafter, the Awards were handed out. Click HERE for the entire expert panel report (Dutch pdf), which includes participation criteria and explanatory notes on all the nominees and winners.

National Privacy Conference

The National Privacy Conference is a ECP|Platform for the Information Society and Privacy First initiative. Once a year, this conference brings together Dutch industry, public authorities, the academic community and civil society with the aim to build a privacy-friendly information society. The mission of both the National Privacy Conference and Privacy First is to turn the Netherlands into a guiding nation in the field of privacy and data protection. To this end, privacy by design is key.

These were the speakers during the 2019 National Privacy Conference in successive order:

Aleid Wolfsen (chairman of the Dutch Data Protection Authority)
Sophie in ‘t Veld (Member of the European Parliament)
Tijmen Schep (PrivacyLabel)
Brenno de Winter (IT researcher)
Jeroen Terstegge (Privacy Management Partners).

Expert panel of the Dutch Privacy Awards

The independent expert Award panel consists of privacy experts from different fields:

• Bart van der Sloot, senior researcher at Tilburg University (panel chairman)
• Bas Filippini, founder and chairman of Privacy First
• Paul Korremans, data protection & security professional at Comfort Information Architects (and Privacy First board member)
• Marie-José Bonthuis, IT’s Privacy owner
• Esther Janssen, attorney specialized in information law and fundamental rights, Brandeis Attorneys
• Esther Keymolen, philosopher of technology, TILT, Tilburg University
• Matthijs Koot, senior security specialist, Secura BV
• Marc van Lieshout, senior researcher at TNO and managing director at PI.lab
• Wendeline Sjouwerman, privacy specialist who focuses on local governments and health care.

In order to make sure that the Award process is run objectively, the panel may not judge on any entry of his or her own organization.

Privacy First organizes the Dutch Privacy Awards with the support of the Democracy & Media Foundation and in collaboration with ECP. Would you like to become a partner or sponsor of the Dutch Privacy Awards? Then please contact Privacy First!

New European PSD2 legislation in force

At the start of 2019, the Payment Service Directive 2 will enter into force in the Netherlands. Under this new European banking law, consumers can share their banking details with parties other than their own bank. This first requires their explicit consent, upon which banks must share all transactional data[1] of the consumer (account holder) with an external party (financial service provider) for a period of 90 days, after which the consumer can renew his consent. The consumer can also withdraw his consent at all times.

PSD2 is a great concern to Privacy First

Privacy First is very worried about PSD2. The law focuses too much on improving competition and innovation while the privacy interest of account holders is overlooked. These are Privacy First’s greatest concerns:

• Consumers are not in a position to limit the amount of banking details. Even in case a financial service provider does not need these details, all data are shared just the same once the account holder has issued his consent.
• The bank details of a consumer include the details of contra accounts. Holders of such accounts are unaware of the fact that their details may be shared and are not in a position to prevent that. As transactional data will be analyzed much more widely with the use of Big Data and data analyses than before the introduction of PSD2, there will be a much greater risk of privacy violations.
• Banking details contain ‘sensitive personal data’ that may only be issued under strict conditions.[2] A subscription payment to a trade union, political party or organization that reveals one’s sexual preferences, should be considered sensitive personal data according to Privacy First. The same applies to transactions with health insurance companies and pharmacists. Currently, there is no way to filter out these data and they are being issued to parties that are not allowed to process them.

During an episode of the Dutch television program Radar that was broadcast on Monday 7 January 2019, Privacy First drew particular attention to these issues.

PSD2 quality label aims for transparency

Privacy First wants consumers to get honest and transparent information on what happens to their data. We advocate not for lengthy privacy statements, but rather for information that fits on a single sheet of paper. This information should not come from the financial industry, but from consumers themselves. After all, they can best decide which information they find valuable when making a choice. During 2018, Privacy First worked on this initiative along with the Volksbank and other partners from the financial sector.

PSD2 opt-out register

Privacy First is surprised that no attention has been paid to the role of ‘sensitive personal details’ in transactional data. Such details may only be shared under strict conditions and therefore have to be filtered out. Equally, consumers who do not want others to share their data with financial service providers should have the opportunity to prevent this. That is why Privacy First would like to see an opt-out register, similar to the do-not-call-me register which has been around in the Netherlands for many years. During the Radar broadcast, Privacy First announced it would bring forward this proposal, hoping to be able to develop it further together with the financial sector and policy makers. The aim is to have a compulsory opt-out register. This will, however, require amending the European PSD2 directive.

[1] Additional information: it concerns all transactional data. The extent to which these data go back in time varies per bank. See the overview (in Dutch) of the Dutch consumer association: The majority of account holders saves their bank statements for at least five years https://www.consumentenbond.nl/betaalrekening/meerderheid-bewaart-rekeningafschriften-ten-minste-5-jaar.
[2] Additional information: this is included in Article 9 of the GDPR and in Article 22 of the Dutch GDPR implementation Act. In short, processing sensitive personal data is unlawful, with a few exceptions. See (in Dutch) https://wetten.overheid.nl/BWBR0040940/2018-05-25.

During a Dutch press meeting about the new Payment Service Directive 2 (PSD2), an initiative to launch a privacy quality label for payment services was announced. This quality label should encourage financial service providers and fintech companies to focus on the privacy of consumers.

Volksbank

If you struggle to make ends meet, sooner or later you will get physical complaints, two Utrecht physicians wrote in Dutch newspaper AD/Utrechts Nieuwsblad of 7 March 2018. Those who want to lead a healthy life, will first have to make sure they’re in a healthy financial position. Being in control of your own finances and all related data is a part of that. De Volksbank offers a helping hand in both these areas.

The new European Payment Service Directive 2 (PSD2) paves the way for payment apps of new parties. Banks no longer have the exclusive right to offer payment services. This appears to be good news for consumers. But there is a downside too. Customers who share their data with any such new service provider, should take into account that part of those data are privacy-sensitive. A bank cannot recover such data once in the hands of other financial service providers, so the consumer cannot resort to anyone but himself if he regrets his decisions.

The Dutch Consumers' Association (Consumentenbond) has recently warned that personal data are already being collected on a large scale for commercial reasons. With the introduction of PSD2, this will only increase. Ninety days of access to personal information is sufficient for service providers to create digital profiles that can be traded. De Volksbank does not want to create profiles and is of the opinion that client information should be secure in the hands of the bank: ‘‘That means that we don’t sell information of clients, neither on an individual nor on an aggregated level. We earn our money as a bank, not by selling the data of our clients.'’

De Volksbank considers it to be its role of helping clients deal with their data in a secure and deliberate way in an environment that has changed. By providing information (free is never really free), but also by encouraging clients to take additional measures:

• When it comes to taking deliberate decisions on sharing data, clients should increase their self-awareness by operating a Main Switch. The default setting of the Main Switch should be ‘off’. Before a client is able to authorize the bank to share his data with third parties, he should first flick the Main Switch. The client should then authorize the sharing of data for each party. In so doing, he can stop sharing his data with any party at any moment. Alternatively, he can flick the Main Switch, blocking the access to his data of all parties in a single instant.
• In cooperation with De Volksbank, several other banks, KPMG and fintech companies, Privacy First is developing a PSD2 quality label. This should answer the call of the Central Bank of the Netherlands (DNB), which ascertained that as of yet there is no such quality label, while there is the need to have one. As far as we know, the Netherlands is the first country to be working on this issue. Thanks to the PSD2 quality label, consumers should at once be able to tell which parties they can or cannot entrust their data to. De Volksbank is working hard on further developing the quality label in order for it to be ready as soon as the Payment Service Directive 2 has been transposed into Dutch legislation.

Privacy First

The Privacy First Foundation supports the PSD2 privacy quality label. Privacy First would like it to become an international label which is recognized and supported by banks, fintech companies, financial service providers, regulators and consumer organizations.

PSD2 offers advantages, but also puts people’s privacy at risk. People are more than just consumers. Privacy First doubts whether the measures laid down in PSD2 to protect the data and therewith the privacy of people, will be sufficient. For the protection of personal data, PSD2 relies heavily on the new General Data Protection Regulation (GDPR). This regulation has not yet come into force and we don’t know which effects PSD2 will have in practice and what the monitoring of it will look like. Many organizations are not yet ready to comply with all of the GDPR requirements. However, they will not hold off providing their services. In turn, regulators are not yet ready to enforce all aspects of the GDPR. Introducing PSD2 is like going out to fly without checking the parachute.

We hope that the quality label will encourage financial service providers and fintech companies to start considering consumers as human beings. We want the requirements of the label to be set higher each year. We also want service providers to consider the ‘information behind the information’:

• The disclosure of behavior and data by others
• Services with the underlying aim of collecting data (improper application)
• Deducting data, such as transaction data from which sensitive personal data can be deduced.

We call on fintech companies to continue to explore ways to limit the amounts of data they collect and store. Think of excluding transaction data that could indicate religion, political preference or health status. Limiting the retention period of transaction data is another measure to take into consideration.

This article has also been published on privacy-web.nl.

IRMA and ‘referendum students’ win Dutch Privacy Awards

In the context of the National Privacy Conference organized by Privacy First and ECP, today the very first Dutch Privacy Awards have been awarded. These Awards offer a podium to companies and governments that consider privacy as an opportunity to positively distinguish themselves and want privacy-friendly entrepreneurship and innovation to become a benchmark. The great winner of the 2018 Dutch Privacy Awards is IRMA (I Reveal My Attributes). The students who organized the Dutch referendum about the controversial Tapping law received the incentive prize.

Winner: IRMA (I Reveal my Attributes)

IRMA (I Reveal my Attributes) is a state of the art, open source identity platform which allows users to authenticate themselves by using an app on the basis of one or several attributes related to their different roles (contextual authentication). This form of authentication does not reveal one’s identity: a one-to-one relation between the user and the service provider makes brokers redundant and allows the former to use services anonymously, without a password and with minimal attributes.

The system has been developed by the Digital Security Research Group of the Radboud University Nijmegen. Since the end of 2016, IRMA is part of the independent Dutch Privacy by Design foundation.

The Awards panel praises the academic community for developing IRMA as a general purpose privacy-by-design application intended for both the private as well as the public sector. As a means of privacy-friendly authentication, the panel regards the innovative capacity of the open source technology used, the instant deployability and the potential impact on society of IRMA as great assets. That is why the panel unanimously chose IRMA as the winner of the 2018 Dutch Privacy Awards.

Winners: ‘Tapping law students’

On the initiative of five University of Amsterdam students, a national referendum about the new and controversial Dutch Intelligence and Security Services Act (‘Tapping law’) will be held on 21 March 2018. Regardless of the outcome of the referendum, one of its results will be a heightened awareness of and a more critical stand towards privacy issues among the Dutch. This fact alone was sufficient ground for the panel to unanimously reward the students with a Dutch Privacy Award (incentive prize).

Nominations

There are four categories in which applicants are awarded:

1. the category of Consumer solutions (from companies for consumers)

2. the category of Business solutions (within a company or business-to-business)

3. the category of Public services (public authorities to citizens)

4. The incentive prize for a ground breaking technology or person.

Out of the various entries, the independent expert panel chose the following nominees per category:

During the National Privacy Conference the nominees have presented their projects to the audience in Award pitches. Thereafter, the Awards were handed out. Click HERE for the entire Award panel report (pdf in Dutch), which includes participation criteria and explanatory notes on all the nominees and winners.

From left to right: Paul Korremans (panel member), Luca van der Kamp (‘referendum student’), Esther Bloemen (Personal Health Train), Nina Boelsums (‘referendum student’), Bas Filippini (panel chairman), Bart Jacobs (IRMA), Arjan van Diemen (TrustTester), Marie-José Hoefmans (Schluss) and Wilmar Hendriks (Youth Privacy Implementation Plan (municipality of Amsterdam). Photo: Maarten Tromp.

National Privacy Conference

The National Privacy Conference is an initiative of ECP (Dutch Platform for the Information Society) and Privacy First. From now on, the conference will bring together once a year Dutch industry, public authorities, the academic community and civil society with the aim to build a privacy-friendly information society. The mission of both the National Privacy Conference and Privacy First is to turn the Netherlands into a guiding nation in the field of privacy. To this end, privacy-by-design is key.

The speakers during the 2018 National Privacy Conference were, in successive order:

Aleid Wolfsen, chairman of the Dutch Data Protection Authority,
Gerrit-Jan Zwenne, professor of Law and the Information Society (University of Leiden),
Jaap-Henk Hoepman, associate professor Privacy by Design (Radboud University Nijmegen),

Ulco van de Pol, chairman of the Amsterdam Data Protection Commission,
Tim Toornvliet, Netherlands ICT,
Lennart Huizing, Privacy Company.

Aleid Wolfsen, chairman of the Dutch Data Protection Authority. Photo: Maarten Tromp.

Panel of the Dutch Privacy Awards

The independent expert Award panel consists of privacy experts from different fields:
• Bas Filippini, founder and chairman of Privacy First (panel chairman)
• Paul Korremans, data protection & security professional at Comfort Information Architects
• Marie-José Bonthuis, owner of IT’s Privacy
• Bart van der Sloot, senior researcher at Tilburg University
• Marjolein Lanzing, PhD Philosophy & Ethics, Eindhoven University of Technology.

In order to make sure that the award process is run objectively, the panel members may not judge on any entry of his or her own organization.

Privacy First organized this first edition of the Dutch Privacy Awards in collaboration with ECP, with the support of the Democracy & Media Foundation and the Adessium Foundation. Would you like to become a partner of the Dutch Privacy Awards? Then please contact Privacy First!