Financial privacy must not remain underexposed
The practices of advertising companies such as Google and Facebook often give rise to discussions about data protection and privacy. The operations of secret services and similar organizations such as the Dutch National Coordinator for Counterterrorism and Security (NCTV) equally draw attention and criticism.
There is a growing trend – remaining largely under the radar – towards general financial surveillance, whereby a number of large companies can follow citizens and organizations in detail on the basis of payment data. This is encouraged by public authorities and is spreading throughout society for all sorts of reasons, causing major data protection risks for citizens.
Privacy First would like to pay more attention to what it calls financial privacy in the period ahead.
What is financial privacy?
Financial privacy relates to the following:
- Detailed personal financial data in the hands of banks and other large parties. Nowadays, payments are made digitally for the most part; cash payments are becoming ever less common. As a result, parties involved in processing payments (banks, payment service providers and account information service providers) have detailed information about all their customers, including consumers, companies and various sorts of organizations. This means that these parties know a great deal about their customers. Financial data are becoming more and more detailed for all kinds of reasons and ever more companies can access these data. iDEAL 2.0, for example, is expected to cause further proliferation of personal financial data. In the past, banks have tried to monetize the financial data of customers, in the way that American advertising companies do, think of the ING affair in the Netherlands. This was stopped at the time, but could come back.
- New PSD2 services. The European Payment Services Directive 2 (PSD2) was intended to allow new services to be developed around the financial data of customers of payment institutions, including account information services. However, insufficient thought has been given to data protection, putting citizens at risk. Privacy First has been working on a campaign called Don’t-PSD2-me for several years now.
- Cash payments are disappearing, and so is this method of last resort to evade being tracked by banks from hour to hour. The European digital currency that is being developed is unlikely to be completely anonymous to enable crime fighting.
B. Privatization of crime fighting and the provision of services to public authorities
- Crime fighting duties of banks and other financial institutions (‘anti-money laundering’). These duties result in the collection of additional personal data of citizens. This concerns not only the identification of natural persons, but also the collection of data on and from natural persons involved in organizations. This may include directors and representatives of legal entities as well as the ultimate stakeholders. Customers often find themselves having to share confidential data with financial institutions in an insecure way. Please note that this is not only about crimes that can harm the customer or the financial institution. Institutions must actively check whether their own customers are holding criminal money and must report any suspicions of crime (‘unusual transactions’) to a section of the Dutch police: the Financial Intelligence Unit (FIU). The EU is currently working on a set of regulations, also known as the Anti-Money Laundering (AML) package, which will radically change the way in which companies combat crime. As a result of new regulations, more and more financial data will be transfered by companies to public authorities.
- Identification through biometrics among other ways. Banks and other financial institutions have to identify their customers, first and foremost to find out (under private law) with whom they are entering into an agreement, and secondly because anti-money laundering rules require it. There is some fuss about identification efforts, partly because banks now want to ‘re-identify’ existing customers, sometimes requiring biometric data in the process.
- UBO Register. Part of the crime-fighting duties of banks and designated enterprises, is that they must identify the ultimate beneficial owners (UBOs) of their customers and verify the accuracy of their customers’ registration with the UBO Register. Privacy First has litigated against the UBO Register and is now awaiting the outcome of similar cases pending before the European Court of Justice.
- Black lists. As part of crime fighting efforts and in order to protect financial interests, blacklists of ‘suspicious’ and convicted customers are created in the financial sector. There are two such lists, known as the internal referral register (Dutch abbreviation: ‘IVR’) and the external referral register (‘EVR’). The rules for these registers are laid out in ‘PIFI’, the Protocol Incident Warning System for Financial Institutions. Insurers have a complete overview of all claims that insurees have submitted to them. Increasingly, other companies with crime-fighting duties also want to create blacklists.
- Provision of data to public authorities (data reporting). Financial institutions, employers and, in the future, platforms too are required to provide data to public authorities. Within the framework of the obligation to provide information, many confidential data are collected from customers. One particular example is the obligation of financial institutions to collect customer data for the purpose of taxation by other countries. In this respect, the Foreign Account Tax Compliance Act (FATCA) is well known. It’s the US law that requires financial institutions around the world to provide free services to the US tax authorities, which relates not only to tax residents of the US and persons with property in or income from the US, but also anyone who has US citizenship (even if these people are without any real ties to the country, so-called ‘accidental Americans’). The Netherlands has entered into a FATCA treaty with the US and also participates in the ‘Common Reporting Standard’ (CRS), that many (EU) countries have implemented.
- Merchants in financial (personal) data. A number of very large and little-known parties are active on behalf of financial institutions, collecting financial and other data on both consumers and the natural persons involved in various organizations. These data are sold to financial institutions, among others, as credit information and as anti-money laundering information. Although these merchants must comply with the General Data Protection Regulation, they usually don’t, so the people whose data are being sold are not aware of the presence of their data with those merchants, nor can they verify whether the data are accurate and whether they were obtained lawfully. In other words, these people cannot exercise their GDPR rights. According to Privacy First, these merchants should be required to be licensed, just as financial institutions are, with a strong regulator and a strict review of executives.
- The Dutch Credit Registration Office (Bureau Kredietregistratie, BKR). This is a foundation recognized by the government and established by the financial sector to register data for the benefit of that sector.
What will Privacy First be doing?
Financial privacy covers a wide and complex area, which makes it difficult to tackle the issues surrounding this topic. In recent years, Privacy First has been active on the following subtopics:
- The UBO Register;
- The preservation of cash and anonymous means of payment.
 See for example https://ellentimmer.com/2015/12/23/gegevensuitwisseling/ (in Dutch).
Renewed attempt by the Dutch Ministry of the Interior to introduce a centralized biometric database
Over a decade ago, around the years 2009-2011, there was enormous social resistance in the Netherlands to a centralized database containing the biometric data (fingerprints and facial scans) of all Dutch citizens. The development of that database was halted in early 2011 over privacy concerns. However, the Dutch State Secretary for Digital Affairs, Alexandra van Huffelen, now seems intent on introducing such a database after all. Below you find the first response of Privacy First to the recent internet consultation on this wretched plan:
The Privacy First Foundation was perplexed to learn of your intention to amend the Dutch Passport Act in order to create a centralized database of everyone's biometric data (including facial scans and – for the time being – ‘temporary’ fingerprints). This comes after the original plan for such a database was binned in 2011, and rightly so, following two years of large-scale resistance from all sections of Dutch society and all sorts of legal, political, administrative and technical objections. Back then, not a single public official could be found even within the Dutch Ministry of the Interior who dared to openly advocate the development of such a database. In the years since, this ‘progressive insight’ within your ministry has apparently disappeared entirely, which is remarkable at a time when international developments compel you not to forget the historical lessons about the risks of centralized population registers. A centralized biometric database inevitably creates an extremely risky target for people with malicious intent. The necessity and proportionality of such a database are not amply elaborated in the draft Explanatory Memorandum to the current Bill, in fact, are not elaborated at all and, for that matter, are inconceivable. Moreover, experience has shown that such databases will always be used and abused over time for all kinds of unforeseen purposes (function creep) and that original retention periods will be stretched further and further. In this context, Privacy First would like to remind you of the fact that the previously planned centralized biometric database included clandestine, secluded access to the Dutch secret services (who, to this end, were also involved in the development of this database), one of which – the General Intelligence and Security Service (AIVD) – in the end considered the realization of this database too hazardous. There is no reason to believe the considerations of that time should not apply today.
Ever since Privacy First was founded in 2008, we have opposed the mandatory collection of fingerprints for passports and identity cards. Since the introduction of the new Passport Act in 2009, Privacy First has done this through lawsuits, campaigns, Freedom of Information Act requests, political lobbying and outreach to the media. Despite the subsequent termination of the (planned) centralized storage of fingerprints in both a national and municipal databases in 2011, fingerprints are still taken of everyone applying for a passport and again also for Dutch identity cards (under the new EU regulation on strengthening the security of identity cards), after this requirement was abolished in 2014. To date, however, all of the millions of fingerprints collected from virtually the entire Dutch adult population have in practice not been used, or have hardly been used as this had already proved to be technically unsound and unworkable in 2009. The compulsory collection of everyone’s fingerprints under the Passport Act is therefore still the most massive and longest-lasting privacy violation that the Netherlands has ever known. Against this background, we request you to withdraw the present draft bill and to replace it with a new bill to abolish the taking of fingerprints under the Passport Act, even if that runs counter to European policy. Please take the following into account:
1. Already in May 2016, the Dutch Council of State (Raad van State) ruled that fingerprints in Dutch identity cards violate the right to privacy due to a lack of necessity and proportionality, see https://www.raadvanstate.nl/pers/persberichten/tekst-persbericht.html?id=956.
2. Freedom of Information Act requests from Privacy First have shown that the phenomenon to be defeated (lookalike fraud through passports and identity cards) is so small in scale that the compulsory taking of everyone’s fingerprints to make an end tot this problem, is completely disproportionate and therefore unlawful. See https://www.privacyfirst.nl/rechtszaken-1/wob-procedures/item/524-onthullende-cijfers-over-look-alike-fraude-met-nederlandse-reisdocumenten.html.
3. The fingerprints in passports and identity cards previously had a biometric error rate of no less than 30%, see https://zoek.officielebekendmakingen.nl/kst-32317-163.html (State Secretary Fred Teeven, January 31, 2013). Before that, Minister Piet Hein Donner admitted there’s an error rate of 21-25%: see https://zoek.officielebekendmakingen.nl/kst-25764-47.html (27 April, 2011). How high are these error rates in 2022?
4. Partly because of the aforementioned high error rates, the fingerprints in passports and identity cards have hardly been used to date, neither in the Netherlands nor at the national borders or airports.
5. Because of these high error rates, former State Secretary Ank Bijleveld instructed all Dutch municipalities as early as September 2009 to refrain in principle from fingerprint verifications when issuing passports and identity cards. In the event of a ‘mismatch’, the ID document concerned would have to be returned to the passport manufacturer, which would lead to rapid social disruption if the number of such cases were high. In this context, the Ministry was also concerned about possible large-scale unrest and even violence at municipal counters. These concerns and the instruction of State Secretary Bijleveld still apply today.
6. A statutory exception must still be created for people who, for whatever reason, do not wish to have their fingerprints taken (biometric conscientious objectors, Article 9 ECHR).
For further background information on the biometric passport, see the report by the Advisory Council on Government Policy (WRR) titled ‘Happy Landings’, written in 2010 by the undersigned. Partly as a result of this critical report (and large-scale legal action by Privacy First against the Passport Act), the decentralized (municipal) storage of fingerprints was largely abolished in 2011 and the planned centralized storage of fingerprints was discontinued.
We sincerely hope that it will not have to come to another lawsuit by Privacy First to turn the tide.
If desired, we would be happy to elaborate on the above aspects in greater detail.
Privacy First Foundation
Source: https://www.internetconsultatie.nl/biometrischegegevenspaspoortwet/b1 --> reacties --> reactie directeur Privacy First (Vincent Böhre) dated May 31, 2022.
Privacy First warns Dutch Senate about fingerprints in identity cards
The controversial and compulsory inclusion of fingerprints in passports has been in place in the EU since 2009. From that year on, fingerprints were also included in Dutch identity cards, even though under EU law there was no such obligation. While the inclusion of fingerprints in identity cards in the Netherlands was reversed in January 2014 due to privacy concerns, there is now new European legislation that will make the inclusion of fingerprints in identity cards compulsory as of August 2, 2021.
Dutch citizens can apply for a new identity card without fingerprints until August 2. After that, only people can do so who are ‘temporarily or permanently unable physically to have fingerprints taken’.
The Dutch Senate is expected to debate and vote on the amendment of the Dutch Passport Act in connection with the reintroduction of fingerprints in Dutch identity cards on July 13. In that context, Privacy First sent the following email to the Dutch Senate yesterday:
Dear Members of Parliament,
Since Privacy First was founded in 2008, we have opposed the mandatory collection of fingerprints for passports and identity cards. Since the introduction of the new Passport Act in 2009, Privacy First has done so through lawsuits, campaigns, freedom of information requests, political lobbying and by activating the media. Despite the subsequent Dutch discontinuation of the (planned) central storage of fingerprints in both national and municipal databases in 2011, everyone’s fingerprints are still taken when applying for a passport, and soon (as a result of the new European Regulation on ID cards) again for Dutch ID cards after this was retracted in 2014.
To date, however, the millions of fingerprints taken from virtually the entire adult population in the Netherlands have hardly been used in practice, as the biometric technology had already proven to be unsound and unworkable in 2009. The compulsory collection of everyone’s fingerprints under the Dutch Passport Act therefore still constitutes the most massive and longest-lasting privacy violation that the Netherlands has ever known.
Having read the current report of the Senate on the amendment of the Passport Act to reintroduce fingerprints in ID cards, Privacy First hereby draws your attention to the following concerns. In this context, we ask you to vote against the amendment of the law, in contravention of European policy. After all:
- As early as May 2016, the Dutch Council of State (Raad van State) ruled that fingerprints in Dutch identity cards violated the right to privacy due to a lack of necessity and proportionality, see https://www.raadvanstate.nl/pers/persberichten/tekst-persbericht.html?id=956 (in Dutch).
- Freedom of information requests from Privacy First have revealed that the phenomenon to be tackled (look-alike fraud with passports and identity cards) is so small in scale that the compulsory collection of everyone’s fingerprints is completely disproportionate and therefore unlawful. See: https://www.privacyfirst.nl/rechtszaken-1/wob-procedures/item/524-onthullende-cijfers-over-look-alike-fraude-met-nederlandse-reisdocumenten.html.
- In recent years, fingerprints in passports and identity cards have had a biometric error rate as high as 30%, see https://zoek.officielebekendmakingen.nl/kst-32317-163.html (Dutch State Secretary Teeven, January 31, 2013). Before that, Minister Donner (Security & Justice) admitted an error rate of 21-25%: see https://zoek.officielebekendmakingen.nl/kst-25764-47.html (April 27, 2011). How high are these error rates today?
- Partly because of the high error rates mentioned above, fingerprints in passports and ID cards are virtually not used to date, either domestically, at borders or at airports.
- Because of these high error percentages, former Dutch State Secretary Bijleveld (Interior and Kingdom Relations) instructed all Dutch municipalities as early as September 2009 to (in principle) refrain from conducting biometric fingerprint verifications when issuing passports and identity cards. After all, in the event of a ‘mismatch’, the ID document concerned would have to be returned to the passport manufacturer, which would lead to rapid societal disruption if the numbers were high. In this respect, the Ministry of the Interior and Kingdom Relations was also concerned about large-scale unrest and even possible violence at municipal counters. These concerns and the instruction of State Secretary Bijleveld still apply today.
- Since 2016, several individual Dutch lawsuits are still pending at the European Court of Human Rights in Strasbourg, challenging the mandatory issuing of fingerprints for passports and ID cards on the grounds of violation of Art. 8 ECHR (right to privacy).
- In any case, an exception should be negotiated for people who, for whatever reason, do not wish to give their fingerprints (biometric conscientious objectors, Art. 9 ECHR).
- Partly for the above reasons, fingerprints have not been taken for the Dutch identity card since January 2014. It is up to your Chamber to maintain this status quo and also to push for the abolition of fingerprints for passports.
For background information, see the report ‘Happy Landings' by the Scientific Council for Government Policy (WRR) that Privacy First director Vincent Böhre wrote in 2010. Partly as a result of this critical report (and the large-scale lawsuit brought by Privacy First et al. against the Passport Act), the decentralized (municipal) storage of fingerprints was largely abolished in 2011 and the planned central storage of fingerprints was halted.
For further information or questions regarding the above, Privacy First can be reached at any time.
The Privacy First Foundation
The Corona crisis underlines the importance of privacy
The world is hit exceptionally hard by the coronavirus. This pandemic is not only a health hazard, but can also lead to a human rights crisis, endangering privacy among other rights.
The right to privacy includes the protection of everyone’s private life, personal data, confidential communication, home inviolability and physical integrity. Privacy First was founded to protect and promote these rights. Not only in times of peace and prosperity, but also in times of crisis.
Now more than ever, it is vital to stand up for our social freedom and privacy. Fear should not play a role in this. However, various countries have introduced draconian laws, measures and infrastructures. Much is at stake here, namely preserving everyone’s freedom, autonomy and human dignity.
Privacy First monitors these developments and reacts proactively as soon as governments are about to take measures that are not strictly necessary and proportionate. In this respect, Privacy First holds that the following measures are in essence illegitimate:
- Mass surveillance
- Forced inspections in the home
- Abolition of anonymous or cash payments
- Secret use of camera surveillance and biometrics
- Every form of infringement on medical confidentiality.
Privacy First will see to it that justified measures will only apply temporarily and will be lifted as soon as the Corona crisis is over. It should be ensured that no new, structural and permanent emergency legislation is introduced. While the measures are in place, effective legal means should remain available and privacy supervisory bodies should remain critical.
Moreover, in order to control the coronavirus effectively, we should rely on the individual responsibility of citizens. Much is possible on the basis of voluntariness and individual, fully informed, specific and prior consent.
As always, Privacy First is prepared to assist in the development of privacy-friendly policies and any solutions based on privacy by design, preferably in collaboration with relevant organizations and experts. Especially in these times, the Netherlands (and the European Union) can become an international point of reference when it comes to fighting a pandemic while preserving democratic values and the right to privacy. This is the only way that the Corona crisis will not be able to weaken our world lastingly, and instead, we will emerge stronger together.
Dutch Council of State: mass storage of fingerprints in databases unlawful
Mass storage of fingerprints violates the right to privacy
Following the Court of Appeal of The Hague, today the Dutch Council of State (Raad van State) judged that municipal (‘decentral’) storage of fingerprints under the Dutch Passport Act is unlawful on account of violation of the right to privacy. The Council of State reached this conclusion in seven administrative law cases of Dutch individual citizens (supported by civil organization Vrijbit). At the start of 2014, the Court of Appeal of The Hague handed down a similar ruling in the civil Passport case by the Privacy First Foundation and 19 (other) citizens against the Dutch government. Subsequently however, our Passport trial was declared inadmissible by the Dutch Supreme Court and was redirected to the administrative judge: the Dutch Council of State. Privacy First then submitted its entire case file to the Council of State in order to reinforce the individual passport cases pending before this body. The Council of State (the supreme administrative court of the Netherlands) now rules similar to the way the Court of Appeal of The Hague has done before. Notwithstanding the later inadmissibility before the Supreme Court, the ban on the storage of everyone’s fingerprints in databases thus stands firm once again.
Faulty judgement and procedure
As was the case with the previous judgement by the Court of Appeal of The Hague, Privacy First regrets that the Council of State was unwilling to declare the storage of fingerprints unlawful on strictly principal grounds (that is, because of a lack of societal necessity, proportionality and subsidiarity), but merely on the basis of technical imperfections. Therefore, Privacy First will advise the concerned citizens to keep on litigating all the way up to the European Court of Human Rights (ECtHR) in Strasbourg. Considering the existing Strasbourg case law, there is a high likeliness that the Netherlands will still be condemned on principal grounds on account of violation of the right to privacy (art. 8 European Convention on Human Rights, ECHR). Privacy First also expects a condemnation on account of violation of the right of access to justice and an effective legal remedy (art. 6 and 13 ECHR). After all, civil litigation against the Dutch Passport Act proved to be impossible, and administrative legal action was possible only indirectly after the rejection of individual requests for new passports or ID cards (in case the applicants refused to have their fingerprints taken). In order to obtain their current victory before the Council of State, these citizens thus have had to get by for years without passports or ID cards, with all the problems and risks this entailed.
Exceptions for conscientious objectors
In today’s judgement, the Council of State also decided that the compulsory taking of two fingerprints for a new passport applies equally to everyone and that there can be no exceptions for people who do not want to have their fingerprints taken out of conscientious objections. Privacy First is doubtful whether this verdict will stand the scrutiny of the ECtHR. Apart from a violation of the right to privacy, it seems this decision is also in breach of the freedom of conscience (art. 9 ECHR). The fact that the European Passport Regulation does not include such an exception is irrelevant as this Regulation is subordinate to the ECHR.
RFID chips and facial scans
Privacy First also deplores the fact that the Council of State was not prepared to make a critical assessment of the risks of Radio Frequency Identification (RFID) chips (which include sensitive personal data that can be read remotely) in passports and ID cards. The same goes for the compulsory storage of facial scans in municipal databases. But these aspects, too, can still be challenged in Strasbourg.
Municipalities’ own responsibility
A small ray of hope in the judgement by the Council of State is that municipalities and mayors have their own responsibility to respect human rights (including the right to privacy) independently, even if this means independently refraining from applying national legislation because it violates higher international or European law:
"Insofar as the mayor claims that there is no possibility to deviate from the provisions (laid down in national law), the [Council of State] holds that pursuant to Article 94 of the [Dutch] Constitution, current statutory provisions within the Kingdom [of the Netherlands] do not apply if such application is not compatible with any binding provisions of treaties and of resolutions of international organizations.’’ (Source in Dutch, paragraph 6.)
This decision by the Council of State applies to all domains and could have far-reaching consequences in the future.
New ID cards for free
The ruling of the Council of State entails that for applications of new ID cards, fingerprints have been taken (and stored) on a massive scale but without a legal basis since 2009. Accordingly, Privacy First advises everyone in the possession of an ID card with fingerprints to change it (if desired) at his or her municipality for a free new one without fingerprints. If municipalities refuse to offer this service, Privacy First reserves the right to take new legal steps in this regard.
Dutch Supreme Court passes on Passport Trial to Council of State
After years of legal proceedings against the storage of fingerprints under the Dutch Passport Act — one of the gravest privacy violations in the Netherlands — Privacy First and 19 co-plaintiffs were declared inadmissible by the Dutch Supreme Court.
Since May 2010, a large-scale lawsuit against the central storage of fingerprints under the Dutch Passport Act by Privacy First and 19 co-plaintiffs (Dutch citizens) has been under way. This so-called 'Passport Trial' was a civil case because with regard to the merits of the case, individual citizens were not able to turn to an administrative court.
Citizens could only go to an administrative court if they would first provoke an individual decision: an administrative refusal to issue a passport or ID card after an individual refusal to give one's fingerprints. Hence, they could only litigate on an administrative level if they were prepared to live without a passport or ID card for years.
Moreover, the provision in the Passport Act on the central storage of fingerprints (Article 4b) still hasn't entered into force. Therefore, the administrative courts were unauthorized to assess this provision. Moreover, contrary to other countries, a direct administrative appeal against Dutch law (Acts and statutes) isn't possible in the Netherlands.
Subsequently, an administrative court would only have been able to individually and indirectly ("exceptionally") assess this provision on the basis of higher privacy legislation after that same provision would have entered into force, that is to say, after the central storage (and exchange) of everyone's fingerprints would have become a fait accompli.
To prevent such a massive violation of privacy, only the civil courts were authorized to rule in the case of Privacy First et al. For many years civil courts have been the perfect type court for the direct assessment of national legislation on the basis of higher (privacy) legislation, even if the national legislation in question has not yet entered into force but does entail an imminent privacy violation.
As a relevant foundation, Privacy First was able to take civil action in the general interest, on behalf of the Dutch population at large. Since the early 90s this is possible via a special procedure under Article 3:305a of the Dutch Civil Code: the so-called "action of general interest." Up until May 2010, when Privacy First et al. summoned the Dutch government, the Dutch Supreme Court seemed to have given the green light for this.
However, in July 2010, the Supreme Court disregarded its earlier case law by declaring that interest groups can only turn to a civil court if individual citizens cannot pursue legal proceedings before an administrative court. But in Privacy First's Passport Trial, citizens could not apply to an administrative court. So Privacy First et al. still had a very strong case. What's more, the admissibility criteria of the Supreme Court seemed not to apply to actions of general interest, but merely to 'group actions' that are organized on behalf of a specific group of people instead of the entire population.
In February 2011, the district court of The Hague wrongly declared our Passport Trial inadmissible. This decision was subsequently appealed by Privacy First et al. Courtesy also of the pressure exerted by this appeal, the central (as well as municipal) storage of fingerprints was largely discontinued in the summer of 2011 and the taking of fingerprints for Dutch ID Cards was halted altogether at the start of 2014.
In February 2014, The Hague Court of Appeal declared Privacy First — in the general interest — admissible after all and judged that the central storage of fingerprints under the Passport Act was in violation of the right to privacy. The Dutch Minister of the Interior, Ronald Plasterk, was not amused and demanded an appeal in cassation before the Dutch Supreme Court.
Against all odds (as Privacy First had virtually all Dutch legislation, legislative history, case law and legal literature on its side), on May 22, 2015, the Dutch Supreme Court declared Privacy and its 19 co-plaintiffs inadmissible once more. According to the Supreme Court, the citizens can turn to an administrative court, which has also blocked the road to a civil court for Privacy First.
All this while in the last few years it had been established that the co-plaintiffs could not turn to an administrative court, at least not for the review of Article 4b of the Passport Act concerning the central storage of fingerprints. In innumerable administrative cases over the past few years, judges of various Dutch administrative courts have declined jurisdiction in this respect. That meant that for Privacy First as an interested organization, the road to an administrative court was equally blocked.
The fact that the Supreme Court rules as if that isn't so is simply incomprehensible. Furthermore, litigating citizens can neither be expected to get by without a passport for years, nor can they be expected to first let their privacy be violated (giving up fingerprints, even for storage) before a judge can determine whether this is legal. The fact that the Supreme Court seems to require this just the same is not just inconceivable (as well as in breach of its own case law) but also reprehensible.
Gap in the legal protection
The ruling by the Dutch Supreme Court creates a legal vacuum in the Netherlands: if citizens or organizations want massive and imminent privacy violations, such as the central storage of fingerprints under the Passport Act, to be reviewed, then they may not be able to turn to either a civil or an administrative court. This creates a gap in the legal protection that has been in place in the Netherlands over the past few decades.
The Supreme Court may now have passed on this case to the highest Dutch administrative court (the Council of State), but it's all but certain that the Council of State is able and still prepared to review the central storage of fingerprints under the Passport Act. In light of this, the Supreme Court should have waited for the ruling by the Council of State in four current and parallel administrative cases revolving around the Passport Act, prior to coming up with its ruling in Privacy First's Passport Trial. By not doing this, the Supreme Court has taken a huge risk, has prematurely stepped into the shoes of the Council of State and has put the Council of State under severe pressure.
If the Council of State were soon to judge differently than the Supreme Court (that is to say, if the Council of State would judge that it is equally unauthorized to rule in this matter), the two institutions would make an enormous blunder and would create a huge gap in the legal protection in the Netherlands, in contravention of the European Convention on Human Rights (ECHR)
Multiple ECHR violations
Privacy First et al. await the ruling of the Council of State with considerable anticipation. In the meantime, Privacy First et al. will already prepare to file a complaint with the European Court of Human Rights in Strasbourg on account of a breach of Article 8 ECHR (right to privacy) and Articles 6 and 13 EHCR (right to access to justice and an effective legal remedy). Despite the Kafkaesque anti-climax before the Dutch Supreme Court, a European conviction of the Netherlands would thus be on the cards once the complaint has been filed.
Read the entire judgment by the Dutch Supreme Court HERE (in Dutch).
Click HERE for our entire case file.
A similar version of this article was published on http://www.liberties.eu/en/news/bad-day-for-privacy-in-the-netherlands.
EU Court leaves judgment on storage of fingerprints to national judge
Today, the European Court of Justice in Luxembourg (EU Court) has come up with its long awaited judgment in four Dutch cases related to the storage of fingerprints under the Dutch Passport Act. The EU Court did so at the request of the Dutch Council of State. The EU Court deems the storage of fingerprints in databases to fall outside the scope of the European Passport Regulation. Therefore, the Court leaves the judicial review of such storage to national judges and the European Court of Human Rights.
Cause for the ruling
In all four Dutch cases citizens refused to give their fingerprints (and facial scans) when they requested a new Dutch passport or ID card. For this reason, their requests for a new passport or ID card were rejected. In 2012, their subsequent lawsuits ended up before the Dutch Council of State (Raad van State), which decided to ask the EU Court to clarify relevant European law (European Passport Regulation) before coming up with its own ruling. Subsequently, in 2013, the EU Court judged in a similar German case that the obligation to give ones fingerprints under the Passport Regulation is not unlawful. However, in this case, the EU Court failed to carry out a thorough review on the basis of the privacy-related legal requirements of necessity and proportionality. Moreover, the EU Court refused to merge the (more substantiated) Dutch cases with the German one, even though this was an explicit request from the Council of State. The ruling of the EU Court in the German case presented the Council of State (along with 300 million European citizens) with a disappointing fait accompli. During the case before the EU Court at the end of 2014, new arguments and new evidence in the Dutch cases fell on deaf ears: the EU Court wished not to deviate from the German case and appeared uninterested in the, by now, proven lack of necessity and proportionality of taking fingerprints (low passport fraud rates) and the enormous error rates when it comes to the biometric verification of fingerprints (25-30%). In that sense, the current ruling of the EU Court comes as no surprise to the Privacy First Foundation.
Bright spot: ID card without fingerprints
The only chink of light in the ruling of the EU Court is the confirmation that national ID cards don't fall within the scope of the European Passport Regulation. The Dutch government seemed to have already been anticipating this judgment by ending the compulsory taking of fingerprints for ID cards as of January 20, 2014. In this respect, the ruling of the EU court doesn't bring any change to the current situation in the Netherlands, but it does confirm that the introduction of ID cards without fingerprints at the start of 2014 was the right choice of the Dutch government. Most other EU Member States have never actually had ID cards with fingerprints; under the European Passport Act, the compulsory taking of fingerprints only applied to passports. The fact that in between 2009 and 2014 the Netherlands wished to go further than the rest of Europe, was therefore at its own risk.
EU Court leaves judgement on database storage of fingerprints to national judges and the European Court of Human Rights
The EU Court in Luxemburg rules that possible storage and use of fingerprints in databases doesn't fall within the scope of the European Passport Regulation and leaves the judicial review of such storage to national judges and the European Court of Human Rights in Strasbourg. However, in various (over a dozen) pending individual cases in the Netherlands against the Dutch Passport Act, administrative judges have so far always decided that such judicial review falls outside of their powers, as the relevant provisions of the Passport Act have not (yet) entered into force. It's now up to the Council of State to adjudicate on this matter. At the same time, the Dutch Supreme Court is currently looking into the collective civil Passport Trial of Privacy First and 19 co-plaintiffs (citizens), where such judicial review has already successfully been carried out by the Hague Court of Appeal and is now before the Supreme Court. In February 2014, the Hague Court of Appeal rightly judged that central storage of fingerprints is in breach of the right to privacy. In that sense the case of Privacy First is in line with the EU Court: review of database storage by a national judge, possibly followed by the European Court of Human Rights. Current individual cases before the Council of State may soon be resumed before the European Court of Human Rights as well. Privacy First hopes that this complex interaction between different judges will lead to the desired results with regard to privacy: a repeal of the taking and storage of fingerprints for passports!
Read the entire ruling of the EU Court HERE.
Update 17 April 2015: unfortunately, the ruling of the EU Court led to a lot of misleading media reporting in the Netherlands through Dutch press agency ANP (for example in Dutch national newspaper Volkskrant). Better comments can be found at the website of SOLV Attorneys, in this blog post by British professor Steve Peers and in Dutch newspaper Telegraaf, translated below:
A database with fingerprints, relinquished by people who request a new passport, seems to have come a step closer. This could be deduced from a ruling of the European Court of Justice.
The Council of State asked the judges in Luxembourg for an opinion on four cases of citizens who refused to give their fingerprints. They appealed not getting a passport because of this. In a similar German case, the EU Court ruled that the compulsory taking of fingerprints isn't unlawful under European law.
Yesterday, the EU Court ruled in the Dutch case that the storage of fingerprints is a responsibility of the Member States. So the national judge will have to review this. As the only Member State, the Netherlands wanted a central register of fingerprints: a register that would even be accessible by secret services. The Passport Act that regulated this has not yet entered into force and last year the Hague Court of Appeal ruled that the central storage is in breach of the right to privacy.
Research points out that such a database brings along many risks, varying from security leaks to improper use and criminal manipulation. This proves that the whole system is a monstrosity that should never be introduced."
Source: Telegraaf 17 April 2015, p. 2.
Lexology (United Kingdom), 15 July 2014: 'Dutch government violated article 8 ECHR by requesting and saving personal data in central register'
"Recently, the Court of Appeal of The Hague held that the storage of Dutch citizens' personal data in a central register is an unjustified violation of the right to privacy.
In light of, amongst other things, the implementation of the European regulation on standards for security features and biometrics in passports and travel documents, and to comply with this regulation, the Dutch Passport Act was amended in 2009. This new Passport Act states that future passports would have to contain a chip with a digital facial image and two fingerprints of each applicant. The Dutch government therefore planned to create a central register to hold the facial image files and four fingerprints of each applicant (two of which are included in the passport for identity verification). This new register would also serve other purposes: it would help passport fraud control, and it would allow applicants to renew their passport in any municipality in the Netherlands. The national government acknowledged that the request and saving of these personal data would form a violation of the right to privacy of Dutch citizens, but the government stated that the data storage was proportionate and justified, considering the intended purposes.
The interest group Privacy First disagreed with the government. This group, which seeks to publicly promote the enhancement and preservation of the right to privacy, believed that the creation of this central register violates this fundamental right enshrined in several international laws and regulations. The group launched legal proceedings against the Dutch government. The district court of The Hague ruled that Privacy First did not have a cause of action. Privacy First then appealed against this verdict.
Remarkably, the government meanwhile reviewed their amendments to the new Passport Act. The government concluded that the storage of these personal data in a central register did not achieve its purpose, namely passport fraud control via one's identity verification. Therefore, the Act's provisions that related to the storage of personal data in a central register would be suspended. Furthermore, the number of fingerprints to be taken for the filing would be reduced from four to two in accordance with European regulation.
On appeal, the Court of Appeal ruled that since Privacy First and the government now share the same views about the central register, Privacy First would have lost its standing in their cause of actions, so it dismissed the interest group's claims. However, the Court of Appeal found that the district court had erred when it held that Privacy First did not have a cause of action at the time. Since Privacy First is an interest group advocating the protection of the general interest of Dutch nationals' right to privacy, it should have been able to bring proceedings before the civil court according to Article 3:305 of the Dutch Civil Code (Burgerlijk Wetboek). This would only have been different if the interest group had represented the combined interest of individuals. The Court of Appeal further ruled that Privacy First incurred a financial risk.
The Court of Appeal also ruled that in view of all the circumstances of the case at first instance, the district court should have ruled in favour of Privacy First concerning their arguments against the setting up of a central register. This central register's storage of Dutch citizens' personal data is an unjustified violation of one's right to privacy enshrined in Article 8 ECHR because it did not fulfill its purpose. The Court of Appeal understands that this was a violation from the start, but this had only become evident after the first ruling."
Source: http://www.lexology.com/library/detail.aspx?g=27bf8f03-ada9-47d4-ac7f-4e4aece29cd3, 15 July 2014.
ZDNet, 19 Feb. 2014: 'No, you can't store people's fingerprints in a central database, Dutch court rules'
"The Court of Justice in the Hague has ruled that fingerprints gathered from individuals getting a new passport can't be held centrally and used in criminal investigations.
Dutch authorities have been prevented from storing citizens' fingerprints in a central database following a ruling this week by the Court of Justice in the Hague.
In the Netherlands, individuals' fingerprints are gathered by the local municipality when they apply for a new passport. The government had proposed gathering those different sets of fingerprints into a central database, which could then be accessed by police for the purposes of matching fingerprints found in criminal investigations.
However, the system turned out to be far from perfect — 21 percent of fingerprints collected by the authorities in the Netherlands were unusable to identify individuals.
The court found such a high level unacceptable: "This can mean nothing other than the storage of fingerprints in a central register is not suitable for the purpose originally envisioned, that is, the determination and verification of one's identity.
"This means that it is also not suitable for the prevention of identity fraud or for the process of requesting a new travel document or using a travel document, which is one of the main purposes of the Act [the legislation which requires fingerprints in Dutch passports]. Therefore the conclusion is that the invasion of privacy formed by the central storage of fingerprints is unjustified."
No immediate effect
Although the ruling is a significant victory for Privacy First, the privacy group that brought the case before the Court of Justice, it won't have immediate consequences for the Dutch government.
The European Court of Justice had already ruled in October last year that the directive requiring European member states to include two fingerprints in their passports did not provide a legal basis for then also including all citizens' prints in a central repository.
In addition, the court stipulated that fingerprints given by individuals for such purposes could not to be used for criminal investigations.
However, according to Christiaan Alberdingk Thijm, the lawyer representing Privacy First, the ruling will have a bearing on any future government attempts to collect sensitive data, such as photos.
"This is not only good news for those opposing plans of a central fingerprint database, but for those opposing any central government owned database," he said."
Source: http://www.zdnet.com/no-you-cant-store-peoples-fingerprints-in-a-central-database-dutch-court-rules-7000026505/, 19 February 2014.
Hague Court of Appeal: central storage of fingerprints unlawful
In a groundbreaking judgment, the Hague Court of Appeal has today decided that centralised storage of fingerprints under the Dutch Passport Act is unlawful. The Privacy First Foundation and 19 co-plaintiffs (Dutch citizens) had put forward this legal issue to the Court of Appeal in a so-called 'action of general interest' ("algemeen-belangactie"). In February 2011, the district court of The Hague had declared Privacy First inadmissible. Because of this, the district court couldn't address the merits of the case. The Court of Appeal has now declared Privacy First to be admissible after all and has quashed the judgment of the district court. Moreover, the Appeals Court deems centralised storage of fingerprints under the Dutch Passport Act to be unlawful since it violates the right to privacy. Therefore it seems that centralised storage of fingerprints under the Dutch Passport Act will be shelved once and for all.
In May 2010, Privacy First et al. took the Dutch government (Ministry of Home Affairs) to court on account of the centralised storage of fingerprints under the new Dutch Passport Act. Such storage had mainly been intended to prevent small-scale identity fraud with Dutch passports (look-alike fraud).
Partly due to the pressure exerted by this lawsuit of Privacy First, central storage of fingerprints was brought to a halt in the Summer of 2011. The judgment by the Hague Court of Appeal has now made any future centralised storage of fingerprints legally impossible: the Court deems centralised storage of fingerprints an "inappropriate means" to prevent identity fraud with travel documents. According to the Court "this cannot but lead to the conclusion that the infringement upon the right to privacy caused by centralised storage of fingerprints is not justified. In that regard the district court should have awarded the claim of Privacy First." (Para. 4.4.)
This is a great victory for Privacy First and for all the citizens who have stood up against centralised storage of fingerprints under the Dutch Passport Act in recent years. The judgment by the Court also paves the way for Privacy First (and other civil society organizations) to continue to initiate lawsuits in the general interest for the preservation and promotion of the right to privacy, for example the new lawsuit by Privacy First et al. against the Dutch government on account of illegal data espionage (NSA case). Recently the Dutch State Attorney deemed Privacy First to be admissible in this case too. These developments are a great impetus for Privacy First to continue to take legal steps in the coming years for the sake of everyone's right to privacy.
Read the entire judgment by the Hague Court of Appeal HERE (pdf in Dutch; for a text-version on the website of the Netherlands Judiciary, click HERE).
Click HERE for the press release by our attorneys of Bureau Brandeis.
Update 21 May 2014: the Dutch government appears to be a sore loser: earlier this week the State Attorney has lodged an appeal (in Dutch: 'cassatie') against the ruling of the Hague Court of Appeal at the Supreme Court of the Netherlands; click HERE (pdf in Dutch) for the appeal summons. The Dutch government wants Privacy First to be declared inadmissible after all and calls on the Supreme Court to still declare central storage of fingerprints lawful. This must not happen. Privacy First is considering its options in its own defence.
Update 21 November 2014: today Privacy First et al. have submitted to the Supreme Court their statement of defence against the appeal summons; click HERE for the document (pdf in Dutch). In the appeal, Privacy First et al. are being represented by Alt Kam Boer Attorneys in The Hague; this law-office is specialised in Supreme Court litigation. On behalf of the Dutch government (Ministry of Home Affairs) the State Attorney has today submitted a written explanation to the previous appeal summons; click HERE (pdf in Dutch). The next steps could consist of a written reply and rejoinder, followed by advice (''conclusion'') from the Procurator General at the Supreme Court (to which Privacy First et al. would be able to respond) and a judgment by the Supreme Court midway through 2015.
Update 5 December 2014: today Privacy First et al. have delivered an early Christmas present to the Dutch Minister of Home Affairs: our written reply (rejoinder) to the recent explanation of the Ministry of Home Affairs to the previous appeal summons. Click HERE for the document (pdf in Dutch). The Dutch government, in turn, submitted a short reply to the recent statement of defence by Privacy First et al.; click HERE (pdf in Dutch). On 9 January 2015 the Supreme Court will set a date on which the Procurator General will issue his advice.
Update 12 January 2015: the Procurator General at the Supreme Court will issue his advice ("conclusion") on 10 April 2015.
Update 12 March 2015: Much earlier than expected, Advocate General Mr. Jaap Spier delivered his advice (''conclusion'') in the case to the Supreme Court on 20 February 2015; click HERE (pdf in Dutch, 7 MB). Its conservative contents and tone are notable aspects of his advice. Furthermore, the Advocate General wrongfully assumes that the contested provisions of the Dutch Passport Act had never become legislation. While he upholds Privacy First's admissibility, he does so on the wrong legal grounds. Moreover, the Advocate General does not touch on the substance of the privacy issues at all, is incorrect in his view that proceedings could have taken place before an administrative judge and, erroneously, wants Privacy First et al. to still pay for the legal costs of the proceedings. In response to the advice of the Advocate General, within the formal term of two weeks Privacy First submitted a response letter ("Borgers brief") to the Supreme Court; click HERE (pdf in Dutch). No such letter has been submitted by the Dutch State Attorney. Therefore, Privacy First has had the final say in this case. We will now have to wait for the Supreme Court ruling, which is expected later this year.