Under the Corona Pandemic Emergency Act, the Dutch government has the option to introduce all kinds of restrictive measures, including the wide-ranging and mandatory use of face masks. This is unless the Dutch House of Representatives rejects this measure later this week. In this context, Privacy First today has sent the following email to the House of Representatives:
Dear Members of Parliament,
On 19 November, the government submitted to you the Regulation concerning additional requirements for face masks under COVID-19. Under this regulation, wearing a face mask will become mandatory in numerous places (including shops, railway stations, airports and schools) as of 1 December 2020. This obligation can be periodically extended by the government without the consent of Parliament. Based on the Corona Pandemic Emergency Act, you currently have seven days to exercise your right of veto and prevent the entry into force of a wide-ranging face mask obligation. By 26 November at the latest, you will be able to vote on this issue and reject this measure.
The wearing of face masks has been the subject of much public debate for months. Both the government and the National Institute for Public Health and the Environment (RIVM) have repeatedly stated that wearing non-medical face masks is hardly effective in combating the coronavirus. Scientists seem to be divided on this. At the same time, wearing a face mask can also have the opposite effect, i.e. harm people's health. There is a consensus, however, that in a legal sense the compulsory use of face masks is an infringement of the right to privacy and self-determination.
This accordingly falls within the scope of Privacy First. The right to privacy is a universal human right that is protected in the Netherlands by international and European treaties and by our national Constitution. Any infringement of the right to privacy must therefore be strictly necessary, proportionate and effective. If that is not the case, it is an unjustified breach and therefore a violation of the right to privacy, both as a human right and as a constitutional right. As long as the wearing of non-medical face masks to deafeat the coronavirus has not proven effective and can even have adverse health effects, there cannot be any social necessity for the introduction of a general face mask obligation. Such an obligation would thus amount to a social experiment with unforeseen consequences. This is not in keeping with a free and democratic constitutional society under the rule of law. Privacy First therefore advises you to reject the proposed regulation for the introduction of compulsory face masks and instead propose to continue wearing them on a voluntary basis.
The Privacy First Foundation
In the fight against the coronavirus, the Dutch government this week made clear that the introduction of a curfew is imminent. Because of this, Privacy First today has sent the following appeal to the Dutch House of Representatives:
Dear Members of Parliament,
This week the Netherlands finds itself at a historical human rights crossroads: is a nation-wide curfew going to be introduced for the first time since World War II? For Privacy First such a far-reaching, generic measure would be disproportionate and far from necessary in virtually every situation. Moreover, in the fight against the coronavirus the effectiveness of such a measure remains unknown to this date. For that alone, there can be no legally required social necessity of a curfew. A curfew could in fact also be counterproductive, as it would harm the mental and (therefore also) physical health of large groups in society. Besides, a curfew in the Netherlands is yet another step towards a surveillance society. The use of lighter, targeted and more effective measures is always preferable. Should a curfew nonetheless be introduced, Privacy First would consider it a massive violation of the right to privacy and freedom of movement. Privacy First therefore calls on you to not let this happen and to thwart the introduction of a curfew.
The Privacy First Foundation
Update 17 February 2021: this week, in summary proceedings, the district court of The Hague handed down a ground-breaking ruling that says that the curfew was wrongly introduced under the Dutch Extraordinary Powers Act. The current Dutch curfew is therefore unlawful. Moreover, the court found that there are "major question marks regarding the factual substantiation by the State of the necessity of the curfew. (...) Before a far-reaching restriction such as a curfew is introduced, it must be clear that no other, less far-reaching measures are available and that the introduction of the curfew will actually have a substantial effect", stated the court, without the conviction that this was the case. In addition, the court raised the question of why an urgent (but voluntary) curfew advice had not been chosen. The court also noted that "the Dutch Outbreak Management Team, according to the team itself, has no evidence that the curfew will make a substantial contribution to reducing the spread of the virus." All this "makes the State's assertion that a curfew is inevitable at least debatable and without convincing justification", the court concluded. (See judgment (in Dutch), paragraphs 4.12-4.14.)
The judgment of the district court of The Hague is in line with Privacy First’s earlier position. Privacy First hopes that this will be confirmed on appeal by the Hague Court of Appeal and that it will also lead to the rejection of the curfew by both the Dutch House of Representatives and the Senate.
This week the Dutch House of Representatives will debate the ‘temporary’ Corona emergency law under which the movements of everyone in the Netherlands can henceforth be monitored ‘anonymously’. Privacy First has previously criticized this plan in a television broadcast by current affairs program Nieuwsuur. Subsequently, today Privacy First has sent the following letter to the House of Representatives:
Dear Members of Parliament,
With great concern, Privacy First has taken note of the ‘temporary’ legislative proposal to provide COVID-19 related telecommunications data to the Dutch National Public Health Institute (RIVM). Privacy First advises to reject this proposal on account of the following fundamental concerns and risks:
Violation of fundamental administrative and privacy principles
- There is no societal necessity for this legislative proposal. Other forms of monitoring have already proven sufficiently effective. The necessity of this proposal has not been demonstrated and there is no other country where the application of similar technologies made any significant contribution.
- The proposal is entirely disproportionate as it encompasses all telecom location data in the entire country. Any form of differentiation is absent. The same applies to data minimization: a sample would be sufficient.
- The proposal goes into effect retroactively on 1 January 2020. This violates legal certainty and the principle of legality, particularly because this date is long before the Dutch ‘start’ of the pandemic (11 March 2020).
- The system of ‘further instructions from the minister’ that has been chosen for the proposal is completely undemocratic. This further erodes the democratic rule of law and the oversight of parliament.
- The proposal does not mention 'privacy by design' or the implementation thereof, while this should actually be one of its prominent features.
Alternatives are less invasive: subsidiarity
- The State Secretary failed to adequately investigate alternatives which are more privacy friendly. Does she even have any interest in this at all?
- Data in the possession of telecom providers are pseudonymized with unique ID numbers and as such are submitted to Statistics Netherlands (CBS). This means that huge amounts of sensitive personal data become very vulnerable. Anonymization by CBS happens only at a later stage.
- When used, the data are filtered based on geographical origin. This creates a risk of discrimination on the basis of nationality, which is prohibited.
- It is unclear whether the CBS and the RIVM intend to ‘enrich’ these data with other data, which could lead to function creep and potential data misuse.
Lack of transparency and independent oversight
- Up until now, the Privacy Impact Assessment (PIA) of the proposal has not been made public.
- There is no independent oversight on the measures and effects (by a judge or an independent commission).
- The GDPR may be applicable to the proposal only partially as anonymous data and statistics are exempt from the GDPR. This gives rise to new risks of data misuse, poor digital protection, data breaches, etc. General privacy principles should therefore be made applicable in any case.
Structural changes and chilling effect
- This proposal seems to be temporary, but the history of similar legislation shows that it will most likely become permanent.
- Regardless of the ‘anonymization’ of various data, this proposal will make many people feel like they are being monitored, which in turn will make them behave unnaturally. The risk of a societal chilling effect is huge.
Faulty method with a significant impact
- The effectiveness of the legislative proposal is unknown. In essence, it constitutes a large scale experiment. However, Dutch society is not meant to be a living laboratory.
- By means of data fusion, it appears that individuals could still be identified on the basis of anonymous data. Even at the chosen threshold of 15 units per data point, the risk of unique singling out and identification is likely still too large.
- The proposal will lead to false signals and blind spots due to people with several telephones as well as vulnerable groups without telephones, etc.
- There is a large risk of function creep, of surreptitious use and misuse of data (including the international exchange thereof) by other public services (including the intelligence services) and future public authorities.
- This proposal puts pressure not just on the right to privacy, but on other human rights as well, including the right to freedom of movement and the right to demonstrate. The proposal can easily lead to structural crowd control that does not belong in a democratic society.
Specific prior consent
Quite apart from the above concerns and risks, Privacy First doubts whether the use of telecom data by telecom providers, as envisaged by the legislative proposal, is lawful in the first place. In the view of Privacy First, this would require either explicit, specific and prior consent (opt-in) from customers, or the possibility for them to opt-out at a later stage and to have the right to have all their data removed.
It is up to you as Members of Parliament to protect our society from this legislative proposal. If you fail to do so, Privacy First reserves the right to take legal action against this law.
The Privacy First Foundation
Writing a New Year’s Column about the state of affairs concerning the protection of everyone’s privacy weighs me down this year. With the exception of a few bright spots, privacy in the Netherlands and the rest of the world has greatly deteriorated. For a while it seemed that the revelations of Edward Snowden in 2013 about secret services tracking everyone’s online behavior would be a rude wake-up call for the world. It was thought that an increasing number of data breaches and a rising number of governments and companies getting hacked, would make people realize that large amounts of data stored centrally is not the solution. The Arab Spring in 2015 would bring about major change through the unprecedented use of (social) media.
The European Union successfully voted against the exchange of data relating to travel movements, paved the way for the current General Data Protection Regulation and seemed to become the shining alternative example under the guidance of Germany, a country known for its vigilance when it comes to privacy. Unfortunately, things turned out differently. Under the Obama administration, Snowden was shunned as a traitor and other whistleblowers were clamped down on harder than ever before. Julian Assange was forced into exile while murdering people with the use of drones and without any form of trial was implemented on a large scale. Extrajudicial killings with collateral damage... While the discussion was about waterboarding... Discussions on such ‘secondary topics’ have by now become commonplace in politics, and so has the framing and blaming of opponents in the polarized public debate (the focus is usually on the person rather than on the argument itself).
Looking back on 2018, Privacy First identifies a great number of areas where the breakdown of privacy is evident:
Government & privacy
In March, an advisory referendum in the Netherlands was held on the introduction of the so-called Tapping law. Immediately after that, the referendum was abrogated. This happened in a time of unprecedented technological possibilities to organize referendums in various ways in a shared democracy. That’s outrageous. The outcome of the referendum was not taken into account and the Tapping law was introduced just like that. Moreover, it turned out that all along, the Dutch Minister of the Interior had withheld an important report on the functioning of the Dutch General Intelligence and Security Service.
Apparently this was nothing to worry about and occurred without any consequences. The recent report by the Dutch State Commission on the (re)introduction of referendums will likely end up in a drawer, not to be looked at again.
Fear of losing one’s role and the political mood of the day are all too important in a culture in which ‘professional politicians’ are afraid to make mistakes, but which is full of incidents nonetheless. One’s job or profession comes first, representing citizens comes second. Invariably, incidents are put under a magnifying glass in order to push through binding legislation with a broad scope. Without the review of compliance with guiding principles such as necessity, purpose limitation, subsidiarity and proportionality. There is an ever wider gap between government and citizens, who are not trusted but are expected to be fully transparent towards that self-same government. A government that time and again appears to be concealing matters from citizens. A government that is required by law to protect and promote privacy, but is itself still the most prominent privacy-violator.
The medical establishment & privacy
In this area things got really out of hand in 2018. Through various coordinated media offensives, the EU and the member states are trying to make us believe in the advantages of relinquishing our right to physical integrity and our humanity. Sharing biometric data with the United States continues unabatedly. We saw the police calling for compulsory DNA databases, compulsory vaccination programs, the use of smart medicines with microchips and the phasing out of alternative therapies. Furthermore, health insurance companies cautiously started to cover genetic testing and increasingly doing away with medical confidentiality, the Organ Donation Act was introduced and microchips implanted in humans (the cyborg as the highest ideal in Silicon Valley propaganda) became ever more popular.
How long before microchips become compulsory for all citizens? All (domestic) animals in the EU have already preceded us. And then there’s the Electronic Health Record, which was first rejected in the Dutch Senate but has reappeared on the minister’s agenda via a detour. Driven by commercial interests, it is being rammed down the throats of general practitioners while alternatives such as Whitebox are not taken seriously. The influence of Big Pharma through lobbying with government bodies and participating in government working groups is particularly acute. They closely cooperate with a few IT companies to realize their ideal of large and centralized networks and systems. It’s their year-end bonus and growth at the expense of our freedom and well-being.
Media & privacy
Naturally, we cannot overlook ‘fake news’. One of the premises for having privacy is being able to form your own opinion and respect and learn from the opinions of others. Furthermore, independent left and right-wing media are essential in a democratic constitutional State. It's their task to monitor the functioning of elected and unelected representatives in politics and in government. Journalists should be able to penetrate into the capillaries of society in order to produce local, national and global news.
Ever since free news gathering came about, it has been a challenge to obtain news based on facts. It’s not always easy to distinguish a press service, PR and propaganda from one another. In times of rapid technological changes and new opportunities, they should be continuously reviewed according to the principles of journalism. That’s nothing new. What is new, however, is that the European Union and our own Minister for the Interior, Kajsa Ollongren, feel they’re doing the right thing by outsourcing censorship to social media companies that are active on a global scale and have proven to be unreliable.
While Facebook and Google have to defend themselves in court for spreading fake news and censoring accounts, the governments hand over the monitoring task to them. The privacy violators and fake news distributors as the guardians of our privacy and journalism. That’s the world upside down. By so doing, this minister and this government undermine the constitutional State and show disdain for intelligent citizens. It’s time for a structural change in our media system, based on new technologies such as blockchain and the founding of a government media office whose task is to fund all media outlets through citizens’ contributions, taking into account the media’s scope and number of members. So that concerns all media, including the so-called alternative media, which should not be censored.
Finance & privacy
The erosion of one’s privacy increasingly manifests itself at a financial level too. The fact of the matter is, that the tax authorities already know in detail what the spending pattern of all companies and citizens looks like. Thanks to the Tapping Law, they can now pass on this information in real-time to the secret services (the General Intelligence and Security Service is watching along). Furthermore, a well-intended initiative such as PSD2 is being introduced in a wholly improvident and privacy-unfriendly way: basic conditions relating to the ownership of bank details (of citizens, account holders) are devoid of substance. Simple features such as selective sharing of banking details, for example according to the type of payment or time period, are not available. What’s more, payment details of third parties who have not given their consent, are sent along.
In the meantime, the ‘cash = criminal’ campaign goes on relentlessly. The right to cash and anonymous payment disappears, despite even the Dutch Central Bank now warning that the role of cash is crucial to our society. Privacy First has raised its opinion on this topic already in 2016 during a public debate. The latest development in this regard is the further linking of information through Big Data and profiling by debt-collecting agencies and public authorities. Excluding citizens from the electronic monetary system as a new form of punishment instead of letting them pay fines is a not so distant prospect. In this regard, a lot of experimentation is going on in China and there have been calls in Europe to move in the same direction, supposedly in order to fight terrorism. In other words, in the future it will become increasingly difficult to raise your voice and organize against abuse of power by governments and companies: from on high it takes only the press of a button and you may no longer be able to withdraw cash, travel or carry out online activities. In which case you have become an electronic outcast, banished from society.
Public domain & privacy
In 2018, privacy in public space has all but improved. Whereas 20 years ago, the Netherlands was deemed too small to require everyone out on the streets to be able to identify themselves, by now, all governments and municipalities in Europe are developing ‘smart city’ concepts. If you ask what the benefits and use of a smart city are (beyond the permanent supervision of citizens), proponents will say something vague about traffic problems and that the 'killer applications' will become visible only once the network of beacons is in place. In other words, there are absolutely no solid figures which would justify the necessity, subsidiarity and proportionality of smart cities. And that’s not even taking basic civil rights such as privacy into consideration.
Just to give a few examples:
- ANPR legislation applies from 1 January 2019 (all travel movements on public roads will be stored in a centralized police database for four weeks)
- A database consisting of all travel movements and stays of European citizens and toll rates as per 2023
- Emergency chips in every vehicle with a two-way communication feature (better known as spyware) as per 1 January 2019
- Cameras and two-way communication in public space, built into the lampposts among other objects as part of smart city projects
- A decision to introduce additional cameras in public transport as per 2019
- The introduction of Smart Cities and the introduction of unlimited beacons (doesn’t it sound so much better than electronic concentration camp posts?)
- Linking together all traffic centers and control rooms (including those of security companies operating on the private market)
- Citizens are permanently monitored by invisible and unknown eyes.
Private domain & privacy
It’s well known that governments and companies are keen to take a peek in our homes, but the extent to which this was being advanced last year, was outside of all proportion. Let’s start with energy companies, who foist compulsory smart meters on citizens. By way of ‘appointment to install a smart meter’, which you didn’t ask for, it’s almost impossible to stay clear of red tape. After several cancellations on my part and phone calls to energy provider Nuon, they simply continued to push forward. I still don’t have a smart meter and it will stay like that.
Once again Silicon Valley featured prominently in the news in 2018. Unelected dictatorial executives who are no less powerful than many a nation state, promote their utopias as trendy and modern among citizens. Self-driving cars take the autonomy and joy away from citizens (the number of accidents is very small considering the millions of cars on the road each day), while even children can tell that a hybrid approach is the only option. The implementation of smart speakers by these social media companies is downright spooky. By bringing smart toys onto the market, toy manufacturers equally respond to the needs that we all seem to have. We can all too readily guess what these developments will mean for our privacy. The manipulation of facts and images as well as distortion, will starkly increase.
Children & privacy
Children and youths represent the future and nothing of the above bodes well for them. Screen addiction is sharply on the rise and as children are being raised amidst propaganda and fake news, much more attention should go out to forming one’s own opinion and taking responsibility. Centralized pupil monitoring systems are introduced indifferently in the education system, information is exchanged with parents and not having interactive whiteboards and Ipads in the classroom has become unthinkable. The first thing children see every single day, is a screen with Google on it... Big Brother.
Dependence on the internet and social media results in impulsive behaviour among children, exposes them to the madness of the day and affects their historical awareness and ability to discern underlying links. The way of thinking at universities is becoming increasingly one-sided and undesirable views are marginalized. The causes of problems are not examined, books are not read though there is certainly no lack of opinions. It’s all about making your voice heard within the limits of self-censorship that’s in force in order to prevent becoming the odd one out in the group. The same pattern can be identified when it comes to forming opinions in politics, where discussing various issues based on facts seems no longer possible. Not to mention that the opinions of citizens are considered irrelevant by our politicians. Good quality education focused on forming opinions and on creating self-reflective minds instead of a robot-way of thinking, is essential for the development of a healthy democracy.
Are there any positive developments?
It's no easy task to identify any positive developments in the field of privacy. The fact is that the introduction of the GDPR and the corresponding option to impose fines has brought privacy more sharply into focus among companies and citizens than the revelations of Snowden have been able to do. The danger of the GDPR, however, is that it narrows down privacy to data protection and administrative red tape.
Another positive development is the growing number of (as of yet small) initiatives whereby companies and governments consider privacy protection as a business or PR opportunity. This is proved by the number of participants in the 2019 Dutch Privacy Awards. Recurring themes are means of anonymous communication (email, search engines, browsers), possible alternatives to social networks (messaging services like WhatsApp, Facebook, Instagram and Twitter) on the basis of subscriptions, blockchain technology and privacy by design projects by large organizations and companies.
Privacy First has teamed up with a few top quality pro bono attorneys who are prepared to represent us in court. However, judges are reluctant to go off the beaten track and come up with progressive rulings in cases such as those concerning number plate parking, average speed checks, Automatic Number Plate Recognition, the Tapping Law, etc. For years, Privacy First has been suffering from a lack of funding. Many of those who sympathize with us, find the topic of privacy a bit eerie. They support us morally but don’t dare to make a donation. After all, you draw attention to yourself when you’re concerned with issues such as privacy. That’s how bad things have become; fear and self-censorship... two bad counsellors! It’s high time for a government that seriously deals with privacy issues.
Constitutional reform should urgently be placed on the agenda
Privacy First is a great proponent of constitutional reform (see our 2017 New Year’s column about Shared Democracy), based on the principles of the democratic constitutional State and the European Convention on Human Rights (ECHR). Our democracy is only 150 years old and should be adapted to this current day and age. This means that the structure of the EU should be changed. Citizens should take on a central and active role. Government policies should focus on technological developments in order to reinforce democracy and formulate a response to the concentration of power of multinational companies.
Privacy First argues that the establishment of a Ministry of Technology has the highest priority in order to be able to stay up to date with the rapid developments in this field and produce adequate policies accordingly. It should live up to the standards of the ECHR and the Dutch Constitution and avoid becoming a victim of the increasing lobbying efforts in this sector. Moreover, it is time for a Minister of IT & Privacy who stays up to date on all developments and acts with sufficient powers and in accordance with the review of a Constitutional Court.
The protection of citizens’ privacy should be facilitated and there should be privacy-friendly alternatives for current services by technology companies. For 2019, Privacy First has a few tips for ordinary citizens:
- Watch out for and stay away from ‘smart’ initiatives on the basis of Big Data and profiling!
- Keep an eye on the ‘cash = criminal’ campaign. Make at least 50% of your payments anonymously in cash.
- Be cautious when communicating through Google, Apple, Facebook and Microsoft. Look for or develop new platforms based on Quantum AI encryption and use alternative browsers (TOR), networks (VPN) and search engines (Startpage).
- Be careful when it comes to medical data and physical integrity. Use your right for there to be no exchange of medical data as long as initiatives such as Whitebox are not used.
- Be aware of your right to stay anonymous, at home and in public space. Campaign against toll payment, microchips in number plates, ANPR and number plate parking.
- Be aware of your legal rights to bring lawsuits, for example against personalized waste disposal passes, camera surveillance, etc.
- Watch out for ‘smart’ meters, speakers, toys and other objects in the house connected to the internet. Purchase only privacy by design solutions with privacy enhanced technology!
The Netherlands and Europe as guiding nations in the field of privacy, with groundbreaking initiatives and solutions for apparent contradictions concerning privacy and security issues - that’s Privacy First's aim. There’s still a long way to go, however, and we’re being blown off course ever more. That’s due in part because a comprehensive vision on our society and a democracy 3.0 is lacking. So we continue to drift rudderless, ending up in the big manipulation machine of large companies one step at a time. We need many more yellow vests before things change. Privacy First would like to contribute to shaping and promoting a comprehensive, positive vision for the future. A future based on the principles that our society was built on and the need for greater freedom, with all the inevitable restrictions this entails. We will have to do it together. Please support Privacy First actively with a generous donation for your own freedom and that of your children in 2019!
To an open and free society! I wish everyone a lot of privacy in 2019 and beyond!
Bas Filippini, Privacy First chairman
On November 2nd 2016, the Dutch House of Representatives will address a controversial legislative proposal that will introduce four week storage of the travel movements of all motorists in the Netherlands. In case both chambers of Dutch Parliament adopt this proposal, Privacy First will try to overturn this in court.
Large scale breach of privacy
It is Privacy First’s constant policy to challenge large scale privacy violations in court and have them declared unlawful. Privacy First successfully did so with the central storage of everyone’s fingerprints under the Dutch Passport Act and the storage of everyone’s communications data under the Dutch Telecommunications Retention Act. A current and similar legislative proposal that lends itself for another major lawsuit is legislative proposal 33542 (in Dutch) of the Dutch Minister of Security and Justice, Ard van der Steur, in relation to Automatic Number Plate Recognition (ANPR). Under this legislative proposal, the number plate codes of all motorists in the Netherlands, i.e. everyone’s travel movements, will be collected through camera surveillance and stored for four weeks in police databases for criminal investigation purposes. As a result, every motorist will become a potential suspect. This is a completely unnecessary, wholly disproportionate and ineffective measure. Therefore the proposal is in breach of the right to privacy and thus unlawful.
The current ANPR legislative proposal was already submitted to the Dutch House of Representatives in February 2013 by the then Minister of Security and Justice, Ivo Opstelten. Before that, in 2010, Opstelten’s predecessor Hirsch Ballin had the intention to submit a similar proposal, albeit with a storage period of 10 days. However, back then the House of Representatives declared this subject to be controversial. Opstelten and Van der Steur have thus now taken things a few steps further. Due to privacy concerns, the parliamentary scrutiny of this proposal was at a standstill for several years, but now seems to be reactivated and even reinforced through a six-fold increase of the proposed retention period, courtesy of the ruling parties VVD and PvdA.
Under current Dutch national law, ANPR data of innocent citizens must be erased within 24 hours. In the eyes of the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP), all number plate codes that are not suspect (so-called ‘no-hits’) are to be removed from relevant databases immediately. Van der Steur’s plan to also store the number plate codes of unsuspected citizens for four weeks directly flies in the face of this. VVD and PvdA are even willing to increase this retention period to six months. The inevitable consequence, a haystack of data, would constitute a blatant violation of the right to privacy of every motorist. Any possible judicial oversight of the use of these data would do nothing to alter this.
UN Human Rights Council
In recent years, Privacy First has repeatedly expressed this position to both the House of Representatives (standing committee on Security and Justice) as well as to relevant MPs personally. Privacy First has also made its stance clear in personal meetings with Minister Opstelten (July 2012) and Minister Van der Steur (July 2014, at that time still a VVD MP). Moreover, Privacy First has recently raised this issue with the United Nations. In May 2017, the Dutch government can be held accountable for this at the UN Human Rights Council in Geneva.
In case both the House of Representatives and the Dutch Senate will adopt the ANPR legislative proposal in its current form, Privacy First (in a broad coalition together with other civil organizations) will immediately summon the Dutch government in order to render the law inoperative on account of violation of the right to privacy. If necessary, Privacy First and co-plaintiffs will litigate all the way up to the European Court of Human Rights in Strasbourg. Considering the European and Dutch case law on the subject, Privacy First rates its chances of legal success very high.
Update 20 December 2018: today the Dutch government has announced that the ANPR Act will enter into force on 1 January 2019. The summary proceedings of Privacy First against the ANPR Act will soon take place at the District Court of The Hague.
Privacy First New Year’s column
Looking back on 2016, Privacy First perceives a renewed attack on our democratic constitutional State from within. Incident-driven politics based on the everyday humdrum prevails and the Dutch government’s frenzy efforts to control the masses is relentless, arrogant and driven by industry and political lobbying. The democratic principles of our constitutional State are being lost out of sight ever more while the reversion of legal principles has become commonplace. Every (potential) attack thus becomes an attack on our civil rights.
Current constitutional State unable to defend itself
Barely a single day has gone past in the current mediacracy and governors without any historical or cultural awareness hand us, our children and our future over to a new electronic dictatorship fenced off by 4G masts. Citizens who autonomously seek to inform themselves have become ‘populists that spread fake news’. It’s not just the government that has lost its way, but so have the mainstream media, so it seems. The model characterized by fear, hate and control adopted by many authoritarian states headed by a strong leader is increasingly seen as the way to go.
Privacy First has said it before but will reiterate: we are of the opinion that State terrorists who continuously change legislation restricting civil liberties are ultimately much more harmful to our society than a single ‘street terrorist’, however terrible and shocking an attack is for those directly involved. The galling thing is that our constitutional State cannot adequately defend itself against the erosion of democratic principles from within: among other things, there is a lack of independent review of our Constitution. Therefore we are very happy that the European Court of Justice has recently ruled all forms of trawl net technology unlawful in advance. A great verdict that has far-reaching consequences for the State terrorists among our politicians and civil servants. A clear line in the sand.
Our democratic constitutional State came into existence out of the 19th century way of thinking and will have to be reshaped through a public debate, provided this is done taking into account the basic principles of living together - a human experience that goes back thousands of years. Love, trust en freedom are fundamental pillars. Privacy First discerns a number of changes over the past 150 years to which our constitutional State has no adequate answer, if any answer at all. These changes will have to be integrated into a newly structured democratic constitutional State which will have to be partly parliamentary and partly shared. In other words: the democratic foundation is there, but will have to be adapted to the desires and developments of our time.
Towards a Shared Democracy: adjusting parliamentary democracy to our present time
Privacy First calls on (and challenges, if necessary) every Dutch citizen to participate in a broad public discussion in order to shape a democracy 3.0. After Athens (1.0) and our parliamentary democracy from the 19th century onwards (2.0), in our eyes it’s time for the concept of a Shared Democracy (3.0), which is both a disruptive way of thinking as well as a social model for which we identify seven big drivers that help adjust our current 19th century system. Privacy First notices that these seven drivers are currently undermining our model from the inside and the outside. But by thinking differently, one will find that these pillars also offer an opportunity to move towards a new form for the future: the so-called Shared Democracy.
1. Changing role of the media; towards a mediacracy
Originally, in the 19th century model, the media didn’t yet have the scale and level of outreach today’s media have. The influence of the media has become large to the extent it will have to be one of the pillars of the future Shared Democracy.
2. Changing role of citizens
The enormous financial and social emancipation, the elevated level of education and the individualization of citizens is currently leading to huge tensions in the democracy of parliamentary representation. As part of the old way of thinking, citizens are still regarded as an unassertive, inferior, necessary evil. However, citizens want to have decision-making power on numerous issues and this – supported by the newest technologies and means of communication - will have to be structurally implemented in the Shared Democracy on the basis of various structures of representation and participatory leadership based on personal responsibility, an area in which politics and the government are still falling far behind in their relationship with citizens.
3. Scientific, technological and information revolution
These revolutions create new opportunities and offer an almost real-time insight in the developments and events within society. Moreover, the internet and associated infrastructures enable completely new forms of exchange and marketplaces of ideas and decisions. This happens on a worldwide scale between like-minded people and people who hold different views. Where supply and demand are ill-aligned, new services that have a disruptive effect on old structures pop up. Think of the clear imbalance between citizens and politics. A solution for that problem can be found in completely new and invigorating systems and structures, set up with an open and free attitude, with privacy by design enshrined in legislation and with the application of advanced technology - all elements that distinguishes the Shared Democracy.
4. Unrestrained proliferation of public authorities
The house is ready to move into, but the contractor keeps coming back every day to see whether there are still tasks to be done... likewise our government exerts its influence on our daily life and on today’s economy. The unrestrained proliferation of public authorities has got to stop immediately and the government has to be brought back to normal proportions, in line with a standard that has yet to be established. By now, citizens serve the government instead of the other way around. The power of (central) public authorities is no longer commensurate with those of individual citizens. A key trait of the Shared Democracy will be the size, power and scope of the government.
5. Lifelong professional politicians
Another thing the founders of the 19th century model didn’t take into account (despite the seperation of powers) is the fact that many current (national) representatives are fulltime politicians, some of whom carry out public sector activities quite directly related to their political function. Particularly these latter ones have lost all connection to society and virtually live off taxpayers’ money without any risks. In the Shared Democracy we envisage, we advocate that representatives of citizens make clear choices and are in favour of all possible mixed forms of citizens and representatives in order to create a much larger engagement and responsibility among individual citizens when it comes to being active politically.
6. Financial sector, upscaling and mass control
The centralization and management of financial flows disconnected from the underlying value, erodes both the economy and society. The human dimension is disappearing into the background in upscaling and efficiency models dominated by financial flows. By introducing mantras such as ‘cash is criminal’, paying anonymously is being phased out while bank runs that could endanger and destabilize the system are being prevented. Here too, the web continually gets tighter around citizens and money no longer belongs to them, but to banks and the government. With a view to the future and on the basis of current and future technological possibilities, in the Shared Democracy, ownership relationships and the right to anonymous means of payment will have to be firmly embedded in law.
7. Supranational elite of individuals and companies
One of the effects of globalization is the rise of a large group of supranational companies and individuals that are disconnected from their nation-states and societies, benefitting from the rights they have but not fulfilling the duties that society equally brings along. Now that information and power are concentrated within a few very large, global conglomerates, there are many financial corporations and companies that have become larger than nation-states. The intransparent power of lobbygroups backing these conglomerates thrives under the old, authoritarian pyramid structure of centralized political representation. In the Shared Democracy, special attention will have to go out to democratic shaping and modelling on all levels, while the centralized and decentralized power structures have to be continually in balance and be measurable with the most advanced technology.
How will the Shared Democracy deal with all this? How much more freedom are we prepared to give up for the sake of (false) security? 100% security = 0% freedom. How are we going to restructure our society and democratic system in order to hold on to our principles with the seven drivers of development in mind? And on which scale are we willing to do so?
To better define these questions and look for answers, Privacy First will organize a New Year's Reception on 19 January 2017, at 7:30 pm in the Volkshotel in Amsterdam. The reception (in Dutch) will revolve around the Shared Democracy.
Privacy First encourages everyone to contribute to this new movement towards a Shared Democracy in an open and free debate on all available communication channels!
Privacy First Foundation chairman
Christmas column by Bas Filippini,
Chairman of the Privacy First Foundation
Principles of our democratic constitutional State are still very relevant
‘‘Your choice in a free society’’ is the slogan of the Privacy First Foundation. Privacy First has defined its principles on the basis of universal human rights and our Dutch Constitution and is reputed for professional and, if necessary, legal action in line with our free constitutional State. The mere fact that Privacy First exists, means that in recent years the aforementioned principles have come under increasing pressure. We base our (legal) actions and judgements on thorough fact-finding, to the extent possible in our working area.
‘The Netherlands as a secure global pioneer in the field of privacy’, that’s our motto. This country should also serve as an example of how to use technology whilst maintaining the principles of our open and free society. This can be achieved through legislative, executive and IT infrastructures, starting from privacy by design and making use of privacy enhanced technology.
Whereas the industrial revolution has environmental pollution as a negative side effect, the information revolution has the ‘pollution of privacy and freedom’ as an unwanted side effect.
Therefore, the question is how to preserve the basic principles of our democratic constitutional State and how to support new structures and services towards the future. As far as we’re concerned, these basic principles are neither negotiable nor exchangeable. Yet time and again we see the same incident-driven politics based on the misconceptions of the day strike at times when the constitutional State is at its most vulnerable and cannot defend itself against the emotional tide of the moment.
Paris as yet another excuse to pull through ‘new’ laws
Various politicians feed on the attacks in Paris and tumble over one another to express Orwellian macho talk, taking things further and further in legislative proposals or in emotional speeches characterized by belligerence and rhetoric. And it’s always so predictable: further restraining existing freedoms of all citizens instead of focusing further on the group of adolescents (on average, terrorist attackers are between 18 and 30 years old) that intelligence agencies already have in sight. Instead of having a discussion about how intelligence agencies can more effectively tackle the already defined group that needs to be monitored and take preventive measures in the communication with and education of this target group, the focus too easily shifts to familiar affairs whereby necessity, proportionality and subsidiarity are hard to find.
So in the meanwhile we’ve witnessed the prolonged state of emergency in France, the far reaching extension of powers of the police, the judiciary and intelligence services (also to the detriment of innocent citizens), extra controls in public space, the retention of passenger data, etc., etc. All this apparently for legitimate reasons in the heat of the moment, but it will be disastrous for our freedom both in the short as well as in the long run. In this respect the blurring definition of the term ‘terrorism’ is striking. Privacy First focuses on government powers in relation to the presumption of innocence that citizens have. We’re in favour of applying special powers in dealing with citizens who are under reasonable suspicion of criminal offences and violate the rights of others with their hate and violence. In fact, that’s exactly what the law says. Let’s first implement this properly, instead of introducing legislative proposals that throw out the baby with the bathwater.
The governments is committed to impossible 100 per cent security solutions
What often strikes me in conversations with civil servants is the idea that the government should provide 100 per cent solutions for citizens and applies a risk exclusion principle. This leads to a great deal of compartmentalization and paralyzation when it comes to possible government solutions in the area of security. Technology-based quick fixes are adhered to by default, without properly analyzing the cause of problems and looking at the implementation of existing legislation.
The government way of thinking is separate from citizens, who are not trusted in having legal capacity and are regarded as a necessary evil, as troublesome and as inconvenient in the performance of the government’s tasks. The idea that the government, serving its citizens, should offer as high a percentage as possible but certainly not a 100 per cent security (the final 10 per cent are very costly on the one hand and suffocating for society on the other) is not commonly shared. No civil servant and no politician is prepared to introduce policies to maintain an open society today (and 50 years from now) that entail any risk factors. However, in reality there will always be risks in an open society and it should be noted that a society is not a matter of course but something we should treat with great care.
Here in the Netherlands we’ve seen other forms of government before: from rule by royal decree to a bourgeoisie society and an actual war dictatorship. Every time we chose not to like these forms of society. What could possibly be a reason to be willing to go back to any of these forms and give up our freedoms instead of increasing them and enforcing them with technology? Especially in a society that has high levels of education and wherein citizens show to be perfectly able to take their own decisions on various issues. We hire the government and politics as our representatives, not the other way around. However, we’re now put up with a government that doesn’t trust us, is only prepared to deliver information on the basis of FOIA requests and requires us to hand over all information and communications about us and our deepest private lives as if we were prima facie suspects. That puts everything back to front and to me it embodies a one way trip to North Korea. You’ll be more than welcome there!
Political lobby of the industry
The industry’s persistence to overload the government and citizens with ICT solutions is unprecedented. Again and again here in the Netherlands and in Silicon Valley the same companies pop up that want to secure their Christmas bonus by marketing their products in exchange for our freedom. We’re talking about various electronic health records like the Child record and the Orwellian and centralized electronic patient record, the all-encompassing System Risk-Indication database, travel and residency records, road pricing, chips in number plates and cars, so-called automated guided vehicles (including illegal data collection by car manufacturers), number plate parking, automatic number plate recognition cameras, facial recognition in public space and counter-hacking by government agencies while voting computers are back on the agenda. Big Data, the Internet of things, the list goes on.
With huge budgets these companies promote these allegedly smart solutions, without caring about their dangers for our freedom. It’s alienating to see that the reversal of legal principles is creeping in and is being supported by various government and industry mantras. It’s as if a parasitic wasp erodes civil liberties: the outside looks intact but the inside is already empty and rotten.
From street terrorism to State terrorism
As indicated above, the information revolution leads to the restriction of freedom. It’s imperative to realize that after 4000 years of struggle, development and evolution we have come to our refined form of society and principles that are (relatively) universal for every free citizen. Just as most of us are born out of love, freedom and trust, to me these are also the best principles with which to build a society. We’re all too familiar with societies founded on hate, fear and government control and we have renounced them not so long ago as disastrous and exceptionally unpleasant. At the expense of many sacrifices and lives these principles have been enshrined in treaties, charters and constitutions and are therefore non-negotiable.
It’s high time to continue to act on the basis of these principles and make policy implementation and technology subordinate to this, taking into account the people’s needs and their own responsibility. In my eyes, a civil servant in the service of the people who places security above everything else, is nothing more than a State terrorist or a white collar terrorist who in the long term causes much more damage to our constitutional State and freedom than a so called street terrorist. The government and industry should have an immediate integrity discussion about this, after which clear codes can be introduced for privacy-sustainable governing and entrepreneurship.
Towards a secure global pioneer in the field of privacy
Privacy First would like to see government and industry take their own responsibility in protecting and promoting the personal freedom of citizens and in so doing use a 80/20 rule as far as security is concerned. By focusing on risk groups a lot of money and misery can be saved. Exceptions prove the rule, which in this case is a free and democratic constitutional State and not the other way around. Say yes to a free and secure Netherlands as a global pioneer in the field of privacy!
By now basically everyone is aware of the far-reaching eavesdropping practices by the American National Security Agency (NSA). For years the NSA has been secretly eavesdropping on millions of people around the world, varying from ordinary citizens to journalists, politicians, attorneys, judges, scientists, CEOs, diplomats and even presidents and heads of State. In doing so, the NSA has completely ignored the territorial borders and laws of other countries, as we have learned from the revelations by Edward Snowden in the PRISM scandal. Instead of calling the Americans to order, secret services in other countries appear to be all too eager to make use of the intelligence that the NSA has unlawfully obtained. In this way national, European and international legislation that should safeguard citizens against such practices is being violated in two ways: on the one hand by foreign secret services such as the NSA that collect intelligence unlawfully, and on the other hand by secret services in other countries that subsequently use this intelligence. This constitutes an immediate threat to everyone’s privacy and to the proper functioning of every democratic constitutional State. This is also the case in the Netherlands, where neither the national Parliament nor the responsible minister (Mr. Ronald Plasterk, Home Affairs) has so far taken appropriate action. This situation cannot continue any longer. Therefore a national coalition of Dutch citizens and organizations (including the Privacy First Foundation) has today decided to take the Dutch government to court and demand that the inflow and use of illegal foreign intelligence on Dutch soil is instantly brought to a halt. Furthermore, the coalition demands that the Dutch government notifies all citizens whose personal data have been illegally obtained. These data must also be deleted.
These legal proceedings by the Privacy First Foundation primarily serve the general interest and aim to restore the right to privacy of every citizen in the Netherlands. The lawsuit is conducted by bureau Brandeis; this law firm also represents Privacy First and 19 co-plaintiffs (Dutch citizens) in our Passport Trial against the Dutch government. Privacy First is confident it will soon have positive outcomes in both of these cases.
Click HERE to read the subpoena as it was presented to minister Plasterk today. (Dutch only)
Apart from Privacy First, the coalition of plaintiff parties consists of the following organizations and citizens:
- The Dutch Association of Defence Counsel (Nederlandse Vereniging van Strafrechtadvocaten, NVSA)
- The Dutch Association of Journalists (Nederlandse Vereniging van Journalisten, NVJ)
- The Dutch chapter of the Internet Society (ISOC.nl)
- Jeroen van Beek
- Rop Gonggrijp
- Bart Nooitgedagt (represented by the NVSA)
- Matthieu Paapst (represented by ISOC.nl)
- Brenno de Winter (represented by the NVJ).
Update 5 February 2014: today the Dutch government (Ministries of Home Affairs and Defence) has responded to the subpoena in a comprehensive statement of defence; click HERE for the entire document (pdf; MIRROR) and HERE for the press release by our attorneys of bureau Brandeis (in Dutch). It is remarkable that the State Attorney only deems the Privacy First Foundation admissible (see p. 31). This means that Privacy First is only one step away from standing before the judges of the district court of The Hague. This development is also of great importance for our Passport Trial, in which that same court at an earlier stage deemed Privacy First et al. inadmissible. The Hague Court of Appeal is currently looking into this legal issue once more. In the point of view of Privacy First, the court should declare all plaintiffs (citizens and organizations) admissible in both the court case concerning the NSA as well as our lawsuit regarding the Dutch biometric passport.
Earlier this year the Dutch Minister of Justice and Security Ivo Opstelten came up with the miserable plan to authorize the Dutch police force to hack into your computer (both at home and abroad!) and to enable the police to demand that you decrypt your encrypted files in the presence of a policeman and obediently hand them over to the State. In the context of an online consultation (in Dutch), Privacy First notified to the Minister that it has a number of principal objections against his plans:
The Privacy First Foundation hereby advises you to withdraw the legislative proposal ‘enforcement of the fight against cybercrime’ on the basis of the following eleven principal grounds:
- In our view, this legislative proposal forms a typical building block for a police State, not for a democratic constitutional State based on freedom and trust.
- The Netherlands has a general human rights duty to continuously fulfil the right to privacy instead of restricting it. With this legislative proposal the Netherlands violates this general duty.
- This legislative proposal is not strictly necessary (contrary to possibly being ‘useful’ or 'handy') in a democratic society. Therefore the legislative proposal is in breach of Article 8 of the European Convention on Human Rights.
- Moreover, this legislative proposal violates the prohibition of self-incrimination (nemo tenetur se ipsum accusare).
- Function creep is a universal phenomenon. This will also apply to this legislative proposal, which will form the basis for future abuse of power.
- This legislative proposal puts the relationship of trust between the Dutch government and the Dutch people to the test. This will lead to a chilling effect in Dutch society.
- Through this legislative proposal age-old assets such as freedom of the press and the protection of journalistic sources, whistleblowers, freedom of speech, free information gathering, freedom of communication and the right to a fair trial are put under severe pressure. This is detrimental to the dynamics within a free democratic constitutional State.
- This legislative proposal and the accompanying technology will be imported and abused by less democratic governments abroad. Therefore the legislative proposal forms an international precedent for a worldwide Rule of the Jungle instead of the Rule of Law.
- As of yet the legislative proposal lacks a thorough and independent Privacy Impact Assessment.
- This legislative proposal stimulates suboptimal (i.e. crackable by the government, because otherwise illegal?) instead of optimal (‘uncrackable’) ICT security.
- Fighting cybercrime demands multilateral cooperation and coordination instead of unilateral panic-mongering as is the case with this legislative proposal.
The Privacy First Foundation
On June 11, 2012, the long-awaited National Privacy Debate took place in The Hague. Privacy First summarizes the most noteworthy aspects for you, starting with the striking plea (in Dutch) for a Privacy Delta Plan by Brenno de Winter:
"The National Privacy Debate is a unique opportunity to start something beautiful and to challenge people into engaging in open discussion. Let us seize this opportunity and work on a Delta Plan. To make the Netherlands a guiding country again. A model for the rule of law as to the protection of the citizen. That's what we are best at!"
The floor was then given to Anthony House (Google), who at the end of his keynote speech posed the following question to the audience:
“Are the principles of data protection that were developed in the 1970s still good today? Do we need to start from scratch on privacy principles?”
From the silence in the audience and some answers that followed, it could (fortunately) be inferred that the classic privacy principles still suffice today, at least to a large extent.
The event then turned to the first panel discussion, which was focused on the question of what is currently preferred most: more legislation or more self-regulation? The responses from the panel and from the audience showed a predominant preference for both options together instead of just one or the other. As in the financial sector, good laws and strict enforcement have become a bitter necessity for the ICT sector. However, such laws only represent a rapidly aging minimum level of privacy protection. It follows that it is up to the ICT sector itself to operate continuously at the highest, most privacy-friendly (i.e. customer-friendly) level. This is an important selling point which offers significant competitive advantages. In this sense, legislation and self-regulation can complement each other well.
Then there was a speech by Joost Farwerck (KPN) who stated, inter alia, that privacy now has a high priority among a broad Dutch audience: research by KPN had shown that the public attaches most value to this after good healthcare and education. Therefore, KPN has set up an internal Privacy Awareness program and an external Privacy Mission. Farwerck finally pleaded to make the National Privacy Debate a recurring event. (So did Arie van Bellen (ECP-EPN) later that day.) Privacy First is happy to join this plea.
During the second panel session (on privacy and security) some interesting parallels were drawn with security in other sectors such as the food industry and the aviation industry, both in terms of legislation and self-regulation as well as supervision and enforcement. Earlier in the day, Vincent Böhre (Privacy First) had drawn a similar parallel with past developments in the field of environmental protection. Many participants in the debate agreed that, on the one hand, the Dutch Data Protection Authority (DPA) lacks adequate resources and powers, while on the other hand its enforcement of existing privacy laws is too weak. In addition, Walter van Holst (Mitopics) rightly noted from the audience that more emphasis should be put on data minimization. Indeed, without any data no security is needed.
The floor was then given to Bart de Koning: journalist and author of the Dutch book 'Alles onder controle, de overheid houdt u in de gaten' ("Everything under control, the government is watching you"). In his speech, De Koning pointed out some positive recent developments, such as the Dutch resistance to passport fingerprinting, the new Dutch law on cookies, net neutrality and political attention to the risks of the U.S. Patriot Act. At the same time he warned about negative developments such as the Dutch proposal to provide all car number plates with RFID chips. Furthermore, the Netherlands is still champion in eavesdropping. In addition, De Koning noted that Dutch media (including Elsevier magazine) are devoting more attention to privacy than before and that citizens are increasingly keeping an eye on their government instead of vice versa. "The citizen peeks back" and this can have "a disciplining effect on the State", De Koning said. As to the future, De Koning suggested the following guidelines to the audience: 1) think before you act, 2) data minimization, 3) transparancy, 4) effectiveness, 5) sunset clauses and 6) an ongoing debate. De Koning further argued for the introduction of Dutch constitutional review (at the judiciary), a Constitutional Court and stronger oversight by the Dutch DPA. In this connection he made a comparison with Germany, where ANPR (automatic number plate recognition) is prohibited.
Then there was room for discussion with the audience, at which point Joyce Hes (Foundation for the Protection of Civil Rights) made an especially important remark: many public debates (including the periodic Privacy Cafes in Felix Meritis) are conducted with privacy advocates. Politicians and officials who are critical of privacy rarely show up at these debates. This is not good for the discussion.
Finally, Bart de Koning stated that the ethnic 'underclass' has become the main victim of systematic privacy violations, including preventive home visits. Privacy First endorses all of these points.
The topic of the third panel session was "privacy and government":
On behalf of Privacy First, Bas Filippini kicked off as follows:
"What we focus on are private choices in a free environment. Private choice means the freedom to choose, and a free environment means that we endeavor to keep society as free as possible for the average citizen in the Netherlands. This unless you are suspected of a crime: then privacy can be exchanged for security. That is our philosophy. We argue things from principles first, tested against the Constitution. Then we look at the implementation: are there sufficient checks and balances? How is policy being set and how is it applied? Only finally we look at technology. I always use the following example: "With a knife you can stab someone, but you can also make a sandwich." For many people, technology is the "holy grail" to which everything is connected, without first having taken these three steps: 1) principles , 2) policy, 3) implementation, followed by smart use of technology. Often the principles of subsidiarity and proportionality are breached, which is very unfortunate. In government, there are many people who would like to do things differently, but if they disagree with something, they are quickly seen as whistleblowers, which has a stigmatizing effect. So the Titanic keeps on sailing towards the iceberg, currently resulting in more and more profiling. By that we don't mean targeted profiling in case of a reasonable suspicion of a criminal offence, but surveillance of an entire population to see if there is "anything wrong" somewhere, based on outliers, the deviations from the median. We consider this a great danger, because everyone will become suspect. This creates a lot of self-censorship among people, officials and citizens alike."
During the remainder of the panel debate, the observations by Ronald Leenes (Tilburg University) stood out: Leenes warned about loss of confidence among citizens in their government if that government didn't take the right to privacy seriously. "The consideration whether or not an infringement of privacy is necessary in a democratic society is hardly made by the Dutch government in a number of cases", Leenes said. According to Leenes, data are being collected simply "because it's possible", there is huge confidence in technology, it is thought that more information leads to better decisions, insufficient attention is paid by the government to alternatives to reach the same goals, and there is ignorance. Leenes warned about current plans to register prostitutes in a central database. He also stressed that privacy is not only an individual right, but that it also has a social function.
Others in the panel pointed to the dangers of risk profiling. Furthermore, the fallacy "if you have nothing to hide, you have nothing to fear" was unanimously invalidated: everyone has the right to keep his or her private life simply to themselves. Moreover, a core element of freedom is precisely that you may have something to hide. It was further noted that hard work must be made to increase privacy knowledge and awareness in government. Some in the panel emphasized incompetence in government rather than intent. Bas Filippini replied that there is often an agenda behind things, namely policy from the United States and the European Union. "How do you shape your society? Do you do that on a basis of fear, hatred and control, or on a basis of trust, freedom and love?", Filippini said.
Then there was a discussion with the audience, in which Jeroen Terstegge (PrivaSense) rightly stated that one should be wary of Privacy Impact Assessments (PIAs) conducted by directly involved officials rather than an independent regulator, such as a Chief Privacy Officer. In this field there should be more self-criticism in government, aside from the Dutch DPA's external role. Another striking remark from the audience was made at the end of the panel session by Dimitri Tokmetzis (Sargasso): insurance was originally intended to spread risk, but through profiling risks are being individualized. This comes at the expense of solidarity in our society.
Thereafter Pim Takkenberg (National Police Services Agency, KLPD) held a speech on the theme of privacy and criminal investigation, in which he specifically discussed the dilemmas around dismantling a so-called botnet: a network of hijacked computer systems. According to Takkenberg, the legal framework in this context is sometimes "insufficiently specific", e.g. in case of 1) remotely "entering" (or hacking) computer systems by the police and 2) international cooperation in fighting cybercrime. Also in public-private partnerships, the police in this context are still "walking on eggshells", Takkenberg noted. In reply to a question from the audience about the effectiveness of data retention, Takkenberg said that "sometimes you have to give things some time in order to see what they yield in the long-term". This strengthens the position of Privacy First that this measure should never have been introduced. Finally, Takkenberg rightly stated that the police does not benefit from too much information gathering and that one must be very selective.
The panel discussion on privacy and criminal investigation that followed took an unexpected turn due to the comments of Jan Grijpink (Utrecht University, formerly also Ministry of Justice) on the recent complications surrounding the Dutch biometric passport. When asked which aspect of the privacy debate annoyed him, Grijpink answered as follows:
"The discussion about the biometric passport, which I find a good example of how too persistent nagging - if I may say so - on the privacy side impairs the security side. If we have now come to the point of saying "let's remove the fingerprints from the passport", then I am satisfied. Back in 2002, I would have liked to avoid putting fingerprints on the passport, because it is unnecessary to use fingerprints to verify the holder. That has just been superfluous. But the moment you put fingerprints on the passport, you must be able to check whether those fingerprints are still the correct fingerprints and whether the person who says he belongs to them is truly that person. This has led to a decision by various [Dutch] ministers who were responsible for storing four fingers in a municipal database, and if you don't have that, then the citizen is actually lawless when he carries a document with two fingers, because that document is also intended to show to others. If it is just for yourself, then so be it, but a passport is meant to hand over to an authority. When we distribute a passport, we do not even check with the same biometrics whether it's really being distributed to the person who's the official holder. Either no fingerprints, or completely correct. Both these aspects are now threatened to be destroyed through a persistent nagging to one aspect of privacy only. That's what I worry about."
This led Vincent Böhre (Privacy First) to ask Grijpink about his assessment of the risk of function creep in the storage of fingerprints in municipal databases.
Grijpink answered as follows:
"If you put the fingers on the passport only, you just lose all control for the protection of the individual. I have always made the case for storing four fingers - two on the passport and two extra - with the municipality in order to be able to check whether it is still the right person and whether anything in the document has changed. This can also exonerate yourself if you're accused of something with such a document. Whether that can lead to function creep: yes, everything can lead to function creep. But I think that if you organize it well, and I'm naturally a strong supporter of that, also because of the fact that we build large-scale infrastructures with chain-computerization to manage it well, then I think you also have to put some confidence in the government in a certain sense. I have been part of it for 40 years. In my view, some sort of a ghost is often made of the government in privacy debates. I don't recognize that. Many government officials do their work faithfully."
It is up to the reader to draw his own conclusions from this... ;)
During the panel discussion another central issue concerned the question whether or not to release figures on Dutch telephone and internet wiretaps. On behalf of Bits of Freedom Simone Halink rightly pleaded for more transparency in this respect. From the KLPD corner (and a former AIVD intelligence officer in the audience) however, it quickly became clear that there was complete unwillingness to provide any openness. This then led to a hardening of the discussion in which privacy advocates and (former) representatives of police and justice became diametrically opposed to each other. During this discussion Grijpink made the following remarks:
"I want to bring attention to an aspect as to why you should also be careful with making such hard calls for data and surveys. Especially, very clear in my file, identity fraud, then you make use of someone else's identity. When successful, it is invisible. And if the person is dead, then he won't notice anything. So that's a good example that if you start measuring, you get the wrong answer. And false conclusions and false images may even be worse for criminal investigation than if something gets known. In the case of identity fraud it is quite clear. I was asked: "How bad is the problem?" I replied: "Asking that question means that you don't understand. You must first have a situation in which you are sure to have the person who succeeded in committing identity fraud." There is only one situation that I know: the prison cells of the Justice department. Then minister Donner said: "Let's have a look." And guess what: 15% had the wrong identity. Half of those we didn't even know. And those people are in jail. In other words: figures are only really useful to some extent, and in the public debate they often go wrong."
This led Böhre to emphasize the importance of the notion that privacy is a human right, in which the question of proportionality in both individual and collective sense is fundamental. The discussion should therefore always be based on hard facts and figures. Vague assumptions about look-alike fraud are no excuse to impose biometric passports on an entire population. No negative reaction to this followed from the panel. The importance of further discussions based on facts and figures also seemed to be recognized by the audience. In that sense, the National Privacy Debate hopefully marked the end of an era of fact-free politics.
Privacy First will be happy to actively attend the next National Privacy Debate. In the meantime, the debate between all relevant stakeholders should be permanent.
A full video recording of the whole (6.5 hour) National Privacy Debate can be viewed online HERE.
More pictures of the event can be found HERE and HERE.
Postscript: the above report has also been published in the Dutch journal Privacy & Compliance 3-4/2012, p. 46-49.