The world is hit exceptionally hard by the coronavirus. This pandemic is not only a health hazard, but can also lead to a human rights crisis, endangering privacy among other rights.
The right to privacy includes the protection of everyone’s private life, personal data, confidential communication, home inviolability and physical integrity. Privacy First was founded to protect and promote these rights. Not only in times of peace and prosperity, but also in times of crisis.
Now more than ever, it is vital to stand up for our social freedom and privacy. Fear should not play a role in this. However, various countries have introduced draconian laws, measures and infrastructures. Much is at stake here, namely preserving everyone’s freedom, autonomy and human dignity.
Privacy First monitors these developments and reacts proactively as soon as governments are about to take measures that are not strictly necessary and proportionate. In this respect, Privacy First holds that the following measures are in essence illegitimate:
- Mass surveillance
- Forced inspections in the home
- Abolition of anonymous or cash payments
- Secret use of camera surveillance and biometrics
- Every form of infringement on medical confidentiality.
Privacy First will see to it that justified measures will only apply temporarily and will be lifted as soon as the Corona crisis is over. It should be ensured that no new, structural and permanent emergency legislation is introduced. While the measures are in place, effective legal means should remain available and privacy supervisory bodies should remain critical.
Moreover, in order to control the coronavirus effectively, we should rely on the individual responsibility of citizens. Much is possible on the basis of voluntariness and individual, fully informed, specific and prior consent.
As always, Privacy First is prepared to assist in the development of privacy-friendly policies and any solutions based on privacy by design, preferably in collaboration with relevant organizations and experts. Especially in these times, the Netherlands (and the European Union) can become an international point of reference when it comes to fighting a pandemic while preserving democratic values and the right to privacy. This is the only way that the Corona crisis will not be able to weaken our world lastingly, and instead, we will emerge stronger together.
The coronavirus has plunged the whole world into a deep crisis and governments do their utmost to control the dissemination. As I wrote in my previous column, it is important especially now to keep our heads cool and to protect our civil rights and privacy. A short and temporary infringement of our privacy in the general interest may be legitimate. The western model should imply a partial, temporary lockdown, lasting at most twice the incubation period so as to control the spread of the virus based on increased testing, and to facilitate the healthcare system, augmenting the number of critical care beds.
Moreover, this should be a participatory lockdown, based on voluntary participation and citizens’ individual responsibility. This is only logical, as trust is the cornerstone of our democratic society, even though at times there is a lack of it. This concerns trust in fellow citizens, the government and first of all, oneself. At this point in time I have a lot of confidence in the Dutch approach, which is a combination of common sense and relying on healthcare experts. Ultimately, we will have to learn to live with this virus and control potential outbreaks.
To measure is to know and therefore it is essential to scale up the number of tests with the right test equipment without delay. There are tests which can indicate quickly whether someone is infected. It is interesting to note that in Germany, where practically everyone with symptoms is being tested, the percentages of gravely ill and deceased people are considerably lower than in countries where testing is very limited. For policy makers and politicians it is thus very important to take the right decisions on the basis of facts.
If not, there will be a long-standing and emotionally-driven struggle, the encroachment on our freedom will not be short and temporary and power will shift disproportionately into the hands of the State. Such a scenario will see us move towards a forced surveillance society (see the current situation Israel is in, the newly introduced legislation in the UK as well as EU proposals with regard to telecom location data), characterised by the abolishment of anonymous (cash) payments (see the current guidelines in the Dutch retail sector), the dissolution of medical confidentiality and physical integrity in the context of potential virus infections (compulsory vaccinations and apps) and censorship of any alternative or undesired sources of information that counter the prevailing narrative. Besides, commercial interests of IT and pharmaceutical companies would come to dominate even more.
In the best case scenario, both society and the economy will soon be able to revive on the basis of individual and aggregate test results, with this lesson to bear in mind: let’s not lose the importance of our freedom, health and individual responsibility out of sight. All of a sudden, citizens have been left to their own devices and this experience will make them realize that life is not malleable and our society is not a mere paper exercise. This situation could lead to increased civic participation and less government, i.e. greater focus on critical functions. When we take a look around now, we see positive-minded, well-informed and responsible citizens and there is no need to keep focusing on a handful of exceptions. That is, as long as the measures in place are comprehensible, measurable and very temporary, and are not packaged into structural legislation, thereby misusing the crisis in order to grant certain organizations and sectors greater influence and power.
Finally, it’s worth realizing that all entrepreneurial Dutchmen without whom we would not be able to pay our fine public services, also deserve a round of applause. And perhaps the idea of a basic income for every citizen could be reviewed once more. In other words: let’s aim for more individual decisions in a freer society that is supported by technology and common sense!
Here’s to a free 2020!
Privacy First chairman
(in personal capacity)
Many questions have been raised about Privacy First’s point of view in relation to the protection of privacy in crisis situations, such as the one we’re currently experiencing as a result of the coronavirus. As indicated previously, I support the precautionary principle, i.e., we don’t know what we don’t know and what in fact is effective. A strict, western-style approach on the basis of a temporary (partial) lockdown for a (very) short period of time will drastically flatten the coronavirus curve and will make sure the healthcare system does not collapse. This also allows us to gain time to find a vaccine or medicine. We still don’t know exactly what kind of virus we’re dealing with, how it came into existence and how to control it.
Our society is built on trust. In a crisis situation like we’re in now, authorities will have to take temporary crisis measures which allow citizens to do the right thing voluntarily and on the basis of trust. This may temporarily restrict privacy, such as freedom of movement and/or physical integrity (think of being in quarantine). The government can choose to have a full or partial lockdown. Making this choice, it is essential that we rely on the norms and values of our free, democratic society, and that there is trust both in the citizenry and in the means and measures that may be employed. Ideally, this would result in a participatory lockdown based on everyone’s freedom and sense of responsibility.
Past experience shows that when there is open and honest communication, citizens act responsibly and in the general interest. This implies that draconian and structural legislative measures that restrict freedom can be kept at bay, much to the benefit of the people and the economy. In this respect, it is significant that practically all companies, institutions and organizations currently comply with the protocols, and even do more than what is required. After a period of inaction, the Dutch government has decided to act and take responsibility, which is most welcome. After all, this concerns a potentially great number of very sick patients and fatalities, including many elderly and vulnerable people.
Our government has opted for a democratic instead of a dictatorial approach, and that is to be applauded. So let’s use this moment to keep our head cool instead of infringing upon everyone’s freedom and right to privacy, freedom of movement, bodily integrity and cash payments. I see there is a bitter wind sweeping through Denmark, where a coronavirus emergency law has been rushed through, allowing the authorities to force people to be vaccinated (even though there is no vaccine yet), and in France too, where permanent crisis measures seem to have been implemented. All this is incompatible with a decent society and creates misplaced precedents. Let’s act in the general interest on the basis of trust and everyone’s own responsibility. For that, we need neither to be locked up, nor do we want to see the army in the streets, or any other draconian measures or laws to be put in place.
Let’s strive for a free and trustworthy Netherlands and Europe.
Privacy First chairman
(in personal capacity)
Today, the district court of The Hague ruled on the use of the algorithm-based system SyRI (System Risk Indication) by the Dutch government. The judges decided that the government, in trying to detect social services fraud, has to stop profiling citizens on the basis of large scale data analysis. As a result, people in the Netherlands are no longer 'suspected from the very start’ ("bij voorbaat verdacht").
The case against the Dutch government was brought by a coalition of NGOs, consisting of the Dutch Platform for the Protection of Civil Rights (Platform Bescherming Burgerrechten), the Netherlands Committee of Jurists for Human Rights (Nederlands Juristen Comité voor de Mensenrechten, NJCM), Privacy First, the KDVP Foundation (privacy in mental healthcare), Dutch trade union FNV, the National Clients Council (LCR) and authors Tommy Wieringa and Maxim Februari.
The court concludes that SyRI is in violation of the European Convention on Human Rights. SyRI impinges disproportionately on the private life of citizens. This concerns not only those that SyRI has flagged as an 'increased risk', but everyone whose data are analysed by the system. According to the court, SyRI is non-transparent and therefore cannot be scrutinized. Citizens can neither anticipate the intrusion into their private life, nor can they guard themselves against it.
Moreover, the court draws attention to the actual risk of discrimination and stigmatization on the grounds of socio-economic status and possibly migration background, of citizens in disadvantaged urban areas where SyRI is being deployed. There is a risk – which cannot be examined – that SyRI operates on the basis of prejudices. The attorneys of the claimant parties, Mr. Ekker and Mr. Linders, had this to say: "The court confirms that the large scale linking of personal data is in violation of EU law, Dutch law and fundamental human rights, including the protection of privacy. Therefore, this ruling is also important for other European countries and on a wider international level."
From now on, as long as there is no well-founded suspicion, personal data from different sources may no longer be combined.
Line in the sand
"This ruling is an important line in the sand against the unbridled collection of data and risk profiling. The court puts a clear stop to the massive surveillance that innocent citizens have been under. SyRI and similar systems should be abolished immediately", states Privacy First director Vincent Böhre.
"Today we have been proved right on all fundamental aspects. This is a well-timed victory for the legal protection of all citizens in the Netherlands", says Tijmen Wisman of the Platform for the Protection of Civil Rights.
Another plaintiff in the case, trade union FNV, equally rejects SyRI on principal grounds. "We are delighted that the court has now definitively cancelled SyRI", comments Kitty Jong, vice chair of FNV.
The parties hope that the ruling will herald a turning point in the way in which the government deals with the data of citizens. They believe this viewpoint is endorsed by the considerations of the court: these apply not only to SyRI, but also to similar practices. Many municipalities in the Netherlands have their own data linking systems which profile citizens for all sorts of policy purposes. When it comes to combining data, a legislative proposal that would be greater in scope than SyRI and would enable lumping together the databases of private parties and those of public authorities, was all but unthinkable. The decision by the Hague district court, however, clamps down on these Big Data practices. According to the claimant parties, it is therefore of crucial importance that the SyRI ruling will affect both current as well as future political policies.
The case against SyRI serves both a legal and a social goal. With this ruling, both goals are reached. Merel Hendrickx of PILP-NJCM: "Apart from stopping SyRI, we also aimed at initiating a public debate about the way the government deals with citizens in a society undergoing digitisation. This ruling shows how important it is to have that discussion."
Although SyRI was adopted in 2014 without any fuss, the discussion about its legality intensified after the lawsuit was announced. At the start of 2019, the use of SyRI in two Rotterdam neighbourhoods led to protests among inhabitants and a discussion in the municipal council. Soon after, the mayor of Rotterdam, Ahmed Aboutaleb, pulled the plug on the SyRI program because of doubts over its legal basis. In June 2019, Dutch newspaper Volkskrant revealed that SyRI had not detected a single fraudster since its inception. In October 2019, the UN Special Rapporteur on extreme poverty and human rights, Philip Alston, wrote a critical letter to the district court of The Hague expressing serious doubts over the legality of SyRI. Late November 2019, SyRI won a Big Brother Award.
The coalition of parties was represented in court by Anton Ekker (Ekker Advocatuur) and Douwe Linders (SOLV Attorneys). The proceedings were coordinated by the Public Interest Litigation Project (PILP) of the NJCM.
The full ruling of the court can be found HERE (official translation in English).
Fundamental lawsuit against mass risk profiling of unsuspected citizens
On Tuesday October 29 at 9:30 am in the district court of The Hague the court hearing will take place in the main proceedings of a broad coalition of Dutch civil society organizations against Systeem Risico Indicatie (System Risk Indication - SyRI). SyRI uses secret algorithms to screen entire residential areas to profile citizens on the risk of fraud with social services. According to the coalition of plaintiffs, this system poses a threat to the rule of law and SyRI must be declared unlawful.
The group of plaintiffs, consisting of the Dutch Platform for the Protection of Civil Rights, the Netherlands Committee of Jurists for Human Rights (NJCM), the Privacy First Foundation, the KDVP Foundation and the National Client Council (LCR), in March 2018 sued the Dutch Ministry of Social Affairs. Authors Tommy Wieringa and Maxim Februari, who previously spoke very critically about SyRI, joined the proceedings in their personal capacity. In July 2018, Dutch labour union FNV also joined the coalition.
The parties are represented by Anton Ekker (Ekker Advocatuur) and Douwe Linders (SOLV Attorneys). The case is coordinated by the Public Interest Litigation Project (PILP) of the NJCM.
Trawl method on unsuspected citizens
SyRI links the personal data of citizens from various government databases on a large scale. These centrally collected data are subsequently analyzed by secret algorithms. This should show whether citizens pose a risk of being guilty of one of the many forms of fraud and violations that the system covers. If the analysis of SyRI leads to a risk notification, then the citizen in question will be included in the so-called Risk Notices Register (Register Risicomeldingen), which can be accessed by government authorities.
SyRI uses this trawl method to screen all residents of a neighborhood or area. For this, the system uses almost all data that government authorities store about citizens. It comprises 17 data categories, which together provide a very intrusive picture of someone's private life. SyRI currently covers the databases of the Dutch Tax Authorities, Inspectorate of Social Affairs, Employment Office, Social Security Bank, municipalities and the Immigration Service. According to the Dutch Council of State (Raad van State), which gave a negative opinion on the SyRI bill, it was hard to imagine any data that did not fall within the scope of the system. Former chairman Kohnstamm of the Dutch Data Protection Authority, which also issued a negative opinion on the system, called the adoption of the SyRI legislation "dramatic" at the time.
Threat to the rule of law
According to the claimants, SyRI is a black box with major risks for the democratic rule of law. It is completely unclear to any citizen, who can be screened by SyRI without cause, what data are used for this, which analysis is carried out with it and what makes him or her a 'risk'. Moreover, due to the secret operation of SyRI, citizens are also unable to refute an incorrect risk indication. The use of SyRI makes the legal process and the associated procedures intransparent.
SyRI thereby undermines the relationship of trust between the government and its citizens; these citizens are in fact suspected in advance. Virtually all information that they share with the government, often to be eligible for basic services, can be used against them secretly without any suspicion.
The plaintiffs in this lawsuit are not opposed to the government combating fraud. They just think that this should be done on the basis of a concrete suspicion. There should be no trawl searches in the private life of unsuspected Dutch citizens to look for possible fraud risks. According to the claimants, this disproportionate method does more harm than good. There are better and less radical forms of fraud prevention than SyRI.
Not one fraudster detected yet
The total of five SyRI investigations that have been announced since the system's legal introduction have by now turned tens of thousands of citizens inside out, but have not yet detected one fraudster. This was revealed at the end of June 2019 by Dutch newspaper Volkskrant, which managed to get hold of evaluations of SyRI investigations. The investigations failed because the analyses were incorrect, due to lack of capacity and time at the implementing bodies, but also because there is disagreement within the government about SyRI.
For example, mayor Aboutaleb of Rotterdam pulled the plug from the SyRI investigation in two neighborhoods in Rotterdam South last summer, because the Ministry, unlike the municipality, also wanted to use police and healthcare data in the investigation. The deployment of SyRI also led to protest among the neighborhood's residents, who clearly showed that they felt insulted and unfairly treated.
UN expresses concern about SyRI
The UN Special Rapporteur on extreme poverty and human rights Philip Alston wrote to the court earlier this month about his concerns about SyRI and urged the judges to thoroughly assess the case. According to the rapporteur, several fundamental rights are at stake. SyRI is described in his letter as a digital equivalent of a social detective who visits every household in an area without permission and searches for fraudulent cases; in the analogue world such a massive manhunt would immediately lead to great resistance, but with a digital instrument such as SyRI, it is wrongly claimed that 'ignorance is bliss'.
The court hearing is open to the public and will take place on Tuesday October 29th from 9.30 am in the Palace of Justice, Prins Clauslaan 60 in The Hague. Case number: C/09/550982 HA ZA 18/388 (Nederlands Juristen Comité c.s./Staat).
Source: campaign website Bijvoorbaatverdacht.nl.
Today an important debate will take place in the Dutch House of Representatives about the introduction of Passenger Name Records (PNR): the large scale, years-long storage of all sorts of data of airline passengers, supposedly to fight crime and terrorism. Privacy First has major objections and at the end of last week has sent the following letter to the House. Today’s parliamentary debate was first scheduled to take place on 14 May 2018, but was cancelled (following a similar letter from Privacy First) until further notice. Following new parliamentary questions, the debate will now take place today after all. Here is the full text of our most recent letter:
Dear Members of the House of Representatives,
On Monday afternoon, this 11 March, you will discuss the Dutch implementation of the European directive on Passenger Name Records (PNR) with minister Grapperhaus (Justice and Security). In Privacy First’s view, both the European PNR directive as well as the Dutch implementation thereof are legally untenable. We shall here briefly elucidate our position.
Under the minister’s legislative proposal concerning PNR, numerous data of every single airline passenger travelling to or from the Netherlands will be stored for five years in a central government database of the new Passenger Information Unit and will be used to prevent, investigate and prosecute crimes and terrorism. Sensitive personal data (such as names, addresses, telephone numbers, email addresses, dates of birth, travel data, ID document numbers, destinations, fellow passengers and payment data) of many millions of passengers will, as a result, become available for many years for the purpose of data mining and profiling. In essence, this means that every airline passenger will be treated as a potential criminal or terrorist. In 99.9% of all cases, however, this concerns perfectly innocent citizens, mainly holidaymakers and business travellers. This is a flagrant breach of their right to privacy and freedom of movement. Last year, Privacy First had already made these arguments in the Volkskrant and on BNR Nieuwsradio. Because of privacy objections, in recent years there has been a lot of political resistance to such large scale PNR storage of data, which has been rejected by both the House of Representatives as well as the European Parliament on several occasions since 2010. In 2015, Dutch ruling parties VVD and PvdA were absolutely opposed to PNR as well. Back then, they called it a ‘holiday register’ and they themselves threatened to take to the European Court of Justice in case the PNR directive would be adopted. However, after the attacks in Paris and Brussels, it seemed that many political restraints had evaporated and in 2016, the PNR directive finally came about after all. Up to now however, the legally required necessity and proportionality of this directive have still to be demonstrated.
In the summer of 2017, the European Court of Justice issued an important ruling with regard to the similar PNR agreement between the EU and Canada. The Court declared this agreement invalid because it violates the right to privacy. Among other things, the Court held that the envisaged agreement must, “limit the retention of PNR data after the air passengers’ departure to that of passengers in respect of whom there is objective evidence from which it may be inferred that they may present a risk in terms of the fight against terrorism and serious transnational crime.” (See Opinion 1/15 (26 July 2017), par. 207.) Ever since this ruling, the European PNR directive is a legal uncertainty. Therefore, the Dutch government has valid ‘‘concerns about the future viability of the PNR directive” (see Note in response to report, p. 23, in Dutch). Privacy First expects that the current PNR directive will soon be submitted to the European Court of Justice for judicial review and will then be declared unlawful. Subsequently, a situation will arise that is similar to the one we have witnessed a few years ago with regard to the European Telecommunications Data Retention Act: as soon as this European directive will be annulled, the Dutch implementing provisions will equally be invalidated in interim injunction proceedings.
The current Dutch PNR legislative proposal seems unlawful a priori because of a lack of demonstrable necessity, proportionality and subsidiarity. The legislative proposal comes down to mass surveillance of mostly innocent citizens; in the 2016 Tele2 case the European Court already ruled that this type of legislation is unlawful. Thereupon the Netherlands pledged before the UN Human Rights Council “to ensure that the collection and maintenance of data for criminal [investigation] purposes does not entail massive surveillance of innocent persons.” The Netherlands now seems to renege on that promise. After all, a lot of completely unnecessary data of every airline passenger will be stored for years and can be used by various Dutch, European and even non-European government agencies. Moreover, the effectiveness of PNR has to date never been demonstrated, the minister himself affirmed: ‘‘There is no statistical support” (see Note in response to report, p. 8, in Dutch). The risk of unjust suspicion and discrimination (due to fallible algorithms used for profiling) under the proposed PNR system is serious, which also increases the likelihood of delays and missed flights for innocent passengers. All the while, wanted persons will often stay under the radar and choose alternative travel routes. Furthermore, the legislative proposal entirely fails to address the role and capabilities of secret services, which will be granted secret and shielded access to the central PNR database under the new Dutch Intelligence and Security Services Act. However, the most questionable aspect of the Dutch PNR legislative proposal is that it goes even two steps further than the European PNR directive itself: After all, it is the Dutch government's own decision to also store the data of passengers on all intra-EU flights. This is not obligatory under the PNR directive, and the Netherlands could have limited this to preselected flights (judged to be at risk) only. This would have been in line with the advice of most experts in this field who argue for targeted actions as opposed to mass surveillance. In other words, to focus on persons with a reasonable suspicion about them, in accordance with the principles of our democracy under the rule of law.
Privacy First Advice
Privacy First strongly advises you to reject the current legislative proposal and to replace it with a privacy-friendly version. In case this will lead to the European Commission referring the Netherlands to the European Court of Justice due to a lack of implementation of the present PNR directive, Privacy First would be confident this would end in a clear victory for the Netherlands. EU Member States simply cannot be expected to implement privacy-violating EU rules. This applies equally to the national implementation of relevant resolutions of the UN Security Council (in this case UNSC Res. 2396 (2017)) which is similarly at odds with international human rights law. In this respect, Privacy First has already warned of the abuse of the Dutch TRIP system (which is also used for PNR) by other UN Member States. In this regard, the Netherlands has its own responsibility under the Dutch Constitution as well as under international law.
Privacy First Foundation
Update 19 March 2019: Regrettably, today the House of Representatives has adopted the legislative proposal almost unchanged; only GroenLinks, SP, PvdD and Denk voted against. Unfortunately, a motion by GroenLinks and SP to provoke legal action by the European Commission against the Dutch government about the PNR directive was rejected. The only bright spot is the widely adopted motion for the judicial reassessment and possible revision of the PNR directive at a European political level. (Only PVV and FvD voted against this motion.) Next stop: the Senate.
Update 4 June 2019: despite sending the above letter for a second time and despite other critical input by Privacy First, the Senate today has unfortunately adopted the legislative proposal. Only GroenLinks, PvdD and SP voted against. Even in spite of the enormous error rates (false positives) of 99.7% that recently came to light in the comparable German PNR system, see https://www.sueddeutsche.de/digital/fluggastdaten-bka-falschtreffer-1.4419760. Meanwhile, large scale cases have been brought against the European PNR directive in Germany and Austria in order for the European Court of Justice to nullify it on account of violations of the right to privacy, see the German-English campaign website https://nopnr.eu and https://www.nrc.nl/nieuws/2019/05/15/burgers-in-verzet-tegen-opslaan-passagiersgegevens-a3960431. As soon as the European Court rules that the PNR directive is unlawful, Privacy First will start interim injunction proceedings in order for the Dutch PNR law to be rendered inoperative. Moreover, yesterday Privacy First has put the PNR law on the agenda of the UN Human Rights Committee in Geneva. On 1 and 2 July 2019, the overall human rights situation in the Netherlands (including violations of the right to privacy) will be critically reviewed by this Committee.
The Dutch Ministry of Finance is about to oblige companies to export personal data on a large scale. The measure is hidden in a subordinate clause of a letter from the Minister of Finance, although it has major consequences. The measure obliges companies that trade in 'virtual assets' (such as bitcoins, real estate, but also purchases in computer games) to include personal data of customers in the transaction records and messages. The information from all parties involved needs to remain visible and available to everyone in the value chain.
Consumers, companies and citizens cannot object to this mandatory addition of their personal data. The topic is not receiving the proper amount of political attention because it is presented as a technical measure. In his letter to Dutch Parliament of 21 March 2019, the Minister fails to point out the large scope and impact. It is, however, suggested that a consultation round will take the market responses to the envisaged rules onboard.
Privacy First and VBNL (United Bitcoin Companies Netherlands) have meanwhile understood that the worldwide objections to the proposed measure are being ignored. That is why they are today sending an urgent letter to the Dutch Minister of Finance. They ask him to study the issue better, with all relevant Ministries and in particular: to better inform Parliament. In doing so, they point to the conflicts of law that may arise as the measure may well violate international agreements and treaties that protect privacy.
Where it is known that consumers are very reluctant to make their own data available to private and commercial institutions, the government must be similarly reluctant on their behalf. Privacy First finds it extremely unfortunate that the Ministry of Finance seems to intend to give this all-in permission for unbridled export of personal data without giving it proper attention and without applying due process.
There is no merit to the claim that the measure is required for counter-terrorism purposes. Experts at Europol (!) indicate that the international proposal is "overkill" and not necessary for investigative purposes. The rule adds nothing to the existing European framework against money laundering and terrorist financing and only increases the risk of unwanted data breaches.
Privacy First and VBNL hope that their letter will make Dutch Parliament aware that this is a proposal that goes far beyond the much-debated access-regime of the recent second European Payment Services Directive (PSD2). With PSD2, consumers can decide to share data themselves. With this proposal, they will become deprived of that fundamental right for all kinds of economic acts. Privacy First and VBNL are calling on parliamentarians to protect consumers and businesses against this unnecessary planned measure.
The letter can be downloaded here (pdf).
Writing a New Year’s Column about the state of affairs concerning the protection of everyone’s privacy weighs me down this year. With the exception of a few bright spots, privacy in the Netherlands and the rest of the world has greatly deteriorated. For a while it seemed that the revelations of Edward Snowden in 2013 about secret services tracking everyone’s online behavior would be a rude wake-up call for the world. It was thought that an increasing number of data breaches and a rising number of governments and companies getting hacked, would make people realize that large amounts of data stored centrally is not the solution. The Arab Spring in 2015 would bring about major change through the unprecedented use of (social) media.
The European Union successfully voted against the exchange of data relating to travel movements, paved the way for the current General Data Protection Regulation and seemed to become the shining alternative example under the guidance of Germany, a country known for its vigilance when it comes to privacy. Unfortunately, things turned out differently. Under the Obama administration, Snowden was shunned as a traitor and other whistleblowers were clamped down on harder than ever before. Julian Assange was forced into exile while murdering people with the use of drones and without any form of trial was implemented on a large scale. Extrajudicial killings with collateral damage... While the discussion was about waterboarding... Discussions on such ‘secondary topics’ have by now become commonplace in politics, and so has the framing and blaming of opponents in the polarized public debate (the focus is usually on the person rather than on the argument itself).
Looking back on 2018, Privacy First identifies a great number of areas where the breakdown of privacy is evident:
Government & privacy
In March, an advisory referendum in the Netherlands was held on the introduction of the so-called Tapping law. Immediately after that, the referendum was abrogated. This happened in a time of unprecedented technological possibilities to organize referendums in various ways in a shared democracy. That’s outrageous. The outcome of the referendum was not taken into account and the Tapping law was introduced just like that. Moreover, it turned out that all along, the Dutch Minister of the Interior had withheld an important report on the functioning of the Dutch General Intelligence and Security Service.
Apparently this was nothing to worry about and occurred without any consequences. The recent report by the Dutch State Commission on the (re)introduction of referendums will likely end up in a drawer, not to be looked at again.
Fear of losing one’s role and the political mood of the day are all too important in a culture in which ‘professional politicians’ are afraid to make mistakes, but which is full of incidents nonetheless. One’s job or profession comes first, representing citizens comes second. Invariably, incidents are put under a magnifying glass in order to push through binding legislation with a broad scope. Without the review of compliance with guiding principles such as necessity, purpose limitation, subsidiarity and proportionality. There is an ever wider gap between government and citizens, who are not trusted but are expected to be fully transparent towards that self-same government. A government that time and again appears to be concealing matters from citizens. A government that is required by law to protect and promote privacy, but is itself still the most prominent privacy-violator.
The medical establishment & privacy
In this area things got really out of hand in 2018. Through various coordinated media offensives, the EU and the member states are trying to make us believe in the advantages of relinquishing our right to physical integrity and our humanity. Sharing biometric data with the United States continues unabatedly. We saw the police calling for compulsory DNA databases, compulsory vaccination programs, the use of smart medicines with microchips and the phasing out of alternative therapies. Furthermore, health insurance companies cautiously started to cover genetic testing and increasingly doing away with medical confidentiality, the Organ Donation Act was introduced and microchips implanted in humans (the cyborg as the highest ideal in Silicon Valley propaganda) became ever more popular.
How long before microchips become compulsory for all citizens? All (domestic) animals in the EU have already preceded us. And then there’s the Electronic Health Record, which was first rejected in the Dutch Senate but has reappeared on the minister’s agenda via a detour. Driven by commercial interests, it is being rammed down the throats of general practitioners while alternatives such as Whitebox are not taken seriously. The influence of Big Pharma through lobbying with government bodies and participating in government working groups is particularly acute. They closely cooperate with a few IT companies to realize their ideal of large and centralized networks and systems. It’s their year-end bonus and growth at the expense of our freedom and well-being.
Media & privacy
Naturally, we cannot overlook ‘fake news’. One of the premises for having privacy is being able to form your own opinion and respect and learn from the opinions of others. Furthermore, independent left and right-wing media are essential in a democratic constitutional State. It's their task to monitor the functioning of elected and unelected representatives in politics and in government. Journalists should be able to penetrate into the capillaries of society in order to produce local, national and global news.
Ever since free news gathering came about, it has been a challenge to obtain news based on facts. It’s not always easy to distinguish a press service, PR and propaganda from one another. In times of rapid technological changes and new opportunities, they should be continuously reviewed according to the principles of journalism. That’s nothing new. What is new, however, is that the European Union and our own Minister for the Interior, Kajsa Ollongren, feel they’re doing the right thing by outsourcing censorship to social media companies that are active on a global scale and have proven to be unreliable.
While Facebook and Google have to defend themselves in court for spreading fake news and censoring accounts, the governments hand over the monitoring task to them. The privacy violators and fake news distributors as the guardians of our privacy and journalism. That’s the world upside down. By so doing, this minister and this government undermine the constitutional State and show disdain for intelligent citizens. It’s time for a structural change in our media system, based on new technologies such as blockchain and the founding of a government media office whose task is to fund all media outlets through citizens’ contributions, taking into account the media’s scope and number of members. So that concerns all media, including the so-called alternative media, which should not be censored.
Finance & privacy
The erosion of one’s privacy increasingly manifests itself at a financial level too. The fact of the matter is, that the tax authorities already know in detail what the spending pattern of all companies and citizens looks like. Thanks to the Tapping Law, they can now pass on this information in real-time to the secret services (the General Intelligence and Security Service is watching along). Furthermore, a well-intended initiative such as PSD2 is being introduced in a wholly improvident and privacy-unfriendly way: basic conditions relating to the ownership of bank details (of citizens, account holders) are devoid of substance. Simple features such as selective sharing of banking details, for example according to the type of payment or time period, are not available. What’s more, payment details of third parties who have not given their consent, are sent along.
In the meantime, the ‘cash = criminal’ campaign goes on relentlessly. The right to cash and anonymous payment disappears, despite even the Dutch Central Bank now warning that the role of cash is crucial to our society. Privacy First has raised its opinion on this topic already in 2016 during a public debate. The latest development in this regard is the further linking of information through Big Data and profiling by debt-collecting agencies and public authorities. Excluding citizens from the electronic monetary system as a new form of punishment instead of letting them pay fines is a not so distant prospect. In this regard, a lot of experimentation is going on in China and there have been calls in Europe to move in the same direction, supposedly in order to fight terrorism. In other words, in the future it will become increasingly difficult to raise your voice and organize against abuse of power by governments and companies: from on high it takes only the press of a button and you may no longer be able to withdraw cash, travel or carry out online activities. In which case you have become an electronic outcast, banished from society.
Public domain & privacy
In 2018, privacy in public space has all but improved. Whereas 20 years ago, the Netherlands was deemed too small to require everyone out on the streets to be able to identify themselves, by now, all governments and municipalities in Europe are developing ‘smart city’ concepts. If you ask what the benefits and use of a smart city are (beyond the permanent supervision of citizens), proponents will say something vague about traffic problems and that the 'killer applications' will become visible only once the network of beacons is in place. In other words, there are absolutely no solid figures which would justify the necessity, subsidiarity and proportionality of smart cities. And that’s not even taking basic civil rights such as privacy into consideration.
Just to give a few examples:
- ANPR legislation applies from 1 January 2019 (all travel movements on public roads will be stored in a centralized police database for four weeks)
- A database consisting of all travel movements and stays of European citizens and toll rates as per 2023
- Emergency chips in every vehicle with a two-way communication feature (better known as spyware) as per 1 January 2019
- Cameras and two-way communication in public space, built into the lampposts among other objects as part of smart city projects
- A decision to introduce additional cameras in public transport as per 2019
- The introduction of Smart Cities and the introduction of unlimited beacons (doesn’t it sound so much better than electronic concentration camp posts?)
- Linking together all traffic centers and control rooms (including those of security companies operating on the private market)
- Citizens are permanently monitored by invisible and unknown eyes.
Private domain & privacy
It’s well known that governments and companies are keen to take a peek in our homes, but the extent to which this was being advanced last year, was outside of all proportion. Let’s start with energy companies, who foist compulsory smart meters on citizens. By way of ‘appointment to install a smart meter’, which you didn’t ask for, it’s almost impossible to stay clear of red tape. After several cancellations on my part and phone calls to energy provider Nuon, they simply continued to push forward. I still don’t have a smart meter and it will stay like that.
Once again Silicon Valley featured prominently in the news in 2018. Unelected dictatorial executives who are no less powerful than many a nation state, promote their utopias as trendy and modern among citizens. Self-driving cars take the autonomy and joy away from citizens (the number of accidents is very small considering the millions of cars on the road each day), while even children can tell that a hybrid approach is the only option. The implementation of smart speakers by these social media companies is downright spooky. By bringing smart toys onto the market, toy manufacturers equally respond to the needs that we all seem to have. We can all too readily guess what these developments will mean for our privacy. The manipulation of facts and images as well as distortion, will starkly increase.
Children & privacy
Children and youths represent the future and nothing of the above bodes well for them. Screen addiction is sharply on the rise and as children are being raised amidst propaganda and fake news, much more attention should go out to forming one’s own opinion and taking responsibility. Centralized pupil monitoring systems are introduced indifferently in the education system, information is exchanged with parents and not having interactive whiteboards and Ipads in the classroom has become unthinkable. The first thing children see every single day, is a screen with Google on it... Big Brother.
Dependence on the internet and social media results in impulsive behaviour among children, exposes them to the madness of the day and affects their historical awareness and ability to discern underlying links. The way of thinking at universities is becoming increasingly one-sided and undesirable views are marginalized. The causes of problems are not examined, books are not read though there is certainly no lack of opinions. It’s all about making your voice heard within the limits of self-censorship that’s in force in order to prevent becoming the odd one out in the group. The same pattern can be identified when it comes to forming opinions in politics, where discussing various issues based on facts seems no longer possible. Not to mention that the opinions of citizens are considered irrelevant by our politicians. Good quality education focused on forming opinions and on creating self-reflective minds instead of a robot-way of thinking, is essential for the development of a healthy democracy.
Are there any positive developments?
It's no easy task to identify any positive developments in the field of privacy. The fact is that the introduction of the GDPR and the corresponding option to impose fines has brought privacy more sharply into focus among companies and citizens than the revelations of Snowden have been able to do. The danger of the GDPR, however, is that it narrows down privacy to data protection and administrative red tape.
Another positive development is the growing number of (as of yet small) initiatives whereby companies and governments consider privacy protection as a business or PR opportunity. This is proved by the number of participants in the 2019 Dutch Privacy Awards. Recurring themes are means of anonymous communication (email, search engines, browsers), possible alternatives to social networks (messaging services like WhatsApp, Facebook, Instagram and Twitter) on the basis of subscriptions, blockchain technology and privacy by design projects by large organizations and companies.
Privacy First has teamed up with a few top quality pro bono attorneys who are prepared to represent us in court. However, judges are reluctant to go off the beaten track and come up with progressive rulings in cases such as those concerning number plate parking, average speed checks, Automatic Number Plate Recognition, the Tapping Law, etc. For years, Privacy First has been suffering from a lack of funding. Many of those who sympathize with us, find the topic of privacy a bit eerie. They support us morally but don’t dare to make a donation. After all, you draw attention to yourself when you’re concerned with issues such as privacy. That’s how bad things have become; fear and self-censorship... two bad counsellors! It’s high time for a government that seriously deals with privacy issues.
Constitutional reform should urgently be placed on the agenda
Privacy First is a great proponent of constitutional reform (see our 2017 New Year’s column about Shared Democracy), based on the principles of the democratic constitutional State and the European Convention on Human Rights (ECHR). Our democracy is only 150 years old and should be adapted to this current day and age. This means that the structure of the EU should be changed. Citizens should take on a central and active role. Government policies should focus on technological developments in order to reinforce democracy and formulate a response to the concentration of power of multinational companies.
Privacy First argues that the establishment of a Ministry of Technology has the highest priority in order to be able to stay up to date with the rapid developments in this field and produce adequate policies accordingly. It should live up to the standards of the ECHR and the Dutch Constitution and avoid becoming a victim of the increasing lobbying efforts in this sector. Moreover, it is time for a Minister of IT & Privacy who stays up to date on all developments and acts with sufficient powers and in accordance with the review of a Constitutional Court.
The protection of citizens’ privacy should be facilitated and there should be privacy-friendly alternatives for current services by technology companies. For 2019, Privacy First has a few tips for ordinary citizens:
- Watch out for and stay away from ‘smart’ initiatives on the basis of Big Data and profiling!
- Keep an eye on the ‘cash = criminal’ campaign. Make at least 50% of your payments anonymously in cash.
- Be cautious when communicating through Google, Apple, Facebook and Microsoft. Look for or develop new platforms based on Quantum AI encryption and use alternative browsers (TOR), networks (VPN) and search engines (Startpage).
- Be careful when it comes to medical data and physical integrity. Use your right for there to be no exchange of medical data as long as initiatives such as Whitebox are not used.
- Be aware of your right to stay anonymous, at home and in public space. Campaign against toll payment, microchips in number plates, ANPR and number plate parking.
- Be aware of your legal rights to bring lawsuits, for example against personalized waste disposal passes, camera surveillance, etc.
- Watch out for ‘smart’ meters, speakers, toys and other objects in the house connected to the internet. Purchase only privacy by design solutions with privacy enhanced technology!
The Netherlands and Europe as guiding nations in the field of privacy, with groundbreaking initiatives and solutions for apparent contradictions concerning privacy and security issues - that’s Privacy First's aim. There’s still a long way to go, however, and we’re being blown off course ever more. That’s due in part because a comprehensive vision on our society and a democracy 3.0 is lacking. So we continue to drift rudderless, ending up in the big manipulation machine of large companies one step at a time. We need many more yellow vests before things change. Privacy First would like to contribute to shaping and promoting a comprehensive, positive vision for the future. A future based on the principles that our society was built on and the need for greater freedom, with all the inevitable restrictions this entails. We will have to do it together. Please support Privacy First actively with a generous donation for your own freedom and that of your children in 2019!
To an open and free society! I wish everyone a lot of privacy in 2019 and beyond!
Bas Filippini, Privacy First chairman
A group of civil society organizations is bringing a case against the Dutch government because of System Risk Indication, better known by the abbreviation SyRI. According to the plaintiffs, this risk profiling system is a black box that should be stopped as it forms a risk to the democratic rule of law.
The coalition of plaintiffs consists of the Netherlands Committee of Jurists for Human Rights (NJCM), the Dutch Platform for the Protection of Civil Rights (Platform Bescherming Burgerrechten), Privacy First, the KDVP Foundation (privacy in mental healthcare) and the National Clients Council (LCR). Two well-known authors, Tommy Wieringa and Maxim Februari, have in their individual capacities joined the case as plaintiffs. As ‘ambassadors’ to this lawsuit, they have fiercely criticized SyRI on multiple occasions.
The proceedings are carried out by Deikwijs Attorneys under the guidance of the Public Interest Litigation Project (PILP) of the NJCM.
Trawl net actions on the basis of secret algorithms targeting innocent citizens
SyRI links together on a large scale personal data of innocent citizens from databases of public authorities and companies. With the use of secret algorithms, citizens are subsequently subjected to a risk analysis. When there is an increased risk of breaking one of the many laws that SyRI covers, individuals are included in the Risk Reports Register, which is accessible to many government agencies.
SyRI is a black box that poses a major threat to the democratic rule of law. Citizens who are being examined through SyRI without any justification, have absolutely no idea which of their data are being used for analyses, what kind of analyses are being carried out and what actually determines whether or not they are a ‘risk’. Because SyRI works surreptitiously, citizens are not in a position to refute any incorrect flagging that may concern them.
According to the coalition, SyRI is in breach of various fundamental rights while it simultaneously undermines the relationship of trust between citizens and those in power. Citizens are suspect from the very start and all of the information that they share with public authorities, may secretly be used against them without imputation or concrete ground.
Ministry refuses to operate in a transparent manner
Despite fundamental objections from the Dutch Council of State (Raad van State) and the Dutch Data Protection Authority about the lawfulness of the system, at the end of 2014 the legislation for SyRI was rubber-stamped by the Dutch Senate and the House of Representatives. However, SyRI has been in use ever since 2008 already. Since then, dozens of investigations have been carried out and this included examining entire neighborhoods in several Dutch cities. Once the system was specified in law, it has been applied in Eindhoven and Capelle aan den IJssel among other places. It was recently announced that SyRI will be used in the Rotterdam neighborhoods of Bloemhof en Hillesluis and in the Haarlem neighborhood of Schalkwijk.
A FOIA request submitted by the coalition has resulted in barely any information concerning the dozens of SyRI investigations that have been carried out prior to and after the system had been laid down in law in 2014. The Dutch Ministry of Social Affairs is unwilling to provide insight into its practices arguing that, by disclosing the data and risk models that are used in SyRI, cunning citizens would become aware what to look out for when they commit fraud. The claimants, in their turn, assert that this is not in line with the obligation to inform and the right to a fair trial.
In the context of this lawsuit, a public information campaign called ‘Bij Voorbaat Verdacht’ (‘Suspect From The Very Start’) has been launched. On the (Dutch) campaign website you can find updates about the legal proceedings as well as a simplified summary of the subpoena. The complete subpoena (in Dutch) can be found on the website of Deikwijs Attorneys (pdf). Click HERE for the English version on the website of PILP (pdf).
Update 16 October 2018: the District Court of The Hague has allowed the Dutch Federation of Trade Unions (FNV) as co-plaintiff in the lawsuit.
Below, in alphabetical order, are Privacy First’s main objections against the new Dutch Intelligence and Security Services Act (Wiv2017, or ‘Tapping law’):
A. Authority to hack
Under the new law, the Dutch intelligence services will be able to hack a target through innocent third parties. By hacking a third party (for example an aunt, a sister, a friend, a husband, a grandfather, a colleague, a neighbour, a public authority, a company, etc.), information can be obtained about the target. In other words, any devices of innocent citizens may be hacked by the intelligence services. Citizens will never be notified about this, as there is no duty to inform.
C. Chilling effect
The new law may result in people behaving differently (either consciously or not) than they would do in a free environment. This can have a negative effect on the exercise of their fundamental rights other than the right to privacy, for instance on the right to freedom of expression and the right to freedom of association, assembly and demonstration.
Under both the current as well as the new law, Dutch secret agents are authorized to commit criminal offences. However, up until now, the exact scope of this power has been unknown. Under the current law, this power could be further regulated through a (never introduced) General Administrative Order. A number of years ago, the Dessens Commission recommended introducing such a General Administrative Order after all. In the new Tapping law however, the foundation for this General Administrative Order has been scrapped, leaving behind a legal vacuum.
The new law enables automatic access to databases in both the entire private and public sector. This allows intelligence services direct access to various sensitive databases of companies, public authorities and other organizations, either through informants and agents (infiltrators), or through secret agreements.
The power to conduct ‘research-oriented interception’, popularly known as the ‘trawl net method’ or the ‘the dragnet-surveillance power’, allows intelligence and security agencies (secret services) to tap the internet traffic of large groups of people simultaneously. They may tap a particular municipality, neighbourhood, local community or street, in case one of their targets happens to live there. This entails monitoring the communications of innocent citizens by means of a digital dragnet. Privacy First believes that the data of innocent citizens do not belong in the hands of intelligence services. Apart from that, the collection of huge amounts of data makes the intelligence services less effective.
Under the new law, encrypted data in the possession of companies, public authorities and individuals (for example communications data) must be decrypted on the request of secret services. Refusing to comply with a decryption order will be punished with a maximum of two years’ imprisonment.
Under the Tapping law, the intelligence and security services will have their own DNA database. They may collect DNA of targets and non-targets (innocent citizens). In order to collect DNA, they are allowed to grant themselves access to confined places, such as offices or residences. Dutch magazine Groene Amsterdammer has recently written an extensive article about the DNA Collection Service.
E. European Convention on Human Rights (ECHR)
The right to privacy is a human right: this right is protected by article 8 of the ECHR. Privacy First is of the opinion that the new Tapping law violates the right to privacy. We are ready to start interim injunction proceedings (lawsuit) against the Dutch government in case the Tapping law comes into force. This would enable a judge to scrutinize the new Act and possibly render it (partly) inoperative on account of violation of article 8 ECHR.
Exchange of data
The data of innocent citizens and journalists that are collected through the use of internet dragnet surveillance can be shared with foreign intelligence agencies before first being evaluated by the Dutch agencies.
F. Fake news from the Dutch government
According to the Dutch Minister of the Interior Kajsa Ollongren, it’s not necessary that the government puts neutral information about the Tapping law referendum on its website rijksoverheid.nl. This means that the Dutch government does not provide objective information to voters.
The law gives too much power to intelligence and security services and too little privacy guarantees to citizens. After the Tapping law referendum, the law will have to go back to the legal drawing board, where proper privacy guarantees should be added and the exercise of powers be reviewed.
H. Human rights
Privacy is a human right. The right to protection of one’s private life applies to everyone and is being guaranteed by numerous international and European treaties. The Tapping law will massively violate this right, considering the fact that it allows for the collection, storage and international exchange of data of large groups of innocent citizens.
Hyping the terror threat
Proponents of the Tapping law have often put forward the argument that it will prevent terror attacks, as was shown by Dutch television show Zondag met Lubach. However, other countries have already shown that working in a focused, targeted way is much more effective. Opponents of the Tapping law agree that the current law needs to be updated, but they demand that the law be modified and improved in crucial aspects.
I. I’ve got nothing to hide
Everyone is entitled to having a private life. That’s why the data of innocent citizens do not belong to intelligence and security agencies. It’s important for these data, which include medical information, personal conversations, private emails, work-related emails, news stories, hobbies, interests and internet search results, to be protected properly. You may have ‘nothing’ to hide, but other citizens, like medical professionals, attorneys, activists, whistle-blowers and journalists certainly do.
Interception of cable-bound data
It is falsely being argued that the intelligence and security services are currently allowed to intercept data over the ether (non cable-bound) only and not any cable-bound data. Under current legislation, they may intercept cable-bound data when the target concerns, for example, a particular individual. Under the new law, secret services will be authorized to intercept cable-bound data on a large scale and without specific targets (the dragnet method).
Internet of Things
An ever increasing number of devices are connected to the internet. All these devices can be tapped and hacked under the new Tapping law. Think of a car, a camera, microphone, printer and perhaps even a pacemaker. After all, the Tapping law doesn’t exclude this possibility.
The communications of journalists may be intercepted under the new Tapping law by means of dragnet surveillance, among other ways. Secret services may acquire knowledge about this confidential information. This constitutes a threat to the freedom of the press and the journalistic right to non-disclosure of sources. Only retrospectively will secret services delete information that turns out not to be useful for any investigation.
In most cases, a judicial verification of the exercise of powers is lacking. As explained under ‘Review Board for the Use of Powers’(TIB), the new Review Board lacks the investigatory powers for effective and independent monitoring.
In his tv programme Zondag met Lubach, comedian and television presenter Arjen Lubach has looked into the Tapping law three times, explaining why it’s good to be critical about it. You can watch the videos (in Dutch) here: Tapping law 1, Tapping law 2 and Tapping law 3.
M. Medical confidentiality
Under the new law, the medical confidentiality of patients and the medical secrecy of doctors cannot be guaranteed: secret services can make a request to anyone, including doctors and hospitals, to hand over relevant data and to grant access to their data system (Electronic Health Record). They can also hack into such systems. This can lead to the evasion of health care among patients, which could endanger national health.
N. Notification obligation
Under the new law, the notification obligation is insufficient. Five years after exercising a certain power, the person concerned should, in principle, be notified about this. This, however, applies to only a few of the newly introduced powers. Privacy First thinks the notification obligation should apply to the exercise of all powers.
O. Other countries
Under the new Tapping law, data that have been collected may be shared with other countries without being evaluated first. This means that Dutch intelligence services can share unseen and unselected data (of innocent citizens) with foreign secret services. Once the data have been shared, Dutch intelligence services won’t be able to monitor the use of these data anymore.
P. Presumption of innocence
With the introduction of the new law, the presumption of innocence gets inverted. The dragnet-surveillance makes every single citizen a potential suspect, without any concrete ground to monitor someone in particular. Moreover, large-scale data collection increases the chance of false positives.
Q. Quest for data
The Dutch government has developed an enormous thirst for data. Whereas neighbouring countries go back to a target-centric approach, the Netherlands embraces Big Data. This leads to an ever growing haystack in which finding the needle will become increasingly difficult. More data is no equivalent to more security.
R. Review Board for the Use of Powers (TIB)
Independent supervision in all phases of the exercise of powers by secret services (before, during and afterwards) is insufficiently guaranteed. Since intelligence services operate secretly, citizens against whom such powers are exercised cannot object to this themselves. That’s why the exercise of powers is to be reviewed independently. The new Review Board for the Use of Powers (Toetsingscommissie Inzet Bevoegdheden) reviews beforehand whether the minister has rightfully given approval for the exercise of a relatively far-reaching (‘special’) power under the new law. This review is substantiated by less guarantees than the review by a judge. Furthermore, the Review Board doesn’t have any investigative powers of its own and is completely dependent on the information it’s provided with by others. Various authorities, such as the Dutch Data Protection Authority, have warned that the Review Board shouldn’t become a 'rubber stamping machine'.
Review Committee on the Intelligence and Security Services (CTIVD)
The judgments of the Review Committee on the Intelligence and Security Services, which retrospectively reviews whether or not powers have been applied lawfully, are not binding. The Minister of the Interior may not take the findings and recommendations into account and continue to unlawfully use powers.
Privacy and security are unduly placed on opposite sides of the balance. In a free and democratic society, privacy and security go hand in hand. It’s possible to draft an Intelligence and Security Services Act that has good privacy safeguards under which information of innocent citizens doesn't end up in the hands of intelligence agencies.
Unevaluated data that have been collected through ‘dragnet surveillance, may be stored for three years. These data may also be shared with other countries, even without first being evaluated. Data that the intelligence and security agencies deem relevant may be kept for as long as they are regarded as such.
Z. Zero days
The intelligence and security services have the power to make use of unknown software vulnerabilities, so called zero-days. Such vulnerabilities are known to them, but not to the creator or manufacturer of the software. They don’t have to notify the manufacturer about it. This allows malicious parties to exploit vulnerabilities, even over longer time periods. It also creates a black market, where such vulnerabilities and data breaches are traded.
This list is not exhaustive and can be supplemented at all times.