"Recently, the Court of Appeal of The Hague held that the storage of Dutch citizens' personal data in a central register is an unjustified violation of the right to privacy.
In light of, amongst other things, the implementation of the European regulation on standards for security features and biometrics in passports and travel documents, and to comply with this regulation, the Dutch Passport Act was amended in 2009. This new Passport Act states that future passports would have to contain a chip with a digital facial image and two fingerprints of each applicant. The Dutch government therefore planned to create a central register to hold the facial image files and four fingerprints of each applicant (two of which are included in the passport for identity verification). This new register would also serve other purposes: it would help passport fraud control, and it would allow applicants to renew their passport in any municipality in the Netherlands. The national government acknowledged that the request and saving of these personal data would form a violation of the right to privacy of Dutch citizens, but the government stated that the data storage was proportionate and justified, considering the intended purposes.
The interest group Privacy First disagreed with the government. This group, which seeks to publicly promote the enhancement and preservation of the right to privacy, believed that the creation of this central register violates this fundamental right enshrined in several international laws and regulations. The group launched legal proceedings against the Dutch government. The district court of The Hague ruled that Privacy First did not have a cause of action. Privacy First then appealed against this verdict.
Remarkably, the government meanwhile reviewed their amendments to the new Passport Act. The government concluded that the storage of these personal data in a central register did not achieve its purpose, namely passport fraud control via one's identity verification. Therefore, the Act's provisions that related to the storage of personal data in a central register would be suspended. Furthermore, the number of fingerprints to be taken for the filing would be reduced from four to two in accordance with European regulation.
On appeal, the Court of Appeal ruled that since Privacy First and the government now share the same views about the central register, Privacy First would have lost its standing in their cause of actions, so it dismissed the interest group's claims. However, the Court of Appeal found that the district court had erred when it held that Privacy First did not have a cause of action at the time. Since Privacy First is an interest group advocating the protection of the general interest of Dutch nationals' right to privacy, it should have been able to bring proceedings before the civil court according to Article 3:305 of the Dutch Civil Code (Burgerlijk Wetboek). This would only have been different if the interest group had represented the combined interest of individuals. The Court of Appeal further ruled that Privacy First incurred a financial risk.
The Court of Appeal also ruled that in view of all the circumstances of the case at first instance, the district court should have ruled in favour of Privacy First concerning their arguments against the setting up of a central register. This central register's storage of Dutch citizens' personal data is an unjustified violation of one's right to privacy enshrined in Article 8 ECHR because it did not fulfill its purpose. The Court of Appeal understands that this was a violation from the start, but this had only become evident after the first ruling."
Source: http://www.lexology.com/library/detail.aspx?g=27bf8f03-ada9-47d4-ac7f-4e4aece29cd3, 15 July 2014.
Today the district court of The Hague ruled in the case Citizens v. [Dutch Minister of Home Affairs] Plasterk ("Burgers tegen Plasterk"). In this lawsuit a coalition of citizens and organizations (including Privacy First) demands the Dutch General Intelligence and Security Service (AIVD) and the Dutch Military Intelligence and Security Service (MIVD) to put an end to the receipt and use (''laundering'') of illegally collected foreign intelligence on Dutch citizens, for example through the infamous PRISM program of the American NSA. Unfortunately the court has rejected all of the claims. Below are some first observations by Privacy First.
A positive aspect of the judgment is that the court deems all plaintiffs (citizens and organizations) admissible. This is a very welcome development for Privacy First with regard to our current Passport Trial before the Supreme Court of the Netherlands, wherein such admissibility will be crucial. However, this bright spot is overshadowed by the way the district court of The Hague has dealt with the merits of the case.
First of all, the court failed to carry out a fact-finding study: in fact no witnesses and experts were heard at all, even though this was offered to the court on forehand and Dutch law offers sufficient opportunity for this.
Furthermore, it is striking that the court deems less strict procedural safeguards necessary when it comes to the exchange of massive amounts of raw data in bulk. For the exchange of information on such a large scale, stricter – not less strict – procedural safeguards are necessary, as most of these data relate to innocent citizens.
In addition, the court wrongfully makes a distinction between metadata (traffic data) and the content of communications, while both types of data overlap and require the same high level of judicial protection.
The court is also wide off the mark by judging that the legal requirement of foreseeability (including privacy guarantees) of Article 8 of the European Convention on Human Rights (ECHR) would be less applicable to the international exchange of data between secret services. As yet, in the Netherlands the legal basis of such exchange of data is formed by a relatively obscure legal provision: Article 59 of the Dutch Intelligence and Security Services Act (Wiv). This article is far from fulfilling the modern requirements that article 8 ECHR imposes on such provisions. Therefore, the current practice of exchange between the AIVD/MIVD and foreign secret services in essence takes place within a legal vacuum, a legal black hole.
In the view of Privacy First, the current judgment of the Hague court comes down to the ''legal laundering'' of this practice. Privacy First expects that higher courts will deem this situation to be a violation of Article 8 ECHR and is looking forward to the appeal before the Hague Court of Appeals with confidence.
"The Court of Justice in the Hague has ruled that fingerprints gathered from individuals getting a new passport can't be held centrally and used in criminal investigations.
Dutch authorities have been prevented from storing citizens' fingerprints in a central database following a ruling this week by the Court of Justice in the Hague.
In the Netherlands, individuals' fingerprints are gathered by the local municipality when they apply for a new passport. The government had proposed gathering those different sets of fingerprints into a central database, which could then be accessed by police for the purposes of matching fingerprints found in criminal investigations.
However, the system turned out to be far from perfect — 21 percent of fingerprints collected by the authorities in the Netherlands were unusable to identify individuals.
The court found such a high level unacceptable: "This can mean nothing other than the storage of fingerprints in a central register is not suitable for the purpose originally envisioned, that is, the determination and verification of one's identity.
"This means that it is also not suitable for the prevention of identity fraud or for the process of requesting a new travel document or using a travel document, which is one of the main purposes of the Act [the legislation which requires fingerprints in Dutch passports]. Therefore the conclusion is that the invasion of privacy formed by the central storage of fingerprints is unjustified."
No immediate effect
Although the ruling is a significant victory for Privacy First, the privacy group that brought the case before the Court of Justice, it won't have immediate consequences for the Dutch government.
The European Court of Justice had already ruled in October last year that the directive requiring European member states to include two fingerprints in their passports did not provide a legal basis for then also including all citizens' prints in a central repository.
In addition, the court stipulated that fingerprints given by individuals for such purposes could not to be used for criminal investigations.
However, according to Christiaan Alberdingk Thijm, the lawyer representing Privacy First, the ruling will have a bearing on any future government attempts to collect sensitive data, such as photos.
"This is not only good news for those opposing plans of a central fingerprint database, but for those opposing any central government owned database," he said."
Source: http://www.zdnet.com/no-you-cant-store-peoples-fingerprints-in-a-central-database-dutch-court-rules-7000026505/, 19 February 2014.
In a groundbreaking judgment, the Hague Court of Appeal has today decided that centralised storage of fingerprints under the Dutch Passport Act is unlawful. The Privacy First Foundation and 19 co-plaintiffs (Dutch citizens) had put forward this legal issue to the Court of Appeal in a so-called 'action of general interest' ("algemeen-belangactie"). In February 2011, the district court of The Hague had declared Privacy First inadmissible. Because of this, the district court couldn't address the merits of the case. The Court of Appeal has now declared Privacy First to be admissible after all and has quashed the judgment of the district court. Moreover, the Appeals Court deems centralised storage of fingerprints under the Dutch Passport Act to be unlawful since it violates the right to privacy. Therefore it seems that centralised storage of fingerprints under the Dutch Passport Act will be shelved once and for all.
In May 2010, Privacy First et al. took the Dutch government (Ministry of Home Affairs) to court on account of the centralised storage of fingerprints under the new Dutch Passport Act. Such storage had mainly been intended to prevent small-scale identity fraud with Dutch passports (look-alike fraud).
Partly due to the pressure exerted by this lawsuit of Privacy First, central storage of fingerprints was brought to a halt in the Summer of 2011. The judgment by the Hague Court of Appeal has now made any future centralised storage of fingerprints legally impossible: the Court deems centralised storage of fingerprints an "inappropriate means" to prevent identity fraud with travel documents. According to the Court "this cannot but lead to the conclusion that the infringement upon the right to privacy caused by centralised storage of fingerprints is not justified. In that regard the district court should have awarded the claim of Privacy First." (Para. 4.4.)
This is a great victory for Privacy First and for all the citizens who have stood up against centralised storage of fingerprints under the Dutch Passport Act in recent years. The judgment by the Court also paves the way for Privacy First (and other civil society organizations) to continue to initiate lawsuits in the general interest for the preservation and promotion of the right to privacy, for example the new lawsuit by Privacy First et al. against the Dutch government on account of illegal data espionage (NSA case). Recently the Dutch State Attorney deemed Privacy First to be admissible in this case too. These developments are a great impetus for Privacy First to continue to take legal steps in the coming years for the sake of everyone's right to privacy.
Read the entire judgment by the Hague Court of Appeal HERE (pdf in Dutch; for a text-version on the website of the Netherlands Judiciary, click HERE).
Click HERE for the press release by our attorneys of Bureau Brandeis.
Update 21 May 2014: the Dutch government appears to be a sore loser: earlier this week the State Attorney has lodged an appeal (in Dutch: 'cassatie') against the ruling of the Hague Court of Appeal at the Supreme Court of the Netherlands; click HERE (pdf in Dutch) for the appeal summons. The Dutch government wants Privacy First to be declared inadmissible after all and calls on the Supreme Court to still declare central storage of fingerprints lawful. This must not happen. Privacy First is considering its options in its own defence.
Update 21 November 2014: today Privacy First et al. have submitted to the Supreme Court their statement of defence against the appeal summons; click HERE for the document (pdf in Dutch). In the appeal, Privacy First et al. are being represented by Alt Kam Boer Attorneys in The Hague; this law-office is specialised in Supreme Court litigation. On behalf of the Dutch government (Ministry of Home Affairs) the State Attorney has today submitted a written explanation to the previous appeal summons; click HERE (pdf in Dutch). The next steps could consist of a written reply and rejoinder, followed by advice (''conclusion'') from the Procurator General at the Supreme Court (to which Privacy First et al. would be able to respond) and a judgment by the Supreme Court midway through 2015.
Update 5 December 2014: today Privacy First et al. have delivered an early Christmas present to the Dutch Minister of Home Affairs: our written reply (rejoinder) to the recent explanation of the Ministry of Home Affairs to the previous appeal summons. Click HERE for the document (pdf in Dutch). The Dutch government, in turn, submitted a short reply to the recent statement of defence by Privacy First et al.; click HERE (pdf in Dutch). On 9 January 2015 the Supreme Court will set a date on which the Procurator General will issue his advice.
Update 12 January 2015: the Procurator General at the Supreme Court will issue his advice ("conclusion") on 10 April 2015.
Update 12 March 2015: Much earlier than expected, Advocate General Mr. Jaap Spier delivered his advice (''conclusion'') in the case to the Supreme Court on 20 February 2015; click HERE (pdf in Dutch, 7 MB). Its conservative contents and tone are notable aspects of his advice. Furthermore, the Advocate General wrongfully assumes that the contested provisions of the Dutch Passport Act had never become legislation. While he upholds Privacy First's admissibility, he does so on the wrong legal grounds. Moreover, the Advocate General does not touch on the substance of the privacy issues at all, is incorrect in his view that proceedings could have taken place before an administrative judge and, erroneously, wants Privacy First et al. to still pay for the legal costs of the proceedings. In response to the advice of the Advocate General, within the formal term of two weeks Privacy First submitted a response letter ("Borgers brief") to the Supreme Court; click HERE (pdf in Dutch). No such letter has been submitted by the Dutch State Attorney. Therefore, Privacy First has had the final say in this case. We will now have to wait for the Supreme Court ruling, which is expected later this year.
"A coalition of lawyers, journalists and internet freedom activists launched legal action against the Dutch government, in an attempt to get it to stop using information about Dutch people gleaned from NSA surveillance.
After it recently emerged that information about 1.8 million Dutch people's calls had been purloined by the National Security Agency, the country's home affairs minister, Ronald Plasterk, expressed annoyance that the U.S. agency hadn't asked first. However, he said, the monitoring "only concerns metadata, like who called who."
Dutch lawyers and journalists aren't so quite so sanguine about the matter, largely because their professions require confidentiality – something you can't guarantee clients and sources when you're potentially being monitored. On Wednesday, the Dutch Association of Defense Counsels and the Dutch Association of Journalists joined a broad coalition in suing Plasterk and the country's government, demanding that the state stop using data recorded in the Netherlands by the NSA.
The coalition also includes internet freedom activist Rop Gonggrijp, security expert Jeroen van Beek, advocate Bart Nooitgedagt, investigative journalist Brenno de Winter and tech law expert Mathieu Paapst, as well as the Internet Society Netherlands Chapter and Privacy First Foundation.
At the heart of the complaint is a potential legal sleight-of-hand that many (including me) have long suspected is in play – namely that intelligence agencies are bypassing their own countries' privacy laws by getting allies to spy on their citizens for them.
Daphne van der Kroft, public policy advisor at the coalition's law firm, Bureau Brandeis (yes, named after the legendary American jurist), suggested Plasterk and the Dutch state were "whitewashing" data.
This is not the first such case to arise in Europe following Edward Snowden's NSA revelations. The activist group Privacy International has attempted to sue the British government over data-sharing between the NSA and its UK counterpart, GCHQ. However, it had to approach a secret court to do this, and it got no response.
It is now trying a different angle, complaining to the OECD about the collaboration of telecommunications firms with the NSA. A separate group, Privacy not Prism, has skipped the secret court bit and gone straight to the European Court of Human Rights. (...)"
Source: http://gigaom.com/2013/11/06/dutch-lawyers-and-journalists-sue-government-over-nsa-links/, 6 November 2013.
"Gestern hat ein Bündnis aus niederländischen Aktivisten und NGOs Klage gegen ihren Innenminister Ronald Plasterk eingereicht – darunter unter anderem der Journalist Brenno de Winter, der Hacker und ehemalige Wikileaks-Mitarbeiter Rop Gonggrijp der niederländische Strafverteidiger- und Journalistenverband, die Privacy First Foundation und der niederländische Zweig des ISOC. Das Bündnis nennt sich selbst “The Dutch against Plasterk” und kritisiert vor allem die scheinheilige öffentliche Verurteilung der NSA-Spionagetätigkeiten, während im Hintergrund Geheimdienstinformationen ausgetauscht werden.
Die Kläger werden durch die Anwaltskanzlei bureau Brandeis vertreten, die erst im August diesen Jahres gegründet wurde und die sich besonders mit der juristischen Vertretung von gesellschaftlich relevanten Fällen aus den Bereichen Copyright, Datenschutz und Medienrecht befasst. Einer der Gründer, Christiaan Alberdingk Thijm, wurde als Verteidiger der File-Sharing-Anwendung KaZaA bekannt."
Source: http://netzpolitik.org/2013/niederlaender-verklagen-ihre-regierung-wegen-nsa-kooperation/, 7 November 2013.
"A coalition of Dutch citizens and organizations initiated legal proceedings against the Dutch State, represented by Minister of Interior Affairs Ronald Plasterk on Wednesday, demanding Dutch intelligent services to stop using NSA data.The subpoena was filed by a coalition of citizens and organizations, among which the Dutch Association of Defense Counsels, the Dutch Association of Journalists, the Internet Society Netherlands Chapter and Privacy First Foundation.
They question the legality of the exchange of data between the Dutch intelligence service (AIVD) and the United States National Security Agency (NSA), and demand that the Dutch State stops using data that has not been obtained in accordance with Dutch law.
Last week Minister Plasterk confirmed the monitoring of mail and phone traffic in the Netherlands by the NSA. He also acknowledged that the Dutch Intelligence Agency had supplied information to the NSA and vice versa, but condemned the interception of phone calls and mails without permission.
"Plasterk has indeed condemned the NSA eavesdropping and spying without permission, but at the same time he is exchanging data with the NSA," told lawyer Christiaan Alberdingk Thijm, who represents the coalition of citizens and organizations, to Xinhua. "So based on the exchange of information regime the AIVD will eventually get the illegally obtained data."
"By using data that has been illegally acquired through the NSA, these data are sort of laundered by Plasterk and his secret services," Alberdingk Thijm added. "This case should put an end to that unlawful conduct. Our goal is that the Netherlands will act according to Dutch law. We cannot do much on what the Americans are doing here, but we can ensure that the Netherlands complies with the law. Furthermore we want citizens to be informed when their data was illegally obtained and used."
Alberdingk Thijm thinks their case could be followed in other European countries. "We based our case on European jurisdiction, so the case could simply be copied in other countries. However, they should sue their own state," he said.
Minister Plasterk was informed by the subpoena on Wednesday and he will, according to the administrative rules, have to appear in court on November 27. After that he will have six weeks, until January 8, to file a response."
Source: http://www.shanghaidaily.com/article/article_xinhua.aspx?id=178503, 7 November 2013.
"A coalition of defense lawyers, privacy advocates, and journalists has sued the Dutch government over its collaboration and exchange of data with the U.S. National Security Agency and other foreign intelligence services.
The coalition is seeking a court order to stop Dutch intelligence services AIVD and MIVD from using data received from foreign agencies like the NSA that was not obtained in accordance with European and Dutch law. It also wants the government to inform Dutch citizens whose data was obtained in this manner.
The legal proceedings were initiated in the Hague district court by the Dutch Association of Defense Counsels, the Dutch Association of Journalists, the Internet Society Netherlands Chapter, the Privacy First Foundation and five private citizens.
The coalition wants to close a loophole through which the Dutch intelligence services can obtain data on Dutch citizens from foreign intelligence partners that it wouldn't have been able to acquire through legal means in the country.
The coalition's lawyers argue that mass data-collection programs like those of the NSA and the U.K. Government Communications Headquarters (GCHQ) violate human rights guaranteed by international and European treaties including the European Convention on Human Rights, the International Covenant on Civil and Political Rights and the Charter of Fundamental Rights of the European Union.
As such, it was illegal in many countries, particularly in the European Union, to obtain data through those programs.
Civil society organizations and citizens in other European countries can and should launch similar legal actions, said Christiaan Alberdingk Thijm, a founding partner of Bureau Brandeis, the law firm that represents the Dutch coalition in this case."
Source: http://www.pcworld.com/article/2061581/dutch-civil-society-groups-sue-government-over-nsa-data-sharing.html, 6 November 2013.
"In Nederland heeft een groep burgers en organisaties een rechtszaak ingespannen tegen minister van Binnenlandse Zaken Roland Plasterk. De groep 'Burgers tegen Plasterk' eist dat de Nederlandse overheid geen informatie gebruikt die het via de Amerikaanse NSA heeft verkregen.
Burgers tegen Plasterk wil dat minister Plasterk verantwoording aflegt over het beleid van de Nederlandse overheid inzake het gebruik van NSA-gegevens. De geteisterde Amerikaanse inlichtingendienst zou illegaal informatie verzamelen over Nederlandse burgers, en die vervolgens doorspelen aan zijn Nederlandse tegenhanger AIVD.
Het initiatief komt onder meer van hacker Rop Gonggrijp en ICT-journalist Brenno De Winter. Ook de Nederlandse Vereniging voor Strafrechtadvocaten en de Nederlandse Vereniging voor Journalisten hebben zich aangesloten bij de rechtszaak, net als de Internet Society Nederland en de Stichting Privacy First.
De advocaat van de groep, Christaan Alberdingk Thijm, [stelt] dat Plasterk en de inlichtingendienst (...) illegaal verkregen data witwassen. 'Deze zaak moet daar een einde aan maken', aldus Alberdingk Thijm.
Minister Plasterk, die eerder al de Nederlandse inlichtingendienst verdedigde, is er van overtuigd dat de AIVD niets verkeerds doen en zich aan het wettelijk kader houdt. (...)"
Source: http://www.standaard.be/cnt/dmf20131106_00826456, 6 November 2013.
By now basically everyone is aware of the far-reaching eavesdropping practices by the American National Security Agency (NSA). For years the NSA has been secretly eavesdropping on millions of people around the world, varying from ordinary citizens to journalists, politicians, attorneys, judges, scientists, CEOs, diplomats and even presidents and heads of State. In doing so, the NSA has completely ignored the territorial borders and laws of other countries, as we have learned from the revelations by Edward Snowden in the PRISM scandal. Instead of calling the Americans to order, secret services in other countries appear to be all too eager to make use of the intelligence that the NSA has unlawfully obtained. In this way national, European and international legislation that should safeguard citizens against such practices is being violated in two ways: on the one hand by foreign secret services such as the NSA that collect intelligence unlawfully, and on the other hand by secret services in other countries that subsequently use this intelligence. This constitutes an immediate threat to everyone’s privacy and to the proper functioning of every democratic constitutional State. This is also the case in the Netherlands, where neither the national Parliament nor the responsible minister (Mr. Ronald Plasterk, Home Affairs) has so far taken appropriate action. This situation cannot continue any longer. Therefore a national coalition of Dutch citizens and organizations (including the Privacy First Foundation) has today decided to take the Dutch government to court and demand that the inflow and use of illegal foreign intelligence on Dutch soil is instantly brought to a halt. Furthermore, the coalition demands that the Dutch government notifies all citizens whose personal data have been illegally obtained. These data must also be deleted.
These legal proceedings by the Privacy First Foundation primarily serve the general interest and aim to restore the right to privacy of every citizen in the Netherlands. The lawsuit is conducted by bureau Brandeis; this law firm also represents Privacy First and 19 co-plaintiffs (Dutch citizens) in our Passport Trial against the Dutch government. Privacy First is confident it will soon have positive outcomes in both of these cases.
Click HERE to read the subpoena as it was presented to minister Plasterk today. (Dutch only)
Apart from Privacy First, the coalition of plaintiff parties consists of the following organizations and citizens:
- The Dutch Association of Defence Counsel (Nederlandse Vereniging van Strafrechtadvocaten, NVSA)
- The Dutch Association of Journalists (Nederlandse Vereniging van Journalisten, NVJ)
- The Dutch chapter of the Internet Society (ISOC.nl)
- Jeroen van Beek
- Rop Gonggrijp
- Bart Nooitgedagt (represented by the NVSA)
- Matthieu Paapst (represented by ISOC.nl)
- Brenno de Winter (represented by the NVJ).
Update 5 February 2014: today the Dutch government (Ministries of Home Affairs and Defence) has responded to the subpoena in a comprehensive statement of defence; click HERE for the entire document (pdf; MIRROR) and HERE for the press release by our attorneys of bureau Brandeis (in Dutch). It is remarkable that the State Attorney only deems the Privacy First Foundation admissible (see p. 31). This means that Privacy First is only one step away from standing before the judges of the district court of The Hague. This development is also of great importance for our Passport Trial, in which that same court at an earlier stage deemed Privacy First et al. inadmissible. The Hague Court of Appeal is currently looking into this legal issue once more. In the point of view of Privacy First, the court should declare all plaintiffs (citizens and organizations) admissible in both the court case concerning the NSA as well as our lawsuit regarding the Dutch biometric passport.