At the end of this summer our colleagues from Bits of Freedom will once again be organizing the annual Big Brother Awards. Below are our nominations for the biggest Dutch privacy violations of the past year:
- Automatic Number Plate Recognition plans from Minister Opstelten
If it’s up to the Dutch Minister of Security and Justice, Ivo Opstelten, the travels of every motorist in the Netherlands will soon be stored in a police database for four weeks through automatic number plate recognition (ANPR) for criminal investigation and prosecution purposes. This means that, in the view of Mr. Opstelten, every motorist is a potential criminal. Privacy First deems this proposal absolutely disproportional and therefore in breach of the right to privacy as stipulated under Article 8 of the European Convention on Human Rights. In case Dutch Parliament accepts this legislative proposal, Privacy First will summon the Dutch State on account of unlawful legislation in violation of the right to privacy; see http://www.privacyfirst.eu/focus-areas/cctv/item/580-every-motorist-becomes-potential-suspect.html.
- Proposal for hacking scheme from Minister Opstelten
A second miserable plan from Minister Ivo Opstelten is to authorize the Dutch police force to hack into your computer and to oblige citizens to decrypt their encrypted files for the police. In the view of Privacy First this plan, too, is entirely in breach of the right to privacy, since it’s unnecessary and disproportional. Moreover, the proposal contravenes the ban on self-incrimination (nemo tenetur). The proposal will lay the basis for future abuse of power and forms a typical building block for a police State instead of a democratic constitutional State. For our main objections, see http://www.privacyfirst.eu/focus-areas/law-and-politics/item/599-privacy-first-objections-against-opstelten-hacking-scheme.html.
- License plate parking
As of late, in an ever greater number of Dutch cities (among which Amsterdam) license plate parking is becoming compulsory. Privacy First stands up for the classical right of citizens to travel freely and anonymously in their own country. The right to park anonymously is a part of this. License plate parking clearly disregards these rights. Moreover, it leads to function creep in breach of the right to privacy. The prime example here is the already proven abuse of parking information of lease drivers by the Dutch tax authorities; see http://www.nrc.nl/nieuws/2013/07/29/privacywaakhond-het-servicehuis-parkeren-overtreedt-de-wet/ (in Dutch).
- Highway section controls
Section speed checks on Dutch highways mean that the journeys of motorists are continuously being monitored. This forms a massive infringement of the right to privacy. Such an infringement requires a specific legal basis with guarantees against abuse. Moreover, function creep is just around the corner; this already becomes obvious from the current plans of Dutch Minister Opstelten to soon use all highway speed cameras for automatic number plate recognition (ANPR) for investigation and prosecution purposes of a whole range of criminal offences as well as the collection of outstanding fines, tax debts, etc.
Besides the ‘usual’ cameras in neighbourhoods, shops, stations, above highways etc., citizens are increasingly – and almost unnoticed – being spied upon by flying cameras: so-called drones. The government does this (mainly the police) and so do private parties, yet without any sufficient legislation. Because of this the privacy risks and the likelihood of an accident are enormous. Privacy First therefore pleads for a moratorium on the use of drones until proper national legislation is put in place. Furthermore, drones should only be allowed to be used by the government in exceptional cases, for instance in disaster situations or for the investigation of suspects of very serious crimes, and only in case no other adequate means can be deployed. For private parties a license system is to be introduced with strict supervision and enforcement. Moreover, every drone is to be equipped with a transponder that is publicly cognizable.
- Police Taser weapons
In September 2012 it became known that Dutch Minister Opstelten was planning to equip the entire Dutch police force with Taser weapons. In the view of Privacy First, the use of Taser weapons can easily lead to violations of the international ban on torture and the related right to physical integrity (which is part of the right to privacy). Taser weapons lower the threshold for police violence and hardly leave behind any external scars. At the same time they can inflict serious physical damage and mental harm. In conjunction with the current lack of firearms training for Dutch police officers, this produces serious risks for the Dutch population. In May 2013 the Dutch government had to justify itself over Opstelten’s plans in front of the UN Committee against Torture in Geneva; see http://www.privacyfirst.eu/focus-areas/law-and-politics/item/595-dutch-taser-weapons-on-agenda-of-un-committee-against-torture.html. Nevertheless, for the moment Opstelten’s intentions seem to be unchanged...
- Electronic Health Record
In April 2011 the introduction of a Dutch national Electronic Health Record (Elektronisch Patiëntendossier, EPD) was unanimously binned by the Dutch Senate due to privacy objections and security risks. However, the national introduction of almost the same EPD was subsequently worked towards along a private route and this included the exchange of medical data through a National Switch Point (Landelijk Schakelpunt, LSP). This will by definition lead to 'function creep by design' instead of privacy by design. The digital ‘regional walls’ in and around the LSP will easily be circumvented or removed. Therefore the entire system can take on its old central form again at any given moment in the future, with all the privacy and security risks this entails. Furthermore, the current layout is characterized by generic instead of specific permission of the patient to share medical data with healthcare providers (and future third parties). This constitutes an imminent danger for the medical privacy of citizens as well as the professional confidentiality of medical specialists.
The Dutch Ministry of the Interior is currently conducting an assessment of the fundamental rights situation in the Netherlands. Later this year this will probably result in a report called ‘De Staat van de Grondrechten’ (‘The State of Fundamental Rights’) and an accessory entitled ‘Nationaal Actieplan Mensenrechten’ (‘National Human Rights Action Plan’). In this context the Ministry recently requested input from several NGOs, among which Privacy First. Below is our advice:
Top 7 of issues that deserve a place in the State of Fundamental Rights and the National Human Rights Action Plan:
1. Active adherence to as well as protection, fulfilment and promotion of the right to privacy
Clarification: privacy is both a Dutch constitutional right and a universal human right. As with all human rights, the Dutch government accordingly has the obligation to 1) respect, 2) protect, 3) fulfil and 4) promote the right to privacy through proper legislation and policy. However, since '9/11' almost only restrictions of the right to privacy have been made, instead of enhancements of it. This constitutes a violation of the above-mentioned general duty to actively fulfil the right to privacy. The same goes for related rights and principles such as the presumption of innocence and the ban on self-incrimination (nemo tenetur).
2. Constitutional review
Clarification: the Netherlands is only familiar with constitutional ‘review’ by civil servants and members of the Dutch House of Representatives when it comes to the development of new legislation. Unfortunately there is no Dutch Constitutional Court and, oddly enough, constitutional review of formal legislation by the judiciary is outlawed in the Netherlands. It is partly on account of this that the Dutch Constitution has become a dead letter over the last decades. It is therefore recommended to create a Constitutional Court as soon as possible and to abrogate the ban on constitutional review.
3. Collective legal means
Clarification: owing to a development of legal restrictions within the case law of the Dutch Supreme Court, over the last decades it has become increasingly difficult for foundations and associations to legally defend the social interests they advocate for through the collective right to action (Article 3:305a Dutch Civil Code and Article 1:2 paragraph 3 Dutch General Administrative Law Act, both links are in Dutch). Because of this the effective and efficient functioning of the Dutch constitutional State and legal economy have come under severe pressure. It is therefore recommended for the government to actively respect, protect and fulfil the collective right to action, for instance by no longer instructing the State attorney to plead for the inadmissibility of foundations and associations in relevant lawsuits. Moreover, the ban on direct appeal against generally binding regulations (Article 8:3 Dutch General Administrative Law Act, in Dutch) is to be abrogated.
4. Voluntary instead of compulsory biometrics
Clarification: the premise in a healthy democracy under the Rule of Law should be that citizens may never be obliged to cede their unique physical characteristics (biometric personal data) to the government or the business sector. After all, this constitutes a violation of the right to privacy and physical integrity. Moreover, within companies, service providers, employers, etc. this leads to unfair trading practices. With the planned introduction of an ID card without fingerprints, in this area the Dutch government is taking a first step in the right direction. In line with this, we advise the Dutch government to plead at the European level for a passport with voluntary instead of compulsory taking of fingerprints.
5. Anonymity in public space
Clarification: the right to be able to travel anonymously and not to be spied upon has become increasingly illusory in recent years, especially through technological developments such as public transport chip cards, camera surveillance, cell phone tracking, etc. Both the government as well as the business sector are obliged to actively reinstate, protect and fulfil the right to privacy in terms of anonymity in public space through the introduction of public transport chip cards that are truly anonymous (privacy by design), the abrogation of camera surveillance unless strictly necessary, the development of privacy-friendly mobile telephony and apps, etc. For all the legislation and policies in this field, privacy, individual freedom of choice, necessity, proportionality and subsidiarity are to be leading principles.
6. Privacy by design
Clarification: all privacy-sensitive information technology is to comply with the highest standards of privacy by design. This can be achieved through the use of privacy enhancing technologies (PET), among which are state-of-the-art encryption and compartmentalization instead of centralization and the coupling of ICT. At the European level this is to become a strict legal duty for governments as well as the business sector, with active supervision and enforcement in this area.
7. Privacy education
Clarification: in terms of human rights education the Netherlands is threatening to become a third world country. In the long run this puts the continued existence of our democratic constitutional State at stake. It equally puts the right to privacy in danger. A privacy-friendly future begins with the youth of today. To that end privacy education is to become compulsory in primary, secondary and higher education. The government should play an active role in this.
Earlier this year the Dutch Minister of Justice and Security Ivo Opstelten came up with the miserable plan to authorize the Dutch police force to hack into your computer (both at home and abroad!) and to enable the police to demand that you decrypt your encrypted files in the presence of a policeman and obediently hand them over to the State. In the context of an online consultation (in Dutch), Privacy First notified the Minister that it has a number of principal objections against his plans:
The Privacy First Foundation hereby advises you to withdraw the legislative proposal ‘enforcement of the fight against cybercrime’ on the basis of the following eleven principal grounds:
- In our view, this legislative proposal forms a typical building block for a police State, not for a democratic constitutional State based on freedom and trust.
- The Netherlands has a general human rights duty to continuously fulfil the right to privacy instead of restricting it. With this legislative proposal the Netherlands violates this general duty.
- This legislative proposal is not strictly necessary (contrary to possibly being ‘useful’ or 'handy') in a democratic society. Therefore the legislative proposal is in breach of Article 8 of the European Convention on Human Rights.
- Moreover, this legislative proposal violates the prohibition of self-incrimination (nemo tenetur se ipsum accusare).
- Function creep is a universal phenomenon. This will also apply to this legislative proposal, which will form the basis for future abuse of power.
- This legislative proposal puts the relationship of trust between the Dutch government and the Dutch people to the test. This will lead to a chilling effect in Dutch society.
- Through this legislative proposal age-old assets such as freedom of the press and the protection of journalistic sources, whistleblowers, freedom of speech, free information gathering, freedom of communication and the right to a fair trial are put under severe pressure. This is detrimental to the dynamics within a free democratic constitutional State.
- This legislative proposal and the accompanying technology will be imported and abused by less democratic governments abroad. Therefore the legislative proposal forms an international precedent for a worldwide Rule of the Jungle instead of the Rule of Law.
- As of yet the legislative proposal lacks a thorough and independent Privacy Impact Assessment.
- This legislative proposal stimulates suboptimal (i.e. crackable by the government, because otherwise illegal?) instead of optimal (‘uncrackable’) ICT security.
- Fighting cybercrime demands multilateral cooperation and coordination instead of unilateral panic-mongering as is the case with this legislative proposal.
The Privacy First Foundation
Shocking news reached us last week from the United States regarding the eavesdropping scandal that involves the US government. The digital state terrorism under Obama Bin Laden (the difference is really just a mere letter) has only been further institutionalized in his terms of office and undermines the basis of the democratic constitutional state inside and outside of America. Everyone’s a suspect, massive data storage and then continuous, real-time profiling of every citizen, in particular the citizens and organizations the government dislikes. "Just trust us, we don’t actually trust you." One-sided transparency, citizens without any form of privacy, the government shielded by so-called state security protocols and always at war with an unknown enemy, so "everything is permissible".
- A democracy is characterized by administrative transparency and respect for the private life of citizens. Within a dictatorship things are exactly the other way around: transparency of private life and administrative secrecy are the norm. To what extent is America still democratic? Over there whistleblowers that represent fundamental rights and real patriots in the true sense of the word are portrayed as terrorists.
- 29-year old Edward Snowden is committed to his own principles and is now forced to seek asylum far away from the United States.
- After having revealed abuses by that same government, Julian Assange felt the need to flee to the Ecuadorian embassy in London where, by now, he’s been holed up for over a year.
- Where are the days when such people got the credit they deserved? Not that long ago, during the Watergate Scandal, the American president had to resign. It also brings to mind George Orwell’s newspeak: simply turning everything around, denying, lying, deceiving. So here we have it: the government that sold "change" and "hope" to its own people and the world.
A few hopeful changes à la Obama:
- Guantanamo Bay is still open and its prisoners have been held there for years without any form of fair trial and with no way out; secret courts are the norm.
- Everywhere in the world, unwanted citizens and innocent citizens are pre-emptively eliminated without any form of trial, judicial process or evidence through the use of drones, which additionally violates the sovereign airspace of foreign states. In case a drone crashes, instead of apologizing for violating international law, the drone is ordered back in no uncertain terms.
- By now hundreds of pilots are trained to fly drones and to kill "suspects" in a computer game-like way.
- Echelon, Carnivore and other data-collection programs are now complemented by PRISM, in order to be able to create a "digital life file" of every citizen, used to analyze the past, the present and possibly future behavior and ways of thinking. In case these ways of thinking are not to the government’s liking, the words "terrorist" and "part of a criminal organization" are immediately proclaimed and a profiling program commenced. This shameless infringement of the right to a private life takes place under the guise of terrorism prevention.
- Whereas in the past citizens under reasonable suspicion of a crime could be tracked on the basis of a judicial decision and whereas control was specifically aimed at foreigners in the home country, nowadays it’s every citizen’s turn without judicial interference and in the US, already 5 million officials of the State have access to such classified information. And the target within PRISM very clearly is the entire world and all (forms of) communication. Welcome to the new world! Data macht frei!
- Now the Obama administration is in the possession of these data, they are directly abused as well, for example by not handing out permits or by carrying out extra tax controls on dissenting groups. For years Privacy First has warned of function creep when it comes to this kind of legislation and the execution thereof. In this respect the Patriot Act is the least patriotic law (newspeak) since the coming into existence of the US and is applied all the time to be infinitely abused by the government, also outside of the US.
This was just a brief overview of cases that have come to the surface. Privacy First is especially bothered by the lack of self-reflection and self-control that governments display. "Is it technically possible? Then let’s do it!"
Instead of having a democratic discussion and offering a content-related reaction including apologies, or instead of the people responsible resigning, an immediate attack is launched and a sideway discussion started, exactly similar to the Wikileaks Affair:
- Everything is inverted, the whistleblowers are terrorists and privacy fetishists who are actually weak and sensitive, characteristics that need to be eliminated immediately.
- Immediately diverting the question away from the topic and focussing on the mistakes made within the organization with the aim to eliminate whistleblowers; how can it be these whistleblowers have not been detected earlier?
- The subsequent phase is the stigmatization of the whistleblower, saying that more resolute action is needed to discourage other intelligent people with common sense and a democratic vision to undertake any such actions.
- After that comes the stigmatization of those holding different views and the press; the disgraceful free press that dares to publish such information: there has already been a call to prosecute any press that collaborates with whistleblowers. An immediate counter attack and you don’t need to talk about the content, a very easy option!
- It is allowed by law through the Patriot Act! Instead of calling this law into question when true patriots that are committed to principles reveal abuses.
- Shamelessly asserting that nothing’s going on when information is shared without the permission of citizens from other countries, with the argument that it’s convenient and that the government knows what is good for citizens. And all of this from a line of thinking dominated by fear, without a privacy-friendly alternative.
Time and again the government evades the real debate about reinforcing the fundamental principles of the democratic society on the basis of faith, about stimulating individual responsibility of citizens and, where necessary, about modifying the system with technology in order to improve the democratic process. The US government, like many other governments, has totally gone out of its mind and has forgotten it serves the interests of its citizens and the democratic fundamental principles instead of the other way around.
Privacy First makes a call to all pressure groups and government institutions to have a broad debate in society about this; in this digital age we are in need of a concrete alternative for the organization of a democratic society in order to stop the explosive growth of government terror that targets innocent and defenceless citizens. In this way Western democracies rapidly become totalitarian dictatorships while our society turns into an "electronic concentration camp".
→ What difference is there still between a dictatorship or a single-party state like China and the big leader of the free Western world, the US? That they are capitalistic societies?
→ What meaning does the message of progress, faith and love still have on a model of society that offers a hopeful future to the fully participating citizen?
At the end of the day scaling up, distancing of citizens, negative messages on the basis of fear, suspicion and black and white thinking will not lead to a more pleasant society. Nevertheless these are everyday occurrences since 9/11. A few years ago Privacy First already decided to choose for a free and inspiring society that had been fought for for 2000 years and to draw a line in the sand for citizens. We pay tribute to the whistleblowers! Who’s next?
Chairman of the Privacy First Foundation
Since September 2012, Dutch Minister Ivo Opstelten has been planning to equip the entire Dutch police force with Taser weapons. At the request of the Privacy First Foundation, the Dutch government will have to answer some tough questions about this before the UN Committee against Torture.
One of the most important and most ratified human rights treaties in the world is the 1984 United Nations Convention against Torture. Under this Convention, torture is prohibited under all circumstances. Anyone who is guilty of torture anywhere in the world is to be prosecuted or extradited. This also applies to civil servants, ministers, presidents and heads of State. The Netherlands has been a party to the UN Convention against Torture since 1988. Periodically, every country that has ratified the Convention is examined by the supervisory treaty body in Geneva: the UN Committee against Torture (CAT). This upcoming Tuesday and Wednesday it's the Netherlands' turn to come under CAT's scrutiny: on Tuesday the Netherlands will be cross-examined by the Committee on various issues, after which the Dutch delegation will come up with answers on Wednesday. Subsequently, the Committee will make a number of critical recommendations (''Concluding Observations'') to the Netherlands.
In preparation of the Dutch session, the Privacy First Foundation, the Dutch National Human Rights Institute (College voor de Rechten van de Mens) and the Dutch section of the International Commission of Jurists (Nederlands Juristen Comité voor de Mensenrechten, NJCM) have recently sent so-called 'shadow reports' about the Netherlands to the Committee in Geneva. Both Privacy First and NJCM emphatically raised the issue of Taser weapons for the Dutch police. Privacy First did so through a special letter to the Committee: click HERE. In this letter Privacy First draws the Committee's attention to the intention of the Dutch Minister of Security and Justice Mr. Ivo Opstelten to soon supply every Dutch police officer with his/her own Taser weapon. (Currently 'only' the arrest teams of the Dutch police force are equipped with Taser weapons.) In the view of Privacy First, the use of Taser weapons can easily lead to a violation of the international ban on torture as well as the related right to physical integrity, which in turn is part of the right to privacy. Taser weapons lower the threshold for police violence and hardly leave behind any scars. At the same time Taser weapons can inflict serious physical damage and mental harm. In conjunction with the current lack of firearms training for Dutch police officers, this produces serious risks for the Dutch population. Therefore we have requested the Committee to critically examine the Netherlands about this and to advise against introducing Taser weapons for the entire Dutch police force. Last Friday, Privacy First was notified from Geneva that the UN Committee will indeed critically examine this issue. This week Privacy First will keep you up-to-date of the latest developments.
Update 13 May 2013, 23.00h: a livestream of the Dutch session can be viewed online HERE (Tuesday 10am-3pm, Wednesday 3pm).
Update 14 May 2013, 15.00h: Today the Dutch delegation in Geneva (under the chairmanship of the Dutch Permanent Representative to the UN) was critically questioned by the Committee on various issues, among which... Tasers. The Dutch answers will follow tomorrow afternoon at 15.00h. Below are the relevant parts both in text as well as in mp3:
Committee member Nora Sveaass (Norway): "I then want to bring the attention to something that I've been informed of, namely that the State [of the Netherlands] is planning on a pilot of using Taser weapons as a regular weapon within the police force. And the pilot is supposed to take place, I understand, the last half of this year, so it's probably just around the corner. This Committee has on many different occasions warned against the use of Tasers, both in special situations and especially as a regular weapon to all the police, as I understand the plans are. And there are a lot of reasons for this, I won't go into the detail, because these have been described both by this Committee and by a lot of others, because, first of all, health reasons, physical as well as psychological. So I would hope that you would rethink and perhaps change the decision of implementing a pilot and also doing it in practice."
Committee member Fernando Mariño Menéndez (Spain): "I'm also concerned by the decision that we've heard about to generalize the use of Tasers by all regular police officers, as just referred to by Mrs. Sveaass, that the Tasers will be used as an [armament] for standard use across the Kingdom of the Netherlands. That's our understanding, perhaps we're wrong, perhaps there is a special protocol governing the use of Tasers. Our position as a Committee is that Tasers shouldn't be used at all. If they are to be used, and this seems to be dangerous, then they need to be used in very specific cases and properly regulated. We'd like to know what's happening in the Kingdom of the Netherlands."
Update 14 May 2013, 16.45h: This afternoon Privacy First employee Vincent Böhre was interviewed about this topic on Dutch radio station FunX. You can listen to the entire interview (in Dutch) here:
Update 15 May 2013: This afternoon the Netherlands had the opportunity to answer the questions that were asked by the UN Committee yesterday. In the audio file below you can hear how the Dutch Permanent Representative to the UN in Geneva denies and downplays the Dutch plans concerning Taser weapons. For the Committee members this was no reason to tone down or withdraw their critical remarks made yesterday. Therefore, Privacy First expects the Committee to express sharp criticism on the Dutch Taser plans in its Concluding Observations that are soon to be issued. Tonight the Committee already published a press release about the Dutch session; click HERE.
Update 16 May 2013: An integral video registration of both session days of the UN Committee is online HERE. The Concluding Observations of the Committee about the Netherlands will follow on Friday afternoon 31 May 2013 (June 3rd at the latest), Privacy First was told by telephone from Geneva today.
Update 22 May 2013: as a result of the Dutch session before the UN Committee last week, Dutch opposition party D66 today has posed a series of critical Parliamentary questions to Minister Opstelten; click HERE (in Dutch).
Update 31 May 2013: As predicted earlier by Privacy First and as reported tonight by Dutch television news program EenVandaag, the UN Committee against Torture has issued a negative statement today about Minister Opstelten's plans to equip the entire Dutch police force with Taser weapons:
"The Committee is concerned about the pilot plan to be reportedly launched to distribute electrical discharge weapons to the entire Dutch police force, without due safeguards against misuse and proper training for the personnel. The Committee is concerned that this may lead to excessive use of force (arts. 2, 11 and 16). The Committee recommends to the State party, in accordance with articles 2 and 16 of the Convention, to refrain from flat distribution and use of electrical discharge weapons by police officers. It also recommends adopting safeguards against misuse and providing proper training for the personnel to avoid excessive use of force. In addition, the Committee recommends that electrical discharge weapons should be used exclusively in extreme limited situations where there is a real and immediate threat to life or risk of serious injury, as a substitute for lethal weapons." (para. 27. Click HERE for the entire document.)
The Privacy First Foundation hopes that this negative stance by the UN Committee will lead to a reconsideration and withdrawal of the Dutch plans to equip every Dutch police officer with a Taser weapon. Privacy First also hopes that the announced pilot will not be executed.
From the response to Parliamentary questions (in Dutch) it emerged this week that there is no specific legal basis for the secret use of drones by police in the
Without a specific legal basis in accordance with Article 8 paragraph 2 ECHR, every police drone constitutes an inadequate means of criminal investigation that shouldn't be used. Therefore the use of such drones should be suspended with immediate effect. In individual criminal cases, it is up to the judge to exclude information gathered with police drones from legal proceedings as it concerns unlawfully obtained evidence.
Privacy First hereby makes an urgent appeal to the Dutch House of Representatives to institute a moratorium on the further use of drones. Such a moratorium should only be lifted after a broad democratic debate has taken place and the use of drones has been properly regulated. In case the current Dutch situation will continue to be politically tolerated, Privacy First reserves the right to enforce a moratorium in court.
As of 2 October 2012, the new Dutch National Human Rights Institute (College voor de Rechten van de Mens, CRM) will open its doors. Recently the Institute under formation established the essential pillars of its policy for the coming years, namely 1) care for the elderly, 2) immigrants and 3) discrimination on the labor market. However, of all human rights, in recent years the right to privacy is worst off in the Netherlands. Contrary to the above mentioned pillars (that concern vulnerable groups of people), the right to privacy appertains to anyone who finds him or herself on Dutch soil. In essence this has turned the entire Dutch population into a vulnerable group, especially in comparison to the situation in other countries where the protection of privacy is much better regulated. A few years ago the right to privacy was even about to become a complete illusion in the Netherlands. In May 2009 this state of affairs led to the foundation of the Dutch Platform for the Protection of Civil Rights (Platform Bescherming Burgerrechten) in which various non-governmental organisations (NGOs) have joined forces. This week the Platform sent the below appeal (co-authored and signed by Privacy First) to the chairman of the future National Human Rights Institute, Laurien Koster:
Dear Ms. Koster,
Today, of all human rights, the right to privacy finds itself under the most pressure. Therefore, it is with concern that the Platform for the Protection of Civil Rights recently took note of the three essential pillars of the National Human Rights Institute for the coming years, namely 1) care for the elderly, 2) immigrants and 3) discrimination on the labor market. Not willing to take anything away from the social importance of these three pillars, in this letter we ask you to still consider adopting privacy as one of the pillars of your Institute.
In recent years, there seems to be the tendency in the Netherlands to confront every social problem with a standard formula, that is to say, more digital registration, more linkage of files, opening up systems and central databases that become accessible to ever more officials and third parties, restriction of professional autonomy, preventive controls and profiling. It seems as if people, especially politicians, influenced as they are by the media and the vox populi – which in turn is affected by the media – think that these instruments exert a certain control over society that should lead to more order, tranquillity and security. In our opinion the opposite effect is increasingly the case. After all, digitalization implies that the quantity of data that is stored of every citizen becomes ever greater and less clear and less controllable. This especially applies to data that have been inserted or linked up erroneously or that are obsolete. The exponential growth of digital registrations sees a dramatic increase in risks of data leakages while new forms of identity fraud and identity theft arise. This means that the insecurity of digital systems becomes a direct threat to citizens. Furthermore, there’s a risk that citizens become their own digital ‘doubles’ through digital profiling. This implies that the autonomy of the free citizen who participates in society – a characteristic so very important in a democratic constitutional State – is seriously put at stake.
Going back to a society without the Internet or digital files is by no means what we advocate for (if it were possible anyway). However, a sensible use of technological means, among which data storage, biometrics and other such technological assets, will be necessary to retain our democratic constitutional State and affiliated fundamental rights. Particularly in these times of unforeseen technological possibilities we should once more realize how important the fundamental principles of our society are. Therefore, it should every time be assessed what is within the boundaries of acceptability and to what extent possible alternatives on a human scale, such as personal contact but also assistance and service, are desirable or necessary.
Privacy constitutes the basis of our democratic constitutional State. Without privacy many other human rights are at issue, among which are the right to confidential communication and freedom of speech, non-discrimination, freedom of movement, association and assembly, demonstration, culture and religion, press freedom as well as the right to a fair trial. Apart from that we observe that in the Netherlands the right to privacy can only rely on patchy protection by government supervision, that is to say, it only concerns the protection of personal data. As far as the protection of personal privacy in the broadest sense of the word is concerned (and this includes the inviolability of the home and the right to physical integrity) there is hardly any government supervision. Moreover, with regard to the realization and compliance to as well as the protection and promotion of the right to privacy in conjunction with other human rights, government supervision is lacking altogether. It is especially in these areas that your Institute has added value and can help overcome the ‘human rights gap’ that has come into existence in the Netherlands in recent decades.
We hope that your Institute will still make the right to privacy one of its policy pillars. If you wish, the organizations that together form the Platform for the Protection of Civil Rights are happy to supply you with information and advice.
On behalf of the participants of the Platform for the Protection of Civil Rights I remain respectfully yours.
chairman of the Platform for the Protection of Civil Rights
On behalf of the Platform participants:
Humanistisch Verbond (Humanist Association)
Stichting KDVP (KDVP Foundation; Dome of DBC Free Practices)
Stichting Meldpunt Misbruik ID-plicht (Contact Point on Abuse of Mandatory Identification)
Ouders Online (Parents Online)
Stichting Privacy First (Privacy First Foundation)
Burgerrechtenvereniging Vrijbit (Civil rights society Vrijbit)
Jacques Barth (on behalf of Stichting Brein en Hart i.o. (Brain and Heart Foundation under formation))
Joyce Hes (advisor to the Platform for the Protection of Civil Rights)
Kaspar Mengelberg (on behalf of DeVrijePsych (The Free Psychiatrist))
A pdf version of this letter can be found HERE (in Dutch)
Update: in a written reply (pdf) the Institute under formation notifies that in the Netherlands there is indeed “still a lot to be done to safeguard the right to privacy”. The Institute also acknowledges the limited mandate of the Dutch Data Protection Authority (College Bescherming Persoonsgegevens). However, for the time being the Institute sticks to its intended strategic agenda. Nevertheless, in the future (also the coming three years) the Institute “can’t and won’t distance itself from problems when realizing the right to privacy”. Privacy First will be eager to remind the Institute of this in urgent cases.
"Courts are investigating the legality of a European Union regulation requiring biometric passports in Europe. Last month, the Dutch Council of State (Raad van State, the highest Dutch administrative court) asked the European Court of Justice (ECJ) to decide if the regulation requiring fingerprints in passports and travel documents violates citizens’ right to privacy. The case entered the courts when three Dutch citizens were denied passports and another citizen was denied an ID card for refusing to provide their fingerprints. The ECJ ruling will play an important role in determining the legality of including biometrics in passports and travel documents in the European Union.
The Dutch Council referred the question of legality to the ECJ, arguing that the restrictions on privacy do not outweigh the ostensible aim of fraud prevention, and questioning the RFID technique. The Council also questioned whether fingerprints could be safeguarded so that they would only be used in passports or identity cards and not in databases for other purposes (known as function creep). The four cases that prompted this challenge to the biometric passport regulation are suspended pending the ECJ’s response.
The Netherlands has mandated fingerprints in passports and ID-cards since 2009. The Dutch biometric Passport Act is the misshapen offspring of the European Regulation compelling security features and biometrics in passports. The Regulation mandates that passports include two fingerprints taken flat in interoperable formats.
The Netherlands' storage of a biometric database was suspended in 2011, following privacy concerns as well as questions over the reliability of biometric technology. The Mayor of the City of Roermond reported that 21 percent of fingerprints collected in the city could not be used to identify any individuals. In April 2011, the Dutch Minister of Interior, in a letter to the Dutch House of Representatives, asserted that the number of false rejections was too high to warrant using fingerprints for verification and identification. Currently, only fingerprints stored in Radio Frequency Identification (RFID) chips embedded in ID documents are being collected.
The Amsterdam-based Privacy First Foundation (Stichting Privacy First) appreciates the critical stance on biometrics taken by the Dutch Council of State in line with the position taken by a German court: "We hope the ECJ will soon rule that the European Passport Regulation is invalid both in a formal, procedural sense (having been improperly adopted in 2004) and in a material sense (violating the human right to privacy and data protection). In the meantime, we hope the Dutch Parliament will scrap compulsory fingerprinting for Dutch ID cards as soon as possible."
A government proposal to this effect is currently before the Dutch House of Representatives.
The Dutch Council's concerns echo questions raised by a German court earlier this year regarding the legality of the German biometric passports with RFID chips. The German court has questioned whether the EU regulation is compatible with the Charter of Fundamental Rights of the European Union (EU Charter) and the European Convention of Human Rights (ECHR). The German case was preempted when a German citizen, Michael Schwarz, refused to provide his fingerprints to obtain his new passport and the City of Bochum decided not to issue him one.
Mr. Schwarz argued that the regulation infringes privacy as protected under the ECHR and the EU Charter. In this case, the German court argued that the European Union has no legislative competence to enact rules on standards for security features and biometrics in passports as there is no direct relation of such rules to the protection and security of EU external frontiers.
The German court decided that the requirement of biometric data in passports is a “serious infringement” on privacy, arguing that the measure does not satisfy the proportionality test of being appropriate, necessary, or reasonable."
Read the entire article (including sources) on the website of the Electronic Frontier Foundation (EFF) HERE.
In the context of a public consultation, the Dutch Ministry of the Interior recently requested Privacy First to react to the current government proposal to revise Article 13 of the Dutch Constitution (right to confidentiality of postal mail, telephone and telegraph). Below are our comments on the current draft of the legislative proposal (click HERE for the original Dutch version in pdf):
Ministry of the Interior and Kingdom Relations
Deputy Director for Constitutional Affairs and Legislation
Mr. W.J. Pedroli, LL.M.
PO Box 20011
2500 EA The Hague
Amsterdam, 29 December 2012
Re: Comments by Privacy First on the revision of Article 13 of the Constitution
Dear Mr. Pedroli,
On October 16th 2012 you requested the Privacy First Foundation to react to the draft legislative proposal to revise Article 13 of our Constitution. Privacy First is grateful for your request and is happy to hereby provide you with critical comments. In the first place, Privacy First fully endorses the desire of this government to modernise the current, archaic Article 13 of the Constitution. However, Privacy First regrets the fact that the government has not seized the opportunity to also renew and reinforce other ‘fundamental rights in the digital age’.
In the view of Privacy First, the first and third paragraphs of the current draft legislative proposal to revise Article 13 of the Constitution form powerful anchors for a future-proof right to confidential communication. The first paragraph rightly upgrades the old confidentiality of postal mail, telephone and telegraph to a technology-independent (or technology-neutral) confidentiality of mail and telecommunication. The third paragraph forms a correct guarantee for the horizontal effect thereof. Moreover, Privacy First endorses the broad interpretation that is being given by the draft Explanatory Memorandum (EM) to various relevant concepts. However, the second paragraph of the draft proposal contains a systematic imbalance which, in times less democratic, could endanger the rule of law in our society. It is precisely this paragraph which most of Privacy First’s criticism is focused upon. Other points of criticism concern compulsory notification towards citizens in the event that special powers have been used by the intelligence and security services, traffic data as well as the lack of a comparative legal section in the EM.
Judicial authorisation and national security
The EM rightly states that "in light of Article 13 (...) the protection of citizens against violations by the government is paramount, especially in light of the actions by the police and intelligence services. Demanding a judicial authorisation under the Constitution provides a strong and clear constitutional guarantee." It is therefore incomprehensible that in the second paragraph of the draft legislative proposal the domain of national security is being excluded from judicial supervision. After all, where the concentration of power is supreme, judicial checks and balances should be the most potent to prevent any (future) abuses of power. In light of European history, the exception in paragraph 2 is in fact entirely irresponsible: unfortunately, even in our part of the world a democratic constitutional State is not a static matter of fact. Apart from that, the current draft proposal sends out a dangerous signal to foreign governments. Furthermore, Privacy First deems the exception in paragraph 2 unwise in view of possible technological developments in the (far) future. The same holds true in relation to the (further) expansion of the notion of ‘national security’. Also in the future, the Dutch population needs to be protected against arbitrary violations of confidentiality of communication; in this regard the current wording of paragraph 2 offers no guarantee whatsoever.
Adding an extra ‘judicial layer’ would strengthen the current system of internal and external supervision on the intelligence and security services (and hence reinforce our democratic constitutional State). In this regard, the system of judicial supervision in a country like Canada could be a source of inspiration. Such judicial control would also be in line with the case-law of the European Court of Human Rights:
“The Court has indicated, when reviewing legislation governing secret surveillance in the light of Article 8 [ECHR], that in a field where abuse is potentially so easy in individual cases and could have such harmful consequences for democratic society as a whole, it is in principle desirable to entrust supervisory control to a judge.”
In light hereof, the current wording of paragraph 2 is not expedient. Privacy First thus advises a revision of this paragraph as follows:
“This right can be restricted in cases defined by law with the authorisation of a judge or, in the interest of national security, with authorisation from one or more ministers appointed by law.” [lining through by Privacy First]
As a possible alternative to the introduction of judicial supervision in the security domain, Privacy First advises to upgrade the existing Dutch Review Committee on the Intelligence and Security Services (CTIVD) into a more powerful, independent supervisory body, similar to the Belgian or German model with overall compulsory inspections beforehand instead of random supervisory inspections afterwards.
A second point of criticism concerns the lack of an explicit constitutional notion of compulsory notification in the event of any infringement of the confidentiality of mail and telecommunication. Compulsory notification provides legal protection to citizens and contributes to the correct enforcement of law by the government, also in the security domain. Like judicial authorisation, this offers the best guarantees against short-term as well as long-term violations.
From Privacy First's point of view, traffic data too need to fall within the scope of Article 13 of the Constitution. These data are often related to the content of communication; this even follows from the text of the EM itself, where text messages ('SMS') and the email subject line are rightly mentioned as examples. The same goes for instance for search terms in search engines. Apart from that, it is possible to deduce the content of communication between individuals and/or companies from traffic data in conjunction with other data (possibly collected in real-time). So here too, a vigorous regime of Article 13 of the Constitution in conjunction with judicial supervision is essential.
Finally, in the current EM Privacy First misses a comparative legal paragraph in which current Article 13 of the Constitution is compared with constitutional best practices from countries with either a civil law or a common law tradition. Additionally, with a new Article 13 of the Constitution that is state-of-the-art internationally, the Netherlands could positively distinguish itself and to some degree regain its former position as a leader in human rights.
Privacy First hopes that this advice will be of use to you. We are willing to give clarifications on the above points upon request.
Privacy First Foundation
Director of Operations
 EM, at 18, 20.
 Compare EM at 11, 1st paragraph.
 ECHR 22 November 2012, Telegraaf vs. Netherlands (Appl.no. 39315/06), para. 98. Compare also ibid., paras. 98-102.
 EM, at 18.
Update 8 February 2013: see also the critical comments by the Netherlands Committee of Jurists for Human Rights (NJCM), Bits of Freedom and the newly established Netherlands Institute for Human Rights (in Dutch).
This morning in Geneva the long-awaited Universal Periodic Review (UPR) of the Netherlands took place before the Human Rights Council of the United Nations (UN). In the run up to this four-year session, the Privacy First Foundation and various other organisations had emphatically voiced their privacy concerns about the Netherlands to both the UN and to almost all UN Member States; you can read more about this HERE. The Dutch delegation for the UPR session was led by Interior Minister Ms. Liesbeth Spies. The opening statement by Spies contained the following, remarkable passage about privacy:
"The need to strike a balance between different interests has sometimes been hotly debated in the Dutch political arena, for example in the context of privacy measures and draft legislation limiting privacy. The compatibility of this kind of legislation with human rights standards is of utmost importance. This requires a thorough scrutiny test, which is guaranteed by our professionals and institutions. Improvements in this regard have been made when necessary, especially in the starting phase of new draft legislation. This has been done in the field of privacy, where making Privacy Impact Assessments (PIAs), describing the modalities for the planned processing of personal data, are compulsory now." (pp. 5-6, italics Privacy First)
A "thorough scrutiny test" and compulsory Privacy Impact Assessments are the terms that positively stand out for Privacy First.
Prior to the UPR session, the United Kingdom had already put the following questions to the Netherlands: "Given recent concerns about data collection and security, including the unintended consequences of cases of identity theft, does the Netherlands have plans for measures to ensure more comprehensive oversight of the collection, use and retention of personal data?" (Source) On behalf of the Netherlands, Minister Spies responded to this question in Geneva this morning saying: "On the review of our laws on data protection, The Netherlands are currently working on a legislative proposal on data breach notification, following announcements of this proposal in the present coalition agreement. The proposal, which would require those responsible for personal data to notify the data protection authorities in case of "leakage" of personal data with specific risks for privacy (including identity theft), is expected to be tabled in Parliament in the coming months." This answer is rather concise and unfortunately it doesn’t contain any new elements. However, a new Dutch law on compulsory notification for data leakages will hopefully become a best practice for other UN Member States. The credits for this go to our colleagues of the Dutch NGO Bits of Freedom who have worked on this for a long time.
During the UPR session Estonia called the protection of privacy and personal data a "human rights challenge of the 21st century". Morocco then asked a critical question about the privacy issue: "Quelles sont les mesures concrètes entreprises par les autorités néerlandaises pour sécuriser l'utilisation des donnés personnelles?" ("What are the concrete measures taken by the Dutch authorities to protect the use of personal data?") The Philippines also raised the issue of the right to privacy, but only in these words: "The Philippine delegation appreciates the frank assessment of the Netherlands of the obstacles and challenges it has to hurdle in the implementation of the right to privacy especially in the area of protection of personal information." The comments by Greece, India, Russia and Uzbekistan were more content-focused. Greece addressed the practice of preventive searches: "We take note of reports regarding the issue of preventive body searches. We recommend that the Netherlands ensure that in its application of preventive body searches, all relevant human rights are adequately protected, in particular the right to privacy and physical integrity and the prohibition of discrimination on the basis of race and religion." India exhorted the Netherlands on ethnic profiling of citizens: "We encourage the Dutch Government to take concrete measures to combat discrimination including discrimination by the Government such as ethnic profiling." Russia too advised the Netherlands "to introduce measures to stamp out discrimination arising as a result of the practice of racist, ethnic or religious profiling." The Netherlands was addressed about this very issue by Uzbekistan as well: "We are concerned over the existence of information on the increasingly broad use by the police of racist profiling."
As a reaction to these points Minister Spies referred to recent research by the Dutch police, scientists and the National, the Amsterdam and the Rotterdam Ombudsman about preventive body searches, discrimination and ethnic profiling. With regard to digital profiling (in general), she moreover proclaimed the following: "In its recent proposal for a general Data Protection Regulation, the [European] Commission has included rules on profiling, which can address the problems associated with profiling and the protection of personal data. The Netherlands endorses the need for clear legislative rules with regard to this topic, given the specific challenges for privacy protection that this technique entails. This is also the background against which the Netherlands welcomed in 2010 the Council of Europe Resolution on this topic, which contained a useful definition of profiling that would also be beneficial for inclusion in the [European] Commission proposals. The Netherlands will draw attention to this ongoing discussion in Brussels. The Regulation, once in force, will be directly applicable in the Netherlands."
By and large this is a reasonable result, given that up until now the privacy issue had hardly played any role at all within the UN Human Rights Council. However, it’s a shame that most countries still hardly dare to confront this issue, let alone ask specific and critical questions about it. Many of the recommendations by Privacy First have not been touched upon during this UPR session, although diplomats in Geneva and The Hague had earlier shown great interest in them. Perhaps they were stopped by their Foreign Affairs departments in capital cities because many privacy issues are also sensitive in their own domestic politics? Who knows... However, the fact remains that the international community was informed by Privacy First well in advance, which was part of the reason that the Dutch UN delegation headed by Minister Spies was properly focussed on the job at hand. This can only be to the benefit of general awareness and the protection of privacy, both inside and outside the Netherlands. In the end, for us this is what it’s all about.
Update 4 June 2012: This afternoon, a working group of the Human Rights Council adopted a draft report on the Dutch UPR session. The final version of this report will be adopted by the Human Rights Council in September 2012, accompanied by a (motivated) acceptance or rejection by the Netherlands of each individual recommendation in the report. Furthermore, this will also be discussed by the Dutch House of Representatives.
A total of 49 countries have taken part in the Dutch UPR session. It is noteworthy that Belgium, Italy and Austria did not take part in the session (although Belgium and Italy had in fact enrolled beforehand). As far as Austria is concerned this is particularly regrettable, because of all the UN Member States it was actually Austria which had in advance expressed the most interest in the Privacy First UPR shadow report and had intimated to be able to make a powerful, overall recommendation to the Netherlands about the right to privacy.
Update 21 September 2012: This morning, the UN Human Rights Council discussed its recommendations to the Netherlands. The Dutch Permanent Representative in Geneva declared which recommendations have been accepted or rejected by the Netherlands; see this UN document and this video. The two recommendations by the Human Rights Council that related to ethnic profiling and preventive body searches have both been accepted by the Netherlands under the following clarification:
- ethnic profiling: "The Dutch government rejects the use of ethnic profiling for criminal investigation purposes as a matter of principle." About profiling in a more general sense: "In its recent proposal for a General Data Protection Regulation, the European Commission included rules on profiling that address problems that may arise due to the increasing technical possibilities for in-depth searches of databases containing personal data. The Netherlands endorses the need for clear legislative rules on this subject, given the specific challenges for privacy protection that this technology entails." (Source, 98.57 & n. 75).
- preventive body searches: "The power to stop and search is strictly regulated in the Netherlands. The mayor of a municipality may designate an area where, for a limited period of time, preventive searches may be carried out in response to a disturbance of or grave threats to public order due to the presence of weapons. The public prosecutor then has discretion to order actual body searches and searches of vehicles and luggage for weapons." (Source, 98.74 & n. 95).
See also this statement by the Netherlands Committee of Jurists for Human Rights (Dutch abbreviation: NJCM) from this morning (video). Just like the NJCM, Privacy First regrets the lack of government consultation in the run up to today’s UPR session.
Below you can watch the 31 May 2012 UPR session in its entirety (click HERE for video segments of individual countries).