The controversial and compulsory inclusion of fingerprints in passports has been in place in the EU since 2009. From that year on, fingerprints were also included in Dutch identity cards, even though under EU law there was no such obligation. While the inclusion of fingerprints in identity cards in the Netherlands was reversed in January 2014 due to privacy concerns, there is now new European legislation that will make the inclusion of fingerprints in identity cards compulsory as of August 2, 2021.
Dutch citizens can apply for a new identity card without fingerprints until August 2. After that, only people can do so who are ‘temporarily or permanently unable physically to have fingerprints taken’.
The Dutch Senate is expected to debate and vote on the amendment of the Dutch Passport Act in connection with the reintroduction of fingerprints in Dutch identity cards on July 13. In that context, Privacy First sent the following email to the Dutch Senate yesterday:
Dear Members of Parliament,
Since Privacy First was founded in 2008, we have opposed the mandatory collection of fingerprints for passports and identity cards. Since the introduction of the new Passport Act in 2009, Privacy First has done so through lawsuits, campaigns, freedom of information requests, political lobbying and by activating the media. Despite the subsequent Dutch discontinuation of the (planned) central storage of fingerprints in both national and municipal databases in 2011, everyone’s fingerprints are still taken when applying for a passport, and soon (as a result of the new European Regulation on ID cards) again for Dutch ID cards after this was retracted in 2014.
To date, however, the millions of fingerprints taken from virtually the entire adult population in the Netherlands have hardly been used in practice, as the biometric technology had already proven to be unsound and unworkable in 2009. The compulsory collection of everyone’s fingerprints under the Dutch Passport Act therefore still constitutes the most massive and longest-lasting privacy violation that the Netherlands has ever known.
Having read the current report of the Senate on the amendment of the Passport Act to reintroduce fingerprints in ID cards, Privacy First hereby draws your attention to the following concerns. In this context, we ask you to vote against the amendment of the law, in contravention of European policy. After all:
- As early as May 2016, the Dutch Council of State (Raad van State) ruled that fingerprints in Dutch identity cards violated the right to privacy due to a lack of necessity and proportionality, see https://www.raadvanstate.nl/pers/persberichten/tekst-persbericht.html?id=956 (in Dutch).
- Freedom of information requests from Privacy First have revealed that the phenomenon to be tackled (look-alike fraud with passports and identity cards) is so small in scale that the compulsory collection of everyone’s fingerprints is completely disproportionate and therefore unlawful. See: https://www.privacyfirst.nl/rechtszaken-1/wob-procedures/item/524-onthullende-cijfers-over-look-alike-fraude-met-nederlandse-reisdocumenten.html.
- In recent years, fingerprints in passports and identity cards have had a biometric error rate as high as 30%, see https://zoek.officielebekendmakingen.nl/kst-32317-163.html (Dutch State Secretary Teeven, January 31, 2013). Before that, Minister Donner (Security & Justice) admitted an error rate of 21-25%: see https://zoek.officielebekendmakingen.nl/kst-25764-47.html (April 27, 2011). How high are these error rates today?
- Partly because of the high error rates mentioned above, fingerprints in passports and ID cards are virtually not used to date, either domestically, at borders or at airports.
- Because of these high error percentages, former Dutch State Secretary Bijleveld (Interior and Kingdom Relations) instructed all Dutch municipalities as early as September 2009 to (in principle) refrain from conducting biometric fingerprint verifications when issuing passports and identity cards. After all, in the event of a ‘mismatch’, the ID document concerned would have to be returned to the passport manufacturer, which would lead to rapid societal disruption if the numbers were high. In this respect, the Ministry of the Interior and Kingdom Relations was also concerned about large-scale unrest and even possible violence at municipal counters. These concerns and the instruction of State Secretary Bijleveld still apply today.
- Since 2016, several individual Dutch lawsuits are still pending at the European Court of Human Rights in Strasbourg, challenging the mandatory issuing of fingerprints for passports and ID cards on the grounds of violation of Art. 8 ECHR (right to privacy).
- In any case, an exception should be negotiated for people who, for whatever reason, do not wish to give their fingerprints (biometric conscientious objectors, Art. 9 ECHR).
- Partly for the above reasons, fingerprints have not been taken for the Dutch identity card since January 2014. It is up to your Chamber to maintain this status quo and also to push for the abolition of fingerprints for passports.
For background information, see the report ‘Happy Landings' by the Scientific Council for Government Policy (WRR) that Privacy First director Vincent Böhre wrote in 2010. Partly as a result of this critical report (and the large-scale lawsuit brought by Privacy First et al. against the Passport Act), the decentralized (municipal) storage of fingerprints was largely abolished in 2011 and the planned central storage of fingerprints was halted.
For further information or questions regarding the above, Privacy First can be reached at any time.
The Privacy First Foundation
A Dutch court has today handed down a judgment in preliminary injunction proceedings brought by Privacy First concerning the UBO register. The district court of The Hague confirmed that there is every reason to doubt the legality of the European money laundering directives which are the foundation of the UBO register. On this point the judge follows the very critical opinion of the European Data Protection Supervisor. The interim proceedings court rules that it cannot be excluded that the Court of Justice of the European Union (CJEU) will come to the conclusion that the public character of the UBO register is at odds with the proportionality principle. Questions over its legality were recently referred to the CJEU by a Luxembourg national court. As such, the Dutch court felt there is no need to do the same.
Privacy First had also requested a temporary deactivation of the UBO register. This, however, is a step too far for the court, which states that deactivating the register is not possible as long as the underlying EU guideline is still in force. It would put the Netherlands in a position in which it operates in violation of the European guideline. With this claim, the judge says, Privacy First is getting ahead of itself. Privacy First will examine the ruling on this point, also in view of possibly going into appeal.
‘The introduction of the UBO register would mean that privacy-sensitive data of millions of people will be up for grabs’, comments Privacy First’s attorney Otto Volgenant of Boekx Attorneys.’On all sides there are strong doubts whether this is actually an effective means in the fight against money laundering and terrorism. It’s like using a sledgehammer to crack a nut. The Court of Justice of the European Union will eventually adjudicate the case, and I expect it will annul the UBO register.’
At the start of this year, the Privacy First Foundation initiated fundamental legal action against the Dutch government on account of the new UBO register, which is linked to the Trade Register of the Dutch Chamber of Commerce. Under the law the UBO register is based on, all 1.5 million Dutch legal entities that are included in the Trade Register will have to make public all sorts of privacy-sensitive data about their Ultimate Beneficial Owners. This concerns personal data of millions of directors, shareholders and high executives of companies (including family businesses), foundations, associations, churches, social organizations, charities, etc. Privacy First deems that this is a massive privacy violation, one which also creates personal safety risks. That is why Privacy First has asked the court to immediately declare the UBO register unlawful. A lot of information in the register will be publicly available and can be requested by anyone. In Privacy First’s opinion this is completely disproportionate and an infringement of European privacy law. The CJEU will examine whether the European legislation on which the UBO register is based violates the fundamental right to privacy.
The ruling (in Dutch) by the interim proceedings court can be found here: http://deeplink.rechtspraak.nl/uitspraak?id=ECLI:NL:RBDHA:2021:2457.
Update 15 April 2021: yesterday Privacy First filed an urgent appeal against the entire judgment with the Court of Appeal of The Hague. The appeal subpoena can be found HERE (pdf in Dutch). Privacy First requests the Court, inter alia, to ask preliminary questions about the UBO register to the European Court of Justice and to suspend the UBO register until these questions are answered. In view of the major interests at stake, Privacy First hopes that the Court of Appeal of The Hague will hear this case as soon as possible.
Update 17 August 2021: the court hearing in the urgent appeal of Privacy First against the judgment will take place on Monday 27 September at the Court of Appeal in The Hague.
Privacy First initiates legal action against the Dutch government on account of the recently-introduced UBO register. The preliminary injunction proceedings point at the invalidity of the legislation on which this register is based. The consequences of this new piece of legislation are far-reaching as the register contains very privacy-sensitive information. Data relating to the financial situation of natural persons will be up for grabs. More than 1.5 million legal entities that are registered in the Dutch Trade Register will have to make public details about their Ultimate Beneficial Owners (UBOs). The UBO register is publicly accessible: a request for information costs €2.50.
The UBO register aims to prevent money laundering but will lead to defamation.
The privacy breach that is the result of the UBO register and the public accessibility of sensitive data are disproportionate. The goal of the register is to thwart money laundering and terrorist financing. In order to achieve this goal there is no need for a UBO register, at least not one that is publicly accessible.
That is why Privacy First wants the UBO register to be rendered inoperative by a court, which, in case necessary, should submit questions of interpretation to the highest court in Europe: the European Court of Justice. In cases like these, the judiciary will have the final say. It is not uncommon for a court to overrule privacy-violating legislation and in this respect, Privacy First’s litigation has been successful in the past.
The proceedings will take place before The Hague District Court on 25 February 2021 at 12pm. The entire summons can be found HERE (pdf in Dutch). The ruling will follow two or three weeks after the hearing.
Background of the UBO register case
On 24 June 2020, the Dutch ‘Implementation Act for the Registration of Ultimate Beneficial Owners of Companies and Other Legal Entities’ came into effect in the Netherlands. On the basis of this new Act, a new UBO register which is linked to the Commercial Register of the Dutch Chamber of Commerce will contain information about all ultimate beneficial owners of companies and other legal entities founded in the Netherlands. The register should indicate how many shares are owned by the UBO: 25-50%, 50-75% or more than 75%. Furthermore, the name, month and year of birth as well as the nationality of the UBO will be made public, with all the privacy risks this entails.
Since 27 September 2020, newly founded entities have to register the ultimate beneficial owners in the UBO register. Existing legal entities will have to do so before 27 March 2022.
The Act provides very few possibilities to safeguard information. This is possible only for persons that are protected by the police, minors and those placed under guardianship. This means that the shares of practically every UBO will become a matter of public record. Anyone has access to the UBO register, with extracts coming at a price of €2.50.
European money laundering directive
The new Act stems from the fifth European money laundering directive, which obliges EU Member States to register UBOs and disclose their details to the public. According to the European legislator, this contributes to the proclaimed objective of countering money laundering and terrorist financing. The transparency is supposed to be a deterrent for persons who set out to launder money or finance terrorism.
Massive privacy violation and fundamental criticism
The question is whether this produces a windfall effect. Registering the personal data of all UBOs and making these publicly available is a generic precautionary measure. 99.99% of UBOs have nothing to do with money laundering or terrorist financing. Even if it were proportionate to collect information on all UBOs, making that information available only to government agencies engaged in combating money laundering and terrorism should suffice. It is not appropriate to disclose that information to everyone. The European Data Protection Supervisor (EDPS) deemed this privacy violation to be disproportionate. This opinion, however, did not lead to an amendment of the European Directive.
When this Act was discussed in Dutch Parliament, fundamental criticism came from various corners of society. The business community made its voice heard because it perceived privacy risks and feared − and now indeed experiences − an increase in costs. UBOs of family-owned companies that have remained out of the public eye up until now are running major privacy and security risks. There was also a great deal of attention for the position of social organizations − such as church communities and NGOs − that attach great importance to the protection of those affiliated with them. Associations and foundations that do not have owners face a different burden: they have to put the data that are already in the Trade Register in yet another register. Unfortunately these complaints have not resulted in any changes to the legislation.
Legal proceedings look promising
Privacy First has initiated legal proceedings against the UBO register for violation of the fundamental right to privacy and the protection of personal data. Privacy First asks the Dutch court to render the UBO register inoperative in the short term and, if necessary, to submit questions of interpretation on this matter to the highest court in Europe, the Court of Justice of the European Union.
The Dutch Act as well as the underlying European directive are in conflict with both the European Charter of Fundamental Rights and the GDPR. It is the legislator who has created this legislation, but it will be up to the court to do a thorough review thereof. Ultimately, the court has the last word. If the (European) legislator fails to take adequate account of the protection of fundamental rights, then the (European) court can invalidate this legislation. This would not be unique. The Court of Justice of the European Union has previously declared legislation invalid due to privacy violations, for example the Data Retention Directive and, more recently, the Privacy Shield. Dutch courts too regularly annul privacy-invading regulations. Privacy First has previously successfully challenged the validity of legislation, for example in the proceedings concerning the Telecommunications Data Retention Act and the System Risk Indication (SyRI). Viewed against this background, a positive outcome in the case against the UBO register is all but unlikely.
The Privacy Collective press release
Millions of Dutch internet users victim of unlawful collection and use of personal data
The Privacy Collective takes Oracle and Salesforce to Court
The Privacy Collective - a foundation that acts against violation of privacy rights - is taking Oracle and Salesforce to Court. The foundation accuses the technology concerns of unlawfully collecting and processing data of millions of Dutch internet users. The foundation has launched a class action, a legal procedure in which compensation is claimed for a large group of individuals. It is the first time that this legal instrument is used in the Netherlands in a case of infringement of the General Data Protection Regulation (GDPR).
Christiaan Alberdingk Thijm, lead lawyer in the case: “This is one of the largest cases of unlawful processing of personal data in the history of the internet. Almost every Dutch individual who reads or views information online is structurally affected by the practices of Oracle and Salesforce. Practices that merely serve a commercial purpose.”
Online shadow profile
Oracle and Salesforce collect data from website visitors at any time and on a large scale. By combining this with additional information, they create a personal profile of each individual internet user. The millions of profiles are used, among other things, to offer personalized online advertisements and unlawfully shared with numerous commercial parties, including ad-tech companies. The tech giants collect their information using - among other things - specially developed cookies. Alberdingk Thijm: “Most people do not know that they have such an online 'shadow profile'. They don't know what it looks like and have certainly not given legitimate consent.” For the collection and sharing of personal data, Oracle and Salesforce are obliged to ask for permission under the GDPR. “These parties violate internet users' right to privacy. The right to protection of personal data and the right to protection of privacy are recognized as fundamental rights", says Alberdingk Thijm.
The possibility to claim damages in a class action was recently created under Dutch law.“Claiming damages in a class action is an important tool to ensure the enforcement of the GDPR,” says Joris van Hoboken, a board member of the foundation and professor in Information Law. “It gives the GDPR teeth.” The Privacy Collective calls upon individual consumers to register with the foundation in order to show their support. Based on the number of victims, the total extent of the damage could exceed 10 billion euros. Several organizations support The Privacy Collective's campaign, including Privacy First, Bits of Freedom, Qiy Foundation and Freedom Internet. The claims are being fully funded by Innsworth, a litigation funder. The organization’s funding enables the benefits of scaling common claims in a collective action, without any individual claimants being exposed to litigation costs. Inssworth finances a similar class action in England and Wales, which is currently being prepared.
Source: The Privacy Collective press release, 14 August 2020.
More information: https://theprivacycollective.eu/en/.
On July 1 and 2, 2019, the Netherlands will be examined in Geneva by the United Nations Human Rights Committee. This UN body is tasked with supervising the compliance of one of the oldest and most important human rights treaties in the world: the International Covenant on Civil and Political Rights (ICCPR). Each country which is a contracting party to the ICCPR is subject to periodical review by the UN Human Rights Committee. At the beginning of next week, the Dutch government must answer before the Committee for various current privacy issues that have been put on the agenda by Privacy First among others.
The previous Dutch session before the UN Human Rights Committee dates from July 2009, when the Dutch minister of Justice Ernst Hirsch Ballin had to answer for the then proposed central storage of fingerprints under the new Dutch Passport Act. This was a cause for considerable criticism of the Dutch government. Now, ten years on, the situation in the Netherlands will be examined once more. Against this background, Privacy First had submitted to the Committee a critical report (pdf) at the end of 2016, and has recently supplemented this with a new report (pdf). In a nutshell, Privacy First has brought the following current issues to the attention of the Committee:
- the limited admissibility of interest groups in class action lawsuits
- the Dutch ban on judicial review of the constitutionality of laws
- Automatic Number Plate Recognition (ANPR)
- border control camera system @MIGO-BORAS
- the Dutch public transport chip card ('OV-chipkaart')
- Electronic Health Record systems
- possible reintroduction of the Telecommunications Data Retention Act
- the new Dutch Intelligence and Security Services Act (‘Tapping Law’)
- Passenger Name Records (PNR)
- the Dutch abolition of consultative referendums
- the Dutch non-recognition of the international prohibition of propaganda for war.
The entire Dutch session before the Committee can be watched live on UN Web TV on Monday afternoon, July 1, and Tuesday morning, July 2. In addition to privacy issues, several Dutch organizations have put numerous other human rights issues on the agenda of the Committee; click HERE for an overview, which also features the previously established List of Issues (including the new Intelligence and Security Services Act, the possible reintroduction of the retention of telecommunications data, camera system @MIGO-BORAS, and medical confidentiality with health insurance companies). The Committee will likely present its ‘Concluding Observations’ within a matter of weeks. Privacy First awaits the outcome of these observations with confidence.
Update July 26, 2019: yesterday afternoon the Committee has published its Concluding Observations on the human rights situation in the Netherlands, which includes critical opinions on two privacy issues that were brought to the attention of the Committee by Privacy First:
The Intelligence and Security Services Act
The Committee is concerned about the Intelligence and Security Act 2017, which provides intelligence and security services with broad surveillance and interception powers, including bulk data collection. It is particularly concerned that the Act does not seem to provide for a clear definition of bulk data collection for investigation related purpose; clear grounds for extending retention periods for information collected; and effective independent safeguards against bulk data hacking. It is also concerned by the limited practical possibilities for complaining, in the absence of a comprehensive notification regime to the Dutch Oversight Board for the Intelligence and Security Services (CTIVD) (art. 17).
The State party should review the Act with a view to bringing its definitions and the powers and limits on their exercise in line with the Covenant and strengthen the independence and effectiveness of CTIVD and the Committee overseeing intelligence efforts and competences that has been established by the Act.
The Market Healthcare Act
The Committee is concerned that the Act to amend the Market Regulation (Healthcare) Act allows health insurance company medical consultants access to individual records in the electronic patient registration without obtaining a prior, informed and specific consent of the insured and that such practice has been carried out by health insurance companies for many years (art. 17).
The State party should require insurance companies to refrain from consulting individual medical records without a consent of the insured and ensure that the Bill requires health insurance companies to obtain a prior and informed consent of the insured to consult their records in the electronic patient registration and provide for an opt-out option for patients that oppose access to their records.
During the session in Geneva the abolition of the referendum and the camera system @MIGO-BORAS were also critically looked at. However, Privacy First regrets that the Committee makes no mention of these and various other current issues in its Concluding Observations. Nevertheless, the report by the Committee shows that the issue of privacy is ever higher on the agenda of the United Nations. Privacy First welcomes this development and will continue in the coming years to encourage the Committee to go down this path. Moreover, Privacy First will ensure that the Netherlands will indeed implement the various recommendations by the Committee.
Today an important debate will take place in the Dutch House of Representatives about the introduction of Passenger Name Records (PNR): the large scale, years-long storage of all sorts of data of airline passengers, supposedly to fight crime and terrorism. Privacy First has major objections and at the end of last week has sent the following letter to the House. Today’s parliamentary debate was first scheduled to take place on 14 May 2018, but was cancelled (following a similar letter from Privacy First) until further notice. Following new parliamentary questions, the debate will now take place today after all. Here is the full text of our most recent letter:
Dear Members of the House of Representatives,
On Monday afternoon, this 11 March, you will discuss the Dutch implementation of the European directive on Passenger Name Records (PNR) with minister Grapperhaus (Justice and Security). In Privacy First’s view, both the European PNR directive as well as the Dutch implementation thereof are legally untenable. We shall here briefly elucidate our position.
Under the minister’s legislative proposal concerning PNR, numerous data of every single airline passenger travelling to or from the Netherlands will be stored for five years in a central government database of the new Passenger Information Unit and will be used to prevent, investigate and prosecute crimes and terrorism. Sensitive personal data (such as names, addresses, telephone numbers, email addresses, dates of birth, travel data, ID document numbers, destinations, fellow passengers and payment data) of many millions of passengers will, as a result, become available for many years for the purpose of data mining and profiling. In essence, this means that every airline passenger will be treated as a potential criminal or terrorist. In 99.9% of all cases, however, this concerns perfectly innocent citizens, mainly holidaymakers and business travellers. This is a flagrant breach of their right to privacy and freedom of movement. Last year, Privacy First had already made these arguments in the Volkskrant and on BNR Nieuwsradio. Because of privacy objections, in recent years there has been a lot of political resistance to such large scale PNR storage of data, which has been rejected by both the House of Representatives as well as the European Parliament on several occasions since 2010. In 2015, Dutch ruling parties VVD and PvdA were absolutely opposed to PNR as well. Back then, they called it a ‘holiday register’ and they themselves threatened to take to the European Court of Justice in case the PNR directive would be adopted. However, after the attacks in Paris and Brussels, it seemed that many political restraints had evaporated and in 2016, the PNR directive finally came about after all. Up to now however, the legally required necessity and proportionality of this directive have still to be demonstrated.
In the summer of 2017, the European Court of Justice issued an important ruling with regard to the similar PNR agreement between the EU and Canada. The Court declared this agreement invalid because it violates the right to privacy. Among other things, the Court held that the envisaged agreement must, “limit the retention of PNR data after the air passengers’ departure to that of passengers in respect of whom there is objective evidence from which it may be inferred that they may present a risk in terms of the fight against terrorism and serious transnational crime.” (See Opinion 1/15 (26 July 2017), par. 207.) Ever since this ruling, the European PNR directive is a legal uncertainty. Therefore, the Dutch government has valid ‘‘concerns about the future viability of the PNR directive” (see Note in response to report, p. 23, in Dutch). Privacy First expects that the current PNR directive will soon be submitted to the European Court of Justice for judicial review and will then be declared unlawful. Subsequently, a situation will arise that is similar to the one we have witnessed a few years ago with regard to the European Telecommunications Data Retention Act: as soon as this European directive will be annulled, the Dutch implementing provisions will equally be invalidated in interim injunction proceedings.
The current Dutch PNR legislative proposal seems unlawful a priori because of a lack of demonstrable necessity, proportionality and subsidiarity. The legislative proposal comes down to mass surveillance of mostly innocent citizens; in the 2016 Tele2 case the European Court already ruled that this type of legislation is unlawful. Thereupon the Netherlands pledged before the UN Human Rights Council “to ensure that the collection and maintenance of data for criminal [investigation] purposes does not entail massive surveillance of innocent persons.” The Netherlands now seems to renege on that promise. After all, a lot of completely unnecessary data of every airline passenger will be stored for years and can be used by various Dutch, European and even non-European government agencies. Moreover, the effectiveness of PNR has to date never been demonstrated, the minister himself affirmed: ‘‘There is no statistical support” (see Note in response to report, p. 8, in Dutch). The risk of unjust suspicion and discrimination (due to fallible algorithms used for profiling) under the proposed PNR system is serious, which also increases the likelihood of delays and missed flights for innocent passengers. All the while, wanted persons will often stay under the radar and choose alternative travel routes. Furthermore, the legislative proposal entirely fails to address the role and capabilities of secret services, which will be granted secret and shielded access to the central PNR database under the new Dutch Intelligence and Security Services Act. However, the most questionable aspect of the Dutch PNR legislative proposal is that it goes even two steps further than the European PNR directive itself: After all, it is the Dutch government's own decision to also store the data of passengers on all intra-EU flights. This is not obligatory under the PNR directive, and the Netherlands could have limited this to preselected flights (judged to be at risk) only. This would have been in line with the advice of most experts in this field who argue for targeted actions as opposed to mass surveillance. In other words, to focus on persons with a reasonable suspicion about them, in accordance with the principles of our democracy under the rule of law.
Privacy First Advice
Privacy First strongly advises you to reject the current legislative proposal and to replace it with a privacy-friendly version. In case this will lead to the European Commission referring the Netherlands to the European Court of Justice due to a lack of implementation of the present PNR directive, Privacy First would be confident this would end in a clear victory for the Netherlands. EU Member States simply cannot be expected to implement privacy-violating EU rules. This applies equally to the national implementation of relevant resolutions of the UN Security Council (in this case UNSC Res. 2396 (2017)) which is similarly at odds with international human rights law. In this respect, Privacy First has already warned of the abuse of the Dutch TRIP system (which is also used for PNR) by other UN Member States. In this regard, the Netherlands has its own responsibility under the Dutch Constitution as well as under international law.
Privacy First Foundation
Update 19 March 2019: Regrettably, today the House of Representatives has adopted the legislative proposal almost unchanged; only GroenLinks, SP, PvdD and Denk voted against. Unfortunately, a motion by GroenLinks and SP to provoke legal action by the European Commission against the Dutch government about the PNR directive was rejected. The only bright spot is the widely adopted motion for the judicial reassessment and possible revision of the PNR directive at a European political level. (Only PVV and FvD voted against this motion.) Next stop: the Senate.
Update 4 June 2019: despite sending the above letter for a second time and despite other critical input by Privacy First, the Senate today has unfortunately adopted the legislative proposal. Only GroenLinks, PvdD and SP voted against. Even in spite of the enormous error rates (false positives) of 99.7% that recently came to light in the comparable German PNR system, see https://www.sueddeutsche.de/digital/fluggastdaten-bka-falschtreffer-1.4419760. Meanwhile, large scale cases have been brought against the European PNR directive in Germany and Austria in order for the European Court of Justice to nullify it on account of violations of the right to privacy, see the German-English campaign website https://nopnr.eu and https://www.nrc.nl/nieuws/2019/05/15/burgers-in-verzet-tegen-opslaan-passagiersgegevens-a3960431. As soon as the European Court rules that the PNR directive is unlawful, Privacy First will start interim injunction proceedings in order for the Dutch PNR law to be rendered inoperative. Moreover, yesterday Privacy First has put the PNR law on the agenda of the UN Human Rights Committee in Geneva. On 1 and 2 July 2019, the overall human rights situation in the Netherlands (including violations of the right to privacy) will be critically reviewed by this Committee.
Writing a New Year’s Column about the state of affairs concerning the protection of everyone’s privacy weighs me down this year. With the exception of a few bright spots, privacy in the Netherlands and the rest of the world has greatly deteriorated. For a while it seemed that the revelations of Edward Snowden in 2013 about secret services tracking everyone’s online behavior would be a rude wake-up call for the world. It was thought that an increasing number of data breaches and a rising number of governments and companies getting hacked, would make people realize that large amounts of data stored centrally is not the solution. The Arab Spring in 2015 would bring about major change through the unprecedented use of (social) media.
The European Union successfully voted against the exchange of data relating to travel movements, paved the way for the current General Data Protection Regulation and seemed to become the shining alternative example under the guidance of Germany, a country known for its vigilance when it comes to privacy. Unfortunately, things turned out differently. Under the Obama administration, Snowden was shunned as a traitor and other whistleblowers were clamped down on harder than ever before. Julian Assange was forced into exile while murdering people with the use of drones and without any form of trial was implemented on a large scale. Extrajudicial killings with collateral damage... While the discussion was about waterboarding... Discussions on such ‘secondary topics’ have by now become commonplace in politics, and so has the framing and blaming of opponents in the polarized public debate (the focus is usually on the person rather than on the argument itself).
Looking back on 2018, Privacy First identifies a great number of areas where the breakdown of privacy is evident:
Government & privacy
In March, an advisory referendum in the Netherlands was held on the introduction of the so-called Tapping law. Immediately after that, the referendum was abrogated. This happened in a time of unprecedented technological possibilities to organize referendums in various ways in a shared democracy. That’s outrageous. The outcome of the referendum was not taken into account and the Tapping law was introduced just like that. Moreover, it turned out that all along, the Dutch Minister of the Interior had withheld an important report on the functioning of the Dutch General Intelligence and Security Service.
Apparently this was nothing to worry about and occurred without any consequences. The recent report by the Dutch State Commission on the (re)introduction of referendums will likely end up in a drawer, not to be looked at again.
Fear of losing one’s role and the political mood of the day are all too important in a culture in which ‘professional politicians’ are afraid to make mistakes, but which is full of incidents nonetheless. One’s job or profession comes first, representing citizens comes second. Invariably, incidents are put under a magnifying glass in order to push through binding legislation with a broad scope. Without the review of compliance with guiding principles such as necessity, purpose limitation, subsidiarity and proportionality. There is an ever wider gap between government and citizens, who are not trusted but are expected to be fully transparent towards that self-same government. A government that time and again appears to be concealing matters from citizens. A government that is required by law to protect and promote privacy, but is itself still the most prominent privacy-violator.
The medical establishment & privacy
In this area things got really out of hand in 2018. Through various coordinated media offensives, the EU and the member states are trying to make us believe in the advantages of relinquishing our right to physical integrity and our humanity. Sharing biometric data with the United States continues unabatedly. We saw the police calling for compulsory DNA databases, compulsory vaccination programs, the use of smart medicines with microchips and the phasing out of alternative therapies. Furthermore, health insurance companies cautiously started to cover genetic testing and increasingly doing away with medical confidentiality, the Organ Donation Act was introduced and microchips implanted in humans (the cyborg as the highest ideal in Silicon Valley propaganda) became ever more popular.
How long before microchips become compulsory for all citizens? All (domestic) animals in the EU have already preceded us. And then there’s the Electronic Health Record, which was first rejected in the Dutch Senate but has reappeared on the minister’s agenda via a detour. Driven by commercial interests, it is being rammed down the throats of general practitioners while alternatives such as Whitebox are not taken seriously. The influence of Big Pharma through lobbying with government bodies and participating in government working groups is particularly acute. They closely cooperate with a few IT companies to realize their ideal of large and centralized networks and systems. It’s their year-end bonus and growth at the expense of our freedom and well-being.
Media & privacy
Naturally, we cannot overlook ‘fake news’. One of the premises for having privacy is being able to form your own opinion and respect and learn from the opinions of others. Furthermore, independent left and right-wing media are essential in a democratic constitutional State. It's their task to monitor the functioning of elected and unelected representatives in politics and in government. Journalists should be able to penetrate into the capillaries of society in order to produce local, national and global news.
Ever since free news gathering came about, it has been a challenge to obtain news based on facts. It’s not always easy to distinguish a press service, PR and propaganda from one another. In times of rapid technological changes and new opportunities, they should be continuously reviewed according to the principles of journalism. That’s nothing new. What is new, however, is that the European Union and our own Minister for the Interior, Kajsa Ollongren, feel they’re doing the right thing by outsourcing censorship to social media companies that are active on a global scale and have proven to be unreliable.
While Facebook and Google have to defend themselves in court for spreading fake news and censoring accounts, the governments hand over the monitoring task to them. The privacy violators and fake news distributors as the guardians of our privacy and journalism. That’s the world upside down. By so doing, this minister and this government undermine the constitutional State and show disdain for intelligent citizens. It’s time for a structural change in our media system, based on new technologies such as blockchain and the founding of a government media office whose task is to fund all media outlets through citizens’ contributions, taking into account the media’s scope and number of members. So that concerns all media, including the so-called alternative media, which should not be censored.
Finance & privacy
The erosion of one’s privacy increasingly manifests itself at a financial level too. The fact of the matter is, that the tax authorities already know in detail what the spending pattern of all companies and citizens looks like. Thanks to the Tapping Law, they can now pass on this information in real-time to the secret services (the General Intelligence and Security Service is watching along). Furthermore, a well-intended initiative such as PSD2 is being introduced in a wholly improvident and privacy-unfriendly way: basic conditions relating to the ownership of bank details (of citizens, account holders) are devoid of substance. Simple features such as selective sharing of banking details, for example according to the type of payment or time period, are not available. What’s more, payment details of third parties who have not given their consent, are sent along.
In the meantime, the ‘cash = criminal’ campaign goes on relentlessly. The right to cash and anonymous payment disappears, despite even the Dutch Central Bank now warning that the role of cash is crucial to our society. Privacy First has raised its opinion on this topic already in 2016 during a public debate. The latest development in this regard is the further linking of information through Big Data and profiling by debt-collecting agencies and public authorities. Excluding citizens from the electronic monetary system as a new form of punishment instead of letting them pay fines is a not so distant prospect. In this regard, a lot of experimentation is going on in China and there have been calls in Europe to move in the same direction, supposedly in order to fight terrorism. In other words, in the future it will become increasingly difficult to raise your voice and organize against abuse of power by governments and companies: from on high it takes only the press of a button and you may no longer be able to withdraw cash, travel or carry out online activities. In which case you have become an electronic outcast, banished from society.
Public domain & privacy
In 2018, privacy in public space has all but improved. Whereas 20 years ago, the Netherlands was deemed too small to require everyone out on the streets to be able to identify themselves, by now, all governments and municipalities in Europe are developing ‘smart city’ concepts. If you ask what the benefits and use of a smart city are (beyond the permanent supervision of citizens), proponents will say something vague about traffic problems and that the 'killer applications' will become visible only once the network of beacons is in place. In other words, there are absolutely no solid figures which would justify the necessity, subsidiarity and proportionality of smart cities. And that’s not even taking basic civil rights such as privacy into consideration.
Just to give a few examples:
- ANPR legislation applies from 1 January 2019 (all travel movements on public roads will be stored in a centralized police database for four weeks)
- A database consisting of all travel movements and stays of European citizens and toll rates as per 2023
- Emergency chips in every vehicle with a two-way communication feature (better known as spyware) as per 1 January 2019
- Cameras and two-way communication in public space, built into the lampposts among other objects as part of smart city projects
- A decision to introduce additional cameras in public transport as per 2019
- The introduction of Smart Cities and the introduction of unlimited beacons (doesn’t it sound so much better than electronic concentration camp posts?)
- Linking together all traffic centers and control rooms (including those of security companies operating on the private market)
- Citizens are permanently monitored by invisible and unknown eyes.
Private domain & privacy
It’s well known that governments and companies are keen to take a peek in our homes, but the extent to which this was being advanced last year, was outside of all proportion. Let’s start with energy companies, who foist compulsory smart meters on citizens. By way of ‘appointment to install a smart meter’, which you didn’t ask for, it’s almost impossible to stay clear of red tape. After several cancellations on my part and phone calls to energy provider Nuon, they simply continued to push forward. I still don’t have a smart meter and it will stay like that.
Once again Silicon Valley featured prominently in the news in 2018. Unelected dictatorial executives who are no less powerful than many a nation state, promote their utopias as trendy and modern among citizens. Self-driving cars take the autonomy and joy away from citizens (the number of accidents is very small considering the millions of cars on the road each day), while even children can tell that a hybrid approach is the only option. The implementation of smart speakers by these social media companies is downright spooky. By bringing smart toys onto the market, toy manufacturers equally respond to the needs that we all seem to have. We can all too readily guess what these developments will mean for our privacy. The manipulation of facts and images as well as distortion, will starkly increase.
Children & privacy
Children and youths represent the future and nothing of the above bodes well for them. Screen addiction is sharply on the rise and as children are being raised amidst propaganda and fake news, much more attention should go out to forming one’s own opinion and taking responsibility. Centralized pupil monitoring systems are introduced indifferently in the education system, information is exchanged with parents and not having interactive whiteboards and Ipads in the classroom has become unthinkable. The first thing children see every single day, is a screen with Google on it... Big Brother.
Dependence on the internet and social media results in impulsive behaviour among children, exposes them to the madness of the day and affects their historical awareness and ability to discern underlying links. The way of thinking at universities is becoming increasingly one-sided and undesirable views are marginalized. The causes of problems are not examined, books are not read though there is certainly no lack of opinions. It’s all about making your voice heard within the limits of self-censorship that’s in force in order to prevent becoming the odd one out in the group. The same pattern can be identified when it comes to forming opinions in politics, where discussing various issues based on facts seems no longer possible. Not to mention that the opinions of citizens are considered irrelevant by our politicians. Good quality education focused on forming opinions and on creating self-reflective minds instead of a robot-way of thinking, is essential for the development of a healthy democracy.
Are there any positive developments?
It's no easy task to identify any positive developments in the field of privacy. The fact is that the introduction of the GDPR and the corresponding option to impose fines has brought privacy more sharply into focus among companies and citizens than the revelations of Snowden have been able to do. The danger of the GDPR, however, is that it narrows down privacy to data protection and administrative red tape.
Another positive development is the growing number of (as of yet small) initiatives whereby companies and governments consider privacy protection as a business or PR opportunity. This is proved by the number of participants in the 2019 Dutch Privacy Awards. Recurring themes are means of anonymous communication (email, search engines, browsers), possible alternatives to social networks (messaging services like WhatsApp, Facebook, Instagram and Twitter) on the basis of subscriptions, blockchain technology and privacy by design projects by large organizations and companies.
Privacy First has teamed up with a few top quality pro bono attorneys who are prepared to represent us in court. However, judges are reluctant to go off the beaten track and come up with progressive rulings in cases such as those concerning number plate parking, average speed checks, Automatic Number Plate Recognition, the Tapping Law, etc. For years, Privacy First has been suffering from a lack of funding. Many of those who sympathize with us, find the topic of privacy a bit eerie. They support us morally but don’t dare to make a donation. After all, you draw attention to yourself when you’re concerned with issues such as privacy. That’s how bad things have become; fear and self-censorship... two bad counsellors! It’s high time for a government that seriously deals with privacy issues.
Constitutional reform should urgently be placed on the agenda
Privacy First is a great proponent of constitutional reform (see our 2017 New Year’s column about Shared Democracy), based on the principles of the democratic constitutional State and the European Convention on Human Rights (ECHR). Our democracy is only 150 years old and should be adapted to this current day and age. This means that the structure of the EU should be changed. Citizens should take on a central and active role. Government policies should focus on technological developments in order to reinforce democracy and formulate a response to the concentration of power of multinational companies.
Privacy First argues that the establishment of a Ministry of Technology has the highest priority in order to be able to stay up to date with the rapid developments in this field and produce adequate policies accordingly. It should live up to the standards of the ECHR and the Dutch Constitution and avoid becoming a victim of the increasing lobbying efforts in this sector. Moreover, it is time for a Minister of IT & Privacy who stays up to date on all developments and acts with sufficient powers and in accordance with the review of a Constitutional Court.
The protection of citizens’ privacy should be facilitated and there should be privacy-friendly alternatives for current services by technology companies. For 2019, Privacy First has a few tips for ordinary citizens:
- Watch out for and stay away from ‘smart’ initiatives on the basis of Big Data and profiling!
- Keep an eye on the ‘cash = criminal’ campaign. Make at least 50% of your payments anonymously in cash.
- Be cautious when communicating through Google, Apple, Facebook and Microsoft. Look for or develop new platforms based on Quantum AI encryption and use alternative browsers (TOR), networks (VPN) and search engines (Startpage).
- Be careful when it comes to medical data and physical integrity. Use your right for there to be no exchange of medical data as long as initiatives such as Whitebox are not used.
- Be aware of your right to stay anonymous, at home and in public space. Campaign against toll payment, microchips in number plates, ANPR and number plate parking.
- Be aware of your legal rights to bring lawsuits, for example against personalized waste disposal passes, camera surveillance, etc.
- Watch out for ‘smart’ meters, speakers, toys and other objects in the house connected to the internet. Purchase only privacy by design solutions with privacy enhanced technology!
The Netherlands and Europe as guiding nations in the field of privacy, with groundbreaking initiatives and solutions for apparent contradictions concerning privacy and security issues - that’s Privacy First's aim. There’s still a long way to go, however, and we’re being blown off course ever more. That’s due in part because a comprehensive vision on our society and a democracy 3.0 is lacking. So we continue to drift rudderless, ending up in the big manipulation machine of large companies one step at a time. We need many more yellow vests before things change. Privacy First would like to contribute to shaping and promoting a comprehensive, positive vision for the future. A future based on the principles that our society was built on and the need for greater freedom, with all the inevitable restrictions this entails. We will have to do it together. Please support Privacy First actively with a generous donation for your own freedom and that of your children in 2019!
To an open and free society! I wish everyone a lot of privacy in 2019 and beyond!
Bas Filippini, Privacy First chairman
Privacy First has had a turbulent year. At the start of 2018, we organized the Dutch Privacy Awards and they were a great success. Soon this event will take place again. The greatest success of the year, however, was the referendum against the new Dutch Intelligence and Security Services Act (better known as the Tapping Law), which was won by the initiators and their many supporters. Subsequently however, the Dutch government decided to ruthlessly abolish the referendum and Privacy First and others unfortunately were not in a position to prevent the Tapping Law from entering into force almost unaltered. Unless the Dutch government and the House of Representatives decide to thoroughly overhaul the Act, a large scale new lawsuit to challenge it will be on the cards.
In terms of organization, the year has been marked mostly by positive developments. Since the summer, we have a new board of directors, a new advisory board and a new and relatively cheap (small) office on an excellent location. We have switched to privacy-friendly telecom provider Voys. Increasingly, Privacy First is approached by public authorities and companies to cooperate on privacy projects, for example with regard to the infamous European payments directive PSD2, which will soon enter into force in the Netherlands. In addition, Privacy First almost continuously pursues political lobbying and quiet diplomacy. Earlier this year, we’ve lobbied successfully with the Dutch State Commission on the Parliamentary System for the introduction of a binding referendum and a Constitutional Court. Moreover, we’ve made our critical voice heard with regard to the possible introduction of Passenger Name Records (PNR) in aviation and Taser weapons among the Dutch police force. After all, privacy is a broad term and is about much more than data protection only.
However, history has taught us that sustainable privacy protection usually requires legal action at a national or European level. That’s why Privacy First also pursues litigation. Those who’ve been acquainted with us for some time, know that when Privacy First starts legal proceedings, something is really going on - something, to be precise, which isn’t for the better. As soon as large scale privacy violations are imminent, it’s time for Privacy First to step in. This is one such moment. Your support of our operations is indispensable.
Case against ANPR Act
In recent years, Privacy First has regularly warned against the introduction of a new draconian Dutch law which allows for the continuous storage of data relating to travel movements of millions of motorists for four weeks in a central police database, regardless of whether or not these motorists are suspected of any wrongdoing. This is the Automatic Number Plate Recognition Act (ANPR). At the end of 2017, the Dutch Senate adopted this Act, after which Privacy First announced it would initiate legal proceedings. Subsequently, Privacy First had a meeting with the Dutch State Attorney, which was followed by a prolonged silence. Today however, the Dutch government announced it will introduce the ANPR Act as per 1 January 2019. Therefore, Privacy First is currently preparing interim injunction proceedings in order to render this Act inoperative on account of violation of the right to privacy. If necessary, these proceedings will be followed by proceedings which are broader in scope and will deal with the merits of the case. Indeed, this Act is a massive breach of privacy for which there is simply no place in a free and democratic constitutional State. Through Pro Bono Connect, Privacy First has hired law firm CMS to carry out proceedings on our behalf. Ideally, this would happen in coalition with other relevant organizations.
Urgent call for donations
Due to unexpected fundraising setbacks, at present Privacy First urgently needs financial support, including your support as a (potential) donor. The more support we get, the more thorough and therefore the more effective we will be able to conduct these legal proceedings and the more likely it will be we will come out victorious. Would you like to support Privacy First? Donating is very easy on the dedicated page on our website. Otherwise, please donate directly to account number NL95ABNA0495527521 (BIC: ABNANL2A) in the name of Stichting Privacy First in Amsterdam, the Netherlands, stating ‘donation’. Privacy First is recognized by the Dutch Tax and Customs Administration as an Institution for General Benefit (ANBI). Therefore your donations are tax-deductible.
In recent years, Privacy First has had a lot of positive influence thanks to your support. We hope to be able to count on you once again!
Privacy First wishes you happy holidays and a privacy-friendly 2019!
Since 2013, the Dutch Association of General Practitioners has, in an essential civil case, been litigating against the private successor of the Dutch Electronic Health Record (Elektronisch Patiëntendossier, EPD): the National Switch Point (Landelijk Schakelpunt, LSP). At the end of last week, the Dutch Supreme Court decided that, for the time being, the LSP is not in violation of current privacy law. However, the Supreme Court has laid down in its judgment that the LSP will soon have to comply with the legislative requirement of privacy-by-design. This constitutes an important precedent and raises the bar with a view to the future.
Private relaunch of EPD: National Switch Point
In April 2011, the Dutch Senate unanimously rejected the EPD, primarily on account of privacy objections. However, almost directly afterwards, various market participants (among which health insurance companies) made sure there was a relaunch of the same EPD in private form: the LSP, intended for the large-scale, central exchange of medical data. Since then, the LSP has been introduced nationally and many practitioners have aligned themselves with it, oftentimes under pressure of health insurers. Millions of people in the Netherlands have given their ‘consent’ to the exchange of their medical records via the LSP. However, this ‘consent’ is so broad and general, it’s virtually impossible to deem it lawful. This was one of the main objections the court case of the Association of General Practitioners against the LSP revolved around. Other objections against the LSP are related to the fact that its architecture is inherently insecure and in breach of privacy. Through the LSP, every connected medical record is accessible for thousands of health care providers. This is in violation of the right to privacy of patients and the medical confidentiality of treating physicians. What’s more, there is no privacy-by-design, for example through end-to-end encryption. The LSP is basically as leaky as a sieve, which means that it’s ideal for function creep and possible abuse by malicious actors.
Specific Consent Campaign
Over the last couple of years, Privacy First has repeatedly raised the alarm about this in the media. We have brought the issue to the attention even of the United Nations Human Rights Council. In April 2014, a large scale Internet campaign was launched on the initiative of Privacy First and the Dutch Platform for the Protection of Civil Rights (Platform Bescherming Burgerrechten) in order to retain and enhance the right to medical confidentiality: www.SpecifiekeToestemming.nl. Ever since, this campaign is being supported by numerous civil organizations, healthcare providers and scholars. The essence of the campaign is that specific consent should (again) become the leading principle when it comes to the exchange of medical data. In case of specific consent, prior to sharing medical data, clients have to be able to decide whether or not, and if so, which data to share with which healthcare providers and for which purposes. This minimizes risks and enables patients to control the exchange of their medical data. This is in contrast to the generic consent that applies to the LSP. In the case of generic consent, it is unforeseeable who can access, use and exchange someone’s medical data. In this respect, generic consent is in contravention of two classic privacy principles: the purpose limitation principle and the right to free, prior and fully informed consent for the processing of personal data.
Privacy by design
Courtesy also of the pressure exerted by our campaign SpecifiekeToestemming.nl, the Dutch legislative proposal Clients’ Rights in relation to the processing of data in healthcare (legislative proposal 33509), was strenghtened by the House of Representatives in 2014 and was adopted by the Senate in 2016 as a result of two crucial motions: 1) the motion Bredenoord (D66) about the further elaboration of data-protection-by-design as the starting point for the electronic processing of medical data and 2) the motion Teunissen (Party for the Animals) related to keeping medical records accessible on a decentral (instead of a central) level. Under the new law, specific (‘specified’) consent is obligatory. This should now be implemented in all existing and future systems for the exchange of medical data, including the LSP. Moreover, privacy-by-design will become an inexorable legal duty under the new European General Protection Data Regulation (GDPR), that is to say, privacy and data protection should be incorporated in all relevant hardware and software from the very first design. In this context, there have been several developments on the Dutch market in recent years, all of which indicate that both specific consent as well as privacy-by-design are indeed becoming standards in new systems. A prime example of this in a medical context is Whitebox Systems, which won a Dutch National Privacy Innovation Award in 2015 already.
Court case of Association of General Practitioners
Since March 2013, the Dutch Association of General Practitioners (Vereniging Praktijkhoudende Huisartsen, VPH) has been litigating in a large-scale civil case against the private administrator of the LSP: the Association of Healthcare Providers for Healthcare Communication (Vereniging van zorgaanbieders voor zorgcommunicatie, VZVZ). Following unsatisfactory rulings by the district court of Utrecht and the Arnhem Court of Appeal, VPH appealed before the Dutch Supreme Court at the end of 2016. Since then, this case has, on the recommendation of Privacy First, received pro bono support from law firm Houthoff Buruma. As amicus curiae, Privacy First and the Platform for the Protection of Civil Rights filed a letter (PDF) with the Supreme Court in support of the general practitioners and in line with our joint campaign SpecifiekeToestemming.nl. In her conclusion, the Advocate general of the Supreme Court referred extensively to the amicus curiae letter. On 1 December 2016, the Supreme Court finally came up with its ruling. Regrettably, the Supreme Court by and large agreed with the line of reasoning of the Arnhem Court of Appeal. Privacy First cannot help thinking that the LSP (even before the Supreme Court) is apparently too big too fail: by now this faulty system has grown to the extend that no one dares to declare it unlawful. There is, however, an important positive note, which can be found in the final consideration of the Supreme Court:
‘‘[The Court has] acknowledged that the healthcare infrastructure can be designed in such a way that a clearer distinction can be made between (sorts of) data and (categories of) healthcare providers and, particularly, in such a way that the exchange of data on the basis of consent can beforehand be limited to cases of urgency. The Court takes the view that such infrastructure would be better in line with the principles of the Privacy Directive and the Personal Data Protection Act, but that it could not have been demanded from VZVZ at the time of the contested ruling. According to the Court, VZVZ can be expected, however, to alter its system offering greater freedom of choice, as soon as this is technically possible and feasible.
These considerations are not incomprehensible. It is worthwhile noting that, considering (...) the regulatory changes and VZVZ’s ambitions in relation to the system (...), privacy by design and privacy by default as explicit points of departure (art. 25, paragraphs 1 and 2 General Data Protection Regulation), is what the Court can reasonably expect from VZVZ.’' (5.4.4)
Just like the Arnhem Court of Appeal, the Supreme Court clearly homes in on the implementation of specific consent and privacy-by-design when it comes to the LSP. The Supreme Court thereby creates a positive precedent which will set the scene for the future, also in a broader sense. Privacy First will continue to actively follow the developments in this case and, if necessary, will not hesitate to bring certain aspects to the attention of the courts once more.
HERE you find the amicus curiae letter written by Privacy First and the Dutch Platform for the Protection of Civil Rights (pdf in Dutch).
Comments from the Dutch Association of General Practitioners: http://www.vphuisartsen.nl/nieuws/cassatieberoep-vphuisartsen-verloren-toch-winst/
Comments from SpecifiekeToestemming.nl: http://specifieketoestemming.nl/werk-aan-de-winkel-na-teleurstellend-vonnis-over-lsp/.
The Dutch government and Parliament aim to quickly introduce the privacy-violating Tapping law. A coalition of privacy advocates will start interim injunction proceedings to prevent this from happening.
Implementation of unaltered Tapping law imminent
In recent months, there has been a thorough public debate in the Netherlands about the new Dutch Intelligence and Security Services Act, the so-called ‘Tapping law’. In a referendum that was held on 21 March 2018, a majority of the Dutch citizenry voted AGAINST this act. In response to this, the Dutch government has promised only a few minor, superficial policy changes as well as a few non-fundamental legislative amendments. Both the Dutch government and the House of Representatives have with full intent pushed for a prompt entry into force of the Tapping law in its unaltered form, as per 1 May to be exact. The envisaged legislative amendments will be presented by the government only after the summer. Regrettably, a motion to postpone the implementation of the Tapping law until after these legislative amendments have been discussed, was yesterday repealed by the House of Representatives. With that, it seems Parliament has had its say and it is now again up to society to make a move.
Interim injunction proceedings
It is Privacy First’s established policy to try to prevent massive privacy violations. Unmistakeably, the implementation of the current Tapping law is a massive privacy breach, because as a result of it, there will be large-scale tapping into the Internet traffic of innocent citizens and, moreover, the data of innocent citizens will be exchanged with foreign secret services without first being evaluated. This is a blatant violation of the right to privacy. Therefore, we cannot wait for any possible legislative amendments that serve to ‘rectify retrospectively’. After all, by that time the violations will have already occurred. Today, a coalition of Privacy First and various other civil organizations and companies urge the government to postpone the introduction of the Tapping law (or at least those parts of it that constitute the gravest privacy violations) until all legislative amendments have been discussed in Parliament. In case the government refuses this request, our coalition will not hesitate to start interim injunction proceedings in order to enforce the postponement of the Tapping law before court.
Alongside Privacy First, the coalition that has been created for these proceedings is comprised of the Netherlands Committee of Jurists for Human Rights (NJCM), Bits of Freedom, the Dutch Association of Criminal Defence Lawyers (NVSA), the Dutch Platform for the Protection of Civil Rights, Free Press Unlimited, BIT, Voys, Speakup, Greenpeace International, Waag Society and Mijndomein Hosting. The case is taken care of by Boekx Attorneys and is coordinated by the Public Interest Litigation Project (PILP) of the Netherlands Committee of Jurists for Human Rights. Apart from said interim injunction proceedings, since March 2017 Privacy First and other organizations are preparing a larger scale lawsuit in order for multiple parts of the Tapping law to be declared unlawful as it contravenes international and European privacy law.
Today, on behalf of the coalition, our attorneys will send a letter to the Dutch government (the ministers of the Interior and Defence) requesting the postponement of the implementation of the Tapping law. The government will have the opportunity to respond to this request until Friday, 20 April.
Update 20 April 2018: the government has rejected the appeal of the coalition. The coalition will now continue preparing interim injunction proceedings.
Update 17 May 2018: today the coalition summons has been sent to the Dutch state attorney; click HERE for the full version (pdf in Dutch). The summary proceedings will take place at the District Court of The Hague on Thursday 7 June 2018, 10.00 am - 12.00 pm CET.
Update 7 June 2018: this morning the hearing took place before the District Court of The Hague; click HERE for the pleading of our attorneys (pdf in Dutch). The court is expected to deliver a ruling on Tuesday, 26 June 2018.
Update 26 June 2018: to the great disappointment of Privacy First, today the District Court of The Hague has unfortunately rejected the case. Find the complete ruling (in Dutch) HERE. From a legal point of view, the bar was set high in these interim injunction proceedings: in order to be able to win our case, the judge had to declare the Tapping law ‘unequivocally ineffective’ on account of blatant (unequivocal) violation of international or European privacy law. However, the court ruling reads like a foregone conclusion in favor of the State, not least because various objections of our coalition have remained unidentified. That being said, it needs to be stressed (as the court itself does too), that this ruling constitutes only a preliminary opinion and that a thorough (‘full’) review was lacking in this case.
The coalition of organizations that has initiated these proceedings regrets the judgment. In view also of the result of the referendum, the coalition is of the opinion that the government should have waited to introduce the contested parts of the Tapping law until the parliamentary legislative process in response to the referendum is finished. Introducing the Tapping law unchanged on 1 May 2018 before proposing amendments at a later stage (after the summer) is and remains incorrect.
The coalition will soon discuss possible follow-up legal action.