"The Dutch data retention law requiring telecommunications operators and ISPs to store customer metadata for police investigations was scrapped by the District Court of the Hague on Wednesday.
The court found that the law violates fundamental European Union privacy rights. The question remains though whether the law should be inactivated indefinitely, as the case can be appealed by the Dutch state, a court spokesman said. However, pending the outcome of any possible legal procedures the law will remain inactive, he said.
The Dutch Ministry of Security and Justice declined to comment as it was still studying the verdict.
The law suspended by the court was based on the EU's Data Retention Directive, which was invalidated by the Court of Justice of the EU (CJEU) last year, also because it violated fundamental privacy rights.
Despite that ruling though, the Dutch government decided in November last year to largely maintain its national data retention law on the grounds that it "is indispensable for the investigation and prosecution of serious criminal offenses." Only a few adjustments were made, which mainly tightened who had access to what data and under what circumstances.
Not satisfied with that approach, a broad coalition of organizations, including Privacy First, the Dutch Association of Criminal Defense Lawyers, the Dutch Association of Journalists, the Dutch Section of the International Commission of Jurists, ISP BIT and telecom companies VOYS and SpeakUp, sued the government in January to get the law invalidated.
The court, ruling in their favor, criticized the overly broad scope of the law in its verdict.
Data retention rules were introduced after terror attacks in London and Madrid in 2004 and 2005 with the aim of fighting serious crime. However, the Dutch law also allowed law enforcement to retrieve data in the case of a bicycle theft, the court noted. And while the government promised not to use the law lightly, the fact remains that the opportunity to do so exists and there are no safeguards to effectively restrict access to information to what is strictly necessary for the fight against only serious crime, the court found.
What's more, under the scrapped law, access to data is not subject to a prior review by a court or independent administrative authority, the court said. Thus, the law violates articles 7 and 8 of the Charter of Fundamental Rights of the EU, which cover the right to a private life and the protection of personal data.
While the inactivation of the law may have profound implications for the investigation and prosecution of criminal offenses, that does not justify the persistence of the infringement, the court said.
The verdict probably means that ISPs and telecom companies can now stop retaining data, but when or whether they will do so is unclear. BIT did not immediately respond to a request for comment. A spokesman for Dutch ISP XS4ALL said the company can probably stop retaining data and delete existing records but wants the legal department to make absolutely sure it can before it will do so.
The Netherlands is not the only country where a law based on the EU Data Retention Directive was invalidated. A similar law was axed by the Constitutional Court of Austria in the wake of the CJEU ruling, for example, while Germany's data retention law was ruled unconstitutional long before the CJEU ruling.
In Sweden, meanwhile, the government maintains that the national data retention law can still be applied. And in the U.K., a new data retention law was rushed through by the U.K. government in December, replacing the one that was based on the EU directive. That new law will be reviewed by the country's High Court though to determine if it violates human rights."
Source: http://www.pcworld.com/article/2895356/dutch-court-scraps-telecommunications-data-retention-law.html, 11 March 2015.
Today the district court of The Hague has rendered the Dutch Data Retention Act inoperative in a break-through verdict. The judge did so at the request of the Privacy First Foundation and six other organizations. This puts an end to a massive privacy violation that lasted for years: retaining the telecommunications data of everyone in the Netherlands for criminal investigation purposes, which made every Dutch citizen a potential suspect.
Broad coalition of civil society organizations
Under the 2009 Dutch Data Retention Act, the telecommunications data (telephony and internet traffic) of everyone in the Netherlands had to be retained, for 12 months and 6 months respectively, for criminal investigation purposes. In interim injunction proceedings against the Dutch government, a broad coalition of civil society organizations demanded the Act to be rendered inoperative as it violated the right to privacy. The claimant organizations were the Privacy First Foundation, the Dutch Association of Defence Counsel (NVSA), the Dutch Association of Journalists (NVJ), the Netherlands Committee of Jurists for Human Rights (NJCM), Internet provider BIT and telecommunications providers VOYS and SpeakUp. The case was conducted by Boekx Attorneys (Amsterdam).
According to the claimant parties, the Dutch Data Retention Act constituted a violation of fundamental rights that protect privacy, communications and personal data. This was also the view of the European Court of Justice in April last year, followed by the Dutch Council of State (Raad van State), the Dutch Data Protection Authority (College Bescherming Persoonsgegevens) and the Dutch Senate (Eerste Kamer). However, former Dutch minister of Security and Justice, Ivo Opstelten, refused to withdraw the Act. Opstelten wanted to uphold the Act until a legislative change was implemented, which could have taken years. The district court in The Hague has now made short shrift of the Act by repealing it immediately.
Data retention is unlawful
On 8 April 2014, the European Court of Justice declared the EU Data Retention Directive entirely and retroactively unlawful. The Dutch Data Retention Act was almost identical to this invalid directive. According to the European Court, retaining the telecommunications data of everyone, without any well-founded suspicion, is in breach of the fundamental right to privacy. Randomly and unrestrictedly collecting 'metadata' in the context of mass surveillance is not permitted, according to the Court.
Privacy First is committed to maintaining and strengthening everyone's right to privacy, if necessary by filing lawsuits against the Dutch government. The Dutch Data Retention Act was an excellent cause for doing so, says Vincent Böhre of Privacy First: "This mass surveillance constituted a massive violation of the right to privacy of every Dutch citizen. It was unacceptable that minister Opstelten clinged to this practice after the highest European court had already clearly stated back in April that this privacy violation was not permitted. Privacy First works to promote a society in which innocent citizens are not burdened by the idea of constantly being watched. The judgment of the court in The Hague is an important step in that direction."
Privacy First expects Dutch telecommunications providers to comply with the judgment and stop retaining everyone's telecommunications data for criminal investigation purposes. In case the Dutch government decides to appeal the judgment, then Privacy First is confident about the outcome of proceedings before the Hague Court of Appeal.
"Recently, the Court of Appeal of The Hague held that the storage of Dutch citizens' personal data in a central register is an unjustified violation of the right to privacy.
In light of, amongst other things, the implementation of the European regulation on standards for security features and biometrics in passports and travel documents, and to comply with this regulation, the Dutch Passport Act was amended in 2009. This new Passport Act states that future passports would have to contain a chip with a digital facial image and two fingerprints of each applicant. The Dutch government therefore planned to create a central register to hold the facial image files and four fingerprints of each applicant (two of which are included in the passport for identity verification). This new register would also serve other purposes: it would help passport fraud control, and it would allow applicants to renew their passport in any municipality in the Netherlands. The national government acknowledged that the request and saving of these personal data would form a violation of the right to privacy of Dutch citizens, but the government stated that the data storage was proportionate and justified, considering the intended purposes.
The interest group Privacy First disagreed with the government. This group, which seeks to publicly promote the enhancement and preservation of the right to privacy, believed that the creation of this central register violates this fundamental right enshrined in several international laws and regulations. The group launched legal proceedings against the Dutch government. The district court of The Hague ruled that Privacy First did not have a cause of action. Privacy First then appealed against this verdict.
Remarkably, the government meanwhile reviewed their amendments to the new Passport Act. The government concluded that the storage of these personal data in a central register did not achieve its purpose, namely passport fraud control via one's identity verification. Therefore, the Act's provisions that related to the storage of personal data in a central register would be suspended. Furthermore, the number of fingerprints to be taken for the filing would be reduced from four to two in accordance with European regulation.
On appeal, the Court of Appeal ruled that since Privacy First and the government now share the same views about the central register, Privacy First would have lost its standing in their cause of actions, so it dismissed the interest group's claims. However, the Court of Appeal found that the district court had erred when it held that Privacy First did not have a cause of action at the time. Since Privacy First is an interest group advocating the protection of the general interest of Dutch nationals' right to privacy, it should have been able to bring proceedings before the civil court according to Article 3:305 of the Dutch Civil Code (Burgerlijk Wetboek). This would only have been different if the interest group had represented the combined interest of individuals. The Court of Appeal further ruled that Privacy First incurred a financial risk.
The Court of Appeal also ruled that in view of all the circumstances of the case at first instance, the district court should have ruled in favour of Privacy First concerning their arguments against the setting up of a central register. This central register's storage of Dutch citizens' personal data is an unjustified violation of one's right to privacy enshrined in Article 8 ECHR because it did not fulfill its purpose. The Court of Appeal understands that this was a violation from the start, but this had only become evident after the first ruling."
Source: http://www.lexology.com/library/detail.aspx?g=27bf8f03-ada9-47d4-ac7f-4e4aece29cd3, 15 July 2014.
Today the district court of The Hague ruled in the case Citizens v. [Dutch Minister of Home Affairs] Plasterk ("Burgers tegen Plasterk"). In this lawsuit a coalition of citizens and organizations (including Privacy First) demands the Dutch General Intelligence and Security Service (AIVD) and the Dutch Military Intelligence and Security Service (MIVD) to put an end to the receipt and use (''laundering'') of illegally collected foreign intelligence on Dutch citizens, for example through the infamous PRISM program of the American NSA. Unfortunately the court has rejected all of the claims. Below are some first observations by Privacy First.
A positive aspect of the judgment is that the court deems all plaintiffs (citizens and organizations) admissible. This is a very welcome development for Privacy First with regard to our current Passport Trial before the Supreme Court of the Netherlands, wherein such admissibility will be crucial. However, this bright spot is overshadowed by the way the district court of The Hague has dealt with the merits of the case.
First of all, the court failed to carry out a fact-finding study: in fact no witnesses and experts were heard at all, even though this was offered to the court on forehand and Dutch law offers sufficient opportunity for this.
Furthermore, it is striking that the court deems less strict procedural safeguards necessary when it comes to the exchange of massive amounts of raw data in bulk. For the exchange of information on such a large scale, stricter – not less strict – procedural safeguards are necessary, as most of these data relate to innocent citizens.
In addition, the court wrongfully makes a distinction between metadata (traffic data) and the content of communications, while both types of data overlap and require the same high level of judicial protection.
The court is also wide off the mark by judging that the legal requirement of foreseeability (including privacy guarantees) of Article 8 of the European Convention on Human Rights (ECHR) would be less applicable to the international exchange of data between secret services. As yet, in the Netherlands the legal basis of such exchange of data is formed by a relatively obscure legal provision: Article 59 of the Dutch Intelligence and Security Services Act (Wiv). This article is far from fulfilling the modern requirements that article 8 ECHR imposes on such provisions. Therefore, the current practice of exchange between the AIVD/MIVD and foreign secret services in essence takes place within a legal vacuum, a legal black hole.
In the view of Privacy First, the current judgment of the Hague court comes down to the ''legal laundering'' of this practice. Privacy First expects that higher courts will deem this situation to be a violation of Article 8 ECHR and is looking forward to the appeal before the Hague Court of Appeals with confidence.
"The Court of Justice in the Hague has ruled that fingerprints gathered from individuals getting a new passport can't be held centrally and used in criminal investigations.
Dutch authorities have been prevented from storing citizens' fingerprints in a central database following a ruling this week by the Court of Justice in the Hague.
In the Netherlands, individuals' fingerprints are gathered by the local municipality when they apply for a new passport. The government had proposed gathering those different sets of fingerprints into a central database, which could then be accessed by police for the purposes of matching fingerprints found in criminal investigations.
However, the system turned out to be far from perfect — 21 percent of fingerprints collected by the authorities in the Netherlands were unusable to identify individuals.
The court found such a high level unacceptable: "This can mean nothing other than the storage of fingerprints in a central register is not suitable for the purpose originally envisioned, that is, the determination and verification of one's identity.
"This means that it is also not suitable for the prevention of identity fraud or for the process of requesting a new travel document or using a travel document, which is one of the main purposes of the Act [the legislation which requires fingerprints in Dutch passports]. Therefore the conclusion is that the invasion of privacy formed by the central storage of fingerprints is unjustified."
No immediate effect
Although the ruling is a significant victory for Privacy First, the privacy group that brought the case before the Court of Justice, it won't have immediate consequences for the Dutch government.
The European Court of Justice had already ruled in October last year that the directive requiring European member states to include two fingerprints in their passports did not provide a legal basis for then also including all citizens' prints in a central repository.
In addition, the court stipulated that fingerprints given by individuals for such purposes could not to be used for criminal investigations.
However, according to Christiaan Alberdingk Thijm, the lawyer representing Privacy First, the ruling will have a bearing on any future government attempts to collect sensitive data, such as photos.
"This is not only good news for those opposing plans of a central fingerprint database, but for those opposing any central government owned database," he said."
Source: http://www.zdnet.com/no-you-cant-store-peoples-fingerprints-in-a-central-database-dutch-court-rules-7000026505/, 19 February 2014.
"A coalition of lawyers, journalists and internet freedom activists launched legal action against the Dutch government, in an attempt to get it to stop using information about Dutch people gleaned from NSA surveillance.
After it recently emerged that information about 1.8 million Dutch people's calls had been purloined by the National Security Agency, the country's home affairs minister, Ronald Plasterk, expressed annoyance that the U.S. agency hadn't asked first. However, he said, the monitoring "only concerns metadata, like who called who."
Dutch lawyers and journalists aren't so quite so sanguine about the matter, largely because their professions require confidentiality – something you can't guarantee clients and sources when you're potentially being monitored. On Wednesday, the Dutch Association of Defense Counsels and the Dutch Association of Journalists joined a broad coalition in suing Plasterk and the country's government, demanding that the state stop using data recorded in the Netherlands by the NSA.
The coalition also includes internet freedom activist Rop Gonggrijp, security expert Jeroen van Beek, advocate Bart Nooitgedagt, investigative journalist Brenno de Winter and tech law expert Mathieu Paapst, as well as the Internet Society Netherlands Chapter and Privacy First Foundation.
At the heart of the complaint is a potential legal sleight-of-hand that many (including me) have long suspected is in play – namely that intelligence agencies are bypassing their own countries' privacy laws by getting allies to spy on their citizens for them.
Daphne van der Kroft, public policy advisor at the coalition's law firm, Bureau Brandeis (yes, named after the legendary American jurist), suggested Plasterk and the Dutch state were "whitewashing" data.
This is not the first such case to arise in Europe following Edward Snowden's NSA revelations. The activist group Privacy International has attempted to sue the British government over data-sharing between the NSA and its UK counterpart, GCHQ. However, it had to approach a secret court to do this, and it got no response.
It is now trying a different angle, complaining to the OECD about the collaboration of telecommunications firms with the NSA. A separate group, Privacy not Prism, has skipped the secret court bit and gone straight to the European Court of Human Rights. (...)"
Source: http://gigaom.com/2013/11/06/dutch-lawyers-and-journalists-sue-government-over-nsa-links/, 6 November 2013.
"Gestern hat ein Bündnis aus niederländischen Aktivisten und NGOs Klage gegen ihren Innenminister Ronald Plasterk eingereicht – darunter unter anderem der Journalist Brenno de Winter, der Hacker und ehemalige Wikileaks-Mitarbeiter Rop Gonggrijp der niederländische Strafverteidiger- und Journalistenverband, die Privacy First Foundation und der niederländische Zweig des ISOC. Das Bündnis nennt sich selbst “The Dutch against Plasterk” und kritisiert vor allem die scheinheilige öffentliche Verurteilung der NSA-Spionagetätigkeiten, während im Hintergrund Geheimdienstinformationen ausgetauscht werden.
Die Kläger werden durch die Anwaltskanzlei bureau Brandeis vertreten, die erst im August diesen Jahres gegründet wurde und die sich besonders mit der juristischen Vertretung von gesellschaftlich relevanten Fällen aus den Bereichen Copyright, Datenschutz und Medienrecht befasst. Einer der Gründer, Christiaan Alberdingk Thijm, wurde als Verteidiger der File-Sharing-Anwendung KaZaA bekannt."
Source: http://netzpolitik.org/2013/niederlaender-verklagen-ihre-regierung-wegen-nsa-kooperation/, 7 November 2013.
"A coalition of Dutch citizens and organizations initiated legal proceedings against the Dutch State, represented by Minister of Interior Affairs Ronald Plasterk on Wednesday, demanding Dutch intelligent services to stop using NSA data.The subpoena was filed by a coalition of citizens and organizations, among which the Dutch Association of Defense Counsels, the Dutch Association of Journalists, the Internet Society Netherlands Chapter and Privacy First Foundation.
They question the legality of the exchange of data between the Dutch intelligence service (AIVD) and the United States National Security Agency (NSA), and demand that the Dutch State stops using data that has not been obtained in accordance with Dutch law.
Last week Minister Plasterk confirmed the monitoring of mail and phone traffic in the Netherlands by the NSA. He also acknowledged that the Dutch Intelligence Agency had supplied information to the NSA and vice versa, but condemned the interception of phone calls and mails without permission.
"Plasterk has indeed condemned the NSA eavesdropping and spying without permission, but at the same time he is exchanging data with the NSA," told lawyer Christiaan Alberdingk Thijm, who represents the coalition of citizens and organizations, to Xinhua. "So based on the exchange of information regime the AIVD will eventually get the illegally obtained data."
"By using data that has been illegally acquired through the NSA, these data are sort of laundered by Plasterk and his secret services," Alberdingk Thijm added. "This case should put an end to that unlawful conduct. Our goal is that the Netherlands will act according to Dutch law. We cannot do much on what the Americans are doing here, but we can ensure that the Netherlands complies with the law. Furthermore we want citizens to be informed when their data was illegally obtained and used."
Alberdingk Thijm thinks their case could be followed in other European countries. "We based our case on European jurisdiction, so the case could simply be copied in other countries. However, they should sue their own state," he said.
Minister Plasterk was informed by the subpoena on Wednesday and he will, according to the administrative rules, have to appear in court on November 27. After that he will have six weeks, until January 8, to file a response."
Source: http://www.shanghaidaily.com/article/article_xinhua.aspx?id=178503, 7 November 2013.
"A coalition of defense lawyers, privacy advocates, and journalists has sued the Dutch government over its collaboration and exchange of data with the U.S. National Security Agency and other foreign intelligence services.
The coalition is seeking a court order to stop Dutch intelligence services AIVD and MIVD from using data received from foreign agencies like the NSA that was not obtained in accordance with European and Dutch law. It also wants the government to inform Dutch citizens whose data was obtained in this manner.
The legal proceedings were initiated in the Hague district court by the Dutch Association of Defense Counsels, the Dutch Association of Journalists, the Internet Society Netherlands Chapter, the Privacy First Foundation and five private citizens.
The coalition wants to close a loophole through which the Dutch intelligence services can obtain data on Dutch citizens from foreign intelligence partners that it wouldn't have been able to acquire through legal means in the country.
The coalition's lawyers argue that mass data-collection programs like those of the NSA and the U.K. Government Communications Headquarters (GCHQ) violate human rights guaranteed by international and European treaties including the European Convention on Human Rights, the International Covenant on Civil and Political Rights and the Charter of Fundamental Rights of the European Union.
As such, it was illegal in many countries, particularly in the European Union, to obtain data through those programs.
Civil society organizations and citizens in other European countries can and should launch similar legal actions, said Christiaan Alberdingk Thijm, a founding partner of Bureau Brandeis, the law firm that represents the Dutch coalition in this case."
Source: http://www.pcworld.com/article/2061581/dutch-civil-society-groups-sue-government-over-nsa-data-sharing.html, 6 November 2013.
"In Nederland heeft een groep burgers en organisaties een rechtszaak ingespannen tegen minister van Binnenlandse Zaken Roland Plasterk. De groep 'Burgers tegen Plasterk' eist dat de Nederlandse overheid geen informatie gebruikt die het via de Amerikaanse NSA heeft verkregen.
Burgers tegen Plasterk wil dat minister Plasterk verantwoording aflegt over het beleid van de Nederlandse overheid inzake het gebruik van NSA-gegevens. De geteisterde Amerikaanse inlichtingendienst zou illegaal informatie verzamelen over Nederlandse burgers, en die vervolgens doorspelen aan zijn Nederlandse tegenhanger AIVD.
Het initiatief komt onder meer van hacker Rop Gonggrijp en ICT-journalist Brenno De Winter. Ook de Nederlandse Vereniging voor Strafrechtadvocaten en de Nederlandse Vereniging voor Journalisten hebben zich aangesloten bij de rechtszaak, net als de Internet Society Nederland en de Stichting Privacy First.
De advocaat van de groep, Christaan Alberdingk Thijm, [stelt] dat Plasterk en de inlichtingendienst (...) illegaal verkregen data witwassen. 'Deze zaak moet daar een einde aan maken', aldus Alberdingk Thijm.
Minister Plasterk, die eerder al de Nederlandse inlichtingendienst verdedigde, is er van overtuigd dat de AIVD niets verkeerds doen en zich aan het wettelijk kader houdt. (...)"
Source: http://www.standaard.be/cnt/dmf20131106_00826456, 6 November 2013.