At the end of this summer our colleagues from Bits of Freedom will once again be organizing the annual Big Brother Awards. Below are our nominations for the biggest Dutch privacy violations of the past year:
- Automatic Number Plate Recognition plans from Minister Opstelten
If it’s up to the Dutch Minister of Security and Justice, Ivo Opstelten, the travels of every motorist in the Netherlands will soon be stored in a police database for four weeks through automatic number plate recognition (ANPR) for criminal investigation and prosecution purposes. This means that, in the view of Mr. Opstelten, every motorist is a potential criminal. Privacy First deems this proposal absolutely disproportional and therefore in breach with the right to privacy as stipulated under Article 8 of the European Convention on Human Rights. In case Dutch Parliament accepts this legislative proposal, Privacy First will summon the
on account of unlawful legislation in violation with the right to privacy; see http://www.privacyfirst.eu/focus-areas/cctv/item/580-every-motorist-becomes-potential-suspect.html. Dutch State
- Proposal for hacking scheme from Minister Opstelten
A second miserable plan from Minister Ivo Opstelten is to authorize the Dutch police force to hack into your computer and to oblige citizens to decrypt their encrypted files for the police. In the view of Privacy First this plan, too, is entirely in breach with the right to privacy, since it’s unnecessary and disproportional. Moreover, the proposal contravenes with the ban on self-incrimination (nemo tenetur). The proposal will lay the basis for future abuse of power and forms a typical building block for a police State instead of a democratic constitutional State. For our main objections, see http://www.privacyfirst.eu/focus-areas/law-and-politics/item/599-privacy-first-objections-against-opstelten-hacking-scheme.html.
- License plate parking
As of late, in an ever greater number of Dutch cities (among which
) license plate parking is becoming compulsory. Privacy First stands up for the classical right of citizens to travel freely and anonymously in their own country. The right to park anonymously is a part of this. License plate parking clearly disregards these rights. Moreover, it leads to function creep in breach with the right to privacy. The prime example here is the already proven abuse of parking information of lease drivers by the Dutch tax authorities; see http://www.nrc.nl/nieuws/2013/07/29/privacywaakhond-het-servicehuis-parkeren-overtreedt-de-wet/ (in Dutch). Amsterdam
- Highway section controls
Section speed checks on Dutch highways make that the journeys of motorists are continuously being monitored. This forms a massive infringement of the right to privacy. Such an infringement requires a specific legal basis with guarantees against abuse. Moreover, function creep is just around the corner; this already becomes obvious from the current plans of Dutch Minister Opstelten to soon use all highway speed cameras for automatic number plate recognition (ANPR) for investigation and prosecution purposes of a whole range of criminal offences as well as the collection of outstanding fines, tax debts, etc.
Besides the ‘usual’ cameras in neighbourhoods, shops, stations, above highways etc., citizens are increasingly – and almost unnoticed – being spied upon by flying cameras: so-called drones. The government does this (mainly the police) and so are private parties, yet without any sufficient legislation. Because of this the privacy risks and the likelihood of an accident are enormous. Privacy First therefore pleas for a moratorium on the use of drones until proper national legislation is put in place. Furthermore, drones should only be allowed to be used by the government in exceptional cases, for instance in disaster situations or for the investigation of suspects of very serious crimes, and only in case no other adequate means can be deployed. For private parties a license system is to be introduced with strict supervision and enforcement. Moreover, every drone is to be equipped with a transponder that is publically cognizable.
- Police Taser weapons
In September 2012 it became known that Dutch Minister Opstelten was planning to equip the entire Dutch police force with Taser weapons. In the view of Privacy First, the use of Taser weapons can easily lead to violations of the international ban on torture and the related right to physical integrity (which is part of the right to privacy). Taser weapons lower the threshold for police violence and hardly leave behind any external scars. At the same time they can inflict serious physical damage and mental harm. In conjunction with the current lack of firearms training for Dutch police officers, this produces serious risks for the Dutch population. In May 2013 the Dutch government had to justify itself over Opstelten’s plans in front of the UN Committee against Torture in Geneva; see http://www.privacyfirst.eu/focus-areas/law-and-politics/item/595-dutch-taser-weapons-on-agenda-of-un-committee-against-torture.html. Nevertheless, for the moment Opstelten’s intentions seem to be unchanged...
- Electronic Health Record
In April 2011 the introduction of a Dutch national Electronic Health Record (Elektronisch Patiëntendossier, EPD) was unanimously binned by the Dutch Senate due to privacy objections and security risks. However, the national introduction of almost the same EPD was subsequently worked towards along a private route and this included the exchange of medical data through a National Switch Point (Landelijk Schakelpunt, LSP). This will by definition lead to 'function creep by design' instead of privacy by design. The digital ‘regional walls’ in and around the LSP will easily be circumvented or removed. Therefore the entire system can take on its old central form again at any given moment in the future, with all the privacy and security risks this entails. Furthermore, the current layout is characterized by generic instead of specific permission of the patient to share medical data with healthcare providers (and future third parties). This constitutes an imminent danger for the medical privacy of citizens as well as the professional confidentiality of medical specialists.
The Dutch Ministry of the Interior is currently conducting an assessment of the fundamental rights situation in the Netherlands. Later this year this will probably result in a report called ‘De Staat van de Grondrechten’ (‘The State of Fundamental Rights’) and an accessory entitled ‘Nationaal Actieplan Mensenrechten’ (‘National Human Rights Action Plan’). In this context the Ministry recently requested input from several NGOs, among which Privacy First. Below is our advice:
Top 7 of issues that deserve a place in the State of Fundamental Rights and the National Human Rights Action Plan:
1. Active adherence to as well as protection, fulfilment and promotion of the right to privacy
Clarification: privacy is both a Dutch constitutional right as well as a universal human right. As with all human rights, the Dutch government accordingly has the obligation to 1) respect, 2) protect, 3) fulfil and 4) promote the right to privacy through proper legislation and policy. However, since '9/11' there have almost solely been made restrictions to the right to privacy, instead of enhancements of it. This constitutes a violation of the above-mentioned general duty to actively fulfil the right to privacy. The same goes for related rights and principles such as the presumption of innocence and the ban on self-incrimination (nemo tenetur).
2. Constitutional review
Clarification: the Netherlands is only familiar with constitutional ‘‘review’’ by civil servants and members of the Dutch House of Representatives when it comes to the development of new legislation. Unfortunately there is no Dutch Constitutional Court and, oddly enough, constitutional review of formal legislation by the judiciary is outlawed in the Netherlands. It is partly on account of this that the Dutch Constitution has become a dead letter over the last decades. It is therefore recommended to create a Constitutional Court as soon as possible and to abrogate the ban on constitutional review.
3. Collective legal means
Clarification: owing to a development of legal restrictions within the case law of the Dutch Supreme Court, over the last decades it has become increasingly difficult for foundations and associations to legally defend the social interests they advocate for through the collective right to action (Article 3:305a Dutch Civil Code and Article 1:2 paragraph 3 Dutch General Administrative Law Act, both links are in Dutch). Because of this the effective and efficient functioning of the Dutch constitutional State and legal economy have come under severe pressure. It is therefore recommended for the government to actively respect, protect and fulfil the collective right to action. For instance by no longer instructing the State attorney to plea for the inadmissability of foundations and associations in relevant lawsuits. Moreover, the ban on direct appeal against generally binding regulations (Article 8:3 Dutch General Administrative Law Act, in Dutch) is to be abrogated.
4. Voluntary instead of compulsory biometrics
Clarification: the premise in a healthy democracy under the Rule of Law should be that citizens may never be obliged to cede their unique physical characteristics (biometric personal data) to the government or the business sector. After all, this constitutes a violation of the right to privacy and physical integrity. Moreover, within companies, service providers, employers, etc. this leads to unfair trading practices. With the planned introduction of an ID card without fingerprints, in this area the Dutch government is taking a first step in the right direction. In line with this, we advise the Dutch government to plea at the European level for a passport with voluntary instead of compulsory taking of fingerprints.
5. Anonimity in public space
Clarification: the right to be able to travel anonymously and not to be spied upon has become increasingly illusory in recent years, especially through technological developments such as public transport chip cards, camera surveillance, cell phone tracking, etc. Both the government as well as the business sector are obliged to actively reinstate, protect and fulfil the right to privacy in terms of anonymity in public space through the introduction of public transport chip cards that are truly anonymous (privacy by design), the abrogation of camera surveillance unless strictly necessary, the development of privacy-friendly mobile telephony and apps, etc. For all the legislation and policies in this field, privacy, individual freedom of choice, necessity, proportionality and subsidiarity are to be leading principles.
6. Privacy by design
Clarification: all privacy-sensitive information technology is to comply with the highest standards of privacy by design. This can be achieved through the use of privacy enhancing technologies (PET), among which are state-of-the-art encryption and compartmentalization instead of centralization and the coupling of ICT. At the European level this is to become a strict legal duty for governments as well as the business sector, with active supervision and enforcement in this area.
7. Privacy education
Clarification: in terms of human rights education the Netherlands is threatening to become a third world country. In the long run this puts the continued existence of our democratic constitutional State at stake. It equally puts the right to privacy in danger. A privacy-friendly future begins with the youth of today. To that end privacy education is to become compulsory in primary, secondary and higher education. The government should play an active role in this.
Earlier this year the Dutch Minister of Justice and Security Ivo Opstelten came up with the miserable plan to authorize the Dutch police force to hack into your computer (both at home and abroad!) and to enable the police to demand that you decrypt your encrypted files in the presence of a policeman and obediently hand them over to the State. In the context of an online consultation (in Dutch), Privacy First notified to the Minister that it has a number of principal objections against his plans:
The Privacy First Foundation hereby advises you to withdraw the legislative proposal ‘enforcement of the fight against cybercrime’ on the basis of the following eleven principal grounds:
- In our view, this legislative proposal forms a typical building block for a police State, not for a democratic constitutional State based on freedom and trust.
- The Netherlands has a general human rights duty to continuously fulfil the right to privacy instead of restricting it. With this legislative proposal the Netherlands violates this general duty.
- This legislative proposal is not strictly necessary (contrary to possibly being ‘useful’ or 'handy') in a democratic society. Therefore the legislative proposal is in breach of Article 8 of the European Convention on Human Rights.
- Moreover, this legislative proposal violates the prohibition of self-incrimination (nemo tenetur se ipsum accusare).
- Function creep is a universal phenomenon. This will also apply to this legislative proposal, which will form the basis for future abuse of power.
- This legislative proposal puts the relationship of trust between the Dutch government and the Dutch people to the test. This will lead to a chilling effect in Dutch society.
- Through this legislative proposal age-old assets such as freedom of the press and the protection of journalistic sources, whistleblowers, freedom of speech, free information gathering, freedom of communication and the right to a fair trial are put under severe pressure. This is detrimental to the dynamics within a free democratic constitutional State.
- This legislative proposal and the accompanying technology will be imported and abused by less democratic governments abroad. Therefore the legislative proposal forms an international precedent for a worldwide Rule of the Jungle instead of the Rule of Law.
- As of yet the legislative proposal lacks a thorough and independent Privacy Impact Assessment.
- This legislative proposal stimulates suboptimal (i.e. crackable by the government, because otherwise illegal?) instead of optimal (‘uncrackable’) ICT security.
- Fighting cybercrime demands multilateral cooperation and coordination instead of unilateral panic-mongering as is the case with this legislative proposal.
The Privacy First Foundation
From the response to Parliamentary questions (in Dutch) it emerged this week that there is no specific legal basis for the secret use of drones by police in the
Without a specific legal basis in accordance with Article 8 paragraph 2 ECHR, every police drone constitutes an inadequate means of criminal investigation that shouldn't be used. Therefore the use of such drones should be suspended with immediate effect. In individual criminal cases, it is up to the judge to exclude information gathered with police drones from legal proceedings as it concerns unlawfully obtained evidence.
Privacy First hereby makes an urgent appeal to the Dutch House of Representatives to institute a moratorium on the further use of drones. Such a moratorium should only be lifted after a broad democratic debate has taken place and the use of drones has been properly regulated. In case the current Dutch situation will continue to be politically tolerated, Privacy First reserves the right to enforce a moratorium in court.
"Die niederländische Polizei hat seit 2009 in 132 Fällen Drohnen eingesetzt, um unterschiedliche Straftaten zu klären oder Lagebilder zu erstellen. Die Verfolgung von Fluchtautos mit Kameras und das Aufspüren von Cannabis-Plantagen mit Wärmekameras bildeten dabei die Mehrzahl der Einsätze. Dies geht aus Angaben des niederländischen Infrastruktur- und Innenministeriums hervor, das allerdings Details zu den Drohnen-Einsätzen verweigerte. Das findet der anfragende Abgeordnete Gerard Schouw von der Partei D66 untragbar: Der Drohneneinsatz müsse öffentlich kontrollierbar sein und eine rechtliche Grundlage haben.
Gegenüber dem niederländischen Programm von RTL erklärte Schouw, dass ohne genaue Auskünfte und Kontrollmöglichkeiten der Einsatz von Drohnen in einer Grauzone stattfinde. "Aus welcher Entfernung werden da unschuldige Bürger gefilmt? Niemand hat eine Ahnung, was da passiert."
Unterstützung erhielt Schouw von der niederländischen Datenschutzorganisation Privacy First. Deren Anwalt Vincent Böhre erklärte, dass die Kameraüberwachung mit Drohnen eine Überwachungstechnik ist, die nach dem niederländischen Recht nicht erlaubt sei.
Ähnlich äußerte sich der Jurist Leon Wecke von der Universität Radboud. "Wir werden überall von Kameras verfolgt. Nun sind es auch noch Drohnen, denen wir uns nicht bewusst sind." Dies sei eine Verletzung der Privatsphäre, erklärte Wecke gegenüber dem Internet-Nachrichten Nu.nl. Drohnen bedürften daher einer eigenständigen gesetzlichen Regelung, betonte Wecke. Zu den Drohneneinsätzen soll es in Arnhem, Amsterdam, Almere und Rotterdam gekommen sein. Wegen fortlaufender technischer Probleme soll die Amsterdamer Polizei ihre Drohnen inzwischen außer Dienst gestellt haben.
In Deutschland hatten zuletzt die Grünen auf einer Fachtagung über den Einsatz von Drohnen diskutiert und dabei über Polizeidrohnen ebenso wie über Militärdrohnen gesprochen. Die Videos dieser Tagung sind mittlerweile online verfügbar."
Source: Heise Online, 23 March 2013.
"The police are increasingly using unmanned aircraft in their efforts to track down criminals in the Netherlands, leading to MPs' questions about the privacy implications.
Drones - small helicopters equipped with cameras - are used to trace burglars and getaway cars as well as illegal marijuana plantations. For example, Harlingen borrowed two drones from the defence ministry last year after a spate of burglaries in the Frisian town.
Since 2009, drones have been used in at least 40 areas, the AD reported on Monday. In total, they were in the air on at least 132 different days.
D66 parliamentarian Gerard Schouw has asked the justice ministry to explain the implications of the use of drones on privacy.
'I understand they can be useful, but they need to have a basis in law,' he is quoted as saying by RTL news. 'How closely can innocent citizens be filmed. No-one has a clue what they are filming.'
Lawyer Vincent Böhre from the Privacy First foundation said the use of drones is illegal because the flights are not made public.
'It is a form of camera supervision which is not allowed under Dutch law,' he told the broadcaster. The use of drones also infringes European privacy laws, he said.
Amsterdam city council said earlier this year it had grounded its two €29,000 drones because of continuing technical problems."
Source: Expatica.com (Netherlands), 18 March 2013.
"Dutch lawmakers and lawyers say they are questioning the increasing use of unmanned aircraft by police to track criminals and locate marijuana plantations.
The drones have been used for at least 132 days in at least 40 areas since 2009, DutchNews.nl reported Monday.
The city of Harlingen borrowed two drones from the defense ministry in 2012 after a rash of burglaries.
"I understand they can be useful, but they need to have a basis in law," said parliamentarian Gerard Schouw after asking the defense ministry to explain the implications the drones may have on privacy.
"How closely can innocent citizens be filmed," he queried. "No one has a clue what they are filming."
Use of the drones is illegal under Dutch law and may violate European privacy laws, said attorney Vincent Bohre of the Privacy First Foundation.
Amsterdam city officials said earlier this year they had grounded their two drones because of technical problems."
Source: UPI.com (United Press International, USA), 18 March 2013.
"Son yıllarda Hollanda polisinin yasadışı faaliyetlerle mücadele konusunda daha fazla oranda insansız uçaklardan kullandığı belirtildi.
AD gazetesinin yer alan bir haberde, "drones" adı verilen insansız uçakların özellikle insan ve uyuşturucu ticareti veya yasadışı suç örgütlerinin araştırıldığı belirtildi. Son dönemlerde bu uçakalrın daha sık kullanıldığı belirtilen haberde 2009'dan bu yana en az 132 kez kullanıldığı belirtildi.
Altyapı ve Çevre Bakanlığı, Güvenlik ve Adalet Bakanlığı ve İçişleri Bakanlığı verilerine göre Hollanda üzerinde en az 40 noktada adı geçen uçakların uçtuğu ve son dönemlerde bu sayıda artma olduğu belirtiliyor.
Gizlilik Birincilik Vakfı (De stichting Privacy First), polis tarafından kullanılan bu uygulamanın, haber verilmeden yapıldığını bundan dolayı da yasadışı olduğunu belirtiyor.
Öte yandan D66 milletvekili Gerard Schouw'da Mecliste bu konu hakkında açıklama isteyeceğini belirtirken "bu tür kontroller yasal ve kontrol edilebilir şekilde olmalı. Şuanda hiç bir şey bilmiyoruz"dedi.
Polis geçtiğimiz yıl Aralık ve bu yıl Şubat ayında Savunma Bakanlığına ait olan Drones uçaklarını Harlingen'deki hırsızlık olaylarını çözmek için kulandığını belirtmişti."
Bron: SonHaber.nl, 18 March 2013
The Dutch Ministry of Justice wants to track all motorists. The Privacy First Foundation is preparing for legal action.
Under a new, far-reaching legislative proposal, the Dutch Minister of Security and Justice Ivo Opstelten aims to enhance criminal investigation by introducing a four week storage period of the number plates of all cars through camera surveillance and Automatic Number Plate Recognition (ANPR). Current rules dictate that these data have to be deleted within 24 hours. In 2010, the previous Dutch Minister of Justice (Hirsch Ballin) planned to make a similar proposal with a storage period of 10 days. However, the Dutch House of Representatives then declared this topic to be controversial. In his current proposal, Opstelten takes things a few steps further. Early 2010 the Dutch Data Protection Authority (College Bescherming Persoonsgegevens, CBP) ruled that police forces were not adhering to Dutch privacy rules by storing number plates for a greater period than was legally allowed. According to the CBP, all number plates that are not suspect (so-called ‘no hits’) are to be removed from relevant databases immediately. Opstelten’s plan to store the number plates of unsuspected citizens for four weeks directly flies in the face of this.
The Privacy First Foundation considers Opstelten’s legislative proposal to be a threat to society. ‘‘Under this measure every citizen becomes a potential suspect. You ought to trust the government, but it’s that very government that distrusts its own citizens’’, Privacy First chairman Bas Filippini declares. In a healthy democratic constitutional State the government should leave innocent citizens alone. Under this legislative proposal the government crosses that fundamental line. Collectively monitoring all motorists for criminal investigation and prosecution purposes is completely disproportionate and therefore unlawful.
In case Dutch Parliament adopts this legislative proposal, Privacy First will summon the Netherlands and have the legislative Act in question declared null and void on account of being in violation with the right to privacy. If needed, Privacy First and individual co-plaintiffs will be prepared to litigate all the way up to the European Court of Human Rights in
This week the Dutch House of Representatives will vote on a legislative proposal on the taking of 10 fingerprints of all foreigners (immigrants) for criminal investigation and prosecution purposes. This legislative proposal originally dates back to March 2009, the period in which all the Dutch government could come up with was privacy-intrusive legislation. The Privacy First Foundation deems this legislative proposal to be in breach of the right to privacy and the prohibition of self-incrimination. Below is the email that Privacy First sent to relevant Members of Parliament this afternoon:
Dear Members of Parliament,
Next Tuesday you will cast your vote on a legislative proposal aimed at extending the use of biometric features (fingerprints, facial scans) of immigrants. Hereby the Privacy First Foundation advises you to vote against this legislative proposal, especially in light of its disproportionate character. This disproportionality is demonstrated by the lack of relevant statistics and the relatively low fraud figures mentioned in the annotation to the legislative proposal dated 13 July 2012 by former Minister for Immigration, Integration and Asylum Gerd Leers (Christian-democratic party CDA). As with all human rights, any infringement of the right to privacy (Article 8 of the European Convention on Human Rights, ECHR) requires a concrete statistical necessity instead of vague suspicions and wishful thinking. Therefore, it is all the more worrying that under this legislative proposal the prints of as many as 10 fingers will be taken of every immigrant to ‘compensate’ for the fact that the biometric technology is inadequate to suffice with just one or two fingerprints. However, are these 10 fingerprints not actually meant to serve the interests of criminal investigation behind this legislative proposal...? In this respect, a comparison could be made with the following consideration by the Minister of Justice Benk Korthals (Dutch political party VVD), dated 10 December 2001:
‘‘In response to the question by the CDA, I am not prepared to proceed to the taking of fingerprints of all Dutch citizens in the interests of criminal investigation. This would be disproportionate, considering for example the number of print cases offered on an annual basis, in the whole of the Netherlands around 10,000. Furthermore, it is basically impracticable because prints have to be made of all ten fingers and possibly the hand palms for them to be of any use for criminal investigation. Apart from the administrative processing and control, this would require too big a drain on police resources. In the context of the new ID card, a new biometric feature such as a fingerprint will possibly be adopted. This will be about determining whether the holder of the ID card is in actual fact the very person that is mentioned on it. Perhaps just one fingerprint will be enough for that, but that is absolutely insufficient for criminal investigation.’’
In other words: under the guise of combating fraud, with this legislative proposal a centralised search register of immigrants is created, exactly in the same way that this was about to happen a few years ago with the fingerprints of all Dutch citizens. Privacy First assumes that the various reasons why this last project was reversed midway through 2011 at the insistence of your Parliament (!) are known to you and apply just as much for the current legislative proposal. In addition, this proposal has a stigmatizing effect since it causes a whole population group (immigrants) to be seen as potential suspects. This creates an inversion of the presumption of innocence and conflicts with the prohibition of self-incrimination. In that sense the legislative proposal constitutes a collective violation of both Article 6 (nemo tenetur) and Article 8 ECHR (privacy and physical integrity). With regard to the Passport Act, this has led to a Dutch and European snowball effect of lawsuits since 2009. Therefore, Privacy First hopes that the House of Representatives has the progressive insight to prevent a repetition of this history.
Update 29 January 2013: the legislative proposal (no. 33192) has unfortunately been accepted by the House of Representatives this afternoon (video; starting at 19m36s). Dutch political parties D66, SP, ChristenUnie and the Party for the Animals voted against. Read also the report by Privacy Barometer and today’s article in newspaper NRC Handelsblad. Next stop: the Senate...
Update 29 January 2013, 21:45: Left-wing party GroenLinks ('GreenLeft') has notified that it had intended to vote against and will have the voting record corrected.
Update 30 January 2013: today GroenLinks notified the House of Representatives of its vote against the legislative proposal.
Update 31 January 2013: the article in NRC Handelsblad was also published in the affiliated newspaper NRC Next. Read also today's article in newspaper Nederlands Dagblad.
Update 8 February 2013: for the current status of the legislative proposal in the Dutch Senate, click HERE.
Update 6 March 2013: today Privacy First has sent a similar version of the email above to the Commission for Immigration and Asylum of the Dutch Senate.