A Dutch court has ruled on appeal in the summary proceedings brought by Privacy First concerning the Ultimate Beneficial Owners (UBO) register. Like the preliminary relief court, the Court of Appeal of The Hague unfortunately rejected Privacy First’s claims.
The court in preliminary relief proceedings earlier confirmed that there is every reason to doubt the legal validity of the European money laundering directives that form the basis for the UBO register. The judge ruled that it cannot be precluded that the highest European court, the Court of Justice of the EU (CJEU), will conclude that the public nature of the UBO register is not in line with the principle of proportionality. The ruling of the CJEU is expected in mid-2022.
Existing legal entities in the Netherlands do not have to register their UBOs until 27 March 2022. This is different for new legal entities: these have to register their UBOs immediately. The Court of Appeal of The Hague deems it unlikely that these UBOs will suffer serious damage in the short term and points out that UBOs fearing to be at risk from the disclosure of personal data can immediately shield these data from the general public. Dutch law provides for this possibility. The Hague Court of Appeal called this ‘a simple way to prevent UBO data from becoming or remaining public’. UBOs can apply to the Trade Register for shielding. As long as such applications are pending, UBO data will actually be protected. Now that the Court of Appeal has so emphatically pointed out this possibility, it is expected that many UBOs will follow this route.
‘The solution must come from the highest European court, the Court of Justice of the EU’, comments Privacy First’s attorney, Otto Volgenant of Boekx Attorneys. ‘It will rule on this in mid-2022. I expect that the Court will mark the end of the open nature of the UBO register. Thus far hardly any data have been entered into the register and I advise everyone to just wait as long as possible. The Dutch government has arbitrarily chosen a date by which UBOs must provide their data, namely 27 March 2022. It would be wise to postpone that end date by a few months until after the CJEU has provided clarity. That would prevent a lot of trouble and unnecessary costs.’
The judgment (in Dutch) of the district court in preliminary relief proceedings can be found here:
while the judgment (in Dutch) of the Court of Appeal can be found here:
Despite an urgent call by Privacy First to the Dutch House of Representatives to block the coronavirus entry pass, the introduction of this pass throughout The Netherlands as of 25 September 2021 unfortunately seems to be a reality. Privacy First expects that this will lead to division of Dutch society, exclusion of vulnerable groups, discrimination and violation of everyone’s right to privacy. Moreover, the introduction of this pass leads to vaccination coercion, which violates everyone’s right to dispose freely of their own body. This is incompatible with the right to physical integrity and self-determination and fuels the undermining of our trust in the democratic rule of law, in which these fundamental rights are enshrined.
With massive encroachment and violation of human rights looming, it is up to the courts to intervene and correct the government. In line with our statutory objective to take action in the public interest, the current lawsuit by Dutch attorney Bart Maes and others to stop the coronavirus entry pass therefore has our full support. Privacy First would like to emphasize that this is not a statement against vaccination (on the contrary), but that it is crucial to fully respect and protect everyone’s human rights, especially in these times. Critical voices should be taken seriously and not be dismissed on emotional grounds. In both the short and the long term, this is the best guarantee for an open, free and healthy society.
Today, Privacy First sent the following plea to the Dutch House of Representatives:
Dear Members of Parliament,
It is with great disapproval that the Privacy First Foundation has taken note of the planned introduction of coronavirus entry passes for bars and restaurants, events and cultural institutions. This will lead to a division in society, exclusion of vulnerable groups and a massive violation of everyone’s right to privacy. Below, Privacy First will briefly explain this.
Serious violation of fundamental rights
The coronavirus entry pass (‘corona pass’) constitutes a serious infringement of numerous fundamental human rights, including the right to privacy, physical self-determination, bodily integrity and freedom of movement in conjunction with other classic human rights such as the right to participate in cultural life and various children’s rights such as the right to recreation. Any curtailment of these rights must be strictly necessary, proportionate and effective. In the case of the corona pass, however, this has not been demonstrated to date and the required necessity is simply being assumed in the public interest. More privacy-friendly alternatives to reopen and normalize society seem never to have been seriously considered. For these reasons alone, the corona pass cannot pass the human rights test and should therefore be repealed. In this context, Privacy First would also like to remind you of countries such as England, Belgium and Denmark where a similar pass was deliberately not introduced, or has been done way with not long after its introduction. In the Netherlands, there has been a great lack of support in recent days for the corona pas and many thousands of entrepreneurs have already let it be known that they will not cooperate. Privacy First therefore expects that the introduction of the corona pass will lead to massive civil disobedience and successful lawsuits against the Dutch government.
The introduction of the corona pass violates the general prohibition of discrimination, as it introduces a broad social distinction based on medical status. This puts a strain on social life and may lead to widespread inequality, stigmatization, social segregation and even possible tensions, as large groups in society will not (or not systematically) want to, or will not be able to get tested or vaccinated (for a variety of reasons), or obtain a digital test or vaccination certificate. During our National Privacy Conference in early 2021, Privacy First already took the position that the introduction of a mandatory ‘corona passport’ would have a socially disruptive effect. On that occasion, the Dutch Data Protection Authority, among others, explicitly took a stand against the introduction of such a passport. The aforementioned social risks apply all the more strongly to the vaccination coercion that is caused by the introduction of the corona pass. In this regard, Privacy First would like to remind you of the fact that both your House of Representatives and the Parliamentary Assembly of the Council of Europe have expressed their opposition to a direct or indirect vaccination requirement. In addition, the corona pass will have the potential to set precedent for other medical conditions and other sectors of society, putting pressure on a much wider range of socio-economic human rights. For these reasons, Privacy First calls on you to block the introduction of the corona pass.
Multiple privacy violations
From the perspective of the right to privacy, there are a number of yet other specific concerns and questions. First of all, the corona pass introduces a mandatory ‘health proof’ for participation in a large part of social life, in flagrant violation of the right to privacy and the protection of personal data. Through the mandatory display of an ID card in addition to the corona pass, an entirely new identification requirement is created in public places. The existing anonymity in the public space is thus removed, with all the dangers and risks that this entails. Moreover, this new identification requirement raises questions about the capacities of entrepreneurs to determine the identity of a person and to assess the state of health by means of the corona pass.
Moreover, the underlying legislation results in the inconsistent application of existing legislation with regard to the same act, i.e. testing, with far-reaching consequences on the one hand for an important attainment such as medical confidentiality and the public’s trust in that confidentiality, and on the other for the practical implementation of retention periods of the test results while the processing of these results does not change. After all, it is not the result of the test that should determine whether the registration of the testing falls under the Dutch Medical Treatment Agreement Act (‘Wgbo’, which requires medical confidentiality and a 20-year retention period) or the Dutch Public Health Act (‘Wpg’, which requires a 5-year retention period), but the act of testing itself. Besides, it is questionable why a connection was sought with the Wpg and/or Wgbo now that it is about obtaining a certificate for participation in society and it does not concern medical treatment (Wgbo) or public health tasks for that purpose. The only ground for processing personal data for the purpose of ascertaining the presence of the coronavirus and for breaching medical confidentiality, should be consent. However, in this case there cannot be the legally required freely given consent, since testing and vaccination will be a mandatory condition for participation in society.
Privacy requires clarity
Many other things are and remain unclear: what data will be stored, where, by whom and in which systems? To what extent will there be an international and European exchange of such data? Which parties with which purposes will have access to or will copy the data, or put these in huge new national databases together with our health data? Will we have constant personal localization and identification, or only occasional verification and authentication? Why can test results be kept for an unnecessarily long time? How great are the risks of hacking, data breaches, fraud and forgery? To what extent have decentralized, privacy-friendly technologies and privacy by design, open source software, data minimization and anonymization seriously been considered? How long will test certificates remain free of charge? Is work already underway to introduce an ‘alternative digital medium’ to the Dutch CoronaCheck app, namely a chip (card), with all the objections and risks that entails? Why has there been no independent Privacy Impact Assessment (PIA)? How many more times must the country accept emergency laws to close privacy leaks, when our overburdened and understaffed Data Protection Authority is already noting that there is no legal basis for the processing of the data concerned? How will unforeseen uses and abuses, function creep and profiling be prevented, and how is privacy oversight arranged? Will non-digital, paper alternatives remain available at all times? Why is the ‘yellow booklet’ not accepted as a privacy-friendly alternative, as it is in other countries? What happens with the test material – i.e. everyone’s DNA – at the various testing sites? And when will the corona pass be abolished? In other words, to what extent is this actually a ‘temporary’ measure?
In the view of Privacy First, the introduction of the corona pass will lead merely to an impractical burden on entrepreneurs, innumerable deficiencies and destruction of capital for society. Privacy First therefore requests that the members of the House of Representatives block the introduction of the corona pass. Failing to do so, Privacy First reserves the right to have the legislation introducing the corona pass reviewed against international and European law and declared inoperative by the courts. Preparations for such legal proceedings by us and many others are already underway.
Privacy First Foundation
 See National Privacy Conference 28 January 2021, https://youtu.be/asEX1jy4Tv0?t=9378, starting at 2h 36 min 18 sec.
 See Council of Europe, Parliamentary Assembly, Resolution 2361 (2021): Covid-19 vaccines: ethical, legal and practical considerations, https://pace.coe.int/en/files/29004/html, par. 7.3.1-7.3.2: ‘‘Ensure that citizens are informed that the vaccination is NOT mandatory and that no one is politically, socially, or otherwise pressured to get themselves vaccinated, if they do not wish to do so themselves; ensure that no one is discriminated against for not having been vaccinated, due to possible health risks or not wanting to be vaccinated.’’ See also, inter alia, Dutch House of Representatives, Motion by Member Azarkan on no corona vaccination requirement (28 October 2020), House of Representatives, 25295-676, https://zoek.officielebekendmakingen.nl/kst-25295-676.html: ‘‘The House of Representatives (...) expresses that there should never be a direct or indirect corona vaccination obligation in the future’’; Motion by Member Azarkan on access to public benefits for all regardless of vaccination or testing status (5 January 2021), House of Representatives 25295-864, https://zoek.officielebekendmakingen.nl/kst-25295-864.html: "The House of Representatives (...) requests the government to allow access to public benefits for all regardless of vaccination or testing status."
An earlier, similar version of this commentary appeared as early as March 2021: https://www.privacyfirst.eu/focus-areas/law-and-politics/695-privacy-first-position-concerning-the-dutch-draft-bill-on-covid-19-test-certificates.html.
The hearing at the court of appeal in The Hague in the proceedings of Privacy First against the register for Ultimate Beneficial Owners (UBO) is scheduled for Monday, 27 September 2021.
Following the very critical advice of the European Data Protection Supervisor (EDPS), the district court of The Hague confirmed on 18 March 2021 that there is every reason to doubt the validity of the European money laundering directives that form the basis for the UBO register. The judge ruled that it cannot be excluded that the highest European court, the Court of Justice of the EU (CJEU), will conclude that the public nature of the UBO register is not in line with the principle of proportionality. Since a Luxembourg local court has already refered questions about this to the CJEU, the Dutch court in summary proceedings did not find it necessary to ask questions about it as well. Privacy First has appealed the judgment in these summary proceedings, taking the case to the court of appeal of The Hague. Our appeal summons can be found here (pdf in Dutch).
Privacy First requests the court of appeal to ask preliminary questions on the UBO register to the European Court of Justice and calls for the suspension of the operation of the UBO register until these questions have been answered. Privacy First also asks the court to temporarily suspend the public accessibility of the UBO register, at least until the CJEU has ruled on this matter. The court of appeal's ruling is expected a few weeks after the hearing on 27 September 2021.
‘‘The UBO register will put privacy-sensitive data of millions of people up for grabs’’, Privacy First’s attorney Otto Volgenant of Boekx Attorneys comments. ‘‘There are doubts from all sides whether this is an effective tool in the fight against money laundering and terrorism financing. It’s like using a sledgehammer to crack a nut. The Court of Justice of the EU will ultimately rule on this. I expect that it will annul the UBO register – at least its public accessibility. Until then, I advise UBOs not to submit any data to the UBO register. Once data have been made public, they cannot be retrieved.’’
Background of the lawsuit against the UBO register
Privacy First is bringing a lawsuit against the Dutch government regarding the UBO Register which was introduced in 2020. In summary proceedings, the invalidity of the EU regulations on which the UBO register is based are being invoked. The consequences of this new legislation are far-reaching. After all, it concerns very privacy-sensitive information. Data about the financial situation of natural persons will be out in the open. More than 1.5 million legal entities in the Netherlands that are listed in the Dutch Trade Register will have to disclose information about their ultimate beneficial owners. The UBO register is accessible to everyone, for €2.50 per retrieval. This level of public accessibility is not proportionate.
On 24 June 2020, the Dutch ‘Implementation Act on Registration of Ultimate Beneficial Owners of Companies and Other Legal Entities’ entered into force. Based on this new Act, a new UBO register linked to the Trade Register of the Netherlands Chamber of Commerce will contain information on all ultimate beneficial owners of companies and other legal entities incorporated in the Netherlands. This information must indicate the interest of the UBO, i.e. 25-50%, 50-75% or more than 75%. In any case, the UBO’s name, month and year of birth as well as nationality will be publicly available for everyone to consult, with all the privacy risks this entails.
Since 27 September 2020, newly established entities must register their UBO in the UBO Register. Existing legal entities have until March 27 2022 to register their UBOs. The law gives only very limited options for shielding information. This is only possible for persons secured by the police, for minors and for those under guardianship. The result will be that the interests of almost all UBOs will become public knowledge.
European Anti-Money Laundering Directive
This new law stems from the Fifth European Anti-Money Laundering Directive, which requires EU Member States to register and disclose to the public the personal data of UBOs. The aim of this is to combat money laundering and terrorist financing. According to the European legislator, the registration and subsequent disclosure of personal data of UBOs, including the interest that the UBO has in a company, contributes to that objective. The public nature of the register would have a deterrent effect on persons wishing to launder money or finance terrorism. But the effectiveness of a UBO register in the fight against money laundering and terrorism has never been substantiated.
Massive privacy violation and fundamental criticism
The question is whether the means does not defeat the purpose. Registering the personal data of all UBOs and making it accessible to everyone is a blanket measure of a preventive nature. 99.99% of all UBOs have nothing to do with money laundering or terrorist financing. If it was in fact proportionate to collect information on UBOs, it should be sufficient if that information is available to those government agencies involved in combating money laundering and terrorism. Making the information completely public is going too far. The European Data Protection Supervisor already ruled that this privacy violation is not proportionate. But this opinion has not led to an amendment of the European directive.
Leading up to the the debate on this law in the Dutch House of Representatives, fundamental criticism came from various quarters. The business community agitated because it feared – and now experiences – an increase in burdens and perceives privacy risks. UBOs of family-owned companies that have remained out of the public eye up until now are running major privacy and security risks. There was also a great deal of attention for the position of parties that attach great importance to the protection of data subjects, such as church communities and social organizations. As for associations and foundations that do not have owners, things are cumbersome: they have to put the data that is already in the Trade Register in another register. Unfortunately, this has not led to any changes in the regulations.
Dutch investigative journalism platform Follow the Money looked into the social costs of the Dutch UBO register. Follow the Money writes: ‘‘The UBO register entails costs, hassle and sometimes slightly absurd bureaucracy for millions of entrepreneurs and directors. The Ministry of Finance reckons the total costs of the register for the business community is 99 million Euros. Another 9 million Euros must be added for one-time implementation costs. When lawyer Volgenant hears about this amount, he reacts with dismay: 'The total costs are much higher than I thought! If you extrapolate that to the whole EU, the costs are astronomical.’’’
Favourable outcome of lawsuit is likely
Privacy First has initiated a lawsuit against the UBO register for violation of the fundamental right to privacy and the protection of personal data. Privacy First requests the Dutch judiciary to render the UBO register inoperative in the short term and to submit preliminary questions on this subject to the Court of Justice of the European Union. It would not be the first time privacy-violating regulations are repealed by the courts, something that previous Privacy First lawsuits attest to.
The Dutch law and also the underlying European directive are in conflict with the European Charter of Fundamental Rights as well as the General Data Protection Regulation. The legislator has created these regulations, but it is up to the courts to conduct a thorough review of them. Ultimately the judge will have the final say. If the (European) legislator does not pay enough attention to the protection of fundamental rights, then the (European) judge can cast the regulations aside. The Court of Justice of the European Union has previously declared regulations invalid due to privacy violations, for example the Telecom Data Protection Directive and the Privacy Shield. The Dutch courts also regularly invalidate privacy-invading regulations. Privacy First has previously successfully challenged the validity of legislation, for example in the proceedings about the Telecommunications Data Retention Act and in the proceedings against SyRI. Viewed against this background, the lawsuit against the UBO register is considered very promising.
Update 27 September 2021: this afternoon the court session took place in The Hague; click HERE for the pleading of our lawyer (pdf in Dutch). The judgment of the court of appeal is scheduled for 16 November 2021.
Summary proceedings against massive privacy violation by Automatic Number Plate Recognition (ANPR) camera surveillance
Challenging large-scale privacy violations in court has long been Privacy First’s established practice. In recent years, Privacy First has successfully done so against the central storage in the Netherlands of everyone’s fingerprints under the Dutch Passport Act, against the storage of everyone’s communications data under the Dutch Telecommunications Data Retention Act and – in coalition with other parties – against large-scale risk profiling of innocent citizens through the Dutch System Risk Indication (SyRI).
A current and urgent issue that equally merits going to court over, concerns the Dutch legislation on Automatic Number Plate Recognition (ANPR) which applies since 2019 under Art. 126jj of the Dutch Code of Penal Procedure. Under this piece of law, the number plate codes of millions of cars in the Netherlands (i.e. everyone’s travel movements) are stored continuously for four weeks in a central police database for criminal investigation purposes, regardless of whether one is suspected of anything. This is totally unnecessary, completely disproportionate and also ineffective, as was revealed in evaluation reports published today by the Dutch Research and Documentation Center (‘WODC’, part of the Dutch Ministry of Justice and Security). Supervision is lacking and the system can easily be abused, newspaper NRC Handelsblad recently confirmed in its reporting.
Privacy First has therefore prepared a lawsuit to have the ANPR legislation repealed on account of violation of European privacy law. Summary proceedings against the Dutch government will take place at the district court of The Hague on 10 November 2021. Through Pro Bono Connect, Privacy First has engaged CMS as the law firm that will take care of the litigation in this case. Our summons in summary proceedings can be found HERE (pdf in Dutch). If necessary, these preliminary proceedings will be followed by broader proceedings on the merits. After all, there is no doubt that the current ANPR law constitutes a massive privacy violation and simply does not belong in a free democratic society. Considering the relevant European case law, Privacy First deems the likelihood of successful legal action very high.
Case details: Privacy First vs. the State (Dutch Ministry of Justice and Security), Wednesday 10 November 2021 11.00 am, The Hague district court. You are welcome to attend the court hearing. A route description in Dutch can be found here.
Update November 8, 2021: due to Corona restrictions, it appears that the court is only willing to allow two (already registered) visitors at the court hearing. However, due to high public interest, there will be a livestream: https://www.rechtspraak.nl/Organisatie-en-contact/Organisatie/Rechtbanken/Rechtbank-Den-Haag/Nieuws/Paginas/Livestream-rechtszaak-stichting-Privacy-First-tegen-de-Staat.aspx.
Update November 10, 2021: the court hearing took place today; click HERE for our lawyer's pleading (pdf in Dutch). The court's ruling is scheduled for December 1st.
Update December 1, 2021: today the district court of The Hague rendered its judgment. In the judgment, the court first of all established that Privacy First is admissible in this case as a non-profit interest group for the protection of the privacy of all citizens in the Netherlands. This again establishes that Privacy First can conduct these and subsequent legal proceedings in the public interest. Subsequently, however, the court ruled that in these preliminary relief proceedings there was no sufficiently urgent interest. Privacy First finds this judgment incomprehensible, since in the case of a daily massive privacy violation by definition there is an urgent interest to have that violation legally reviewed and to have it stopped. Privacy First will now commence proceedings on the merits against the ANPR legislation and is also considering lodging an urgent appeal against the current judgment with the Court of Appeal of The Hague. In view of relevant European case law, Privacy First still considers the chances of successful legal action exceptionally high.
The ANPR legislation at issue in Privacy First's lawsuit relates to the mass collection and storage of everyone's "historical" ANPR data, also known as "no hits". This should be distinguished from the many years of police practice where license plates of suspects (so-called "hits") can be used for criminal investigations. Dutch media are regularly confused about this as a result of misleading government information, for example on the websites of the Dutch National Police and the Public Prosecution Service. Privacy First regrets such deception and hopes that the media will not be misled by this.
Would you like to support these legal proceedings? Then please consider becoming a donor! Privacy First consists largely of volunteers and is entirely dependent on sponsorship and donations to pursue litigation.
The controversial and compulsory inclusion of fingerprints in passports has been in place in the EU since 2009. From that year on, fingerprints were also included in Dutch identity cards, even though under EU law there was no such obligation. While the inclusion of fingerprints in identity cards in the Netherlands was reversed in January 2014 due to privacy concerns, there is now new European legislation that will make the inclusion of fingerprints in identity cards compulsory as of August 2, 2021.
Dutch citizens can apply for a new identity card without fingerprints until August 2. After that, only people can do so who are ‘temporarily or permanently unable physically to have fingerprints taken’.
The Dutch Senate is expected to debate and vote on the amendment of the Dutch Passport Act in connection with the reintroduction of fingerprints in Dutch identity cards on July 13. In that context, Privacy First sent the following email to the Dutch Senate yesterday:
Dear Members of Parliament,
Since Privacy First was founded in 2008, we have opposed the mandatory collection of fingerprints for passports and identity cards. Since the introduction of the new Passport Act in 2009, Privacy First has done so through lawsuits, campaigns, freedom of information requests, political lobbying and by activating the media. Despite the subsequent Dutch discontinuation of the (planned) central storage of fingerprints in both national and municipal databases in 2011, everyone’s fingerprints are still taken when applying for a passport, and soon (as a result of the new European Regulation on ID cards) again for Dutch ID cards after this was retracted in 2014.
To date, however, the millions of fingerprints taken from virtually the entire adult population in the Netherlands have hardly been used in practice, as the biometric technology had already proven to be unsound and unworkable in 2009. The compulsory collection of everyone’s fingerprints under the Dutch Passport Act therefore still constitutes the most massive and longest-lasting privacy violation that the Netherlands has ever known.
Having read the current report of the Senate on the amendment of the Passport Act to reintroduce fingerprints in ID cards, Privacy First hereby draws your attention to the following concerns. In this context, we ask you to vote against the amendment of the law, in contravention of European policy. After all:
- As early as May 2016, the Dutch Council of State (Raad van State) ruled that fingerprints in Dutch identity cards violated the right to privacy due to a lack of necessity and proportionality, see https://www.raadvanstate.nl/pers/persberichten/tekst-persbericht.html?id=956 (in Dutch).
- Freedom of information requests from Privacy First have revealed that the phenomenon to be tackled (look-alike fraud with passports and identity cards) is so small in scale that the compulsory collection of everyone’s fingerprints is completely disproportionate and therefore unlawful. See: https://www.privacyfirst.nl/rechtszaken-1/wob-procedures/item/524-onthullende-cijfers-over-look-alike-fraude-met-nederlandse-reisdocumenten.html.
- In recent years, fingerprints in passports and identity cards have had a biometric error rate as high as 30%, see https://zoek.officielebekendmakingen.nl/kst-32317-163.html (Dutch State Secretary Teeven, January 31, 2013). Before that, Minister Donner (Security & Justice) admitted an error rate of 21-25%: see https://zoek.officielebekendmakingen.nl/kst-25764-47.html (April 27, 2011). How high are these error rates today?
- Partly because of the high error rates mentioned above, fingerprints in passports and ID cards are virtually not used to date, either domestically, at borders or at airports.
- Because of these high error percentages, former Dutch State Secretary Bijleveld (Interior and Kingdom Relations) instructed all Dutch municipalities as early as September 2009 to (in principle) refrain from conducting biometric fingerprint verifications when issuing passports and identity cards. After all, in the event of a ‘mismatch’, the ID document concerned would have to be returned to the passport manufacturer, which would lead to rapid societal disruption if the numbers were high. In this respect, the Ministry of the Interior and Kingdom Relations was also concerned about large-scale unrest and even possible violence at municipal counters. These concerns and the instruction of State Secretary Bijleveld still apply today.
- Since 2016, several individual Dutch lawsuits are still pending at the European Court of Human Rights in Strasbourg, challenging the mandatory issuing of fingerprints for passports and ID cards on the grounds of violation of Art. 8 ECHR (right to privacy).
- In any case, an exception should be negotiated for people who, for whatever reason, do not wish to give their fingerprints (biometric conscientious objectors, Art. 9 ECHR).
- Partly for the above reasons, fingerprints have not been taken for the Dutch identity card since January 2014. It is up to your Chamber to maintain this status quo and also to push for the abolition of fingerprints for passports.
For background information, see the report ‘Happy Landings' by the Scientific Council for Government Policy (WRR) that Privacy First director Vincent Böhre wrote in 2010. Partly as a result of this critical report (and the large-scale lawsuit brought by Privacy First et al. against the Passport Act), the decentralized (municipal) storage of fingerprints was largely abolished in 2011 and the planned central storage of fingerprints was halted.
For further information or questions regarding the above, Privacy First can be reached at any time.
The Privacy First Foundation
Today – on European Data Protection Day – the 2021 Dutch Privacy Awards were handed out during the Dutch National Privacy Conference, a joint initiative by Privacy First and the Dutch Platform for the Information Society (ECP). These Awards provide a platform for companies and governments that see privacy as an opportunity to distinguish themselves positively and to make privacy-friendly entrepreneurship and innovation the norm. The winners of the Dutch Privacy Awards 2021 are STER, NLdigital, Schluss, FCInet and the Dutch Ministry of Justice and Security.
Advertising without storage of personal data, contextual targeting: proven effectiveness
The Dutch Stichting Ether Reclame (Ether Advertising Foundation), better known as STER, was one of the first organizations in the Netherlands to abandon the common model of offering advertisements based on information collected via cookies. STER has developed a procedure that only uses relevant information on the webpages visited. No personal data are collected at all (data such as browser version, IP address and click-through behaviour). Advertisers submit their advertisements to STER, which are then put on the website in conformity with the protocol developed by STER, which is based on a number of simple categories. These categories are linked to the information that is shown, such as a TV program that someone has selected. The protocol has been built up and refined over the past period and now works properly.
In this way, STER kills several birds with one stone. Most importantly, initial applications show that this approach is at least as effective for advertisers as the old cookie-based way. Secondly, the approach removes parties from the chain. Data brokers who played a role in the old system are now superfluous. Apart from the financial gain for the chain, this also prevents data coming into the possession of parties the data should not end up with. And thirdly, STER stays in control of its own advertising campaigns.
This makes STER a deserved winner of the Dutch Privacy Awards. The concept developed is innovative and helps to protect the privacy of citizens without them having to make any effort. STER is also investigating the possibility of using the approach more broadly. This too is an innovation that the expert panel applauds.
In that sense STER’s approach is also a well-founded response to the data-driven superpowers on the market as it demonstrates that the endless collection of personal data is not at all necessary to get your message across, whether it is commercial or idealistic.
STER could perhaps also have been submitted as a Business-to-Business entry, but the direct interests of consumers meant that it was listed in the category of consumer solutions.
Organisational innovation and practical application: Data Pro Code
Entries for the Dutch Privacy Awards often relate to technical innovations. At NLdigital it is not the technology, but the approach that is innovative. It has given concrete meaning to GDPR obligations through agreements and focuses mainly on data processors, not on the responsible parties. This enables processors to make agreements more quickly, practically and with sufficient care – agreements which are also verifiable in this regard. Many companies provide services by making applications available which involve data processing. And that requires processing agreements, which are not easy to apply for every organization. Filling in the corresponding statement leads to an appropriate processing agreement for clients.
NLdigital’s code of conduct called Data Pro Code is a practical instrument tailor made for the target group: IT companies that process data on behalf of others. With the help of (600) participants/members, the Code is drawn up as an elaboration of Art. 28 of the GDPR. It has been approved by the Dutch Data Protection Authority and has led to a publicly accessible certification.
Winner: FCInet & Ministery of Justice and Security
Ma³tch, privacy on the government agenda: innovative data minimization
FCInet is innovative, privacy-enhancing technology that was developed by the Dutch Ministry of Justice and Security and the Dutch Ministry of Finance. It is meant to assist in the fight against (international) crime. Part of FCInet is Ma³tch, which stands for Autonous Anonymous Analysis. With this feature the Financial Criminal Investigation Services (FCIS) can share secure and pseudonymized datasets on a national level (for example with the Financial Intelligence Unit-Netherlands and the Fiscal Information and Investigation Service), but also internationally. Ma³tch is a technology that supports and enforces parties concerned to make careful considerations per data field. This is possible with regard to the question of which data these parties want to compare and on the basis of which conditions. This ensures that parties can set up the infrastructure in such a way that it can be technically enforced that data are exchanged only on a legitimate basis.
Through hashing, organization A encrypts (bundles of) personal data in such a way that receiving party B has the possibility to check whether a person known to organization B is also known to organization A. Only if it turns out that there is a match (because the list of known persons in hashed form of organization B is checked against the list of persons in the sent list) does the next step take place whereby organization B actually requests information about the person concerned from organization A. The check takes place in a secure decentralized environment, so organization A does not know whether there is a hit or not. The technology thus prevents the unnecessary perusal of personal data in the context of comparisons.
The open source code technology of FCInet offers broader possibilities for application, which is encouraged by the expert panel and was an important reason for the submission: it can be reused in many other organizations and systems. The panel therefore assessed this initiative as a good investment in privacy by the government, where, clearly, the issue of privacy really is on the agenda.
Schluss applied for the Dutch Privacy Awards in 2021 for the third time. That is not the reason for the Incentive Award, even though it may encourage others to persevere in a similar way.
The reason is that it is a very nice initiative, focused on the self-management of personal data. In the form of an app, private users are offered a vault for their personal data, whether they are of a medical, financial or other nature. Users decide which people or organizations gets access to their data. The idea is that others who are allowed to see the data no longer need to store these data themselves. Schluss has no insight into who uses the app, its role is only to facilitate the process. The technology, which is open source, guarantees transparency about the operation of the app.
Schluss won the prestigious Incentive Award because thus far the app has had only a beta release. However, promising projects have been started with the Volksbank and there is a pilot in collaboration with the Royal Dutch Association of Civil-law Notaries. With the mission statement (‘With Schluss, only you decide who gets to know which of your details’) in mind, Schluss chose to become a cooperation, an organizational form that appealed to the expert panel. With this national Incentive Award the panel hopes to encourage the initiators to continue along this path and to persuade parties to join forces with Schluss.
There are four categories in which applicants are awarded:
1. the category of Consumer solutions (business-to-consumer)
2. the category of Business solutions (within a company or business-to-business)
3. the category of Public services (public authority-to-citizen)
4. the incentive award for a ground breaking technology or person.
From the various entries, the independent expert panel chose the following nominees per category (listed in arbitrary order):
Roseman Labs (Secure Multiparty Computation)
Ministry of Health (CoronaMelder)
NLdigital (Data Pro Code)
FCInet & Ministry of Justice (Ma³tch)
STER (Contextual targeting)
During the National Privacy Conference all nominees presented their projects to the audience in Award pitches. Thereafter, the Awards were handed out. Click HERE for the entire expert panel report (pdf in Dutch), which includes participation criteria and explanatory notes on all the nominees and winners.
National Privacy Conference
The Dutch National Privacy Conference is a ECP|Platform for the Information Society and Privacy First initiative. Once a year, the conference brings together Dutch industry, public authorities, the academic community and civil society with the aim to build a privacy-friendly information society. The mission of both the National Privacy Conference and Privacy First is to turn the Netherlands into a guiding nation in the field of privacy. To this end, privacy by design is key.
These were the speakers during the 2021 National Privacy Conference in successive order:
- Monique Verdier (vice chairwoman of the Dutch Data Protection Authority)
- Judith van Schie (Considerati)
- Erik Gerritsen (Secretary General of the Dutch Ministery of Health, Welfare and Sport)
- Mieke van Heesewijk (SIDN Fund)
- Peter Verkoulen (Dutch Blockchain Coalition)
- Paul Tang (MEP for PvdA)
- Ancilla van de Leest (Privacy First chairwoman)
- Chris van Dam (Member of the Dutch House of Representatives for CDA)
- Evelyn Austin (director of Bits of Freedom)
- Wilmar Hendriks (chairman of the expert panel of the Dutch Privacy Awards).
The entire conference was livestreamed from Nieuwspoort in The Hague: see https://www.nieuwspoort.nl/agenda/overzicht/privacy-conferentie-2021/stream and https://youtu.be/asEX1jy4Tv0.
Dutch Privacy Awards expert panel
The independent expert Award panel consists of privacy experts from different fields:
- Wilmar Hendriks, founder of Control Privacy and member of the Privacy First advisory board (panel chairman)
- Ancilla van de Leest, Privacy First chairwoman
- Paul Korremans, partner at Comfort Information Architects and Privacy First board member
- Marc van Lieshout, managing director at iHub, Radboud University Nijmegen
- Alex Commandeur, senior advisor BMC Advies
- Melanie Rieback, CEO and co-founder of Radically Open Security
- Nico Mookhoek, privacy lawyer and founder of DePrivacyGuru
- Rion Rijker, privacy and data protection expert, IT lawyer and partner at Fresa Consulting.
In order to make sure that the Award process is run objectively, the panel members may not judge on any entry of his or her own organization.
In collaboration with the Dutch Platform for the Information Society (ECP), Privacy First organizes the Dutch Privacy Awards with the support of the Democracy & Media Foundation and The Privacy Factory.
Pre-registrations for the 2022 Dutch Privacy Awards are welcome!
Would you like to become a sponsor of the Dutch Privacy Awards? Please contact Privacy First!
A Dutch court has today handed down a judgment in preliminary injunction proceedings brought by Privacy First concerning the UBO register. The district court of The Hague confirmed that there is every reason to doubt the legality of the European money laundering directives which are the foundation of the UBO register. On this point the judge follows the very critical opinion of the European Data Protection Supervisor. The interim proceedings court rules that it cannot be excluded that the Court of Justice of the European Union (CJEU) will come to the conclusion that the public character of the UBO register is at odds with the proportionality principle. Questions over its legality were recently referred to the CJEU by a Luxembourg national court. As such, the Dutch court felt there is no need to do the same.
Privacy First had also requested a temporary deactivation of the UBO register. This, however, is a step too far for the court, which states that deactivating the register is not possible as long as the underlying EU guideline is still in force. It would put the Netherlands in a position in which it operates in violation of the European guideline. With this claim, the judge says, Privacy First is getting ahead of itself. Privacy First will examine the ruling on this point, also in view of possibly going into appeal.
‘The introduction of the UBO register would mean that privacy-sensitive data of millions of people will be up for grabs’, comments Privacy First’s attorney Otto Volgenant of Boekx Attorneys.’On all sides there are strong doubts whether this is actually an effective means in the fight against money laundering and terrorism. It’s like using a sledgehammer to crack a nut. The Court of Justice of the European Union will eventually adjudicate the case, and I expect it will annul the UBO register.’
At the start of this year, the Privacy First Foundation initiated fundamental legal action against the Dutch government on account of the new UBO register, which is linked to the Trade Register of the Dutch Chamber of Commerce. Under the law the UBO register is based on, all 1.5 million Dutch legal entities that are included in the Trade Register will have to make public all sorts of privacy-sensitive data about their Ultimate Beneficial Owners. This concerns personal data of millions of directors, shareholders and high executives of companies (including family businesses), foundations, associations, churches, social organizations, charities, etc. Privacy First deems that this is a massive privacy violation, one which also creates personal safety risks. That is why Privacy First has asked the court to immediately declare the UBO register unlawful. A lot of information in the register will be publicly available and can be requested by anyone. In Privacy First’s opinion this is completely disproportionate and an infringement of European privacy law. The CJEU will examine whether the European legislation on which the UBO register is based violates the fundamental right to privacy.
The ruling (in Dutch) by the interim proceedings court can be found here: http://deeplink.rechtspraak.nl/uitspraak?id=ECLI:NL:RBDHA:2021:2457.
Update 15 April 2021: yesterday Privacy First filed an urgent appeal against the entire judgment with the Court of Appeal of The Hague. The appeal subpoena can be found HERE (pdf in Dutch). Privacy First requests the Court, inter alia, to ask preliminary questions about the UBO register to the European Court of Justice and to suspend the UBO register until these questions are answered. In view of the major interests at stake, Privacy First hopes that the Court of Appeal of The Hague will hear this case as soon as possible.
Update 17 August 2021: the court hearing in the urgent appeal of Privacy First against the judgment will take place on Monday 27 September at the Court of Appeal in The Hague.
In the context of the National Privacy Conference organized by Privacy First and the Dutch Platform for the Information Society (ECP), today the Dutch Privacy Awards have been handed out. These Awards offer a podium to organizations that consider privacy as an opportunity to positively distinguish themselves and want privacy-friendly entrepreneurship and innovation to become a benchmark. The winners of the 2020 Dutch Privacy Awards are Publicroam, NUTS and Candle.
Safe and easy access to WiFi everywhere for guest users
Most people in libraries, hotels, coffee bars and other public places log onto the local WiFi network in order to save on mobile data and to not rely on mobile networks which indoors may not be available everywhere. Often, WiFi networks operate on the basis of a single, local password, indicated on tables and screens. This makes the digital activities of users vulnerable in more ways than one, with all the ensuing nasty consequences. On top of that, users may not be informed about what the internet provider does with their personal data. It is said that the trade in personal data is by now more profitable than the trade in oil.
These risks were first identified by educational institutions and later by public authorities. This led to the creation of international roaming services like Eduroam and Govroam. But why aren’t such services available everywhere and to everyone? Publicroam set out to change just that and is being welcomed in more and more places. And rightfully so, according to the Privacy Awards expert panel. Several large municipalities and organizations (all libraries in the Netherlands among them) are already connected to Publicroam, or will be soon. In and of itself this facility is not a completely new solution, but the expert panel is particularly impressed by the fact that it can offer great advantages to literally everyone in the country – and possibly beyond – and can therefore have a huge impact on what we’re used to: one account which allows all users to go online automatically and securely, with serious respect for privacy ensured.
It’s possible after all: sound business initiatives that respect privacy; Publicroam is proof of this.
Decentral infrastructure for privacy-friendly communication in healthcare
The NUTS Foundation is an initiative which aims to offer a privacy-friendly solution to identity management and sharing personal data in healthcare environments. It entails that individuals keep control over which healthcare data may be shared between healthcare providers. The NUTS Foundation has laid down its principles in a manifesto which all participants should ascribe to and which states that all software that’s being developed should meet the demands of open source. The result that the NUTS Foundation is striving for is a decentral system which keeps control over personal health information in the hands of the people involved.
The services offered by the decentral network are based on the principles of privacy by design. Identity management solutions contribute to irrefutably establishing the identity of individuals concerned. The decentral approach is in line with the digital healthcare architecture which is currently in the making and is also partly being introduced already. In this way, healthcare information components can use the decentral facilities that are being realized through NUTS.
In the eyes of the expert panel, the NUTS Foundation is a strong example of an initiative which not only looks at privacy issues in a comprehensive way but creates concrete solutions to these issues as well. The open source community that the NUTS Foundation is bringing to fruition, prevents vendor-lock-in in crucial areas of the digital healthcare infrastructure. Emerging digital Personal Healthcare Areas can equally make use of the decentral administrative provisions which NUTS is working towards. The rationale behind NUTS – creating a utility for a crucial part of the digital healthcare architecture – particularly appeals to the expert panel. Expanding the foundation, which currently by and large relies on a single company, will further increase the support for this initiative.
In order to give the NUTS Foundation the opportunity to further realize its ideals and to propagate these more widely, the expert panel has decided to confer this year’s Dutch Privacy Award for business solutions to the NUTS Foundation.
Privacy-friendly smart home solution
Candle is a reaction to a risk analysis (privacy by design) to Internet of Things products which unnecessarily connect to a cloud server. It’s a project which concentrates on developing alternative smart systems in and around the home, based on the principle that connection to the internet is unnecessary. Candle started off as a project organization run by students from universities and colleges of higher education as well as by artists’ collectives who aimed at developing practical hardware solutions combined with open source software. Various domestic appliances such as central heating, cameras, CO2 sensors and other applications can easily be connected with one another. A switch is used to make contact with an external network. Users make a deliberate choice when they import and export emails and other data.
Candle shows that it’s very well feasible to create a Smart solution without Big Tech companies and their data driven models. Meanwhile, there are various concept solutions which companies can actually put into practice. In its core, Candle is privacy by design and it opens people’s eyes to alternative smart systems.
"The market for ethical technology will grow in much the same way as the market for biological food has grown enormously. But how do we boost this market? That’s the challenge. The GDPR has ploughed the earth. Now it’s time to sow and entrust this concept to consumers", comments Candle.
There are four categories in which applicants are awarded:
1. the category of Consumer solutions (business-to-consumer)
2. the category of Business solutions (within a company or business-to-business)
3. the category of Public services (public authority-to-citizen)
4. The incentive prize for a ground breaking technology or person.
From the various entries, the independent expert panel chose the following nominees per category:
|Consumer solutions:||Business solutions:||Public services:|
During the National Privacy Conference the nominees presented their projects to the audience in Award pitches. Thereafter, the Awards were handed out. Click HERE for the entire expert panel report (pdf), which includes participation criteria and explanatory notes on all the nominees and winners.
National Privacy Conference
The National Privacy Conference is a ECP|Platform for the Information Society and Privacy First initiative. Once a year, the conference brings together Dutch industry, public authorities, the academic community and civil society with the aim to build a privacy-friendly information society. The mission of both the National Privacy Conference and Privacy First is to turn the Netherlands into a guiding nation in the field of privacy. To this end, privacy by design is key.
These were the speakers during the 2020 National Privacy Conference in successive order:
- Monique Verdier (vice chairman of Dutch Data Protection Authority)
- Richard van Hooijdonk (trendwatcher/futurist) and Bas Filippini (founder and chairman of Privacy First)
- Tom Vreeburg (IT-auditor)
- Coen Steenhuisen (privacy advisor at Privacy Company)
- Peter Fleischer (global privacy counsel at Google)
- Sander Klous (professor in Big Data Eco Systems, University of Amsterdam)
- Kees Verhoeven (Member of the Dutch House of Representatives for D66).
Expert panel of the Dutch Privacy Awards
The independent expert award panel consists of privacy experts from different fields:
• Bas Filippini, founder and chairman of Privacy First
• Paul Korremans, partner at Comfort Information Architects and Privacy First board member
• Marie-José Bonthuis, owner of IT’s Privacy
• Esther Janssen, attorney at Brandeis Attorneys specialized in information law and fundamental rights
• Marc van Lieshout, managing director at iHub, Radboud University Nijmegen
• Melanie Rieback, CEO and co-founder of Radically Open Security
• Nico Mookhoek, privacy lawyer and owner of NMLA
• Wilmar Hendriks, founder of Control Privacy and member of the Privacy First advisory board
• Alex Commandeur, senior advisor at BMC Advies.
In order to make sure that the award process is run objectively, the panel members may not judge on any entry of his or her own organization.
Privacy First organizes the Dutch Privacy Awards with the support of the Democracy & Media Foundation and in collaboration with ECP. Would you like to become a partner of the Dutch Privacy Awards? Then please contact Privacy First!
On July 1 and 2, 2019, the Netherlands will be examined in Geneva by the United Nations Human Rights Committee. This UN body is tasked with supervising the compliance of one of the oldest and most important human rights treaties in the world: the International Covenant on Civil and Political Rights (ICCPR). Each country which is a contracting party to the ICCPR is subject to periodical review by the UN Human Rights Committee. At the beginning of next week, the Dutch government must answer before the Committee for various current privacy issues that have been put on the agenda by Privacy First among others.
The previous Dutch session before the UN Human Rights Committee dates from July 2009, when the Dutch minister of Justice Ernst Hirsch Ballin had to answer for the then proposed central storage of fingerprints under the new Dutch Passport Act. This was a cause for considerable criticism of the Dutch government. Now, ten years on, the situation in the Netherlands will be examined once more. Against this background, Privacy First had submitted to the Committee a critical report (pdf) at the end of 2016, and has recently supplemented this with a new report (pdf). In a nutshell, Privacy First has brought the following current issues to the attention of the Committee:
- the limited admissibility of interest groups in class action lawsuits
- the Dutch ban on judicial review of the constitutionality of laws
- Automatic Number Plate Recognition (ANPR)
- border control camera system @MIGO-BORAS
- the Dutch public transport chip card ('OV-chipkaart')
- Electronic Health Record systems
- possible reintroduction of the Telecommunications Data Retention Act
- the new Dutch Intelligence and Security Services Act (‘Tapping Law’)
- Passenger Name Records (PNR)
- the Dutch abolition of consultative referendums
- the Dutch non-recognition of the international prohibition of propaganda for war.
The entire Dutch session before the Committee can be watched live on UN Web TV on Monday afternoon, July 1, and Tuesday morning, July 2. In addition to privacy issues, several Dutch organizations have put numerous other human rights issues on the agenda of the Committee; click HERE for an overview, which also features the previously established List of Issues (including the new Intelligence and Security Services Act, the possible reintroduction of the retention of telecommunications data, camera system @MIGO-BORAS, and medical confidentiality with health insurance companies). The Committee will likely present its ‘Concluding Observations’ within a matter of weeks. Privacy First awaits the outcome of these observations with confidence.
Update July 26, 2019: yesterday afternoon the Committee has published its Concluding Observations on the human rights situation in the Netherlands, which includes critical opinions on two privacy issues that were brought to the attention of the Committee by Privacy First:
The Intelligence and Security Services Act
The Committee is concerned about the Intelligence and Security Act 2017, which provides intelligence and security services with broad surveillance and interception powers, including bulk data collection. It is particularly concerned that the Act does not seem to provide for a clear definition of bulk data collection for investigation related purpose; clear grounds for extending retention periods for information collected; and effective independent safeguards against bulk data hacking. It is also concerned by the limited practical possibilities for complaining, in the absence of a comprehensive notification regime to the Dutch Oversight Board for the Intelligence and Security Services (CTIVD) (art. 17).
The State party should review the Act with a view to bringing its definitions and the powers and limits on their exercise in line with the Covenant and strengthen the independence and effectiveness of CTIVD and the Committee overseeing intelligence efforts and competences that has been established by the Act.
The Market Healthcare Act
The Committee is concerned that the Act to amend the Market Regulation (Healthcare) Act allows health insurance company medical consultants access to individual records in the electronic patient registration without obtaining a prior, informed and specific consent of the insured and that such practice has been carried out by health insurance companies for many years (art. 17).
The State party should require insurance companies to refrain from consulting individual medical records without a consent of the insured and ensure that the Bill requires health insurance companies to obtain a prior and informed consent of the insured to consult their records in the electronic patient registration and provide for an opt-out option for patients that oppose access to their records.
During the session in Geneva the abolition of the referendum and the camera system @MIGO-BORAS were also critically looked at. However, Privacy First regrets that the Committee makes no mention of these and various other current issues in its Concluding Observations. Nevertheless, the report by the Committee shows that the issue of privacy is ever higher on the agenda of the United Nations. Privacy First welcomes this development and will continue in the coming years to encourage the Committee to go down this path. Moreover, Privacy First will ensure that the Netherlands will indeed implement the various recommendations by the Committee.