Mass storage of fingerprints violates the right to privacy
Following the Court of Appeal of The Hague, today the Dutch Council of State (Raad van State) judged that municipal (‘decentral’) storage of fingerprints under the Dutch Passport Act is unlawful on account of violation of the right to privacy. The Council of State reached this conclusion in seven administrative law cases of Dutch individual citizens (supported by civil organization Vrijbit). At the start of 2014, the Court of Appeal of The Hague handed down a similar ruling in the civil Passport case by the Privacy First Foundation and 19 (other) citizens against the Dutch government. Subsequently however, our Passport trial was declared inadmissible by the Dutch Supreme Court and was redirected to the administrative judge: the Dutch Council of State. Privacy First then submitted its entire case file to the Council of State in order to reinforce the individual passport cases pending before this body. The Council of State (the supreme administrative court of the Netherlands) now rules similar to the way the Court of Appeal of The Hague has done before. Notwithstanding the later inadmissibility before the Supreme Court, the ban on the storage of everyone’s fingerprints in databases thus stands firm once again.
Faulty judgement and procedure
As was the case with the previous judgement by the Court of Appeal of The Hague, Privacy First regrets that the Council of State was unwilling to declare the storage of fingerprints unlawful on strictly principal grounds (that is, because of a lack of societal necessity, proportionality and subsidiarity), but merely on the basis of technical imperfections. Therefore, Privacy First will advise the concerned citizens to keep on litigating all the way up to the European Court of Human Rights (ECtHR) in Strasbourg. Considering the existing Strasbourg case law, there is a high likeliness that the Netherlands will still be condemned on principal grounds on account of violation of the right to privacy (art. 8 European Convention on Human Rights, ECHR). Privacy First also expects a condemnation on account of violation of the right of access to justice and an effective legal remedy (art. 6 and 13 ECHR). After all, civil litigation against the Dutch Passport Act proved to be impossible, and administrative legal action was possible only indirectly after the rejection of individual requests for new passports or ID cards (in case the applicants refused to have their fingerprints taken). In order to obtain their current victory before the Council of State, these citizens thus have had to get by for years without passports or ID cards, with all the problems and risks this entailed.
Exceptions for conscientious objectors
In today’s judgement, the Council of State also decided that the compulsory taking of two fingerprints for a new passport applies equally to everyone and that there can be no exceptions for people who do not want to have their fingerprints taken out of conscientious objections. Privacy First is doubtful whether this verdict will stand the scrutiny of the ECtHR. Apart from a violation of the right to privacy, it seems this decision is also in breach of the freedom of conscience (art. 9 ECHR). The fact that the European Passport Regulation does not include such an exception is irrelevant as this Regulation is subordinate to the ECHR.
RFID chips and facial scans
Privacy First also deplores the fact that the Council of State was not prepared to make a critical assessment of the risks of Radio Frequency Identification (RFID) chips (which include sensitive personal data that can be read remotely) in passports and ID cards. The same goes for the compulsory storage of facial scans in municipal databases. But these aspects, too, can still be challenged in Strasbourg.
Municipalities’ own responsibility
A small ray of hope in the judgement by the Council of State is that municipalities and mayors have their own responsibility to respect human rights (including the right to privacy) independently, even if this means independently refraining from applying national legislation because it violates higher international or European law:
"Insofar as the mayor claims that there is no possibility to deviate from the provisions (laid down in national law), the [Council of State] holds that pursuant to Article 94 of the [Dutch] Constitution, current statutory provisions within the Kingdom [of the Netherlands] do not apply if such application is not compatible with any binding provisions of treaties and of resolutions of international organizations.’’ (Source in Dutch, paragraph 6.)
This decision by the Council of State applies to all domains and could have far-reaching consequences in the future.
New ID cards for free
The ruling of the Council of State entails that for applications of new ID cards, fingerprints have been taken (and stored) on a massive scale but without a legal basis since 2009. Accordingly, Privacy First advises everyone in the possession of an ID card with fingerprints to change it (if desired) at his or her municipality for a free new one without fingerprints. If municipalities refuse to offer this service, Privacy First reserves the right to take new legal steps in this regard.
After years of legal proceedings against the storage of fingerprints under the Dutch Passport Act — one of the gravest privacy violations in the Netherlands — Privacy First and 19 co-plaintiffs were declared inadmissible by the Dutch Supreme Court.
Since May 2010, a large-scale lawsuit against the central storage of fingerprints under the Dutch Passport Act by Privacy First and 19 co-plaintiffs (Dutch citizens) has been under way. This so-called 'Passport Trial' was a civil case because with regard to the merits of the case, individual citizens were not able to turn to an administrative court.
Citizens could only go to an administrative court if they would first provoke an individual decision: an administrative refusal to issue a passport or ID card after an individual refusal to give one's fingerprints. Hence, they could only litigate on an administrative level if they were prepared to live without a passport or ID card for years.
Moreover, the provision in the Passport Act on the central storage of fingerprints (Article 4b) still hasn't entered into force. Therefore, the administrative courts were unauthorized to assess this provision. Moreover, contrary to other countries, a direct administrative appeal against Dutch law (Acts and statutes) isn't possible in the Netherlands.
Subsequently, an administrative court would only have been able to individually and indirectly ("exceptionally") assess this provision on the basis of higher privacy legislation after that same provision would have entered into force, that is to say, after the central storage (and exchange) of everyone's fingerprints would have become a fait accompli.
To prevent such a massive violation of privacy, only the civil courts were authorized to rule in the case of Privacy First et al. For many years civil courts have been the perfect type court for the direct assessment of national legislation on the basis of higher (privacy) legislation, even if the national legislation in question has not yet entered into force but does entail an imminent privacy violation.
As a relevant foundation, Privacy First was able to take civil action in the general interest, on behalf of the Dutch population at large. Since the early 90s this is possible via a special procedure under Article 3:305a of the Dutch Civil Code: the so-called "action of general interest." Up until May 2010, when Privacy First et al. summoned the Dutch government, the Dutch Supreme Court seemed to have given the green light for this.
However, in July 2010, the Supreme Court disregarded its earlier case law by declaring that interest groups can only turn to a civil court if individual citizens cannot pursue legal proceedings before an administrative court. But in Privacy First's Passport Trial, citizens could not apply to an administrative court. So Privacy First et al. still had a very strong case. What's more, the admissibility criteria of the Supreme Court seemed not to apply to actions of general interest, but merely to 'group actions' that are organized on behalf of a specific group of people instead of the entire population.
In February 2011, the district court of The Hague wrongly declared our Passport Trial inadmissible. This decision was subsequently appealed by Privacy First et al. Courtesy also of the pressure exerted by this appeal, the central (as well as municipal) storage of fingerprints was largely discontinued in the summer of 2011 and the taking of fingerprints for Dutch ID Cards was halted altogether at the start of 2014.
In February 2014, The Hague Court of Appeal declared Privacy First — in the general interest — admissible after all and judged that the central storage of fingerprints under the Passport Act was in violation of the right to privacy. The Dutch Minister of the Interior, Ronald Plasterk, was not amused and demanded an appeal in cassation before the Dutch Supreme Court.
Against all odds (as Privacy First had virtually all Dutch legislation, legislative history, case law and legal literature on its side), on May 22, 2015, the Dutch Supreme Court declared Privacy and its 19 co-plaintiffs inadmissible once more. According to the Supreme Court, the citizens can turn to an administrative court, which has also blocked the road to a civil court for Privacy First.
All this while in the last few years it had been established that the co-plaintiffs could not turn to an administrative court, at least not for the review of Article 4b of the Passport Act concerning the central storage of fingerprints. In innumerable administrative cases over the past few years, judges of various Dutch administrative courts have declined jurisdiction in this respect. That meant that for Privacy First as an interested organization, the road to an administrative court was equally blocked.
The fact that the Supreme Court rules as if that isn't so is simply incomprehensible. Furthermore, litigating citizens can neither be expected to get by without a passport for years, nor can they be expected to first let their privacy be violated (giving up fingerprints, even for storage) before a judge can determine whether this is legal. The fact that the Supreme Court seems to require this just the same is not just inconceivable (as well as in breach of its own case law) but also reprehensible.
Gap in the legal protection
The ruling by the Dutch Supreme Court creates a legal vacuum in the Netherlands: if citizens or organizations want massive and imminent privacy violations, such as the central storage of fingerprints under the Passport Act, to be reviewed, then they may not be able to turn to either a civil or an administrative court. This creates a gap in the legal protection that has been in place in the Netherlands over the past few decades.
The Supreme Court may now have passed on this case to the highest Dutch administrative court (the Council of State), but it's all but certain that the Council of State is able and still prepared to review the central storage of fingerprints under the Passport Act. In light of this, the Supreme Court should have waited for the ruling by the Council of State in four current and parallel administrative cases revolving around the Passport Act, prior to coming up with its ruling in Privacy First's Passport Trial. By not doing this, the Supreme Court has taken a huge risk, has prematurely stepped into the shoes of the Council of State and has put the Council of State under severe pressure.
If the Council of State were soon to judge differently than the Supreme Court (that is to say, if the Council of State would judge that it is equally unauthorized to rule in this matter), the two institutions would make an enormous blunder and would create a huge gap in the legal protection in the Netherlands, in contravention of the European Convention on Human Rights (ECHR)
Multiple ECHR violations
Privacy First et al. await the ruling of the Council of State with considerable anticipation. In the meantime, Privacy First et al. will already prepare to file a complaint with the European Court of Human Rights in Strasbourg on account of a breach of Article 8 ECHR (right to privacy) and Articles 6 and 13 EHCR (right to access to justice and an effective legal remedy). Despite the Kafkaesque anti-climax before the Dutch Supreme Court, a European conviction of the Netherlands would thus be on the cards once the complaint has been filed.
Read the entire judgment by the Dutch Supreme Court HERE (in Dutch).
Click HERE for our entire case file.
A similar version of this article was published on http://www.liberties.eu/en/news/bad-day-for-privacy-in-the-netherlands.
Today, the European Court of Justice in Luxembourg (EU Court) has come up with its long awaited judgment in four Dutch cases related to the storage of fingerprints under the Dutch Passport Act. The EU Court did so at the request of the Dutch Council of State. The EU Court deems the storage of fingerprints in databases to fall outside the scope of the European Passport Regulation. Therefore, the Court leaves the judicial review of such storage to national judges and the European Court of Human Rights.
Cause for the ruling
In all four Dutch cases citizens refused to give their fingerprints (and facial scans) when they requested a new Dutch passport or ID card. For this reason, their requests for a new passport or ID card were rejected. In 2012, their subsequent lawsuits ended up before the Dutch Council of State (Raad van State), which decided to ask the EU Court to clarify relevant European law (European Passport Regulation) before coming up with its own ruling. Subsequently, in 2013, the EU Court judged in a similar German case that the obligation to give ones fingerprints under the Passport Regulation is not unlawful. However, in this case, the EU Court failed to carry out a thorough review on the basis of the privacy-related legal requirements of necessity and proportionality. Moreover, the EU Court refused to merge the (more substantiated) Dutch cases with the German one, even though this was an explicit request from the Council of State. The ruling of the EU Court in the German case presented the Council of State (along with 300 million European citizens) with a disappointing fait accompli. During the case before the EU Court at the end of 2014, new arguments and new evidence in the Dutch cases fell on deaf ears: the EU Court wished not to deviate from the German case and appeared uninterested in the, by now, proven lack of necessity and proportionality of taking fingerprints (low passport fraud rates) and the enormous error rates when it comes to the biometric verification of fingerprints (25-30%). In that sense, the current ruling of the EU Court comes as no surprise to the Privacy First Foundation.
Bright spot: ID card without fingerprints
The only chink of light in the ruling of the EU Court is the confirmation that national ID cards don't fall within the scope of the European Passport Regulation. The Dutch government seemed to have already been anticipating this judgment by ending the compulsory taking of fingerprints for ID cards as of January 20, 2014. In this respect, the ruling of the EU court doesn't bring any change to the current situation in the Netherlands, but it does confirm that the introduction of ID cards without fingerprints at the start of 2014 was the right choice of the Dutch government. Most other EU Member States have never actually had ID cards with fingerprints; under the European Passport Act, the compulsory taking of fingerprints only applied to passports. The fact that in between 2009 and 2014 the Netherlands wished to go further than the rest of Europe, was therefore at its own risk.
EU Court leaves judgement on database storage of fingerprints to national judges and the European Court of Human Rights
The EU Court in Luxemburg rules that possible storage and use of fingerprints in databases doesn't fall within the scope of the European Passport Regulation and leaves the judicial review of such storage to national judges and the European Court of Human Rights in Strasbourg. However, in various (over a dozen) pending individual cases in the Netherlands against the Dutch Passport Act, administrative judges have so far always decided that such judicial review falls outside of their powers, as the relevant provisions of the Passport Act have not (yet) entered into force. It's now up to the Council of State to adjudicate on this matter. At the same time, the Dutch Supreme Court is currently looking into the collective civil Passport Trial of Privacy First and 19 co-plaintiffs (citizens), where such judicial review has already successfully been carried out by the Hague Court of Appeal and is now before the Supreme Court. In February 2014, the Hague Court of Appeal rightly judged that central storage of fingerprints is in breach of the right to privacy. In that sense the case of Privacy First is in line with the EU Court: review of database storage by a national judge, possibly followed by the European Court of Human Rights. Current individual cases before the Council of State may soon be resumed before the European Court of Human Rights as well. Privacy First hopes that this complex interaction between different judges will lead to the desired results with regard to privacy: a repeal of the taking and storage of fingerprints for passports!
Read the entire ruling of the EU Court HERE.
Update 17 April 2015: unfortunately, the ruling of the EU Court led to a lot of misleading media reporting in the Netherlands through Dutch press agency ANP (for example in Dutch national newspaper Volkskrant). Better comments can be found at the website of SOLV Attorneys, in this blog post by British professor Steve Peers and in Dutch newspaper Telegraaf, translated below:
A database with fingerprints, relinquished by people who request a new passport, seems to have come a step closer. This could be deduced from a ruling of the European Court of Justice.
The Council of State asked the judges in Luxembourg for an opinion on four cases of citizens who refused to give their fingerprints. They appealed not getting a passport because of this. In a similar German case, the EU Court ruled that the compulsory taking of fingerprints isn't unlawful under European law.
Yesterday, the EU Court ruled in the Dutch case that the storage of fingerprints is a responsibility of the Member States. So the national judge will have to review this. As the only Member State, the Netherlands wanted a central register of fingerprints: a register that would even be accessible by secret services. The Passport Act that regulated this has not yet entered into force and last year the Hague Court of Appeal ruled that the central storage is in breach of the right to privacy.
Research points out that such a database brings along many risks, varying from security leaks to improper use and criminal manipulation. This proves that the whole system is a monstrosity that should never be introduced."
Source: Telegraaf 17 April 2015, p. 2.
"The Court of Justice in the Hague has ruled that fingerprints gathered from individuals getting a new passport can't be held centrally and used in criminal investigations.
Dutch authorities have been prevented from storing citizens' fingerprints in a central database following a ruling this week by the Court of Justice in the Hague.
In the Netherlands, individuals' fingerprints are gathered by the local municipality when they apply for a new passport. The government had proposed gathering those different sets of fingerprints into a central database, which could then be accessed by police for the purposes of matching fingerprints found in criminal investigations.
However, the system turned out to be far from perfect — 21 percent of fingerprints collected by the authorities in the Netherlands were unusable to identify individuals.
The court found such a high level unacceptable: "This can mean nothing other than the storage of fingerprints in a central register is not suitable for the purpose originally envisioned, that is, the determination and verification of one's identity.
"This means that it is also not suitable for the prevention of identity fraud or for the process of requesting a new travel document or using a travel document, which is one of the main purposes of the Act [the legislation which requires fingerprints in Dutch passports]. Therefore the conclusion is that the invasion of privacy formed by the central storage of fingerprints is unjustified."
No immediate effect
Although the ruling is a significant victory for Privacy First, the privacy group that brought the case before the Court of Justice, it won't have immediate consequences for the Dutch government.
The European Court of Justice had already ruled in October last year that the directive requiring European member states to include two fingerprints in their passports did not provide a legal basis for then also including all citizens' prints in a central repository.
In addition, the court stipulated that fingerprints given by individuals for such purposes could not to be used for criminal investigations.
However, according to Christiaan Alberdingk Thijm, the lawyer representing Privacy First, the ruling will have a bearing on any future government attempts to collect sensitive data, such as photos.
"This is not only good news for those opposing plans of a central fingerprint database, but for those opposing any central government owned database," he said."
Source: http://www.zdnet.com/no-you-cant-store-peoples-fingerprints-in-a-central-database-dutch-court-rules-7000026505/, 19 February 2014.
In a groundbreaking judgment, the Hague Court of Appeal has today decided that centralised storage of fingerprints under the Dutch Passport Act is unlawful. The Privacy First Foundation and 19 co-plaintiffs (Dutch citizens) had put forward this legal issue to the Court of Appeal in a so-called 'action of general interest' ("algemeen-belangactie"). In February 2011, the district court of The Hague had declared Privacy First inadmissible. Because of this, the district court couldn't address the merits of the case. The Court of Appeal has now declared Privacy First to be admissible after all and has quashed the judgment of the district court. Moreover, the Appeals Court deems centralised storage of fingerprints under the Dutch Passport Act to be unlawful since it violates the right to privacy. Therefore it seems that centralised storage of fingerprints under the Dutch Passport Act will be shelved once and for all.
In May 2010, Privacy First et al. took the Dutch government (Ministry of Home Affairs) to court on account of the centralised storage of fingerprints under the new Dutch Passport Act. Such storage had mainly been intended to prevent small-scale identity fraud with Dutch passports (look-alike fraud).
Partly due to the pressure exerted by this lawsuit of Privacy First, central storage of fingerprints was brought to a halt in the Summer of 2011. The judgment by the Hague Court of Appeal has now made any future centralised storage of fingerprints legally impossible: the Court deems centralised storage of fingerprints an "inappropriate means" to prevent identity fraud with travel documents. According to the Court "this cannot but lead to the conclusion that the infringement upon the right to privacy caused by centralised storage of fingerprints is not justified. In that regard the district court should have awarded the claim of Privacy First." (Para. 4.4.)
This is a great victory for Privacy First and for all the citizens who have stood up against centralised storage of fingerprints under the Dutch Passport Act in recent years. The judgment by the Court also paves the way for Privacy First (and other civil society organizations) to continue to initiate lawsuits in the general interest for the preservation and promotion of the right to privacy, for example the new lawsuit by Privacy First et al. against the Dutch government on account of illegal data espionage (NSA case). Recently the Dutch State Attorney deemed Privacy First to be admissible in this case too. These developments are a great impetus for Privacy First to continue to take legal steps in the coming years for the sake of everyone's right to privacy.
Read the entire judgment by the Hague Court of Appeal HERE (pdf in Dutch; for a text-version on the website of the Netherlands Judiciary, click HERE).
Click HERE for the press release by our attorneys of Bureau Brandeis.
Update 21 May 2014: the Dutch government appears to be a sore loser: earlier this week the State Attorney has lodged an appeal (in Dutch: 'cassatie') against the ruling of the Hague Court of Appeal at the Supreme Court of the Netherlands; click HERE (pdf in Dutch) for the appeal summons. The Dutch government wants Privacy First to be declared inadmissible after all and calls on the Supreme Court to still declare central storage of fingerprints lawful. This must not happen. Privacy First is considering its options in its own defence.
Update 21 November 2014: today Privacy First et al. have submitted to the Supreme Court their statement of defence against the appeal summons; click HERE for the document (pdf in Dutch). In the appeal, Privacy First et al. are being represented by Alt Kam Boer Attorneys in The Hague; this law-office is specialised in Supreme Court litigation. On behalf of the Dutch government (Ministry of Home Affairs) the State Attorney has today submitted a written explanation to the previous appeal summons; click HERE (pdf in Dutch). The next steps could consist of a written reply and rejoinder, followed by advice (''conclusion'') from the Procurator General at the Supreme Court (to which Privacy First et al. would be able to respond) and a judgment by the Supreme Court midway through 2015.
Update 5 December 2014: today Privacy First et al. have delivered an early Christmas present to the Dutch Minister of Home Affairs: our written reply (rejoinder) to the recent explanation of the Ministry of Home Affairs to the previous appeal summons. Click HERE for the document (pdf in Dutch). The Dutch government, in turn, submitted a short reply to the recent statement of defence by Privacy First et al.; click HERE (pdf in Dutch). On 9 January 2015 the Supreme Court will set a date on which the Procurator General will issue his advice.
Update 12 January 2015: the Procurator General at the Supreme Court will issue his advice ("conclusion") on 10 April 2015.
Update 12 March 2015: Much earlier than expected, Advocate General Mr. Jaap Spier delivered his advice (''conclusion'') in the case to the Supreme Court on 20 February 2015; click HERE (pdf in Dutch, 7 MB). Its conservative contents and tone are notable aspects of his advice. Furthermore, the Advocate General wrongfully assumes that the contested provisions of the Dutch Passport Act had never become legislation. While he upholds Privacy First's admissibility, he does so on the wrong legal grounds. Moreover, the Advocate General does not touch on the substance of the privacy issues at all, is incorrect in his view that proceedings could have taken place before an administrative judge and, erroneously, wants Privacy First et al. to still pay for the legal costs of the proceedings. In response to the advice of the Advocate General, within the formal term of two weeks Privacy First submitted a response letter ("Borgers brief") to the Supreme Court; click HERE (pdf in Dutch). No such letter has been submitted by the Dutch State Attorney. Therefore, Privacy First has had the final say in this case. We will now have to wait for the Supreme Court ruling, which is expected later this year.
Model Municipality Guarantee Letter 2.0
In case you are in need of a new Dutch passport or ID card even though you find it a problem having your fingerprints taken, you can protest against this and cover yourself against the possible consequences of how the Dutch government will deal with your personal data by using the letter below. You can download the Municipality Guarantee Letter for personal use in PDFor in Word-format.
Privacy First has already filled in some possible objections in the model letter. However, you can alter or complete the letter to your own wishes.
At your request your municipality is obliged to accept this Municipality Guarantee Letter, according also to the Dutch National Ombudsman. See also the report about this in Dutch national newspaper De Telegraaf of 22 April 2010.
MODEL MUNICIPALITY GUARANTEE LETTER IN CASE OF A NEW PASSPORT OR ID CARD WITH FINGERPRINTS
Municipality [name of your municipality]
Attn [name of the mayor or the name of the authorised representative of the municipality]
[Address town hall]
[Postal code] [City]
[Your place of residency], [Date]
Dear Sir/Madam [name of the mayor],
You, or one of your officials has stated that on account of the new Dutch Passport Act it is not possible for me to apply for a passport and/or ID card without me providing fingerprints. These fingerprints will be stored in an RFID-chip in my passport or ID card that can be read from a distance.
I hereby protest against the taking of my fingerprints on the following grounds:
1) Having my fingerprints taken constitutes a violation of my human dignity. Fingerprints are to be taken of criminal suspects. Not of innocent citizens.
2) My fingerprints are, and remain, my property. The government has no say over this.
3) Current fingerprint technology (biometrics) does not work in 21-25% of cases. Going ahead with it is a waste of funds at the expense of citizens.
4) By having my fingerprints taken I risk becoming a victim of (biometric) identity fraud, for example after (the RFID-chip in) my passport or ID card has been stolen, lost or hacked into.
This situation constitutes an illicit restriction of my right to the protection of my private life as laid down in Article 8 of the European Convention on Human Rights. Therefore I only provide my fingerprints under protest of having to do so.
Moreover, I would like to point out to you that all actions carried out by the municipality with regard to my fingerprints have to comply with the rules of the Dutch Data Protection Act (Wet bescherming persoonsgegevens, Wbp).
I hereby request you to declare, by signing this letter, that the municipality has taken note of my objections and will only process my fingerprints in compliance with the Wbp. This implies, among other things, that the municipality:
1) will process my fingerprints in a fair and accurate way;
2) will not proceed to further process my fingerprints in ways incompatible with the purposes for which the fingerprints have been obtained (viz., the issuance of a passport and/or ID card);
3) will not provide my fingerprints to any third parties without my explicit prior approval;
4) will not store my fingerprints any longer than is necessary for the realization of the purposes for which the fingerprints have been collected or processed (viz., the issuance of a passport and/or ID card); and
5) will protect my fingerprints against any loss or any form of unlawful processing by means of suitable technical and organizational measures.
I would like to receive this signed letter five days from now at the latest at the address indicated below.
Nothing in this letter may be assumed to be a recognition of the right of the municipality to carry out the above-described actions with my fingerprints. The content of this letter does not restrict any of my rights, all of which are reserved. Furthermore, I would like to point out to you that in case the municipality will process my fingerprints without taking the Wbp into account, or in any other illicit way, the municipality is bound to reimburse any possible damage suffered by me as a consequence.
Signed for agreement on behalf of the municipality,
The appeal by Privacy First and 19 citizens against the Dutch government
On February 2, 2011, the Privacy First Foundation and 21 co-plaintiffs (citizens) were declared inadmissible by the district court of The Hague in our civil case against the Netherlands regarding the 2009 Dutch Passport Act. A proposal by the Dutch Minister of the Interior, Ms. Liesbeth Spies, to revise the Passport Act has been presented to the House of Representatives on 17 October this year. However, in this legislative proposal the original provision (Article 4b) concerning a centralised database remains intact for the greater part. Under this provision, biometric data of every Dutch citizen will be used for criminal investigation and prosecution purposes as well as intelligence work, disaster control and counter-terrorism. This constitutes a flagrant violation of, among other things, European privacy law. Efforts by individual citizens to challenge this through individual administrative court cases have thus far not yielded any results, since the administrative courts proved unwilling to evaluate the provision in question. Nevertheless, the Dutch Council of State (Raad van State) has recently made a preliminary reference to the European Court of Justice in
To that end we have today presented our Statement of Appeal to the Court of Appeal in The Hague. In this Statement Christiaan Alberdingk Thijm and Vita Zwaan (SOLV Attorneys) outline why Privacy First and co-plaintiffs have to be declared admissible. Subsequently, it will be possible for the Passport Act to be legally scrutinized in its entirety by the court and be measured up against higher law, including European privacy legislation. Our entire Statement of Appeal can be downloaded HERE (in Dutch). The Appeals Court of The Hague is expected to deliver its judgment before the summer.
Privacy First makes an urgent appeal to all Dutch citizens to contribute to the financing of this lawsuit. This can be done by donating on account number 22.214.171.1241 attn. Stichting Privacy First in
The Privacy First Foundation has, with pleasure, just taken cognisance of 1) the announcement earlier today of a Dutch legislative proposal to abrogate fingerprints in ID cards and 2) the decision by the Dutch Council of State (Raad van State) to make a request for a preliminary ruling to the European Court of Justice in Luxembourg on the legality and interpretation of the European Passport Regulation in four administrative cases of individual Dutch citizens. The Privacy First Foundation hereby makes an appeal to Dutch Parliament to adopt the legislative proposal to abrogate fingerprints in ID cards as soon as possible. In anticipation of the expected adoption of this legislative proposal, taking people's fingerprints for ID cards must be halted immediately or at least become voluntary as a temporary solution. Privacy First also hopes that the European Court of Justice will swiftly deal with the preliminary reference and conclude that taking fingerprints for passports and ID cards is unlawful because it violates the right to privacy. Further comments by Privacy First will follow.
Update 18.00h: listen to the interview (in Dutch) with Privacy First on Radio 1.
Update 29 September 2012: see also our reaction in the Dutch regional press.
This Tuesday afternoon it is expected that the Dutch House of Representatives will vote in favour of two important motions. The first motion urges the Dutch government to have the European Passport Regulation critically discussed in Brussels. The second motion appeals to the government to take a firm stand in Brussels for there to be a critical reaction to American extraterritorial legislation, such as the notorious US Patriot Act. Both motions have come into being partly as a result of earlier reports by Privacy First about 1) the futility of taking fingerprints for passports and ID-cards and 2) the risk of Dutch fingerprints secretly ending up in foreign hands.
The current taking of fingerprints is the result of the European Passport Regulation. This regulation dates back to the end of 2004 and primarily came into existence under pressure of the American Bush administration. Back then there was hardly any critical discussion about the benefits and necessity of taking people's fingerprints for travel documents. At the time the responsible rapporteur of the European Parliament wasn’t even able to bring out into the open statistics about this matter, as was recently revealed through a FOIA-request filed by Privacy First. Soon it will be up to the European Commission to still prove the effectiveness of the Passport Regulation. In case the Commission fails in doing so, the Regulation should be discarded immediately.
Apart from fingerprints, the long arm of the Bush administration has for years been reaching deep into the heart of
In recent years
Update: Both motions have been adopted by the House of Representatives with an overwhelming majority! You can find a video of it HERE (in Dutch, starting at 9m55s). Only the right-wing Party for Freedom (PVV) rejected the motions.
The following article by Privacy First employee Vincent Böhre was published this month in the periodical De Filosoof (‘The Philosopher’, University of Utrecht). Tomorrow the Dutch Passport Act will be high on the Dutch political agenda: in a debate with the Minister of the Interior Liesbeth Spies the compulsory taking of fingerprints for Dutch passports and ID cards will be discussed. Privacy First has recently (again) emphasized to all political parties in the Dutch House of Representatives to have passports without fingerprints introduced as soon as possible and to make a request to the government to have the Passport Regulation revised at the European level. This in order for the compulsory taking of fingerprints to be done away with also for passports, or at least to become of a voluntarily nature. The text below offers a quick recap with a positive twist. A pdf version of the original article in Dutch can be found HERE (pp. 6-7).
The biometric passport as an unintended privacy gift
‘‘Late 2001, the Christian-democratic political party CDA proposed storing the fingerprints of every Dutch citizen through passports for criminal investigation purposes. However, this proposal was immediately scrapped by other political parties because it would lead to a Big Brother society. Nonetheless, an even more far-reaching proposal became law seven years later almost inconspicuously. Under the new Dutch Passport Act, apart from criminal investigation and prosecution, everyone’s fingerprints and facial scan (biometric data) could also be used for counter-terrorism, domestic and foreign State security, disaster control and personal identification. However, none of these legal purposes had been discussed in Parliament. In fact, the new Passport Act was accepted by the Senate even without a vote. The media merely stood by and watched how it happened. How could things have gotten this far?
In a certain way the Passport Act was (and is) emblematic for the Dutch era after '9/11'. An era in which (presupposed) anti-terrorism measures could be steered through Parliament with the greatest of ease. After all, such measures would enhance our security, we were continuously told. By nature people are inclined to believe the authorities and to accept the status quo. From a human rights point of view, one could consider the post-9/11 era as a huge Milgram experiment: without too much resistance many human rights have for years been put to the rack of society. The realization of the new Passport Act is no exception. Every Member of the Senate could at least have made a request for a parliamentary vote. Journalists and scientists could have blown the whistle on time. Instead, they all stood there and watched since, of course, the law would make the Netherlands a ‘more secure’ place. But what was this assumption based on? Wasn’t the Netherlands actually going to be less secure by the massive storage of fingerprints in travel documents and affiliated databases? This question has never been asked in public, let alone discussed and answered.
The prime argument by the Dutch government for the introduction of fingerprints in passports and ID cards has, since the late 90s, been the following: it would prevent look-alike fraud with travel documents. Look-alike fraud is a form of abuse whereby someone uses an authentic travel document of someone else to whom his or her appearance resembles. Questions about the scale of this type of fraud have hardly ever been asked in Parliament. From a recent FOIA-request filed by Privacy First, it appeared that we’re dealing with only a few dozen cases each year (with Dutch travel documents on Dutch territory). In light thereof the introduction of fingerprints in travel documents of 17 million Dutch citizens is completely disproportionate. Not to mention the dozens, if not hundreds of millions of Euros that the government has spent on this project.
With the introduction of a ‘biometric identity infrastructure’ a new form of fraud comes to life that is extremely difficult to trace and combat: biometric identity fraud, for instance through hacking. Not just with guileless citizens and companies, but also in the public sphere (espionage). Moreover, it has been pointed out that in 21-25% of cases the biometric data in the chip of Dutch travel documents cannot be read (verified). So in the event of passport control, there is a high risk that citizens become unjustly suspected of fraud. The biometric passport is no good for combating terrorism either: terrorists generally use their own, authentic travel documents. Unfortunately, little is publicly known about the way security and intelligence agencies use biometrics, even though some purposes are easy to predict: identification of suspects unwilling to speak and ‘interesting’ persons in public space, the recognition of emotions, lie detection and the recognition or use of doubles. The same applies to the domain of criminal investigation and prosecution, also in conjunction with camera surveillance and automatic facial recognition. In addition, the RFID (Radio Frequency Identification)-aspect of the chip in the document enables it to be read from a distance: citizens can be identified and tracked without it being noticed. With regard to personal identification, one could think of the possible introduction of fingerprints at banks, social services, the internet, etc. (Since the end of last year, a Dutch pilot project with mobile finger scanners for the police is ongoing.) Finally, there’s the domain of fighting disasters: biometrics used for the identification of casualties in the event of large-scale disasters or as a logistic means. All in all these possibilities for the use of biometrics go dozens, if not a hundred steps beyond the mere combating of look-alike fraud with travel documents. One ought to realize that all of these possibilities will sooner or later be put into practice. In jargon this is called ‘function creep’; historically seen it’s inevitable. Scientific research into future applications of biometrics continuously takes place. What’s more, even in our part of the world a democratic constitutional State is no invariable matter of fact. It is therefore very dubious whether our world will become ‘more secure’ by the large-scale use of biometrics.
It is exactly this concern which brought about a small Dutch revolution in the summer of 2009: at the time, the enactment of the new Passport Act led to a torrent of criticism and to the coming into being of the current Dutch privacy movement. New privacy organizations such as Privacy First proliferated, social coalitions were forged and lawsuits against the new Passport Act were filed. This boomerang effect within society continues to this day. Since that time the right to privacy is ever higher on the societal and political agenda. In that sense the biometric passport has so far proved to be an unintended gift from heaven.''
 See Vincent Böhre, Happy Landings? Het biometrische paspoort als zwarte doos (Happy landings? The biometric passport as a black box), Wetenschappelijke Raad voor het Regeringsbeleid, WRR (Scientific Council for Government Policy) October 2010, http://www.wrr.nl/publicaties/publicatie/article/happy-landings-het-biometrische-paspoort-als-zwarte-doos-46/.
 See Privacy First, Revealing figures about look-alike fraud with Dutch travel documents (20 March 2012).
 See Böhre supra footnote 1, p. 111 ff.