JUser: :_load: Unable to load user with ID: 65
In the context of a public consultation, the Dutch Ministry of the Interior recently requested Privacy First to react to the current government proposal to revise Article 13 of the Dutch Constitution (right to confidentiality of postal mail, telephone and telegraph). Below are our comments on the current draft of the legislative proposal (click HERE for the original Dutch version in pdf):
Ministry of the Interior and Kingdom Relations
Deputy Director for Constitutional Affairs and Legislation
Mr. W.J. Pedroli, LL.M.
PO Box 20011
2500 EA The Hague
Amsterdam, 29 December 2012
Re: Comments by Privacy First on the revision of Article 13 of the Constitution
Dear Mr. Pedroli,
On October 16th 2012 you requested the Privacy First Foundation to react to the draft legislative proposal to revise Article 13 of our Constitution. Privacy First is grateful for your request and is happy to hereby provide you with critical comments. In the first place, Privacy First fully endorses the desire of this government to modernise the current, archaic Article 13 of the Constitution. However, Privacy First regrets the fact that the government has not seized the opportunity to also renew and reinforce other ‘fundamental rights in the digital age’.
In the view of Privacy First, the first and third paragraphs of the current draft legislative proposal to revise Article 13 of the Constitution form powerful anchors for a future-proof right to confidential communication. The first paragraph rightly upgrades the old confidentiality of postal mail, telephone and telegraph to a technology-independent (or technology-neutral) confidentiality of mail and telecommunication. The third paragraph forms a correct guarantee for the horizontal effect thereof. Moreover, Privacy First endorses the broad interpretation that is being given by the draft Explanatory Memorandum (EM) to various relevant concepts. However, the second paragraph of the draft proposal contains a systematic imbalance which, in times less democratic, could endanger the rule of law in our society. It is precisely this paragraph which most of Privacy First’s criticism is focused upon. Other points of criticism concern compulsory notification towards citizens in the event that special powers have been used by the intelligence and security services, traffic data as well as the lack of a comparative legal section in the EM.
Judicial authorisation and national security
The EM rightly states that "in light of Article 13 (...) the protection of citizens against violations by the government is paramount, especially in light of the actions by the police and intelligence services. Demanding a judicial authorisation under the Constitution provides a strong and clear constitutional guarantee." It is therefore incomprehensible that in the second paragraph of the draft legislative proposal the domain of national security is being excluded from judicial supervision. After all, where the concentration of power is supreme, judicial checks and balances should be the most potent to prevent any (future) abuses of power. In light of European history, the exception in paragraph 2 is in fact entirely irresponsible: unfortunately, even in our part of the world a democratic constitutional State is not a static matter of fact. Apart from that, the current draft proposal sends out a dangerous signal to foreign governments. Furthermore, Privacy First deems the exception in paragraph 2 unwise in view of possible technological developments in the (far) future. The same holds true in relation to the (further) expansion of the notion of ‘national security’. Also in the future, the Dutch population needs to be protected against arbitrary violations of confidentiality of communication; in this regard the current wording of paragraph 2 offers no guarantee whatsoever.
Adding an extra ‘judicial layer’ would strengthen the current system of internal and external supervision on the intelligence and security services (and hence reinforce our democratic constitutional State). In this regard, the system of judicial supervision in a country like Canada could be a source of inspiration. Such judicial control would also be in line with the case-law of the European Court of Human Rights:
“The Court has indicated, when reviewing legislation governing secret surveillance in the light of Article 8 [ECHR], that in a field where abuse is potentially so easy in individual cases and could have such harmful consequences for democratic society as a whole, it is in principle desirable to entrust supervisory control to a judge.”
In light hereof, the current wording of paragraph 2 is not expedient. Privacy First thus advises a revision of this paragraph as follows:
“This right can be restricted in cases defined by law with the authorisation of a judge or, in the interest of national security, with authorisation from one or more ministers appointed by law.’’ [lining through by Privacy First]
As a possible alternative to the introduction of judicial supervision in the security domain, Privacy First advises to upgrade the existing Dutch Review Committee on the Intelligence and Security Services (CTIVD) into a more powerful, independent supervisory body, similar to the Belgian or German model with overall compulsory inspections beforehand instead of random supervisory inspections afterwards.
A second point of criticism concerns the lack of an explicit constitutional notion of compulsory notification in the event of any infringement of the confidentiality of mail and telecommunication. Compulsory notification provides legal protection to citizens and contributes to the correct enforcement of law by the government, also in the security domain. Like judicial authorisation, this offers the best guarantuees against short-term as well as long-term violations.
From Privacy First's point of view, traffic data too need to fall within the scope of Article 13 of the Constitution. These data are often related to the content of communication; this even follows from the text of the EM itself, where text messages ('SMS') and the email subject line are rightly mentioned as examples. The same goes for instance for search terms in search engines. Apart from that, it is possible to deduce the content of communication between individuals and/or companies from traffic data in conjunction with other data (possibly collected in real-time). So here too, a vigorous regime of Article 13 of the Constitution in conjunction with judicial supervision is essential.
Finally, in the current EM Privacy First misses a comparative legal paragraph in which current Article 13 of the Constitution is compared with constitutional best practices from countries with either a civil law or a common law tradition. Additionally, with a new Article 13 of the Constitution that is state-of-the-art internationally, the Netherlands could positively distinguish itself and to some degree regain its former position as a leader in human rights.
Privacy First hopes that this advice will be of use to you. We are willing to give clarifications on the above points upon request.
Privacy First Foundation
Director of Operations
 EM, at 18, 20.
 Compare EM at 11, 1st paragraph.
 ECHR 22 November 2012, Telegraaf vs. Netherlands (Appl.no. 39315/06), para. 98. Compare also ibid., paras. 98-102.
 EM, at 18.
Update 8 February 2013: see also the critical comments by the Netherlands Committee of Jurists for Human Rights (NJCM), Bits of Freedom and the newly established Netherlands Institute for Human Rights (in Dutch).
The appeal by Privacy First and 19 citizens against the Dutch government
On February 2, 2011, the Privacy First Foundation and 21 co-plaintiffs (citizens) were declared inadmissible by the district court of The Hague in our civil case against the Netherlands regarding the 2009 Dutch Passport Act. A proposal by the Dutch Minister of the Interior, Ms. Liesbeth Spies, to revise the Passport Act has been presented to the House of Representatives on 17 October this year. However, in this legislative proposal the original provision (Article 4b) concerning a centralised database remains intact for the greater part. Under this provision, biometric data of every Dutch citizen will be used for criminal investigation and prosecution purposes as well as intelligence work, disaster control and counter-terrorism. This constitutes a flagrant violation of, among other things, European privacy law. Efforts by individual citizens to challenge this through individual administrative court cases have thus far not yielded any results, since the administrative courts proved unwilling to evaluate the provision in question. Nevertheless, the Dutch Council of State (Raad van State) has recently made a preliminary reference to the European Court of Justice in
To that end we have today presented our Statement of Appeal to the Court of Appeal in The Hague. In this Statement Christiaan Alberdingk Thijm and Vita Zwaan (SOLV Attorneys) outline why Privacy First and co-plaintiffs have to be declared admissible. Subsequently, it will be possible for the Passport Act to be legally scrutinized in its entirety by the court and be measured up against higher law, including European privacy legislation. Our entire Statement of Appeal can be downloaded HERE (in Dutch). The Appeals Court of The Hague is expected to deliver its judgment before the summer.
Privacy First makes an urgent appeal to all Dutch citizens to contribute to the financing of this lawsuit. This can be done by donating on account number 220.127.116.111 attn. Stichting Privacy First in
This afternoon the Privacy First Foundation sent the following email to the Dutch Senate:
Dear Members of the Senate,
Recently the international Amsterdam Privacy Conference 2012 took place. In his opening speech at this conference, Dutch politician Lodewijk Asscher principally addressed the current legislative proposal of regulating prostitution. Asscher voiced the expectation that the envisaged registration of prostitutes will lead to lawsuits that will end up before the European Court of Human Rights in
1. Compulsory registration of prostitutes will lead to a shift of prostitution to the illegal circuit. Thereby this legislative proposal will prove to be counterproductive, with all the risks this entails. The social (legal) status of prostitutes will become further weakened instead of strengthened.
2. Compulsory registration of prostitutes violates the right to privacy because it concerns the registration of sensitive personal information. This is prohibited under Article 16 of the Dutch Data Protection Act and is in breach of Article 8 of the European Convention on Human Rights.
3. Registration of prostitutes has a stigmatizing effect. Moreover, the security of this registration cannot possibly be guaranteed and there is also the danger of function creep. Therefore, the supposed advantages of registering do not outweigh the risks of data breaches, hacking, unauthorised and unforeseen use - now and in the future. This, in turn, also implies new risks of abuse and blackmailing.
4. Combating criminality and human trafficking ought not to happen through the risky registration of prostitutes, but rather through more effective criminal investigation, prosecution and adjudication of the culprits without putting the victims in danger. For that purpose it is up to the Minister to develop alternative, privacy-friendly instruments in consultation with relevant NGOs.
We are willing to supply further information on the above points upon request.
Privacy First Foundation
Update 30 October 2012: this afternoon the Senate heavily criticised (especially) the privacy aspects of compulsory registration of prostitutes. As a result, Minister Ivo Opstelten has decided to reconsider his approach to the issue. It now seems that compulsory registration is shelved. The discussion on other parts of the legislative proposal is postponed until further notice. Click HERE for an audio recording of the parliamentary debate (in Dutch) until its suspension (mp3, 2u53m, 119 MB).
The Privacy First Foundation has, with pleasure, just taken cognisance of 1) the announcement earlier today of a Dutch legislative proposal to abrogate fingerprints in ID cards and 2) the decision by the Dutch Council of State (Raad van State) to make a request for a preliminary ruling to the European Court of Justice in Luxembourg on the legality and interpretation of the European Passport Regulation in four administrative cases of individual Dutch citizens. The Privacy First Foundation hereby makes an appeal to Dutch Parliament to adopt the legislative proposal to abrogate fingerprints in ID cards as soon as possible. In anticipation of the expected adoption of this legislative proposal, taking people's fingerprints for ID cards must be halted immediately or at least become voluntary as a temporary solution. Privacy First also hopes that the European Court of Justice will swiftly deal with the preliminary reference and conclude that taking fingerprints for passports and ID cards is unlawful because it violates the right to privacy. Further comments by Privacy First will follow.
Update 18.00h: listen to the interview (in Dutch) with Privacy First on Radio 1.
Update 29 September 2012: see also our reaction in the Dutch regional press.
On Thursday morning 23 August 2012, the Dutch Royal Military and Border Police (Koninklijke Nederlandse Marechaussee, KMAR) presented to the international press the by now notorious Dutch camera system called @migo-Boras. That same afternoon the Privacy First Foundation was visited in Amsterdam by a camera crew of international news agency Associated Press (AP). For copyright reasons unfortunately we cannot publish the video material from AP. Among other things, Vincent Böhre (Privacy First) declared the following to AP:
‘‘Our main concerns are about privacy, because this system is based on profiling and total surveillance of everybody driving on the highway. Our second objection is of course the Schengen Agreement: this system really comes down to border control, even though they don’t want to call it that way. But if you look at the capabilities of the system and the intentions behind it, it’s pretty clear that it comes down to border control, and that's also what most lawyers say.’’
The news report that was then distributed across the world by AP is set out below:
‘‘Amid privacy concerns, Dutch immigration minister shows off new border cameras targeting crime’
THE HAGUE, Netherlands (AP) — The Dutch immigration minister has shown off the government’s new system of cameras posted at border crossings with Germany and Belgium that he says will help clamp down on crimes like drug and people smuggling and illegal immigration.
However the new surveillance system has raised concerns among privacy activists.
The European Commission says that, based on information provided by Dutch authorities, the surveillance does not appear to breach the Schengen agreement governing freedom of movement within the 27-nation bloc and does not amount to a reintroduction of border controls.
However, the Commission says it will monitor the use of the cameras, which are posted at 15 highway border crossings. Immigration Minister Gerd Leers said Thursday the cameras are intended to help police target suspicious vehicles.’’
(Example: Montreal Gazette, via AP Worldstream)
Meanwhile, the Privacy First Foundation still considers taking legal action against @migo-Boras. It does so because 1) the system still has no specific legal basis, 2) the system is not necessary because it is solely 'supportive' to the task of the KMAR called Mobiel Toezicht Veiligheid (Mobile Security Monitoring) which is to check up on people from other Schengen countries travelling into the Netherlands, 3) the system is disproportionate because it is meant to track down a few individuals at the cost of the privacy and freedom to travel of everyone, 4) people are stopped and searched by the KMAR on the basis of the unlawful criterion of 'being interesting' instead of the lawful criterion of being under the 'reasonable suspicion of a criminal act', 5) the effectiveness of the system has thus far not been proved, 6) the system considers everyone at border crossings a potential suspect, 7) in practice, some elements of the system have a discriminatory effect, 8) the system seems increasingly set to be extended with four weeks of storage of everyone's travel movements through Automatic Number Plate Recognition (ANPR), 9) within the system design there is 'function creep (derogation from the original purpose) by design' instead of 'privacy by design' and 10) despite the judgement of the European Commission things basically come down to mass electronic border controls which are prohibited under the Schengen Agreement.
See also the following items (in Dutch, on privacyfirst.nl):
Big Brother-systeem zet privacy automobilist aan kant (Telegraaf.nl, 10 September 2012)
Interview met Privacy First over camerasysteem @migo-Boras (BNR Nieuwsradio, 1 August 2012)
Met @migo-Boras maak je geen vrienden (Privacy First, 5 January 2012)
Interview met Privacy First over nieuw grenscontrolesysteem @migo-boras (NOS Radio 1, 30 November 2011)
Interview met Privacy First over nieuw grenscontrolesysteem @migo-Boras (ZDF Journaal, 25 November 2011)
Click HERE for more items about @migo-Boras.
On March 5, 2012, Adriaan Bos presented his exciting debut novel Advocaat van de waarheid ('Advocate of the Truth') at Van Doorne Lawyers in Amsterdam. More about the book can be found HERE (in Dutch). Below are the translated text and a Dutch video of the speech that Privacy First chairman Bas Filippini held for this occasion:
"We are a foundation, we proceed from donors and with that money we deliver action. That's actually a new form of action: business action - I come from the industry - and if necessary we can also take legal action. Mainly against the Dutch government: the government which should be protecting our privacy, but which at this moment is in fact the biggest violator of privacy that you can imagine.
There is something very "close" about privacy, namely one's own private environment. The thing with privacy is, it is actually quite simple, as the Egyptians used to say: there is a balance, an ostrich feather, and your soul, and you can find out for yourself what has weighed most heavily in your life. We always see the pictures of the hieroglyphics, but that's what these people were actually doing. Which life do you live and how do you shape that life? Just as the government has a mantra of "nothing to fear, nothing to hide", we have our own mantra: "I have nothing to hide, so I do not have to be checked and I am certainly not to be watched. I prefer to possess my own personal data in this society." For me, this line in the sand had already been drawn in the year 2000. Then at one point I took the initiative and said: let's take action. With a foundation. Maybe you've heard about us from the Passport Act. The big Moloch, the government goes on and on, often out of ignorance, sometimes unwillingness, sometimes consciously, funded by IT companies, so is my perception. Then there comes a point that if one doesn't want to listen, one must feel. So we deployed a lawyer. And through these first small steps, we have already achieved some big results.
From the book by Adriaan Bos I recognized many things to myself: personal development and making choices in life. In his book, Adriaan immediately puts the cat among the pigeons by choosing the worst scenario: government-obliged chipping of people. That is of course the horror scenario where I dig my Privacy First heels in the sand. The storyline immediately appealed to me and I found it very recognizable. It reminds me of the ability to make personal choices: make it personal, get that balance and make your choice. On the other hand, I recognized it as a Da Vinci Code-type book, a thriller, businesslike, including the legal profession. I experience that a lot: you need a lawyer for a contract or an acquisition; that's when you need each other. That business approach really appealed to me. This is also a beautiful way of introducing this topic to the masses. But also the frightening prospect of the end to your personal freedom. In my perception we're talking about principles here which took 3,000 years to develop and to discuss, where people have been killed, given their lives and waged wars. What are the real truths in everyone's own story? For me, those are freedom, a sense of freedom, and trust, a society based on trust. Another key is different for each person: a child comes to this world in freedom, curiosity and confidence. I think a child is always a good mirror for how society should be. A society based on opposite principles, mistrust, hatred and control, to that everyone will say in advance: this is not a society we want to live in. But look around you and see what is happening: we are building a society based on distrust, hate - "you are either with us or against us" - and control. This is what we call 'profiling'. From unwillingness and stupidity you see a lot of profiling taking place in this society. The highway is under total surveillance. Everywhere you drive into Amsterdam you will be photographed. This started with environmental legislation and then we quickly saw the poles shift until it suddenly became a measure for every Amsterdam resident. Even the parking meters have cameras. For what purpose? To buy a ticket? I don't understand this, and yet you see some kind of general acceptance about it. Looking at Adriaan's book, I can say that you must experience it yourself and read it in order to have to your own opinion about it. Luckily, we are free to do this. The book is about the fact that, in times of crisis, legislation can quickly shift in the direction of a quick "fix". As we all know, choices out of fear are often not the best choices. Short-term pleasure is long-term pain, and short-term pain is long-term pleasure. Sometimes it is better not to overreact because of something hysterical in the newspapers, as we often experience in this media democracy.
I would like to finish by stating my intention of not leaving my daughter behind in an electronic concentration camp. This is what I see we are heading toward. This may not be the nicest of messages, but that is not what I am here for; I like to challenge and to stimulate. I hope that Adriaan Bos will make a very good contribution to this. You should really make a movie out of this book. The Privacy First Foundation hereby donates 5,000 Euros for the first building block: the translation of the book into English so that it can get a much bigger audience. It really is a whole new genre in the field of thrillers, ethics, spirituality and personal development."
Video (in Dutch):
The Amsterdam police are considering the introduction of mobile X-ray body scanners on the streets, local television station AT5 reported today. If the police will indeed introduce such "nude scanners", Privacy First will not hesitate to sue both the Amsterdam police and the responsible Amsterdam Mayor Van der Laan for breach of 1) human dignity, 2) the presumption of innocence, 3) privacy, 4) freedom of movement, 5) physical integrity and 6) the health of all Amsterdam residents. Any introduction of mobile X-ray scanners will actively jeopardize the privacy as well as the health of innocent citizens.
Privacy First hereby makes an urgent appeal for political measures: this Thursday the subject of preventive searches is on the agenda of the Amsterdam city council. It is primarily up to the council to blow the whistle and prohibit the introduction of nude scanners by the Amsterdam police. If the council fails in this, Privacy First reserves the right to take all necessary measures to prevent the introduction of nude scanners.
Update 7.00pm: reaction of Privacy First on FunX Radio (in Dutch).
Update June 29, 2012: the introduction of mobile body scanners is put on hold during further investigations by Amsterdam Mayor Van der Laan. The subject will not be on the agenda of the Amsterdam city council again until early 2013. The political debate on preventive searches (including the possible introduction of body scanners) which took place yesterday in the Amsterdam city council Committee for General Affairs can be viewed online HERE (starting at 233m40s).
On June 11, 2012, the long-awaited National Privacy Debate took place in The Hague. Privacy First summarizes the most noteworthy aspects for you, starting with the striking plea (in Dutch) for a Privacy Delta Plan by Brenno de Winter:
"The National Privacy Debate is a unique opportunity to start something beautiful and to challenge people into engaging in open discussion. Let us seize this opportunity and work on a Delta Plan. To make the Netherlands a guiding country again. A model for the rule of law as to the protection of the citizen. That's what we are best at!"
The floor was then given to Anthony House (Google), who at the end of his keynote speech posed the following question to the audience:
“Are the principles of data protection that were developed in the 1970s still good today? Do we need to start from scratch on privacy principles?”
From the silence in the audience and some answers that followed, it could (fortunately) be inferred that the classic privacy principles still suffice today, at least to a large extent.
The event then turned to the first panel discussion, which was focused on the question of what is currently preferred most: more legislation or more self-regulation? The responses from the panel and from the audience showed a predominant preference for both options together instead of just one or the other. As in the financial sector, good laws and strict enforcement have become a bitter necessity for the ICT sector. However, such laws only represent a rapidly aging minimum level of privacy protection. It follows that it is up to the ICT sector itself to operate continuously at the highest, most privacy-friendly (i.e. customer-friendly) level. This is an important selling point which offers significant competitive advantages. In this sense, legislation and self-regulation can complement each other well.
Then there was a speech by Joost Farwerck (KPN) who stated, inter alia, that privacy now has a high priority among a broad Dutch audience: research by KPN had shown that the public attaches most value to this after good healthcare and education. Therefore, KPN has set up an internal Privacy Awareness program and an external Privacy Mission. Farwerck finally pleaded to make the National Privacy Debate a recurring event. (So did Arie van Bellen (ECP-EPN) later that day.) Privacy First is happy to join this plea.
During the second panel session (on privacy and security) some interesting parallels were drawn with security in other sectors such as the food industry and the aviation industry, both in terms of legislation and self-regulation as well as supervision and enforcement. Earlier in the day, Vincent Böhre (Privacy First) had drawn a similar parallel with past developments in the field of environmental protection. Many participants in the debate agreed that, on the one hand, the Dutch Data Protection Authority (DPA) lacks adequate resources and powers, while on the other hand its enforcement of existing privacy laws is too weak. In addition, Walter van Holst (Mitopics) rightly noted from the audience that more emphasis should be put on data minimization. Indeed, without any data no security is needed.
The floor was then given to Bart de Koning: journalist and author of the Dutch book 'Alles onder controle, de overheid houdt u in de gaten' ("Everything under control, the government is watching you"). In his speech, De Koning pointed out some positive recent developments, such as the Dutch resistance to passport fingerprinting, the new Dutch law on cookies, net neutrality and political attention to the risks of the U.S. Patriot Act. At the same time he warned about negative developments such as the Dutch proposal to provide all car number plates with RFID chips. Furthermore, the Netherlands is still champion in eavesdropping. In addition, De Koning noted that Dutch media (including Elsevier magazine) are devoting more attention to privacy than before and that citizens are increasingly keeping an eye on their government instead of vice versa. "The citizen peeks back" and this can have "a disciplining effect on the State", De Koning said. As to the future, De Koning suggested the following guidelines to the audience: 1) think before you act, 2) data minimization, 3) transparancy, 4) effectiveness, 5) sunset clauses and 6) an ongoing debate. De Koning further argued for the introduction of Dutch constitutional review (at the judiciary), a Constitutional Court and stronger oversight by the Dutch DPA. In this connection he made a comparison with Germany, where ANPR (automatic number plate recognition) is prohibited.
Then there was room for discussion with the audience, at which point Joyce Hes (Foundation for the Protection of Civil Rights) made an especially important remark: many public debates (including the periodic Privacy Cafes in Felix Meritis) are conducted with privacy advocates. Politicians and officials who are critical of privacy rarely show up at these debates. This is not good for the discussion.
Finally, Bart de Koning stated that the ethnic 'underclass' has become the main victim of systematic privacy violations, including preventive home visits. Privacy First endorses all of these points.
The topic of the third panel session was "privacy and government":
On behalf of Privacy First, Bas Filippini kicked off as follows:
"What we focus on are private choices in a free environment. Private choice means the freedom to choose, and a free environment means that we endeavor to keep society as free as possible for the average citizen in the Netherlands. This unless you are suspected of a crime: then privacy can be exchanged for security. That is our philosophy. We argue things from principles first, tested against the Constitution. Then we look at the implementation: are there sufficient checks and balances? How is policy being set and how is it applied? Only finally we look at technology. I always use the following example: "With a knife you can stab someone, but you can also make a sandwich." For many people, technology is the "holy grail" to which everything is connected, without first having taken these three steps: 1) principles , 2) policy, 3) implementation, followed by smart use of technology. Often the principles of subsidiarity and proportionality are breached, which is very unfortunate. In government, there are many people who would like to do things differently, but if they disagree with something, they are quickly seen as whistleblowers, which has a stigmatizing effect. So the Titanic keeps on sailing towards the iceberg, currently resulting in more and more profiling. By that we don't mean targeted profiling in case of a reasonable suspicion of a criminal offence, but surveillance of an entire population to see if there is "anything wrong" somewhere, based on outliers, the deviations from the median. We consider this a great danger, because everyone will become suspect. This creates a lot of self-censorship among people, officials and citizens alike."
During the remainder of the panel debate, the observations by Ronald Leenes (Tilburg University) stood out: Leenes warned about loss of confidence among citizens in their government if that government didn't take the right to privacy seriously. "The consideration whether or not an infringement of privacy is necessary in a democratic society is hardly made by the Dutch government in a number of cases", Leenes said. According to Leenes, data are being collected simply "because it's possible", there is huge confidence in technology, it is thought that more information leads to better decisions, insufficient attention is paid by the government to alternatives to reach the same goals, and there is ignorance. Leenes warned about current plans to register prostitutes in a central database. He also stressed that privacy is not only an individual right, but that it also has a social function.
Others in the panel pointed to the dangers of risk profiling. Furthermore, the fallacy "if you have nothing to hide, you have nothing to fear" was unanimously invalidated: everyone has the right to keep his or her private life simply to themselves. Moreover, a core element of freedom is precisely that you may have something to hide. It was further noted that hard work must be made to increase privacy knowledge and awareness in government. Some in the panel emphasized incompetence in government rather than intent. Bas Filippini replied that there is often an agenda behind things, namely policy from the United States and the European Union. "How do you shape your society? Do you do that on a basis of fear, hatred and control, or on a basis of trust, freedom and love?", Filippini said.
Then there was a discussion with the audience, in which Jeroen Terstegge (PrivaSense) rightly stated that one should be wary of Privacy Impact Assessments (PIAs) conducted by directly involved officials rather than an independent regulator, such as a Chief Privacy Officer. In this field there should be more self-criticism in government, aside from the Dutch DPA's external role. Another striking remark from the audience was made at the end of the panel session by Dimitri Tokmetzis (Sargasso): insurance was originally intended to spread risk, but through profiling risks are being individualized. This comes at the expense of solidarity in our society.
Thereafter Pim Takkenberg (National Police Services Agency, KLPD) held a speech on the theme of privacy and criminal investigation, in which he specifically discussed the dilemmas around dismantling a so-called botnet: a network of hijacked computer systems. According to Takkenberg, the legal framework in this context is sometimes "insufficiently specific", e.g. in case of 1) remotely "entering" (or hacking) computer systems by the police and 2) international cooperation in fighting cybercrime. Also in public-private partnerships, the police in this context are still "walking on eggshells", Takkenberg noted. In reply to a question from the audience about the effectiveness of data retention, Takkenberg said that "sometimes you have to give things some time in order to see what they yield in the long-term". This strengthens the position of Privacy First that this measure should never have been introduced. Finally, Takkenberg rightly stated that the police does not benefit from too much information gathering and that one must be very selective.
The panel discussion on privacy and criminal investigation that followed took an unexpected turn due to the comments of Jan Grijpink (Utrecht University, formerly also Ministry of Justice) on the recent complications surrounding the Dutch biometric passport. When asked which aspect of the privacy debate annoyed him, Grijpink answered as follows:
"The discussion about the biometric passport, which I find a good example of how too persistent nagging - if I may say so - on the privacy side impairs the security side. If we have now come to the point of saying "let's remove the fingerprints from the passport", then I am satisfied. Back in 2002, I would have liked to avoid putting fingerprints on the passport, because it is unnecessary to use fingerprints to verify the holder. That has just been superfluous. But the moment you put fingerprints on the passport, you must be able to check whether those fingerprints are still the correct fingerprints and whether the person who says he belongs to them is truly that person. This has led to a decision by various [Dutch] ministers who were responsible for storing four fingers in a municipal database, and if you don't have that, then the citizen is actually lawless when he carries a document with two fingers, because that document is also intended to show to others. If it is just for yourself, then so be it, but a passport is meant to hand over to an authority. When we distribute a passport, we do not even check with the same biometrics whether it's really being distributed to the person who's the official holder. Either no fingerprints, or completely correct. Both these aspects are now threatened to be destroyed through a persistent nagging to one aspect of privacy only. That's what I worry about."
This led Vincent Böhre (Privacy First) to ask Grijpink about his assessment of the risk of function creep in the storage of fingerprints in municipal databases.
Grijpink answered as follows:
"If you put the fingers on the passport only, you just lose all control for the protection of the individual. I have always made the case for storing four fingers - two on the passport and two extra - with the municipality in order to be able to check whether it is still the right person and whether anything in the document has changed. This can also exonerate yourself if you're accused of something with such a document. Whether that can lead to function creep: yes, everything can lead to function creep. But I think that if you organize it well, and I'm naturally a strong supporter of that, also because of the fact that we build large-scale infrastructures with chain-computerization to manage it well, then I think you also have to put some confidence in the government in a certain sense. I have been part of it for 40 years. In my view, some sort of a ghost is often made of the government in privacy debates. I don't recognize that. Many government officials do their work faithfully."
It is up to the reader to draw his own conclusions from this... ;)
During the panel discussion another central issue concerned the question whether or not to release figures on Dutch telephone and internet wiretaps. On behalf of Bits of Freedom Simone Halink rightly pleaded for more transparency in this respect. From the KLPD corner (and a former AIVD intelligence officer in the audience) however, it quickly became clear that there was complete unwillingness to provide any openness. This then led to a hardening of the discussion in which privacy advocates and (former) representatives of police and justice became diametrically opposed to each other. During this discussion Grijpink made the following remarks:
"I want to bring attention to an aspect as to why you should also be careful with making such hard calls for data and surveys. Especially, very clear in my file, identity fraud, then you make use of someone else's identity. When successful, it is invisible. And if the person is dead, then he won't notice anything. So that's a good example that if you start measuring, you get the wrong answer. And false conclusions and false images may even be worse for criminal investigation than if something gets known. In the case of identity fraud it is quite clear. I was asked: "How bad is the problem?" I replied: "Asking that question means that you don't understand. You must first have a situation in which you are sure to have the person who succeeded in committing identity fraud." There is only one situation that I know: the prison cells of the Justice department. Then minister Donner said: "Let's have a look." And guess what: 15% had the wrong identity. Half of those we didn't even know. And those people are in jail. In other words: figures are only really useful to some extent, and in the public debate they often go wrong."
This led Böhre to emphasize the importance of the notion that privacy is a human right, in which the question of proportionality in both individual and collective sense is fundamental. The discussion should therefore always be based on hard facts and figures. Vague assumptions about look-alike fraud are no excuse to impose biometric passports on an entire population. No negative reaction to this followed from the panel. The importance of further discussions based on facts and figures also seemed to be recognized by the audience. In that sense, the National Privacy Debate hopefully marked the end of an era of fact-free politics.
Privacy First will be happy to actively attend the next National Privacy Debate. In the meantime, the debate between all relevant stakeholders should be permanent.
A full video recording of the whole (6.5 hour) National Privacy Debate can be viewed online HERE.
More pictures of the event can be found HERE and HERE.
Postscript: the above report has also been published in the Dutch journal Privacy & Compliance 3-4/2012, p. 46-49.
This Tuesday afternoon it is expected that the Dutch House of Representatives will vote in favour of two important motions. The first motion urges the Dutch government to have the European Passport Regulation critically discussed in Brussels. The second motion appeals to the government to take a firm stand in Brussels for there to be a critical reaction to American extraterritorial legislation, such as the notorious US Patriot Act. Both motions have come into being partly as a result of earlier reports by Privacy First about 1) the futility of taking fingerprints for passports and ID-cards and 2) the risk of Dutch fingerprints secretly ending up in foreign hands.
The current taking of fingerprints is the result of the European Passport Regulation. This regulation dates back to the end of 2004 and primarily came into existence under pressure of the American Bush administration. Back then there was hardly any critical discussion about the benefits and necessity of taking people's fingerprints for travel documents. At the time the responsible rapporteur of the European Parliament wasn’t even able to bring out into the open statistics about this matter, as was recently revealed through a FOIA-request filed by Privacy First. Soon it will be up to the European Commission to still prove the effectiveness of the Passport Regulation. In case the Commission fails in doing so, the Regulation should be discarded immediately.
Apart from fingerprints, the long arm of the Bush administration has for years been reaching deep into the heart of
In recent years
Update: Both motions have been adopted by the House of Representatives with an overwhelming majority! You can find a video of it HERE (in Dutch, starting at 9m55s). Only the right-wing Party for Freedom (PVV) rejected the motions.
This morning in Geneva the long-awaited Universal Periodic Review (UPR) of the Netherlands took place before the Human Rights Council of the United Nations (UN). In the run up to this four-year session, the Privacy First Foundation and various other organisations had emphatically voiced their privacy concerns about the Netherlands to both the UN and to almost all UN Member States; you can read more about this HERE. The Dutch delegation for the UPR session was led by Interior Minister Ms. Liesbeth Spies. The opening statement by Spies contained the following, remarkable passage about privacy:
"The need to strike a balance between different interests has sometimes been hotly debated in the Dutch political arena, for example in the context of privacy measures and draft legislation limiting privacy. The compatibility of this kind of legislation with human rights standards is of utmost importance. This requires a thorough scrutiny test, which is guaranteed by our professionals and institutions. Improvements in this regard have been made when necessary, especially in the starting phase of new draft legislation. This has been done in the field of privacy, where making Privacy Impact Assessments (PIAs), describing the modalities for the planned processing of personal data, are compulsory now." (pp. 5-6, italics Privacy First)
A "thorough scrutiny test" and compulsory Privacy Impact Assessments are the terms that positively stand out for Privacy First.
Prior to the UPR session, the United Kingdom had already put the following questions to the Netherlands: "Given recent concerns about data collection and security, including the unintended consequences of cases of identity theft, does the Netherlands have plans for measures to ensure more comprehensive oversight of the collection, use and retention of personal data?" (Source) On behalf of the Netherlands, Minister Spies responded to this question in Geneva this morning saying: "On the review of our laws on data protection, The Netherlands are currently working on a legislative proposal on data breach notification, following announcements of this proposal in the present coalition agreement. The proposal, which would require those responsible for personal data to notify the data protection authorities in case of "leakage" of personal data with specific risks for privacy (including identity theft), is expected to be tabled in Parliament in the coming months." This answer is rather concise and unfortunately it doesn’t contain any new elements. However, a new Dutch law on compulsory notification for data leakages will hopefully become a best practice for other UN Member States. The credits for this go to our colleagues of the Dutch NGO Bits of Freedom who have worked on this for a long time.
During the UPR session Estonia called the protection of privacy and personal data a "human rights challenge of the 21st century". Morocco then asked a critical question about the privacy issue: "Quelles sont les mesures concrètes entreprises par les autorités néerlandaises pour sécuriser l'utilisation des donnés personnelles?" ("What are the concrete measures taken by the Dutch authorities to protect the use of personal data?") The Philippines also raised the issue of the right to privacy, but only in these words: "The Philippine delegation appreciates the frank assessment of the Netherlands of the obstacles and challenges it has to hurdle in the implementation of the right to privacy especially in the area of protection of personal information." The comments by Greece, India, Russia and Uzbekistan were more content-focused. Greece addressed the practice of preventive searches: "We take note of reports regarding the issue of preventive body searches. We recommend that the Netherlands ensure that in its application of preventive body searches, all relevant human rights are adequately protected, in particular the right to privacy and physical integrity and the prohibition of discrimination on the basis of race and religion." India exhorted the Netherlands on ethnic profiling of citizens: "We encourage the Dutch Government to take concrete measures to combat discrimination including discrimination by the Government such as ethnic profiling." Russia too advised the Netherlands "to introduce measures to stamp out discrimination arising as a result of the practice of racist, ethnic or religious profiling." The Netherlands was addressed about this very issue by Uzbekistan as well: "We are concerned over the existence of information on the increasingly broad use by the police of racist profiling."
As a reaction to these points Minister Spies referred to recent research by the Dutch police, scientists and the National, the Amsterdam and the Rotterdam Ombudsman about preventive body searches, discrimination and ethnic profiling. With regard to digital profiling (in general), she moreover proclaimed the following: "In its recent proposal for a general Data Protection Regulation, the [European] Commission has included rules on profiling, which can address the problems associated with profiling and the protection of personal data. The Netherlands endorses the need for clear legislative rules with regard to this topic, given the specific challenges for privacy protection that this technique entails. This is also the background against which the Netherlands welcomed in 2010 the Council of Europe Resolution on this topic, which contained a useful definition of profiling that would also be beneficial for inclusion in the [European] Commission proposals. The Netherlands will draw attention to this ongoing discussion in Brussels. The Regulation, once in force, will be directly applicable in the Netherlands."
By and large this is a reasonable result, given that up until now the privacy issue had hardly played any role at all within the UN Human Rights Council. However, it’s a shame that most countries still hardly dare to confront this issue, let alone ask specific and critical questions about it. Many of the recommendations by Privacy First have not been touched upon during this UPR session, although diplomats in Geneva and The Hague had earlier shown great interest in them. Perhaps they were stopped by their Foreign Affairs departments in capital cities because many privacy issues are also sensitive in their own domestic politics? Who knows... However, the fact remains that the international community was informed by Privacy First well in advance, which was part of the reason that the Dutch UN delegation headed by Minister Spies was properly focussed on the job at hand. This can only be to the benefit of general awareness and the protection of privacy, both inside and outside the Netherlands. In the end, for us this is what it’s all about.
Update 4 June 2012: This afternoon, a working group of the Human Rights Council adopted a draft report on the Dutch UPR session. The final version of this report will be adopted by the Human Rights Council in September 2012, accompanied by a (motivated) acceptance or rejection by the Netherlands of each individual recommendation in the report. Furthermore, this will also be discussed by the Dutch House of Representatives.
A total of 49 countries have taken part in the Dutch UPR session. It is noteworthy that Belgium, Italy and Austria did not take part in the session (although Belgium and Italy had in fact enrolled beforehand). As far as Austria is concerned this is particularly regrettable, because of all the UN Member States it was actually Austria which had in advance expressed the most interest in the Privacy First UPR shadow report and had intimated to be able to make a powerful, overall recommendation to the Netherlands about the right to privacy.
Update 21 September 2012: This morning, the UN Human Rights Council discussed its recommendations to the Netherlands. The Dutch Permanent Representative in Geneva declared which recommendations have been accepted or rejected by the Netherlands; see this UN document and this video. The two recommendations by the Human Rights Council that related to ethnic profiling and preventive body searches have both been accepted by the Netherlands under the following clarification:
- ethnic profiling: "The Dutch government rejects the use of ethnic profiling for criminal investigation purposes as a matter of principle." About profiling in a more general sense: "In its recent proposal for a General Data Protection Regulation, the European Commission included rules on profiling that address problems that may arise due to the increasing technical possibilities for in-depth searches of databases containing personal data. The Netherlands endorses the need for clear legislative rules on this subject, given the specific challenges for privacy protection that this technology entails." (Source, 98.57 & n. 75).
- preventive body searches: "The power to stop and search is strictly regulated in the Netherlands. The mayor of a municipality may designate an area where, for a limited period of time, preventive searches may be carried out in response to a disturbance of or grave threats to public order due to the presence of weapons. The public prosecutor then has discretion to order actual body searches and searches of vehicles and luggage for weapons." (Source, 98.74 & n. 95).
See also this statement by the Netherlands Committee of Jurists for Human Rights (Dutch abbreviation: NJCM) from this morning (video). Just like the NJCM, Privacy First regrets the lack of government consultation in the run up to today’s UPR session.
Below you can watch the 31 May 2012 UPR session in its entirety (click HERE for video segments of individual countries).