Financial Privacy & PSD2

On July 1 and 2, 2019, the Netherlands will be examined in Geneva by the United Nations Human Rights Committee. This UN body is tasked with supervising the compliance of one of the oldest and most important human rights treaties in the world: the International Covenant on Civil and Political Rights (ICCPR). Each country which is a contracting party to the ICCPR is subject to periodical review by the UN Human Rights Committee. At the beginning of next week, the Dutch government must answer before the Committee for various current privacy issues that have been put on the agenda by Privacy First among others.

The previous Dutch session before the UN Human Rights Committee dates from July 2009, when the Dutch minister of Justice Ernst Hirsch Ballin had to answer for the then proposed central storage of fingerprints under the new Dutch Passport Act. This was a cause for considerable criticism of the Dutch government. Now, ten years on, the situation in the Netherlands will be examined once more. Against this background, Privacy First had submitted to the Committee a critical report (pdf) at the end of 2016, and has recently supplemented this with a new report (pdf). In a nutshell, Privacy First has brought the following current issues to the attention of the Committee:

- the limited admissibility of interest groups in class action lawsuits 

- the Dutch ban on judicial review of the constitutionality of laws

- profiling

- Automatic Number Plate Recognition (ANPR)

- border control camera system @MIGO-BORAS

- the Dutch public transport chip card ('OV-chipkaart') 

- Electronic Health Record systems

- possible reintroduction of the Telecommunications Data Retention Act

- the new Dutch Intelligence and Security Services Act (‘Tapping Law’)

- PSD2

- Passenger Name Records (PNR)

- the Dutch abolition of consultative referendums

- the Dutch non-recognition of the international prohibition of propaganda for war.

The entire Dutch session before the Committee can be watched live on UN Web TV on Monday afternoon, July 1, and Tuesday morning, July 2. In addition to privacy issues, several Dutch organizations have put numerous other human rights issues on the agenda of the Committee; click HERE for an overview, which also features the previously established List of Issues (including the new Intelligence and Security Services Act, the possible reintroduction of the retention of telecommunications data, camera system @MIGO-BORAS, and medical confidentiality with health insurance companies). The Committee will likely present its ‘Concluding Observations’ within a matter of weeks. Privacy First awaits the outcome of these observations with confidence.

Update July 26, 2019: yesterday afternoon the Committee has published its Concluding Observations on the human rights situation in the Netherlands, which includes critical opinions on two privacy issues that were brought to the attention of the Committee by Privacy First: 

The Intelligence and Security Services Act

The Committee is concerned about the Intelligence and Security Act 2017, which provides intelligence and security services with broad surveillance and interception powers, including bulk data collection. It is particularly concerned that the Act does not seem to provide for a clear definition of bulk data collection for investigation related purpose; clear grounds for extending retention periods for information collected; and effective independent safeguards against bulk data hacking. It is also concerned by the limited practical possibilities for complaining, in the absence of a comprehensive notification regime to the Dutch Oversight Board for the Intelligence and Security Services (CTIVD) (art. 17).
The State party should review the Act with a view to bringing its definitions and the powers and limits on their exercise in line with the Covenant and strengthen the independence and effectiveness of CTIVD and the Committee overseeing intelligence efforts and competences that has been established by the Act.

The Market Healthcare Act

The Committee is concerned that the Act to amend the Market Regulation (Healthcare) Act allows health insurance company medical consultants access to individual records in the electronic patient registration without obtaining a prior, informed and specific consent of the insured and that such practice has been carried out by health insurance companies for many years (art. 17).
The State party should require insurance companies to refrain from consulting individual medical records without a consent of the insured and ensure that the Bill requires health insurance companies to obtain a prior and informed consent of the insured to consult their records in the electronic patient registration and provide for an opt-out option for patients that oppose access to their records.

During the session in Geneva the abolition of the referendum and the camera system @MIGO-BORAS were also critically looked at. However, Privacy First regrets that the Committee makes no mention of these and various other current issues in its Concluding Observations. Nevertheless, the report by the Committee shows that the issue of privacy is ever higher on the agenda of the United Nations. Privacy First welcomes this development and will continue in the coming years to encourage the Committee to go down this path. Moreover, Privacy First will ensure that the Netherlands will indeed implement the various recommendations by the Committee.

The entire Dutch Session before the Committee can be watched on UN Web TV (1 July and 2 July). See also the extensive UN reports, part 1 and part 2 (pdf).

Tomorrow morning the Netherlands will be examined in Geneva by the highest human rights body in the world: the United Nations Human Rights Council. Since 2008, the Human Rights Council reviews the human rights situation in each UN Member State once every five years. This procedure is called the Universal Periodic Review (UPR).

Privacy First shadow report

During the previous two UPR sessions in 2008 and 2012, the Netherlands endured a fair amount of criticism. At the moment, the perspectives with regard to privacy in the Netherlands are worse than they’ve ever been before. This is reason for Privacy First to actively bring a number of issues to the attention of the UN. Privacy First did so in September 2016 (a week prior to the UN deadline), through a so-called shadow report: a report in which civil society organizations express their concerns about certain issues. (It’s worth pointing out that the Human Rights Council imposes rigorous requirements on these reports, a strict word limit being one of them.) UN diplomats rely on these reports in order to properly carry out their job. Otherwise, they would depend on one-sided State-written reports that mostly provide a far too optimistic view. So Privacy First submitted its own report about the Netherlands (pdf), which includes the following recommendations:

• Better opportunities in the Netherlands for civil society organizations to collectively institute legal proceedings.

• Introduction of constitutional review of laws by the Dutch judiciary.

• Better legislation pertaining to profiling and datamining.

• No introduction of automatic number plate recognition (ANPR) as is currently being envisaged.

• Suspension of the unregulated border control system @MIGO-BORAS.

• No reintroduction of large scale data retention (general Data Retention Act).

• No mass surveillance under the new Intelligence and Security Services Act and closer judicial supervision over secret services.

• Withdrawal of the Computer Criminality Act III , which will allow the Dutch police to hack into any ICT device.

• A voluntary and regionally organized (instead of a national) Electronic Health Record system with privacy by design.

• Introduction of an anonymous public transport chip card that is truly anonymous.

You can find our entire report HERE (pdf). The reports from other organizations can be found HERE.

Embassies

Privacy First did not sent its report only to the Human Rights Council but also forwarded it to all the foreign embassies in The Hague. Consequently, Privacy First had extensive (confidential) meetings in recent months with the embassies of Argentina, Australia, Bulgaria, Chili, Germany, Greece and Tanzania. The positions of our interlocutors varied from senior diplomats to ambassadors. Furthermore, Privacy First received positive reactions to its report from the embassies of Mexico, Sweden and the United Kingdom. Moreover, several passages from our report were integrated in the UN summary of the overall human rights situation in the Netherlands; click HERE ('Summary of stakeholders' information', par. 47-50).

Our efforts will hopefully prove to have been effective tomorrow. However, this cannot be guaranteed as it concerns an inter-State, diplomatic process and many issues in our report (and in recent talks) are sensitive subjects in countless other UN Member States as well.

UN Human Rights Committee

In December 2016, Privacy First submitted a similar report to the UN Human Rights Committee in Geneva. This Committee periodically reviews the compliance of the Netherlands with the International Covenant on Civil and Political Rights (ICCPR). Partly as a result of this report, last week the Committee put the Intelligence and Security Services Act, camera system @MIGO-BORAS and the Data Retention Act among other things, on the agenda for the upcoming Dutch session in 2018 (see par. 11, 27).

We hope that our input will be used by both the UN Human Rights Council as well as the UN Human Rights Committee and that it will lead to constructive criticism and internationally exchangeable best practices.

The Dutch UPR session will take place tomorrow between 9am and 12.30pm and can be followed live online.

Update 10 May 2017: during the UPR session in Geneva today, the Dutch government delegation (led by Dutch Minister of Home Affairs Ronald Plasterk) received critical recommendations on human rights and privacy in relation to counter-terrorism by Canada, Germany, Hungary, Mexico and Russia. The entire UPR session can be viewed HERE. Publication of all recommendations by the UN Human Rights Council follows May 12th.

Update 12 May 2017: Today all recommendations to the Netherlands have been published by the UN Human Rights Council, click HERE (pdf). Useful recommendations to the Netherlands regarding the right to privacy were made by Germany, Canada, Spain, Hungary, Mexico and Russia, see paras. 5.29, 5.30, 5.113, 5.121, 5.128 & 5.129. You can find these recommendations below. Further comments by Privacy First will follow.

Extend the National Action Plan on Human Rights to cover all relevant human rights issues, including counter-terrorism, government surveillance, migration and human rights education (Germany);

Extend the National Action Plan on Human Rights, published in 2013 to cover all relevant human rights issues, including respect for human rights while countering terrorism, and ensure independent monitoring and evaluation of the Action Plan (Hungary);

Review any adopted or proposed counter-terrorism legislation, policies, or programs to provide adequate safeguards against human rights violations and minimize any possible stigmatizing effect such measures might have on certain segments of the population (Canada);

Take necessary measures to ensure that the collection and maintenance of data for criminal [investigation] purposes does not entail massive surveillance of innocent persons (Spain);

Adopt and implement specific legislation on collection, use and accumulation of meta-data and individual profiles, including in security and anti-terrorist activities, guaranteeing the right to privacy, transparency, accountability, and the right to decide on the use, correction and deletion of personal data (Mexico);

Ensure the protection of private life and prevent cases of unwarranted access of special agencies in personal information of citizens in the Internet that have no connection with any illegal actions (Russian Federation). [sic]

Update 26 May 2017: a more comprehensive UN report of the UPR session has now been published (including the 'interactive dialogue' between UN Member States and the Netherlands); click HERE (pdf). In September this year, the Dutch government will announce which recommendations it will accept and implement.

After numerous lawsuits in various European countries, the decision has finally been made: in a break-through ruling, the European Court of Justice has decided this week that a general requirement to retain telecommunications data (data retention) is unlawful because it is in violation of the right to privacy. This ruling has far-reaching consequences for surveillance legislation in all EU member States, including the Netherlands.

Previous data retention in the Netherlands

Under the 2009 Dutch Data Retention Act, the telecommunications data (telephony and internet traffic) of everyone in the Netherlands used to be retained for 12 months and 6 months, respectively, for criminal investigation purposes. This legislation stemmed from the 2006 European Data Retention Directive. However, in April 2014 the European Court of Justice declared this European Directive invalid because it violates the right to privacy. Subsequently, former Dutch minister of Security and Justice Ivo Opstelten refused to withdraw the Dutch Data Retention Act, after which a broad coalition of Dutch organizations and companies demanded in interim injunction proceedings that the Act would be rendered inoperative. The claimant organizations were the Privacy First Foundation, the Dutch Association of Defence Counsel (NVSA), the Dutch Association of Journalists (NVJ), the Netherlands Committee of Jurists for Human Rights (NJCM), Internet provider BIT and telecommunications providers VOYS and SpeakUp. Boekx Attorneys in Amsterdam took care of the proceedings, and successfully so: rather uniquely (laws are seldomly rendered inoperative by a judge, let alone in interim injunction proceedings), on 11 March, 2015, the Dutch district court in The Hague repealed the entire Act at once. The Dutch government decided not to appeal the ruling, which has been final since then. Consequently, all telecom operators concerned have deleted the relevant data. In relation to criminal investigations and prosecutions, so far this does not seem to have led to any problems.

European Court makes short shrift of mass storage once and for all

Unfortunately, the April 2014 decision of the European Court left some margin for interpretation under which broad, general retention of everyone’s telecommunications data could still be allowed, for example through close judicial supervision before access and use of those data. In a Swedish and a British case about data retention, the European Court has now ensured full clarity in favour of the right to privacy of every innocent person on European territory:

"The Charter of Fundamental Rights of the European Union must be interpreted as precluding national legislation which, for the purpose of fighting crime, provides for general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication’’, the Court judges.

In other words: mass storage of everyone’s data for criminal investigation purposes is unlawful. After all, according to the Court this ‘‘exceeds the limits of what is strictly necessary and cannot be considered to be justified within a democratic society’’.

In conventional language, the Court basically says that such legislation doesn’t belong in a free democracy under the rule of law, but in a totalitatrian dictatorship instead. And this is exactly the raison d'être of the Charter of Fundamental Rights of the European Union (which was inspired by universal human rights), on which the verdict of the Court is based.

Consequences for the Netherlands

Recently the current Dutch minister of Security and Justice, Ard van der Steur, has again presented to the Dutch House of Representatives a legislative proposal to reintroduce a broad, general telecommunications retention Act. Moreover, a similar legislative proposal pending in the Dutch Senate concerns the recognition and retention of number plate codes of all cars in the Netherlands (i.e. everyone’s travel movements and location data). Following the EU Court ruling, both legislative proposals are unlawful in advance on account of violation of the right to privacy. The same goes for planned mass storage of data that flow in and out of the Netherlands through large internet cables under the new Dutch Intelligence and Security Services Act (and the international exchange thereof), the possible future reintroduction of central databases with everyone’s fingerprints, national DNA databases, national records which include everyone’s financial transactions, etc. etc.

Following the EU Court ruling, the Dutch government can draw one conclusion only: both the legislative proposal that regards the new telecommunications retention Act as well as the legislative proposal that relates to the registration on a massive scale of number plate codes, are to be withdrawn this instant. Otherwise Privacy First will again enforce this in court and will do likewise with every other legislative proposal that threathens to violate the right to privacy of innocent citizens on a large scale.

Privacy First wishes you happy holidays and a privacy-friendly 2017!

"A Dutch court on Wednesday struck down a law requiring telecoms and Internet service providers to store their clients' private phone and email data, saying it breached European privacy rules.

"The judge ruled that data retention is necessary and effective to combat serious crime. Dutch legislation however infringes on the individual's right to privacy and the protection of personal data," the Hague district court said.

"The law therefore contravenes the Charter of Fundamental Rights of the European Union," the court said in a statement.

Seven groups and organisations including privacy watchdog Privacy First and the Dutch Association of Journalists dragged the Dutch state to court last month over the issue.

The Dutch court's decision comes after the European Court of Justice in April 2014 struck down the European Union law that forced telecoms operators to store private phone and email data for up to two years, judging it too invasive, despite its usefulness in combating terrorism.

Advocate General Pedro Cruiz Villalon declared the 2006 legislation illegal and told the European Union's 28 member states to take the necessary steps to withdraw it.

The 2006 directive called for EU states to store individuals' Internet, mobile telephone and text metadata -- the time, date, duration and destination, but not the content of the communications themselves -- for six months to two years.

This data could then be accessed by national intelligence and police agencies.

"The privacy rights of Dutch citizens were violated en masse by this mass surveillance," said Vincent Boehre of Privacy First.

"Privacy First fights for a society in which innocent civilians do not have to feel that they are being constantly monitored," he said on the organisation's website in response to the ruling.

"The verdict of the Hague tribunal is an important step in that direction," said Boehre."

Source: http://thepeninsulaqatar.com/news/international/326442/dutch-court-nixes-data-storage-law-says-privacy-breached, 12 March 2015.

"La justice néerlandaise a annulé mercredi une loi exigeant le stockage de données personnelles, assurant que bien qu'utile à la lutte contre le crime, le texte violait la vie privée des utilisateurs des réseaux téléphoniques et d'internet.

"Les juges ont estimé que le stockage de données était nécessaire et efficace pour combattre le crime, mais la législation néerlandaise est contraire aux droits des personnes à une vie privée et à la protection de leurs données personnelles", a indiqué le tribunal de La Haye dans un communiqué.

"La loi est donc contraire à la Charte des droits fondamentaux de l'Union européenne", a ajouté le tribunal.

Sept organisations, dont l'organisation de défense de la vie privée Privacy First et l'Association néerlandaise des Journalistes, avaient entamé une action contre l?État le mois dernier.

Cette décision des juges intervient environ un an après une décision de la justice européenne, qui avait imposé en avril 2014 une révision de la législation sur la conservation des données personnelles, la jugeant "disproportionnée" malgré son utilité dans la lutte contre le terrorisme.

La directive en question datait de 2006 et exigeait des opérateurs de télécoms et des fournisseurs d'accès internet de stocker les données des communications téléphoniques ou de courriels pendant six mois à deux ans.

Étaient donc conservées les métadonnées desdites communications, comme l'heure, la date, la durée et la destination, mais pas leur teneur.

Ces données pouvaient ensuite être consultées par les services de renseignement ou la police.

"Les droits à une vie privée des citoyens néerlandais ont été violés en masse par cette surveillance", a affirmé Vincent Boehre, le directeur des opérations de Privacy First, cité dans un communiqué publié sur le site internet de l'organisation.

Privacy First "lutte pour une société dans laquelle des civils innocents ne doivent pas se sentir comme s'ils étaient constamment surveillés", a-t-il ajouté, soulignant que ce jugement est "une étape importante dans cette direction"."

Source: http://www.leparisien.fr/high-tech/la-justice-neerlandaise-annule-une-loi-sur-les-donnees-personnelles-11-03-2015-4595081.php, 11 March 2015.

"A Dutch court struck down a law requiring telecoms and Internet service providers to store their clients' private phone and e-mail data, saying it breached European privacy rules.

"The judge ruled that data retention is necessary and effective to combat serious crime. Dutch legislation however infringes on the individual's right to privacy and the protection of personal data," the Hague district court said.

"The law therefore contravenes the Charter of Fundamental Rights of the European Union," the court said in a statement.

Seven groups and organisations including privacy watchdog Privacy First and the Dutch Association of Journalists dragged the Dutch state to court last month over the issue.

The Dutch court's decision comes after the European Court of Justice in April 2014 struck down the European Union law that forced telecoms operators to store private phone and e-mail data for up to two years, judging it too invasive, despite its usefulness in combating terrorism.

Advocate General Pedro Cruiz Villalon declared the 2006 legislation illegal and told the European Union's 28 member states to take the necessary steps to withdraw it.

The 2006 directive called for EU states to store individuals' Internet, mobile telephone and text metadata – the time, date, duration and destination, but not the content of the communications themselves – for six months to two years.

This data could then be accessed by national intelligence and police agencies.

"The privacy rights of Dutch citizens were violated en masse by this mass surveillance," said Vincent Boehre of Privacy First.

"Privacy First fights for a society in which innocent civilians do not have to feel that they are being constantly monitored," he said on the organisation's website in response to the ruling.

"The verdict of the Hague tribunal is an important step in that direction," said Boehre."

Source: http://www.thestar.com.my/Tech/Tech-News/2015/03/12/Dutch-court-nixes-data-storage-law-says-privacy-breached/, 12 March 2015.

"A Dutch court on Wednesday struck down a law requiring telecoms and Internet service providers to store their clients' private phone and email data, saying it breached European privacy rules.

"The judge ruled that data retention is necessary and effective to combat serious crime. Dutch legislation however infringes on the individual's right to privacy and the protection of personal data," the Hague district court said.

"The law therefore contravenes the Charter of Fundamental Rights of the European Union," the court said in a statement.

Seven groups and organisations including privacy watchdog Privacy First and the Dutch Association of Journalists dragged the Dutch state to court last month over the issue.

The Dutch court's decision comes after the European Court of Justice in April 2014 struck down the European Union law that forced telecoms operators to store private phone and email data for up to two years, judging it too invasive, despite its usefulness in combating terrorism.

Advocate General Pedro Cruiz Villalon declared the 2006 legislation illegal and told the European Union's 28 member states to take the necessary steps to withdraw it.

The 2006 directive called for EU states to store individuals' Internet, mobile telephone and text metadata - the time, date, duration and destination, but not the content of the communications themselves - for six months to two years.

This data could then be accessed by national intelligence and police agencies.

"The privacy rights of Dutch citizens were violated en masse by this mass surveillance," said Vincent Boehre of Privacy First.

"Privacy First fights for a society in which innocent civilians do not have to feel that they are being constantly monitored," he said on the organisation's website in response to the ruling.

"The verdict of the Hague tribunal is an important step in that direction," said Boehre."

Source: http://www.bangkokpost.com/tech/world-updates/494578/dutch-court-nixes-data-storage-law-says-privacy-breached, 12 March 2015.

"A judge scrapped the Netherlands' data retention law Wednesday, saying that while it helps solve crimes it also breaches the privacy of telephone and Internet users.

The ruling followed a similar decision in April by the European Union's top court that wiped out EU data collection legislation it deemed too broad and offering too few privacy safeguards.

The Security and Justice Ministry said it was considering an appeal.

Under the Dutch law, telephone companies were required to store information about all fixed and mobile phone calls for a year. Internet providers had to store information on their clients' Internet use for six months.

The written judgment by Judge G.P. van Ham conceded that scrapping the data storage "could have far-reaching consequences for investigating and prosecuting crimes" but added that this could not justify the privacy breaches the law entails.

The judge did not set a deadline for disposing of the data.

Privacy First, one of the organizations that took the government to court, said the ruling "will bring to an end years of massive privacy breaches" in the Netherlands.

The government said after last year's European court ruling that it would amend its law.

In a written statement, the Security and Justice Ministry said it regretted the court's decision.

"Providers are no longer required to store data for investigations," the statement said. "The ministry is seriously concerned about the effect this will have on fighting crime.""

Source: http://thechronicleherald.ca/business/1274008-judge-overturns-dutch-data-retention-legislation, 11 March 2015.

"A Dutch court Wednesday handed a victory to privacy advocates by striking down a data-retention law that gives the government easy access to telecommunication data.

The District court of The Hague said the law, which requires telecom providers to collect and store data for as long as 12 months, violates citizens' right to privacy and the right to protection of personal data. "The judge finds that this violation is not limited to what is strictly necessary," it said.

The ruling, which can still be appealed, is a blow to the Dutch government, which said the law was important to fight terrorism and organized crime. But it is a victory for privacy advocates, journalists and criminal lawyers in the Netherlands who argued that the law was unconstitutional because data are kept regardless of whether citizens are a suspect or not.

A spokesman for the Dutch ministry of Security and Justice wasn't immediately available to comment on the ruling.

The court's decision is effective immediately, which means that telecommunication companies are no longer obligated to store and collect data.

Most of the big providers weren't immediately available for comment, with some saying their legal experts need time to assess the implications.

"There are multiple layers in this ruling. We need to know how we should interpret it," a Tele2 spokesman said.

The lawsuit was the latest in a decade of legal challenges to data-retention across Europe. First adopted under an European Union directive dating to 2006, such rules generally require telecom providers to collect and store data about their users' mobile phone traffic and location for as long as two years.

But in several countries, including Germany, data-retention laws have since been tossed out on privacy grounds. And last spring, the European Union Court of Justice, the bloc's highest court, struck down the underlying directive requiring countries to implement the rules in the first place, saying it didn't have sufficient safeguards for individual's right to privacy.

In the Netherlands, where a data-retention law was enacted in 2009, the Dutch government has shown reluctance to scrap the law for security reasons. (...)"

Source: http://blogs.wsj.com/digits/2015/03/11/dutch-court-strikes-down-countrys-data-retention-law/, 12 March 2015.

"A judge scrapped the Netherlands' data retention law Wednesday, saying that while it helps solve crimes it also breaches the privacy of telephone and Internet users.

The ruling by a judge in The Hague followed a similar decision in April by the European Union's top court that wiped out EU data collection legislation it deemed too broad and offering too few privacy safeguards.

The Security and Justice Ministry said it was considering an appeal.

Under the Dutch law, telephone companies were required to store information about all fixed and mobile phone calls for a year. Internet providers had to store information on their clients' Internet use for six months.

The written judgment by Judge G.P. van Ham conceded that scrapping the data storage "could have far-reaching consequences for investigating and prosecuting crimes" but added that this could not justify the privacy breaches the law entails.

The judge did not set a deadline for disposing of the data.

Privacy First, one of the organizations that took the government to court, said the ruling "will bring to an end years of massive privacy breaches" in the Netherlands.

The government said after last year's European court ruling that it would amend its law.

In a written statement, the Security and Justice Ministry said it regretted the court's decision.

"Providers are no longer required to store data for investigations," the statement said. "The ministry is seriously concerned about the effect this will have on fighting crime.""

Source: http://www.nzherald.co.nz/business/news/article.cfm?c_id=3&objectid=11415850, 12 March 2015.