Financial Privacy & PSD2

A coalition of civil rights organizations in the Netherlands that had previously won a lawsuit against System Risk Indication (SyRI) is calling on the Dutch Senate to reject an even more sweeping Bill dubbed ‘Super SyRI’. According to the parties, the proposal is on a collision course with the rule of law while the Dutch government refuses to learn lessons from the childcare benefits scandal, one of the largest scandals in Dutch politics in recent decades.

The Data Processing by Partnerships Act (Wet Gegevensverwerking door Samenwerkingsverbanden, WGS) enables Dutch government agencies and companies to link together the data stored about citizens and companies through partnerships. Public authorities and companies that take part in such cooperative frameworks are obliged to pool together their data. This should help in the fight against all kinds of crime and offenses.

Under the Act, it is not just data that companies and public authorities share with each other. Signals, suspicions and blacklists are also exchanged and linked together. On the basis of this form of shadow record-keeping, these parties can coordinate with each other enforcement ‘interventions’ against citizens who end up in their crosshairs.

Public authorities and companies targeting citizens through data surveillance

In order to enable the large-scale sharing of personal data between public authorities and companies, the Act casts aside numerous confidentiality obligations, privacy rights and legal safeguards that have traditionally applied to the processing of personal data. This leads to a "far-reaching, large-scale erosion of the legal protection of citizens", according to the opposing coalition of which Privacy First is a member: "If this Bill is adopted, the door will be left wide open for the executive branch of the government and private parties to subject both citizens and companies to arbitrary data surveillance."

Through the Act, the Dutch government also wants to create the possibility to start new partnerships in case of ‘urgency’, without providing Parliament the opportunity of examination. The Dutch House of Representatives will be informed about such partnerships only after their establishment, then having to decide whether to pass them into law. This is contrary to the Dutch Constitution, which stipulates that legislation approved by Parliament should include privacy protections. The parties find it unacceptable that Parliament is not involved in the formation of new partnerships and can decide on them only after they have been established.

Legitimizing unlawful practices that have lasted for years

In addition to the possibility of establishing new partnerships, the Act includes four partnerships that have been around for years, but have never been laid down in law. The cabinet now wants to retroactively create a legal basis for these partnerships.

The parties that brought legal proceedings against System Risk Indication (SyRI) point out that SyRI, which was prohibited by the court, was also used for years without a legal basis. According to the parties, there are strong similarities with the partnerships that the new Bill is now intended to legitimize: "Drastic practices in which personal data are processed in violation of the fundamental rights of citizens were set up as a trial and continued for years, only to be given a legal basis as a fait accompli. Fundamental rights that should protect citizens against unjustified government action thereby become mere obstacles for the government to overcome."

Risk assessments, blacklists and suspicions

The coalition previously wrote that the practices under the Act are in many ways similar to the data processing that preceded the childcare benefits scandal that sent shock waves through Dutch society. Based on secret data analyses, lists of citizens who had been falsely labeled by the tax authorities as criminal fraudsters were distributed through various agencies, ruining the personal lives of tens of thousands of families. Under the partnerships that would be made possible by the Act, public authorities and companies would be able to abundantly share risk analyses, blacklists and many other types of data, suspicions and signals about citizens. The Dutch Data Protection Authority advised the Senate in November 2021 not to pass the law, stating that the proposal could lead to "Kafkaesque situations for large numbers of people".

The civil society coalition against SyRI consists of the Dutch Civil Rights Platform (Platform Bescherming Burgerrechten), the Dutch Lawyers Committee for Human Rights (NJCM), Dutch trade union FNV, the Dutch National Clients Council, Privacy First, the KDVP Foundation and authors Maxim Februari and Tommy Wieringa.

Download the recent letter by the coalition to the Dutch Senate HERE (pdf in Dutch).

Source: https://bijvoorbaatverdacht.nl/syri-coalitie-eerste-kamer-moet-datasurveillancewet-super-syri-afwijzen/, 15 February 2022.

Today, the district court of The Hague ruled on the use of the algorithm-based system SyRI (System Risk Indication) by the Dutch government. The judges decided that the government, in trying to detect social services fraud, has to stop profiling citizens on the basis of large scale data analysis. As a result, people in the Netherlands are no longer 'suspected from the very start’ ("bij voorbaat verdacht").

The case against the Dutch government was brought by a coalition of NGOs, consisting of the Dutch Platform for the Protection of Civil Rights (Platform Bescherming Burgerrechten), the Netherlands Committee of Jurists for Human Rights (Nederlands Juristen Comité voor de Mensenrechten, NJCM), Privacy First, the KDVP Foundation (privacy in mental healthcare), Dutch trade union FNV, the National Clients Council (LCR) and authors Tommy Wieringa and Maxim Februari.

The court concludes that SyRI is in violation of the European Convention on Human Rights. SyRI impinges disproportionately on the private life of citizens. This concerns not only those that SyRI has flagged as an 'increased risk', but everyone whose data are analysed by the system. According to the court, SyRI is non-transparent and therefore cannot be scrutinized. Citizens can neither anticipate the intrusion into their private life, nor can they guard themselves against it.

Moreover, the court draws attention to the actual risk of discrimination and stigmatization on the grounds of socio-economic status and possibly migration background, of citizens in disadvantaged urban areas where SyRI is being deployed. There is a risk – which cannot be examined – that SyRI operates on the basis of prejudices. The attorneys of the claimant parties, Mr. Ekker and Mr. Linders, had this to say: "The court confirms that the large scale linking of personal data is in violation of EU law, Dutch law and fundamental human rights, including the protection of privacy. Therefore, this ruling is also important for other European countries and on a wider international level."

From now on, as long as there is no well-founded suspicion, personal data from different sources may no longer be combined.

Line in the sand

"This ruling is an important line in the sand against the unbridled collection of data and risk profiling. The court puts a clear stop to the massive surveillance that innocent citizens have been under. SyRI and similar systems should be abolished immediately", states Privacy First director Vincent Böhre.

"Today we have been proved right on all fundamental aspects. This is a well-timed victory for the legal protection of all citizens in the Netherlands", says Tijmen Wisman of the Platform for the Protection of Civil Rights.

Another plaintiff in the case, trade union FNV, equally rejects SyRI on principal grounds. "We are delighted that the court has now definitively cancelled SyRI", comments Kitty Jong, vice chair of FNV.

Turning point

The parties hope that the ruling will herald a turning point in the way in which the government deals with the data of citizens. They believe this viewpoint is endorsed by the considerations of the court: these apply not only to SyRI, but also to similar practices. Many municipalities in the Netherlands have their own data linking systems which profile citizens for all sorts of policy purposes. When it comes to combining data, a legislative proposal that would be greater in scope than SyRI and would enable lumping together the databases of private parties and those of public authorities, was all but unthinkable. The decision by the Hague district court, however, clamps down on these Big Data practices. According to the claimant parties, it is therefore of crucial importance that the SyRI ruling will affect both current as well as future political policies.

Public debate

The case against SyRI serves both a legal and a social goal. With this ruling, both goals are reached. Merel Hendrickx of PILP-NJCM: "Apart from stopping SyRI, we also aimed at initiating a public debate about the way the government deals with citizens in a society undergoing digitisation. This ruling shows how important it is to have that discussion."

Although SyRI was adopted in 2014 without any fuss, the discussion about its legality intensified after the lawsuit was announced. At the start of 2019, the use of SyRI in two Rotterdam neighbourhoods led to protests among inhabitants and a discussion in the municipal council. Soon after, the mayor of Rotterdam, Ahmed Aboutaleb, pulled the plug on the SyRI program because of doubts over its legal basis. In June 2019, Dutch newspaper Volkskrant revealed that SyRI had not detected a single fraudster since its inception. In October 2019, the UN Special Rapporteur on extreme poverty and human rights, Philip Alston, wrote a critical letter to the district court of The Hague expressing serious doubts over the legality of SyRI. Late November 2019, SyRI won a Big Brother Award.

The coalition of parties was represented in court by Anton Ekker (Ekker Advocatuur) and Douwe Linders (SOLV Attorneys). The proceedings were coordinated by the Public Interest Litigation Project (PILP) of the NJCM.

The full ruling of the court can be found HERE (official translation in English).

Fundamental lawsuit against mass risk profiling of unsuspected citizens

On Tuesday October 29 at 9:30 am in the district court of The Hague the court hearing will take place in the main proceedings of a broad coalition of Dutch civil society organizations against Systeem Risico Indicatie (System Risk Indication - SyRI). SyRI uses secret algorithms to screen entire residential areas to profile citizens on the risk of fraud with social services. According to the coalition of plaintiffs, this system poses a threat to the rule of law and SyRI must be declared unlawful.

The group of plaintiffs, consisting of the Dutch Platform for the Protection of Civil Rights, the Netherlands Committee of Jurists for Human Rights (NJCM), the Privacy First Foundation, the KDVP Foundation and the National Client Council (LCR), in March 2018 sued the Dutch Ministry of Social Affairs. Authors Tommy Wieringa and Maxim Februari, who previously spoke very critically about SyRI, joined the proceedings in their personal capacity. In July 2018, Dutch labour union FNV also joined the coalition.

The parties are represented by Anton Ekker (Ekker Advocatuur) and Douwe Linders (SOLV Attorneys). The case is coordinated by the Public Interest Litigation Project (PILP) of the NJCM.

Trawl method on unsuspected citizens

SyRI links the personal data of citizens from various government databases on a large scale. These centrally collected data are subsequently analyzed by secret algorithms. This should show whether citizens pose a risk of being guilty of one of the many forms of fraud and violations that the system covers. If the analysis of SyRI leads to a risk notification, then the citizen in question will be included in the so-called Risk Notices Register (Register Risicomeldingen), which can be accessed by government authorities.

SyRI uses this trawl method to screen all residents of a neighborhood or area. For this, the system uses almost all data that government authorities store about citizens. It comprises 17 data categories, which together provide a very intrusive picture of someone's private life. SyRI currently covers the databases of the Dutch Tax Authorities, Inspectorate of Social Affairs, Employment Office, Social Security Bank, municipalities and the Immigration Service. According to the Dutch Council of State (Raad van State), which gave a negative opinion on the SyRI bill, it was hard to imagine any data that did not fall within the scope of the system. Former chairman Kohnstamm of the Dutch Data Protection Authority, which also issued a negative opinion on the system, called the adoption of the SyRI legislation "dramatic" at the time.

Threat to the rule of law

According to the claimants, SyRI is a black box with major risks for the democratic rule of law. It is completely unclear to any citizen, who can be screened by SyRI without cause, what data are used for this, which analysis is carried out with it and what makes him or her a 'risk'. Moreover, due to the secret operation of SyRI, citizens are also unable to refute an incorrect risk indication. The use of SyRI makes the legal process and the associated procedures intransparent.

SyRI thereby undermines the relationship of trust between the government and its citizens; these citizens are in fact suspected in advance. Virtually all information that they share with the government, often to be eligible for basic services, can be used against them secretly without any suspicion.

The plaintiffs in this lawsuit are not opposed to the government combating fraud. They just think that this should be done on the basis of a concrete suspicion. There should be no trawl searches in the private life of unsuspected Dutch citizens to look for possible fraud risks. According to the claimants, this disproportionate method does more harm than good. There are better and less radical forms of fraud prevention than SyRI.

Not one fraudster detected yet

The total of five SyRI investigations that have been announced since the system's legal introduction have by now turned tens of thousands of citizens inside out, but have not yet detected one fraudster. This was revealed at the end of June 2019 by Dutch newspaper Volkskrant, which managed to get hold of evaluations of SyRI investigations. The investigations failed because the analyses were incorrect, due to lack of capacity and time at the implementing bodies, but also because there is disagreement within the government about SyRI.

For example, mayor Aboutaleb of Rotterdam pulled the plug from the SyRI investigation in two neighborhoods in Rotterdam South last summer, because the Ministry, unlike the municipality, also wanted to use police and healthcare data in the investigation. The deployment of SyRI also led to protest among the neighborhood's residents, who clearly showed that they felt insulted and unfairly treated.

UN expresses concern about SyRI

The UN Special Rapporteur on extreme poverty and human rights Philip Alston wrote to the court earlier this month about his concerns about SyRI and urged the judges to thoroughly assess the case. According to the rapporteur, several fundamental rights are at stake. SyRI is described in his letter as a digital equivalent of a social detective who visits every household in an area without permission and searches for fraudulent cases; in the analogue world such a massive manhunt would immediately lead to great resistance, but with a digital instrument such as SyRI, it is wrongly claimed that 'ignorance is bliss'.

Practical information

The court hearing is open to the public and will take place on Tuesday October 29th from 9.30 am in the Palace of Justice, Prins Clauslaan 60 in The Hague. Case number: C/09/550982 HA ZA 18/388 (Nederlands Juristen Comité c.s./Staat).

Source: campaign website Bijvoorbaatverdacht.nl.

Today an important debate will take place in the Dutch House of Representatives about the introduction of Passenger Name Records (PNR): the large scale, years-long storage of all sorts of data of airline passengers, supposedly to fight crime and terrorism. Privacy First has major objections and at the end of last week has sent the following letter to the House. Today’s parliamentary debate was first scheduled to take place on 14 May 2018, but was cancelled (following a similar letter from Privacy First) until further notice. Following new parliamentary questions, the debate will now take place today after all. Here is the full text of our most recent letter:

Dear Members of the House of Representatives,

On Monday afternoon, this 11 March, you will discuss the Dutch implementation of the European directive on Passenger Name Records (PNR) with minister Grapperhaus (Justice and Security). In Privacy First’s view, both the European PNR directive as well as the Dutch implementation thereof are legally untenable. We shall here briefly elucidate our position.

Holiday register

Under the minister’s legislative proposal concerning PNR, numerous data of every single airline passenger travelling to or from the Netherlands will be stored for five years in a central government database of the new Passenger Information Unit and will be used to prevent, investigate and prosecute crimes and terrorism. Sensitive personal data (such as names, addresses, telephone numbers, email addresses, dates of birth, travel data, ID document numbers, destinations, fellow passengers and payment data) of many millions of passengers will, as a result, become available for many years for the purpose of data mining and profiling. In essence, this means that every airline passenger will be treated as a potential criminal or terrorist. In 99.9% of all cases, however, this concerns perfectly innocent citizens, mainly holidaymakers and business travellers. This is a flagrant breach of their right to privacy and freedom of movement. Last year, Privacy First had already made these arguments in the Volkskrant and on BNR Nieuwsradio. Because of privacy objections, in recent years there has been a lot of political resistance to such large scale PNR storage of data, which has been rejected by both the House of Representatives as well as the European Parliament on several occasions since 2010. In 2015, Dutch ruling parties VVD and PvdA were absolutely opposed to PNR as well. Back then, they called it a ‘holiday register’ and they themselves threatened to take to the European Court of Justice in case the PNR directive would be adopted. However, after the attacks in Paris and Brussels, it seemed that many political restraints had evaporated and in 2016, the PNR directive finally came about after all. Up to now however, the legally required necessity and proportionality of this directive have still to be demonstrated.

European Court

In the summer of 2017, the European Court of Justice issued an important ruling with regard to the similar PNR agreement between the EU and Canada. The Court declared this agreement invalid because it violates the right to privacy. Among other things, the Court held that the envisaged agreement must, “limit the retention of PNR data after the air passengers’ departure to that of passengers in respect of whom there is objective evidence from which it may be inferred that they may present a risk in terms of the fight against terrorism and serious transnational crime.” (See Opinion 1/15 (26 July 2017), par. 207.) Ever since this ruling, the European PNR directive is a legal uncertainty. Therefore, the Dutch government has valid ‘‘concerns about the future viability of the PNR directive” (see Note in response to report, p. 23, in Dutch). Privacy First expects that the current PNR directive will soon be submitted to the European Court of Justice for judicial review and will then be declared unlawful. Subsequently, a situation will arise that is similar to the one we have witnessed a few years ago with regard to the European Telecommunications Data Retention Act: as soon as this European directive will be annulled, the Dutch implementing provisions will equally be invalidated in interim injunction proceedings.

Mass surveillance

The current Dutch PNR legislative proposal seems unlawful a priori because of a lack of demonstrable necessity, proportionality and subsidiarity. The legislative proposal comes down to mass surveillance of mostly innocent citizens; in the 2016 Tele2 case the European Court already ruled that this type of legislation is unlawful. Thereupon the Netherlands pledged before the UN Human Rights Council “to ensure that the collection and maintenance of data for criminal [investigation] purposes does not entail massive surveillance of innocent persons.” The Netherlands now seems to renege on that promise. After all, a lot of completely unnecessary data of every airline passenger will be stored for years and can be used by various Dutch, European and even non-European government agencies. Moreover, the effectiveness of PNR has to date never been demonstrated, the minister himself affirmed: ‘‘There is no statistical support” (see Note in response to report, p. 8, in Dutch). The risk of unjust suspicion and discrimination (due to fallible algorithms used for profiling) under the proposed PNR system is serious, which also increases the likelihood of delays and missed flights for innocent passengers. All the while, wanted persons will often stay under the radar and choose alternative travel routes. Furthermore, the legislative proposal entirely fails to address the role and capabilities of secret services, which will be granted secret and shielded access to the central PNR database under the new Dutch Intelligence and Security Services Act. However, the most questionable aspect of the Dutch PNR legislative proposal is that it goes even two steps further than the European PNR directive itself: After all, it is the Dutch government's own decision to also store the data of passengers on all intra-EU flights. This is not obligatory under the PNR directive, and the Netherlands could have limited this to preselected flights (judged to be at risk) only. This would have been in line with the advice of most experts in this field who argue for targeted actions as opposed to mass surveillance. In other words, to focus on persons with a reasonable suspicion about them, in accordance with the principles of our democracy under the rule of law.

Privacy First Advice

Privacy First strongly advises you to reject the current legislative proposal and to replace it with a privacy-friendly version. In case this will lead to the European Commission referring the Netherlands to the European Court of Justice due to a lack of implementation of the present PNR directive, Privacy First would be confident this would end in a clear victory for the Netherlands. EU Member States simply cannot be expected to implement privacy-violating EU rules. This applies equally to the national implementation of relevant resolutions of the UN Security Council (in this case UNSC Res. 2396 (2017)) which is similarly at odds with international human rights law. In this respect, Privacy First has already warned of the abuse of the Dutch TRIP system (which is also used for PNR) by other UN Member States. In this regard, the Netherlands has its own responsibility under the Dutch Constitution as well as under international law.

For further information or questions with respect to the issues above, feel free to contact Privacy First at all times by phone (+31-20-8100279) or email: This email address is being protected from spambots. You need JavaScript enabled to view it..

Yours sincerely,

Privacy First Foundation

Update 19 March 2019: Regrettably, today the House of Representatives has adopted the legislative proposal almost unchanged; only GroenLinks, SP, PvdD and Denk voted against. Unfortunately, a motion by GroenLinks and SP to provoke legal action by the European Commission against the Dutch government about the PNR directive was rejected. The only bright spot is the widely adopted motion for the judicial reassessment and possible revision of the PNR directive at a European political level. (Only PVV and FvD voted against this motion.) Next stop: the Senate.

Update 4 June 2019: despite sending the above letter for a second time and despite other critical input by Privacy First, the Senate today has unfortunately adopted the legislative proposal. Only GroenLinks, PvdD and SP voted against. Even in spite of the enormous error rates (false positives) of 99.7% that recently came to light in the comparable German PNR system, see https://www.sueddeutsche.de/digital/fluggastdaten-bka-falschtreffer-1.4419760. Meanwhile, large scale cases have been brought against the European PNR directive in Germany and Austria in order for the European Court of Justice to nullify it on account of violations of the right to privacy, see the German-English campaign website https://nopnr.eu and https://www.nrc.nl/nieuws/2019/05/15/burgers-in-verzet-tegen-opslaan-passagiersgegevens-a3960431. As soon as the European Court rules that the PNR directive is unlawful, Privacy First will start interim injunction proceedings in order for the Dutch PNR law to be rendered inoperative. Moreover, yesterday Privacy First has put the PNR law on the agenda of the UN Human Rights Committee in Geneva. On 1 and 2 July 2019, the overall human rights situation in the Netherlands (including violations of the right to privacy) will be critically reviewed by this Committee.

A group of civil society organizations is bringing a case against the Dutch government because of System Risk Indication, better known by the abbreviation SyRI. According to the plaintiffs, this risk profiling system is a black box that should be stopped as it forms a risk to the democratic rule of law.

The coalition of plaintiffs consists of the Netherlands Committee of Jurists for Human Rights (NJCM), the Dutch Platform for the Protection of Civil Rights (Platform Bescherming Burgerrechten), Privacy First, the KDVP Foundation (privacy in mental healthcare) and the National Clients Council (LCR). Two well-known authors, Tommy Wieringa and Maxim Februari, have in their individual capacities joined the case as plaintiffs. As ‘ambassadors’ to this lawsuit, they have fiercely criticized SyRI on multiple occasions.

The proceedings are carried out by Deikwijs Attorneys under the guidance of the Public Interest Litigation Project (PILP) of the NJCM.

Trawl net actions on the basis of secret algorithms targeting innocent citizens

SyRI links together on a large scale personal data of innocent citizens from databases of public authorities and companies. With the use of secret algorithms, citizens are subsequently subjected to a risk analysis. When there is an increased risk of breaking one of the many laws that SyRI covers, individuals are included in the Risk Reports Register, which is accessible to many government agencies.

SyRI is a black box that poses a major threat to the democratic rule of law. Citizens who are being examined through SyRI without any justification, have absolutely no idea which of their data are being used for analyses, what kind of analyses are being carried out and what actually determines whether or not they are a ‘risk’. Because SyRI works surreptitiously, citizens are not in a position to refute any incorrect flagging that may concern them.

According to the coalition, SyRI is in breach of various fundamental rights while it simultaneously undermines the relationship of trust between citizens and those in power. Citizens are suspect from the very start and all of the information that they share with public authorities, may secretly be used against them without imputation or concrete ground.

Ministry refuses to operate in a transparent manner

Despite fundamental objections from the Dutch Council of State (Raad van State) and the Dutch Data Protection Authority about the lawfulness of the system, at the end of 2014 the legislation for SyRI was rubber-stamped by the Dutch Senate and the House of Representatives. However, SyRI has been in use ever since 2008 already. Since then, dozens of investigations have been carried out and this included examining entire neighborhoods in several Dutch cities. Once the system was specified in law, it has been applied in Eindhoven and Capelle aan den IJssel among other places. It was recently announced that SyRI will be used in the Rotterdam neighborhoods of Bloemhof en Hillesluis and in the Haarlem neighborhood of Schalkwijk.

A FOIA request submitted by the coalition has resulted in barely any information concerning the dozens of SyRI investigations that have been carried out prior to and after the system had been laid down in law in 2014. The Dutch Ministry of Social Affairs is unwilling to provide insight into its practices arguing that, by disclosing the data and risk models that are used in SyRI, cunning citizens would become aware what to look out for when they commit fraud. The claimants, in their turn, assert that this is not in line with the obligation to inform and the right to a fair trial.

More information

In the context of this lawsuit, a public information campaign called ‘Bij Voorbaat Verdacht’ (‘Suspect From The Very Start’) has been launched. On the (Dutch) campaign website you can find updates about the legal proceedings as well as a simplified summary of the subpoena. The complete subpoena (in Dutch) can be found on the website of Deikwijs Attorneys (pdf). Click HERE for the English version on the website of PILP (pdf).

Update 16 October 2018: the District Court of The Hague has allowed the Dutch Federation of Trade Unions (FNV) as co-plaintiff in the lawsuit.

"Twelve organizations teamed up to file a lawsuit to stop the implementation of a new data mining law in the Netherlands. The new law was adopted by the Dutch Senate on Tuesday and gives the intelligence services more capabilities to spy on internet traffic on a large scale.

"We trust that the Dutch judges will pull the brake and say: this law goes too far", human rights lawyer Jelle Klaas, who is representing the coalition of organizations in their lawsuit, said to RTL Nieuws. The coalition includes the Public Interest Litigation Project, civil rights organization Privacy First, the Dutch Association of Journalists, the Dutch Association of Criminal Law Attorneys and the Platform for the Protection of Civil Rights.

According to the organizations, this law is a serious violation of Dutch citizens' privacy. The case will first be presented to a Dutch court, who will test it against the European Convention of Human Rights. If the Dutch court rules against the organizations, they will take it to the European Court.

Klaas is currently preparing the case. He expects that the lawsuit will only actually start after the new law is implemented on January 1st, 2018, but he hopes it happens earlier."

Source: http://nltimes.nl/2017/07/12/lawsuit-started-new-dutch-data-mining-law, 12 July 2017.

Tomorrow morning the Netherlands will be examined in Geneva by the highest human rights body in the world: the United Nations Human Rights Council. Since 2008, the Human Rights Council reviews the human rights situation in each UN Member State once every five years. This procedure is called the Universal Periodic Review (UPR).

Privacy First shadow report

During the previous two UPR sessions in 2008 and 2012, the Netherlands endured a fair amount of criticism. At the moment, the perspectives with regard to privacy in the Netherlands are worse than they’ve ever been before. This is reason for Privacy First to actively bring a number of issues to the attention of the UN. Privacy First did so in September 2016 (a week prior to the UN deadline), through a so-called shadow report: a report in which civil society organizations express their concerns about certain issues. (It’s worth pointing out that the Human Rights Council imposes rigorous requirements on these reports, a strict word limit being one of them.) UN diplomats rely on these reports in order to properly carry out their job. Otherwise, they would depend on one-sided State-written reports that mostly provide a far too optimistic view. So Privacy First submitted its own report about the Netherlands (pdf), which includes the following recommendations:

• Better opportunities in the Netherlands for civil society organizations to collectively institute legal proceedings.

• Introduction of constitutional review of laws by the Dutch judiciary.

• Better legislation pertaining to profiling and datamining.

• No introduction of automatic number plate recognition (ANPR) as is currently being envisaged.

• Suspension of the unregulated border control system @MIGO-BORAS.

• No reintroduction of large scale data retention (general Data Retention Act).

• No mass surveillance under the new Intelligence and Security Services Act and closer judicial supervision over secret services.

• Withdrawal of the Computer Criminality Act III , which will allow the Dutch police to hack into any ICT device.

• A voluntary and regionally organized (instead of a national) Electronic Health Record system with privacy by design.

• Introduction of an anonymous public transport chip card that is truly anonymous.

You can find our entire report HERE (pdf). The reports from other organizations can be found HERE.

Embassies

Privacy First did not sent its report only to the Human Rights Council but also forwarded it to all the foreign embassies in The Hague. Consequently, Privacy First had extensive (confidential) meetings in recent months with the embassies of Argentina, Australia, Bulgaria, Chili, Germany, Greece and Tanzania. The positions of our interlocutors varied from senior diplomats to ambassadors. Furthermore, Privacy First received positive reactions to its report from the embassies of Mexico, Sweden and the United Kingdom. Moreover, several passages from our report were integrated in the UN summary of the overall human rights situation in the Netherlands; click HERE ('Summary of stakeholders' information', par. 47-50).

Our efforts will hopefully prove to have been effective tomorrow. However, this cannot be guaranteed as it concerns an inter-State, diplomatic process and many issues in our report (and in recent talks) are sensitive subjects in countless other UN Member States as well.

UN Human Rights Committee

In December 2016, Privacy First submitted a similar report to the UN Human Rights Committee in Geneva. This Committee periodically reviews the compliance of the Netherlands with the International Covenant on Civil and Political Rights (ICCPR). Partly as a result of this report, last week the Committee put the Intelligence and Security Services Act, camera system @MIGO-BORAS and the Data Retention Act among other things, on the agenda for the upcoming Dutch session in 2018 (see par. 11, 27).

We hope that our input will be used by both the UN Human Rights Council as well as the UN Human Rights Committee and that it will lead to constructive criticism and internationally exchangeable best practices.

The Dutch UPR session will take place tomorrow between 9am and 12.30pm and can be followed live online.

Update 10 May 2017: during the UPR session in Geneva today, the Dutch government delegation (led by Dutch Minister of Home Affairs Ronald Plasterk) received critical recommendations on human rights and privacy in relation to counter-terrorism by Canada, Germany, Hungary, Mexico and Russia. The entire UPR session can be viewed HERE. Publication of all recommendations by the UN Human Rights Council follows May 12th.

Update 12 May 2017: Today all recommendations to the Netherlands have been published by the UN Human Rights Council, click HERE (pdf). Useful recommendations to the Netherlands regarding the right to privacy were made by Germany, Canada, Spain, Hungary, Mexico and Russia, see paras. 5.29, 5.30, 5.113, 5.121, 5.128 & 5.129. You can find these recommendations below. Further comments by Privacy First will follow.

Extend the National Action Plan on Human Rights to cover all relevant human rights issues, including counter-terrorism, government surveillance, migration and human rights education (Germany);

Extend the National Action Plan on Human Rights, published in 2013 to cover all relevant human rights issues, including respect for human rights while countering terrorism, and ensure independent monitoring and evaluation of the Action Plan (Hungary);

Review any adopted or proposed counter-terrorism legislation, policies, or programs to provide adequate safeguards against human rights violations and minimize any possible stigmatizing effect such measures might have on certain segments of the population (Canada);

Take necessary measures to ensure that the collection and maintenance of data for criminal [investigation] purposes does not entail massive surveillance of innocent persons (Spain);

Adopt and implement specific legislation on collection, use and accumulation of meta-data and individual profiles, including in security and anti-terrorist activities, guaranteeing the right to privacy, transparency, accountability, and the right to decide on the use, correction and deletion of personal data (Mexico);

Ensure the protection of private life and prevent cases of unwarranted access of special agencies in personal information of citizens in the Internet that have no connection with any illegal actions (Russian Federation). [sic]

Update 26 May 2017: a more comprehensive UN report of the UPR session has now been published (including the 'interactive dialogue' between UN Member States and the Netherlands); click HERE (pdf). In September this year, the Dutch government will announce which recommendations it will accept and implement.

Shocking news reached us last week from the United States regarding the eavesdropping scandal that involves the US government. The digital state terrorism under Obama Bin Laden (the difference is really just a mere letter) has only been further institutionalized in his terms of office and undermines the basis of the democratic constitutional state inside and outside of America. Everyone’s a suspect, massive data storage and then continuous, real-time profiling of every citizen, in particular the citizens and organizations the governments dislikes. ‘’Just trust us, we don’t actually trust you.’’ One-sided transparency, citizens without any form of privacy, the government shielded by so-called state security protocols and always at war with an unknown enemy, so ‘’everything is permissible‘’.

• A democracy is characterized by administrative transparency and respect for the private life of citizens. Within a dictatorship things are exactly the other way around: transparency of private life and administrative secrecy are the norm. To what extent is America still democratic? Over there whistleblowers that represent fundamental rights and real patriots in the true sense of the word are portrayed as terrorists.
• 29-year old Edward Snowden is committed to his own principles and is now forced to seek asylum far away from the United States.
• After having revealed abuses by that same government, Julian Assange felt the need to flee to the Ecuadorian embassy in London where, by now, he’s been holed up for over a year.
• Where are the days when such people got the credit they deserved? Not that long ago, during the Watergate Scandal, the American president had to resign. It also brings to mind George Orwell’s newspeak: simply turning everything around, denying, lying, deceiving. So here we have it: the government that sold "change" and "hope" to its own people and the world.

A few hopeful changes à la Obama:

• Guantanamo Bay is still open and its prisoners have been held there for years without any form of fair trial and with no way out; secret courts are the norm.
• Everywhere in the world, unwanted citizens and innocent citizens are pre-emptively eliminated without any form of trial, judicial process or evidence through the use of drones, which additionally violates the sovereign airspace of foreign states. In case a drone crashes, instead of apologizing for violating international law, the drone is ordered back in no uncertain terms.
• By now hundreds of pilots are trained to fly drones and to kill "suspects" in a computer game-like way.
• Echelon, Carnivore and other data-collection programs are now complemented by PRISM, in order to be able to create a "digital life file" of every citizen, used to analyze the past, the present and possibly future behavior and ways of thinking. In case these ways of thinking are not to the government’s liking, the words "terrorist" and "part of a criminal organization" are immediately proclaimed and a profiling program commenced. This shameless infringement of the right to a private life takes place under the guise of terrorism prevention.
• Whereas in the past citizens under reasonable suspicion of a crime could be tracked on the basis of a judicial decision and whereas control was specifically aimed at foreigners in the home country, nowadays it’s every citizen’s turn without judicial interference and in the US, already 5 million officials of the State have access to such classified information. And the target within PRISM very clearly is the entire world and all (forms of) communication. Welcome to the new world! Data macht frei!
• Now the Obama administration is in the possession of these data, they are directly abused as well, for example by not handing out permits or by carrying out extra tax controls on dissenting groups. For years Privacy First has warned of function creep when it comes to this kind of legislation and the execution thereof. In this respect the Patriot Act is the least patriotic law (newspeak) since the coming into existence of the US and is applied all the time to be infinitely abused by the government, also outside of the US.

This was just a brief overview of cases that have come to the surface. Privacy First is especially bothered by the lack of self-reflection and self-control that governments display. "Is it technically possible? Then let’s do it!"

Instead of having a democratic discussion and offering a content-related reaction including apologies, or instead of the people responsible resigning, an immediate attack is launched and a sideway discussion started, exactly similar to the Wikileaks Affair:  

• Everything is inverted, the whistleblowers are terrorists and privacy fetishists who are actually weak and sensitive, characteristics that need to be eliminated immediately.
• Immediately diverting the question away from the topic and focussing on the mistakes made within the organization with the aim to eliminate whistleblowers; how can it be these whistleblowers have not been detected earlier?
• The subsequent phase is the stigmatization of the whistleblower, saying that more resolute action is needed to discourage other intelligent people with common sense and a democratic vision to undertake any such actions.
• After that comes the stigmatization of those holding different views and the press; the disgraceful free press that dares to publish such information: there has already been a call to prosecute any press that collaborates with whistleblowers. An immediate counter attack and you don’t need to talk about the content, a very easy option!
• It is allowed by law through the Patriot Act! Instead of calling this law into question when true patriots that are committed to principles reveal abuses.
• Shamelessly asserting that nothing’s going on when information is shared without the permission of citizens from other countries, with the argument that it’s convenient and that the government knows what is good for citizens. And all of this from a line of thinking dominated by fear, without a privacy-friendly alternative.

Time and again the government evades the real debate about reinforcing the fundamental principles of the democratic society on the basis of faith, about stimulating individual responsibility of citizens and, where necessary, about modifying the system with technology in order to improve the democratic process. The US government, like many other governments, has totally gone out of its mind and has forgotten it serves the interests of its citizens and the democratic fundamental principles instead of the other way around.

Privacy First makes a call to all pressure groups and government institutions to have a broad debate in society about this; in this digital age we are in need of a concrete alternative for the organization of a democratic society in order to stop the explosive growth of government terror that targets innocent and defenceless citizens. In this way Western democracies rapidly become totalitarian dictatorships while our society turns into an "electronic concentration camp".

→ What difference is there still between a dictatorship or a single-party state like China and the big leader of the free Western world, the US? That they are capitalistic societies?

→ What meaning does the message of progress, faith and love still have on a model of society that offers a hopeful future to the fully participating citizen?

At the end of the day scaling up, distancing of citizens, negative messages on the basis of fear, suspicion and black and white thinking will not lead to a more pleasant society. Nevertheless these are everyday occurrences since 9/11. A few years ago Privacy First already decided to choose for a free and inspiring society that had been fought for for 2000 years and to draw a line in the sand for citizens. We pay tribute to the whistleblowers! Who’s next?

Bas Filippini,
Chairman of the Privacy First Foundation

On Thursday 28 February 2013 there will be an important debate about the Dutch 'OV-chipkaart' (Public Transport chip card) in the Dutch House of Representatives (permanent commission for Infrastructure and Environment). In preparation of this debate the Privacy First Foundation today brought the following points to the attention of relevant Dutch Members of Parliament:  

1. The 'anonymous' OV chip card is not anonymous because it contains a unique identification number in the Radio Frequency Identification (RFID)-chip with which travellers can be identified and tracked afterwards through the linking of transaction data. In the view of Privacy First, this constitutes a violation of two human rights, namely the freedom of movement in conjunction with the right to privacy, in other words the classic right to travel freely and anonymously within one’s own country. Privacy First is eager to learn from the House of Representatives as well as the responsible member of government which steps have already been taken for the introduction of an anonymous OV chip card that is truly anonymous, for example through the development of new chip technology and modern forms of encryption without a unique identification number (privacy by design).
2. As long as (truly) anonymous OV chip cards and anonymous discount cards do not exist, printed travel tickets are to remain available for travellers who want to travel anonymously. Moreover, a special, anonymous discount card for children and elderly people should also be introduced.
3. Compulsory check-ins and check-outs for students carrying student OV chip cards contravenes with the right of students to travel freely and anonymously. Compulsory check-ins and check-outs therefore have to be abolished.
4. The planned closure of turnstiles at Dutch National Railway stations (Nederlandse Spoorwegen, NS) constitutes an unnecessary restriction to people's freedom of movement and can lead to dangerous situations in the event of calamities. It also creates unsafe situations in individual cases, for example for children, elderly people, ill or incapacitated people who need to be accompanied through the station by family or friends. Therefore Privacy First makes an urgent appeal to leave the turnstiles open at all times or to get rid of them and replace them with anonymous check-in and check-out poles.
5. The current retention period of OV chip card data should be reduced to an absolute minimum. Moreover, travellers should be offered the option to erase their travel history at any given moment.
6. The OV chip card dramatically increases costs for travellers, either when purchasing a chip card, when forgetting to check out, in the event of a malfunctioning card or check-out pole or when deciding to travel anonymously with a printed ticket. Privacy First is eager to hear from the House of Representatives as well as the responsible government member which measures will be taken to make travelling with an OV chip card cheaper while preserving people's privacy.

This afternoon the Privacy First Foundation sent the following email to the Dutch Senate: 

Dear Members of the Senate,

Recently the international Amsterdam Privacy Conference 2012 took place. In his opening speech at this conference, Dutch politician Lodewijk Asscher principally addressed the current legislative proposal of regulating prostitution. Asscher voiced the expectation that the envisaged registration of prostitutes will lead to lawsuits that will end up before the European Court of Human Rights in Strasbourg. The Privacy First Foundation shares this expectation. Therefore, we hereby make an urgent appeal to you not to let things get this far and to reject the legislative proposal during the plenary discussion this coming Tuesday, October 30th. Privacy First does so on the following grounds:

1. Compulsory registration of prostitutes will lead to a shift of prostitution to the illegal circuit. Thereby this legislative proposal will prove to be counterproductive, with all the risks this entails. The social (legal) status of prostitutes will become further weakened instead of strengthened.
2. Compulsory registration of prostitutes violates the right to privacy because it concerns the registration of sensitive personal information. This is prohibited under Article 16 of the Dutch Data Protection Act and is in breach of Article 8 of the European Convention on Human Rights.
3. Registration of prostitutes has a stigmatizing effect. Moreover, the security of this registration cannot possibly be guaranteed and there is also the danger of function creep. Therefore, the supposed advantages of registering do not outweigh the risks of data breaches, hacking, unauthorised and unforeseen use - now and in the future. This, in turn, also implies new risks of abuse and blackmailing.  
4. Combating criminality and human trafficking ought not to happen through the risky registration of prostitutes, but rather through more effective criminal investigation, prosecution and adjudication of the culprits without putting the victims in danger. For that purpose it is up to the Minister to develop alternative, privacy-friendly instruments in consultation with relevant NGOs.

We are willing to supply further information on the above points upon request.

Yours sincerely,

Privacy First Foundation

Update 30 October 2012: this afternoon the Senate heavily criticised (especially) the privacy aspects of compulsory registration of prostitutes. As a result, Minister Ivo Opstelten has decided to reconsider his approach to the issue. It now seems that compulsory registration is shelved. The discussion on other parts of the legislative proposal is postponed until further notice. Click HERE for an audio recording of the parliamentary debate (in Dutch) until its suspension (mp3, 2u53m, 119 MB).