Financial Privacy & PSD2

Recently, the Netherlands Standardisation Forum issued an advice to the government to ensure that public Wi-Fi networks for guest use are always secure. The independent advisory body recommends improving Wi-Fi security by using the WPA2-Enterprise standard. This recommendation applies to all public and semi-public institutions in the Netherlands and therefore has an impact on thousands of Wi-Fi networks.

The Standardisation Forum facilitates digital cooperation (interoperability) between government organizations and between government, businesses and citizens. It is the advisory body for the public sector regarding the use of open standards. According to its own website, all standards that the Forum recommends have been thoroughly tested, lower costs and reduce the risk of internet fraud and data abuse. The recent recommendation came after a request over a year ago by Privacy First and Wi-Fi roaming provider Publicroam. Privacy First and Publicroam requested the Forum to mandate WPA2-Enterprise as the standard for access to guest Wi-Fi. The Standardization Forum then decided to conduct further research, resulting in its current opinion.

Stop offering insecure guest Wi-Fi 

Privacy First chairman Paul Korremans is delighted with the advice: "It took a while, but now there is a clear recommendation. The Standardisation Forum calls for the secure provision of guest Wi-Fi, preferably using the WPA2-Enterprise standard. This recommendation creates clarity for all parties involved in setting up and managing public Wi-Fi networks within government institutions. Moreover, the recommendation will likely have a broader effect: in our view, the Forum is saying that we need to stop offering insecure guest Wi-Fi altogether." 

The Netherlands at the vanguard 

The Standardisation Forum made its decision in the summer of 2021 after several expert meetings and a public consultation. The recommendation was added to the existing obligation around WPA2-Enterprise in early September. The Netherlands is one of the first countries to have such an obligation.

WPA2-Enterprise 

Experts consider the standard WPA2-Enterprise (and its successor WPA3-Enterprise) to be the most suitable method for achieving secure Wi-Fi access. The standard is mandatory for Wi-Fi access for government employees and is widely used by businesses and educational institutions among others. Because it is a long-standing open standard, it is widely available and easy to implement.

The Privacy Collective press release

Millions of Dutch internet users victim of unlawful collection and use of personal data

The Privacy Collective takes Oracle and Salesforce to Court

The Privacy Collective - a foundation that acts against violation of privacy rights - is taking Oracle and Salesforce to Court. The foundation accuses the technology concerns of unlawfully collecting and processing data of millions of Dutch internet users. The foundation has launched a class action, a legal procedure in which compensation is claimed for a large group of individuals. It is the first time that this legal instrument is used in the Netherlands in a case of infringement of the General Data Protection Regulation (GDPR).

Christiaan Alberdingk Thijm, lead lawyer in the case: “This is one of the largest cases of unlawful processing of personal data in the history of the internet. Almost every Dutch individual who reads or views information online is structurally affected by the practices of Oracle and Salesforce. Practices that merely serve a commercial purpose.”

Online shadow profile

Oracle and Salesforce collect data from website visitors at any time and on a large scale. By combining this with additional information, they create a personal profile of each individual internet user. The millions of profiles are used, among other things, to offer personalized online advertisements and unlawfully shared with numerous commercial parties, including ad-tech companies. The tech giants collect their information using - among other things - specially developed cookies. Alberdingk Thijm: “Most people do not know that they have such an online 'shadow profile'. They don't know what it looks like and have certainly not given legitimate consent.” For the collection and sharing of personal data, Oracle and Salesforce are obliged to ask for permission under the GDPR. “These parties violate internet users' right to privacy. The right to protection of personal data and the right to protection of privacy are recognized as fundamental rights", says Alberdingk Thijm.

Class action

The possibility to claim damages in a class action was recently created under Dutch law.“Claiming damages in a class action is an important tool to ensure the enforcement of the GDPR,” says Joris van Hoboken, a board member of the foundation and professor in Information Law. “It gives the GDPR teeth.” The Privacy Collective calls upon individual consumers to register with the foundation in order to show their support. Based on the number of victims, the total extent of the damage could exceed 10 billion euros. Several organizations support The Privacy Collective's campaign, including Privacy First, Bits of Freedom, Qiy Foundation and Freedom Internet. The claims are being fully funded by Innsworth, a litigation funder. The organization’s funding enables the benefits of scaling common claims in a collective action, without any individual claimants being exposed to litigation costs. Inssworth finances a similar class action in England and Wales, which is currently being prepared.

Source: The Privacy Collective press release, 14 August 2020.

More information: https://theprivacycollective.eu/en/.

Writing a New Year’s Column about the state of affairs concerning the protection of everyone’s privacy weighs me down this year. With the exception of a few bright spots, privacy in the Netherlands and the rest of the world has greatly deteriorated. For a while it seemed that the revelations of Edward Snowden in 2013 about secret services tracking everyone’s online behavior would be a rude wake-up call for the world. It was thought that an increasing number of data breaches and a rising number of governments and companies getting hacked, would make people realize that large amounts of data stored centrally is not the solution. The Arab Spring in 2015 would bring about major change through the unprecedented use of (social) media.

The European Union successfully voted against the exchange of data relating to travel movements, paved the way for the current General Data Protection Regulation and seemed to become the shining alternative example under the guidance of Germany, a country known for its vigilance when it comes to privacy. Unfortunately, things turned out differently. Under the Obama administration, Snowden was shunned as a traitor and other whistleblowers were clamped down on harder than ever before. Julian Assange was forced into exile while murdering people with the use of drones and without any form of trial was implemented on a large scale. Extrajudicial killings with collateral damage... While the discussion was about waterboarding... Discussions on such ‘secondary topics’ have by now become commonplace in politics, and so has the framing and blaming of opponents in the polarized public debate (the focus is usually on the person rather than on the argument itself).

Looking back on 2018, Privacy First identifies a great number of areas where the breakdown of privacy is evident:

Government & privacy

In March, an advisory referendum in the Netherlands was held on the introduction of the so-called Tapping law. Immediately after that, the referendum was abrogated. This happened in a time of unprecedented technological possibilities to organize referendums in various ways in a shared democracy. That’s outrageous. The outcome of the referendum was not taken into account and the Tapping law was introduced just like that. Moreover, it turned out that all along, the Dutch Minister of the Interior had withheld an important report on the functioning of the Dutch General Intelligence and Security Service.

Apparently this was nothing to worry about and occurred without any consequences. The recent report by the Dutch State Commission on the (re)introduction of referendums will likely end up in a drawer, not to be looked at again.

Fear of losing one’s role and the political mood of the day are all too important in a culture in which ‘professional politicians’ are afraid to make mistakes, but which is full of incidents nonetheless. One’s job or profession comes first, representing citizens comes second. Invariably, incidents are put under a magnifying glass in order to push through binding legislation with a broad scope. Without the review of compliance with guiding principles such as necessity, purpose limitation, subsidiarity and proportionality. There is an ever wider gap between government and citizens, who are not trusted but are expected to be fully transparent towards that self-same government. A government that time and again appears to be concealing matters from citizens. A government that is required by law to protect and promote privacy, but is itself still the most prominent privacy-violator.

The medical establishment & privacy

In this area things got really out of hand in 2018. Through various coordinated media offensives, the EU and the member states are trying to make us believe in the advantages of relinquishing our right to physical integrity and our humanity. Sharing biometric data with the United States continues unabatedly. We saw the police calling for compulsory DNA databases, compulsory vaccination programs, the use of smart medicines with microchips and the phasing out of alternative therapies. Furthermore, health insurance companies cautiously started to cover genetic testing and increasingly doing away with medical confidentiality, the Organ Donation Act was introduced and microchips implanted in humans (the cyborg as the highest ideal in Silicon Valley propaganda) became ever more popular.

How long before microchips become compulsory for all citizens? All (domestic) animals in the EU have already preceded us. And then there’s the Electronic Health Record, which was first rejected in the Dutch Senate but has reappeared on the minister’s agenda via a detour. Driven by commercial interests, it is being rammed down the throats of general practitioners while alternatives such as Whitebox are not taken seriously. The influence of Big Pharma through lobbying with government bodies and participating in government working groups is particularly acute. They closely cooperate with a few IT companies to realize their ideal of large and centralized networks and systems. It’s their year-end bonus and growth at the expense of our freedom and well-being.

Media & privacy

Naturally, we cannot overlook ‘fake news’. One of the premises for having privacy is being able to form your own opinion and respect and learn from the opinions of others. Furthermore, independent left and right-wing media are essential in a democratic constitutional State. It's their task to monitor the functioning of elected and unelected representatives in politics and in government. Journalists should be able to penetrate into the capillaries of society in order to produce local, national and global news.

Ever since free news gathering came about, it has been a challenge to obtain news based on facts. It’s not always easy to distinguish a press service, PR and propaganda from one another. In times of rapid technological changes and new opportunities, they should be continuously reviewed according to the principles of journalism. That’s nothing new. What is new, however, is that the European Union and our own Minister for the Interior, Kajsa Ollongren, feel they’re doing the right thing by outsourcing censorship to social media companies that are active on a global scale and have proven to be unreliable.

While Facebook and Google have to defend themselves in court for spreading fake news and censoring accounts, the governments hand over the monitoring task to them. The privacy violators and fake news distributors as the guardians of our privacy and journalism. That’s the world upside down. By so doing, this minister and this government undermine the constitutional State and show disdain for intelligent citizens. It’s time for a structural change in our media system, based on new technologies such as blockchain and the founding of a government media office whose task is to fund all media outlets through citizens’ contributions, taking into account the media’s scope and number of members. So that concerns all media, including the so-called alternative media, which should not be censored.

Finance & privacy

The erosion of one’s privacy increasingly manifests itself at a financial level too. The fact of the matter is, that the tax authorities already know in detail what the spending pattern of all companies and citizens looks like. Thanks to the Tapping Law, they can now pass on this information in real-time to the secret services (the General Intelligence and Security Service is watching along). Furthermore, a well-intended initiative such as PSD2 is being introduced in a wholly improvident and privacy-unfriendly way: basic conditions relating to the ownership of bank details (of citizens, account holders) are devoid of substance. Simple features such as selective sharing of banking details, for example according to the type of payment or time period, are not available. What’s more, payment details of third parties who have not given their consent, are sent along.

In the meantime, the ‘cash = criminal’ campaign goes on relentlessly. The right to cash and anonymous payment disappears, despite even the Dutch Central Bank now warning that the role of cash is crucial to our society. Privacy First has raised its opinion on this topic already in 2016 during a public debate. The latest development in this regard is the further linking of information through Big Data and profiling by debt-collecting agencies and public authorities. Excluding citizens from the electronic monetary system as a new form of punishment instead of letting them pay fines is a not so distant prospect. In this regard, a lot of experimentation is going on in China and there have been calls in Europe to move in the same direction, supposedly in order to fight terrorism. In other words, in the future it will become increasingly difficult to raise your voice and organize against abuse of power by governments and companies: from on high it takes only the press of a button and you may no longer be able to withdraw cash, travel or carry out online activities. In which case you have become an electronic outcast, banished from society.

Public domain & privacy

In 2018, privacy in public space has all but improved. Whereas 20 years ago, the Netherlands was deemed too small to require everyone out on the streets to be able to identify themselves, by now, all governments and municipalities in Europe are developing ‘smart city’ concepts. If you ask what the benefits and use of a smart city are (beyond the permanent supervision of citizens), proponents will say something vague about traffic problems and that the 'killer applications' will become visible only once the network of beacons is in place. In other words, there are absolutely no solid figures which would justify the necessity, subsidiarity and proportionality of smart cities. And that’s not even taking basic civil rights such as privacy into consideration.

Just to give a few examples:

• ANPR legislation applies from 1 January 2019 (all travel movements on public roads will be stored in a centralized police database for four weeks)
• A database consisting of all travel movements and stays of European citizens and toll rates as per 2023
• Emergency chips in every vehicle with a two-way communication feature (better known as spyware) as per 1 January 2019
• Cameras and two-way communication in public space, built into the lampposts among other objects as part of smart city projects
• A decision to introduce additional cameras in public transport as per 2019
• The introduction of Smart Cities and the introduction of unlimited beacons (doesn’t it sound so much better than electronic concentration camp posts?)
• Linking together all traffic centers and control rooms (including those of security companies operating on the private market)
• Citizens are permanently monitored by invisible and unknown eyes.

Private domain & privacy

It’s well known that governments and companies are keen to take a peek in our homes, but the extent to which this was being advanced last year, was outside of all proportion. Let’s start with energy companies, who foist compulsory smart meters on citizens. By way of ‘appointment to install a smart meter’, which you didn’t ask for, it’s almost impossible to stay clear of red tape. After several cancellations on my part and phone calls to energy provider Nuon, they simply continued to push forward. I still don’t have a smart meter and it will stay like that.

Once again Silicon Valley featured prominently in the news in 2018. Unelected dictatorial executives who are no less powerful than many a nation state, promote their utopias as trendy and modern among citizens. Self-driving cars take the autonomy and joy away from citizens (the number of accidents is very small considering the millions of cars on the road each day), while even children can tell that a hybrid approach is the only option. The implementation of smart speakers by these social media companies is downright spooky. By bringing smart toys onto the market, toy manufacturers equally respond to the needs that we all seem to have. We can all too readily guess what these developments will mean for our privacy. The manipulation of facts and images as well as distortion, will starkly increase.

Children & privacy

Children and youths represent the future and nothing of the above bodes well for them. Screen addiction is sharply on the rise and as children are being raised amidst propaganda and fake news, much more attention should go out to forming one’s own opinion and taking responsibility. Centralized pupil monitoring systems are introduced indifferently in the education system, information is exchanged with parents and not having interactive whiteboards and Ipads in the classroom has become unthinkable. The first thing children see every single day, is a screen with Google on it... Big Brother.

Dependence on the internet and social media results in impulsive behaviour among children, exposes them to the madness of the day and affects their historical awareness and ability to discern underlying links. The way of thinking at universities is becoming increasingly one-sided and undesirable views are marginalized. The causes of problems are not examined, books are not read though there is certainly no lack of opinions. It’s all about making your voice heard within the limits of self-censorship that’s in force in order to prevent becoming the odd one out in the group. The same pattern can be identified when it comes to forming opinions in politics, where discussing various issues based on facts seems no longer possible. Not to mention that the opinions of citizens are considered irrelevant by our politicians. Good quality education focused on forming opinions and on creating self-reflective minds instead of a robot-way of thinking, is essential for the development of a healthy democracy.

Are there any positive developments?

It's no easy task to identify any positive developments in the field of privacy. The fact is that the introduction of the GDPR and the corresponding option to impose fines has brought privacy more sharply into focus among companies and citizens than the revelations of Snowden have been able to do. The danger of the GDPR, however, is that it narrows down privacy to data protection and administrative red tape.

Another positive development is the growing number of (as of yet small) initiatives whereby companies and governments consider privacy protection as a business or PR opportunity. This is proved by the number of participants in the 2019 Dutch Privacy Awards. Recurring themes are means of anonymous communication (email, search engines, browsers), possible alternatives to social networks (messaging services like WhatsApp, Facebook, Instagram and Twitter) on the basis of subscriptions, blockchain technology and privacy by design projects by large organizations and companies.

Privacy First has teamed up with a few top quality pro bono attorneys who are prepared to represent us in court. However, judges are reluctant to go off the beaten track and come up with progressive rulings in cases such as those concerning number plate parking, average speed checks, Automatic Number Plate Recognition, the Tapping Law, etc. For years, Privacy First has been suffering from a lack of funding. Many of those who sympathize with us, find the topic of privacy a bit eerie. They support us morally but don’t dare to make a donation. After all, you draw attention to yourself when you’re concerned with issues such as privacy. That’s how bad things have become; fear and self-censorship... two bad counsellors! It’s high time for a government that seriously deals with privacy issues.

Constitutional reform should urgently be placed on the agenda

Privacy First is a great proponent of constitutional reform (see our 2017 New Year’s column about Shared Democracy), based on the principles of the democratic constitutional State and the European Convention on Human Rights (ECHR). Our democracy is only 150 years old and should be adapted to this current day and age. This means that the structure of the EU should be changed. Citizens should take on a central and active role. Government policies should focus on technological developments in order to reinforce democracy and formulate a response to the concentration of power of multinational companies.

Privacy First argues that the establishment of a Ministry of Technology has the highest priority in order to be able to stay up to date with the rapid developments in this field and produce adequate policies accordingly. It should live up to the standards of the ECHR and the Dutch Constitution and avoid becoming a victim of the increasing lobbying efforts in this sector. Moreover, it is time for a Minister of IT & Privacy who stays up to date on all developments and acts with sufficient powers and in accordance with the review of a Constitutional Court.

The protection of citizens’ privacy should be facilitated and there should be privacy-friendly alternatives for current services by technology companies. For 2019, Privacy First has a few tips for ordinary citizens:

• Watch out for and stay away from ‘smart’ initiatives on the basis of Big Data and profiling!
• Keep an eye on the ‘cash = criminal’ campaign. Make at least 50% of your payments anonymously in cash.
• Be cautious when communicating through Google, Apple, Facebook and Microsoft. Look for or develop new platforms based on Quantum AI encryption and use alternative browsers (TOR), networks (VPN) and search engines (Startpage).
• Be careful when it comes to medical data and physical integrity. Use your right for there to be no exchange of medical data as long as initiatives such as Whitebox are not used.
• Be aware of your right to stay anonymous, at home and in public space. Campaign against toll payment, microchips in number plates, ANPR and number plate parking.
• Be aware of your legal rights to bring lawsuits, for example against personalized waste disposal passes, camera surveillance, etc.
• Watch out for ‘smart’ meters, speakers, toys and other objects in the house connected to the internet. Purchase only privacy by design solutions with privacy enhanced technology!

The Netherlands and Europe as guiding nations in the field of privacy, with groundbreaking initiatives and solutions for apparent contradictions concerning privacy and security issues - that’s Privacy First's aim. There’s still a long way to go, however, and we’re being blown off course ever more. That’s due in part because a comprehensive vision on our society and a democracy 3.0 is lacking. So we continue to drift rudderless, ending up in the big manipulation machine of large companies one step at a time. We need many more yellow vests before things change. Privacy First would like to contribute to shaping and promoting a comprehensive, positive vision for the future. A future based on the principles that our society was built on and the need for greater freedom, with all the inevitable restrictions this entails. We will have to do it together. Please support Privacy First actively with a generous donation for your own freedom and that of your children in 2019!

To an open and free society! I wish everyone a lot of privacy in 2019 and beyond!

Bas Filippini, Privacy First chairman

"Facebook continues to breach personal data privacy rights in Europe, says a group of human rights organizations, and it demands that Facebook’s EU-US data transfers stop by February 6, 2016. Facebook has formally responded.

As previously reported, the Privacy First Foundation, Public Interest Litigation Project PILP and the Dutch Platform for the Protection of Civil Rights (collectively, “Privacy First”) sent Facebook a demand letter, to which Facebook has now replied in writing.

Facebook’s written response

Facebook responded to Privacy First’s demand letter by giving written assurances of data protection in accordance with current law–that is, those parts of the Privacy Directive that survived the ruling in Schrems, the case that invalidated Safe Harbor.

Specifically, Facebook states that “the grounds for transfer of data set out in Article 26 of the Directive remain entirely lawful,” and that it complies with “these other grounds to transfer data legally from the European Union to the United States .” Facebook further challenged the Dutch tribunal Privacy First plans to use, as lacking competence over Facebook Ireland, the party it asserts is the data controller for data of Facebook Netherlands.

Privacy First’s reply

Privacy First, in its reply through its counsel Boekx, Amsterdam, reiterated its position that the other instruments currently used as basis for EU-US data transfers (such as Standard Contractual Clauses or individual consent) are “fundamentally flawed, as these options do not resolve the problems identified by the European Court of Justice in the Schrems judgment.”

Privacy First’s reply further reserves its rights to initiate legal proceedings in the Hague “requesting a preliminary injunction and/or raising prejudicial questions with the European Court of Justice” if Facebook doesn’t stop EU-US data transfers or provide adequate protections by February 6th, 2016.

Clearly, Privacy First and its co-plaintiffs are not happy with Facebook's response. (...)

Competent court

Facebook’s letter also challenges the competence of Dutch courts to hear proceedings in the Netherlands against Facebook Ireland, which it alleges is the true data controller, not Facebook Netherlands B.V. Regarding the competence issue, [Boekx] said that Dutch courts have rendered decisions in the past against both Facebook parties.

As reported, the EU and US are currently negotiating replacement of the Safe Harbor Agreement; there is a meeting of the negotiating parties scheduled for February 2nd to discuss EU-US data transfers and how to ensure protections for EU citizens in the legal uncertainties left by Schrems.

Further delays possible

Due to delay in legislation in the U.S. that may be one of the EU’s preconditions to Safe Harbor (the Judicial Redress Act), further delays in Safe Harbor resolution are expected (by some) that could take those negotiations beyond the February 6 deadline set by Privacy First. These delays could set Facebook up for proceedings that, if successful, would result in a shutdown of its EU-US data transfers. (...)"

Source: http://www.forbes.com/sites/lisabrownlee/2016/01/27/facebook-fires-back-in-eu-privacy-dispute/#2fe9f2801d5b, 27 January 2016.

"Non siamo la pecora nera, e rispettiamo le stesse regole degli altri. Potremmo così sintetizzare il nocciolo della difesa di Facebook contro le accuse di alcune organizzazioni pro-privacy e utenti olandesi che hanno chiesto, con lettera formale, di impedire il trasferimento di dati personali degli iscritti verso gli Stati Uniti, dove risiedono molti suoi data center e molte delle sue aziende inserzioniste. Minacciando azioni legali nel caso il social network non interrompa questa pratica prima del 16 gennaio. Le radici della vicenda sono note: dalla denuncia inoltrata nel 2013 dallo studente austriaco Max Schrems, fino alla recente decisione della Corte di Giustizia dell’Unione Europea di invalidare gli accordi regolati dal Safe Harbor.Vero è che le nuove regole comunitarie travolgono non solo la creatura di Mark Zuckerberg bensì circa quattromila aziende statunitensi presenti sul Web, però è altrettanto vero che l’attenzione mediatica e le preoccupazioni si concentrano inevitabilmente su Facebook, luogo dove più di ogni altro le vite private diventano condivise. Ma anche il social network delle immagini, Instagram, e la più popolare fra le applicazioni di messaggistica, WhatsApp (entrambe proprietà dell’azienda di Menlo Park) sono coinvolti.

La lettera in questione, infatti, è stata inviata alle sedi di Facebook in California, in Olanda e in Irlanda così come alle sedi di Instagram e Whatsapp. Il mittente è uno studio legale di Amsterdam, Boekx, che parla in rappresentanza di tre associazioni pro-privacy (Stichting Privacy First, Public Interest Litigation Project e Dutch Platform for the Protection of Civil Rights) e di privati cittadini olandesi. La richiesta è, appunto, quella di interrompere il trasferimento dei dati verso gli States entro le ore 18 del gennaio, a meno di non voler incorrere in azioni legali.

Nelle parole dell’avvocato Otto Volgenant dello studio Boekx, “Vogliamo fare pressione su Facebook” e indurre Zuckerberg a pronunciarsi in merito al dibattito sulla privacy in corso nei governi di diversi Paesi. Se poi Facebook facesse ostruzionismo, la protesta degli olandesi potrebbe arrivare dapprima in un tribunale nazionale e poi da qui alla Corte Europea di Giustizia.

La replica della società californiana, arrivata tramite Forbes da un portavoce dell’azienda, Matt Steinfeld, esordisce ribadendo che il social network “utilizza i medesimi meccanismi impiegati da migliaia di altre aziende per trasferire legittimamente dati dall’Europa agli Stati Uniti e ad altri Paesi in tutto in mondo”. E poi fa una proposta: “Crediamo che il modo migliore per risolvere l’attuale dibattito sul trasferimento dei dati oltre l’oceano sia creare un nuovo patto di Safe Harbour, che garantisca adeguate tutele ai cittadini europei”. Il social network, dunque, non si sottrae alla possibilità di modifiche del regolamento ma anzi si auspica che le discussioni in corso fra organismi regolatori europei e statunitensi, e fra essi e i rispettivi governi sfocino presto in un “esito positivo”, ha dichiarato Steinfeld."

Source: http://www.ictbusiness.it/cont/news/l-attacco-olandese-e-la-difesa-facebook-non-siamo-peggio-di-altri/36065/1.html#.VoJYKfFIiUn, 17 December 2015.

"Facebook, Inc. and related entities have received a letter demanding them to stop EU-US data transfers until U.S. laws comply with the EU data protection regime, or risk lawsuit in the Netherlands. Facebook must cease transfer by 15 January 2016. The complaining parties have reserved rights to file suit if compliance is not forthcoming.

The demand and summons letter was sent today by the Boekx law firm in Amsterdam on behalf of numerous plaintiffs including:
• Privacy First Foundation (Stichting Privacy First)
• Public Interest Litigation Project PILP
• Dutch Platform for the Protection of Civil Rights
and other users of Facebook, Instagram and WhatsApp. The letter was sent to Facebook Netherlands B.V., Facebook Ireland Limited, Facebook Inc. and Instagram LLC (California), and WhatsApp Inc. (California).

Facebook response

Facebook spokesperson Matt Steinfeld provided (...) the following written statement:

“Facebook uses the same mechanisms that thousands of others companies across the EU use to transfer data legally from the EU to the US, and to other countries around the world. We believe that the best solution to the on-going debate around transatlantic data transfers is for there to be a new Safe Harbor agreement with appropriate safeguards for EU citizens.”
“We understand that authorities in the EU and US are working hard to put such an agreement in place as soon as possible. We trust that these groups are engaging with their respective governments on this process to help it reach a successful conclusion.”

Lawsuit intended to pressure Facebook

Otto Volgenant of the Boekx stated to Dutch outlet RTLZ, “We want to put pressure on Facebook. Mark Zuckerberg must make its voice heard in the debate about privacy, the US government has the solution for this problem.” According to Volgenant (as reported), the case would first be brought in The Hague, which could exercise its option to refer the case to the European Court of Justice.

Volgenant predicted that such referral would not be made, given the clarity of law on the topic since the recent Schrems ruling of the European Court of Justice (discussed further below).

U.S. compliant-laws required

Specifically, the demand requires that Facebook “end the current unlawful transfer of personal data from the European Union to the United States” until the U.S. adopts laws “essentially equivalent to” European data protection laws, or face lawsuit in the Netherlands. The summons gives Facebook until Friday 15 January 2016 (18:00 CET) to cease EU-US transfers, or risk having a court force it and related Facebook entities, through an injunction, to cease such transfers.

Facebook “remarkably absent” in data privacy discussions

In its letter, Boekx accuses Facebook of being “remarkably absent” in the public debate over EU-US data transfers, following the European Court of Justice decision in Schrems, which decision invalidated the so-called “Safe Harbor Agreement” between the U.S. and the E.U. and thus made such transfers illegal under E.U. law., effective immediately upon rendering of that decision. (...)

The demand letter further articulates the specifics of the Schrems decision, including that court’s conclusions that the NSA violated “European fundamental rights to respect for private life” by its “access on a generalized basis to the content of electronic communications.”
(...)
The letter concludes:

If we cannot find an amicable solution and Facebook does not refrain from further transfer of personal data of data subjects from the European Union to the United States by then, we reserve the right to initiate legal proceedings in the Netherlands and to request a preliminary injunction from the competent Dutch Court."

Source: http://www.forbes.com/sites/lisabrownlee/2015/12/15/facebook-threatened-with-lawsuit-over-eu-us-data-transfers-facebook-response/, 15 December 2015.

Today the Privacy First Foundation and three other public interest groups as well as a number of Dutch individual users of Facebook, WhatsApp and Instagram request Mark Zuckerberg to join the public debate following the landmark Schrems-judgment of the European Court of Justice.

On 6 October 2015, the European Court of Justice invalidated the Safe Harbour Decision, which was the basis for Facebook’s transfer of personal data from the European Union to the United States. The Grand Chamber of the Court found that the legislation of the United States fails to ensure a level of protection essentially equivalent to that guaranteed in the legal order of the European Union. The NSA has access to Facebook content of users from the European Union, without any judicial redress being available to them. The Court held that this compromises the essence of the fundamental right to privacy. These issues have not been resolved yet.

Following the judgment, Facebook continued the transfer of personal data from the European Union to the United States. Bas Filippini of Privacy First says: ‘Absent an adequate level of protection in the United States, the continued transfer of personal data is clearly incompatible with European data protection laws. Such transfer violates the rights of millions of individuals. If this is not resolved shortly, we will initiate legal action.’

To date, Facebook has been remarkably absent in the public debate that followed this landmark judgment. Ton Siedsma of Bits of Freedom says: ‘We invite Facebook to publicly engage in a meaningful and transparent dialogue aimed at finding a solution, and to pressure the authorities to find such solution. Facebook is invited to publicly share its current and intended policies and practice on data transfer.’

Today, Facebook was summoned to come up with an adequate solution ultimately by 15 January 2016. If it fails to do so, civil rights groups and a number of Dutch individuals will request the Court in The Hague to grant an injunction ordering Facebook to immediately cease the transfer of personal data to the United States. This pertains to all services of Facebook, including WhatsApp and Instagram.

‘As long as the United States fails to provide an adequate level of protection against mass surveillance, personal data may not be transferred to the United States. Taking Facebook to court emphasizes the urgency of resolving this issue.’ says Jelle Klaas of the Public Interest Litigation Project of NJCM, the Dutch section of the International Commission of Jurists. ‘Our goal is not to put the screens of millions of users to black, but to enhance the current level of privacy protection. Hopefully, a solution can be found shortly by the legislators.’

Click HERE for our entire letter of summons to Mark Zuckerberg (pdf).

Update 21 January 2016: shortly before the deadline Facebook responded to our letter of summons by fax, click HERE (pdf). According to Facebook, there is still a suitable legal basis for the transfer of personal data from the EU to the US, despite the invalidity of Safe Harbour. Privacy First et al. contest this and have today sent a response to Facebook, click HERE (pdf).

In the discussion about a newly proposed surveillance bill in England, Facebook, following our summons letter, has made it publicly clear that:

“Governments should not be able to compel the production of private communications content absent authorization from an independent and impartial judicial official. (...) Surveillance laws should not permit bulk collection of information. The principles require that the Government specifically identify the individuals or accounts to be targeted and should expressly prohibit bulk surveillance.”

However, it is precisely these aspects where, according to the European Court of Justice, the legal protection in the US is inadequate. In our letter of this afternoon, Privacy First et al. have therefore requested Facebook to present their standpoint also in the debate about mass surveillance in the US. Negotiations about this issue are currently ongoing between the EU and the US. It would be good if Facebook gets involved in this debate, in line with the standpoint it voiced in relation to the English legislative proposal.

If in the short term a solution will not be found for the fundamental privacy issues the European Court of Justice has identified, Privacy First et al. will consider bringing interim injunction proceedings before the district court of The Hague.

"A Dutch court on Wednesday struck down a law requiring telecoms and Internet service providers to store their clients' private phone and email data, saying it breached European privacy rules.

"The judge ruled that data retention is necessary and effective to combat serious crime. Dutch legislation however infringes on the individual's right to privacy and the protection of personal data," the Hague district court said.

"The law therefore contravenes the Charter of Fundamental Rights of the European Union," the court said in a statement.

Seven groups and organisations including privacy watchdog Privacy First and the Dutch Association of Journalists dragged the Dutch state to court last month over the issue.

The Dutch court's decision comes after the European Court of Justice in April 2014 struck down the European Union law that forced telecoms operators to store private phone and email data for up to two years, judging it too invasive, despite its usefulness in combating terrorism.

Advocate General Pedro Cruiz Villalon declared the 2006 legislation illegal and told the European Union's 28 member states to take the necessary steps to withdraw it.

The 2006 directive called for EU states to store individuals' Internet, mobile telephone and text metadata -- the time, date, duration and destination, but not the content of the communications themselves -- for six months to two years.

This data could then be accessed by national intelligence and police agencies.

"The privacy rights of Dutch citizens were violated en masse by this mass surveillance," said Vincent Boehre of Privacy First.

"Privacy First fights for a society in which innocent civilians do not have to feel that they are being constantly monitored," he said on the organisation's website in response to the ruling.

"The verdict of the Hague tribunal is an important step in that direction," said Boehre."

Source: http://thepeninsulaqatar.com/news/international/326442/dutch-court-nixes-data-storage-law-says-privacy-breached, 12 March 2015.

"La justice néerlandaise a annulé mercredi une loi exigeant le stockage de données personnelles, assurant que bien qu'utile à la lutte contre le crime, le texte violait la vie privée des utilisateurs des réseaux téléphoniques et d'internet.

"Les juges ont estimé que le stockage de données était nécessaire et efficace pour combattre le crime, mais la législation néerlandaise est contraire aux droits des personnes à une vie privée et à la protection de leurs données personnelles", a indiqué le tribunal de La Haye dans un communiqué.

"La loi est donc contraire à la Charte des droits fondamentaux de l'Union européenne", a ajouté le tribunal.

Sept organisations, dont l'organisation de défense de la vie privée Privacy First et l'Association néerlandaise des Journalistes, avaient entamé une action contre l?État le mois dernier.

Cette décision des juges intervient environ un an après une décision de la justice européenne, qui avait imposé en avril 2014 une révision de la législation sur la conservation des données personnelles, la jugeant "disproportionnée" malgré son utilité dans la lutte contre le terrorisme.

La directive en question datait de 2006 et exigeait des opérateurs de télécoms et des fournisseurs d'accès internet de stocker les données des communications téléphoniques ou de courriels pendant six mois à deux ans.

Étaient donc conservées les métadonnées desdites communications, comme l'heure, la date, la durée et la destination, mais pas leur teneur.

Ces données pouvaient ensuite être consultées par les services de renseignement ou la police.

"Les droits à une vie privée des citoyens néerlandais ont été violés en masse par cette surveillance", a affirmé Vincent Boehre, le directeur des opérations de Privacy First, cité dans un communiqué publié sur le site internet de l'organisation.

Privacy First "lutte pour une société dans laquelle des civils innocents ne doivent pas se sentir comme s'ils étaient constamment surveillés", a-t-il ajouté, soulignant que ce jugement est "une étape importante dans cette direction"."

Source: http://www.leparisien.fr/high-tech/la-justice-neerlandaise-annule-une-loi-sur-les-donnees-personnelles-11-03-2015-4595081.php, 11 March 2015.

"A Dutch court struck down a law requiring telecoms and Internet service providers to store their clients' private phone and e-mail data, saying it breached European privacy rules.

"The judge ruled that data retention is necessary and effective to combat serious crime. Dutch legislation however infringes on the individual's right to privacy and the protection of personal data," the Hague district court said.

"The law therefore contravenes the Charter of Fundamental Rights of the European Union," the court said in a statement.

Seven groups and organisations including privacy watchdog Privacy First and the Dutch Association of Journalists dragged the Dutch state to court last month over the issue.

The Dutch court's decision comes after the European Court of Justice in April 2014 struck down the European Union law that forced telecoms operators to store private phone and e-mail data for up to two years, judging it too invasive, despite its usefulness in combating terrorism.

Advocate General Pedro Cruiz Villalon declared the 2006 legislation illegal and told the European Union's 28 member states to take the necessary steps to withdraw it.

The 2006 directive called for EU states to store individuals' Internet, mobile telephone and text metadata – the time, date, duration and destination, but not the content of the communications themselves – for six months to two years.

This data could then be accessed by national intelligence and police agencies.

"The privacy rights of Dutch citizens were violated en masse by this mass surveillance," said Vincent Boehre of Privacy First.

"Privacy First fights for a society in which innocent civilians do not have to feel that they are being constantly monitored," he said on the organisation's website in response to the ruling.

"The verdict of the Hague tribunal is an important step in that direction," said Boehre."

Source: http://www.thestar.com.my/Tech/Tech-News/2015/03/12/Dutch-court-nixes-data-storage-law-says-privacy-breached/, 12 March 2015.