Financial Privacy & PSD2

A coalition of civil rights organizations in the Netherlands that had previously won a lawsuit against System Risk Indication (SyRI) is calling on the Dutch Senate to reject an even more sweeping Bill dubbed ‘Super SyRI’. According to the parties, the proposal is on a collision course with the rule of law while the Dutch government refuses to learn lessons from the childcare benefits scandal, one of the largest scandals in Dutch politics in recent decades.

The Data Processing by Partnerships Act (Wet Gegevensverwerking door Samenwerkingsverbanden, WGS) enables Dutch government agencies and companies to link together the data stored about citizens and companies through partnerships. Public authorities and companies that take part in such cooperative frameworks are obliged to pool together their data. This should help in the fight against all kinds of crime and offenses.

Under the Act, it is not just data that companies and public authorities share with each other. Signals, suspicions and blacklists are also exchanged and linked together. On the basis of this form of shadow record-keeping, these parties can coordinate with each other enforcement ‘interventions’ against citizens who end up in their crosshairs.

Public authorities and companies targeting citizens through data surveillance

In order to enable the large-scale sharing of personal data between public authorities and companies, the Act casts aside numerous confidentiality obligations, privacy rights and legal safeguards that have traditionally applied to the processing of personal data. This leads to a "far-reaching, large-scale erosion of the legal protection of citizens", according to the opposing coalition of which Privacy First is a member: "If this Bill is adopted, the door will be left wide open for the executive branch of the government and private parties to subject both citizens and companies to arbitrary data surveillance."

Through the Act, the Dutch government also wants to create the possibility to start new partnerships in case of ‘urgency’, without providing Parliament the opportunity of examination. The Dutch House of Representatives will be informed about such partnerships only after their establishment, then having to decide whether to pass them into law. This is contrary to the Dutch Constitution, which stipulates that legislation approved by Parliament should include privacy protections. The parties find it unacceptable that Parliament is not involved in the formation of new partnerships and can decide on them only after they have been established.

Legitimizing unlawful practices that have lasted for years

In addition to the possibility of establishing new partnerships, the Act includes four partnerships that have been around for years, but have never been laid down in law. The cabinet now wants to retroactively create a legal basis for these partnerships.

The parties that brought legal proceedings against System Risk Indication (SyRI) point out that SyRI, which was prohibited by the court, was also used for years without a legal basis. According to the parties, there are strong similarities with the partnerships that the new Bill is now intended to legitimize: "Drastic practices in which personal data are processed in violation of the fundamental rights of citizens were set up as a trial and continued for years, only to be given a legal basis as a fait accompli. Fundamental rights that should protect citizens against unjustified government action thereby become mere obstacles for the government to overcome."

Risk assessments, blacklists and suspicions

The coalition previously wrote that the practices under the Act are in many ways similar to the data processing that preceded the childcare benefits scandal that sent shock waves through Dutch society. Based on secret data analyses, lists of citizens who had been falsely labeled by the tax authorities as criminal fraudsters were distributed through various agencies, ruining the personal lives of tens of thousands of families. Under the partnerships that would be made possible by the Act, public authorities and companies would be able to abundantly share risk analyses, blacklists and many other types of data, suspicions and signals about citizens. The Dutch Data Protection Authority advised the Senate in November 2021 not to pass the law, stating that the proposal could lead to "Kafkaesque situations for large numbers of people".

The civil society coalition against SyRI consists of the Dutch Civil Rights Platform (Platform Bescherming Burgerrechten), the Dutch Lawyers Committee for Human Rights (NJCM), Dutch trade union FNV, the Dutch National Clients Council, Privacy First, the KDVP Foundation and authors Maxim Februari and Tommy Wieringa.

Download the recent letter by the coalition to the Dutch Senate HERE (pdf in Dutch).

Source: https://bijvoorbaatverdacht.nl/syri-coalitie-eerste-kamer-moet-datasurveillancewet-super-syri-afwijzen/, 15 February 2022.

Today, the district court of The Hague ruled on the use of the algorithm-based system SyRI (System Risk Indication) by the Dutch government. The judges decided that the government, in trying to detect social services fraud, has to stop profiling citizens on the basis of large scale data analysis. As a result, people in the Netherlands are no longer 'suspected from the very start’ ("bij voorbaat verdacht").

The case against the Dutch government was brought by a coalition of NGOs, consisting of the Dutch Platform for the Protection of Civil Rights (Platform Bescherming Burgerrechten), the Netherlands Committee of Jurists for Human Rights (Nederlands Juristen Comité voor de Mensenrechten, NJCM), Privacy First, the KDVP Foundation (privacy in mental healthcare), Dutch trade union FNV, the National Clients Council (LCR) and authors Tommy Wieringa and Maxim Februari.

The court concludes that SyRI is in violation of the European Convention on Human Rights. SyRI impinges disproportionately on the private life of citizens. This concerns not only those that SyRI has flagged as an 'increased risk', but everyone whose data are analysed by the system. According to the court, SyRI is non-transparent and therefore cannot be scrutinized. Citizens can neither anticipate the intrusion into their private life, nor can they guard themselves against it.

Moreover, the court draws attention to the actual risk of discrimination and stigmatization on the grounds of socio-economic status and possibly migration background, of citizens in disadvantaged urban areas where SyRI is being deployed. There is a risk – which cannot be examined – that SyRI operates on the basis of prejudices. The attorneys of the claimant parties, Mr. Ekker and Mr. Linders, had this to say: "The court confirms that the large scale linking of personal data is in violation of EU law, Dutch law and fundamental human rights, including the protection of privacy. Therefore, this ruling is also important for other European countries and on a wider international level."

From now on, as long as there is no well-founded suspicion, personal data from different sources may no longer be combined.

Line in the sand

"This ruling is an important line in the sand against the unbridled collection of data and risk profiling. The court puts a clear stop to the massive surveillance that innocent citizens have been under. SyRI and similar systems should be abolished immediately", states Privacy First director Vincent Böhre.

"Today we have been proved right on all fundamental aspects. This is a well-timed victory for the legal protection of all citizens in the Netherlands", says Tijmen Wisman of the Platform for the Protection of Civil Rights.

Another plaintiff in the case, trade union FNV, equally rejects SyRI on principal grounds. "We are delighted that the court has now definitively cancelled SyRI", comments Kitty Jong, vice chair of FNV.

Turning point

The parties hope that the ruling will herald a turning point in the way in which the government deals with the data of citizens. They believe this viewpoint is endorsed by the considerations of the court: these apply not only to SyRI, but also to similar practices. Many municipalities in the Netherlands have their own data linking systems which profile citizens for all sorts of policy purposes. When it comes to combining data, a legislative proposal that would be greater in scope than SyRI and would enable lumping together the databases of private parties and those of public authorities, was all but unthinkable. The decision by the Hague district court, however, clamps down on these Big Data practices. According to the claimant parties, it is therefore of crucial importance that the SyRI ruling will affect both current as well as future political policies.

Public debate

The case against SyRI serves both a legal and a social goal. With this ruling, both goals are reached. Merel Hendrickx of PILP-NJCM: "Apart from stopping SyRI, we also aimed at initiating a public debate about the way the government deals with citizens in a society undergoing digitisation. This ruling shows how important it is to have that discussion."

Although SyRI was adopted in 2014 without any fuss, the discussion about its legality intensified after the lawsuit was announced. At the start of 2019, the use of SyRI in two Rotterdam neighbourhoods led to protests among inhabitants and a discussion in the municipal council. Soon after, the mayor of Rotterdam, Ahmed Aboutaleb, pulled the plug on the SyRI program because of doubts over its legal basis. In June 2019, Dutch newspaper Volkskrant revealed that SyRI had not detected a single fraudster since its inception. In October 2019, the UN Special Rapporteur on extreme poverty and human rights, Philip Alston, wrote a critical letter to the district court of The Hague expressing serious doubts over the legality of SyRI. Late November 2019, SyRI won a Big Brother Award.

The coalition of parties was represented in court by Anton Ekker (Ekker Advocatuur) and Douwe Linders (SOLV Attorneys). The proceedings were coordinated by the Public Interest Litigation Project (PILP) of the NJCM.

The full ruling of the court can be found HERE (official translation in English).

Fundamental lawsuit against mass risk profiling of unsuspected citizens

On Tuesday October 29 at 9:30 am in the district court of The Hague the court hearing will take place in the main proceedings of a broad coalition of Dutch civil society organizations against Systeem Risico Indicatie (System Risk Indication - SyRI). SyRI uses secret algorithms to screen entire residential areas to profile citizens on the risk of fraud with social services. According to the coalition of plaintiffs, this system poses a threat to the rule of law and SyRI must be declared unlawful.

The group of plaintiffs, consisting of the Dutch Platform for the Protection of Civil Rights, the Netherlands Committee of Jurists for Human Rights (NJCM), the Privacy First Foundation, the KDVP Foundation and the National Client Council (LCR), in March 2018 sued the Dutch Ministry of Social Affairs. Authors Tommy Wieringa and Maxim Februari, who previously spoke very critically about SyRI, joined the proceedings in their personal capacity. In July 2018, Dutch labour union FNV also joined the coalition.

The parties are represented by Anton Ekker (Ekker Advocatuur) and Douwe Linders (SOLV Attorneys). The case is coordinated by the Public Interest Litigation Project (PILP) of the NJCM.

Trawl method on unsuspected citizens

SyRI links the personal data of citizens from various government databases on a large scale. These centrally collected data are subsequently analyzed by secret algorithms. This should show whether citizens pose a risk of being guilty of one of the many forms of fraud and violations that the system covers. If the analysis of SyRI leads to a risk notification, then the citizen in question will be included in the so-called Risk Notices Register (Register Risicomeldingen), which can be accessed by government authorities.

SyRI uses this trawl method to screen all residents of a neighborhood or area. For this, the system uses almost all data that government authorities store about citizens. It comprises 17 data categories, which together provide a very intrusive picture of someone's private life. SyRI currently covers the databases of the Dutch Tax Authorities, Inspectorate of Social Affairs, Employment Office, Social Security Bank, municipalities and the Immigration Service. According to the Dutch Council of State (Raad van State), which gave a negative opinion on the SyRI bill, it was hard to imagine any data that did not fall within the scope of the system. Former chairman Kohnstamm of the Dutch Data Protection Authority, which also issued a negative opinion on the system, called the adoption of the SyRI legislation "dramatic" at the time.

Threat to the rule of law

According to the claimants, SyRI is a black box with major risks for the democratic rule of law. It is completely unclear to any citizen, who can be screened by SyRI without cause, what data are used for this, which analysis is carried out with it and what makes him or her a 'risk'. Moreover, due to the secret operation of SyRI, citizens are also unable to refute an incorrect risk indication. The use of SyRI makes the legal process and the associated procedures intransparent.

SyRI thereby undermines the relationship of trust between the government and its citizens; these citizens are in fact suspected in advance. Virtually all information that they share with the government, often to be eligible for basic services, can be used against them secretly without any suspicion.

The plaintiffs in this lawsuit are not opposed to the government combating fraud. They just think that this should be done on the basis of a concrete suspicion. There should be no trawl searches in the private life of unsuspected Dutch citizens to look for possible fraud risks. According to the claimants, this disproportionate method does more harm than good. There are better and less radical forms of fraud prevention than SyRI.

Not one fraudster detected yet

The total of five SyRI investigations that have been announced since the system's legal introduction have by now turned tens of thousands of citizens inside out, but have not yet detected one fraudster. This was revealed at the end of June 2019 by Dutch newspaper Volkskrant, which managed to get hold of evaluations of SyRI investigations. The investigations failed because the analyses were incorrect, due to lack of capacity and time at the implementing bodies, but also because there is disagreement within the government about SyRI.

For example, mayor Aboutaleb of Rotterdam pulled the plug from the SyRI investigation in two neighborhoods in Rotterdam South last summer, because the Ministry, unlike the municipality, also wanted to use police and healthcare data in the investigation. The deployment of SyRI also led to protest among the neighborhood's residents, who clearly showed that they felt insulted and unfairly treated.

UN expresses concern about SyRI

The UN Special Rapporteur on extreme poverty and human rights Philip Alston wrote to the court earlier this month about his concerns about SyRI and urged the judges to thoroughly assess the case. According to the rapporteur, several fundamental rights are at stake. SyRI is described in his letter as a digital equivalent of a social detective who visits every household in an area without permission and searches for fraudulent cases; in the analogue world such a massive manhunt would immediately lead to great resistance, but with a digital instrument such as SyRI, it is wrongly claimed that 'ignorance is bliss'.

Practical information

The court hearing is open to the public and will take place on Tuesday October 29th from 9.30 am in the Palace of Justice, Prins Clauslaan 60 in The Hague. Case number: C/09/550982 HA ZA 18/388 (Nederlands Juristen Comité c.s./Staat).

Source: campaign website Bijvoorbaatverdacht.nl.

A group of civil society organizations is bringing a case against the Dutch government because of System Risk Indication, better known by the abbreviation SyRI. According to the plaintiffs, this risk profiling system is a black box that should be stopped as it forms a risk to the democratic rule of law.

The coalition of plaintiffs consists of the Netherlands Committee of Jurists for Human Rights (NJCM), the Dutch Platform for the Protection of Civil Rights (Platform Bescherming Burgerrechten), Privacy First, the KDVP Foundation (privacy in mental healthcare) and the National Clients Council (LCR). Two well-known authors, Tommy Wieringa and Maxim Februari, have in their individual capacities joined the case as plaintiffs. As ‘ambassadors’ to this lawsuit, they have fiercely criticized SyRI on multiple occasions.

The proceedings are carried out by Deikwijs Attorneys under the guidance of the Public Interest Litigation Project (PILP) of the NJCM.

Trawl net actions on the basis of secret algorithms targeting innocent citizens

SyRI links together on a large scale personal data of innocent citizens from databases of public authorities and companies. With the use of secret algorithms, citizens are subsequently subjected to a risk analysis. When there is an increased risk of breaking one of the many laws that SyRI covers, individuals are included in the Risk Reports Register, which is accessible to many government agencies.

SyRI is a black box that poses a major threat to the democratic rule of law. Citizens who are being examined through SyRI without any justification, have absolutely no idea which of their data are being used for analyses, what kind of analyses are being carried out and what actually determines whether or not they are a ‘risk’. Because SyRI works surreptitiously, citizens are not in a position to refute any incorrect flagging that may concern them.

According to the coalition, SyRI is in breach of various fundamental rights while it simultaneously undermines the relationship of trust between citizens and those in power. Citizens are suspect from the very start and all of the information that they share with public authorities, may secretly be used against them without imputation or concrete ground.

Ministry refuses to operate in a transparent manner

Despite fundamental objections from the Dutch Council of State (Raad van State) and the Dutch Data Protection Authority about the lawfulness of the system, at the end of 2014 the legislation for SyRI was rubber-stamped by the Dutch Senate and the House of Representatives. However, SyRI has been in use ever since 2008 already. Since then, dozens of investigations have been carried out and this included examining entire neighborhoods in several Dutch cities. Once the system was specified in law, it has been applied in Eindhoven and Capelle aan den IJssel among other places. It was recently announced that SyRI will be used in the Rotterdam neighborhoods of Bloemhof en Hillesluis and in the Haarlem neighborhood of Schalkwijk.

A FOIA request submitted by the coalition has resulted in barely any information concerning the dozens of SyRI investigations that have been carried out prior to and after the system had been laid down in law in 2014. The Dutch Ministry of Social Affairs is unwilling to provide insight into its practices arguing that, by disclosing the data and risk models that are used in SyRI, cunning citizens would become aware what to look out for when they commit fraud. The claimants, in their turn, assert that this is not in line with the obligation to inform and the right to a fair trial.

More information

In the context of this lawsuit, a public information campaign called ‘Bij Voorbaat Verdacht’ (‘Suspect From The Very Start’) has been launched. On the (Dutch) campaign website you can find updates about the legal proceedings as well as a simplified summary of the subpoena. The complete subpoena (in Dutch) can be found on the website of Deikwijs Attorneys (pdf). Click HERE for the English version on the website of PILP (pdf).

Update 16 October 2018: the District Court of The Hague has allowed the Dutch Federation of Trade Unions (FNV) as co-plaintiff in the lawsuit.

As of 2 October 2012, the new Dutch National Human Rights Institute (College voor de Rechten van de Mens, CRM) will open its doors. Recently the Institute under formation established the essential pillars of its policy for the coming years, namely 1) care for the elderly, 2) immigrants and 3) discrimination on the labor market. However, of all human rights, in recent years the right to privacy is worst off in the Netherlands. Contrary to the above mentioned pillars (that concern vulnerable groups of people), the right to privacy appertains to anyone who finds him or herself on Dutch soil. In essence this has turned the entire Dutch population into a vulnerable group, especially in comparison to the situation in other countries where the protection of privacy is much better regulated. A few years ago the right to privacy was even about to become a complete illusion in the Netherlands. In May 2009 this state of affairs led to the foundation of the Dutch Platform for the Protection of Civil Rights (Platform Bescherming Burgerrechten) in which various non-governmental organisations (NGOs) have joined forces. This week the Platform sent the below appeal (co-authored and signed by Privacy First) to the chairman of the future National Human Rights Institute, Laurien Koster:

Dear Ms. Koster,

Today, of all human rights, the right to privacy finds itself under the most pressure. Therefore, it is with concern that the Platform for the Protection of Civil Rights recently took note of the three essential pillars of the National Human Rights Institute for the coming years, namely 1) care for the elderly, 2) immigrants and 3) discrimination on the labor market. Not willing to take anything away from the social importance of these three pillars, in this letter we ask you to still consider adopting privacy as one of the pillars of your Institute.  

In recent years, there seems to be the tendency in the Netherlands to confront every social problem with a standard formula, that is say, more digital registration, more linkage of files, opening up systems and central databases that become accessible to ever more officials and third parties, restriction of professional autonomy, preventive controls and profiling. It seems as if people, especially politicians, influenced as they are by the media and the vox populi – which in turn is affected by the media – think that these instruments exert a certain control over society that should lead to more order, tranquillity and security. In our opinion the opposite effect is increasingly the case. After all, digitalization implies that the quantity of data that is stored of every citizen becomes ever greater and less clear and less controllable. This especially applies to data that have been inserted or linked up erroneously or that are obsolete. The exponential growth of digital registrations sees a dramatic increase in risks of data leakages while new forms of identity fraud and identity theft arise. This means that the insecurity of digital systems becomes a direct threat to citizens. Furthermore, there’s a risk that citizens become their own digital ‘doubles’ through digital profiling. This implies that the autonomy of the free citizen who participates in society – a characteristic so very important in a democratic constitutional State – is seriously put at stake.

Going back to a society without the Internet or digital files is by no means what we advocate for (if it were possible anyway). However, a sensible use of technological means, among which data storage, biometrics and other such technological assets, will be necessary to retain our democratic constitutional State and affiliated fundamental rights. Particularly in these times of unforeseen technological possibilities we should once more realize how important the fundamental principles of our society are. Therefore, it should every time be assessed what is within the boundaries of acceptability and to what extent possible alternatives on a human scale, such as personal contact but also assistance and service, are desirable or necessary.    

Privacy constitutes the basis of our democratic constitutional State. Without privacy many other human rights are at issue, among which are the right to confidential communication and freedom of speech, non-discrimination, freedom of movement, association and assembly, demonstration, culture and religion, press freedom as well as the right to a fair trial. Apart from that we observe that in the Netherlands the right to privacy can only rely on patchy protection by government supervision, that is to say, it only concerns the protection of personal data. As far as the protection of personal privacy in the broadest sense of the word is concerned (and this includes the inviolability of the home and the right to physical integrity) there is hardly any government supervision. Moreover, with regard to the realization and compliance to as well as the protection and promotion of the right to privacy in conjunction with other human rights, government supervision is lacking altogether. It is especially in these areas that your Institute has added value and can help overcome the ‘human rights gap’ that has come into existence in the Netherlands in recent decades.

We hope that your Institute will still make the right to privacy one of its policy pillars. If you wish, the organizations that together form the Platform for the Protection of Civil Rights are happy to supply you with information and advice.

On behalf of the participants of the Platform for the Protection of Civil Rights I remain respectfully yours.

Sincerely,

Vincent Böhre
chairman of the Platform for the Protection of Civil Rights

On behalf of the Platform participants:
Humanistisch Verbond (Humanist Association)
Stichting KDVP (KDVP Foundation; Dome of DBC Free Practices)
Stichting Meldpunt Misbruik ID-plicht (Contact Point on Abuse of Mandatory Identification)
Ouders Online (Parents Online)
Stichting Privacy First (Privacy First Foundation)
Burgerrechtenvereniging Vrijbit (Civil rights society Vrijbit)
Jacques Barth (on behalf of Stichting Brein en Hart i.o. (Brain and Heart Foundation under formation)
Joyce Hes (advisor to the Platform for the Protection of Civil Rights)
Kaspar Mengelberg (on behalf of DeVrijePsych (The Free Psychiatrist))

A pdf version of this letter can be found HERE (in Dutch)

Update: in a written reply (pdf) the Institute under formation notifies that in the Netherlands there is indeed ‘‘still a lot to be done to safeguard the right to privacy’’. The Institute also acknowledges the limited mandate of the Dutch Data Protection Authority (College Bescherming Persoonsgegevens). However, for the time being the Institute sticks to its intended strategic agenda. Nevertheless, in the future (also the coming three years) the Institute ‘‘can’t and won’t distance itself from problems when realizing the right to privacy’’. Privacy First will be eager to remind the Institute of this in urgent cases.