Financial Privacy & PSD2

"A judge in the Netherlands has struck down a Dutch law that forces local telcos to store customer internet and phone metadata.

The law is similar to legislation being proposed by the Abbott government.

The ruling by a judge in The Hague on Wednesday followed a similar decision in April by the European Union's top court that wiped out EU data collection legislation it deemed too broad and offering too few privacy safeguards.

The judge said that while the metadata retention law helped solve crimes, it also breached the privacy of telephone and internet users.

The Dutch Justice and Security Ministry said it was considering an appeal.

Under the Dutch law, telephone companies were required to store information about all fixed and mobile phone calls for a year. Internet providers had to store information on their clients' internet use for six months.

The written judgment by Judge G. P. van Ham conceded that scrapping the data storage "could have far-reaching consequences for investigating and prosecuting crimes" but added that this could not justify the privacy breaches the law entails.

The judge did not set a deadline for disposing of the data.

The ruling follows Australian Communications Minister Malcolm Turnbull telling the bosses of news organisations concerned about journalists' sources being exposed that Australia's data retention bill was being overblown as an issue.

The government wants the bill legislated by the end of this month.

The minister, who began meeting the bosses this week, said his message to them was that law enforcement and security authorities already had access to metadata and there were no exemptions for journalists.

"The only thing the data retention law is requiring is that types of metadata which are currently retained will be retained in the future for at least two years," Mr Turnbull told ABC Radio on Wednesday.

"This whole metadata retention issue has been overblown by a lot of people; the changes are not as substantial as people make out."

The Dutch ruling also comes as Prime Minister Tony Abbott's office began offering briefings to media organisations with Australian Federal Police officials in an attempt to calm their concerns. The briefings are being arranged for several of Australia's most prominent media bosses before they front an inquiry examining the protection of journalists' sources on March 20, where they are expected to oppose Australia's data retention laws on the basis that they will result in journalists' sources being exposed in leak investigations.

The media bosses' concerns follow Britain rushing through guidelines for access to journalists' metadata after it was revealed that more than 600 applications in a three-year period were made for journalists' metadata by 19 different law enforcement agencies.

The Australian Federal Police has repeatedly refused to provide Fairfax Media with similar figures in Australia and recently refused to divulge the figure under freedom of information laws to another publication.

In the 2013-14 financial year, there were more than 500,000 disclosures of metadata to various agencies, including Centrelink, the Tax Office, Australia Post and traditional policing agencies.

Critics have described the Australian proposal as unnecessary, not proportionate, and a privacy violation.

The Australian journalists' union, the Media, Entertainment and Arts Alliance, said it would have a "chilling effect" on reporting.

But Mr Turnbull said the two-year retention period was vital for investigating crime and terrorism.

After the Dutch ruling, Privacy First, one of the organisations that took the Dutch government to court, said the ruling would "bring to an end years of massive privacy breaches" in the Netherlands.

In a written statement, the Dutch Justice and Security Ministry said it regretted the court's decision.

"Providers are no longer required to store data for investigations," the statement said. "The ministry is seriously concerned about the effect this will have on fighting crime.""

Source: http://www.smh.com.au/digital-life/consumer-security/dutch-do-a-uturn-on-metadata-laws-20150312-141rkl.html, 12 March 2015.

"A Dutch court has scrapped a national data retention law. The judge ruled that, although saving metadata might help solve crimes, it certainly breached the privacy of telephone and Internet users.

A court in the Netherlands struck down a law requiring telecoms and Internet service providers to store their clients' private phone and email data, saying it breached EU privacy rules. The decision took effect immediately on Wednesday, but officials announced that the Security and Justice Ministry could appeal.

"The judge ruled that data retention is necessary and effective to combat serious crime," according to the district court in The Hague. "Dutch legislation, however, infringes on the individual's right to privacy and the protection of personal data." The court added that "the law therefore contravenes the Charter of Fundamental Rights of the European Union."

The law had previously required telephone companies in the Netherlands to store information about all fixed and mobile calls for a year. Internet providers had to store information on their clients' use for six months.

In April 2014, the European Court of Justice struck down a 2006 EU law forcing telecoms to store electronic metadata - the time, date, duration and destination of communiques, but not the content - for up to two years. The practice was ruled to be invasive, despite the claimed anti-terror potential. Advocate General Pedro Cruz Villalon had declared the 2006 legislation illegal and told the European Union's 28 member states to take the necessary steps to withdraw it.

'Far-reaching crime'

The written ruling by Gerard van Ham conceded that scrapping the data storage "could have far-reaching consequences for investigating and prosecuting crimes," but, the judge added, this could not justify the privacy breaches that the law entails. The judge did not set a deadline for disposing of the data.

According to Privacy First, one of seven organizations that took the government to court last month, the ruling "will bring to an end years of massive privacy breaches." The Dutch Association of Journalists was also a party to the suit.

After last year's ruling in the EU court, the government had announced that it would amend its law. However, in a written statement released on Wednesday, officials from the Security and Justice Ministry criticized the court's decision.

"Providers are no longer required to store data for investigations," the officials complained in the statement. "The ministry is seriously concerned about the effect this will have on fighting crime."

The extent to which governments and corporations monitor private individuals has risen to the forefront in the wake of a series of documents released since 2013 by the American intelligence whistleblower Edward Snowden. According to the latest report, New Zealand has monitored neighbors in the Asia-Pacific region. A new anti-terror law in China requires that foreign corporations allow the government to access their data.

The Wikimedia Foundation has sued the US National Secutiry Agency over its mass surveillance of private individuals. And consumer advocates have lashed out at large corporations that harvest personal data for commercial purposes."

Source: http://www.dw.de/in-hague-court-rules-for-dutch-tech-privacy-advocates/a-18308553, 11 March 2015.

"A judge scrapped the Netherlands' data retention law Wednesday, saying that while it helps solve crimes it also breaches the privacy of telephone and Internet users.

The ruling by a judge in The Hague followed a similar decision in April by the European Union's top court that wiped out EU data collection legislation it deemed too broad and offering too few privacy safeguards.

The Security and Justice Ministry said it was considering an appeal.

Under the Dutch law, telephone companies were required to store information about all fixed and mobile phone calls for a year. Internet providers had to store information on their clients' Internet use for six months.

The written judgment by Judge G.P. van Ham conceded that scrapping the data storage "could have far-reaching consequences for investigating and prosecuting crimes" but added that this could not justify the privacy breaches the law entails.

The judge did not set a deadline for disposing of the data.

Privacy First, one of the organizations that took the government to court, said the ruling "will bring to an end years of massive privacy breaches" in the Netherlands.

The government said after last year's European court ruling that it would amend its law.

In a written statement, the Security and Justice Ministry said it regretted the court's decision.

"Providers are no longer required to store data for investigations," the statement said. "The ministry is seriously concerned about the effect this will have on fighting crime.""

Source: http://abcnews.go.com/Technology/wireStory/court-scraps-dutch-data-retention-law-cites-privacy-29551938, 12 March 2015.

"Judge in The Hague says country's regime for retaining telephone and internet users helps to solve crime but is too intrusive.

A judge has scrapped the Netherlands' data retention law, saying that while it helps solve crime it also breaches the privacy of telephone and Internet users.

The ruling by a judge in The Hague followed a similar decision in April by the European Union's top court that wiped out EU data collection legislation it deemed too broad and offering too few privacy safeguards.

The Dutch security and justice ministry said it was considering an appeal.

Under the Dutch law telephone companies were required to store information about all fixed and mobile phone calls for a year. Internet providers had to store information on their clients' internet use for six months.

The written judgment by Judge GP van Ham conceded that scrapping the data storage "could have far-reaching consequences for investigating and prosecuting crimes" but added that this could not justify the privacy breaches the law entailed.

The judge did not set a deadline for disposing of the data.

Privacy First, one of the organisations that took the government to court, said the ruling "will bring to an end years of massive privacy breaches" in the Netherlands.

The Dutch government said after last year's European court ruling that it would amend its law. In a written statement the security and justice ministry said it regretted the court's decision.

"Providers are no longer required to store data for investigations," the statement said. "The ministry is seriously concerned about the effect this will have on fighting crime."

Data retention has been a heated issue in light of Edward Snowden's revelations about the activities of the National Security Agency in the US and its affiliates overseas.

In Australia, a key US intelligence ally, the government is currently considering its own data retention package, which would store certain types of Australians' phone and web data for two years.

Privacy concerns have been raised and a lengthy political debate has ensued amid confusion within the government itself over how far the laws would extend or what would be retained. But the bill is now closer to passing with the support of a parliamentary committee involving both major parties.

The government in Canberra has agreed to hold a separate hearing into the issues of law enforcement agencies access to journalists' metadata, and news outlets will appear before a parliamentary hearing on 20 March."

Source: http://www.theguardian.com/technology/2015/mar/12/data-retention-netherlands-court-strikes-down-law-as-breach-of-privacy, 12 March 2015.

"The Dutch data retention law requiring telecommunications operators and ISPs to store customer metadata for police investigations was scrapped by the District Court of the Hague on Wednesday.

The court found that the law violates fundamental European Union privacy rights. The question remains though whether the law should be inactivated indefinitely, as the case can be appealed by the Dutch state, a court spokesman said. However, pending the outcome of any possible legal procedures the law will remain inactive, he said.

The Dutch Ministry of Security and Justice declined to comment as it was still studying the verdict.

The law suspended by the court was based on the EU's Data Retention Directive, which was invalidated by the Court of Justice of the EU (CJEU) last year, also because it violated fundamental privacy rights.

Despite that ruling though, the Dutch government decided in November last year to largely maintain its national data retention law on the grounds that it "is indispensable for the investigation and prosecution of serious criminal offenses." Only a few adjustments were made, which mainly tightened who had access to what data and under what circumstances.

Not satisfied with that approach, a broad coalition of organizations, including Privacy First, the Dutch Association of Criminal Defense Lawyers, the Dutch Association of Journalists, the Dutch Section of the International Commission of Jurists, ISP BIT and telecom companies VOYS and SpeakUp, sued the government in January to get the law invalidated.

The court, ruling in their favor, criticized the overly broad scope of the law in its verdict.

Data retention rules were introduced after terror attacks in London and Madrid in 2004 and 2005 with the aim of fighting serious crime. However, the Dutch law also allowed law enforcement to retrieve data in the case of a bicycle theft, the court noted. And while the government promised not to use the law lightly, the fact remains that the opportunity to do so exists and there are no safeguards to effectively restrict access to information to what is strictly necessary for the fight against only serious crime, the court found.

What's more, under the scrapped law, access to data is not subject to a prior review by a court or independent administrative authority, the court said. Thus, the law violates articles 7 and 8 of the Charter of Fundamental Rights of the EU, which cover the right to a private life and the protection of personal data.

While the inactivation of the law may have profound implications for the investigation and prosecution of criminal offenses, that does not justify the persistence of the infringement, the court said.

The verdict probably means that ISPs and telecom companies can now stop retaining data, but when or whether they will do so is unclear. BIT did not immediately respond to a request for comment. A spokesman for Dutch ISP XS4ALL said the company can probably stop retaining data and delete existing records but wants the legal department to make absolutely sure it can before it will do so.

The Netherlands is not the only country where a law based on the EU Data Retention Directive was invalidated. A similar law was axed by the Constitutional Court of Austria in the wake of the CJEU ruling, for example, while Germany's data retention law was ruled unconstitutional long before the CJEU ruling.

In Sweden, meanwhile, the government maintains that the national data retention law can still be applied. And in the U.K., a new data retention law was rushed through by the U.K. government in December, replacing the one that was based on the EU directive. That new law will be reviewed by the country's High Court though to determine if it violates human rights."

Source: http://www.pcworld.com/article/2895356/dutch-court-scraps-telecommunications-data-retention-law.html, 11 March 2015.

Today the district court of The Hague has rendered the Dutch Data Retention Act inoperative in a break-through verdict. The judge did so at the request of the Privacy First Foundation and six other organizations. This puts an end to a massive privacy violation that lasted for years: retaining the telecommunications data of everyone in the Netherlands for criminal investigation purposes, which made every Dutch citizen a potential suspect.

Broad coalition of civil society organizations

Under the 2009 Dutch Data Retention Act, the telecommunications data (telephony and internet traffic) of everyone in the Netherlands had to be retained, for 12 months and 6 months respectively, for criminal investigation purposes. In interim injunction proceedings against the Dutch government, a broad coalition of civil society organizations demanded the Act to be rendered inoperative as it violated the right to privacy. The claimant organizations were the Privacy First Foundation, the Dutch Association of Defence Counsel (NVSA), the Dutch Association of Journalists (NVJ), the Netherlands Committee of Jurists for Human Rights (NJCM), Internet provider BIT and telecommunications providers VOYS and SpeakUp. The case was conducted by Boekx Attorneys (Amsterdam).

Stubborn minister

According to the claimant parties, the Dutch Data Retention Act constituted a violation of fundamental rights that protect privacy, communications and personal data. This was also the view of the European Court of Justice in April last year, followed by the Dutch Council of State (Raad van State), the Dutch Data Protection Authority (College Bescherming Persoonsgegevens) and the Dutch Senate (Eerste Kamer). However, former Dutch minister of Security and Justice, Ivo Opstelten, refused to withdraw the Act. Opstelten wanted to uphold the Act until a legislative change was implemented, which could have taken years. The district court in The Hague has now made short shrift of the Act by repealing it immediately.

Data retention is unlawful

On 8 April 2014, the European Court of Justice declared the EU Data Retention Directive entirely and retroactively unlawful. The Dutch Data Retention Act was almost identical to this invalid directive. According to the European Court, retaining the telecommunications data of everyone, without any well-founded suspicion, is in breach of the fundamental right to privacy. Randomly and unrestrictedly collecting 'metadata' in the context of mass surveillance is not permitted, according to the Court.

Important precedent

Privacy First is committed to maintaining and strengthening everyone's right to privacy, if necessary by filing lawsuits against the Dutch government. The Dutch Data Retention Act was an excellent cause for doing so, says Vincent Böhre of Privacy First: "This mass surveillance constituted a massive violation of the right to privacy of every Dutch citizen. It was unacceptable that minister Opstelten clinged to this practice after the highest European court had already clearly stated back in April that this privacy violation was not permitted. Privacy First works to promote a society in which innocent citizens are not burdened by the idea of constantly being watched. The judgment of the court in The Hague is an important step in that direction."

Privacy First expects Dutch telecommunications providers to comply with the judgment and stop retaining everyone's telecommunications data for criminal investigation purposes. In case the Dutch government decides to appeal the judgment, then Privacy First is confident about the outcome of proceedings before the Hague Court of Appeal.

The original judgment in Dutch can be found HERE. Click HERE (pdf) for an unofficial English translation on the website of the Interdisciplinary Internet Institute.

"The first hearing of the appeal against the Dutch data retention legislation will be heard 18 February, announced ISP BIT, one of the organisations bringing the suit. BIT as well as a number of NGOs claim the legislation is in violation of personal privacy rights. The lawsuit was filed in December in cooperation with Privacy First, the Dutch association of defense lawyers, the Dutch journalists union, the Dutch committee of lawyers for human rights and the telecom operators BIT, Voys and SpeakUp. The Amsterdam law fim Boekx Advocaten is handling the case."

Source: http://www.telecompaper.com/news/dutch-data-retention-appeal-hearing-scheduled-for-18-feb--1059022, 12 January 2015.

"The Dutch data retention law will have its day in court on Feb. 18, when the District Court of the Hague hears a legal challenge to it filed by a broad coalition of organizations.

The law requires telecommunications and Internet companies to retain their customer's location and traffic metadata for six to 12 months, depending on the type of data, for investigatory purposes.

However, the complainants want the court to invalidate the law because it violates fundamental privacy rights, said their law firm Boekx Advocaten. The main reason the law should be scrapped, they say, is a ruling from the Court of Justice of the European Union (CJEU) last year, which invalidated the EU's Data Retention Directive on which the Dutch law is based because it violates fundamental privacy rights.

After evaluating that ruling, though, the Dutch government decided in November largely to maintain the national data retention law on the grounds that it "is indispensable for the investigation and prosecution of serious criminal offenses." Only a few adjustments to the law were deemed necessary, mainly tightening who has access to the data and under which circumstances.

By maintaining the law, the government also ignored the advice given by the Council of State, a constitutional advisory body that concluded that the Dutch data retention law should be withdrawn because it violates fundamental privacy laws.

The challenge, filed by civil rights organization Privacy First, the Dutch Association of Criminal Defense Lawyers, the Dutch Association of Journalists, the Dutch Section of the International Commission of Jurists, ISP BIT and telecom companies VOYS and SpeakUp, aims to get the law invalidated as soon as possible.

Data retention laws in other EU countries have been ruled unconstitutional. The Constitutional Court of Austria for instance axed the local data retention law in the wake of the CJEU ruling, and in Germany the local data retention law was already ruled unconstitutional in 2010, long before the CJEU ruling.

In Sweden though things are much the same as in the Netherlands. There, the government maintains that the Swedish national legislation can still be applied, causing trouble for Swedish ISP Bahnhof, which had stopped retaining and deleted data after being given permission by the Swedish Post and Telecom Authority (PTS) to do so in wake of the CJEU ruling.

However, Bahnhof was told to start retaining data again later last year. To protect its customers, the ISP has set up a free VPN (virtual private network) service to hide their communication metadata from the police. It also asked to the European Commission to intervene and vowed to fight the law in court.

Meanwhile, the European Parliament's Legal Service also reached a conclusion about the CJEU ruling. It means that EU countries no longer have any obligation but rather an option to keep retaining data, it said in its analysis of the implications of the judgement that was leaked by digital rights group Access Now last week.

As a result of the CJEU ruling, countries run an even higher risk than before of having their national legislation annulled by national courts in a similar way to what has happened in some EU countries, the Legal Service said. (...)"

Source: http://www.pcworld.com/article/2867792/dutch-government-sued-over-data-retention-law.html, 12 January 2015.

Privacy constitutes the basis of our democratic constitutional State. However, of all human rights in the Netherlands, the right to privacy finds itself under the most pressure. This observation was the reason for Privacy First to be founded in March 2009. Ever since, retaining and reinforcing everyone's right to privacy is what the Privacy First Foundation has been striving for on a daily basis. Partly due to the efforts of Privacy First, in recent years large scale privacy violations have either been brought to a halt or have been prevented, privacy awareness in Dutch society has increased and ever more privacy friendly initiatives see the light of day. Think of the discontinuation of the central storage of fingerprints under the Dutch Passport Act, the introduction of Dutch ID cards without fingerprints, compulsory Privacy Impact Assessments and 'privacy by design' as part of new Dutch legislation. In 2013 this positive turn-around continued. However, there have been less positive developments as well. We are keen to elucidate this for you in our annual report 2013.

A broad coalition of organizations and companies is starting interim injunction proceedings against the Dutch government. The Privacy First Foundation, internet provider BIT, the Dutch Association of Journalists and the Dutch Association of Defence Counsel among others are demanding the abolition of the Dutch Telecommunications Data Retention Act. The Dutch Council of State and the European Court of Justice have already ruled that the Act is in violation of fundamental rights that protect private life, communications and personal data. However, the Dutch government refuses to render the Telecommunications Data Retention Act inoperative.

On 8 April 2014 the European Court of Justice declared the European Data Retention Directive (2006/24/EC) invalid with retroactive effect. According to the Court, retaining communications data of everyone without any concrete suspicion is in violation of the fundamental right to privacy. Objective criteria should be applied to determine the necessity of collection and retention of data and there should be prior control from an independent body or judge. Randomly and unrestrictedly collecting metadata (traffic data) in the context of 'mass surveillance' is not permitted, according to the Court.

In the Netherlands, regulations in this area are enshrined in the Dutch Telecommunications Data Retention Act, which largely mirrors the European Data Retention Directive. The Act provides that telecommunications companies and internet providers have to retain various data regarding internet and telephone usage for at least six and at most twelve months in order for judicial authorities to be able to use those data for criminal investigation purposes. Recently the Dutch Council of State ('Raad van State') judged that the Act does not comply with fundamental rights that protect private life, communications and personal data. However, the Dutch government does not heed the advice of the Council of State and refuses to repeal the Act. Compliance with the Act will be maintained by the government.

Vincent Böhre of Privacy First: "Mass surveillance constitutes a massive violation of citizens' privacy rights. It is unacceptable that the Dutch government clings to this practice after the highest European judge has already clearly stated back in April that this privacy violation is not permitted."

Thomas Bruning, Secretary of the Dutch Association of Journalists: "Telecommunications companies and internet providers are now obliged to retain a vast amount of communications data of all citizens. This includes journalists. Companies have to disclose these data at the request of the government. There is no guarantee whatsoever for the journalistic right of non-disclosure."

"The Dutch regulations are in breach of the applicable European fundamental rights", states Fulco Blokhuis, partner at Boekx Attorneys, who has meanwhile drafted a subpoena. "This situation is as disconcerting as it is undesirable. Maintaining this Act is unlawful, both towards citizens as well as companies who are forced to stay in possession of traffic data."

Alex Bik of internet provider BIT: "When the Dutch government introduced the Act, it hid behind the argument that the introduction was simply imposed upon by Europe, but since the European Data Retention Directive has been repealed with retroactive effect, this argument all of a sudden is no longer deemed valid by the government. That is not right."

Otto Volgenant of Boekx Attorneys: "As the Dutch Minister of Security and Justice, Ivo Opstelten, is unwilling to abolish the Telecommunications Data Retention Act, we will request the court to either render the Act inoperative or to prohibit its application any longer. We will shortly be issuing interim injunction proceedings."

Update 12 January 2015: the interim injunction proceedings against the Dutch government pertaining to the retention of telecommunications data will take place before the district court of The Hague in a public hearing on Wednesday 18 February 2015 at 11:00 hours. Meanwhile, the renowned Netherlands Committee of Jurists for Human Rights (NJCM) has joined the coalition of claimant organizations. Click HERE (pdf, in Dutch) for the subpoena, click HERE for a press release from Boekx Attorneys (in Dutch) and HERE for an article (in Dutch) which appeared on the website of Dutch newspaper Telegraaf this morning.

Update 30 January 2015: yesterday a hearing (roundtable) about the Dutch Data Retention Act took place in the Dutch House of Representatives. Click HERE for a schedule of the hearing (pdf) and HERE (pdf, in Dutch) for the talking points that Privacy First sent to the House of Representatives prior to the hearing (pdf). The lack of necessity and proportionality of the current Data Retention Act were the main topics that were discussed by Privacy First during the roundtable. Other aspects that were raised by Privacy First related to the chilling effect in society as well as the potential for function creep that the Act brings about.

Update 13 February 2015: today, on behalf of the State, the Dutch State Attorney submitted a Statement of Defence; click HERE (pdf in Dutch, 9 MB). The admissibility of the claimant organizations will not be challenged by the Dutch government, the State Attorney told our own attorneys by telephone. Therefore the proceedings will immediately focus on the merits of the case, rather than on procedural requirements. This is a breakthrough development: in similar cases the admissibility of the claimant parties was almost always contested by the State. A crucial lawsuit concerning such admissibility (our Passport Trial against the storage of fingerprints) is currently being conducted by Privacy First against the Dutch government before the Supreme Court of the Netherlands. Privacy First is of the opinion that the recognition of admissibility by the State Attorney in the interim injunction proceedings against the Telecommunications Data Retention Act puts Privacy First in a stronger position for this and future lawsuits that revolve around the right to privacy. Moreover, in times when access to justice of individual citizens in the Netherlands is increasingly under financial pressure, the admissibility of civil society organizations such as Privacy First forms an important safeguard for a well functioning Dutch democracy under the rule of law.

Update 18 February 2015: in front of a full courtroom (many civil servants, citizens, students and journalists were in attendance), today Privacy First et al. crossed swords with the State; click HERE for the plea of our attorneys (pdf in Dutch) and HERE for the pleadings of the State Attorney (pdf, in Dutch). The judge listened carefully but didn't ask any questions. As yet, Wednesday 11 March 2015 has been determined as the date of the judgment.

Update 11 March 2015: in a break-through verdict today, the district court of The Hague has rendered the Dutch Data Retention Act inoperative; click HERE.