The Dutch Ministry of the Interior is currently conducting an assessment of the fundamental rights situation in the Netherlands. Later this year this will probably result in a report called ‘De Staat van de Grondrechten’ (‘The State of Fundamental Rights’) and an accessory entitled ‘Nationaal Actieplan Mensenrechten’ (‘National Human Rights Action Plan’). In this context the Ministry recently requested input from several NGOs, among which Privacy First. Below is our advice:
Top 7 of issues that deserve a place in the State of Fundamental Rights and the National Human Rights Action Plan:
1. Active adherence to as well as protection, fulfilment and promotion of the right to privacy
Clarification: privacy is both a Dutch constitutional right as well as a universal human right. As with all human rights, the Dutch government accordingly has the obligation to 1) respect, 2) protect, 3) fulfil and 4) promote the right to privacy through proper legislation and policy. However, since '9/11' there have almost solely been made restrictions to the right to privacy, instead of enhancements of it. This constitutes a violation of the above-mentioned general duty to actively fulfil the right to privacy. The same goes for related rights and principles such as the presumption of innocence and the ban on self-incrimination (nemo tenetur).
2. Constitutional review
Clarification: the Netherlands is only familiar with constitutional ‘‘review’’ by civil servants and members of the Dutch House of Representatives when it comes to the development of new legislation. Unfortunately there is no Dutch Constitutional Court and, oddly enough, constitutional review of formal legislation by the judiciary is outlawed in the Netherlands. It is partly on account of this that the Dutch Constitution has become a dead letter over the last decades. It is therefore recommended to create a Constitutional Court as soon as possible and to abrogate the ban on constitutional review.
3. Collective legal means
Clarification: owing to a development of legal restrictions within the case law of the Dutch Supreme Court, over the last decades it has become increasingly difficult for foundations and associations to legally defend the social interests they advocate for through the collective right to action (Article 3:305a Dutch Civil Code and Article 1:2 paragraph 3 Dutch General Administrative Law Act, both links are in Dutch). Because of this the effective and efficient functioning of the Dutch constitutional State and legal economy have come under severe pressure. It is therefore recommended for the government to actively respect, protect and fulfil the collective right to action. For instance by no longer instructing the State attorney to plea for the inadmissability of foundations and associations in relevant lawsuits. Moreover, the ban on direct appeal against generally binding regulations (Article 8:3 Dutch General Administrative Law Act, in Dutch) is to be abrogated.
4. Voluntary instead of compulsory biometrics
Clarification: the premise in a healthy democracy under the Rule of Law should be that citizens may never be obliged to cede their unique physical characteristics (biometric personal data) to the government or the business sector. After all, this constitutes a violation of the right to privacy and physical integrity. Moreover, within companies, service providers, employers, etc. this leads to unfair trading practices. With the planned introduction of an ID card without fingerprints, in this area the Dutch government is taking a first step in the right direction. In line with this, we advise the Dutch government to plea at the European level for a passport with voluntary instead of compulsory taking of fingerprints.
5. Anonimity in public space
Clarification: the right to be able to travel anonymously and not to be spied upon has become increasingly illusory in recent years, especially through technological developments such as public transport chip cards, camera surveillance, cell phone tracking, etc. Both the government as well as the business sector are obliged to actively reinstate, protect and fulfil the right to privacy in terms of anonymity in public space through the introduction of public transport chip cards that are truly anonymous (privacy by design), the abrogation of camera surveillance unless strictly necessary, the development of privacy-friendly mobile telephony and apps, etc. For all the legislation and policies in this field, privacy, individual freedom of choice, necessity, proportionality and subsidiarity are to be leading principles.
6. Privacy by design
Clarification: all privacy-sensitive information technology is to comply with the highest standards of privacy by design. This can be achieved through the use of privacy enhancing technologies (PET), among which are state-of-the-art encryption and compartmentalization instead of centralization and the coupling of ICT. At the European level this is to become a strict legal duty for governments as well as the business sector, with active supervision and enforcement in this area.
7. Privacy education
Clarification: in terms of human rights education the Netherlands is threatening to become a third world country. In the long run this puts the continued existence of our democratic constitutional State at stake. It equally puts the right to privacy in danger. A privacy-friendly future begins with the youth of today. To that end privacy education is to become compulsory in primary, secondary and higher education. The government should play an active role in this.
Earlier this year the Dutch Minister of Justice and Security Ivo Opstelten came up with the miserable plan to authorize the Dutch police force to hack into your computer (both at home and abroad!) and to enable the police to demand that you decrypt your encrypted files in the presence of a policeman and obediently hand them over to the State. In the context of an online consultation (in Dutch), Privacy First notified to the Minister that it has a number of principal objections against his plans:
The Privacy First Foundation hereby advises you to withdraw the legislative proposal ‘enforcement of the fight against cybercrime’ on the basis of the following eleven principal grounds:
- In our view, this legislative proposal forms a typical building block for a police State, not for a democratic constitutional State based on freedom and trust.
- The Netherlands has a general human rights duty to continuously fulfil the right to privacy instead of restricting it. With this legislative proposal the Netherlands violates this general duty.
- This legislative proposal is not strictly necessary (contrary to possibly being ‘useful’ or 'handy') in a democratic society. Therefore the legislative proposal is in breach of Article 8 of the European Convention on Human Rights.
- Moreover, this legislative proposal violates the prohibition of self-incrimination (nemo tenetur se ipsum accusare).
- Function creep is a universal phenomenon. This will also apply to this legislative proposal, which will form the basis for future abuse of power.
- This legislative proposal puts the relationship of trust between the Dutch government and the Dutch people to the test. This will lead to a chilling effect in Dutch society.
- Through this legislative proposal age-old assets such as freedom of the press and the protection of journalistic sources, whistleblowers, freedom of speech, free information gathering, freedom of communication and the right to a fair trial are put under severe pressure. This is detrimental to the dynamics within a free democratic constitutional State.
- This legislative proposal and the accompanying technology will be imported and abused by less democratic governments abroad. Therefore the legislative proposal forms an international precedent for a worldwide Rule of the Jungle instead of the Rule of Law.
- As of yet the legislative proposal lacks a thorough and independent Privacy Impact Assessment.
- This legislative proposal stimulates suboptimal (i.e. crackable by the government, because otherwise illegal?) instead of optimal (‘uncrackable’) ICT security.
- Fighting cybercrime demands multilateral cooperation and coordination instead of unilateral panic-mongering as is the case with this legislative proposal.
The Privacy First Foundation
In the context of a public consultation, the Dutch Ministry of the Interior recently requested Privacy First to react to the current government proposal to revise Article 13 of the Dutch Constitution (right to confidentiality of postal mail, telephone and telegraph). Below are our comments on the current draft of the legislative proposal (click HERE for the original Dutch version in pdf):
Ministry of the Interior and Kingdom Relations
Deputy Director for Constitutional Affairs and Legislation
Mr. W.J. Pedroli, LL.M.
PO Box 20011
2500 EA The Hague
Amsterdam, 29 December 2012
Re: Comments by Privacy First on the revision of Article 13 of the Constitution
Dear Mr. Pedroli,
On October 16th 2012 you requested the Privacy First Foundation to react to the draft legislative proposal to revise Article 13 of our Constitution. Privacy First is grateful for your request and is happy to hereby provide you with critical comments. In the first place, Privacy First fully endorses the desire of this government to modernise the current, archaic Article 13 of the Constitution. However, Privacy First regrets the fact that the government has not seized the opportunity to also renew and reinforce other ‘fundamental rights in the digital age’.
In the view of Privacy First, the first and third paragraphs of the current draft legislative proposal to revise Article 13 of the Constitution form powerful anchors for a future-proof right to confidential communication. The first paragraph rightly upgrades the old confidentiality of postal mail, telephone and telegraph to a technology-independent (or technology-neutral) confidentiality of mail and telecommunication. The third paragraph forms a correct guarantee for the horizontal effect thereof. Moreover, Privacy First endorses the broad interpretation that is being given by the draft Explanatory Memorandum (EM) to various relevant concepts. However, the second paragraph of the draft proposal contains a systematic imbalance which, in times less democratic, could endanger the rule of law in our society. It is precisely this paragraph which most of Privacy First’s criticism is focused upon. Other points of criticism concern compulsory notification towards citizens in the event that special powers have been used by the intelligence and security services, traffic data as well as the lack of a comparative legal section in the EM.
Judicial authorisation and national security
The EM rightly states that "in light of Article 13 (...) the protection of citizens against violations by the government is paramount, especially in light of the actions by the police and intelligence services. Demanding a judicial authorisation under the Constitution provides a strong and clear constitutional guarantee." It is therefore incomprehensible that in the second paragraph of the draft legislative proposal the domain of national security is being excluded from judicial supervision. After all, where the concentration of power is supreme, judicial checks and balances should be the most potent to prevent any (future) abuses of power. In light of European history, the exception in paragraph 2 is in fact entirely irresponsible: unfortunately, even in our part of the world a democratic constitutional State is not a static matter of fact. Apart from that, the current draft proposal sends out a dangerous signal to foreign governments. Furthermore, Privacy First deems the exception in paragraph 2 unwise in view of possible technological developments in the (far) future. The same holds true in relation to the (further) expansion of the notion of ‘national security’. Also in the future, the Dutch population needs to be protected against arbitrary violations of confidentiality of communication; in this regard the current wording of paragraph 2 offers no guarantee whatsoever.
Adding an extra ‘judicial layer’ would strengthen the current system of internal and external supervision on the intelligence and security services (and hence reinforce our democratic constitutional State). In this regard, the system of judicial supervision in a country like Canada could be a source of inspiration. Such judicial control would also be in line with the case-law of the European Court of Human Rights:
“The Court has indicated, when reviewing legislation governing secret surveillance in the light of Article 8 [ECHR], that in a field where abuse is potentially so easy in individual cases and could have such harmful consequences for democratic society as a whole, it is in principle desirable to entrust supervisory control to a judge.”
In light hereof, the current wording of paragraph 2 is not expedient. Privacy First thus advises a revision of this paragraph as follows:
“This right can be restricted in cases defined by law with the authorisation of a judge or, in the interest of national security, with authorisation from one or more ministers appointed by law.’’ [lining through by Privacy First]
As a possible alternative to the introduction of judicial supervision in the security domain, Privacy First advises to upgrade the existing Dutch Review Committee on the Intelligence and Security Services (CTIVD) into a more powerful, independent supervisory body, similar to the Belgian or German model with overall compulsory inspections beforehand instead of random supervisory inspections afterwards.
A second point of criticism concerns the lack of an explicit constitutional notion of compulsory notification in the event of any infringement of the confidentiality of mail and telecommunication. Compulsory notification provides legal protection to citizens and contributes to the correct enforcement of law by the government, also in the security domain. Like judicial authorisation, this offers the best guarantuees against short-term as well as long-term violations.
From Privacy First's point of view, traffic data too need to fall within the scope of Article 13 of the Constitution. These data are often related to the content of communication; this even follows from the text of the EM itself, where text messages ('SMS') and the email subject line are rightly mentioned as examples. The same goes for instance for search terms in search engines. Apart from that, it is possible to deduce the content of communication between individuals and/or companies from traffic data in conjunction with other data (possibly collected in real-time). So here too, a vigorous regime of Article 13 of the Constitution in conjunction with judicial supervision is essential.
Finally, in the current EM Privacy First misses a comparative legal paragraph in which current Article 13 of the Constitution is compared with constitutional best practices from countries with either a civil law or a common law tradition. Additionally, with a new Article 13 of the Constitution that is state-of-the-art internationally, the Netherlands could positively distinguish itself and to some degree regain its former position as a leader in human rights.
Privacy First hopes that this advice will be of use to you. We are willing to give clarifications on the above points upon request.
Privacy First Foundation
Director of Operations
 EM, at 18, 20.
 Compare EM at 11, 1st paragraph.
 ECHR 22 November 2012, Telegraaf vs. Netherlands (Appl.no. 39315/06), para. 98. Compare also ibid., paras. 98-102.
 EM, at 18.
Update 8 February 2013: see also the critical comments by the Netherlands Committee of Jurists for Human Rights (NJCM), Bits of Freedom and the newly established Netherlands Institute for Human Rights (in Dutch).