Law & Politics

"A Dutch court Wednesday handed a victory to privacy advocates by striking down a data-retention law that gives the government easy access to telecommunication data.

The District court of The Hague said the law, which requires telecom providers to collect and store data for as long as 12 months, violates citizens' right to privacy and the right to protection of personal data. "The judge finds that this violation is not limited to what is strictly necessary," it said.

The ruling, which can still be appealed, is a blow to the Dutch government, which said the law was important to fight terrorism and organized crime. But it is a victory for privacy advocates, journalists and criminal lawyers in the Netherlands who argued that the law was unconstitutional because data are kept regardless of whether citizens are a suspect or not.

A spokesman for the Dutch ministry of Security and Justice wasn't immediately available to comment on the ruling.

The court's decision is effective immediately, which means that telecommunication companies are no longer obligated to store and collect data.

Most of the big providers weren't immediately available for comment, with some saying their legal experts need time to assess the implications.

"There are multiple layers in this ruling. We need to know how we should interpret it," a Tele2 spokesman said.

The lawsuit was the latest in a decade of legal challenges to data-retention across Europe. First adopted under an European Union directive dating to 2006, such rules generally require telecom providers to collect and store data about their users' mobile phone traffic and location for as long as two years.

But in several countries, including Germany, data-retention laws have since been tossed out on privacy grounds. And last spring, the European Union Court of Justice, the bloc's highest court, struck down the underlying directive requiring countries to implement the rules in the first place, saying it didn't have sufficient safeguards for individual's right to privacy.

In the Netherlands, where a data-retention law was enacted in 2009, the Dutch government has shown reluctance to scrap the law for security reasons. (...)"

Source: http://blogs.wsj.com/digits/2015/03/11/dutch-court-strikes-down-countrys-data-retention-law/, 12 March 2015.

"A judge scrapped the Netherlands' data retention law Wednesday, saying that while it helps solve crimes it also breaches the privacy of telephone and Internet users.

The ruling by a judge in The Hague followed a similar decision in April by the European Union's top court that wiped out EU data collection legislation it deemed too broad and offering too few privacy safeguards.

The Security and Justice Ministry said it was considering an appeal.

Under the Dutch law, telephone companies were required to store information about all fixed and mobile phone calls for a year. Internet providers had to store information on their clients' Internet use for six months.

The written judgment by Judge G.P. van Ham conceded that scrapping the data storage "could have far-reaching consequences for investigating and prosecuting crimes" but added that this could not justify the privacy breaches the law entails.

The judge did not set a deadline for disposing of the data.

Privacy First, one of the organizations that took the government to court, said the ruling "will bring to an end years of massive privacy breaches" in the Netherlands.

The government said after last year's European court ruling that it would amend its law.

In a written statement, the Security and Justice Ministry said it regretted the court's decision.

"Providers are no longer required to store data for investigations," the statement said. "The ministry is seriously concerned about the effect this will have on fighting crime.""

Source: http://www.nzherald.co.nz/business/news/article.cfm?c_id=3&objectid=11415850, 12 March 2015.

"A judge in the Netherlands has struck down a Dutch law that forces local telcos to store customer internet and phone metadata.

The law is similar to legislation being proposed by the Abbott government.

The ruling by a judge in The Hague on Wednesday followed a similar decision in April by the European Union's top court that wiped out EU data collection legislation it deemed too broad and offering too few privacy safeguards.

The judge said that while the metadata retention law helped solve crimes, it also breached the privacy of telephone and internet users.

The Dutch Justice and Security Ministry said it was considering an appeal.

Under the Dutch law, telephone companies were required to store information about all fixed and mobile phone calls for a year. Internet providers had to store information on their clients' internet use for six months.

The written judgment by Judge G. P. van Ham conceded that scrapping the data storage "could have far-reaching consequences for investigating and prosecuting crimes" but added that this could not justify the privacy breaches the law entails.

The judge did not set a deadline for disposing of the data.

The ruling follows Australian Communications Minister Malcolm Turnbull telling the bosses of news organisations concerned about journalists' sources being exposed that Australia's data retention bill was being overblown as an issue.

The government wants the bill legislated by the end of this month.

The minister, who began meeting the bosses this week, said his message to them was that law enforcement and security authorities already had access to metadata and there were no exemptions for journalists.

"The only thing the data retention law is requiring is that types of metadata which are currently retained will be retained in the future for at least two years," Mr Turnbull told ABC Radio on Wednesday.

"This whole metadata retention issue has been overblown by a lot of people; the changes are not as substantial as people make out."

The Dutch ruling also comes as Prime Minister Tony Abbott's office began offering briefings to media organisations with Australian Federal Police officials in an attempt to calm their concerns. The briefings are being arranged for several of Australia's most prominent media bosses before they front an inquiry examining the protection of journalists' sources on March 20, where they are expected to oppose Australia's data retention laws on the basis that they will result in journalists' sources being exposed in leak investigations.

The media bosses' concerns follow Britain rushing through guidelines for access to journalists' metadata after it was revealed that more than 600 applications in a three-year period were made for journalists' metadata by 19 different law enforcement agencies.

The Australian Federal Police has repeatedly refused to provide Fairfax Media with similar figures in Australia and recently refused to divulge the figure under freedom of information laws to another publication.

In the 2013-14 financial year, there were more than 500,000 disclosures of metadata to various agencies, including Centrelink, the Tax Office, Australia Post and traditional policing agencies.

Critics have described the Australian proposal as unnecessary, not proportionate, and a privacy violation.

The Australian journalists' union, the Media, Entertainment and Arts Alliance, said it would have a "chilling effect" on reporting.

But Mr Turnbull said the two-year retention period was vital for investigating crime and terrorism.

After the Dutch ruling, Privacy First, one of the organisations that took the Dutch government to court, said the ruling would "bring to an end years of massive privacy breaches" in the Netherlands.

In a written statement, the Dutch Justice and Security Ministry said it regretted the court's decision.

"Providers are no longer required to store data for investigations," the statement said. "The ministry is seriously concerned about the effect this will have on fighting crime.""

Source: http://www.smh.com.au/digital-life/consumer-security/dutch-do-a-uturn-on-metadata-laws-20150312-141rkl.html, 12 March 2015.

"A Dutch court has scrapped a national data retention law. The judge ruled that, although saving metadata might help solve crimes, it certainly breached the privacy of telephone and Internet users.

A court in the Netherlands struck down a law requiring telecoms and Internet service providers to store their clients' private phone and email data, saying it breached EU privacy rules. The decision took effect immediately on Wednesday, but officials announced that the Security and Justice Ministry could appeal.

"The judge ruled that data retention is necessary and effective to combat serious crime," according to the district court in The Hague. "Dutch legislation, however, infringes on the individual's right to privacy and the protection of personal data." The court added that "the law therefore contravenes the Charter of Fundamental Rights of the European Union."

The law had previously required telephone companies in the Netherlands to store information about all fixed and mobile calls for a year. Internet providers had to store information on their clients' use for six months.

In April 2014, the European Court of Justice struck down a 2006 EU law forcing telecoms to store electronic metadata - the time, date, duration and destination of communiques, but not the content - for up to two years. The practice was ruled to be invasive, despite the claimed anti-terror potential. Advocate General Pedro Cruz Villalon had declared the 2006 legislation illegal and told the European Union's 28 member states to take the necessary steps to withdraw it.

'Far-reaching crime'

The written ruling by Gerard van Ham conceded that scrapping the data storage "could have far-reaching consequences for investigating and prosecuting crimes," but, the judge added, this could not justify the privacy breaches that the law entails. The judge did not set a deadline for disposing of the data.

According to Privacy First, one of seven organizations that took the government to court last month, the ruling "will bring to an end years of massive privacy breaches." The Dutch Association of Journalists was also a party to the suit.

After last year's ruling in the EU court, the government had announced that it would amend its law. However, in a written statement released on Wednesday, officials from the Security and Justice Ministry criticized the court's decision.

"Providers are no longer required to store data for investigations," the officials complained in the statement. "The ministry is seriously concerned about the effect this will have on fighting crime."

The extent to which governments and corporations monitor private individuals has risen to the forefront in the wake of a series of documents released since 2013 by the American intelligence whistleblower Edward Snowden. According to the latest report, New Zealand has monitored neighbors in the Asia-Pacific region. A new anti-terror law in China requires that foreign corporations allow the government to access their data.

The Wikimedia Foundation has sued the US National Secutiry Agency over its mass surveillance of private individuals. And consumer advocates have lashed out at large corporations that harvest personal data for commercial purposes."

Source: http://www.dw.de/in-hague-court-rules-for-dutch-tech-privacy-advocates/a-18308553, 11 March 2015.

"A judge scrapped the Netherlands' data retention law Wednesday, saying that while it helps solve crimes it also breaches the privacy of telephone and Internet users.

The ruling by a judge in The Hague followed a similar decision in April by the European Union's top court that wiped out EU data collection legislation it deemed too broad and offering too few privacy safeguards.

The Security and Justice Ministry said it was considering an appeal.

Under the Dutch law, telephone companies were required to store information about all fixed and mobile phone calls for a year. Internet providers had to store information on their clients' Internet use for six months.

The written judgment by Judge G.P. van Ham conceded that scrapping the data storage "could have far-reaching consequences for investigating and prosecuting crimes" but added that this could not justify the privacy breaches the law entails.

The judge did not set a deadline for disposing of the data.

Privacy First, one of the organizations that took the government to court, said the ruling "will bring to an end years of massive privacy breaches" in the Netherlands.

The government said after last year's European court ruling that it would amend its law.

In a written statement, the Security and Justice Ministry said it regretted the court's decision.

"Providers are no longer required to store data for investigations," the statement said. "The ministry is seriously concerned about the effect this will have on fighting crime.""

Source: http://abcnews.go.com/Technology/wireStory/court-scraps-dutch-data-retention-law-cites-privacy-29551938, 12 March 2015.

"Judge in The Hague says country's regime for retaining telephone and internet users helps to solve crime but is too intrusive.

A judge has scrapped the Netherlands' data retention law, saying that while it helps solve crime it also breaches the privacy of telephone and Internet users.

The ruling by a judge in The Hague followed a similar decision in April by the European Union's top court that wiped out EU data collection legislation it deemed too broad and offering too few privacy safeguards.

The Dutch security and justice ministry said it was considering an appeal.

Under the Dutch law telephone companies were required to store information about all fixed and mobile phone calls for a year. Internet providers had to store information on their clients' internet use for six months.

The written judgment by Judge GP van Ham conceded that scrapping the data storage "could have far-reaching consequences for investigating and prosecuting crimes" but added that this could not justify the privacy breaches the law entailed.

The judge did not set a deadline for disposing of the data.

Privacy First, one of the organisations that took the government to court, said the ruling "will bring to an end years of massive privacy breaches" in the Netherlands.

The Dutch government said after last year's European court ruling that it would amend its law. In a written statement the security and justice ministry said it regretted the court's decision.

"Providers are no longer required to store data for investigations," the statement said. "The ministry is seriously concerned about the effect this will have on fighting crime."

Data retention has been a heated issue in light of Edward Snowden's revelations about the activities of the National Security Agency in the US and its affiliates overseas.

In Australia, a key US intelligence ally, the government is currently considering its own data retention package, which would store certain types of Australians' phone and web data for two years.

Privacy concerns have been raised and a lengthy political debate has ensued amid confusion within the government itself over how far the laws would extend or what would be retained. But the bill is now closer to passing with the support of a parliamentary committee involving both major parties.

The government in Canberra has agreed to hold a separate hearing into the issues of law enforcement agencies access to journalists' metadata, and news outlets will appear before a parliamentary hearing on 20 March."

Source: http://www.theguardian.com/technology/2015/mar/12/data-retention-netherlands-court-strikes-down-law-as-breach-of-privacy, 12 March 2015.

"The Dutch data retention law requiring telecommunications operators and ISPs to store customer metadata for police investigations was scrapped by the District Court of the Hague on Wednesday.

The court found that the law violates fundamental European Union privacy rights. The question remains though whether the law should be inactivated indefinitely, as the case can be appealed by the Dutch state, a court spokesman said. However, pending the outcome of any possible legal procedures the law will remain inactive, he said.

The Dutch Ministry of Security and Justice declined to comment as it was still studying the verdict.

The law suspended by the court was based on the EU's Data Retention Directive, which was invalidated by the Court of Justice of the EU (CJEU) last year, also because it violated fundamental privacy rights.

Despite that ruling though, the Dutch government decided in November last year to largely maintain its national data retention law on the grounds that it "is indispensable for the investigation and prosecution of serious criminal offenses." Only a few adjustments were made, which mainly tightened who had access to what data and under what circumstances.

Not satisfied with that approach, a broad coalition of organizations, including Privacy First, the Dutch Association of Criminal Defense Lawyers, the Dutch Association of Journalists, the Dutch Section of the International Commission of Jurists, ISP BIT and telecom companies VOYS and SpeakUp, sued the government in January to get the law invalidated.

The court, ruling in their favor, criticized the overly broad scope of the law in its verdict.

Data retention rules were introduced after terror attacks in London and Madrid in 2004 and 2005 with the aim of fighting serious crime. However, the Dutch law also allowed law enforcement to retrieve data in the case of a bicycle theft, the court noted. And while the government promised not to use the law lightly, the fact remains that the opportunity to do so exists and there are no safeguards to effectively restrict access to information to what is strictly necessary for the fight against only serious crime, the court found.

What's more, under the scrapped law, access to data is not subject to a prior review by a court or independent administrative authority, the court said. Thus, the law violates articles 7 and 8 of the Charter of Fundamental Rights of the EU, which cover the right to a private life and the protection of personal data.

While the inactivation of the law may have profound implications for the investigation and prosecution of criminal offenses, that does not justify the persistence of the infringement, the court said.

The verdict probably means that ISPs and telecom companies can now stop retaining data, but when or whether they will do so is unclear. BIT did not immediately respond to a request for comment. A spokesman for Dutch ISP XS4ALL said the company can probably stop retaining data and delete existing records but wants the legal department to make absolutely sure it can before it will do so.

The Netherlands is not the only country where a law based on the EU Data Retention Directive was invalidated. A similar law was axed by the Constitutional Court of Austria in the wake of the CJEU ruling, for example, while Germany's data retention law was ruled unconstitutional long before the CJEU ruling.

In Sweden, meanwhile, the government maintains that the national data retention law can still be applied. And in the U.K., a new data retention law was rushed through by the U.K. government in December, replacing the one that was based on the EU directive. That new law will be reviewed by the country's High Court though to determine if it violates human rights."

Source: http://www.pcworld.com/article/2895356/dutch-court-scraps-telecommunications-data-retention-law.html, 11 March 2015.

Today the district court of The Hague has rendered the Dutch Data Retention Act inoperative in a break-through verdict. The judge did so at the request of the Privacy First Foundation and six other organizations. This puts an end to a massive privacy violation that lasted for years: retaining the telecommunications data of everyone in the Netherlands for criminal investigation purposes, which made every Dutch citizen a potential suspect.

Broad coalition of civil society organizations

Under the 2009 Dutch Data Retention Act, the telecommunications data (telephony and internet traffic) of everyone in the Netherlands had to be retained, for 12 months and 6 months respectively, for criminal investigation purposes. In interim injunction proceedings against the Dutch government, a broad coalition of civil society organizations demanded the Act to be rendered inoperative as it violated the right to privacy. The claimant organizations were the Privacy First Foundation, the Dutch Association of Defence Counsel (NVSA), the Dutch Association of Journalists (NVJ), the Netherlands Committee of Jurists for Human Rights (NJCM), Internet provider BIT and telecommunications providers VOYS and SpeakUp. The case was conducted by Boekx Attorneys (Amsterdam).

Stubborn minister

According to the claimant parties, the Dutch Data Retention Act constituted a violation of fundamental rights that protect privacy, communications and personal data. This was also the view of the European Court of Justice in April last year, followed by the Dutch Council of State (Raad van State), the Dutch Data Protection Authority (College Bescherming Persoonsgegevens) and the Dutch Senate (Eerste Kamer). However, former Dutch minister of Security and Justice, Ivo Opstelten, refused to withdraw the Act. Opstelten wanted to uphold the Act until a legislative change was implemented, which could have taken years. The district court in The Hague has now made short shrift of the Act by repealing it immediately.

Data retention is unlawful

On 8 April 2014, the European Court of Justice declared the EU Data Retention Directive entirely and retroactively unlawful. The Dutch Data Retention Act was almost identical to this invalid directive. According to the European Court, retaining the telecommunications data of everyone, without any well-founded suspicion, is in breach of the fundamental right to privacy. Randomly and unrestrictedly collecting 'metadata' in the context of mass surveillance is not permitted, according to the Court.

Important precedent

Privacy First is committed to maintaining and strengthening everyone's right to privacy, if necessary by filing lawsuits against the Dutch government. The Dutch Data Retention Act was an excellent cause for doing so, says Vincent Böhre of Privacy First: "This mass surveillance constituted a massive violation of the right to privacy of every Dutch citizen. It was unacceptable that minister Opstelten clinged to this practice after the highest European court had already clearly stated back in April that this privacy violation was not permitted. Privacy First works to promote a society in which innocent citizens are not burdened by the idea of constantly being watched. The judgment of the court in The Hague is an important step in that direction."

Privacy First expects Dutch telecommunications providers to comply with the judgment and stop retaining everyone's telecommunications data for criminal investigation purposes. In case the Dutch government decides to appeal the judgment, then Privacy First is confident about the outcome of proceedings before the Hague Court of Appeal.

The original judgment in Dutch can be found HERE. Click HERE (pdf) for an unofficial English translation on the website of the Interdisciplinary Internet Institute.

"The first hearing of the appeal against the Dutch data retention legislation will be heard 18 February, announced ISP BIT, one of the organisations bringing the suit. BIT as well as a number of NGOs claim the legislation is in violation of personal privacy rights. The lawsuit was filed in December in cooperation with Privacy First, the Dutch association of defense lawyers, the Dutch journalists union, the Dutch committee of lawyers for human rights and the telecom operators BIT, Voys and SpeakUp. The Amsterdam law fim Boekx Advocaten is handling the case."

Source: http://www.telecompaper.com/news/dutch-data-retention-appeal-hearing-scheduled-for-18-feb--1059022, 12 January 2015.

"The Dutch data retention law will have its day in court on Feb. 18, when the District Court of the Hague hears a legal challenge to it filed by a broad coalition of organizations.

The law requires telecommunications and Internet companies to retain their customer's location and traffic metadata for six to 12 months, depending on the type of data, for investigatory purposes.

However, the complainants want the court to invalidate the law because it violates fundamental privacy rights, said their law firm Boekx Advocaten. The main reason the law should be scrapped, they say, is a ruling from the Court of Justice of the European Union (CJEU) last year, which invalidated the EU's Data Retention Directive on which the Dutch law is based because it violates fundamental privacy rights.

After evaluating that ruling, though, the Dutch government decided in November largely to maintain the national data retention law on the grounds that it "is indispensable for the investigation and prosecution of serious criminal offenses." Only a few adjustments to the law were deemed necessary, mainly tightening who has access to the data and under which circumstances.

By maintaining the law, the government also ignored the advice given by the Council of State, a constitutional advisory body that concluded that the Dutch data retention law should be withdrawn because it violates fundamental privacy laws.

The challenge, filed by civil rights organization Privacy First, the Dutch Association of Criminal Defense Lawyers, the Dutch Association of Journalists, the Dutch Section of the International Commission of Jurists, ISP BIT and telecom companies VOYS and SpeakUp, aims to get the law invalidated as soon as possible.

Data retention laws in other EU countries have been ruled unconstitutional. The Constitutional Court of Austria for instance axed the local data retention law in the wake of the CJEU ruling, and in Germany the local data retention law was already ruled unconstitutional in 2010, long before the CJEU ruling.

In Sweden though things are much the same as in the Netherlands. There, the government maintains that the Swedish national legislation can still be applied, causing trouble for Swedish ISP Bahnhof, which had stopped retaining and deleted data after being given permission by the Swedish Post and Telecom Authority (PTS) to do so in wake of the CJEU ruling.

However, Bahnhof was told to start retaining data again later last year. To protect its customers, the ISP has set up a free VPN (virtual private network) service to hide their communication metadata from the police. It also asked to the European Commission to intervene and vowed to fight the law in court.

Meanwhile, the European Parliament's Legal Service also reached a conclusion about the CJEU ruling. It means that EU countries no longer have any obligation but rather an option to keep retaining data, it said in its analysis of the implications of the judgement that was leaked by digital rights group Access Now last week.

As a result of the CJEU ruling, countries run an even higher risk than before of having their national legislation annulled by national courts in a similar way to what has happened in some EU countries, the Legal Service said. (...)"

Source: http://www.pcworld.com/article/2867792/dutch-government-sued-over-data-retention-law.html, 12 January 2015.