This week the Dutch House of Representatives will debate the ‘temporary’ Corona emergency law under which the movements of everyone in the Netherlands can henceforth be monitored ‘anonymously’. Privacy First has previously criticized this plan in a television broadcast by current affairs program Nieuwsuur. Subsequently, today Privacy First has sent the following letter to the House of Representatives:
Dear Members of Parliament,
With great concern, Privacy First has taken note of the ‘temporary’ legislative proposal to provide COVID-19 related telecommunications data to the Dutch National Public Health Institute (RIVM). Privacy First advises to reject this proposal on account of the following fundamental concerns and risks:
Violation of fundamental administrative and privacy principles
- There is no societal necessity for this legislative proposal. Other forms of monitoring have already proven sufficiently effective. The necessity of this proposal has not been demonstrated and there is no other country where the application of similar technologies made any significant contribution.
- The proposal is entirely disproportionate as it encompasses all telecom location data in the entire country. Any form of differentiation is absent. The same applies to data minimization: a sample would be sufficient.
- The proposal goes into effect retroactively on 1 January 2020. This violates legal certainty and the principle of legality, particularly because this date is long before the Dutch ‘start’ of the pandemic (11 March 2020).
- The system of ‘further instructions from the minister’ that has been chosen for the proposal is completely undemocratic. This further erodes the democratic rule of law and the oversight of parliament.
- The proposal does not mention 'privacy by design' or the implementation thereof, while this should actually be one of its prominent features.
Alternatives are less invasive: subsidiarity
- The State Secretary failed to adequately investigate alternatives which are more privacy friendly. Does she even have any interest in this at all?
- Data in the possession of telecom providers are pseudonymized with unique ID numbers and as such are submitted to Statistics Netherlands (CBS). This means that huge amounts of sensitive personal data become very vulnerable. Anonymization by CBS happens only at a later stage.
- When used, the data are filtered based on geographical origin. This creates a risk of discrimination on the basis of nationality, which is prohibited.
- It is unclear whether the CBS and the RIVM intend to ‘enrich’ these data with other data, which could lead to function creep and potential data misuse.
Lack of transparency and independent oversight
- Up until now, the Privacy Impact Assessment (PIA) of the proposal has not been made public.
- There is no independent oversight on the measures and effects (by a judge or an independent commission).
- The GDPR may be applicable to the proposal only partially as anonymous data and statistics are exempt from the GDPR. This gives rise to new risks of data misuse, poor digital protection, data breaches, etc. General privacy principles should therefore be made applicable in any case.
Structural changes and chilling effect
- This proposal seems to be temporary, but the history of similar legislation shows that it will most likely become permanent.
- Regardless of the ‘anonymization’ of various data, this proposal will make many people feel like they are being monitored, which in turn will make them behave unnaturally. The risk of a societal chilling effect is huge.
Faulty method with a significant impact
- The effectiveness of the legislative proposal is unknown. In essence, it constitutes a large scale experiment. However, Dutch society is not meant to be a living laboratory.
- By means of data fusion, it appears that individuals could still be identified on the basis of anonymous data. Even at the chosen threshold of 15 units per data point, the risk of unique singling out and identification is likely still too large.
- The proposal will lead to false signals and blind spots due to people with several telephones as well as vulnerable groups without telephones, etc.
- There is a large risk of function creep, of surreptitious use and misuse of data (including the international exchange thereof) by other public services (including the intelligence services) and future public authorities.
- This proposal puts pressure not just on the right to privacy, but on other human rights as well, including the right to freedom of movement and the right to demonstrate. The proposal can easily lead to structural crowd control that does not belong in a democratic society.
Specific prior consent
Quite apart from the above concerns and risks, Privacy First doubts whether the use of telecom data by telecom providers, as envisaged by the legislative proposal, is lawful in the first place. In the view of Privacy First, this would require either explicit, specific and prior consent (opt-in) from customers, or the possibility for them to opt-out at a later stage and to have the right to have all their data removed.
It is up to you as Members of Parliament to protect our society from this legislative proposal. If you fail to do so, Privacy First reserves the right to take legal action against this law.
The Privacy First Foundation
Yesterday, there was a hearing in the Dutch House of Representatives in which the by now notorious Corona app was critically discussed. The House had invited various experts and organizations (among which Privacy First) to submit position papers and take part in the hearing. Below is both the full text of our position paper, as well as the text which was read out at the hearing. A video of the entire hearing (in Dutch) can be found HERE. Click HERE for the program, all speakers and position papers.
Dear Members of Parliament,
Thank you kindly for your invitation to take part in this roundtable discussion about the so-called Corona app. In the view of Privacy First, apps like these are a threat to everyone’s privacy. We will briefly clarify this below.
Lack of necessity and effectiveness
With great concern, Privacy First has taken note of the intention of the Dutch government to employ a contact tracing app in the fight against the coronavirus. Thus far, the social necessity of such apps has not been proven, while the experience of other countries indicates there is ground to seriously doubt their benefit and effectiveness. In fact, these apps may even be counterproductive as their use leads to a false sense of safety. Moreover, it’s very hard to involve the most vulnerable group of people (the elderly) through this means. This should already be enough reason to refrain from using Corona apps.
In Privacy First’s view, the use of such apps is a dangerous development because it could lead to stigmatization and numerous unfounded suspicions, and may also cause unnecessary unrest and panic. Even when ‘anonymized’, the data from these apps can still be traced back to individuals through data fusion. In case this technology will be introduced on a large scale, it will result in a surveillance society in which everyone is being continuously monitored – something people will be acutely aware of and would lead to an imminent societal chilling effect.
Risks of misuse
There is a significant risk that the collected data will be used for multiple purposes (function creep) and be misused by both companies and public authorities. The risk of surreptitious access, hacking, data breaches and misuse is substantial, particularly in the case of central instead of decentral (personal) storage as well as a lack of open source software. However, not even the use of personal storage offers any warranty against misuse, malware and spyware, or, for that matter, makes users less dependent on technical vulnerabilities. Moreover, if the data fall into the hands of criminal organizations, they will be a gold mine for criminal activities.
For Privacy First, the risks of Corona apps do not outweigh their presumed benefits. Therefore, Privacy First advises the House to urge the cabinet not to proceed with the introduction of such apps.
Testing instead of apps
According to Privacy First, there is a better and more effective solution in the fight against the coronavirus. One that is based on the principles of proportionality and subsidiarity, i.e., large scale testing of people to learn about infection rates and immunization. To this end, the necessary test capacity should become available as soon as possible.
Haste is rarely a good thing
If, despite all the above-mentioned objections, it will be decided there is going to be a Corona app after all, then this should come about only after a careful social and democratic process with sufficiently critical, objective and independent scrutiny. This has not been the case so far, judging by the developments of the past few days. In this context, Privacy First recommends that the House calls on the cabinet to put its plans on ice and impose a moratorium on the use of Corona apps.
Privacy by design
The right to anonymity in public space is a fundamental right, one that is crucial for the functioning of our democratic constitutional state. Any democratic decision to nullify this right is simply unacceptable. If indeed the deployment of ‘Corona apps’ will be widespread, then at least their use should be strictly anonymous and voluntary. That is to say, they should be used only for a legitimate, specific purpose, following individual, prior consent without any form of outside pressure and on the premise that all the necessary information is provided. In this respect, privacy by design (embedding privacy protection in technology) must be a guiding principle. For Privacy First, these are stringent and non-negotiable prerequisites. In case these conditions are not met, Privacy First will not hesitate to bring proceedings before a court.
The Privacy First Foundation
Dear Members of Parliament,
You have received our position paper, this is our oral explanation.
First of all: Privacy First is firmly against any form of surveillance infrastructure, with or without apps.
With this in mind, we look at three legal principles:
- Legitimate purpose limitation.
- What is the problem?
- What is the scale of the problem?
- What are possible objectives, how can we achieve these objectives, and how can we measure progress towards them?
It’s already impossible to answer the first question as we now test partially and selectively. The total infected population is unknown, the people who have recovered are unknown also, and do not get reported. There is, however, fearmongering as a result of emotions and selective reporting; deaths with multiple causes (die with as opposed to die from Corona) and admittance to critical care units.
Let us be clear, we will first have to map out the causes of this problem before we can draw conclusions and talk about solutions. Not only IT professionals and virologists should be involved in this, to no lesser extent we need philosophers, legal scholars, sociologists, entrepreneurs and others who represent society also.
- Necessity and proportionality. In terms of test capacity, critical care units, medical materials and medical personnel, we essentially have a capacity problem. So, there is no doubt in our mind what we should be focusing on, also in view of future outbreaks; testing the entire population in order to tell who is infected and who is immune, and be able to determine the real problem. 97% of the population is unaffected. Make sure there will be a division and proper care for high-risk groups. Halt crisis communication and start crisis management. Take all treatment methods seriously, including those that are not profitable for Big Pharma and Big Tech.
- Subsidiarity. Once we know the problem, we may ask what the solutions are. Additional personnel at municipal health centers? Building a critical care unit hospital specifically for situations like these? Increasing the test capacity in order to be able to take decisions based on figures? All of this is possible within our current health system, with the general practitioner as the first point of contact.
On the basis of trust, we have given our government six weeks to get its act together. And what do we get in return? Distrust and monitoring tools. And still shortages of medical equipment. So, fix the fundamentals, deal with the treatment and test capacity and stop building new technological gadgets and draconian apps used in dictatorial regimes in Asia. And take The Netherlands out of this prolonged lockdown as soon as possible. Privacy First is opposed to a ‘1.5-meter society’ as the new normal, and is instead in favor of a common-sense society based on trust in mature citizens.
With great concern, Privacy First has taken note of the intention of the Dutch government to employ special apps in the fight against the coronavirus. In Privacy First’s view, the use of such apps is a dangerous development because it could lead to stigmatisation and numerous unfounded suspicions, and may also cause unnecessary unrest and panic. Even when ‘anonymized’, the data from these apps can still be traced back to individuals through data fusion. In case this technology will be introduced on a large scale, it will result in a surveillance society in which everyone is being continuously monitored – something people will be acutely aware of and would lead to an imminent societal chilling effect. Furthermore, there is a substantial risk that the collected data will be used and misued for multiple (illegitimate) purposes by companies and public authorities. Moreover, if these data fall into the hands of criminal organizations, they will be a gold mine for criminal activities. For Privacy First, these risks of Corona apps do not outweigh their presumed benefits.
The right to anonymity in public space is a fundamental right, one that is crucial for the functioning of our democratic constitutional State. Any democratic decision to nullify this right is simply unacceptable. If indeed the deployment of ‘Corona apps’ will be widespread, then at least their use should be strictly anonymous and voluntary. That is to say, they should be used only for a legitimate, specific purpose, following individual, prior consent without any form of outside pressure and on the premise that all the necessary information is provided. In this respect, privacy by design (embedding privacy protection in technology) must be a guiding principle. For Privacy First, these are stringent and non-negotiable prerequisites. In case these conditions are not met, Privacy First will not hesitate to bring proceedings before a court.
Today an important debate will take place in the Dutch House of Representatives about the introduction of Passenger Name Records (PNR): the large scale, years-long storage of all sorts of data of airline passengers, supposedly to fight crime and terrorism. Privacy First has major objections and at the end of last week has sent the following letter to the House. Today’s parliamentary debate was first scheduled to take place on 14 May 2018, but was cancelled (following a similar letter from Privacy First) until further notice. Following new parliamentary questions, the debate will now take place today after all. Here is the full text of our most recent letter:
Dear Members of the House of Representatives,
On Monday afternoon, this 11 March, you will discuss the Dutch implementation of the European directive on Passenger Name Records (PNR) with minister Grapperhaus (Justice and Security). In Privacy First’s view, both the European PNR directive as well as the Dutch implementation thereof are legally untenable. We shall here briefly elucidate our position.
Under the minister’s legislative proposal concerning PNR, numerous data of every single airline passenger travelling to or from the Netherlands will be stored for five years in a central government database of the new Passenger Information Unit and will be used to prevent, investigate and prosecute crimes and terrorism. Sensitive personal data (such as names, addresses, telephone numbers, email addresses, dates of birth, travel data, ID document numbers, destinations, fellow passengers and payment data) of many millions of passengers will, as a result, become available for many years for the purpose of data mining and profiling. In essence, this means that every airline passenger will be treated as a potential criminal or terrorist. In 99.9% of all cases, however, this concerns perfectly innocent citizens, mainly holidaymakers and business travellers. This is a flagrant breach of their right to privacy and freedom of movement. Last year, Privacy First had already made these arguments in the Volkskrant and on BNR Nieuwsradio. Because of privacy objections, in recent years there has been a lot of political resistance to such large scale PNR storage of data, which has been rejected by both the House of Representatives as well as the European Parliament on several occasions since 2010. In 2015, Dutch ruling parties VVD and PvdA were absolutely opposed to PNR as well. Back then, they called it a ‘holiday register’ and they themselves threatened to take to the European Court of Justice in case the PNR directive would be adopted. However, after the attacks in Paris and Brussels, it seemed that many political restraints had evaporated and in 2016, the PNR directive finally came about after all. Up to now however, the legally required necessity and proportionality of this directive have still to be demonstrated.
In the summer of 2017, the European Court of Justice issued an important ruling with regard to the similar PNR agreement between the EU and Canada. The Court declared this agreement invalid because it violates the right to privacy. Among other things, the Court held that the envisaged agreement must, “limit the retention of PNR data after the air passengers’ departure to that of passengers in respect of whom there is objective evidence from which it may be inferred that they may present a risk in terms of the fight against terrorism and serious transnational crime.” (See Opinion 1/15 (26 July 2017), par. 207.) Ever since this ruling, the European PNR directive is a legal uncertainty. Therefore, the Dutch government has valid ‘‘concerns about the future viability of the PNR directive” (see Note in response to report, p. 23, in Dutch). Privacy First expects that the current PNR directive will soon be submitted to the European Court of Justice for judicial review and will then be declared unlawful. Subsequently, a situation will arise that is similar to the one we have witnessed a few years ago with regard to the European Telecommunications Data Retention Act: as soon as this European directive will be annulled, the Dutch implementing provisions will equally be invalidated in interim injunction proceedings.
The current Dutch PNR legislative proposal seems unlawful a priori because of a lack of demonstrable necessity, proportionality and subsidiarity. The legislative proposal comes down to mass surveillance of mostly innocent citizens; in the 2016 Tele2 case the European Court already ruled that this type of legislation is unlawful. Thereupon the Netherlands pledged before the UN Human Rights Council “to ensure that the collection and maintenance of data for criminal [investigation] purposes does not entail massive surveillance of innocent persons.” The Netherlands now seems to renege on that promise. After all, a lot of completely unnecessary data of every airline passenger will be stored for years and can be used by various Dutch, European and even non-European government agencies. Moreover, the effectiveness of PNR has to date never been demonstrated, the minister himself affirmed: ‘‘There is no statistical support” (see Note in response to report, p. 8, in Dutch). The risk of unjust suspicion and discrimination (due to fallible algorithms used for profiling) under the proposed PNR system is serious, which also increases the likelihood of delays and missed flights for innocent passengers. All the while, wanted persons will often stay under the radar and choose alternative travel routes. Furthermore, the legislative proposal entirely fails to address the role and capabilities of secret services, which will be granted secret and shielded access to the central PNR database under the new Dutch Intelligence and Security Services Act. However, the most questionable aspect of the Dutch PNR legislative proposal is that it goes even two steps further than the European PNR directive itself: After all, it is the Dutch government's own decision to also store the data of passengers on all intra-EU flights. This is not obligatory under the PNR directive, and the Netherlands could have limited this to preselected flights (judged to be at risk) only. This would have been in line with the advice of most experts in this field who argue for targeted actions as opposed to mass surveillance. In other words, to focus on persons with a reasonable suspicion about them, in accordance with the principles of our democracy under the rule of law.
Privacy First Advice
Privacy First strongly advises you to reject the current legislative proposal and to replace it with a privacy-friendly version. In case this will lead to the European Commission referring the Netherlands to the European Court of Justice due to a lack of implementation of the present PNR directive, Privacy First would be confident this would end in a clear victory for the Netherlands. EU Member States simply cannot be expected to implement privacy-violating EU rules. This applies equally to the national implementation of relevant resolutions of the UN Security Council (in this case UNSC Res. 2396 (2017)) which is similarly at odds with international human rights law. In this respect, Privacy First has already warned of the abuse of the Dutch TRIP system (which is also used for PNR) by other UN Member States. In this regard, the Netherlands has its own responsibility under the Dutch Constitution as well as under international law.
Privacy First Foundation
Update 19 March 2019: Regrettably, today the House of Representatives has adopted the legislative proposal almost unchanged; only GroenLinks, SP, PvdD and Denk voted against. Unfortunately, a motion by GroenLinks and SP to provoke legal action by the European Commission against the Dutch government about the PNR directive was rejected. The only bright spot is the widely adopted motion for the judicial reassessment and possible revision of the PNR directive at a European political level. (Only PVV and FvD voted against this motion.) Next stop: the Senate.
Update 4 June 2019: despite sending the above letter for a second time and despite other critical input by Privacy First, the Senate today has unfortunately adopted the legislative proposal. Only GroenLinks, PvdD and SP voted against. Even in spite of the enormous error rates (false positives) of 99.7% that recently came to light in the comparable German PNR system, see https://www.sueddeutsche.de/digital/fluggastdaten-bka-falschtreffer-1.4419760. Meanwhile, large scale cases have been brought against the European PNR directive in Germany and Austria in order for the European Court of Justice to nullify it on account of violations of the right to privacy, see the German-English campaign website https://nopnr.eu and https://www.nrc.nl/nieuws/2019/05/15/burgers-in-verzet-tegen-opslaan-passagiersgegevens-a3960431. As soon as the European Court rules that the PNR directive is unlawful, Privacy First will start interim injunction proceedings in order for the Dutch PNR law to be rendered inoperative. Moreover, yesterday Privacy First has put the PNR law on the agenda of the UN Human Rights Committee in Geneva. On 1 and 2 July 2019, the overall human rights situation in the Netherlands (including violations of the right to privacy) will be critically reviewed by this Committee.
A train passenger has submitted an enforcement request to the Dutch Data Protection Authority, because he argues that Dutch Railways (NS) violates the privacy of train passengers.
In response to three new attempts by Dutch Railways (NS) to violate the privacy of train passengers, NS customer Michiel Jonker has submitted a request for enforcement to the Dutch Data Protection Authority (DPA). It concerns:
- Rejecting the reimbursement of the remaining balance on anonymous public transport chip cards if the holder does not provide his or her name and address data to NS;
- Refusing international train tickets by NS employees at station desks if buyers do not provide their name and address data to NS;
- Charging, since 2 July 2018, additional "service costs" when holders of anonymous public transport chip cards pay in cash for topping up the balance on these cards.
Since July 2014, NS has already launched attacks on the privacy of Dutch train passengers in various ways. It then concerned:
- Discriminating holders of anonymous public transport chip cards in discount hours;
- Requiring de-anonymization of the anonymous public transport chip cards when NS is asked to provide services (for example, reimbursing money in the event of delays);
- Applying two unique card numbers on each anonymous OV chip card, as a result of which the anonymity of these cards is affected.
As a traveler who wants to maintain his privacy, Jonker repeatedly asked the DPA to investigate these violations and to take enforcement measures. Jonker already won several lawsuits against the DPA, which initially refused to even investigate the reports.
The recently adopted General Data Protection Regulation (GDPR) will play an important role in the assessment of the new violations by NS. Another central issue will be the right to pay by cash, which protects privacy.
Jonker: "In all these matters, the question is whether users of Dutch public transport are entitled to a real, effective protection of their privacy. This question is more relevant than ever, when you see how people are treated in situations where privacy is not adequately protected. We don't only think about China with its Social Credit score, or the United States with their "No Fly" lists, but also about European countries where laws have been adopted in recent years that allow the government to spy on travelers who are not even suspected of any punishable or risky behavior. For example France with its permanent state of emergency and the Netherlands with its new Intelligence and Security Act."
In this new case, Jonker is supported by Privacy First and Maatschappij voor Beter OV.
Source: https://www.liberties.eu/en/news/ns-privacy-fight-passenger-privacy/15444, 25 July 2018.
On November 2nd 2016, the Dutch House of Representatives will address a controversial legislative proposal that will introduce four week storage of the travel movements of all motorists in the Netherlands. In case both chambers of Dutch Parliament adopt this proposal, Privacy First will try to overturn this in court.
Large scale breach of privacy
It is Privacy First’s constant policy to challenge large scale privacy violations in court and have them declared unlawful. Privacy First successfully did so with the central storage of everyone’s fingerprints under the Dutch Passport Act and the storage of everyone’s communications data under the Dutch Telecommunications Retention Act. A current and similar legislative proposal that lends itself for another major lawsuit is legislative proposal 33542 (in Dutch) of the Dutch Minister of Security and Justice, Ard van der Steur, in relation to Automatic Number Plate Recognition (ANPR). Under this legislative proposal, the number plate codes of all motorists in the Netherlands, i.e. everyone’s travel movements, will be collected through camera surveillance and stored for four weeks in police databases for criminal investigation purposes. As a result, every motorist will become a potential suspect. This is a completely unnecessary, wholly disproportionate and ineffective measure. Therefore the proposal is in breach of the right to privacy and thus unlawful.
The current ANPR legislative proposal was already submitted to the Dutch House of Representatives in February 2013 by the then Minister of Security and Justice, Ivo Opstelten. Before that, in 2010, Opstelten’s predecessor Hirsch Ballin had the intention to submit a similar proposal, albeit with a storage period of 10 days. However, back then the House of Representatives declared this subject to be controversial. Opstelten and Van der Steur have thus now taken things a few steps further. Due to privacy concerns, the parliamentary scrutiny of this proposal was at a standstill for several years, but now seems to be reactivated and even reinforced through a six-fold increase of the proposed retention period, courtesy of the ruling parties VVD and PvdA.
Under current Dutch national law, ANPR data of innocent citizens must be erased within 24 hours. In the eyes of the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP), all number plate codes that are not suspect (so-called ‘no-hits’) are to be removed from relevant databases immediately. Van der Steur’s plan to also store the number plate codes of unsuspected citizens for four weeks directly flies in the face of this. VVD and PvdA are even willing to increase this retention period to six months. The inevitable consequence, a haystack of data, would constitute a blatant violation of the right to privacy of every motorist. Any possible judicial oversight of the use of these data would do nothing to alter this.
UN Human Rights Council
In recent years, Privacy First has repeatedly expressed this position to both the House of Representatives (standing committee on Security and Justice) as well as to relevant MPs personally. Privacy First has also made its stance clear in personal meetings with Minister Opstelten (July 2012) and Minister Van der Steur (July 2014, at that time still a VVD MP). Moreover, Privacy First has recently raised this issue with the United Nations. In May 2017, the Dutch government can be held accountable for this at the UN Human Rights Council in Geneva.
In case both the House of Representatives and the Dutch Senate will adopt the ANPR legislative proposal in its current form, Privacy First (in a broad coalition together with other civil organizations) will immediately summon the Dutch government in order to render the law inoperative on account of violation of the right to privacy. If necessary, Privacy First and co-plaintiffs will litigate all the way up to the European Court of Human Rights in Strasbourg. Considering the European and Dutch case law on the subject, Privacy First rates its chances of legal success very high.
Update 20 December 2018: today the Dutch government has announced that the ANPR Act will enter into force on 1 January 2019. The summary proceedings of Privacy First against the ANPR Act will soon take place at the District Court of The Hague.
EU Passenger Name Records: every airline passenger a potential suspect.
Today is a historic day in both a positive and a negative sense: on the one hand European Parliament has taken an important step forward in the area of privacy by adopting the General Data Protection Regulation. On the other hand, that same parliament has today concurred with large-scale storage of data of European airline passengers. As a result, every airline passenger becomes a potential suspect.
The General Data Protection Regulation will replace national privacy legislation in all EU Member States (this includes the Dutch Data Protection Act, Wet bescherming persoonsgegevens) and, in broad terms, will lead to better privacy protection throughout the European Union. Privacy Impact Assessments and Privacy by Design will become obligatory. These are two important features which Privacy First has for years been advocating for. Fundamental privacy principles such as necessity, proportionality and subsidiarity (obligatory use of privacy-friendly alternatives) will be more strongly enshrined and better elaborated.
In this light it is surprising that on the same day European Parliament has also adopted a measure that is in blatant disregard of these selfsame principles: the European Passenger Name Records (PNR) Directive. Under this PNR Directive, the data of all European airline passengers will be stored in centralized government databases for the duration of five years for the detection and prosecution of serious crimes, counter-terrorism, intelligence gathering, etc. Large amounts of travel data (names and addresses, telephone numbers, destinations, credit card data, even meals and service requests) of millions of people will therefore remain available to law enforcement and intelligence services for the purpose of datamining and profiling.
However, in 99.99% of all cases this concerns innocent citizens, most of which are people on vacation and business travellers. This constitutes a flagrant violation of their right to privacy and freedom of movement. Because of this, in recent years there had been a lot of political resistance against this plan which, since 2010, has been repealed on various occasions by both the Dutch House of Representatives as well as European Parliament. Last year, Dutch ruling parties VVD (Liberals) and PvdA (Labour) were still resolutely opposed to PNR. At the time, these parties referred to it as a ‘vacation register’ and even threatened to turn to the European Court of Justice in case the EU PNR Directive were to be approved of. But after the attacks in Paris and Brussels, many political reservations now seem to have disappeared like snow melting in the sun. Meanwhile, the necessity and proportionality of large-scale PNR storage has still not been proven. In the view of Privacy First, this PNR Directive is therefore unlawful in advance.
At the moment Privacy First is looking into legal steps to sweep this directive aside after all, either through a Dutch court or by lodging a direct appeal before the European Court of Justice in Luxembourg. Additionally, Privacy First will continue to advocate for a privacy-friendly PNR system which records and monitors only suspected individuals and leaves the vast majority of travellers alone.
© RTL Nieuws
Column by Bas Filippini,
Privacy First chairman
The Dutch police is currently running a pilot with Radio Frequency Identification (RFID)-chips in license plates. According to an internal report, fraud with license plates is alleged to be a big problem. A chip which is compulsory for every motorist and which can be read from a distance through a 'read-out portal' at all times on public roads, would supposedly be THE solution. However, Privacy First perceives the setting up of a national control system to track all movements in public space of all 17 million Dutch citizens as a great danger to society. Privacy First finds a compulsory spychip disproportional and unfit for a decent democracy under the rule of law.
A comprehensive electronic control system
Enquiries by Privacy First reveal that the license plate chip is part of a much larger plan to equip all roads in the Netherlands with so-called 'portals' with measurement equipment. These portals would record all cars 24 hours a day and thus the movements of all 17 million citizens in public space. The Dutch Bicycle and Automobile Industry (RAI) Association strongly recommends the use of such a chip in a recently leaked report. Moreover, new regulations, which make chips inside cars compulsory alongside license plate chips, are being prepared by European Parliament. According to the basic concept, over 60 details would be recorded and stored in the European database EUCARIS. The chip should enable immobilizers as well as a digital license plate database, online license plate requests, a European general periodical car inspection and could eventually grow into a European system for travel and residence rights and taxes.
For the time being, the project is traded as a solution for identity fraud and license plate related crimes in order to get citizens 'aboard'. However, in Privacy First's eyes the system is yet another attempt to be able to record citizens in public space, either through the public transport chip card or chips in license plates and/or cars. A license plate chip for all citizens as if it were an ankle bracelet is a dogged principle in the current control oriented way of thinking by the Dutch government and now the European Parliament, too. Which role do Dutch lobbyists outside Dutch parliament play in order to introduce these chips from Dutch manufacturer NXP in all European license plates on the basis of a Europe measure, or, in other words, by way of a political U-turn? Privacy First thinks it's high time for some serious journalistic research into this.
Current license plate issues: facts or suggestions?
Upon enquiry into the real problem, none of the authorities have been able to provide any clarity about the presupposed 40,000 cases of fraud with license plates. Even though it's important for citizens to know if there's a problem, and how substantial this problem is, the figure cannot be confirmed. Therefore, the question is raised whether it's legally justified to introduce such a system. Even in case of an estimated 40,000 license plates (a mere 0.5 per mil of the total) it's dubious whether the privacy of the entire society should be sacrificed. It's also altogether unclear how high the costs of such a system would be, and how high the gains in respect of the current alleged costs of identity fraud and license plate related crimes.
Are there no alternative solutions to 'the problem'? From a recent letter from the Dutch minister of Security and Justice, Ard van der Steur, it emerges that fraud with license plates occurs less frequently already due to measures such as the controlled online management and issuing and returning of license plates, requirements for recognized manufacturers and laminators (laminate code) as well as the obligation to report stolen or lost blank plates or license plates that have not yet been issued. Moreover, in 2000, the system of duplicate codes on license plates was introduced. Furthermore, faulty license plates are entered in the database for Automatic Number Plate Recognition (ANPR) control.
Whether it concerns black boxes, chips for theft prevention in (as of yet only more expensive) cars, eCall for crash analyses (also manufactured by NXP), dashcams, speed checks or the network of ANPR cameras, time and again Privacy First sees a pattern whereby the Dutch government tries to turn the complete recording of travel behaviour of citizens into reality. Now we're about to witness a spychip in every license plate and in every car, through undemocratic EU law – the ICT industry lobbied a number of MEPs in order to circumvent national parliaments – and the central database EUCARIS.
Reasons to opt for free choice and very selective use of a passive chip
Privacy First sees many reasons to not give a control infrastructure the go-ahead:
• A lack of necessity due to the absence of concrete figures regarding the 'alleged problem' and the availability of alternative solution-paths and measures, some of which have already been introduced.
• A complete lack of a cost-benefit analysis of a control infrastructure. The only one benefitting from the system in the short term is the chip manufacturer: in the future, chip manufacturer NXP will spy on you alongside the NSA! Under American surveillance legislation that is.
• The alleged problem is not commensurate with the measure, which is entirely disproportional and in breach of Article 8 ECHR. In the fight against identity fraud with license plates, a passive registration chip suffices and citizens should be able to choose freely whether or not they want to have a RFID license plate.
• The system will enable real-time identification, monitoring and recording of all citizens, including lawyers, journalists, politicians, activists – a very serious privacy infringement
• A central infrastructure and central data storage are particularly susceptible to fraud. If criminals get access to databases containing all the travel and residency data of cars and people in the Netherlands and the rest of Europe, all floodgates will be opened.
• There is a risk of function creep. The tax authorities, police and other law enforcement agencies already have real-time access to systems that have been intended for entirely different purposes, think of systems related to car parks and speed checks.
• Eventually a system like that could be deployed to burden citizens even more in various ways, such as road pricing and other travel & residency taxes and sanction systems, something that is perhaps the underlying thought of this draconian measure. Meanwhile ANPR cameras are used to fine drivers of old diesel cars in inner cities. What's next?
• Permanently recording citizens in public space will lead to self-censorship and an 'apology society' in which citizens have to have an alibi all time to explain what they were doing in a given location and why they were there. Citizens are already pestered by the police and authorities as a result of their travel behaviour – complaints about this reach Privacy First ever more often.
• Finally, an infrastructure like this affects our constitutional democracy by inverting the legal principle that there should be a reasonable suspicion of a criminal offence to be tracked: every citizen would be considered a potential suspect and would be continuously spied on.
An over-zealous control oriented way of thinking by a distrustful government
The policies of the Dutch government are tenaciously moving in one direction only. New technological gadgets are mandatorily deployed to record all citizens and central systems are subsequently linked together. After that, a flawed law and its implementation are being proposed and finally there are talks with privacy organizations and guileless citizens, who are left behind in an electronic prison. Nowadays Big Data, data mining and profiling are the magic words in all government departments. It all concerns 'OPD' (other people's data) anyway, very convenient indeed. In this case we're talking about equipping each car with three chips and implementing and maintaining a comprehensive ICT network on all roads, a market potentially worth billions of euros. And in the relationship that is then being formed between the public and the government, the latter is a distrustful partner that wants to know who the former is communicating with and what its travel movements look like. It also wants to dispose of systems with which errors can be checked, but in the worst case, it deals carelessly with all the data it collects. Such a relation, based on mistrust, certainly isn't sustainable.
The Netherlands, a global pioneer in the field of privacy
Time and again people forget: it's the legitimate task of the government to protect and promote the privacy of its citizens! Privacy First wants the Netherlands to become a global pioneer in the field of privacy with advanced technologies, based on the principles of our constitutional democracy and independent of the misconceptions of the day and our incident-driven political system. After all, this is about a fundamental turnaround in the relationship with the public, something Privacy First is opposed to. We therefore challenge politics, industry and science to turn the Netherlands into THE nation that is at the vanguard of privacy matters while maintaining security, and not the other way around!
"Holland sammelt unbändig Daten. Neue digitale Produkte dienen der totalen Überwachung. Und sind eine große Gefahr für die Gesellschaft.
Hinter den Dünen, ein paar hundert Meter vom Strand entfernt, liegt in Noordwijk der futuristische Bau von Decos. Das niederländische Software-Unternehmen hat sich eine neue Zentrale geleistet – einem eingeschlagenen Meteoriten ist sie nachempfunden, es könnte auch ein Raumschiff sein. Hier setzen IT-Spezialisten die digitale Zukunft durch: den völlig papierlosen Betrieb. Mitarbeiter kommunizieren ausschließlich elektronisch, und wer dem Unternehmen einen Brief schreibt, bekommt ihn zurück mit der Aufforderung, ihn nochmals zu senden, aber bitte als E-Mail.
Auch seinen Kunden bietet Decos Digitalisierung pur: Das Unternehmen liefert ihnen Software, um alle Dokumente elektronisch zu speichern – aber auch Produkte zur totalen Überwachung von Mitarbeitern. Sein „Cartracker" verfolgt jede Dienstreise, alle fünf Sekunden wird das Fahrzeug frisch verortet. „Hiermit haben Sie immer eine aktuelle Übersicht, wo sich Ihre Autos und Mitarbeiter befinden", wirbt Decos. Mehr noch: Der Fahrstil wird ständig überwacht und sogar benotet: „Aufgrund der Höchstgeschwindigkeit, des Bremsverhaltens und der Beschleunigung berechnet ,Decos Cartracker' eine individuelle Zensur für das Fahrverhalten jedes Fahrers."
Digitalisierung wird zur Norm
Nun mag es bei Geldtransportern noch sinnig sein, ihnen aus Sicherheitsgründen aus der Ferne zu folgen. In allen anderen Fällen gilt: Wohl dem, der einen weniger progressiven Arbeitgeber hat – einen, der vertraut, statt nonstop zu überwachen. Aber die Digitalisierung nimmt zu, sie wird zur Norm – und das nicht nur im Beruf, auch im öffentlichen Raum. Und die Niederlande sind hier in mancherlei Hinsicht schon weiter fortgeschritten als Deutschland.
Im Juli schaffte das Land endgültig die Fahrkarte aus Papier im öffentlichen Verkehr ab – für die zuvor schon schrittweise eingeführte „ÖV-Chipkarte", die den Preis in der Regel je Kilometer berechnet. Für den Kunden bedeutet sie außer 7,50 Euro Anschaffungskosten vor allem Umstände: für das Aufladen, für das Ein- und Auschecken bei jeder Fahrt. Wer das versäumt oder an einen kaputten Kartenleser gerät, ist schnell ein Sümmchen los; man muss dann auf Kulanz hoffen und per Online-Antrag versuchen, es erstattet zu bekommen.
Anonymität hat ihren Preis
Was aber noch schwerer wiegt: Die Chipkarte speichert so die Fahrstrecke – und da die Standardversion alle wesentlichen Nutzerdaten enthält (inklusive Kontonummer), kann sie das Reiseverhalten des Bürgers erfassen. Wer anonym mit einem Einmal-Ticket fahren will, muss Aufschlag zahlen – nicht viel, einen Euro momentan, aber immerhin; und vielleicht ist das ja auch nur der Anfang. Viel gravierender noch: Wer eine Studenten- oder Rentnerkarte braucht, muss zwingend die personengebundene Version mit den Daten wählen. Natürlich versichern die Betreiber, alles vertraulich zu behandeln. Aber wer sich darauf verlässt, ist naiv. Wo immer auf der Welt digital gespeichert wird: Die Vorfälle sind Legion, in denen Patienten-, Sozial- oder andere Daten missbraucht wurden – oder massenweise verfügbar, sei es versehentlich, sei es durch Hacker.
Natürlich gibt es in Deutschland den ähnlichen Fall: wenn jemand mit seiner Bahncard Punkte sammelt. Aber das macht er dann freiwillig. Und es ist wichtig aufzupassen, dass die öffentlichen Verkehrsträger hierzulande nicht dem Beispiel aus dem Ausland folgen. Generell ist Obacht schon geboten, wann immer die Preisgabe von Daten belohnt wird – wie bei dem Vorstoß eines deutschen Autoversicherers, Rabatt zu gewähren, wenn der Autohalter einen digitalen Fahrtenschreiber (Blackbox) installiert. Denn das läuft schnell darauf hinaus, dass er umgekehrt für das Recht auf Anonymität einen Malus bekommt.
Erstaunlich ist, dass ein Land wie die Niederlande so unbändig Daten sammelt – sieht es sich doch gerne als „gidsland": als internationales Vorbild, wenn es um Politik, Verwaltung, gesellschaftliche Werte und Normen geht. „Von allen Menschenrechten steht das Recht auf Privatsphäre in den Niederlanden am meisten unter Druck", befindet die Stiftung Privacy First.
Mal führen die Behörden Sicherheit als Argument für die Digitalisierung an, mal Effizienz. Nach Amsterdam führt jetzt auch Rotterdam stadtweit das „Kennzeichenparken" ein: Wer das Auto abstellt, muss am Automaten die Buchstaben und Ziffern des Nummernschilds eingeben. Mit Bargeld darf er auch nicht mehr zahlen, nur mit Karte oder per Mobiltelefon – auch dies ein nationaler Trend. Wieder eine digitale Spur hinterlassen, wieder ein Stück Anonymität dahin. (...) [A]ls Nächstes eine Pflicht für Smart Meters in Wohnungen: Ablesegeräte, die viel mehr erfassen können als nur den Energieverbrauch in den Wohnungen. Die Industrie lobbyiere schon kräftig dafür. Nicht zu reden von den zahllosen Überwachungskameras in Städten, der massenweisen Kennzeichenerfassung auf Autobahnen und Polizeidrohnen mit Kamera. Die Bedenken der Datenschützer werden gerne abgetan: Wer nichts zu verbergen hat, muss doch nichts befürchten? Aber das ist die falsche Haltung, sie kehrt ein grundlegendes Recht um: das Recht, sich unbewacht zu bewegen."
Source: http://www.faz.net/aktuell/wirtschaft/wirtschaftspolitik/digitalisierung-big-brother-in-holland-13092653.html, 12 August 2014.
Privacy First is considering taking legal steps.
Without any regard to all the privacy objections, this week the European Parliament has voted in favor of mandatory introduction of the eCall system in new cars. This system forms a direct threat to the privacy of every motorist. In case the European Council (i.e. a majority of EU Member States) approves the decision of the European Parliament, the eCall device will become mandatory in every car in Europe as of October 2015. Privacy First demands that eCall will become voluntary instead of mandatory and to this end is prepared to start a lawsuit if necessary.
In case of a road accident eCall automatically alerts the emergency services by calling 112. However, the eCall alarm system also leaves behind a trail of location data without the motorist having given his prior consent to this. It's an in-vehicle system that doesn't have an on/off button but does continuously leave behind traces (metadata) to the surrounding GSM networks. This constitutes a flagrant breach of the right to privacy and anonymity in public space. Moreover, the system could be used for purposes other than road safety only by organizations such as the police, insurance companies, tax authorities, intelligence services and possibly even criminals. There has hardly been any public debate about the possible introduction of eCall. Therefore the mandatory introduction is not only unlawful but also undemocratic. A few years ago the introduction of the electronic toll system with the accompanying 'spying device' was rejected by the Dutch in mass numbers. Now it seems they will be put up with a spying device in their cars via a European back door after all. This is unworthy of a democratic constitutional State such as the Netherlands.
The Privacy First Foundation intervenes as soon as the right to privacy is about to be violated on a massive scale. In case the eCall system will be mandatorily introduced in the Netherlands, Privacy First will start a lawsuit to turn this decision around. If needed, Privacy First is prepared to litigate all the way up to the European Court of Justice in Luxembourg and is confident about the outcome of any legal steps it may take.