Privacy First has had a turbulent year. At the start of 2018, we organized the Dutch Privacy Awards and they were a great success. Soon this event will take place again. The greatest success of the year, however, was the referendum against the new Dutch Intelligence and Security Services Act (better known as the Tapping Law), which was won by the initiators and their many supporters. Subsequently however, the Dutch government decided to ruthlessly abolish the referendum and Privacy First and others unfortunately were not in a position to prevent the Tapping Law from entering into force almost unaltered. Unless the Dutch government and the House of Representatives decide to thoroughly overhaul the Act, a large scale new lawsuit to challenge it will be on the cards.

Positive developments

In terms of organization, the year has been marked mostly by positive developments. Since the summer, we have a new board of directors, a new advisory board and a new and relatively cheap (small) office on an excellent location. We have switched to privacy-friendly telecom provider Voys. Increasingly, Privacy First is approached by public authorities and companies to cooperate on privacy projects, for example with regard to the infamous European payments directive PSD2, which will soon enter into force in the Netherlands. In addition, Privacy First almost continuously pursues political lobbying and quiet diplomacy. Earlier this year, we’ve lobbied successfully with the Dutch State Commission on the Parliamentary System for the introduction of a binding referendum and a Constitutional Court. Moreover, we’ve made our critical voice heard with regard to the possible introduction of Passenger Name Records (PNR) in aviation and Taser weapons among the Dutch police force. After all, privacy is a broad term and is about much more than data protection only.

However, history has taught us that sustainable privacy protection usually requires legal action at a national or European level. That’s why Privacy First also pursues litigation. Those who’ve been acquainted with us for some time, know that when Privacy First starts legal proceedings, something is really going on - something, to be precise, which isn’t for the better. As soon as large scale privacy violations are imminent, it’s time for Privacy First to step in. This is one such moment. Your support of our operations is indispensable.

Case against ANPR Act

In recent years, Privacy First has regularly warned against the introduction of a new draconian Dutch law which allows for the continuous storage of data relating to travel movements of millions of motorists for four weeks in a central police database, regardless of whether or not these motorists are suspected of any wrongdoing. This is the Automatic Number Plate Recognition Act (ANPR). At the end of 2017, the Dutch Senate adopted this Act, after which Privacy First announced it would initiate legal proceedings. Subsequently, Privacy First had a meeting with the Dutch State Attorney, which was followed by a prolonged silence. Today however, the Dutch government announced it will introduce the ANPR Act as per 1 January 2019. Therefore, Privacy First is currently preparing interim injunction proceedings in order to render this Act inoperative on account of violation of the right to privacy. If necessary, these proceedings will be followed by proceedings which are broader in scope and will deal with the merits of the case. Indeed, this Act is a massive breach of privacy for which there is simply no place in a free and democratic constitutional State. Through Pro Bono Connect, Privacy First has hired law firm CMS to carry out proceedings on our behalf. Ideally, this would happen in coalition with other relevant organizations.

Urgent call for donations

Due to unexpected fundraising setbacks, at present Privacy First urgently needs financial support, including your support as a (potential) donor. The more support we get, the more thoroughly and therefore the more effectively we will be able to conduct these legal proceedings and the more likely it will be that we will come out victorious. Would you like to support Privacy First? Donating is very easy on the dedicated page on our website. Otherwise, please donate directly to account number NL95ABNA0495527521 (BIC: ABNANL2A) in the name of Stichting Privacy First in Amsterdam, the Netherlands, stating ‘donation’. Privacy First is recognized by the Dutch Tax and Customs Administration as an Institution for General Benefit (ANBI). Therefore your donations are tax-deductible.

In recent years, Privacy First has had a lot of positive influence thanks to your support. We hope to be able to count on you once again!

Privacy First wishes you happy holidays and a privacy-friendly 2019!

Published in Litigation

New European PSD2 legislation in force

At the start of 2019, the Payment Service Directive 2 will enter into force in the Netherlands. Under this new European banking law, consumers can share their banking details with parties other than their own bank. This first requires their explicit consent, upon which banks must share all transactional data[1] of the consumer (account holder) with an external party (financial service provider) for a period of 90 days, after which the consumer can renew his consent. The consumer can also withdraw his consent at all times.

PSD2 is a great concern to Privacy First

Privacy First is very worried about PSD2. The law focuses too much on improving competition and innovation while the privacy interest of account holders is overlooked. These are Privacy First’s greatest concerns:

  • Consumers are not in a position to limit the amount of banking details. Even in case a financial service provider does not need these details, all data are shared just the same once the account holder has issued his consent.
  • The bank details of a consumer include the details of contra accounts. Holders of such accounts are unaware of the fact that their details may be shared and are not in a position to prevent that. As transactional data will be analyzed much more widely with the use of Big Data and data analyses than before the introduction of PSD2, there will be a much greater risk of privacy violations.
  • Banking details contain ‘sensitive personal data’ that may only be issued under strict conditions.[2] A subscription payment to a trade union, political party or organization that reveals one’s sexual preferences, should be considered sensitive personal data according to Privacy First. The same applies to transactions with health insurance companies and pharmacists. Currently, there is no way to filter out these data and they are being issued to parties that are not allowed to process them.

During an episode of the Dutch television program Radar that was broadcast on Monday 7 January 2019, Privacy First drew particular attention to these issues.

PSD2 quality label aims for transparency

Privacy First wants consumers to get honest and transparent information on what happens to their data. We advocate not for lengthy privacy statements, but rather for information that fits on a single sheet of paper. This information should not come from the financial industry, but from consumers themselves. After all, they can best decide which information they find valuable when making a choice. During 2018, Privacy First worked on this initiative along with the Volksbank and other partners from the financial sector.

PSD2 opt-out register

Privacy First is surprised that no attention has been paid to the role of ‘sensitive personal details’ in transactional data. Such details may only be shared under strict conditions and therefore have to be filtered out. Equally, consumers who do not want others to share their data with financial service providers should have the opportunity to prevent this. That is why Privacy First would like to see an opt-out register, similar to the do-not-call-me register which has been around in the Netherlands for many years. During the Radar broadcast, Privacy First announced it would bring forward this proposal, hoping to be able to develop it further together with the financial sector and policy makers. The aim is to have a compulsory opt-out register. This will, however, require amending the European PSD2 directive.

[1] Additional information: it concerns all transactional data. The extent to which these data go back in time varies per bank. See the overview (in Dutch) of the Dutch consumer association: The majority of account holders saves their bank statements for at least five years https://www.consumentenbond.nl/betaalrekening/meerderheid-bewaart-rekeningafschriften-ten-minste-5-jaar.
[2] Additional information: this is included in Article 9 of the GDPR and in Article 22 of the Dutch GDPR implementation Act. In short, processing sensitive personal data is unlawful, with a few exceptions. See (in Dutch) https://wetten.overheid.nl/BWBR0040940/2018-05-25.

Partly on the initiative of Privacy First, a special Committee of the United Nations will this week in Geneva look into the imminent adoption of Taser weapons among the entire Dutch police force. This adoption possibly contravenes the UN Convention against Torture.

Right to physical integrity

For Privacy First, the right to privacy has always been a broad human rights concept. This includes the right to physical integrity. In recent years, this right has come under increasing pressure: think of preventive frisking on the streets, body scans at airports, DNA databases, the new Organ Donation Act in the Netherlands, discussions about compulsory vaccinations, etc. The right to physical integrity is laid down not only in the European Convention on Human Rights, but is also protected by Article 11 of the Dutch Constitution. At an international level, this right is part of the category of human rights which have the strongest protection. The absolute prohibition of torture and other cruel, inhuman or degrading treatment falls in the same category.

UN Convention against Torture

In international law, torture is in the small category of absolute prohibitions. Other examples within this category are the prohibition of genocide, international aggression (illegal warfare), slavery, racial discrimination, apartheid and piracy. Violation of these norms is always and under all circumstances prohibited. Anyone anywhere in the world who is committing or has committed torture or other cruel, inhuman or degrading treatment or punishment should therefore be prosecuted and extradited. Public officials, ministers, presidents and Heads of State are no exception to this rule. Since 1988, the Netherlands has been a party to the convention in which this is laid down: the UN Convention against Torture. Every contracting party is periodically reviewed by the treaty monitoring body in Geneva: the UN Committee against Torture. Opinions delivered by this Committee provide authoritative guidance on the application and interpretation of the convention. On Tuesday and Wednesday this week, it will be the Netherlands’ turn to be reviewed (the last time was in 2013): on Tuesday the Netherlands will be questioned by the Committee’s members, after which the Dutch government delegation will provide its answers on Wednesday. Subsequently, the Committee will issue a series of recommendations (‘Concluding Observations’) to the Netherlands.

Taser weapons on the UN agenda

In preparation for the Dutch session and on behalf of a broad coalition of civil society organizations, the Dutch section of the International Commission of Jurists for Human Rights (Nederlands Juristen Comité voor de Mensenrechten, NJCM) has recently sent a so-called 'shadow report' about the Netherlands to the Committee in Geneva. On the initiative of Privacy First, the issue of Taser weapons was expressly put on the agenda, as was the case in 2013. The situation is such that the Dutch government aims to provide every Dutch police officer with his own Taser weapon, media reported only last week. Thus far, only special arrest teams are equipped with Taser weapons. The expectation is that the wider, more general deployment of Taser weapons will lead to structural excesses. In this respect, all scandals with Taser weapons, particularly those in the United States, speak for themselves. In Privacy First’s view, the use of Taser weapons can easily lead to violations of the international prohibition of torture or cruel or inhuman treatment and the associated right to physical integrity. Taser weapons lower the threshold for the use of violence and hardly leave behind any visible traces. By the same token, Taser weapons can cause serious physical and mental damage. This results in serious risks for the Dutch population and for certain vulnerable groups in particular. That’s why our joint shadow report to the Committee emphasizes these risks (see pages 15-16 of the report).

Previous criticism of the UN Committee

Both the Dutch coalition of civil society organizations and Amnesty International have requested the UN Committee to cross-examine the Dutch government on this issue and advise the Netherlands not to equip the entire police force with Taser weapons. This is what Privacy First and other parties had already pushed for during the previous session of the UN Committee in 2013. Back then, this led the Committee to issue the following urgent recommendations to the Netherlands:

“The Committee recommends to [the Netherlands], in accordance with articles 2 and 16 of [the Convention against Torture], to refrain from flat distribution and use of electrical discharge weapons by police officers. It also recommends adopting safeguards against misuse and providing proper training for the personnel to avoid excessive use of force. In addition, the Committee recommends that electrical discharge weapons should be used exclusively in extreme limited situations where there is a real and immediate threat to life or risk of serious injury, as a substitute for lethal weapons.” (paragraph 27).

Privacy First is confident the Committee will again come up with critical recommendations.

Update 22 November 2018: yesterday and the day before the Dutch session took place before the UN Committee. Numerous topical issues were critically examined, including Taser weapons. Representatives of Curaçao, Sint Maarten and Aruba emphatically declared that no Taser weapons are used on their islands. This contrasted sharply with the statements made by the representative of the Dutch government (Secretary General Siebe Riedstra of the Ministry of Justice and Security), who barely addressed the issue and merely remarked that the Dutch government will take a decision on the adoption of Taser weapons in 2019. Below are all the relevant audio clips:

Questions by Abdelwahab El Hani on behalf of the UN Committee, 20 November 2018:


(simultaneous interpretation into English)

Answer by Siebe Riedstra on behalf of the Netherlands:

New questions by Abdelwahab El Hani on behalf of the UN Committee, 21 November 2018:


(simultaneous interpretation into English)

Answer by Siebe Riedstra on behalf of the Netherlands:

See also the UN press release about the Dutch session in Geneva, the full video recording (day 1 and day 2) and the verbatim report of proceedings (day 1 and day 2). The UN Committee is expected to present its Concluding Observations about the Netherlands within a few weeks’ time.

Update 7 December 2018: today the UN Committee has issued a number of Concluding Observations to the Dutch government, urging the Netherlands not to equip the entire police force with Taser weapons and to limit their adoption to cases that can be deemed proportionate and strictly necessary. The Committee emphatically cautions against using Taser weapons against vulnerable people. Moreover, the Committee expresses serious concerns about the way Taser weapons have been used by the Dutch police thus far. The entire report by the Committee can be found HERE (pdf). Below is the part concerning Taser weapons (paragraph 42-43):

Electrical discharge weapons (tasers) and pepper spray

42. The Committee notes with concern that despite its previous recommendations against the routine distribution and use of electrical discharge weapons (tasers) by police officers, the State party conducted a pilot testing from February 2017 to February 2018 without clear instructions on their restrictive use. It is particularly concerned at information that during this pilot period, police officers used tasers in situations where there was no real and immediate threat to life or risk of serious injury, including in cases where targeted individuals were already in police custody. It is further concerned about reports of the frequent use of the so-called “stun mode” which is intended to merely inflict pain, and the incidents in which tasers were used against minors as well as persons with mental disabilities in healthcare settings. In addition, the Committee is concerned about information that the use of pepper spray is not regulated fully in line with principles of necessity and proportionality and that the new draft Instructions on the Use of Force is expected to further lower the threshold for using it and to permit its use against vulnerable persons including pregnant women and children (arts. 2, 11 and 16).

43. Recalling the Committee’s previous recommendations (CAT/C/NLD/CO/5-6, para. 27), the State party should:

(a) Refrain from routine distribution and use of electrical discharge weapons by police officers in their day-to-day policing, with a view to establishing a high threshold for their use and avoiding excessive use of force;

(b) Ensure that electrical discharge weapons are used exclusively in limited situations where there is a real and immediate threat to life or risk of serious injury, as a substitute for lethal weapons and by trained law enforcement officers only;

(c) Explicitly prohibit the use of electrical discharge weapons and pepper spray against vulnerable persons, including minors and pregnant women, and in healthcare settings, including mental health institutions, and especially prohibit the use of electrical discharge weapons in the custodial settings;

(d) Ensure that the instructions on the use of electrical discharge weapons and pepper spray emphasize the absolute prohibition of torture and the need to respect the principles of necessity and proportionality, fully in accordance with the Convention and the Basic Principles on the Use of Force and Firearms by Law Enforcement Officials;

(e) Adopt safeguards against misuse of electrical discharge weapons and pepper spray and provide proper training and awareness programmes for the law enforcement personnel;

(f) Monitor and regularly review the use of electrical discharge weapons and pepper spray, and provide the Committee with this information.


Privacy First appreciates the critical opinion and the principled position of the Committee. Not least because it creates a strong precedent for other countries worldwide. Privacy First will ensure that the Dutch government will comply with the Committee’s observations.

Published in Law & Politics
Tuesday, 02 October 2018 20:47

Advisory Board

The Advisory Board of the Privacy First Foundation consists of the following persons, in their personal capacity:

- Hans Franken (Professor emeritus of Information Law, Leiden University)

- Quirine Eijkman (Vice Chairwoman of the Netherlands Institute for Human Rights & Lecturer in Access to Justice, Utrecht University of Applied Sciences) 

- Paul Francissen (Director Publicroam & independent consultant on digital social innovation, Envolve) 

- Paul Slootmaker (Vice President Monitoring & Reporting, KPN) 

- Eliëtte Vaal (IT Privacy Lawyer, The Data Lawyers). 


The Advisory Board provides solicited and unsolicited advice to the Board of Privacy First on all relevant matters, including the achievement of Privacy First's objectives, strategy and policies. The members of the Advisory Board perform their duties unpaid.

Published in Advisory Board
Wednesday, 25 July 2018 21:27

Board

The Board of the Privacy First Foundation consists of the following persons, in their personal capacity:

- Paul Korremans (chairman and treasurer)

- Haykush Hakobyan (secretary)

- Marc Smits (general board member) 

- Wilmar Hendriks (general board member). 


The Privacy First board sets our general policies and meets at least once a month. Privacy First board members do not receive reimbursement for their board activities.

Published in Board

A train passenger has submitted an enforcement request to the Dutch Data Protection Authority, because he argues that Dutch Railways (NS) violates the privacy of train passengers.

In response to three new attempts by Dutch Railways (NS) to violate the privacy of train passengers, NS customer Michiel Jonker has submitted a request for enforcement to the Dutch Data Protection Authority (DPA). It concerns:

  • Rejecting the reimbursement of the remaining balance on anonymous public transport chip cards if the holder does not provide his or her name and address data to NS;
  • Refusing international train tickets by NS employees at station desks if buyers do not provide their name and address data to NS;
  • Charging, since 2 July 2018, additional "service costs" when holders of anonymous public transport chip cards pay in cash for topping up the balance on these cards.

Since July 2014, NS has already launched attacks on the privacy of Dutch train passengers in various ways. It then concerned:

  • Discriminating against holders of anonymous public transport chip cards in discount hours;
  • Requiring de-anonymization of the anonymous public transport chip cards when NS is asked to provide services (for example, reimbursing money in the event of delays);
  • Applying two unique card numbers on each anonymous OV chip card, as a result of which the anonymity of these cards is affected.

As a traveler who wants to maintain his privacy, Jonker repeatedly asked the DPA to investigate these violations and to take enforcement measures. Jonker already won several lawsuits against the DPA, which initially refused to even investigate the reports.

The recently adopted General Data Protection Regulation (GDPR) will play an important role in the assessment of the new violations by NS. Another central issue will be the right to pay by cash, which protects privacy.

Jonker: "In all these matters, the question is whether users of Dutch public transport are entitled to a real, effective protection of their privacy. This question is more relevant than ever, when you see how people are treated in situations where privacy is not adequately protected. We don't only think about China with its Social Credit score, or the United States with their "No Fly" lists, but also about European countries where laws have been adopted in recent years that allow the government to spy on travelers who are not even suspected of any punishable or risky behavior. For example France with its permanent state of emergency and the Netherlands with its new Intelligence and Security Act."

In this new case, Jonker is supported by Privacy First and Maatschappij voor Beter OV.


Source: https://www.liberties.eu/en/news/ns-privacy-fight-passenger-privacy/15444, 25 July 2018.

Published in Mobility

A group of civil society organizations is bringing a case against the Dutch government because of System Risk Indication, better known by the abbreviation SyRI. According to the plaintiffs, this risk profiling system is a black box that should be stopped as it forms a risk to the democratic rule of law.

The coalition of plaintiffs consists of the Netherlands Committee of Jurists for Human Rights (NJCM), the Dutch Platform for the Protection of Civil Rights (Platform Bescherming Burgerrechten), Privacy First, the KDVP Foundation (privacy in mental healthcare) and the National Clients Council (LCR). Two well-known authors, Tommy Wieringa and Maxim Februari, have in their individual capacities joined the case as plaintiffs. As ‘ambassadors’ to this lawsuit, they have fiercely criticized SyRI on multiple occasions.

The proceedings are carried out by Deikwijs Attorneys under the guidance of the Public Interest Litigation Project (PILP) of the NJCM.

Trawl net actions on the basis of secret algorithms targeting innocent citizens

SyRI links together on a large scale personal data of innocent citizens from databases of public authorities and companies. With the use of secret algorithms, citizens are subsequently subjected to a risk analysis. When there is an increased risk of breaking one of the many laws that SyRI covers, individuals are included in the Risk Reports Register, which is accessible to many government agencies.

SyRI is a black box that poses a major threat to the democratic rule of law. Citizens who are being examined through SyRI without any justification, have absolutely no idea which of their data are being used for analyses, what kind of analyses are being carried out and what actually determines whether or not they are a ‘risk’. Because SyRI works surreptitiously, citizens are not in a position to refute any incorrect flagging that may concern them.

According to the coalition, SyRI is in breach of various fundamental rights while it simultaneously undermines the relationship of trust between citizens and those in power. Citizens are suspect from the very start and all of the information that they share with public authorities, may secretly be used against them without imputation or concrete ground.

Ministry refuses to operate in a transparent manner

Despite fundamental objections from the Dutch Council of State (Raad van State) and the Dutch Data Protection Authority about the lawfulness of the system, at the end of 2014 the legislation for SyRI was rubber-stamped by the Dutch Senate and the House of Representatives. However, SyRI has already been in use since 2008. Since then, dozens of investigations have been carried out and this included examining entire neighborhoods in several Dutch cities. Once the system was specified in law, it has been applied in Eindhoven and Capelle aan den IJssel among other places. It was recently announced that SyRI will be used in the Rotterdam neighborhoods of Bloemhof and Hillesluis and in the Haarlem neighborhood of Schalkwijk.

A FOIA request submitted by the coalition has resulted in barely any information concerning the dozens of SyRI investigations that have been carried out prior to and after the system had been laid down in law in 2014. The Dutch Ministry of Social Affairs is unwilling to provide insight into its practices arguing that, by disclosing the data and risk models that are used in SyRI, cunning citizens would become aware what to look out for when they commit fraud. The claimants, in their turn, assert that this is not in line with the obligation to inform and the right to a fair trial.

More information

In the context of this lawsuit, a public information campaign called ‘Bij Voorbaat Verdacht’ (‘Suspect From The Very Start’) has been launched. On the (Dutch) campaign website you can find updates about the legal proceedings as well as a simplified summary of the subpoena. The complete subpoena (in Dutch) can be found on the website of Deikwijs Attorneys (pdf). Click HERE for the English version on the website of PILP (pdf).

Update 16 October 2018: the District Court of The Hague has allowed the Dutch Federation of Trade Unions (FNV) as co-plaintiff in the lawsuit.

Published in Litigation
Tuesday, 03 July 2018 11:58

Privacy First Annual Report 2017

The Privacy First Foundation hereby publishes its 2017 annual report: click HERE (pdf) to download the pdf version. This annual report is accompanied by our annual account 2017 (pdf in Dutch). In our annual report you can read all about our main activities in 2017, including our court cases, our lobbying and our public events. Despite the recent renewal of European privacy law by the entry into force of the General Data Protection Regulation (GDPR), the right to privacy in 2018 is under greater pressure than ever. A powerful organization like Privacy First therefore remains crucial and your support as a donor is indispensable. Click HERE to become a financial supporter of Privacy First!

Published in PR Downloads
Tuesday, 13 March 2018 15:51

Objections against the Dutch Tapping law

Below, in alphabetical order, are Privacy First’s main objections against the new Dutch Intelligence and Security Services Act (Wiv2017, or ‘Tapping law’):   

A. Authority to hack 
Under the new law, the Dutch intelligence services will be able to hack a target through innocent third parties. By hacking a third party (for example an aunt, a sister, a friend, a husband, a grandfather, a colleague, a neighbour, a public authority, a company, etc.), information can be obtained about the target. In other words, any devices of innocent citizens may be hacked by the intelligence services. Citizens will never be notified about this, as there is no duty to inform.

C. Chilling effect
The new law may result in people behaving differently (either consciously or not) than they would do in a free environment. This can have a negative effect on the exercise of their fundamental rights other than the right to privacy, for instance on the right to freedom of expression and the right to freedom of association, assembly and demonstration. 

Criminal offences
Under both the current as well as the new law, Dutch secret agents are authorized to commit criminal offences. However, up until now, the exact scope of this power has been unknown. Under the current law, this power could be further regulated through a (never introduced) General Administrative Order. A number of years ago, the Dessens Commission recommended introducing such a General Administrative Order after all.  In the new Tapping law however, the foundation for this General Administrative Order has been scrapped, leaving behind a legal vacuum. 

D. Databases
The new law enables automatic access to databases in both the entire private and public sector. This allows intelligence services direct access to various sensitive databases of companies, public authorities and other organizations, either through informants and agents (infiltrators), or through secret agreements.   

Dragnet
The power to conduct ‘research-oriented interception’, popularly known as the ‘trawl net method’ or the ‘dragnet-surveillance power’, allows intelligence and security agencies (secret services) to tap the internet traffic of large groups of people simultaneously. They may tap a particular municipality, neighbourhood, local community or street, in case one of their targets happens to live there. This entails monitoring the communications of innocent citizens by means of a digital dragnet. Privacy First believes that the data of innocent citizens do not belong in the hands of intelligence services. Apart from that, the collection of huge amounts of data makes the intelligence services less effective.

Decryption order
Under the new law, encrypted data in the possession of companies, public authorities and individuals (for example communications data) must be decrypted on the request of secret services. Refusing to comply with a decryption order will be punished with a maximum of two years’ imprisonment. 

DNA database
Under the Tapping law, the intelligence and security services will have their own DNA database. They may collect DNA of targets and non-targets (innocent citizens). In order to collect DNA, they are allowed to grant themselves access to confined places, such as offices or residences. Dutch magazine Groene Amsterdammer has recently written an extensive article about the DNA Collection Service.

E. European Convention on Human Rights (ECHR)
The right to privacy is a human right: this right is protected by article 8 of the ECHR. Privacy First is of the opinion that the new Tapping law violates the right to privacy. We are ready to start interim injunction proceedings (lawsuit) against the Dutch government in case the Tapping law comes into force. This would enable a judge to scrutinize the new Act and possibly render it (partly) inoperative on account of violation of article 8 ECHR.

Exchange of data
The data of innocent citizens and journalists that are collected through the use of internet dragnet surveillance can be shared with foreign intelligence agencies before first being evaluated by the Dutch agencies. 

F. Fake news from the Dutch government
According to the Dutch Minister of the Interior Kajsa Ollongren, it’s not necessary that the government puts neutral information about the Tapping law referendum on its website rijksoverheid.nl. This means that the Dutch government does not provide objective information to voters.

G. Guarantees
The law gives too much power to intelligence and security services and too few privacy guarantees to citizens. After the Tapping law referendum, the law will have to go back to the legal drawing board, where proper privacy guarantees should be added and the exercise of powers be reviewed.

H. Human rights
Privacy is a human right. The right to protection of one’s private life applies to everyone and is guaranteed by numerous international and European treaties. The Tapping law will massively violate this right, considering the fact that it allows for the collection, storage and international exchange of data of large groups of innocent citizens.

Hyping the terror threat
Proponents of the Tapping law have often put forward the argument that it will prevent terror attacks, as was shown by Dutch television show Zondag met Lubach.  However, other countries have already shown that working in a focused, targeted way is much more effective. Opponents of the Tapping law agree that the current law needs to be updated, but they demand that the law be modified and improved in crucial aspects.

I. I’ve got nothing to hide
Everyone is entitled to a private life. That’s why the data of innocent citizens do not belong with intelligence and security agencies. It’s important for these data, which include medical information, personal conversations, private emails, work-related emails, news stories, hobbies, interests and internet search results, to be protected properly. You may have ‘nothing’ to hide, but other citizens, like medical professionals, attorneys, activists, whistle-blowers and journalists certainly do.

Interception of cable-bound data
It is falsely being argued that the intelligence and security services are currently allowed to intercept data over the ether (non cable-bound) only and not any cable-bound data. Under current legislation, they may intercept cable-bound data when the target concerns, for example, a particular individual. Under the new law, secret services will be authorized to intercept cable-bound data on a large scale and without specific targets (the dragnet method).

Internet of Things
An ever increasing number of devices are connected to the internet. All these devices can be tapped and hacked under the new Tapping law. Think of a car, a camera, microphone, printer and perhaps even a pacemaker. After all, the Tapping law doesn’t exclude this possibility.

J. Journalists
The communications of journalists may be intercepted under the new Tapping law by means of dragnet surveillance, among other ways. Secret services may acquire knowledge about this confidential information. This constitutes a threat to the freedom of the press and the journalistic right to non-disclosure of sources. Only retrospectively will secret services delete information that turns out not to be useful for any investigation. 

Judge
In most cases, a judicial verification of the exercise of powers is lacking. As explained under ‘Review Board for the Use of Powers’ (TIB), the new Review Board lacks the investigatory powers for effective and independent monitoring.

L. Lubach
In his TV programme Zondag met Lubach, comedian and television presenter Arjen Lubach has looked into the Tapping law three times, explaining why it’s good to be critical about it. You can watch the videos (in Dutch) here: Tapping law 1, Tapping law 2 and Tapping law 3.

M. Medical confidentiality
Under the new law, the medical confidentiality of patients and the medical secrecy of doctors cannot be guaranteed: secret services can make a request to anyone, including doctors and hospitals, to hand over relevant data and to grant access to their data system (Electronic Health Record). They can also hack into such systems. This can lead to patients avoiding health care, which could endanger national health.

N. Notification obligation
Under the new law, the notification obligation is insufficient.  Five years after exercising a certain power, the person concerned should, in principle, be notified about this. This, however, applies to only a few of the newly introduced powers. Privacy First thinks the notification obligation should apply to the exercise of all powers.

O. Other countries
Under the new Tapping law, data that have been collected may be shared with other countries without being evaluated first. This means that Dutch intelligence services can share unseen and unselected data (of innocent citizens) with foreign secret services. Once the data have been shared, Dutch intelligence services won’t be able to monitor the use of these data anymore. 

P. Presumption of innocence
With the introduction of the new law, the presumption of innocence gets inverted. The dragnet-surveillance makes every single citizen a potential suspect, without any concrete ground to monitor someone in particular. Moreover, large-scale data collection increases the chance of false positives.

Q. Quest for data
The Dutch government has developed an enormous thirst for data. Whereas neighbouring countries go back to a target-centric approach, the Netherlands embraces Big Data. This leads to an ever-growing haystack in which finding the needle will become increasingly difficult. More data does not equal more security.

R. Review Board for the Use of Powers (TIB)
Independent supervision in all phases of the exercise of powers by secret services (before, during and afterwards) is insufficiently guaranteed. Since intelligence services operate secretly, citizens against whom such powers are exercised cannot object to this themselves. That’s why the exercise of powers is to be reviewed independently. The new Review Board for the Use of Powers (Toetsingscommissie Inzet Bevoegdheden) reviews beforehand whether the minister has rightfully given approval for the exercise of a relatively far-reaching (‘special’) power under the new law. This review is backed by fewer guarantees than the review by a judge. Furthermore, the Review Board doesn’t have any investigative powers of its own and is completely dependent on the information it’s provided with by others. Various authorities, such as the Dutch Data Protection Authority, have warned that the Review Board shouldn’t become a ‘rubber stamping machine’.

Review Committee on the Intelligence and Security Services (CTIVD)
The judgments of the Review Committee on the Intelligence and Security Services, which retrospectively reviews whether or not powers have been applied lawfully, are not binding. The Minister of the Interior may choose not to take the findings and recommendations into account and may continue to use powers unlawfully.

S. Security
Privacy and security are unduly placed on opposite sides of the balance. In a free and democratic society, privacy and security go hand in hand. It’s possible to draft an Intelligence and Security Services Act that has good privacy safeguards under which information of innocent citizens doesn't end up in the hands of intelligence agencies.

Storage period
Unevaluated data that have been collected through ‘dragnet surveillance’ may be stored for three years. These data may also be shared with other countries, even without first being evaluated. Data that the intelligence and security agencies deem relevant may be kept for as long as they are regarded as such.

Z. Zero days
The intelligence and security services have the power to make use of unknown software vulnerabilities, so-called zero-days. Such vulnerabilities are known to them, but not to the creator or manufacturer of the software. They don’t have to notify the manufacturer about it. This allows malicious parties to exploit vulnerabilities, even over longer time periods. It also creates a black market, where such vulnerabilities and data breaches are traded.


This list is not exhaustive and can be supplemented at all times.

Published in Law & Politics

During a Dutch press meeting about the new Payment Service Directive 2 (PSD2), an initiative to launch a privacy quality label for payment services was announced. This quality label should encourage financial service providers and fintech companies to focus on the privacy of consumers.

Volksbank

If you struggle to make ends meet, sooner or later you will get physical complaints, two Utrecht physicians wrote in Dutch newspaper AD/Utrechts Nieuwsblad of 7 March 2018. Those who want to lead a healthy life, will first have to make sure they’re in a healthy financial position. Being in control of your own finances and all related data is a part of that. De Volksbank offers a helping hand in both these areas.

The new European Payment Service Directive 2 (PSD2) paves the way for payment apps of new parties. Banks no longer have the exclusive right to offer payment services. This appears to be good news for consumers. But there is a downside too. Customers who share their data with any such new service provider, should take into account that part of those data are privacy-sensitive. A bank cannot recover such data once in the hands of other financial service providers, so the consumer cannot resort to anyone but himself if he regrets his decisions.

The Dutch Consumers' Association (Consumentenbond) has recently warned that personal data are already being collected on a large scale for commercial reasons. With the introduction of PSD2, this will only increase. Ninety days of access to personal information is sufficient for service providers to create digital profiles that can be traded. De Volksbank does not want to create profiles and is of the opinion that client information should be secure in the hands of the bank: ‘That means that we don’t sell information of clients, neither on an individual nor on an aggregated level. We earn our money as a bank, not by selling the data of our clients.’

De Volksbank considers it its role to help clients deal with their data in a secure and deliberate way in an environment that has changed. It does so by providing information (free is never really free), but also by encouraging clients to take additional measures:

  • When it comes to taking deliberate decisions on sharing data, clients should increase their self-awareness by operating a Main Switch. The default setting of the Main Switch should be ‘off’. Before a client is able to authorize the bank to share his data with third parties, he should first flick the Main Switch. The client should then authorize the sharing of data for each party. In so doing, he can stop sharing his data with any party at any moment. Alternatively, he can flick the Main Switch, blocking the access to his data of all parties in a single instant.
  • In cooperation with De Volksbank, several other banks, KPMG and fintech companies, Privacy First is developing a PSD2 quality label. This should answer the call of the Central Bank of the Netherlands (DNB), which ascertained that as of yet there is no such quality label, while there is the need to have one. As far as we know, the Netherlands is the first country to be working on this issue. Thanks to the PSD2 quality label, consumers should at once be able to tell which parties they can or cannot entrust their data to. De Volksbank is working hard on further developing the quality label in order for it to be ready as soon as the Payment Service Directive 2 has been transposed into Dutch legislation.

Privacy First

The Privacy First Foundation supports the PSD2 privacy quality label. Privacy First would like it to become an international label which is recognized and supported by banks, fintech companies, financial service providers, regulators and consumer organizations.

PSD2 offers advantages, but also puts people’s privacy at risk. People are more than just consumers. Privacy First doubts whether the measures laid down in PSD2 to protect the data and therewith the privacy of people, will be sufficient. For the protection of personal data, PSD2 relies heavily on the new General Data Protection Regulation (GDPR). This regulation has not yet come into force and we don’t know which effects PSD2 will have in practice and what the monitoring of it will look like. Many organizations are not yet ready to comply with all of the GDPR requirements. However, they will not hold off providing their services. In turn, regulators are not yet ready to enforce all aspects of the GDPR. Introducing PSD2 is like going out to fly without checking the parachute.

We hope that the quality label will encourage financial service providers and fintech companies to start considering consumers as human beings. We want the requirements of the label to be set higher each year. We also want service providers to consider the ‘information behind the information’:

  • The disclosure of behavior and data by others
  • Services with the underlying aim of collecting data (improper application)
  • Deduction of data, such as transaction data from which sensitive personal data can be deduced.

We call on fintech companies to continue to explore ways to limit the amounts of data they collect and store. Think of excluding transaction data that could indicate religion, political preference or health status. Limiting the retention period of transaction data is another measure to take into consideration.


This article has also been published on privacy-web.nl.
