For the benefit of the policy debate in the Dutch Senate on 17 May 2011 about digital data processing the Privacy First Foundation today has sent the following focal points to Senate members. Privacy First hopes that these focal points will take on a guiding role in the debate between the members of the Senate and members of the Dutch government.

Privacy’s First motto is ‘‘your choice in a free society’’ For citizens, this translates into:

- the right to express, prior and fully informed consent of citizens in the use of their personal data, both by the government and corporations;

- any use of personal data is to be strictly necessary and purpose bound;

- citizens have the right to access, correction and deletion of their personal data at all times;

- relevant legislation needs to be known and to be accessible to citizens;

- no new legislation without prior democratic (public) debate.

For the government and Parliament, this translates into:

- privacy, freedom of choice, transparency and efficiency as guiding principles in the drafting of new legislation;

- a preference for formal laws instead of Orders in Council and ministerial regulations;

- no so-called ‘gold-plating’ (add-ons) in the implementation of European legislation;

- mandatory evaluation and sunset clauses;

- an integral approach by considering every new law in conjunction with other, already existing laws and treaties;

- an integral approach by considering all new technical applications in conjunction with other, already existing technical applications;

- public cost-benefit analyses;

- public disclosure of relevant official feasibility studies, pilot projects and research reports;

- making privacy impact assessments (PIAs), privacy by design and privacy enhancing technologies (PET) compulsory;

- support of the legislative process by means of expert meetings and external advice.

For further information or questions regarding the above Privacy First is available at all times.

Published in Law & Politics

Today the situation has finally been saved: the storage of fingerprints under the new Dutch Passport Act has been done away with! Both the development of a national database as well as the current storage by municipalities are being stopped. The fingerprints of 4.5 million innocent citizens that have already been stored will now have to be destroyed. Moreover, the legal status of the national ID card will have to be modified in such a way that fingerprints will no longer have to be a part of this document. This will create an ID document for use within national borders that is without biometrics which means that a long-cherished wish of those principally aggrieved is being fulfilled. Last week Privacy First made all these demands in a letter to the House of Representatives and is delighted that all demands will now be met.

From the moment the new Passport Act came into force in the Summer of 2009, Privacy First has been opposing against it by whatever means were available. Today is an historic day: this day proves that social resistance pays off. Partly because of the pressure of our civil lawsuit together with 21 co-plaintiffs the new Passport Act has today effectively succumbed. We already predicted it months ago: one way or another (politically or judicially) we were going to win this case. Privacy First is determined to continue this development and to turn the Netherlands into a society that Dutch citizens deserve: a society in which faith and freedom are basic values once more and in which everyone’s right to privacy is being respected. To that end this victory over the new Passport Act is a crucial first step.

Published in Biometrics

Privacy First appeals to the Dutch House of Representatives to stop the storage of passport biometrics and to withdraw the new Passport Act.

Today the Privacy First Foundation has sent a letter to the Dutch House of Representatives with regard to the general meeting about the new Passport Act of 27 April 2011 with the Minister of the Interior and Kingdom Relations Piet Hein Donner. This is the content of our letter:

No more than two years after the coming into force of the new Passport Act, this law is again high on the agenda of the House of Representatives. After having gone through a relatively inconspicuous parliamentary trajectory, the new Passport Act was accepted on 9 June 2009 without a vote in the Senate. At the time this came like a bolt from the blue for many: after all, there had hardly been any democratic debate about this far-reaching Act. Confronted with this fait accompli, one and a half years of increasing resistance followed in the form of citizens protests, petitions, scientific and political criticism, objection proceedings, lawsuits and even motions of disapproval by local councils. In that sense the new Passport Act is heading back to the House of Representatives like a societal boomerang. Privacy First hereby reiterates its main objections against the current Act:

- Under the European Passport Regulation the taking of only two fingerprints and a facial scan in a travel document is obligatory. This is for the (supposed) fight against fraud with those same documents. With the new Passport Act the Netherlands takes things much further by also storing these data (plus two extra fingerprints) in databases for a broad range of other purposes, among which criminal investigation and prosecution, counter-terrorism, disaster control and intelligence work in the Netherlands and in third countries. Considering the entirely unjustified and disproportionate character of this measure, this constitutes a collective violation of the right to privacy and physical integrity of every Dutch citizen with a new travel document;

- Most citizens have never been told about the above mentioned purposes in the new Passport Act; this constitutes a violation of their right to informed consent in the processing of their biometric data;

- Citizens who are willing to object against the compulsory storage are forced to undertake legal proceedings that take years, a period during which they must make their way through life without a valid travel and ID document, with all the disadvantages and risks this entails;

- The storage of biometric data (both in the travel document and in a database) creates a new form of fraud: biometric identity fraud. This type of fraud can stay undetected for years and haunt someone for the rest of his or her life.

- The same goes for the Radio Frequency Identification (RFID)-chip in the document that can be read from a distance: this too creates news risks of identity fraud;

- The security of the storage in databases (be it a ‘centralized’ or a ‘de-centralized’ database) can impossibly be (entirely) guaranteed;

- Storage in databases is suitable for identification instead of verification and paves the way for function creep;

- During the issuance of the travel document generally no biometric verification takes place. Therefore it’s unknown to what extent the travel documents that have been brought into circulation under the new Passport Act function as far as the biometrics are concerned. In this respect it appeared, during the parliamentary Round Table about the new Passport Act on 20 April 2011, that there’s a percentage of error (when verifying fingerprints) of no less than 21%.

On account of these objections Privacy First makes an urgent appeal to the House of Representatives to immediately halt the storage of biometric data (in particular fingerprints) and to withdraw the new Passport Act of 2009 or to revise it along the following lines:

- Enrolment of biometric data is to become voluntary;

- Storage of these data in municipal or national databases is to be stopped;

- The Netherlands is to leave behind the current model of storage with municipalities and to opt for the German model characterized by voluntary storage in the chip of the document;

- For domestic use an alternative ID document without biometrics is to be developed.

Published in Biometrics
Sunday, 17 April 2011 19:17

Be smart: choose for opt-in!

In February 2011, the Dutch Senate adopted a revised, more privacy-friendly legislative proposal on the introduction of 'smart energy meters'. But does this really enhance the protection of citizens' privacy? Dr. Jaap-Henk Hoepman of the Radboud University Nijmegen puts this in doubt and advocates for opt-in instead of opt-out
[translated by Privacy First from the original article in Dutch]

‘‘In the legislative act, the following things have changed: smart meters are no longer compulsory and refusing a smart meter is no longer an economic crime. Monitoring energy consumption continuously is no longer allowed. This is only allowed when making an invoice, in the event of relocation or where technical management is due. When moving to a house where a smart meter is already installed, you can request to have the meter turned off ‘administratively’. The distribution network operator is obliged to accept this request. Basically an administratively disabled meter behaves like a traditional, ‘dumb’ meter. This sounds hopeful.  

However, the extent to which ‘administratively turned off’ in practice truly does mean ‘turned off’ still depends on further requirements that will be imposed on smart meters. Of course there’s a big difference between a meter that never passes on information and a meter that does so every once in a while even though the information is then being ignored by the distribution network operator. Administratively turned off could also mean that the operator promises not to make a request for information to the meter. But what if someone else does this instead? And what if operators are required by law enforcement agencies to make a request for information to the meter after all? Would the meter simply respond to it? A ‘dumb’ meter would never do such a thing...

In my view a greater objection is the opt-out character of the law. A consumer is allowed to request for the smart meter to be disabled. It would have been better to make that into an opt-in rule. When a smart meter is delivered and whenever a relocation takes place the meter is automatically turned off. Consumers can then request for the smart meter to be administratively turned on.  

Citizens are not in a position to choose not to use systems such as smart meters, an electronic toll system or the Electronic Health Record which have been introduced by the government. Therefore a great deal of responsibility to protect citizens against abuse lies with the government. The default state should therefore be a good protection of privacy. And opt-in should be the norm. Be smart: choose for opt-in!’’  

Dutch source: Jaap-Henk Hoepman's blog, 'Opt-in, da's pas slim', http://blog.xot.nl/2011/04/11/opt-in-das-pas-slim/, 11 April 2011.

Published in Smart Grids

This afternoon a long-awaited irrevocable decision has been made: the introduction of the national Electronic Health Record (Elektronisch Patiënten Dossier, EPD) was unanimously rejected by the Dutch Senate. After 14 years and spending 300 million euros, the national EPD has ended up where it should have been years earlier: at the Scrapyard of Draconian Laws. Two years ago the Dutch House of Representatives accepted by a large majority the same plan for the national exchange of very sensitive patient’s data: almost all of the large Dutch political parties, namely PvdA, GroenLinks, D66, VVD, ChristenUnie, SGP and CDA voted in favour. This afternoon all these parties made a historic U-turn. Even the Christian-democratic CDA now seems to be cured. Progressive insight? Who knows... In any case, this development fits in with a wider trend that has been ongoing for a year and which sees politics being increasingly considerate about the privacy of citizens. Privacy First welcomes this development and expects that many other privacy-violating laws will equally be rejected.

Published in Medical Privacy

Rotterdam-Rijnmond police chief Frank Paauw is of the opinion that the DNA of all Dutch citizens should be compulsorily stored in a national database for the investigation of crime. He declared this in an interview in the paper of the regional political party Leefbaar Rotterdam ('Livable Rotterdam'). While according to police chief Paauw privacy is ‘‘a great asset’’, he thinks that massive storage of DNA can make the ‘‘world more secure’’.

In the paper of Leefbaar Rotterdam Paauw cites the 19th century French criminologist Alexandre Lacassagne who said that ‘‘every society gets the crime it deserves’’. For the Privacy First Foundation this includes privacy crime and we are eager to point to a more relevant quote by Benjamin Franklin: ‘‘Those who surrender freedom for security will not have, nor do they deserve, either one.’’

Compulsory storage of the DNA of all Dutch citizens in a national database constitutes a collective human rights violation beforehand. The sheer disproportionate character of it already signifies a gross violation of the right to privacy and physical integrity of every Dutch citizen. Apart from the total lack of knowledge and respect for human rights that police chief Paauw expresses with his statements, this is also proof of an obsolete vision on society in which security and privacy have for years formed a false contradiction. Privacy is security: the personal security of the individual against a government that no longer trusts its own citizens and wishes to treat every Dutch citizen as a potential suspect. Privacy First wants to halt this development and move forward with a positive vision on society in which trust and freedom are basic values.

Update: Police chief Paauw gets no support for his plan whatsoever, neither from politics, nor from the Dutch Ministry of Security and Justice. Dutch Minister Opstelten calls it ''disproportionate" and "beyond the pale''.

Published in Profiling
Wednesday, 16 February 2011 19:38

Privacy First appeals in Passport Trial

On 2 February this year, the district court of The Hague gave its judgement in the civil lawsuit on the Dutch Passport Act which had been initiated by the Privacy First Foundation and 21 co-plaintiffs (citizens) against the Dutch government on 6 May 2010. The main request in this case is that the new Passport Act is to be declared unlawful on account of violating human rights, in particular the right to privacy. However, to the astonishment of many, the court declared both Privacy First as well as the 21 co-plaintiffs inadmissible. Hence the court didn’t proceed to the stage of dealing with the merits of the legal questions regarding the new Passport Act.

A striking aspect about the judgement is, first of all, how short it is. Privacy First cannot help thinking that the court wanted to be done with this case quickly. The court motivated its judgement by declaring that Privacy First would not have an own interest in this case and that for the co-plaintiffs (citizens) a legal avenue to an administrative judge would be all that remains. However, as a matter of fact, Privacy First as a relevant foundation has every interest in this case. What’s more, citizens are not in a position to (directly) object to the storage of fingerprints for their new passport or ID-card. Making such individual objections is only possible through time-consuming and cumbersome proceedings.

Privacy First has decided to appeal against the court’s judgement. On the basis of an analysis by our attorneys of SOLV we deem the judgement to be perfectly contestable, especially with regard to the inadmissibility of Privacy First as well as our co-plaintiffs. (This analysis is being shared by other legal experts.) The appeal will take place before the Court of Appeal in The Hague. Once the earlier judgement on inadmissibility has been overturned, the merits of the case can be dealt with there.

The press release by Privacy First announcing its appeal can be read HERE (Dutch pdf).

Update 17 February 2011: See also this article on Webwereld (in Dutch).

Published in Litigation

Late 2010 the United Kingom decided to put an end to central storage of biometrics. On 10 February 2011, the responsible British Minister implemented this decision by personally putting the hard drives of the national database into a giant metal shredder:

Published in Video Corner

With the exception of Great-Britain, of all countries in the European Union the Netherlands is worse off in terms of privacy. This emerges from a large-scale survey by the British organisation Privacy International. In the Netherlands there is endemic surveillance in no less than 10 areas, among which are the biometric passport/ID-card, the exchange of personal data, the storage of communication data, medical and financial information, telephone and internet tapping and border controls. Furthermore, with regard to privacy, in the Netherlands there are no effective constitutional safeguards, insufficient judicial supervision and a lack of political leadership. You can read the entire survey HERE.

The findings of Privacy International confirm that a radical change of direction is needed in the Netherlands in the area of privacy: from worst practice to best practice, moving from the position of a ‘privacy third world country’ towards that of a ‘privacy leading nation’. The Netherlands has the knowledge and the means to make this step. Privacy First is eager to contribute its mite in this well-needed ‘privacy U-turn’.

Published in Meta-Privacy

Soon every car driver in Holland will be a potential suspect 

Under a new, far-reaching legislative proposal, the Dutch Minister for Security and Justice Ivo Opstelten aims to enhance criminal investigation by introducing a four week storage period of the number plates of all cars through camera surveillance. Current rules dictate that these data have to be deleted within 24 hours. Last year the previous Minister of Justice (Hirsch Ballin) planned to make a similar proposal with a storage period of 10 days. However, the Dutch House of Representatives then declared this topic to be controversial. In his current proposal, Opstelten takes things a few steps further. Already in 2008 the Dutch Data Protection Authority (College Bescherming Persoonsgegevens, CBP) ruled that police forces were not adhering to Dutch privacy rules by storing number plates for a greater period than was legally permitted. According to the CBP, all number plates that are not suspect (so-called ‘no-hits’) are to be removed from relevant databases immediately. Opstelten’s plan to also store the number plates of unsuspected citizens for four weeks directly flies in the face of this.  

Listen to what Privacy First had to say (in Dutch) about this on Radio 2 (NCRV, Knooppunt Kranenbarg, 11 January 2011):



Read more about Opstelten's plans in Computerworld , Tweakers  and on the weblog of SOLV.
Published in CCTV
Page 17 of 18

Our Partners

logo Voys Privacyfirst
logo greenhost
logo platfrm
logo AKBA
logo boekx
logo brandeis
 
 
 
banner ned 1024px1
logo demomedia
 
 
 
 
 
Pro Bono Connect logo
Procis

Follow us on Twitter

twitter icon

Follow our RSS-feed

rss icon

Follow us on LinkedIn

linked in icon

Follow us on Facebook

facebook icon