Listen to what Privacy First had to say (in Dutch) about this on Radio 2 (NCRV, Knooppunt Kranenbarg, 11 January 2011):
Read more about Opstelten's plans in Computerworld, Tweakers and on the weblog of SOLV.
On 2 February this year, the district court of The Hague gave its judgement in the civil lawsuit on the Dutch Passport Act which had been initiated by the Privacy First Foundation and 21 co-plaintiffs (citizens) against the Dutch government on 6 May 2010. The main request in this case is that the new Passport Act be declared unlawful on account of violating human rights, in particular the right to privacy. However, to the astonishment of many, the court declared both Privacy First and the 21 co-plaintiffs inadmissible. Hence the court didn’t proceed to the stage of dealing with the merits of the legal questions regarding the new Passport Act.
A striking aspect of the judgement is, first of all, how short it is. Privacy First cannot help thinking that the court wanted to be done with this case quickly. The court motivated its judgement by declaring that Privacy First would not have an interest of its own in this case and that for the co-plaintiffs (citizens) a legal avenue to an administrative judge would be all that remains. However, as a matter of fact, Privacy First as a relevant foundation has every interest in this case. What’s more, citizens are not in a position to (directly) object to the storage of fingerprints for their new passport or ID-card. Making such individual objections is only possible through time-consuming and cumbersome proceedings.
Privacy First has decided to appeal against the court’s judgement. On the basis of an analysis by our attorneys at SOLV we deem the judgement to be perfectly contestable, especially with regard to the inadmissibility of Privacy First as well as our co-plaintiffs. (This analysis is shared by other legal experts.) The appeal will take place before the Court of Appeal in The Hague. Once the earlier judgement on inadmissibility has been overturned, the merits of the case can be dealt with there.
The press release by Privacy First announcing its appeal can be read HERE (Dutch pdf).
Update 17 February 2011: See also this article on Webwereld (in Dutch).
With the exception of Great Britain, the Netherlands is the worst off of all countries in the European Union in terms of privacy. This emerges from a large-scale survey by the British organisation Privacy International. In the Netherlands there is endemic surveillance in no fewer than 10 areas, among which are the biometric passport/ID-card, the exchange of personal data, the storage of communication data, medical and financial information, telephone and internet tapping and border controls. Furthermore, with regard to privacy, in the Netherlands there are no effective constitutional safeguards, insufficient judicial supervision and a lack of political leadership. You can read the entire survey HERE.
The findings of Privacy International confirm that a radical change of direction is needed in the Netherlands in the area of privacy: from worst practice to best practice, moving from the position of a ‘privacy third world country’ towards that of a ‘privacy leading nation’. The Netherlands has the knowledge and the means to make this step. Privacy First is eager to contribute its mite to this much-needed ‘privacy U-turn’.
Soon every car driver in Holland will be a potential suspect
Besides the Netherlands and the United Kingdom, Germany is also on its way to becoming an electronic surveillance state. Watch the response to this development by German video artist Alexander Lehmann:
(click HERE for this video in other languages)
This video by the American Civil Liberties Union (ACLU) gives you an idea about the future consequences of boundless interconnection of databases:
The meters, grids and networks for a Big Brother society are not developed or placed by one organisation.
It is the economic impetus that inadvertently builds all the ingredients needed for a centrally controlled electronic society.
Here is an example of the way the thought processes run. When found, more will be added.
It is good practice to know the way the winds blow and heed them.
As soon as someone says you should give up your right to self-determination ‘‘for your own good’’, all alarm bells should go off.
‘‘We are here for your own good’’, ‘‘we work for your security’’ and all that jazz, and then they immediately entirely wipe out YOUR privacy. Now that’s the primary distinguishing mark of Big Brother.
Within the European Union there’s a research program called the 7th Framework Programme (FP7) which receives € 51 billion of funding.
It’s a beautiful research program of which pro-privacy programs such as PrimeLife are a part.
In November 2010 it was found out, through insufficiently censored documents that the Dutch Ministry of the Interior had released, that apart from telephone data Dutch judicial authorities now also want to cluster and examine all bank details of citizens, on the same principle that was already used for telephone data tapping. Click HERE for more information about this.
The essence of the objections against Big Brother-like practices is that citizens are forced to completely adapt to certain standards that are being imposed on them by strangers – who don’t impose those standards on themselves! These standards are then evaluated on the basis of vague criteria, so that no one can be him or herself any longer. Instead, everyone has to fit into a mould determined by the authorities. Take, for example, Mao’s reign of terror with his Little Red Book, the Cultural Revolution and the Mao uniform. Or think of the film Das Leben der Anderen. In that way rulers are instantly able to see who’s trying to escape their rule. There are other people who outline this in more politically correct terms. See this article in The Telegraph of 19 September 2009: ‘‘EU funding ‘Orwellian’ artificial intelligence plan to monitor public for "abnormal behaviour"’’. Download a pdf-version of the article here.
Trilliant’s area networks from houses to energy producer, download the White Paper here. Trilliant is a big player in the smart grid business in the USA.
Argumentation courtesy of Stichting Meldpunt Misbruik Identificatieplicht ('Dutch Contact Point on Abuse of Mandatory Identification'):
(1) The application of a Radio-Frequency Identification (RFID)-chip makes the 'OV-chipkaart' (Public Transport chip card) vulnerable. Information on the card can be read by others at a distance, the card can be copied or manipulated, and the credit that’s on it can easily be stolen.
(2) Storing personal data for much too long affects people's personal freedom. There is absolutely no need for transport companies to continuously register exactly where someone is located, to make video images of every check-in and check-out and to store these data for an undetermined period of time.
(3) Because personalized chip cards are to be accommodated with a scan of the passport photo, cameras located at every public transport turnstile can be programmed in such a way that certain people or certain groups of people can be singled out. Associated law enforcement or commercial applications invade people's privacy. By means of the new system, public transport companies become an extension of police and law enforcement authorities and can earn money by commercially making use of personal information for marketing or advertisement purposes.
(4) Privacy will have to be paid for. Everyone who doesn’t want his travel behavior being documented or his passport being scanned and digitally saved in the administration of the transport company will be excluded by the system from subscription and will be financially disadvantaged in case he/she wants to protect his/her privacy. In this way, public transport companies that have the task to provide proper transport will start earning money from the privacy of their clients.
The database contains details of all families in the UK who receive Child Benefit — all families with children up to 16 years of age, plus those with children up to 20 years old if they are in full-time education or training — estimated to contain 25 million individuals in 7.25 million families. Among other items of information, the database contains names, addresses, dates of birth, child benefit and National Insurance numbers, and where appropriate, bank or building society account details.
The discs were created by a junior official at the HMRC in response to a request for information by the NAO, and were sent unregistered and unrecorded on 18 October using the courier company TNT — which operates the HMRC's internal mail system. When it was found that the discs had not arrived for audit at the NAO, a further copy of this data was made and sent — this time by registered mail — and this package did arrive. HMRC were not informed that the original discs had been lost until 8 November, and Darling himself was informed on 10 November.
The violation of data protection laws involved in the creation of the discs has led to strong attacks on the government's competence to establish the proposed National Identity Register, when all UK residents will have an identity card. Conservative Shadow Chancellor George Osborne described the loss of data as "catastrophic" and said "They [the government] simply cannot be trusted with people's personal information".
The Chairman of HMRC, Paul Gray, has resigned over the affair, and critics are calling for Darling to do likewise.
This is the third data embarrassment for HMRC in recent weeks — earlier this month it was reported that the details of over 15,000 Standard Life customers had been put on disk, and then lost en route from HMRC in Newcastle to Standard Life in Edinburgh — and last month a laptop containing the data of 400 people with high-value ISAs was stolen from the boot of a car belonging to a HMRC official who had been carrying out a routine audit.
The most fundamental principle is notice. Consumers should be given notice of an entity's information practices before any personal information is collected from them. Without notice, a consumer cannot make an informed decision as to whether and to what extent to disclose personal information. Moreover, three of the other principles discussed below -- choice/consent, access/participation, and enforcement/redress -- are only meaningful when a consumer has notice of an entity's policies, and his or her rights with respect thereto.
While the scope and content of notice will depend on the entity's substantive information practices, notice of some or all of the following have been recognized as essential to ensuring that consumers are properly informed before divulging personal information:
Some information practice codes state that the notice should also identify any available consumer rights, including: any choice respecting the use of the data; whether the consumer has been given a right of access to the data; the ability of the consumer to contest inaccuracies; the availability of redress for violations of the practice code; and how such rights can be exercised.
In the Internet context, notice can be accomplished easily by the posting of an information practice disclosure describing an entity's information practices on a company's site on the Web. To be effective, such a disclosure should be clear and conspicuous, posted in a prominent location, and readily accessible from both the site's home page and any Web page where information is collected from the consumer. It should also be unavoidable and understandable so that it gives consumers meaningful and effective notice of what will happen to the personal information they are asked to divulge.
The second widely-accepted core principle of fair information practice is consumer choice or consent. At its simplest, choice means giving consumers options as to how any personal information collected from them may be used. Specifically, choice relates to secondary uses of information -- i.e., uses beyond those necessary to complete the contemplated transaction. Such secondary uses can be internal, such as placing the consumer on the collecting company's mailing list in order to market additional products or promotions, or external, such as the transfer of information to third parties.
Traditionally, two types of choice/consent regimes have been considered: opt-in or opt-out. Opt-in regimes require affirmative steps by the consumer to allow the collection and/or use of information; opt-out regimes require affirmative steps to prevent the collection and/or use of such information. The distinction lies in the default rule when no affirmative steps are taken by the consumer. Choice can also involve more than a binary yes/no option. Entities can, and do, allow consumers to tailor the nature of the information they reveal and the uses to which it will be put. Thus, for example, consumers can be provided separate choices as to whether they wish to be on a company's general internal mailing list or a marketing list sold to third parties. In order to be effective, any choice regime should provide a simple and easily-accessible way for consumers to exercise their choice.
In the online environment, choice easily can be exercised by simply clicking a box on the computer screen that indicates a user's decision with respect to the use and/or dissemination of the information being collected. The online environment also presents new possibilities to move beyond the opt-in/opt-out paradigm. For example, consumers could be required to specify their preferences regarding information use before entering a Web site, thus effectively eliminating any need for default rules.
Access is the third core principle. It refers to an individual's ability both to access data about him or herself -- i.e., to view the data in an entity's files -- and to contest that data's accuracy and completeness. Both are essential to ensuring that data are accurate and complete. To be meaningful, access must encompass timely and inexpensive access to data, a simple means for contesting inaccurate or incomplete data, a mechanism by which the data collector can verify the information, and the means by which corrections and/or consumer objections can be added to the data file and sent to all data recipients.
The fourth widely accepted principle is that data be accurate and secure. To assure data integrity, collectors must take reasonable steps, such as using only reputable sources of data and cross-referencing data against multiple sources, providing consumer access to data, and destroying untimely data or converting it to anonymous form.
Security involves both managerial and technical measures to protect against loss and the unauthorized access, destruction, use, or disclosure of the data. Managerial measures include internal organizational measures that limit access to data and ensure that those individuals with access do not utilize the data for unauthorized purposes. Technical security measures to prevent unauthorized access include encryption in the transmission and storage of data; limits on access through use of passwords; and the storage of data on secure servers or computers that are inaccessible by modem.
It is generally agreed that the core principles of privacy protection can only be effective if there is a mechanism in place to enforce them. Absent an enforcement and redress mechanism, a fair information practice code is merely suggestive rather than prescriptive, and does not ensure compliance with core fair information practice principles.
Click here for the source.
These principles are usually referred to as “fair information principles”.
They are included in the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s private-sector privacy law, and called "Privacy Principles".
Principle 1 — Accountability
An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with the following principles.
Principle 2 — Identifying Purposes
The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.
Principle 3 — Consent
The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
Principle 4 — Limiting Collection
The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.
Principle 5 — Limiting Use, Disclosure, and Retention
Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfilment of those purposes.
Principle 6 — Accuracy
Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.
Principle 7 — Safeguards
Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
Principle 8 — Openness
An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.
Principle 9 — Individual Access
Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
Principle 10 — Challenging Compliance
An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization’s compliance.