Dutch privacy violations on the agenda of the UN Human Rights Committee
On July 1 and 2, 2019, the Netherlands will be examined in Geneva by the United Nations Human Rights Committee. This UN body is tasked with supervising the compliance of one of the oldest and most important human rights treaties in the world: the International Covenant on Civil and Political Rights (ICCPR). Each country which is a contracting party to the ICCPR is subject to periodical review by the UN Human Rights Committee. At the beginning of next week, the Dutch government must answer before the Committee for various current privacy issues that have been put on the agenda by Privacy First among others.
The previous Dutch session before the UN Human Rights Committee dates from July 2009, when the Dutch minister of Justice Ernst Hirsch Ballin had to answer for the then proposed central storage of fingerprints under the new Dutch Passport Act. This was a cause for considerable criticism of the Dutch government. Now, ten years on, the situation in the Netherlands will be examined once more. Against this background, Privacy First had submitted to the Committee a critical report (pdf) at the end of 2016, and has recently supplemented this with a new report (pdf). In a nutshell, Privacy First has brought the following current issues to the attention of the Committee:
- the limited admissibility of interest groups in class action lawsuits
- the Dutch ban on judicial review of the constitutionality of laws
- Automatic Number Plate Recognition (ANPR)
- border control camera system @MIGO-BORAS
- the Dutch public transport chip card ('OV-chipkaart')
- Electronic Health Record systems
- possible reintroduction of the Telecommunications Data Retention Act
- the new Dutch Intelligence and Security Services Act (‘Tapping Law’)
- Passenger Name Records (PNR)
- the Dutch abolition of consultative referendums
- the Dutch non-recognition of the international prohibition of propaganda for war.
The entire Dutch session before the Committee can be watched live on UN Web TV on Monday afternoon, July 1, and Tuesday morning, July 2. In addition to privacy issues, several Dutch organizations have put numerous other human rights issues on the agenda of the Committee; click HERE for an overview, which also features the previously established List of Issues (including the new Intelligence and Security Services Act, the possible reintroduction of the retention of telecommunications data, camera system @MIGO-BORAS, and medical confidentiality with health insurance companies). The Committee will likely present its ‘Concluding Observations’ within a matter of weeks. Privacy First awaits the outcome of these observations with confidence.
Update July 26, 2019: yesterday afternoon the Committee has published its Concluding Observations on the human rights situation in the Netherlands, which includes critical opinions on two privacy issues that were brought to the attention of the Committee by Privacy First:
The Intelligence and Security Services Act
The Committee is concerned about the Intelligence and Security Act 2017, which provides intelligence and security services with broad surveillance and interception powers, including bulk data collection. It is particularly concerned that the Act does not seem to provide for a clear definition of bulk data collection for investigation related purpose; clear grounds for extending retention periods for information collected; and effective independent safeguards against bulk data hacking. It is also concerned by the limited practical possibilities for complaining, in the absence of a comprehensive notification regime to the Dutch Oversight Board for the Intelligence and Security Services (CTIVD) (art. 17).
The State party should review the Act with a view to bringing its definitions and the powers and limits on their exercise in line with the Covenant and strengthen the independence and effectiveness of CTIVD and the Committee overseeing intelligence efforts and competences that has been established by the Act.
The Market Healthcare Act
The Committee is concerned that the Act to amend the Market Regulation (Healthcare) Act allows health insurance company medical consultants access to individual records in the electronic patient registration without obtaining a prior, informed and specific consent of the insured and that such practice has been carried out by health insurance companies for many years (art. 17).
The State party should require insurance companies to refrain from consulting individual medical records without a consent of the insured and ensure that the Bill requires health insurance companies to obtain a prior and informed consent of the insured to consult their records in the electronic patient registration and provide for an opt-out option for patients that oppose access to their records.
During the session in Geneva the abolition of the referendum and the camera system @MIGO-BORAS were also critically looked at. However, Privacy First regrets that the Committee makes no mention of these and various other current issues in its Concluding Observations. Nevertheless, the report by the Committee shows that the issue of privacy is ever higher on the agenda of the United Nations. Privacy First welcomes this development and will continue in the coming years to encourage the Committee to go down this path. Moreover, Privacy First will ensure that the Netherlands will indeed implement the various recommendations by the Committee.
The entire Dutch Session before the Committee can be watched on UN Web TV (1 July and 2 July). See also the extensive UN reports, part 1 and part 2 (pdf).
New Round in Privacy Fight Between Dutch Railways and Passenger
A train passenger has submitted an enforcement request to the Dutch Data Protection Authority, because he argues that Dutch Railways (NS) violates the privacy of train passengers.
In response to three new attempts by Dutch Railways (NS) to violate the privacy of train passengers, NS customer Michiel Jonker has submitted a request for enforcement to the Dutch Data Protection Authority (DPA). It concerns:
- Rejecting the reimbursement of the remaining balance on anonymous public transport chip cards if the holder does not provide his or her name and address data to NS;
- Refusing international train tickets by NS employees at station desks if buyers do not provide their name and address data to NS;
- Charging, since 2 July 2018, additional "service costs" when holders of anonymous public transport chip cards pay in cash for topping up the balance on these cards.
Since July 2014, NS has already launched attacks on the privacy of Dutch train passengers in various ways. It then concerned:
- Discriminating holders of anonymous public transport chip cards in discount hours;
- Requiring de-anonymization of the anonymous public transport chip cards when NS is asked to provide services (for example, reimbursing money in the event of delays);
- Applying two unique card numbers on each anonymous OV chip card, as a result of which the anonymity of these cards is affected.
As a traveler who wants to maintain his privacy, Jonker repeatedly asked the DPA to investigate these violations and to take enforcement measures. Jonker already won several lawsuits against the DPA, which initially refused to even investigate the reports.
The recently adopted General Data Protection Regulation (GDPR) will play an important role in the assessment of the new violations by NS. Another central issue will be the right to pay by cash, which protects privacy.
Jonker: "In all these matters, the question is whether users of Dutch public transport are entitled to a real, effective protection of their privacy. This question is more relevant than ever, when you see how people are treated in situations where privacy is not adequately protected. We don't only think about China with its Social Credit score, or the United States with their "No Fly" lists, but also about European countries where laws have been adopted in recent years that allow the government to spy on travelers who are not even suspected of any punishable or risky behavior. For example France with its permanent state of emergency and the Netherlands with its new Intelligence and Security Act."
In this new case, Jonker is supported by Privacy First and Maatschappij voor Beter OV.
Source: https://www.liberties.eu/en/news/ns-privacy-fight-passenger-privacy/15444, 25 July 2018.
The Netherlands under the United Nations magnifying glass
Tomorrow morning the Netherlands will be examined in Geneva by the highest human rights body in the world: the United Nations Human Rights Council. Since 2008, the Human Rights Council reviews the human rights situation in each UN Member State once every five years. This procedure is called the Universal Periodic Review (UPR).
Privacy First shadow report
During the previous two UPR sessions in 2008 and 2012, the Netherlands endured a fair amount of criticism. At the moment, the perspectives with regard to privacy in the Netherlands are worse than they’ve ever been before. This is reason for Privacy First to actively bring a number of issues to the attention of the UN. Privacy First did so in September 2016 (a week prior to the UN deadline), through a so-called shadow report: a report in which civil society organizations express their concerns about certain issues. (It’s worth pointing out that the Human Rights Council imposes rigorous requirements on these reports, a strict word limit being one of them.) UN diplomats rely on these reports in order to properly carry out their job. Otherwise, they would depend on one-sided State-written reports that mostly provide a far too optimistic view. So Privacy First submitted its own report about the Netherlands (pdf), which includes the following recommendations:
Better opportunities in the Netherlands for civil society organizations to collectively institute legal proceedings.
Introduction of constitutional review of laws by the Dutch judiciary.
Better legislation pertaining to profiling and datamining.
No introduction of automatic number plate recognition (ANPR) as is currently being envisaged.
Suspension of the unregulated border control system @MIGO-BORAS.
No reintroduction of large scale data retention (general Data Retention Act).
No mass surveillance under the new Intelligence and Security Services Act and closer judicial supervision over secret services.
Withdrawal of the Computer Criminality Act III , which will allow the Dutch police to hack into any ICT device.
A voluntary and regionally organized (instead of a national) Electronic Health Record system with privacy by design.
Introduction of an anonymous public transport chip card that is truly anonymous.
You can find our entire report HERE (pdf). The reports from other organizations can be found HERE.
Privacy First did not sent its report only to the Human Rights Council but also forwarded it to all the foreign embassies in The Hague. Consequently, Privacy First had extensive (confidential) meetings in recent months with the embassies of Argentina, Australia, Bulgaria, Chili, Germany, Greece and Tanzania. The positions of our interlocutors varied from senior diplomats to ambassadors. Furthermore, Privacy First received positive reactions to its report from the embassies of Mexico, Sweden and the United Kingdom. Moreover, several passages from our report were integrated in the UN summary of the overall human rights situation in the Netherlands; click HERE ('Summary of stakeholders' information', par. 47-50).
Our efforts will hopefully prove to have been effective tomorrow. However, this cannot be guaranteed as it concerns an inter-State, diplomatic process and many issues in our report (and in recent talks) are sensitive subjects in countless other UN Member States as well.
UN Human Rights Committee
In December 2016, Privacy First submitted a similar report to the UN Human Rights Committee in Geneva. This Committee periodically reviews the compliance of the Netherlands with the International Covenant on Civil and Political Rights (ICCPR). Partly as a result of this report, last week the Committee put the Intelligence and Security Services Act, camera system @MIGO-BORAS and the Data Retention Act among other things, on the agenda for the upcoming Dutch session in 2018 (see par. 11, 27).
We hope that our input will be used by both the UN Human Rights Council as well as the UN Human Rights Committee and that it will lead to constructive criticism and internationally exchangeable best practices.
The Dutch UPR session will take place tomorrow between 9am and 12.30pm and can be followed live online.
Update 10 May 2017: during the UPR session in Geneva today, the Dutch government delegation (led by Dutch Minister of Home Affairs Ronald Plasterk) received critical recommendations on human rights and privacy in relation to counter-terrorism by Canada, Germany, Hungary, Mexico and Russia. The entire UPR session can be viewed HERE. Publication of all recommendations by the UN Human Rights Council follows May 12th.
Update 12 May 2017: Today all recommendations to the Netherlands have been published by the UN Human Rights Council, click HERE (pdf). Useful recommendations to the Netherlands regarding the right to privacy were made by Germany, Canada, Spain, Hungary, Mexico and Russia, see paras. 5.29, 5.30, 5.113, 5.121, 5.128 & 5.129. You can find these recommendations below. Further comments by Privacy First will follow.
Extend the National Action Plan on Human Rights to cover all relevant human rights issues, including counter-terrorism, government surveillance, migration and human rights education (Germany);
Extend the National Action Plan on Human Rights, published in 2013 to cover all relevant human rights issues, including respect for human rights while countering terrorism, and ensure independent monitoring and evaluation of the Action Plan (Hungary);
Review any adopted or proposed counter-terrorism legislation, policies, or programs to provide adequate safeguards against human rights violations and minimize any possible stigmatizing effect such measures might have on certain segments of the population (Canada);
Take necessary measures to ensure that the collection and maintenance of data for criminal [investigation] purposes does not entail massive surveillance of innocent persons (Spain);
Adopt and implement specific legislation on collection, use and accumulation of meta-data and individual profiles, including in security and anti-terrorist activities, guaranteeing the right to privacy, transparency, accountability, and the right to decide on the use, correction and deletion of personal data (Mexico);
Ensure the protection of private life and prevent cases of unwarranted access of special agencies in personal information of citizens in the Internet that have no connection with any illegal actions (Russian Federation). [sic]
Update 26 May 2017: a more comprehensive UN report of the UPR session has now been published (including the 'interactive dialogue' between UN Member States and the Netherlands); click HERE (pdf). In September this year, the Dutch government will announce which recommendations it will accept and implement.
Frankfurter Allgemeine Zeitung (Germany), 12 August 2014: 'Big Brother in Holland'
"Holland sammelt unbändig Daten. Neue digitale Produkte dienen der totalen Überwachung. Und sind eine große Gefahr für die Gesellschaft.
Hinter den Dünen, ein paar hundert Meter vom Strand entfernt, liegt in Noordwijk der futuristische Bau von Decos. Das niederländische Software-Unternehmen hat sich eine neue Zentrale geleistet – einem eingeschlagenen Meteoriten ist sie nachempfunden, es könnte auch ein Raumschiff sein. Hier setzen IT-Spezialisten die digitale Zukunft durch: den völlig papierlosen Betrieb. Mitarbeiter kommunizieren ausschließlich elektronisch, und wer dem Unternehmen einen Brief schreibt, bekommt ihn zurück mit der Aufforderung, ihn nochmals zu senden, aber bitte als E-Mail.
Auch seinen Kunden bietet Decos Digitalisierung pur: Das Unternehmen liefert ihnen Software, um alle Dokumente elektronisch zu speichern – aber auch Produkte zur totalen Überwachung von Mitarbeitern. Sein „Cartracker" verfolgt jede Dienstreise, alle fünf Sekunden wird das Fahrzeug frisch verortet. „Hiermit haben Sie immer eine aktuelle Übersicht, wo sich Ihre Autos und Mitarbeiter befinden", wirbt Decos. Mehr noch: Der Fahrstil wird ständig überwacht und sogar benotet: „Aufgrund der Höchstgeschwindigkeit, des Bremsverhaltens und der Beschleunigung berechnet ,Decos Cartracker' eine individuelle Zensur für das Fahrverhalten jedes Fahrers."
Digitalisierung wird zur Norm
Nun mag es bei Geldtransportern noch sinnig sein, ihnen aus Sicherheitsgründen aus der Ferne zu folgen. In allen anderen Fällen gilt: Wohl dem, der einen weniger progressiven Arbeitgeber hat – einen, der vertraut, statt nonstop zu überwachen. Aber die Digitalisierung nimmt zu, sie wird zur Norm – und das nicht nur im Beruf, auch im öffentlichen Raum. Und die Niederlande sind hier in mancherlei Hinsicht schon weiter fortgeschritten als Deutschland.
Im Juli schaffte das Land endgültig die Fahrkarte aus Papier im öffentlichen Verkehr ab – für die zuvor schon schrittweise eingeführte „ÖV-Chipkarte", die den Preis in der Regel je Kilometer berechnet. Für den Kunden bedeutet sie außer 7,50 Euro Anschaffungskosten vor allem Umstände: für das Aufladen, für das Ein- und Auschecken bei jeder Fahrt. Wer das versäumt oder an einen kaputten Kartenleser gerät, ist schnell ein Sümmchen los; man muss dann auf Kulanz hoffen und per Online-Antrag versuchen, es erstattet zu bekommen.
Anonymität hat ihren Preis
Was aber noch schwerer wiegt: Die Chipkarte speichert so die Fahrstrecke – und da die Standardversion alle wesentlichen Nutzerdaten enthält (inklusive Kontonummer), kann sie das Reiseverhalten des Bürgers erfassen. Wer anonym mit einem Einmal-Ticket fahren will, muss Aufschlag zahlen – nicht viel, einen Euro momentan, aber immerhin; und vielleicht ist das ja auch nur der Anfang. Viel gravierender noch: Wer eine Studenten- oder Rentnerkarte braucht, muss zwingend die personengebundene Version mit den Daten wählen. Natürlich versichern die Betreiber, alles vertraulich zu behandeln. Aber wer sich darauf verlässt, ist naiv. Wo immer auf der Welt digital gespeichert wird: Die Vorfälle sind Legion, in denen Patienten-, Sozial- oder andere Daten missbraucht wurden – oder massenweise verfügbar, sei es versehentlich, sei es durch Hacker.
Natürlich gibt es in Deutschland den ähnlichen Fall: wenn jemand mit seiner Bahncard Punkte sammelt. Aber das macht er dann freiwillig. Und es ist wichtig aufzupassen, dass die öffentlichen Verkehrsträger hierzulande nicht dem Beispiel aus dem Ausland folgen. Generell ist Obacht schon geboten, wann immer die Preisgabe von Daten belohnt wird – wie bei dem Vorstoß eines deutschen Autoversicherers, Rabatt zu gewähren, wenn der Autohalter einen digitalen Fahrtenschreiber (Blackbox) installiert. Denn das läuft schnell darauf hinaus, dass er umgekehrt für das Recht auf Anonymität einen Malus bekommt.
Erstaunlich ist, dass ein Land wie die Niederlande so unbändig Daten sammelt – sieht es sich doch gerne als „gidsland": als internationales Vorbild, wenn es um Politik, Verwaltung, gesellschaftliche Werte und Normen geht. „Von allen Menschenrechten steht das Recht auf Privatsphäre in den Niederlanden am meisten unter Druck", befindet die Stiftung Privacy First.
Mal führen die Behörden Sicherheit als Argument für die Digitalisierung an, mal Effizienz. Nach Amsterdam führt jetzt auch Rotterdam stadtweit das „Kennzeichenparken" ein: Wer das Auto abstellt, muss am Automaten die Buchstaben und Ziffern des Nummernschilds eingeben. Mit Bargeld darf er auch nicht mehr zahlen, nur mit Karte oder per Mobiltelefon – auch dies ein nationaler Trend. Wieder eine digitale Spur hinterlassen, wieder ein Stück Anonymität dahin. (...) [A]ls Nächstes eine Pflicht für Smart Meters in Wohnungen: Ablesegeräte, die viel mehr erfassen können als nur den Energieverbrauch in den Wohnungen. Die Industrie lobbyiere schon kräftig dafür. Nicht zu reden von den zahllosen Überwachungskameras in Städten, der massenweisen Kennzeichenerfassung auf Autobahnen und Polizeidrohnen mit Kamera. Die Bedenken der Datenschützer werden gerne abgetan: Wer nichts zu verbergen hat, muss doch nichts befürchten? Aber das ist die falsche Haltung, sie kehrt ein grundlegendes Recht um: das Recht, sich unbewacht zu bewegen."
Source: http://www.faz.net/aktuell/wirtschaft/wirtschaftspolitik/digitalisierung-big-brother-in-holland-13092653.html, 12 August 2014.
Privacy First demands privacy-friendly Public Transport chip card
On Thursday 28 February 2013 there will be an important debate about the Dutch 'OV-chipkaart' (Public Transport chip card) in the Dutch House of Representatives (permanent commission for Infrastructure and Environment). In preparation of this debate the Privacy First Foundation today brought the following points to the attention of relevant Dutch Members of Parliament:
- The 'anonymous' OV chip card is not anonymous because it contains a unique identification number in the Radio Frequency Identification (RFID)-chip with which travellers can be identified and tracked afterwards through the linking of transaction data. In the view of Privacy First, this constitutes a violation of two human rights, namely the freedom of movement in conjunction with the right to privacy, in other words the classic right to travel freely and anonymously within one’s own country. Privacy First is eager to learn from the House of Representatives as well as the responsible member of government which steps have already been taken for the introduction of an anonymous OV chip card that is truly anonymous, for example through the development of new chip technology and modern forms of encryption without a unique identification number (privacy by design).
- As long as (truly) anonymous OV chip cards and anonymous discount cards do not exist, printed travel tickets are to remain available for travellers who want to travel anonymously. Moreover, a special, anonymous discount card for children and elderly people should also be introduced.
- Compulsory check-ins and check-outs for students carrying student OV chip cards contravenes with the right of students to travel freely and anonymously. Compulsory check-ins and check-outs therefore have to be abolished.
- The planned closure of turnstiles at Dutch National Railway stations (Nederlandse Spoorwegen, NS) constitutes an unnecessary restriction to people's freedom of movement and can lead to dangerous situations in the event of calamities. It also creates unsafe situations in individual cases, for example for children, elderly people, ill or incapacitated people who need to be accompanied through the station by family or friends. Therefore Privacy First makes an urgent appeal to leave the turnstiles open at all times or to get rid of them and replace them with anonymous check-in and check-out poles.
- The current retention period of OV chip card data should be reduced to an absolute minimum. Moreover, travellers should be offered the option to erase their travel history at any given moment.
- The OV chip card dramatically increases costs for travellers, either when purchasing a chip card, when forgetting to check out, in the event of a malfunctioning card or check-out pole or when deciding to travel anonymously with a printed ticket. Privacy First is eager to hear from the House of Representatives as well as the responsible government member which measures will be taken to make travelling with an OV chip card cheaper while preserving people's privacy.
Privacy First puts Dutch privacy violations on UN agenda
On 31 May 2012 the Netherlands will once again be examined in Geneva by the highest human rights body in the world: the United Nations Human Rights Council. The UN Human Rights Council was founded in 2006 and consists of 47 of the 192 UN Member States. Since 2008 the human rights situation in each country is periodically reviewed. This procedure takes place every four years for each UN Member State and is called ‘Universal Periodic Review’ (UPR). During the first UPR session in 2008 it was straight away the Netherlands’ turn to be examined and our country was in fact heavily criticized. In 2011 the privacy situation in the Netherlands is even worse compared to 2008: enough ground for Privacy First to raise a number of issues with the UN. Privacy First did so last night through a so-called shadow report: a report in which NGOs can voice their concerns on a particular issue. (For such reports strict requirements with the Human Rights Council apply, among which a limit of 2815 words.) Without shadow reports, diplomats in the Council are not able to do their work properly. Otherwise they would of course be dependent on the State report of the Netherlands itself. So Privacy First presented its own report with the following recommendations:
• No national biometric database, not even in the long run;
• No introduction of mobile fingerprint scanners;
• Introduction of a truly anonymous OV-chipkaart (Public Transport chip card);
• No introduction of Automatic Number Plate Recognition (ANPR) as currently envisaged;
• Transparency and suspension of the new border control system @MIGO;
• A voluntary, regional instead of national Electronic Health Record System with 'privacy by design';
• Proper legislation concerning the profiling of citizens.
You can download our entire report HERE. We hope that our recommendations will be accepted in the Human Rights Council and will lead to an international exchange of best practices. Privacy First is happy to keep you informed on these developments.
Update 23 March 2012: this week the long-awaited Dutch UPR State report for the Human Rights Council appeared. Moreover, the shadow report by the Dutch section of the International Commission of Jurists (Dutch abbreviation: NJCM) that was presented earlier (also on behalf of 24 other NGOs) became public. The NJCM report contains a very critical section on privacy in which – parallel to the recommendations of Privacy First – among other things, a call for the abrogation of the current plans concerning ANPR and mobile fingerprint scanners is made; see pp. 6-7 of the NJCM report. Relevant reports by other organisations can be found HERE.
Official preparatory work for the Dutch State report has seen two consultation meetings with Dutch civil society (NGOs) at the Dutch Ministry of the Interior (Dutch abbreviation: BZK) in recent months. During the first meeting on 1 December 2011, Privacy First insisted on incorporating a separate section about privacy in the State report. During the second meeting on 16 January 2012, Privacy First requested an explicit mention of ‘privacy by design’ in that very section. BZK responded positively to both requests. However, the privacy section in the State report appears to be relatively short, superficial and elusive. It is telling that this section is part of the chapter ‘Challenges and constraints’. This gives the impression of a defensive attitude. What’s even more telling is the following sentence: ‘‘The challenge will now be to ensure that all these [privacy infringing] measures are implemented.’’ Apparently the Dutch State is not sure where it stands... And rightly so. The mere positive points are the mention of ‘privacy by design’, the report by the Dutch Scientific Council for Government Policy called iOverheid (iGovernment) and the following passage:
"In addition, partly in response to concerns expressed in Parliament, certain policy measures that impact on privacy are currently being modified, as for example the discontinuation of the storage of fingerprint data on national ID-cards and within the passport database."
Privacy First interprets this passage as an international declaration (unilateral statement) from the Netherlands to stop the storage of fingerprints on ID-cards and in its travel document administration once and for all. Privacy First is keen to continue reminding the government of this.
Update 5 April 2012: the international lobbying surrounding the UPR session of the Netherlands on 31 May 2012 is in full swing, both at foreign embassies in The Hague as well as within the permanent representations of UN Member States in Geneva. In this context an important 'UPR pre-session' took place yesterday morning in Geneva where various international human rights organisations had the opportunity to voice their concerns about the Netherlands in front of a broad audience of foreign diplomats. Click HERE for an impression of the meeting about the Netherlands. The statement by Privacy First during this meeting can be found HERE and can also be downloaded on the website of the Dutch Human Rights Institute under incorporation.
Update 21 April 2012: Based on all shadow reports (among which that of Privacy First) that the UN received at the end of 2011, an official UN summary has in the meantime been drawn up in Geneva. This ‘summary of stakeholders’ information’ can be found HERE. Apart from Privacy First, the NJCM (also on behalf of the Dutch Platform for the Protection of Civil Rights / Platform Bescherming Burgerrechten), Bits of Freedom, the Dutch Data Protection Authority, Vrijbit and the Dutch Contact Point on Abuse of Mandatory Identification (Meldpunt Misbruik Identificatieplicht) all sent their privacy worries to Geneva in writing; all these reports will soon appear on this UN page. As far as Privacy First is aware, this has not occurred on this scale before. Therefore, for the first time in history the privacy theme figures prominently in a UN report about the Netherlands, as a matter of fact more prominent than is the case in other summaries, for example the one on the United Kingdom. Furthermore, it’s striking that the UN cites a passage about profiling from the Privacy First report: ‘‘digital profiles can be extremely detailed and profiling can easily lead to discrimination and 'steering' of persons in pre-determined directions, depending on the 'categories' their profiles 'fit into' and without the persons in question being aware of this.’’ (UN summary, para. 65). All of this can rightly be called a breakthrough that will hopefully bear fruit during the upcoming session on 31 May 2012.
Update 23 May 2012: In recent months Privacy First has had a series of useful conversations with foreign diplomats in Geneva and The Hague. Meanwhile a number of so-called ‘advance questions’ by UN Member States have appeared on the UPR website of the UN. Among them is the following question by the United Kingdom to the Netherlands: ‘‘Given recent concerns about data collection and security, including the unintended consequences of cases of identity theft, does the Netherlands have plans for measures to ensure more comprehensive oversight of the collection, use and retention of personal data?’’ (Source) Privacy First looks forward with confidence to further questions by UN Member States about Dutch privacy perils.
Four privacy-related objections against Public Transport chip cards
Argumentation courtesy of Stichting Meldpunt Misbruik Identificatieplicht ('Dutch Contact Point on Abuse of Mandatory Identification'):
(1) The application of a Radio-Frequency Identification (RFID)-chip makes the 'OV-chipkaart' (Public Transport chip card) vulnerable. Information on the card can be read by others at a distance, the card can be copied or manipulated, and the credit that’s on it can easily be stolen.
(2) Storing personal data for much too long affects people's personal freedom. There is absolutely no need for transport companies to continuously register exactly where someone is located, to make video images of every check-in and check-out and to store these data for an undetermined period of time.
(3) Because personalized chip cards are to be accommodated with a scan of the passport photo, cameras located at every public transport turnstile can be programmed in such a way that certain people or certain groups of people can be singled out. Associated law enforcement or commercial applications invade people's privacy. By means of the new system, public transport companies become an extension of police and law enforcement authorities and can earn money by commercially making use of personal information for marketing or advertisement purposes.
(4) Privacy will have to be paid for. Everyone who doesn’t want his travel behavior being documented or his passport being scanned and digitally saved in the administration of the transport company will be excluded by the system from subscription and will be financially disadvantaged in case he/she wants to protect his/her privacy. In this way, public transport companies that have the task to provide proper transport will start earning money from the privacy of their clients.