Law & Politics

Despite an urgent call by Privacy First to the Dutch House of Representatives to block the coronavirus entry pass, the introduction of this pass throughout The Netherlands as of 25 September 2021 unfortunately seems to be a reality. Privacy First expects that this will lead to division of Dutch society, exclusion of vulnerable groups, discrimination and violation of everyone’s right to privacy. Moreover, the introduction of this pass leads to vaccination coercion, which violates everyone’s right to dispose freely of their own body. This is incompatible with the right to physical integrity and self-determination and fuels the undermining of our trust in the democratic rule of law, in which these fundamental rights are enshrined.

With massive encroachment and violation of human rights looming, it is up to the courts to intervene and correct the government. In line with our statutory objective to take action in the public interest, the current lawsuit by Dutch attorney Bart Maes and others to stop the coronavirus entry pass therefore has our full support. Privacy First would like to emphasize that this is not a statement against vaccination (on the contrary), but that it is crucial to fully respect and protect everyone’s human rights, especially in these times. Critical voices should be taken seriously and not be dismissed on emotional grounds. In both the short and the long term, this is the best guarantee for an open, free and healthy society.

Today, Privacy First sent the following plea to the Dutch House of Representatives: 

Dear Members of Parliament, 

It is with great disapproval that the Privacy First Foundation has taken note of the planned introduction of coronavirus entry passes for bars and restaurants, events and cultural institutions. This will lead to a division in society, exclusion of vulnerable groups and a massive violation of everyone’s right to privacy. Below, Privacy First will briefly explain this.

Serious violation of fundamental rights

The coronavirus entry pass (‘corona pass’) constitutes a serious infringement of numerous fundamental human rights, including the right to privacy, physical self-determination, bodily integrity and freedom of movement in conjunction with other classic human rights such as the right to participate in cultural life and various children’s rights such as the right to recreation. Any curtailment of these rights must be strictly necessary, proportionate and effective. In the case of the corona pass, however, this has not been demonstrated to date and the required necessity is simply being assumed in the public interest. More privacy-friendly alternatives to reopen and normalize society seem never to have been seriously considered. For these reasons alone, the corona pass cannot pass the human rights test and should therefore be repealed. In this context, Privacy First would also like to remind you of countries such as England, Belgium and Denmark where a similar pass was deliberately not introduced, or has been done way with not long after its introduction. In the Netherlands, there has been a great lack of support in recent days for the corona pas and many thousands of entrepreneurs have already let it be known that they will not cooperate. Privacy First therefore expects that the introduction of the corona pass will lead to massive civil disobedience and successful lawsuits against the Dutch government.

Social exclusion

The introduction of the corona pass violates the general prohibition of discrimination, as it introduces a broad social distinction based on medical status. This puts a strain on social life and may lead to widespread inequality, stigmatization, social segregation and even possible tensions, as large groups in society will not (or not systematically) want to, or will not be able to get tested or vaccinated (for a variety of reasons), or obtain a digital test or vaccination certificate. During our National Privacy Conference in early 2021, Privacy First already took the position that the introduction of a mandatory ‘corona passport’ would have a socially disruptive effect.[1] On that occasion, the Dutch Data Protection Authority, among others, explicitly took a stand against the introduction of such a passport. The aforementioned social risks apply all the more strongly to the vaccination coercion that is caused by the introduction of the corona pass. In this regard, Privacy First would like to remind you of the fact that both your House of Representatives and the Parliamentary Assembly of the Council of Europe have expressed their opposition to a direct or indirect vaccination requirement.[2] In addition, the corona pass will have the potential to set precedent for other medical conditions and other sectors of society, putting pressure on a much wider range of socio-economic human rights. For these reasons, Privacy First calls on you to block the introduction of the corona pass.

Multiple privacy violations

From the perspective of the right to privacy, there are a number of yet other specific concerns and questions. First of all, the corona pass introduces a mandatory ‘health proof’ for participation in a large part of social life, in flagrant violation of the right to privacy and the protection of personal data. Through the mandatory display of an ID card in addition to the corona pass, an entirely new identification requirement is created in public places. The existing anonymity in the public space is thus removed, with all the dangers and risks that this entails. Moreover, this new identification requirement raises questions about the capacities of entrepreneurs to determine the identity of a person and to assess the state of health by means of the corona pass.

Moreover, the underlying legislation results in the inconsistent application of existing legislation with regard to the same act, i.e. testing, with far-reaching consequences on the one hand for an important attainment such as medical confidentiality and the public’s trust in that confidentiality, and on the other for the practical implementation of retention periods of the test results while the processing of these results does not change. After all, it is not the result of the test that should determine whether the registration of the testing falls under the Dutch Medical Treatment Agreement Act (‘Wgbo’, which requires medical confidentiality and a 20-year retention period) or the Dutch Public Health Act (‘Wpg’, which requires a 5-year retention period), but the act of testing itself. Besides, it is questionable why a connection was sought with the Wpg and/or Wgbo now that it is about obtaining a certificate for participation in society and it does not concern medical treatment (Wgbo) or public health tasks for that purpose. The only ground for processing personal data for the purpose of ascertaining the presence of the coronavirus and for breaching medical confidentiality, should be consent. However, in this case there cannot be the legally required freely given consent, since testing and vaccination will be a mandatory condition for participation in society.

Privacy requires clarity

Many other things are and remain unclear: what data will be stored, where, by whom and in which systems? To what extent will there be an international and European exchange of such data? Which parties with which purposes will have access to or will copy the data, or put these in huge new national databases together with our health data? Will we have constant personal localization and identification, or only occasional verification and authentication? Why can test results be kept for an unnecessarily long time? How great are the risks of hacking, data breaches, fraud and forgery? To what extent have decentralized, privacy-friendly technologies and privacy by design, open source software, data minimization and anonymization seriously been considered? How long will test certificates remain free of charge? Is work already underway to introduce an ‘alternative digital medium’ to the Dutch CoronaCheck app, namely a chip (card), with all the objections and risks that entails? Why has there been no independent Privacy Impact Assessment (PIA)? How many more times must the country accept emergency laws to close privacy leaks, when our overburdened and understaffed Data Protection Authority is already noting that there is no legal basis for the processing of the data concerned? How will unforeseen uses and abuses, function creep and profiling be prevented, and how is privacy oversight arranged? Will non-digital, paper alternatives remain available at all times? Why is the ‘yellow booklet’ not accepted as a privacy-friendly alternative, as it is in other countries? What happens with the test material – i.e. everyone’s DNA – at the various testing sites? And when will the corona pass be abolished? In other words, to what extent is this actually a ‘temporary’ measure?

In the view of Privacy First, the introduction of the corona pass will lead merely to an impractical burden on entrepreneurs, innumerable deficiencies and destruction of capital for society. Privacy First therefore requests that the members of the House of Representatives block the introduction of the corona pass. Failing to do so, Privacy First reserves the right to have the legislation introducing the corona pass reviewed against international and European law and declared inoperative by the courts. Preparations for such legal proceedings by us and many others are already underway.

Yours sincerely,

Privacy First Foundation 

[1] See National Privacy Conference 28 January 2021, https://youtu.be/asEX1jy4Tv0?t=9378, starting at 2h 36 min 18 sec.
[2] See Council of Europe, Parliamentary Assembly, Resolution 2361 (2021): Covid-19 vaccines: ethical, legal and practical considerations, https://pace.coe.int/en/files/29004/html, par. 7.3.1-7.3.2: ‘‘Ensure that citizens are informed that the vaccination is NOT mandatory and that no one is politically, socially, or otherwise pressured to get themselves vaccinated, if they do not wish to do so themselves; ensure that no one is discriminated against for not having been vaccinated, due to possible health risks or not wanting to be vaccinated.’’ See also, inter alia, Dutch House of Representatives, Motion by Member Azarkan on no corona vaccination requirement (28 October 2020), House of Representatives, 25295-676, https://zoek.officielebekendmakingen.nl/kst-25295-676.html: ‘‘The House of Representatives (...) expresses that there should never be a direct or indirect corona vaccination obligation in the future’’; Motion by Member Azarkan on access to public benefits for all regardless of vaccination or testing status (5 January 2021), House of Representatives 25295-864, https://zoek.officielebekendmakingen.nl/kst-25295-864.html: "The House of Representatives (...) requests the government to allow access to public benefits for all regardless of vaccination or testing status."

An earlier, similar version of this commentary appeared as early as March 2021: https://www.privacyfirst.eu/focus-areas/law-and-politics/695-privacy-first-position-concerning-the-dutch-draft-bill-on-covid-19-test-certificates.html.

Summary proceedings against massive privacy violation by Automatic Number Plate Recognition (ANPR) camera surveillance

Challenging large-scale privacy violations in court has long been Privacy First’s established practice. In recent years, Privacy First has successfully done so against the central storage in the Netherlands of everyone’s fingerprints under the Dutch Passport Act, against the storage of everyone’s communications data under the Dutch Telecommunications Data Retention Act and – in coalition with other parties – against large-scale risk profiling of innocent citizens through the Dutch System Risk Indication (SyRI).

A current and urgent issue that equally merits going to court over, concerns the Dutch legislation on Automatic Number Plate Recognition (ANPR) which applies since 2019 under Art. 126jj of the Dutch Code of Penal Procedure. Under this piece of law, the number plate codes of millions of cars in the Netherlands (i.e. everyone’s travel movements) are stored continuously for four weeks in a central police database for criminal investigation purposes, regardless of whether one is suspected of anything. This is totally unnecessary, completely disproportionate and also ineffective, as was revealed in evaluation reports published today by the Dutch Research and Documentation Center (‘WODC’, part of the Dutch Ministry of Justice and Security). Supervision is lacking and the system can easily be abused, newspaper NRC Handelsblad recently confirmed in its reporting.

Privacy First has therefore prepared a lawsuit to have the ANPR legislation repealed on account of violation of European privacy law. Summary proceedings against the Dutch government will take place at the district court of The Hague on 10 November 2021. Through Pro Bono Connect, Privacy First has engaged CMS as the law firm that will take care of the litigation in this case. Our summons in summary proceedings can be found HERE (pdf in Dutch). If necessary, these preliminary proceedings will be followed by broader proceedings on the merits. After all, there is no doubt that the current ANPR law constitutes a massive privacy violation and simply does not belong in a free democratic society. Considering the relevant European case law, Privacy First deems the likelihood of successful legal action very high.

Case details: Privacy First vs. the State (Dutch Ministry of Justice and Security), Wednesday 10 November 2021 11.00 am, The Hague district court. You are welcome to attend the court hearing. A route description in Dutch can be found here. 

Update November 8, 2021: due to Corona restrictions, it appears that the court is only willing to allow two (already registered) visitors at the court hearing. However, due to high public interest, there will be a livestream: https://www.rechtspraak.nl/Organisatie-en-contact/Organisatie/Rechtbanken/Rechtbank-Den-Haag/Nieuws/Paginas/Livestream-rechtszaak-stichting-Privacy-First-tegen-de-Staat.aspx.

Update November 10, 2021: the court hearing took place today; click HERE for our lawyer's pleading (pdf in Dutch). The court's ruling is scheduled for December 1st.

Update December 1, 2021: today the district court of The Hague rendered its judgment. In the judgment, the court first of all established that Privacy First is admissible in this case as a non-profit interest group for the protection of the privacy of all citizens in the Netherlands. This again establishes that Privacy First can conduct these and subsequent legal proceedings in the public interest. Subsequently, however, the court ruled that in these preliminary relief proceedings there was no sufficiently urgent interest. Privacy First finds this judgment incomprehensible, since in the case of a daily massive privacy violation by definition there is an urgent interest to have that violation legally reviewed and to have it stopped. Privacy First will now commence proceedings on the merits against the ANPR legislation and is also considering lodging an urgent appeal against the current judgment with the Court of Appeal of The Hague. In view of relevant European case law, Privacy First still considers the chances of successful legal action exceptionally high.

The ANPR legislation at issue in Privacy First's lawsuit relates to the mass collection and storage of everyone's "historical" ANPR data, also known as "no hits". This should be distinguished from the many years of police practice where license plates of suspects (so-called "hits") can be used for criminal investigations. Dutch media are regularly confused about this as a result of misleading government information, for example on the websites of the Dutch National Police and the Public Prosecution Service. Privacy First regrets such deception and hopes that the media will not be misled by this.

Would you like to support these legal proceedings? Then please consider becoming a donor! Privacy First consists largely of volunteers and is entirely dependent on sponsorship and donations to pursue litigation.

It is with great concern that Privacy First has taken note of the Dutch draft bill on COVID-19 test certificates. Under this bill, a negative COVID-19 test certificate will become mandatory for access to sporting and youth activities, all sorts of events and public places including bars and restaurants and cultural and higher education institutions, Those who have no such certificates risk getting high fines. This will put pressure on everyone's right to privacy. 

Serious violation of fundamental rights

The draft bill severely infringes numerous fundamental and human rights, including the right to privacy, physical integrity and freedom of movement in combination with other relevant human rights such as the right to participate in cultural life, the right to education and various children’s rights such as the right to recreation. Any curtailment of these rights must be strictly necessary, proportionate and effective. However, the current draft bill fails to demonstrate this, while the required necessity in the public interest is simply assumed. More privacy-friendly alternatives to reopen and normalize society do not seem to have been considered. For these reasons alone, the proposal cannot pass the human rights test and should therefore be withdrawn.

Social exclusion

The proposal also violates the general prohibition of discrimination, as it introduces a broad social distinction based on medical status. This puts pressure on social life and may lead to large-scale inequality, stigmatization, social segregation and even possible tensions, as large groups in society will not (or not systematically) want to or will not be able to get tested (for various reasons). During the recent Dutch National Privacy Conference organized by Privacy First and the Platform for the Information Society (ECP), it already became clear that the introduction of a mandatory ‘corona passport’ could have a socially disruptive effect.[1] On that occasion the Dutch Data Protection Authority, among others, took a strong stand against it. Such social risks apply all the more strongly to the indirect vaccination obligation that follows on from the corona test certificate. In this regard, Privacy First wants to recall that recently both the Dutch House of Representatives and the Parliamentary Assembly of the Council of Europe have expressed their opposition to a direct or indirect vaccination requirement.[2] In addition, the draft bill under consideration will have the potential to set precedents for other medical conditions and other sectors of society, putting pressure on a much broader range of socio-economic rights. For all of these reasons, Privacy First strongly recommends that the Dutch government withdraw this draft bill.

Multiple privacy violations

Moreover, from the perspective of the right to privacy, a number of specific objections and questions apply. First of all, the draft bill introduces a mandatory ‘proof of healthiness’ for participation in a large part of social life, in flagrant violation of the right to privacy and the protection of personal data. Also, the draft bill introduces an identification requirement at the entrance of public places, in violation of the right to anonymity in public spaces. The bill also results in the inconsistent application of existing legislation to the same act, namely testing, with far-reaching consequences on the one hand for a precious achievement like medical confidentiality and the trust of citizens in that confidentiality, and on the other hand for the practical implementation of retention periods while the processing of the test result does not change. After all, it is not the result of the test that should determine whether the file falls under the Dutch Medical Treatment Contracts Act (WGBO, which has a medical secrecy requirement and a retention period of 20 years) or under the Public Health Act (with a retention period of five years), but the act of testing itself. Moreover, it is unclear why the current draft bill seeks to connect to the Public Health Act and/or WGBO if it only concerns obtaining a test certificate for the purpose of participating in society (and therefore no medical treatment or public health task for that purpose). Here, the only possibility for processing and for breaching medical confidentiality should be the basis of consent. In this case, however, there cannot be the legally required freely given consent, since testing will be a compelling condition for participation in society.

Privacy requires clarity

Many other issues are still unclear: which data will be stored, where, by whom, and which data may possibly be exchanged? To what extent will there be personal localization and identification as opposed to occasional verification and authentication? Why may test results be kept for an unnecessarily long time (five or even 20 years)? How great are the risks of hacking, data breaches, fraud and forgery? To what extent will there be decentralized, privacy-friendly technology, privacy by design, open source software, data minimization and anonymization? Will test certificates remain free of charge and to what extent will privacy-friendly diversity and choice in testing applications be possible? Is work already underway to introduce an ‘alternative digital carrier’ in place of the Dutch CoronaCheck app, namely a chip, with all the risks that entails? How will function creep and profiling be prevented and are there any arrangements when it comes to data protection supervision? Will non-digital, paper alternatives always remain available? What will happen to the test material taken, i.e. everyone’s DNA? And when will the corona test certificates be abolished?

As long as such concerns and questions remain unanswered, submission of this bill makes no sense at all and the corona test certificate will only lead to the destruction of social capital. Privacy First therefore reiterates its request that the current proposal be withdrawn and not submitted to Parliament. Failing this, Privacy First will reserve the right to have the matter reviewed by the courts and declared unlawful.

[1] See the Dutch National Privacy Conference, 28 January 2021, https://youtu.be/asEX1jy4Tv0?t=9378, starting at 2h 36 min 18 sec.
[2] See Council of Europe, Parliamentary Assembly, Resolution 2361 (2021): Covid-19 vaccines: ethical, legal and practical considerations, https://pace.coe.int/en/files/29004/html, par. 7.3.1-7.3.2: “Ensure that citizens are informed that the vaccination is NOT mandatory and that no one is politically, socially, or otherwise pressured to get themselves vaccinated, if they do not wish to do so themselves; ensure that no one is discriminated against for not having been vaccinated, due to possible health risks or not wanting to be vaccinated.” See also, for example, Dutch House of Representatives, Motion by Member Azarkan on No Corona Vaccination Obligation (28 October 2020), Parliamentary Document 25295-676, https://zoek.officielebekendmakingen.nl/kst-25295-676.html: "The House (...) pronounces that there should never be a direct or indirect coronavirus vaccination obligation in the future"; Motion by Member Azarkan on Access to Public Benefits for All Regardless of Vaccination or Testing Status (5 January 2021), Parliamentary Document 25295-864, https://zoek.officielebekendmakingen.nl/kst-25295-864.html: "The House (...) requests the government to enable access to public services for all regardless of vaccination or testing status.’

In the fight against the coronavirus, the Dutch government this week made clear that the introduction of a curfew is imminent. Because of this, Privacy First today has sent the following appeal to the Dutch House of Representatives:

Dear Members of Parliament,

This week the Netherlands finds itself at a historical human rights crossroads: is a nation-wide curfew going to be introduced for the first time since World War II? For Privacy First such a far-reaching, generic measure would be disproportionate and far from necessary in virtually every situation. Moreover, in the fight against the coronavirus the effectiveness of such a measure remains unknown to this date. For that alone, there can be no legally required social necessity of a curfew. A curfew could in fact also be counterproductive, as it would harm the mental and (therefore also) physical health of large groups in society. Besides, a curfew in the Netherlands is yet another step towards a surveillance society. The use of lighter, targeted and more effective measures is always preferable. Should a curfew nonetheless be introduced, Privacy First would consider it a massive violation of the right to privacy and freedom of movement. Privacy First therefore calls on you to not let this happen and to thwart the introduction of a curfew.

Yours faithfully,

The Privacy First Foundation

Update 17 February 2021: this week, in summary proceedings, the district court of The Hague handed down a ground-breaking ruling that says that the curfew was wrongly introduced under the Dutch Extraordinary Powers Act. The current Dutch curfew is therefore unlawful. Moreover, the court found that there are "major question marks regarding the factual substantiation by the State of the necessity of the curfew. (...) Before a far-reaching restriction such as a curfew is introduced, it must be clear that no other, less far-reaching measures are available and that the introduction of the curfew will actually have a substantial effect", stated the court, without the conviction that this was the case. In addition, the court raised the question of why an urgent (but voluntary) curfew advice had not been chosen. The court also noted that "the Dutch Outbreak Management Team, according to the team itself, has no evidence that the curfew will make a substantial contribution to reducing the spread of the virus." All this "makes the State's assertion that a curfew is inevitable at least debatable and without convincing justification", the court concluded. (See judgment (in Dutch), paragraphs 4.12-4.14.)

The judgment of the district court of The Hague is in line with Privacy First’s earlier position. Privacy First hopes that this will be confirmed on appeal by the Hague Court of Appeal and that it will also lead to the rejection of the curfew by both the Dutch House of Representatives and the Senate.

Yesterday, there was a hearing in the Dutch House of Representatives in which the by now notorious Corona app was critically discussed. The House had invited various experts and organizations (among which Privacy First) to submit position papers and take part in the hearing. Below is both the full text of our position paper, as well as the text which was read out at the hearing. A video of the entire hearing (in Dutch) can be found HERE. Click HERE for the program, all speakers and position papers.

Dear Members of Parliament,

Thank you kindly for your invitation to take part in this roundtable discussion about the so-called Corona app. In the view of Privacy First, apps like these are a threat to everyone’s privacy. We will briefly clarify this below.

Lack of necessity and effectiveness

With great concern, Privacy First has taken note of the intention of the Dutch government to employ a contact tracing app in the fight against the coronavirus. Thus far, the social necessity of such apps has not been proven, while the experience of other countries indicates there is ground to seriously doubt their benefit and effectiveness. In fact, these apps may even be counterproductive as their use leads to a false sense of safety. Moreover, it’s very hard to involve the most vulnerable group of people (the elderly) through this means. This should already be enough reason to refrain from using Corona apps.

Surveillance society

In Privacy First’s view, the use of such apps is a dangerous development because it could lead to stigmatization and numerous unfounded suspicions, and may also cause unnecessary unrest and panic. Even when ‘anonymized’, the data from these apps can still be traced back to individuals through data fusion. In case this technology will be introduced on a large scale, it will result in a surveillance society in which everyone is being continuously monitored – something people will be acutely aware of and would lead to an imminent societal chilling effect.

Risks of misuse

There is a significant risk that the collected data will be used for multiple purposes (function creep) and be misused by both companies and public authorities. The risk of surreptitious access, hacking, data breaches and misuse is substantial, particularly in the case of central instead of decentral (personal) storage as well as a lack of open source software. However, not even the use of personal storage offers any warranty against misuse, malware and spyware, or, for that matter, makes users less dependent on technical vulnerabilities. Moreover, if the data fall into the hands of criminal organizations, they will be a gold mine for criminal activities.

For Privacy First, the risks of Corona apps do not outweigh their presumed benefits. Therefore, Privacy First advises the House to urge the cabinet not to proceed with the introduction of such apps.

Testing instead of apps

According to Privacy First, there is a better and more effective solution in the fight against the coronavirus. One that is based on the principles of proportionality and subsidiarity, i.e., large scale testing of people to learn about infection rates and immunization. To this end, the necessary test capacity should become available as soon as possible.

Haste is rarely a good thing

If, despite all the above-mentioned objections, it will be decided there is going to be a Corona app after all, then this should come about only after a careful social and democratic process with sufficiently critical, objective and independent scrutiny. This has not been the case so far, judging by the developments of the past few days. In this context, Privacy First recommends that the House calls on the cabinet to put its plans on ice and impose a moratorium on the use of Corona apps.

Privacy by design

The right to anonymity in public space is a fundamental right, one that is crucial for the functioning of our democratic constitutional state. Any democratic decision to nullify this right is simply unacceptable. If indeed the deployment of ‘Corona apps’ will be widespread, then at least their use should be strictly anonymous and voluntary. That is to say, they should be used only for a legitimate, specific purpose, following individual, prior consent without any form of outside pressure and on the premise that all the necessary information is provided. In this respect, privacy by design (embedding privacy protection in technology) must be a guiding principle. For Privacy First, these are stringent and non-negotiable prerequisites. In case these conditions are not met, Privacy First will not hesitate to bring proceedings before a court.      

Yours faithfully,

The Privacy First Foundation
(...)

Dear Members of Parliament,

You have received our position paper, this is our oral explanation.

First of all: Privacy First is firmly against any form of surveillance infrastructure, with or without apps.

With this in mind, we look at three legal principles:

•  Legitimate purpose limitation.
  - What is the problem?
  - What is the scale of the problem?
  - What are possible objectives, how can we achieve these objectives, and how can we measure progress towards them?
  
  It’s already impossible to answer the first question as we now test partially and selectively. The total infected population is unknown, the people who have recovered are unknown also, and do not get reported. There is, however, fearmongering as a result of emotions and selective reporting; deaths with multiple causes (die with as opposed to die from Corona) and admittance to critical care units.
  
  Let us be clear, we will first have to map out the causes of this problem before we can draw conclusions and talk about solutions. Not only IT professionals and virologists should be involved in this, to no lesser extent we need philosophers, legal scholars, sociologists, entrepreneurs and others who represent society also.
  
  
• Necessity and proportionality. In terms of test capacity, critical care units, medical materials and medical personnel, we essentially have a capacity problem. So, there is no doubt in our mind what we should be focusing on, also in view of future outbreaks; testing the entire population in order to tell who is infected and who is immune, and be able to determine the real problem. 97% of the population is unaffected. Make sure there will be a division and proper care for high-risk groups. Halt crisis communication and start crisis management. Take all treatment methods seriously, including those that are not profitable for Big Pharma and Big Tech.
  
  
• Subsidiarity. Once we know the problem, we may ask what the solutions are. Additional personnel at municipal health centers? Building a critical care unit hospital specifically for situations like these? Increasing the test capacity in order to be able to take decisions based on figures? All of this is possible within our current health system, with the general practitioner as the first point of contact.

On the basis of trust, we have given our government six weeks to get its act together. And what do we get in return? Distrust and monitoring tools. And still shortages of medical equipment. So, fix the fundamentals, deal with the treatment and test capacity and stop building new technological gadgets and draconian apps used in dictatorial regimes in Asia. And take The Netherlands out of this prolonged lockdown as soon as possible. Privacy First is opposed to a ‘1.5-meter society’ as the new normal, and is instead in favor of a common-sense society based on trust in mature citizens.

With great concern, Privacy First has taken note of the intention of the Dutch government to employ special apps in the fight against the coronavirus. In Privacy First’s view, the use of such apps is a dangerous development because it could lead to stigmatisation and numerous unfounded suspicions, and may also cause unnecessary unrest and panic. Even when ‘anonymized’, the data from these apps can still be traced back to individuals through data fusion. In case this technology will be introduced on a large scale, it will result in a surveillance society in which everyone is being continuously monitored – something people will be acutely aware of and would lead to an imminent societal chilling effect. Furthermore, there is a substantial risk that the collected data will be used and misued for multiple (illegitimate) purposes by companies and public authorities. Moreover, if these data fall into the hands of criminal organizations, they will be a gold mine for criminal activities. For Privacy First, these risks of Corona apps do not outweigh their presumed benefits.

The right to anonymity in public space is a fundamental right, one that is crucial for the functioning of our democratic constitutional State. Any democratic decision to nullify this right is simply unacceptable. If indeed the deployment of ‘Corona apps’ will be widespread, then at least their use should be strictly anonymous and voluntary. That is to say, they should be used only for a legitimate, specific purpose, following individual, prior consent without any form of outside pressure and on the premise that all the necessary information is provided. In this respect, privacy by design (embedding privacy protection in technology) must be a guiding principle. For Privacy First, these are stringent and non-negotiable prerequisites. In case these conditions are not met, Privacy First will not hesitate to bring proceedings before a court.

The world is hit exceptionally hard by the coronavirus. This pandemic is not only a health hazard, but can also lead to a human rights crisis, endangering privacy among other rights.

The right to privacy includes the protection of everyone’s private life, personal data, confidential communication, home inviolability and physical integrity. Privacy First was founded to protect and promote these rights. Not only in times of peace and prosperity, but also in times of crisis.

Now more than ever, it is vital to stand up for our social freedom and privacy. Fear should not play a role in this. However, various countries have introduced draconian laws, measures and infrastructures. Much is at stake here, namely preserving everyone’s freedom, autonomy and human dignity.

Privacy First monitors these developments and reacts proactively as soon as governments are about to take measures that are not strictly necessary and proportionate. In this respect, Privacy First holds that the following measures are in essence illegitimate:
- Mass surveillance
- Forced inspections in the home
- Abolition of anonymous or cash payments
- Secret use of camera surveillance and biometrics
- Every form of infringement on medical confidentiality.

Privacy First will see to it that justified measures will only apply temporarily and will be lifted as soon as the Corona crisis is over. It should be ensured that no new, structural and permanent emergency legislation is introduced. While the measures are in place, effective legal means should remain available and privacy supervisory bodies should remain critical.

Moreover, in order to control the coronavirus effectively, we should rely on the individual responsibility of citizens. Much is possible on the basis of voluntariness and individual, fully informed, specific and prior consent.

As always, Privacy First is prepared to assist in the development of privacy-friendly policies and any solutions based on privacy by design, preferably in collaboration with relevant organizations and experts. Especially in these times, the Netherlands (and the European Union) can become an international point of reference when it comes to fighting a pandemic while preserving democratic values and the right to privacy. This is the only way that the Corona crisis will not be able to weaken our world lastingly, and instead, we will emerge stronger together.

On July 1 and 2, 2019, the Netherlands will be examined in Geneva by the United Nations Human Rights Committee. This UN body is tasked with supervising the compliance of one of the oldest and most important human rights treaties in the world: the International Covenant on Civil and Political Rights (ICCPR). Each country which is a contracting party to the ICCPR is subject to periodical review by the UN Human Rights Committee. At the beginning of next week, the Dutch government must answer before the Committee for various current privacy issues that have been put on the agenda by Privacy First among others.

The previous Dutch session before the UN Human Rights Committee dates from July 2009, when the Dutch minister of Justice Ernst Hirsch Ballin had to answer for the then proposed central storage of fingerprints under the new Dutch Passport Act. This was a cause for considerable criticism of the Dutch government. Now, ten years on, the situation in the Netherlands will be examined once more. Against this background, Privacy First had submitted to the Committee a critical report (pdf) at the end of 2016, and has recently supplemented this with a new report (pdf). In a nutshell, Privacy First has brought the following current issues to the attention of the Committee:

- the limited admissibility of interest groups in class action lawsuits 

- the Dutch ban on judicial review of the constitutionality of laws

- profiling

- Automatic Number Plate Recognition (ANPR)

- border control camera system @MIGO-BORAS

- the Dutch public transport chip card ('OV-chipkaart') 

- Electronic Health Record systems

- possible reintroduction of the Telecommunications Data Retention Act

- the new Dutch Intelligence and Security Services Act (‘Tapping Law’)

- PSD2

- Passenger Name Records (PNR)

- the Dutch abolition of consultative referendums

- the Dutch non-recognition of the international prohibition of propaganda for war.

The entire Dutch session before the Committee can be watched live on UN Web TV on Monday afternoon, July 1, and Tuesday morning, July 2. In addition to privacy issues, several Dutch organizations have put numerous other human rights issues on the agenda of the Committee; click HERE for an overview, which also features the previously established List of Issues (including the new Intelligence and Security Services Act, the possible reintroduction of the retention of telecommunications data, camera system @MIGO-BORAS, and medical confidentiality with health insurance companies). The Committee will likely present its ‘Concluding Observations’ within a matter of weeks. Privacy First awaits the outcome of these observations with confidence.

Update July 26, 2019: yesterday afternoon the Committee has published its Concluding Observations on the human rights situation in the Netherlands, which includes critical opinions on two privacy issues that were brought to the attention of the Committee by Privacy First: 

The Intelligence and Security Services Act

The Committee is concerned about the Intelligence and Security Act 2017, which provides intelligence and security services with broad surveillance and interception powers, including bulk data collection. It is particularly concerned that the Act does not seem to provide for a clear definition of bulk data collection for investigation related purpose; clear grounds for extending retention periods for information collected; and effective independent safeguards against bulk data hacking. It is also concerned by the limited practical possibilities for complaining, in the absence of a comprehensive notification regime to the Dutch Oversight Board for the Intelligence and Security Services (CTIVD) (art. 17).
The State party should review the Act with a view to bringing its definitions and the powers and limits on their exercise in line with the Covenant and strengthen the independence and effectiveness of CTIVD and the Committee overseeing intelligence efforts and competences that has been established by the Act.

The Market Healthcare Act

The Committee is concerned that the Act to amend the Market Regulation (Healthcare) Act allows health insurance company medical consultants access to individual records in the electronic patient registration without obtaining a prior, informed and specific consent of the insured and that such practice has been carried out by health insurance companies for many years (art. 17).
The State party should require insurance companies to refrain from consulting individual medical records without a consent of the insured and ensure that the Bill requires health insurance companies to obtain a prior and informed consent of the insured to consult their records in the electronic patient registration and provide for an opt-out option for patients that oppose access to their records.

During the session in Geneva the abolition of the referendum and the camera system @MIGO-BORAS were also critically looked at. However, Privacy First regrets that the Committee makes no mention of these and various other current issues in its Concluding Observations. Nevertheless, the report by the Committee shows that the issue of privacy is ever higher on the agenda of the United Nations. Privacy First welcomes this development and will continue in the coming years to encourage the Committee to go down this path. Moreover, Privacy First will ensure that the Netherlands will indeed implement the various recommendations by the Committee.

The entire Dutch Session before the Committee can be watched on UN Web TV (1 July and 2 July). See also the extensive UN reports, part 1 and part 2 (pdf).

Today an important debate will take place in the Dutch House of Representatives about the introduction of Passenger Name Records (PNR): the large scale, years-long storage of all sorts of data of airline passengers, supposedly to fight crime and terrorism. Privacy First has major objections and at the end of last week has sent the following letter to the House. Today’s parliamentary debate was first scheduled to take place on 14 May 2018, but was cancelled (following a similar letter from Privacy First) until further notice. Following new parliamentary questions, the debate will now take place today after all. Here is the full text of our most recent letter:

Dear Members of the House of Representatives,

On Monday afternoon, this 11 March, you will discuss the Dutch implementation of the European directive on Passenger Name Records (PNR) with minister Grapperhaus (Justice and Security). In Privacy First’s view, both the European PNR directive as well as the Dutch implementation thereof are legally untenable. We shall here briefly elucidate our position.

Holiday register

Under the minister’s legislative proposal concerning PNR, numerous data of every single airline passenger travelling to or from the Netherlands will be stored for five years in a central government database of the new Passenger Information Unit and will be used to prevent, investigate and prosecute crimes and terrorism. Sensitive personal data (such as names, addresses, telephone numbers, email addresses, dates of birth, travel data, ID document numbers, destinations, fellow passengers and payment data) of many millions of passengers will, as a result, become available for many years for the purpose of data mining and profiling. In essence, this means that every airline passenger will be treated as a potential criminal or terrorist. In 99.9% of all cases, however, this concerns perfectly innocent citizens, mainly holidaymakers and business travellers. This is a flagrant breach of their right to privacy and freedom of movement. Last year, Privacy First had already made these arguments in the Volkskrant and on BNR Nieuwsradio. Because of privacy objections, in recent years there has been a lot of political resistance to such large scale PNR storage of data, which has been rejected by both the House of Representatives as well as the European Parliament on several occasions since 2010. In 2015, Dutch ruling parties VVD and PvdA were absolutely opposed to PNR as well. Back then, they called it a ‘holiday register’ and they themselves threatened to take to the European Court of Justice in case the PNR directive would be adopted. However, after the attacks in Paris and Brussels, it seemed that many political restraints had evaporated and in 2016, the PNR directive finally came about after all. Up to now however, the legally required necessity and proportionality of this directive have still to be demonstrated.

European Court

In the summer of 2017, the European Court of Justice issued an important ruling with regard to the similar PNR agreement between the EU and Canada. The Court declared this agreement invalid because it violates the right to privacy. Among other things, the Court held that the envisaged agreement must, “limit the retention of PNR data after the air passengers’ departure to that of passengers in respect of whom there is objective evidence from which it may be inferred that they may present a risk in terms of the fight against terrorism and serious transnational crime.” (See Opinion 1/15 (26 July 2017), par. 207.) Ever since this ruling, the European PNR directive is a legal uncertainty. Therefore, the Dutch government has valid ‘‘concerns about the future viability of the PNR directive” (see Note in response to report, p. 23, in Dutch). Privacy First expects that the current PNR directive will soon be submitted to the European Court of Justice for judicial review and will then be declared unlawful. Subsequently, a situation will arise that is similar to the one we have witnessed a few years ago with regard to the European Telecommunications Data Retention Act: as soon as this European directive will be annulled, the Dutch implementing provisions will equally be invalidated in interim injunction proceedings.

Mass surveillance

The current Dutch PNR legislative proposal seems unlawful a priori because of a lack of demonstrable necessity, proportionality and subsidiarity. The legislative proposal comes down to mass surveillance of mostly innocent citizens; in the 2016 Tele2 case the European Court already ruled that this type of legislation is unlawful. Thereupon the Netherlands pledged before the UN Human Rights Council “to ensure that the collection and maintenance of data for criminal [investigation] purposes does not entail massive surveillance of innocent persons.” The Netherlands now seems to renege on that promise. After all, a lot of completely unnecessary data of every airline passenger will be stored for years and can be used by various Dutch, European and even non-European government agencies. Moreover, the effectiveness of PNR has to date never been demonstrated, the minister himself affirmed: ‘‘There is no statistical support” (see Note in response to report, p. 8, in Dutch). The risk of unjust suspicion and discrimination (due to fallible algorithms used for profiling) under the proposed PNR system is serious, which also increases the likelihood of delays and missed flights for innocent passengers. All the while, wanted persons will often stay under the radar and choose alternative travel routes. Furthermore, the legislative proposal entirely fails to address the role and capabilities of secret services, which will be granted secret and shielded access to the central PNR database under the new Dutch Intelligence and Security Services Act. However, the most questionable aspect of the Dutch PNR legislative proposal is that it goes even two steps further than the European PNR directive itself: After all, it is the Dutch government's own decision to also store the data of passengers on all intra-EU flights. This is not obligatory under the PNR directive, and the Netherlands could have limited this to preselected flights (judged to be at risk) only. This would have been in line with the advice of most experts in this field who argue for targeted actions as opposed to mass surveillance. In other words, to focus on persons with a reasonable suspicion about them, in accordance with the principles of our democracy under the rule of law.

Privacy First Advice

Privacy First strongly advises you to reject the current legislative proposal and to replace it with a privacy-friendly version. In case this will lead to the European Commission referring the Netherlands to the European Court of Justice due to a lack of implementation of the present PNR directive, Privacy First would be confident this would end in a clear victory for the Netherlands. EU Member States simply cannot be expected to implement privacy-violating EU rules. This applies equally to the national implementation of relevant resolutions of the UN Security Council (in this case UNSC Res. 2396 (2017)) which is similarly at odds with international human rights law. In this respect, Privacy First has already warned of the abuse of the Dutch TRIP system (which is also used for PNR) by other UN Member States. In this regard, the Netherlands has its own responsibility under the Dutch Constitution as well as under international law.

For further information or questions with respect to the issues above, feel free to contact Privacy First at all times by phone (+31-20-8100279) or email: This email address is being protected from spambots. You need JavaScript enabled to view it..

Yours sincerely,

Privacy First Foundation

Update 19 March 2019: Regrettably, today the House of Representatives has adopted the legislative proposal almost unchanged; only GroenLinks, SP, PvdD and Denk voted against. Unfortunately, a motion by GroenLinks and SP to provoke legal action by the European Commission against the Dutch government about the PNR directive was rejected. The only bright spot is the widely adopted motion for the judicial reassessment and possible revision of the PNR directive at a European political level. (Only PVV and FvD voted against this motion.) Next stop: the Senate.

Update 4 June 2019: despite sending the above letter for a second time and despite other critical input by Privacy First, the Senate today has unfortunately adopted the legislative proposal. Only GroenLinks, PvdD and SP voted against. Even in spite of the enormous error rates (false positives) of 99.7% that recently came to light in the comparable German PNR system, see https://www.sueddeutsche.de/digital/fluggastdaten-bka-falschtreffer-1.4419760. Meanwhile, large scale cases have been brought against the European PNR directive in Germany and Austria in order for the European Court of Justice to nullify it on account of violations of the right to privacy, see the German-English campaign website https://nopnr.eu and https://www.nrc.nl/nieuws/2019/05/15/burgers-in-verzet-tegen-opslaan-passagiersgegevens-a3960431. As soon as the European Court rules that the PNR directive is unlawful, Privacy First will start interim injunction proceedings in order for the Dutch PNR law to be rendered inoperative. Moreover, yesterday Privacy First has put the PNR law on the agenda of the UN Human Rights Committee in Geneva. On 1 and 2 July 2019, the overall human rights situation in the Netherlands (including violations of the right to privacy) will be critically reviewed by this Committee.