Law & Politics

On July 1 and 2, 2019, the Netherlands will be examined in Geneva by the United Nations Human Rights Committee. This UN body is tasked with supervising the compliance of one of the oldest and most important human rights treaties in the world: the International Covenant on Civil and Political Rights (ICCPR). Each country which is a contracting party to the ICCPR is subject to periodical review by the UN Human Rights Committee. At the beginning of next week, the Dutch government must answer before the Committee for various current privacy issues that have been put on the agenda by Privacy First among others.

The previous Dutch session before the UN Human Rights Committee dates from July 2009, when the Dutch minister of Justice Ernst Hirsch Ballin had to answer for the then proposed central storage of fingerprints under the new Dutch Passport Act. This was a cause for considerable criticism of the Dutch government. Now, ten years on, the situation in the Netherlands will be examined once more. Against this background, Privacy First had submitted to the Committee a critical report (pdf) at the end of 2016, and has recently supplemented this with a new report (pdf). In a nutshell, Privacy First has brought the following current issues to the attention of the Committee:

- the limited admissibility of interest groups in class action lawsuits 

- the Dutch ban on judicial review of the constitutionality of laws

- profiling

- Automatic Number Plate Recognition (ANPR)

- border control camera system @MIGO-BORAS

- the Dutch public transport chip card ('OV-chipkaart') 

- Electronic Health Record systems

- possible reintroduction of the Telecommunications Data Retention Act

- the new Dutch Intelligence and Security Services Act (‘Tapping Law’)

- PSD2

- Passenger Name Records (PNR)

- the Dutch abolition of consultative referendums

- the Dutch non-recognition of the international prohibition of propaganda for war.

The entire Dutch session before the Committee can be watched live on UN Web TV on Monday afternoon, July 1, and Tuesday morning, July 2. In addition to privacy issues, several Dutch organizations have put numerous other human rights issues on the agenda of the Committee; click HERE for an overview, which also features the previously established List of Issues (including the new Intelligence and Security Services Act, the possible reintroduction of the retention of telecommunications data, camera system @MIGO-BORAS, and medical confidentiality with health insurance companies). The Committee will likely present its ‘Concluding Observations’ within a matter of weeks. Privacy First awaits the outcome of these observations with confidence.

Update July 26, 2019: yesterday afternoon the Committee has published its Concluding Observations on the human rights situation in the Netherlands, which includes critical opinions on two privacy issues that were brought to the attention of the Committee by Privacy First: 

The Intelligence and Security Services Act

The Committee is concerned about the Intelligence and Security Act 2017, which provides intelligence and security services with broad surveillance and interception powers, including bulk data collection. It is particularly concerned that the Act does not seem to provide for a clear definition of bulk data collection for investigation related purpose; clear grounds for extending retention periods for information collected; and effective independent safeguards against bulk data hacking. It is also concerned by the limited practical possibilities for complaining, in the absence of a comprehensive notification regime to the Dutch Oversight Board for the Intelligence and Security Services (CTIVD) (art. 17).
The State party should review the Act with a view to bringing its definitions and the powers and limits on their exercise in line with the Covenant and strengthen the independence and effectiveness of CTIVD and the Committee overseeing intelligence efforts and competences that has been established by the Act.

The Market Healthcare Act

The Committee is concerned that the Act to amend the Market Regulation (Healthcare) Act allows health insurance company medical consultants access to individual records in the electronic patient registration without obtaining a prior, informed and specific consent of the insured and that such practice has been carried out by health insurance companies for many years (art. 17).
The State party should require insurance companies to refrain from consulting individual medical records without a consent of the insured and ensure that the Bill requires health insurance companies to obtain a prior and informed consent of the insured to consult their records in the electronic patient registration and provide for an opt-out option for patients that oppose access to their records.

During the session in Geneva the abolition of the referendum and the camera system @MIGO-BORAS were also critically looked at. However, Privacy First regrets that the Committee makes no mention of these and various other current issues in its Concluding Observations. Nevertheless, the report by the Committee shows that the issue of privacy is ever higher on the agenda of the United Nations. Privacy First welcomes this development and will continue in the coming years to encourage the Committee to go down this path. Moreover, Privacy First will ensure that the Netherlands will indeed implement the various recommendations by the Committee.

The entire Dutch Session before the Committee can be watched on UN Web TV (1 July and 2 July). See also the extensive UN reports, part 1 and part 2 (pdf).

Partly on the initiative of Privacy First, a special Committee of the United Nations will this week in Geneva look into the imminent adoption of Taser weapons among the entire Dutch police force. This adoption possibly contravenes the UN Convention against Torture.

Right to physical integrity

For Privacy First, the right to privacy has always been a broad human rights concept. This includes the right to physical integrity. In recent years, this right has come under increasing pressure, think of preventive frisking on the streets, body scans at airports, DNA databases, the new Organ Donation Act in the Netherlands, discussions about compulsory vaccinations, etc. The right to physical integrity is laid down not only in the European Convention on Human Rights, but is also protected by Article 11 of the Dutch Constitution. At an international level, this right is part of the category of human rights which have the strongest protection. The absolute prohibition of torture and other cruel, inhuman or degrading treatment falls in the same category.

UN Convention against Torture

In international law, torture is in the small category of absolute prohibitions. Other examples within this category are the prohibition of genocide, international aggression (illegal warfare), slavery, racial discrimination, apartheid and piracy. Violation of these norms is always and under all circumstances prohibited. Anyone anywhere in the world who is committing or has committed torture or other cruel, inhuman or degrading treatment or punishment should therefore be prosecuted and extradited. Public officials, ministers, presidents and Heads of State are no exception to this rule. Since 1988, the Netherlands is party to the convention in which this is laid down: the UN Convention against Torture. Every contracting party is periodically reviewed by the treaty monitoring body in Geneva: the UN Committee against Torture. Opinions delivered by this Committee provide authoritative guidance on the application and interpretation of the convention. On Tuesday and Wednesday this week, it will be the Netherlands’ turn to be reviewed (the last time was in 2013): on Tuesday the Netherlands will be questioned by the Committee’s members, after which the Dutch government delegation will provide its answers on Wednesday. Subsequently, the Committee will issue a series a recommendations (‘Concluding Observations’) to the Netherlands.

Taser weapons on the UN agenda

In preparation of the Dutch session and on behalf of a broad coalition of civil society organizations, the Dutch section of the International Commission of Jurists for Human Rights (Nederlands Juristen Comité voor de Mensenrechten, NJCM) has recently sent a so-called 'shadow report' about the Netherlands to the Committee in Geneva. On the initiative of Privacy First, the issue of Taser weapons was expressly put on the agenda, as was the case in 2013. The situation is such that the Dutch government aims to provide every Dutch police officer with his own Taser weapon, media reported only last week. Thus far, only special arrest teams are equipped with Taser weapons. The expectation is that the wider, more general deployment of Taser weapons will lead to structural excesses. In this respect, all scandals with Taser weapons, particularly those in the United States, speak for themselves. In Privacy First’s view, the use of Taser weapons can easily lead to violations of the international prohibition of torture or cruel or inhuman treatment and the associated right to physical integrity. Taser weapons lower the threshold for the use of violence and hardly leave behind any visible traces. By the same token, Taser weapons can cause serious physical and mental damage. This results in serious risks for the Dutch population and for certain vulnerable groups in particular. That’s why our joint shadow report to the Committee emphasizes these risks (see pages 15-16 of the report).

Previous criticism of the UN Committee

Both the Dutch coalition of civil society organizations as well as Amnesty International have requested the UN Committee to cross-examine the Dutch government on this issue and advise the Netherlands not to equip the entire police force with Taser weapons. This is what Privacy First and other parties had already pushed for during the previous session of the UN Committee in 2013. Back then, this led the Committee to issue the following urgent recommendations to the Netherlands:

“The Committee recommends to [the Netherlands], in accordance with articles 2 and 16 of [the Convention against Torture], to refrain from flat distribution and use of electrical discharge weapons by police officers. It also recommends adopting safeguards against misuse and providing proper training for the personnel to avoid excessive use of force. In addition, the Committee recommends that electrical discharge weapons should be used exclusively in extreme limited situations where there is a real and immediate threat to life or risk of serious injury, as a substitute for lethal weapons.” (paragraph 27).

Privacy First is confident the Committee will again come up with critical recommendations.

Update 22 November 2018: yesterday and the day before the Dutch session took place before the UN Committee. Numerous topical issues were critically examined, including Taser weapons. Representatives of Curaçao, Sint Maarten and Aruba emphatically declared that no Taser weapons are used on their islands. This contrasted sharply with the statements made by the representative of the Dutch government (Secretary General Siebe Riedstra of the Ministry of Justice and Security), who barely addressed the issue and merely remarked that the Dutch government will take a decision on the adoption of Taser weapons in 2019. Below are all the relevant audio clips:

Questions by Abdelwahab El Hani on behalf of the UN Committee, 20 November 2018:

(simultaneous interpretation into English)

Answer by Siebe Riedstra on behalf of the Netherlands:

New questions by Abdelwahab El Hani on behalf of the UN Committee, 21 November 2018:

(simultaneous interpretation into English)

Answer by Siebe Riedstra on behalf of the Netherlands:

See also the UN press release about the Dutch session in Geneva, the full video recording (day 1 and day 2) and the verbatim report of proceedings (day 1 and day 2). The UN Committee is expected to present its Concluding Observations about the Netherlands within a few weeks’ time.

Update 7 December 2018: today the UN Committee has issued a number of Concluding Observations to the Dutch government, urging the Netherlands not to equip the entire police force with Taser weapons and to limit their adoption to cases that can be deemed proportionate and strictly necessary. The Committee emphatically cautions against using Taser weapons against vulnerable people. Moreover, the Committee expresses serious concerns about the way Taser weapons have been used by the Dutch police thus far.The entire report by the Committee can be found HERE (pdf). Below is the part concerning Taser weapons (paragraph 42-43):

Electrical discharge weapons (tasers) and pepper spray

42. The Committee notes with concern that despite its previous recommendations against the routine distribution and use of electrical discharge weapons (tasers) by police officers, the State party conducted a pilot testing from February 2017 to February 2018 without clear instructions on their restrictive use. It is particularly concerned at information that during this pilot period, police officers used tasers in situations where there was no real and immediate threat to life or risk of serious injury, including in cases where targeted individuals were already in police custody. It is further concerned about reports of the frequent use of the so-called “stun mode” which is intended to merely inflict pain, and the incidents in which tasers were used against minors as well as persons with mental disabilities in healthcare settings. In addition, the Committee is concerned about information that the use of pepper spray is not regulated fully in line with principles of necessity and proportionality and that the new draft Instructions on the Use of Force is expected to further lower the threshold for using it and to permit its use against vulnerable persons including pregnant women and children (arts. 2, 11 and 16).

43. Recalling the Committee’s previous recommendations (CAT/C/NLD/CO/5-6, para. 27), the State party should:

(a) Refrain from routine distribution and use of electrical discharge weapons by police officers in their day-to-day policing, with a view to establishing a high threshold for their use and avoiding excessive use of force;

(b) Ensure that electrical discharge weapons are used exclusively in limited situations where there is a real and immediate threat to life or risk of serious injury, as a substitute for lethal weapons and by trained law enforcement officers only;

(c) Explicitly prohibit the use of electrical discharge weapons and pepper spray against vulnerable persons, including minors and pregnant women, and in healthcare settings, including mental health institutions, and especially prohibit the use of electrical discharge weapons in the custodial settings;

(d) Ensure that the instructions on the use of electrical discharge weapons and pepper spray emphasize the absolute prohibition of torture and the need to respect the principles of necessity and proportionality, fully in accordance with the Convention and the Basic Principles on the Use of Force and Firearms by Law Enforcement Officials;

(e) Adopt safeguards against misuse of electrical discharge weapons and pepper spray and provide proper training and awareness programmes for the law enforcement personnel;

(f) Monitor and regularly review the use of electrical discharge weapons and pepper spray, and provide the Committee with this information.

Privacy First appreciates the critical opinion and the principled position of the Committee. Not least because it creates a strong precedent for other countries worldwide. Privacy First will ensure that the Dutch government will comply with the Committee’s observations.

Tomorrow morning the Netherlands will be examined in Geneva by the highest human rights body in the world: the United Nations Human Rights Council. Since 2008, the Human Rights Council reviews the human rights situation in each UN Member State once every five years. This procedure is called the Universal Periodic Review (UPR).

Privacy First shadow report

During the previous two UPR sessions in 2008 and 2012, the Netherlands endured a fair amount of criticism. At the moment, the perspectives with regard to privacy in the Netherlands are worse than they’ve ever been before. This is reason for Privacy First to actively bring a number of issues to the attention of the UN. Privacy First did so in September 2016 (a week prior to the UN deadline), through a so-called shadow report: a report in which civil society organizations express their concerns about certain issues. (It’s worth pointing out that the Human Rights Council imposes rigorous requirements on these reports, a strict word limit being one of them.) UN diplomats rely on these reports in order to properly carry out their job. Otherwise, they would depend on one-sided State-written reports that mostly provide a far too optimistic view. So Privacy First submitted its own report about the Netherlands (pdf), which includes the following recommendations:

• Better opportunities in the Netherlands for civil society organizations to collectively institute legal proceedings.

• Introduction of constitutional review of laws by the Dutch judiciary.

• Better legislation pertaining to profiling and datamining.

• No introduction of automatic number plate recognition (ANPR) as is currently being envisaged.

• Suspension of the unregulated border control system @MIGO-BORAS.

• No reintroduction of large scale data retention (general Data Retention Act).

• No mass surveillance under the new Intelligence and Security Services Act and closer judicial supervision over secret services.

• Withdrawal of the Computer Criminality Act III , which will allow the Dutch police to hack into any ICT device.

• A voluntary and regionally organized (instead of a national) Electronic Health Record system with privacy by design.

• Introduction of an anonymous public transport chip card that is truly anonymous.

You can find our entire report HERE (pdf). The reports from other organizations can be found HERE.

Embassies

Privacy First did not sent its report only to the Human Rights Council but also forwarded it to all the foreign embassies in The Hague. Consequently, Privacy First had extensive (confidential) meetings in recent months with the embassies of Argentina, Australia, Bulgaria, Chili, Germany, Greece and Tanzania. The positions of our interlocutors varied from senior diplomats to ambassadors. Furthermore, Privacy First received positive reactions to its report from the embassies of Mexico, Sweden and the United Kingdom. Moreover, several passages from our report were integrated in the UN summary of the overall human rights situation in the Netherlands; click HERE ('Summary of stakeholders' information', par. 47-50).

Our efforts will hopefully prove to have been effective tomorrow. However, this cannot be guaranteed as it concerns an inter-State, diplomatic process and many issues in our report (and in recent talks) are sensitive subjects in countless other UN Member States as well.

UN Human Rights Committee

In December 2016, Privacy First submitted a similar report to the UN Human Rights Committee in Geneva. This Committee periodically reviews the compliance of the Netherlands with the International Covenant on Civil and Political Rights (ICCPR). Partly as a result of this report, last week the Committee put the Intelligence and Security Services Act, camera system @MIGO-BORAS and the Data Retention Act among other things, on the agenda for the upcoming Dutch session in 2018 (see par. 11, 27).

We hope that our input will be used by both the UN Human Rights Council as well as the UN Human Rights Committee and that it will lead to constructive criticism and internationally exchangeable best practices.

The Dutch UPR session will take place tomorrow between 9am and 12.30pm and can be followed live online.

Update 10 May 2017: during the UPR session in Geneva today, the Dutch government delegation (led by Dutch Minister of Home Affairs Ronald Plasterk) received critical recommendations on human rights and privacy in relation to counter-terrorism by Canada, Germany, Hungary, Mexico and Russia. The entire UPR session can be viewed HERE. Publication of all recommendations by the UN Human Rights Council follows May 12th.

Update 12 May 2017: Today all recommendations to the Netherlands have been published by the UN Human Rights Council, click HERE (pdf). Useful recommendations to the Netherlands regarding the right to privacy were made by Germany, Canada, Spain, Hungary, Mexico and Russia, see paras. 5.29, 5.30, 5.113, 5.121, 5.128 & 5.129. You can find these recommendations below. Further comments by Privacy First will follow.

Extend the National Action Plan on Human Rights to cover all relevant human rights issues, including counter-terrorism, government surveillance, migration and human rights education (Germany);

Extend the National Action Plan on Human Rights, published in 2013 to cover all relevant human rights issues, including respect for human rights while countering terrorism, and ensure independent monitoring and evaluation of the Action Plan (Hungary);

Review any adopted or proposed counter-terrorism legislation, policies, or programs to provide adequate safeguards against human rights violations and minimize any possible stigmatizing effect such measures might have on certain segments of the population (Canada);

Take necessary measures to ensure that the collection and maintenance of data for criminal [investigation] purposes does not entail massive surveillance of innocent persons (Spain);

Adopt and implement specific legislation on collection, use and accumulation of meta-data and individual profiles, including in security and anti-terrorist activities, guaranteeing the right to privacy, transparency, accountability, and the right to decide on the use, correction and deletion of personal data (Mexico);

Ensure the protection of private life and prevent cases of unwarranted access of special agencies in personal information of citizens in the Internet that have no connection with any illegal actions (Russian Federation). [sic]

Update 26 May 2017: a more comprehensive UN report of the UPR session has now been published (including the 'interactive dialogue' between UN Member States and the Netherlands); click HERE (pdf). In September this year, the Dutch government will announce which recommendations it will accept and implement.

On November 2nd 2016, the Dutch House of Representatives will address a controversial legislative proposal that will introduce four week storage of the travel movements of all motorists in the Netherlands. In case both chambers of Dutch Parliament adopt this proposal, Privacy First will try to overturn this in court.

Large scale breach of privacy

It is Privacy First’s constant policy to challenge large scale privacy violations in court and have them declared unlawful. Privacy First successfully did so with the central storage of everyone’s fingerprints under the Dutch Passport Act and the storage of everyone’s communications data under the Dutch Telecommunications Retention Act. A current and similar legislative proposal that lends itself for another major lawsuit is legislative proposal 33542 (in Dutch) of the Dutch Minister of Security and Justice, Ard van der Steur, in relation to Automatic Number Plate Recognition (ANPR). Under this legislative proposal, the number plate codes of all motorists in the Netherlands, i.e. everyone’s travel movements, will be collected through camera surveillance and stored for four weeks in police databases for criminal investigation purposes. As a result, every motorist will become a potential suspect. This is a completely unnecessary, wholly disproportionate and ineffective measure. Therefore the proposal is in breach of the right to privacy and thus unlawful.

Old proposal

The current ANPR legislative proposal was already submitted to the Dutch House of Representatives in February 2013 by the then Minister of Security and Justice, Ivo Opstelten. Before that, in 2010, Opstelten’s predecessor Hirsch Ballin had the intention to submit a similar proposal, albeit with a storage period of 10 days. However, back then the House of Representatives declared this subject to be controversial. Opstelten and Van der Steur have thus now taken things a few steps further. Due to privacy concerns, the parliamentary scrutiny of this proposal was at a standstill for several years, but now seems to be reactivated and even reinforced through a six-fold increase of the proposed retention period, courtesy of the ruling parties VVD and PvdA.

Data haystack

Under current Dutch national law, ANPR data of innocent citizens must be erased within 24 hours. In the eyes of the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP), all number plate codes that are not suspect (so-called ‘no-hits’) are to be removed from relevant databases immediately. Van der Steur’s plan to also store the number plate codes of unsuspected citizens for four weeks directly flies in the face of this. VVD and PvdA are even willing to increase this retention period to six months. The inevitable consequence, a haystack of data, would constitute a blatant violation of the right to privacy of every motorist. Any possible judicial oversight of the use of these data would do nothing to alter this.

UN Human Rights Council

In recent years, Privacy First has repeatedly expressed this position to both the House of Representatives (standing committee on Security and Justice) as well as to relevant MPs personally. Privacy First has also made its stance clear in personal meetings with Minister Opstelten (July 2012) and Minister Van der Steur (July 2014, at that time still a VVD MP). Moreover, Privacy First has recently raised this issue with the United Nations. In May 2017, the Dutch government can be held accountable for this at the UN Human Rights Council in Geneva.

Lawsuit

In case both the House of Representatives and the Dutch Senate will adopt the ANPR legislative proposal in its current form, Privacy First (in a broad coalition together with other civil organizations) will immediately summon the Dutch government in order to render the law inoperative on account of violation of the right to privacy. If necessary, Privacy First and co-plaintiffs will litigate all the way up to the European Court of Human Rights in Strasbourg. Considering the European and Dutch case law on the subject, Privacy First rates its chances of legal success very high.

Update 20 December 2018: today the Dutch government has announced that the ANPR Act will enter into force on 1 January 2019. The summary proceedings of Privacy First against the ANPR Act will soon take place at the District Court of The Hague.

Since September 2012, Dutch Minister Ivo Opstelten has been planning to equip the entire Dutch police force with Taser weapons. At the request of the Privacy First Foundation, the Dutch government will have to answer some tough questions about this before the UN Committee against Torture.

One of the most important and most ratified human rights treaties in the world is the 1984 United Nations Convention against Torture. Under this Convention, torture is prohibited under all circumstances. Anyone who is guilty of torture anywhere in the world is to be prosecuted or extradited. This also applies to civil servants, ministers, presidents and heads of State. The Netherlands has been a party to the UN Convention against Torture since 1988. Periodically, every country that has ratified the Convention is examined by the supervisory treaty body in Geneva: the UN Committee against Torture (CAT). This upcoming Tuesday and Wednesday it's the Netherlands' turn to come under CAT's scrutiny: on Tuesday the Netherlands will be cross-examined by the Committee on various issues, after which the Dutch delegation will come up with answers on Wednesday. Subsequently, the Committee will make a number of critical recommendations (''Concluding Observations'') to the Netherlands.

In preparation of the Dutch session, the Privacy First Foundation, the Dutch National Human Rights Institute (College voor de Rechten van de Mens) and the Dutch section of the International Commission of Jurists (Nederlands Juristen Comité voor de Mensenrechten, NJCM) have recently sent so-called 'shadow reports' about the Netherlands to the Committee in Geneva. Both Privacy First and NJCM emphatically raised the issue of Taser weapons for the Dutch police. Privacy First did so through a special letter to the Committee: click HERE. In this letter Privacy First draws the Committee's attention to the intention of the Dutch Minister of Security and Justice Mr. Ivo Opstelten to soon supply every Dutch police officer with his/her own Taser weapon. (Currently 'only' the arrest teams of the Dutch police force are equipped with Taser weapons.) In the view of Privacy First, the use of Taser weapons can easily lead to a violation of the international ban on torture as well as the related right to physical integrity, which in turn is part of the right to privacy. Taser weapons lower the treshold for police violence and hardly leave behind any scars. At the same time Taser weapons can inflict serious physical damage and mental harm. In conjunction with the current lack of firearms training for Dutch police officers, this produces serious risks for the Dutch population. Therefore we have requested the Committee to critically examine the Netherlands about this and to advise against introducing Taser weapons for the entire Dutch police force. Last Friday, Privacy First was notified from Geneva that the UN Committee will indeed critically examine this issue. This week Privacy First will keep you up-to-date of the latest developments.

Update 13 May 2013, 23.00h: a livestream of the Dutch session can be viewed online HERE (Tuesday 10am-3pm, Wednesday 3pm).

Update 14 May 2013, 15.00h: Today the Dutch delegation in Geneva (under the chairmanship of the Dutch Permanent Representative to the UN) was critically questioned by the Committee on various issues, among which... Tasers. The Dutch answers will follow tomorrow afternoon at 15.00h. Below are the relevant parts both in text as well as in mp3:

Committee member Nora Sveaass (Norway): "I then want to bring the attention to something that I've been informed of, namely that the State [of the Netherlands] is planning on a pilot of using Taser weapons as a regular weapon within the police force. And the pilot is supposed to take place, I understand, the last half of this year, so it's probably just around the corner. This Committee has on many different occasions warned against the use of Tasers, both in special situations and especially as a regular weapon to all the police, as I understand the plans are. And there are a lot of reasons for this, I won't go into the detail, because these have been described both by this Committee and by a lot of others, because, first of all, health reasons, physical as well as psychological. So I would hope that you would rethink and perhaps change the decision of implementing a pilot and also doing it in practice."
Audio:

Committee member Fernando Mariño Menéndez (Spain): "I'm also concerned by the decision that we've heard about to generalize the use of Tasers by all regular police officers, as just referred to by Mrs. Sveaass, that the Tasers will be used as an [armament] for standard use across the Kingdom of the Netherlands. That's our understanding, perhaps we're wrong, perhaps there is a special protocol governing the use of Tasers. Our position as a Committee is that Tasers shouldn't be used at all. If they are to be used, and this seems to be dangerous, then they need to be used in very specific cases and properly regulated. We'd like to know what's happening in the Kingdom of the Netherlands."
Audio:

Update 14 May 2013, 16.45h: This afternoon Privacy First employee Vincent Böhre was interviewed about this topic on Dutch radio station FunX. You can listen to the entire interview (in Dutch) here:

Update 15 May 2013: This afternoon the Netherlands had the opportunity to answer the questions that were asked by the UN Committee yesterday. In the audio file below you can hear how the Dutch Permanent Representative to the UN in Geneva denies and downplays the Dutch plans concerning Taser weapons. For the Committee members this was no reason to tone down or withdraw their critical remarks made yesterday. Therefore, Privacy First expects the Committee to express sharp criticism on the Dutch Taser plans in its Concluding Observations that are soon to be issued. Tonight the Committee already published a press release about the Dutch session; click HERE.

Update 16 May 2013: An integral video registration of both session days of the UN Committee is online HERE. The Concluding Observations of the Committee about the Netherlands will follow on Friday afternoon 31 May 2013 (June 3rd at the latest), Privacy First was told by telephone from Geneva today.

Update 22 May 2013: as a result of the Dutch session before the UN Committee last week, Dutch opposition party D66 today has posed a series of critical Parliamentary questions to Minister Opstelten; click HERE (in Dutch).

Update 31 May 2013: As predicted earlier by Privacy First and as reported tonight by Dutch television news program EenVandaag, the UN Committee against Torture has issued a negative statement today about Minister Opstelten's plans to equip the entire Dutch police force with Taser weapons:

"The Committee is concerned about the pilot plan to be reportedly launched to distribute electrical discharge weapons to the entire Dutch police force, without due safeguards against misuse and proper training for the personnel. The Committee is concerned that this may lead to excessive use of force (arts. 2, 11 and 16). The Committee recommends to the State party, in accordance with articles 2 and 16 of the Convention, to refrain from flat distribution and use of electrical discharge weapons by police officers. It also recommends adopting safeguards against misuse and providing proper training for the personnel to avoid excessive use of force. In addition, the Committee recommends that electrical discharge weapons should be used exclusively in extreme limited situations where there is a real and immediate threat to life or risk of serious injury, as a substitute for lethal weapons." (para. 27. Click HERE for the entire document.)

The Privacy First Foundation hopes that this negative stance by the UN Committee will lead to a reconsideration and withdrawal of the Dutch plans to equip every Dutch police officer with a Taser weapon. Privacy First also hopes that the announced pilot will not be executed.

 

This morning in Geneva the long-awaited Universal Periodic Review (UPR) of the Netherlands took place before the Human Rights Council of the United Nations (UN). In the run up to this four-year session, the Privacy First Foundation and various other organisations had emphatically voiced their privacy concerns about the Netherlands to both the UN and to almost all UN Member States; you can read more about this HERE. The Dutch delegation for the UPR session was led by Interior Minister Ms. Liesbeth Spies. The opening statement by Spies contained the following, remarkable passage about privacy:

"The need to strike a balance between different interests has sometimes been hotly debated in the Dutch political arena, for example in the context of privacy measures and draft legislation limiting privacy. The compatibility of this kind of legislation with human rights standards is of utmost importance. This requires a thorough scrutiny test, which is guaranteed by our professionals and institutions. Improvements in this regard have been made when necessary, especially in the starting phase of new draft legislation. This has been done in the field of privacy, where making Privacy Impact Assessments (PIAs), describing the modalities for the planned processing of personal data, are compulsory now." (pp. 5-6, italics Privacy First)

A "thorough scrutiny test" and compulsory Privacy Impact Assessments are the terms that positively stand out for Privacy First.

Prior to the UPR session, the United Kingdom had already put the following questions to the Netherlands: "Given recent concerns about data collection and security, including the unintended consequences of cases of identity theft, does the Netherlands have plans for measures to ensure more comprehensive oversight of the collection, use and retention of personal data?" (Source) On behalf of the Netherlands, Minister Spies responded to this question in Geneva this morning saying: "On the review of our laws on data protection, The Netherlands are currently working on a legislative proposal on data breach notification, following announcements of this proposal in the present coalition agreement. The proposal, which would require those responsible for personal data to notify the data protection authorities in case of "leakage" of personal data with specific risks for privacy (including identity theft), is expected to be tabled in Parliament in the coming months." This answer is rather concise and unfortunately it doesn’t contain any new elements. However, a new Dutch law on compulsory notification for data leakages will hopefully become a best practice for other UN Member States. The credits for this go to our colleagues of the Dutch NGO Bits of Freedom who have worked on this for a long time.  

During the UPR session Estonia called the protection of privacy and personal data a "human rights challenge of the 21st century". Morocco then asked a critical question about the privacy issue: "Quelles sont les mesures concrètes entreprises par les autorités néerlandaises pour sécuriser l'utilisation des donnés personnelles?" ("What are the concrete measures taken by the Dutch authorities to protect the use of personal data?") The Philippines also raised the issue of the right to privacy, but only in these words: "The Philippine delegation appreciates the frank assessment of the Netherlands of the obstacles and challenges it has to hurdle in the implementation of the right to privacy especially in the area of protection of personal information." The comments by Greece, India, Russia and Uzbekistan were more content-focused. Greece addressed the practice of preventive searches: "We take note of reports regarding the issue of preventive body searches. We recommend that the Netherlands ensure that in its application of preventive body searches, all relevant human rights are adequately protected, in particular the right to privacy and physical integrity and the prohibition of discrimination on the basis of race and religion." India exhorted the Netherlands on ethnic profiling of citizens: "We encourage the Dutch Government to take concrete measures to combat discrimination including discrimination by the Government such as ethnic profiling." Russia too advised the Netherlands "to introduce measures to stamp out discrimination arising as a result of the practice of racist, ethnic or religious profiling." The Netherlands was addressed about this very issue by Uzbekistan as well: "We are concerned over the existence of information on the increasingly broad use by the police of racist profiling."

As a reaction to these points Minister Spies referred to recent research by the Dutch police, scientists and the National, the Amsterdam and the Rotterdam Ombudsman about preventive body searches, discrimination and ethnic profiling. With regard to digital profiling (in general), she moreover proclaimed the following: "In its recent proposal for a general Data Protection Regulation, the [European] Commission has included rules on profiling, which can address the problems associated with profiling and the protection of personal data. The Netherlands endorses the need for clear legislative rules with regard to this topic, given the specific challenges for privacy protection that this technique entails. This is also the background against which the Netherlands welcomed in 2010 the Council of Europe Resolution on this topic, which contained a useful definition of profiling that would also be beneficial for inclusion in the [European] Commission proposals. The Netherlands will draw attention to this ongoing discussion in Brussels. The Regulation, once in force, will be directly applicable in the Netherlands." 

By and large this is a reasonable result, given that up until now the privacy issue had hardly played any role at all within the UN Human Rights Council. However, it’s a shame that most countries still hardly dare to confront this issue, let alone ask specific and critical questions about it. Many of the recommendations by Privacy First have not been touched upon during this UPR session, although diplomats in Geneva and The Hague had earlier shown great interest in them. Perhaps they were stopped by their Foreign Affairs departments in capital cities because many privacy issues are also sensitive in their own domestic politics? Who knows... However, the fact remains that the international community was informed by Privacy First well in advance, which was part of the reason that the Dutch UN delegation headed by Minister Spies was properly focussed on the job at hand. This can only be to the benefit of general awareness and the protection of privacy, both inside and outside the Netherlands. In the end, for us this is what it’s all about. 

Update 4 June 2012: This afternoon, a working group of the Human Rights Council adopted a draft report on the Dutch UPR session. The final version of this report will be adopted by the Human Rights Council in September 2012, accompanied by a (motivated) acceptance or rejection by the Netherlands of each individual recommendation in the report. Furthermore, this will also be discussed by the Dutch House of Representatives.

A total of 49 countries have taken part in the Dutch UPR session. It is noteworthy that Belgium, Italy and Austria did not take part in the session (although Belgium and Italy had in fact enrolled beforehand). As far as Austria is concerned this is particularly regrettable, because of all the UN Member States it was actually Austria which had in advance expressed the most interest in the Privacy First UPR shadow report and had intimated to be able to make a powerful, overall recommendation to the Netherlands about the right to privacy.  

Update 21 September 2012: This morning, the UN Human Rights Council discussed its recommendations to the Netherlands. The Dutch Permanent Representative in Geneva declared which recommendations have been accepted or rejected by the Netherlands; see this UN document and this video. The two recommendations by the Human Rights Council that related to ethnic profiling and preventive body searches have both been accepted by the Netherlands under the following clarification:

- ethnic profiling: "The Dutch government rejects the use of ethnic profiling for criminal investigation purposes as a matter of principle." About profiling in a more general sense: "In its recent proposal for a General Data Protection Regulation, the European Commission included rules on profiling that address problems that may arise due to the increasing technical possibilities for in-depth searches of databases containing personal data. The Netherlands endorses the need for clear legislative rules on this subject, given the specific challenges for privacy protection that this technology entails." (Source, 98.57 & n. 75).
- preventive body searches: "The power to stop and search is strictly regulated in the Netherlands. The mayor of a municipality may designate an area where, for a limited period of time, preventive searches may be carried out in response to a disturbance of or grave threats to public order due to the presence of weapons. The public prosecutor then has discretion to order actual body searches and searches of vehicles and luggage for weapons." (Source, 98.74 & n. 95).

See also this statement by the Netherlands Committee of Jurists for Human Rights (Dutch abbreviation: NJCM) from this morning (video). Just like the NJCM, Privacy First regrets the lack of government consultation in the run up to today’s UPR session.

Below you can watch the 31 May 2012 UPR session in its entirety (click HERE for video segments of individual countries). 

Today Privacy First sent the following email to the Electronic Health Record spokespersons in the Dutch House of Representatives: 

Dear Members of Parliament,

On Tuesday 13 December 2012 an important General Meeting with Minister Edith Schippers about the Electronic Health Record (Elektronisch Patiëntendossier, EPD) will take place. The Privacy First Foundation is keen to provide you with the following points of interest in order for you to prepare for and make possible contributions to the debate:

1) As far as Privacy First is aware, at the moment one is working towards an opportunistic spurious solution along private lines, namely a regional exchange of data through the National Switch Point (Landelijk Schakelpunt, LSP). By definition this leads to function creep by design. The digital ‘regional walls’ in and around the LSP can of course easily be circumvented or removed. Therefore the entire system can take on its old central form again at any given moment in the future, with all the privacy and security risks this entails.   

2) Those same risks around the LSP will neither be annulled by henceforth indicating the EPD as a ‘Personal Health Record’ (Persoonlijk Gezondheidsdossier, PGD). This is merely privacy by semantics which, moreover, has a misleading effect. Indeed, the infrastructure that’s behind the LSP remains virtually unchanged.

3) A privacy-friendly EPD first of all demands an independent Privacy Impact Assessment (PIA) by which various solutions characterized by privacy by design can be established. As long as such a PIA has not been conducted and subsequently evaluated in Parliament, no irrevocable steps regarding the design and possible extension of the EPD are to be taken. 

4) When further designing the EPD, it is absolutely key to leave space for research, innovation and competition. The recent DigiNotar affair shows that dependence on one party (or a select group of parties) is to be avoided. Apart from suboptimal, privacy-unfriendly products, this prevents cartel formations.

5) Apart from proper security, privacy-friendly transparency for patients also requires individual freedom of choice. Access by patients to their own records, for example, is not to be made dependent on the linking up with the LSP. Such access via the internet also creates new privacy related risks.

6) Within the governance structure around the EPD, independent privacy and security experts are to be appointed.

7) In terms of human rights the Netherlands continues to be unabatedly responsible for the protection of the medical privacy of its citizens, even in the event of a privatized EPD. At the initiative of Privacy First the Netherlands will have to be able to account for this in front of the United Nations Human Rights Council in May 2012.

Yours faithfully,

The Privacy First Foundation

Unfortunately it has been on the cards for weeks. Now it seems it will happen after all: a private restart of the Dutch national Electronic Health Record (Elektronisch Patiëntendossier, EPD). Albeit under the name ‘personal health record’ (privacy by semantics), which at first will above all be used ‘regionally’ and only with the permission of each individual patient. However, the underlying infrastructure (National Switch Point, in Dutch: Landelijk Schakelpunt, LSP) is still national in orientation and was voted down unanimously by the Dutch Senate earlier this year due to privacy objections. So by now the private EPD looks suspiciously like a nuclear transport with the LSP as its radioactive cargo. In anticipation of this development, Privacy First has recently (shortly before the reporting deadline) raised some issues with the United Nations Human Rights Council in Geneva. At the end of May 2012, the Dutch human rights situation (including Dutch national privacy policy) will be on the agenda there. The Netherlands will then have to publicly explain which solutions it has found to still safeguard privacy around the EPD. For instance by implementing privacy by design in the coming months through technical compartmentalization, data minimalization, freedom of choice and transparency for patients. In that case perhaps the Netherlands will cut a good figure in Geneva after all...

On 31 May 2012 the Netherlands will once again be examined in Geneva by the highest human rights body in the world: the United Nations Human Rights Council. The UN Human Rights Council was founded in 2006 and consists of 47 of the 192 UN Member States. Since 2008 the human rights situation in each country is periodically reviewed. This procedure takes place every four years for each UN Member State and is called ‘Universal Periodic Review’ (UPR). During the first UPR session in 2008 it was straight away the Netherlands’ turn to be examined and our country was in fact heavily criticized. In 2011 the privacy situation in the Netherlands is even worse compared to 2008: enough ground for Privacy First to raise a number of issues with the UN. Privacy First did so last night through a so-called shadow report: a report in which NGOs can voice their concerns on a particular issue. (For such reports strict requirements with the Human Rights Council apply, among which a limit of 2815 words.) Without shadow reports, diplomats in the Council are not able to do their work properly. Otherwise they would of course be dependent on the State report of the Netherlands itself. So Privacy First presented its own report with the following recommendations:  

•  No national biometric database, not even in the long run;

•  No introduction of mobile fingerprint scanners;

•  Introduction of a truly anonymous OV-chipkaart (Public Transport chip card);

•  No introduction of Automatic Number Plate Recognition (ANPR) as currently envisaged;

•  Transparency and suspension of the new border control system @MIGO;

•  A voluntary, regional instead of national Electronic Health Record System with 'privacy by design';

•  Proper legislation concerning the profiling of citizens.

You can download our entire report HERE. We hope that our recommendations will be accepted in the Human Rights Council and will lead to an international exchange of best practices. Privacy First is happy to keep you informed on these developments.

Update 23 March 2012: this week the long-awaited Dutch UPR State report for the Human Rights Council appeared. Moreover, the shadow report by the Dutch section of the International Commission of Jurists (Dutch abbreviation: NJCM) that was presented earlier (also on behalf of 24 other NGOs) became public. The NJCM report contains a very critical section on privacy in which – parallel to the recommendations of Privacy First – among other things, a call for the abrogation of the current plans concerning ANPR and mobile fingerprint scanners is made; see pp. 6-7 of the NJCM report. Relevant reports by other organisations can be found HERE.

Official preparatory work for the Dutch State report has seen two consultation meetings with Dutch civil society (NGOs) at the Dutch Ministry of the Interior (Dutch abbreviation: BZK) in recent months. During the first meeting on 1 December 2011, Privacy First insisted on incorporating a separate section about privacy in the State report. During the second meeting on 16 January 2012, Privacy First requested an explicit mention of ‘privacy by design’ in that very section. BZK responded positively to both requests. However, the privacy section in the State report appears to be relatively short, superficial and elusive. It is telling that this section is part of the chapter ‘Challenges and constraints’. This gives the impression of a defensive attitude. What’s even more telling is the following sentence: ‘‘The challenge will now be to ensure that all these [privacy infringing] measures are implemented.’’ Apparently the Dutch State is not sure where it stands... And rightly so. The mere positive points are the mention of ‘privacy by design’, the report by the Dutch Scientific Council for Government Policy called iOverheid (iGovernment) and the following passage:

"In addition, partly in response to concerns expressed in Parliament, certain policy measures that impact on privacy are currently being modified, as for example the discontinuation of the storage of fingerprint data on national ID-cards and within the passport database."

Privacy First interprets this passage as an international declaration (unilateral statement) from the Netherlands to stop the storage of fingerprints on ID-cards and in its travel document administration once and for all. Privacy First is keen to continue reminding the government of this.

Update 5 April 2012: the international lobbying surrounding the UPR session of the Netherlands on 31 May 2012 is in full swing, both at foreign embassies in The Hague as well as within the permanent representations of UN Member States in Geneva. In this context an important 'UPR pre-session' took place yesterday morning in Geneva where various international human rights organisations had the opportunity to voice their concerns about the Netherlands in front of a broad audience of foreign diplomats. Click HERE for an impression of the meeting about the Netherlands. The statement by Privacy First during this meeting can be found HERE and can also be downloaded on the website of the Dutch Human Rights Institute under incorporation.

Update 21 April 2012: Based on all shadow reports (among which that of Privacy First) that the UN received at the end of 2011, an official UN summary has in the meantime been drawn up in Geneva. This ‘summary of stakeholders’ information’ can be found HERE. Apart from Privacy First, the NJCM (also on behalf of the Dutch Platform for the Protection of Civil Rights / Platform Bescherming Burgerrechten), Bits of Freedom, the Dutch Data Protection Authority, Vrijbit and the Dutch Contact Point on Abuse of Mandatory Identification (Meldpunt Misbruik Identificatieplicht) all sent their privacy worries to Geneva in writing; all these reports will soon appear on this UN page. As far as Privacy First is aware, this has not occurred on this scale before. Therefore, for the first time in history the privacy theme figures prominently in a UN report about the Netherlands, as a matter of fact more prominent than is the case in other summaries, for example the one on the United Kingdom. Furthermore, it’s striking that the UN cites a passage about profiling from the Privacy First report: ‘‘digital profiles can be extremely detailed and profiling can easily lead to discrimination and 'steering' of persons in pre-determined directions, depending on the 'categories' their profiles 'fit into' and without the persons in question being aware of this.’’ (UN summary, para. 65). All of this can rightly be called a breakthrough that will hopefully bear fruit during the upcoming session on 31 May 2012.

Update 23 May 2012: In recent months Privacy First has had a series of useful conversations with foreign diplomats in Geneva and The Hague. Meanwhile a number of so-called ‘advance questions’ by UN Member States have appeared on the UPR website of the UN. Among them is the following question by the United Kingdom to the Netherlands: ‘‘Given recent concerns about data collection and security, including the unintended consequences of cases of identity theft, does the Netherlands have plans for measures to ensure more comprehensive oversight of the collection, use and retention of personal data?’’ (Source) Privacy First looks forward with confidence to further questions by UN Member States about Dutch privacy perils.