Today – European Data Protection Day – the Dutch Privacy Awards were handed out during the National Privacy Conference, a joint initiative by Privacy First and Dutch Platform for the Information Society ECP. The winners of the 2022 Dutch Privacy Awards are:
- Street Art Museum Amsterdam (SAMA)
- Quodari
- Summitto
- Center for Information Security and Privacy Protection (CIP).

The Dutch Privacy Awards provide a platform for companies and government agencies that see Privacy as an opportunity to positively stand out and make privacy-friendly entrepreneurship and innovation the norm. "These Awards have been handed out each year since 2015 and every time the jury nominated special, innovative and inspiring candidates. That’s been no different in 2022. Most of the time, privacy becomes a news item only when things have gone terribly wrong, when hefty fines are issued or certain parties incur serious reputational damage in court. In this respect, it would be a good thing if more attention would go out to ‘the bright side of privacy’ – to solutions that save time and money, strengthen trust, offer insights to people who need it and increase the overall effectiveness of various sorts of applications. The Dutch Privacy Awards are there to put the most inspiring initiatives in the spotlight and give these the recognition they deserve," said Awards jury chairman Wilmar Hendriks.

Nominations  

There are four categories in which applicants are awarded:

1. the category of Consumer solutions (business-to-consumer)

2. the category of Business solutions (within a company or business-to-business)

3. the category of Public services (public authority-to-citizen)

4. The incentive Award for a groundbreaking technology or person.

From the various entries, the independent expert panel chose the following nominees per category (listed in arbitrary order):

  1. Scoor voor je Club
  2. Summitto
  3. Privacy Rating
  4. PiM, the Personal identity Manager by KPN
  5. Street Art Museum Amsterdam (SAMA) 
  6. Quodari
  7. Shuttercam. 

During the National Privacy Conference all nominees presented their projects to the digital audience in Award pitches. Thereafter, the Awards were handed out. Click HERE for the entire expert panel report (pdf in Dutch), which includes participation criteria and explanatory notes on all the nominees and winners.

WINNER Consumer solutions: Street Art Museum Amsterdam (SAMA) 

Connecting privacy and art in a project that aims to raise awareness among neighborhood residents is unique and pleasantly surprised the jury. With its Privacy Project, SAMA allows such themes as privacy, digital rights, anonymity on the internet and the impact of technology on society to capture the imagination. More than 80 artists were invited to create a design for a mural, and out of their designs three were chosen to actually be produced on the streets. Local residents were involved in the choice for the design through voting.

Offering critical reflections through their art, artists encouraged residents to think about the issue of privacy. Raising awareness was in fact one of the main goals of this project. For SAMA, the project was a new adventure that saw murals being created in three vulnerable districts in Amsterdam: Nieuw-West, Noord and Zuidoost.

The jury believes that this project shows that graffiti-art murals can help raise awareness among residents about privacy issues. The whole process whereby residents think about both these issues as well as the realization of the murals equally contributes to give meaning to an abstract concept like privacy.

The jury expresses the wish that this project will be replicated in many other cities and especially in vulnerable neighborhoods where residents are still insufficiently aware of what happens to their personal data, and how important it is to be able to make choices about who you share these data with.

WINNER Business solutions: Quodari

Quodari is a privacy-friendly social media platform that puts users in control of their own data and content. It enables users to share collections of data online with friends, but also to make these data public. Taking European values as point of departure, Quodari aims to be a privacy-friendly alternative to existing social media platforms. Quodari’s business model is based on providing true value for users through additional storage space and other features for business or personal use. Quodari does not aim to attract users to its platform for as long as possible, does not exploit personal data and is free of advertising. In this way, privacy risks on the platform are reduced and financial conflicts of interest are avoided. Quodari is a Dutch initiative launched in 2021. The company expects a European rollout as well as the start to a new marketing campaign this year.

In the jury’s opinion, Quodari is a successful attempt to provide an alternative to existing social media platforms, where privacy is paramount and users truly control their own data. With Quodari, users who attach great importance to their privacy have a fair alternative to what Big Tech has to offer. That was the primary reason for the jury to grant Quodari a Dutch Privacy Award.

WINNER Public services: Summitto 

Summitto develops software for tax authorities to combat VAT fraud. Whereas existing solutions collect massive amounts of data that are often stored in plain text in a centralized way, this solution ensures that VAT fraud can be fought without actually storing data. Summitto’s method is based on modern cryptography to optimally protect invoicing. The product is a commercial off-the-shelf product that is open-source and can help tax authorities digitize VAT in a privacy-friendly way. Summitto has received grants from Horizon 2020, the EU program for research and innovation. The company is in close contact with a number of key players which in one way or another deal with VAT, including the European Commission, various government bodies and the International Bureau of Fiscal Documentation (IBFD).

With its original approach, Summitto links the social importance of combating VAT fraud with high privacy values. The approach has drawn a lot of attention from experts throughout Europe. The jury is impressed with the practical applicability of the software in combination with its high privacy standards and has therefore declared Summitto the winner in the public services category.

WINNER Incentive Award: Centrum Informatiebeveiliging en Privacybescherming (CIP) 

This year, the jury chose to present the Incentive Award to the Dutch Center for Information Security and Privacy Protection (CIP).

In spite of the pandemic, CIP has over the past year made a tremendous effort to keep its network updated through digital webinars, podcasts, workshops and games that span a range of topics. The center has built up a remarkable database of videos that are accessible to everyone on YouTube. Privacy is an important topic for CIP: up until now it has made public 22 different sorts of productions on this issue.

CIP is a public-private network organization that operates on the basis of the principle "for all, by all". It is made up of a team of passionate professionals who work together with the members of the network and its partners on practical and usable products in the field of privacy protection, ethics and information security. CIP is also on top of the news and is constantly coming up with new hot topics that are proposed by its participants and partners.

The jury expresses its great appreciation for the achievements of CIP and encourages the center to continue with the important work it is doing. Not least because the results of this work are freely accessible to public authorities, industry, organizations and citizens.

National Privacy Conference

The Dutch National Privacy Conference is a ECP|Platform for the Information Society and Privacy First initiative. Once a year, the conference brings together Dutch industry, public authorities, the academic community and civil society with the aim to build a privacy-friendly information society. The mission of both the National Privacy Conference and Privacy First is to turn the Netherlands into a guiding nation in the field of privacy. To this end, privacy by design is key.

These were the speakers during the 2022 National Privacy Conference in successive order:

Marjolijn Bonthuis (ECP deputy director)
Monique Verdier (Dutch Data Protection Authority vice chairwoman)
Martin Vliem (National Security Officer, Microsoft)
Max Schrems (founder of None of Your Business - NOYB)
Haroon Sheikh (senior scientist, Dutch Advisory Council on Government Policy, WRR)
Gry Hasselbalch (cofounder of European ThinkDoTank DataEthics)
Paul Korremans (Privacy First chairman)
Wilmar Hendriks (chairman of the expert panel of the Dutch Privacy Awards).

Both the conference as well as the Awards session – which were livestreamed from Nieuwspoort in The Hague: https://www.nieuwspoort.nl/stream/privacy-first-ecp/ – were moderated by Dutch television host Tom Jessen.

Expert panel Dutch Privacy Awards

The independent expert Award panel consists of privacy experts from different fields, all of whom participated in their personal capacity:

  • Wilmar Hendriks, founder of Control Privacy, chairman of CUIC and Privacy First board member (panel chairman)
  • Paul Korremans (Privacy First chairman)
  • Melanie Rieback, CEO and cofounder of Radically Open Security
  • Nico Mookhoek, legal expert in the field of privacy and founder of DePrivacyGuru
  • Rion Rijker, privacy and IT security expert, partner at Fresa Consulting
  • Magdalena Magala, privacy officer at the municipality of Zaanstad
  • Mathieu Paapst, university lecturer IT law at the University of Groningen and projectlead of cookiedatabase.org
  • Jaap van der Wel, IT expert and legal expert in the field of privacy, managing partner at Comfort Information Architects
  • Erik Bruinsma, legal expert; director Strategy and management advice, Statistics Netherlands (CBS). 

In order to make sure that the Award process is run objectively, panel members may not judge on any entry from their own organization or an organization in which a panel member has an interest.

In collaboration with the Dutch Platform for the Information Society (ECP), Privacy First organizes the Dutch Privacy Awards with the support of the Democracy & Media Foundation and The Privacy Factory.

Preregistrations for the 2023 Dutch Privacy Awards are welcome!

Would you like to become a sponsor or (media) partner of the Dutch Privacy Awards? Then please get in touch with Privacy First! 

 

FG7A4979m
Published in Actions

Recently, the Netherlands Standardisation Forum issued an advice to the government to ensure that public Wi-Fi networks for guest use are always secure. The independent advisory body recommends improving Wi-Fi security by using the WPA2-Enterprise standard. This recommendation applies to all public and semi-public institutions in the Netherlands and therefore has an impact on thousands of Wi-Fi networks.

The Standardisation Forum facilitates digital cooperation (interoperability) between government organizations and between government, businesses and citizens. It is the advisory body for the public sector regarding the use of open standards. According to its own website, all standards that the Forum recommends have been thoroughly tested, lower costs and reduce the risk of internet fraud and data abuse. The recent recommendation came after a request over a year ago by Privacy First and Wi-Fi roaming provider Publicroam. Privacy First and Publicroam requested the Forum to mandate WPA2-Enterprise as the standard for access to guest Wi-Fi. The Standardization Forum then decided to conduct further research, resulting in its current opinion.

Stop offering insecure guest Wi-Fi 

Privacy First chairman Paul Korremans is delighted with the advice: "It took a while, but now there is a clear recommendation. The Standardisation Forum calls for the secure provision of guest Wi-Fi, preferably using the WPA2-Enterprise standard. This recommendation creates clarity for all parties involved in setting up and managing public Wi-Fi networks within government institutions. Moreover, the recommendation will likely have a broader effect: in our view, the Forum is saying that we need to stop offering insecure guest Wi-Fi altogether." 

The Netherlands at the vanguard 

The Standardisation Forum made its decision in the summer of 2021 after several expert meetings and a public consultation. The recommendation was added to the existing obligation around WPA2-Enterprise in early September. The Netherlands is one of the first countries to have such an obligation.

WPA2-Enterprise 

Experts consider the standard WPA2-Enterprise (and its successor WPA3-Enterprise) to be the most suitable method for achieving secure Wi-Fi access. The standard is mandatory for Wi-Fi access for government employees and is widely used by businesses and educational institutions among others. Because it is a long-standing open standard, it is widely available and easy to implement.

Published in Online Privacy

A coalition of civil rights organizations in the Netherlands that had previously won a lawsuit against System Risk Indication (SyRI) is calling on the Dutch Senate to reject an even more sweeping Bill dubbed ‘Super SyRI’. According to the parties, the proposal is on a collision course with the rule of law while the Dutch government refuses to learn lessons from the childcare benefits scandal, one of the largest scandals in Dutch politics in recent decades.

The Data Processing by Partnerships Act (Wet Gegevensverwerking door Samenwerkingsverbanden, WGS) enables Dutch government agencies and companies to link together the data stored about citizens and companies through partnerships. Public authorities and companies that take part in such cooperative frameworks are obliged to pool together their data. This should help in the fight against all kinds of crime and offenses.

Under the Act, it is not just data that companies and public authorities share with each other. Signals, suspicions and blacklists are also exchanged and linked together. On the basis of this form of shadow record-keeping, these parties can coordinate with each other enforcement ‘interventions’ against citizens who end up in their crosshairs.

Public authorities and companies targeting citizens through data surveillance

In order to enable the large-scale sharing of personal data between public authorities and companies, the Act casts aside numerous confidentiality obligations, privacy rights and legal safeguards that have traditionally applied to the processing of personal data. This leads to a "far-reaching, large-scale erosion of the legal protection of citizens", according to the opposing coalition of which Privacy First is a member: "If this Bill is adopted, the door will be left wide open for the executive branch of the government and private parties to subject both citizens and companies to arbitrary data surveillance."

Through the Act, the Dutch government also wants to create the possibility to start new partnerships in case of ‘urgency’, without providing Parliament the opportunity of examination. The Dutch House of Representatives will be informed about such partnerships only after their establishment, then having to decide whether to pass them into law. This is contrary to the Dutch Constitution, which stipulates that legislation approved by Parliament should include privacy protections. The parties find it unacceptable that Parliament is not involved in the formation of new partnerships and can decide on them only after they have been established.

Legitimizing unlawful practices that have lasted for years

In addition to the possibility of establishing new partnerships, the Act includes four partnerships that have been around for years, but have never been laid down in law. The cabinet now wants to retroactively create a legal basis for these partnerships.

The parties that brought legal proceedings against System Risk Indication (SyRI) point out that SyRI, which was prohibited by the court, was also used for years without a legal basis. According to the parties, there are strong similarities with the partnerships that the new Bill is now intended to legitimize: "Drastic practices in which personal data are processed in violation of the fundamental rights of citizens were set up as a trial and continued for years, only to be given a legal basis as a fait accompli. Fundamental rights that should protect citizens against unjustified government action thereby become mere obstacles for the government to overcome."

Risk assessments, blacklists and suspicions

The coalition previously wrote that the practices under the Act are in many ways similar to the data processing that preceded the childcare benefits scandal that sent shock waves through Dutch society. Based on secret data analyses, lists of citizens who had been falsely labeled by the tax authorities as criminal fraudsters were distributed through various agencies, ruining the personal lives of tens of thousands of families. Under the partnerships that would be made possible by the Act, public authorities and companies would be able to abundantly share risk analyses, blacklists and many other types of data, suspicions and signals about citizens. The Dutch Data Protection Authority advised the Senate in November 2021 not to pass the law, stating that the proposal could lead to "Kafkaesque situations for large numbers of people".

The civil society coalition against SyRI consists of the Dutch Civil Rights Platform (Platform Bescherming Burgerrechten), the Dutch Lawyers Committee for Human Rights (NJCM), Dutch trade union FNV, the Dutch National Clients Council, Privacy First, the KDVP Foundation and authors Maxim Februari and Tommy Wieringa.

Download the recent letter by the coalition to the Dutch Senate HERE (pdf in Dutch).

Source: https://bijvoorbaatverdacht.nl/syri-coalitie-eerste-kamer-moet-datasurveillancewet-super-syri-afwijzen/, 15 February 2022.

Published in Law & Politics

Despite an urgent call by Privacy First to the Dutch House of Representatives to block the coronavirus entry pass, the introduction of this pass throughout The Netherlands as of 25 September 2021 unfortunately seems to be a reality. Privacy First expects that this will lead to division of Dutch society, exclusion of vulnerable groups, discrimination and violation of everyone’s right to privacy. Moreover, the introduction of this pass leads to vaccination coercion, which violates everyone’s right to dispose freely of their own body. This is incompatible with the right to physical integrity and self-determination and fuels the undermining of our trust in the democratic rule of law, in which these fundamental rights are enshrined.

With massive encroachment and violation of human rights looming, it is up to the courts to intervene and correct the government. In line with our statutory objective to take action in the public interest, the current lawsuit by Dutch attorney Bart Maes and others to stop the coronavirus entry pass therefore has our full support. Privacy First would like to emphasize that this is not a statement against vaccination (on the contrary), but that it is crucial to fully respect and protect everyone’s human rights, especially in these times. Critical voices should be taken seriously and not be dismissed on emotional grounds. In both the short and the long term, this is the best guarantee for an open, free and healthy society.

Published in Law & Politics

Today, Privacy First sent the following plea to the Dutch House of Representatives: 

Dear Members of Parliament, 

It is with great disapproval that the Privacy First Foundation has taken note of the planned introduction of coronavirus entry passes for bars and restaurants, events and cultural institutions. This will lead to a division in society, exclusion of vulnerable groups and a massive violation of everyone’s right to privacy. Below, Privacy First will briefly explain this.

Serious violation of fundamental rights

The coronavirus entry pass (‘corona pass’) constitutes a serious infringement of numerous fundamental human rights, including the right to privacy, physical self-determination, bodily integrity and freedom of movement in conjunction with other classic human rights such as the right to participate in cultural life and various children’s rights such as the right to recreation. Any curtailment of these rights must be strictly necessary, proportionate and effective. In the case of the corona pass, however, this has not been demonstrated to date and the required necessity is simply being assumed in the public interest. More privacy-friendly alternatives to reopen and normalize society seem never to have been seriously considered. For these reasons alone, the corona pass cannot pass the human rights test and should therefore be repealed. In this context, Privacy First would also like to remind you of countries such as England, Belgium and Denmark where a similar pass was deliberately not introduced, or has been done way with not long after its introduction. In the Netherlands, there has been a great lack of support in recent days for the corona pas and many thousands of entrepreneurs have already let it be known that they will not cooperate. Privacy First therefore expects that the introduction of the corona pass will lead to massive civil disobedience and successful lawsuits against the Dutch government.

Social exclusion

The introduction of the corona pass violates the general prohibition of discrimination, as it introduces a broad social distinction based on medical status. This puts a strain on social life and may lead to widespread inequality, stigmatization, social segregation and even possible tensions, as large groups in society will not (or not systematically) want to, or will not be able to get tested or vaccinated (for a variety of reasons), or obtain a digital test or vaccination certificate. During our National Privacy Conference in early 2021, Privacy First already took the position that the introduction of a mandatory ‘corona passport’ would have a socially disruptive effect.[1] On that occasion, the Dutch Data Protection Authority, among others, explicitly took a stand against the introduction of such a passport. The aforementioned social risks apply all the more strongly to the vaccination coercion that is caused by the introduction of the corona pass. In this regard, Privacy First would like to remind you of the fact that both your House of Representatives and the Parliamentary Assembly of the Council of Europe have expressed their opposition to a direct or indirect vaccination requirement.[2] In addition, the corona pass will have the potential to set precedent for other medical conditions and other sectors of society, putting pressure on a much wider range of socio-economic human rights. For these reasons, Privacy First calls on you to block the introduction of the corona pass.

Multiple privacy violations

From the perspective of the right to privacy, there are a number of yet other specific concerns and questions. First of all, the corona pass introduces a mandatory ‘health proof’ for participation in a large part of social life, in flagrant violation of the right to privacy and the protection of personal data. Through the mandatory display of an ID card in addition to the corona pass, an entirely new identification requirement is created in public places. The existing anonymity in the public space is thus removed, with all the dangers and risks that this entails. Moreover, this new identification requirement raises questions about the capacities of entrepreneurs to determine the identity of a person and to assess the state of health by means of the corona pass.

Moreover, the underlying legislation results in the inconsistent application of existing legislation with regard to the same act, i.e. testing, with far-reaching consequences on the one hand for an important attainment such as medical confidentiality and the public’s trust in that confidentiality, and on the other for the practical implementation of retention periods of the test results while the processing of these results does not change. After all, it is not the result of the test that should determine whether the registration of the testing falls under the Dutch Medical Treatment Agreement Act (‘Wgbo’, which requires medical confidentiality and a 20-year retention period) or the Dutch Public Health Act (‘Wpg’, which requires a 5-year retention period), but the act of testing itself. Besides, it is questionable why a connection was sought with the Wpg and/or Wgbo now that it is about obtaining a certificate for participation in society and it does not concern medical treatment (Wgbo) or public health tasks for that purpose. The only ground for processing personal data for the purpose of ascertaining the presence of the coronavirus and for breaching medical confidentiality, should be consent. However, in this case there cannot be the legally required freely given consent, since testing and vaccination will be a mandatory condition for participation in society.

Privacy requires clarity

Many other things are and remain unclear: what data will be stored, where, by whom and in which systems? To what extent will there be an international and European exchange of such data? Which parties with which purposes will have access to or will copy the data, or put these in huge new national databases together with our health data? Will we have constant personal localization and identification, or only occasional verification and authentication? Why can test results be kept for an unnecessarily long time? How great are the risks of hacking, data breaches, fraud and forgery? To what extent have decentralized, privacy-friendly technologies and privacy by design, open source software, data minimization and anonymization seriously been considered? How long will test certificates remain free of charge? Is work already underway to introduce an ‘alternative digital medium’ to the Dutch CoronaCheck app, namely a chip (card), with all the objections and risks that entails? Why has there been no independent Privacy Impact Assessment (PIA)? How many more times must the country accept emergency laws to close privacy leaks, when our overburdened and understaffed Data Protection Authority is already noting that there is no legal basis for the processing of the data concerned? How will unforeseen uses and abuses, function creep and profiling be prevented, and how is privacy oversight arranged? Will non-digital, paper alternatives remain available at all times? Why is the ‘yellow booklet’ not accepted as a privacy-friendly alternative, as it is in other countries? What happens with the test material – i.e. everyone’s DNA – at the various testing sites? And when will the corona pass be abolished? In other words, to what extent is this actually a ‘temporary’ measure?

In the view of Privacy First, the introduction of the corona pass will lead merely to an impractical burden on entrepreneurs, innumerable deficiencies and destruction of capital for society. Privacy First therefore requests that the members of the House of Representatives block the introduction of the corona pass. Failing to do so, Privacy First reserves the right to have the legislation introducing the corona pass reviewed against international and European law and declared inoperative by the courts. Preparations for such legal proceedings by us and many others are already underway.

Yours sincerely,

Privacy First Foundation 

[1] See National Privacy Conference 28 January 2021, https://youtu.be/asEX1jy4Tv0?t=9378, starting at 2h 36 min 18 sec.
[2] See Council of Europe, Parliamentary Assembly, Resolution 2361 (2021): Covid-19 vaccines: ethical, legal and practical considerations, https://pace.coe.int/en/files/29004/html, par. 7.3.1-7.3.2: ‘‘Ensure that citizens are informed that the vaccination is NOT mandatory and that no one is politically, socially, or otherwise pressured to get themselves vaccinated, if they do not wish to do so themselves; ensure that no one is discriminated against for not having been vaccinated, due to possible health risks or not wanting to be vaccinated.’’ See also, inter alia, Dutch House of Representatives, Motion by Member Azarkan on no corona vaccination requirement (28 October 2020), House of Representatives, 25295-676, https://zoek.officielebekendmakingen.nl/kst-25295-676.html: ‘‘The House of Representatives (...) expresses that there should never be a direct or indirect corona vaccination obligation in the future’’; Motion by Member Azarkan on access to public benefits for all regardless of vaccination or testing status (5 January 2021), House of Representatives 25295-864, https://zoek.officielebekendmakingen.nl/kst-25295-864.html: "The House of Representatives (...) requests the government to allow access to public benefits for all regardless of vaccination or testing status."


An earlier, similar version of this commentary appeared as early as March 2021: https://www.privacyfirst.eu/focus-areas/law-and-politics/695-privacy-first-position-concerning-the-dutch-draft-bill-on-covid-19-test-certificates.html.

Published in Law & Politics

As an NGO that promotes civil rights and privacy protection, Privacy First has been concerned with financial privacy for years. Since 2017, we have been keeping close track of the developments surrounding the second European Payment Services Directive (PSD2), pointing out the dangers to the privacy of consumers. In particular, we focus on privacy issues related to ‘account information service providers’ (AISPs) and on the dangerous possibilities offered by PSD2 to process personal data in more extensive ways.

At the end of 2017, we assumed that providing more adequate information and more transparency to consumers would be sufficient to mitigate the risks associated with PSD2. However, these risks turned out to be greater and of a more fundamental nature. We therefore decided to launch a bilingual (Dutch & English) website called PSD2meniet.nl in order to outline both our concerns and our solutions with regard to PSD2.

Central to our project is the Don’t-PSD2-Me-Register, an idea we launched on 7 January 2019 in the Dutch television program Radar and in this press release. The aim of the Don’t-PSD2-Me-Register is to provide a real tool to consumers with which they can filter out and thus protect their personal data. In time, more options to filter out and restrict the use of data should become available. With this project, Privacy First aims to contribute to positive improvements to PSD2 and its implementation.

Protection of special personal data

In this project, which is supported by the SIDN Fund, Privacy First has focused particularly on ‘special personal data’, such as those generated through payments made to trade unions, political parties, religious organizations, LGBT advocacy groups or medical service providers. Payments made to the Dutch Central Judicial Collection Agency equally reveal parts of people’s lives that require extra protection. These special personal data directly touch upon the issue of fundamental human rights. When consumers use AISPs under PSD2, their data can be shared more widely among third parties. PSD2 indirectly allows data that are currently protected, to become widely known, for example by being included in consumer profiles or black lists.

The best form of protection is to prevent special personal data from getting processed in the first place. That is why we have built the Don’t-PSD2-Me-Register, with an Application Programming Interface (API) – essentially a privacy filter – wrapped around it. With this filter, AISPs can detect and filter out account numbers and thus prevent special personal data from being unnecessarily processed or provided to third parties. Moreover, the register informs consumers and gives them a genuine choice as to whether or not they wish to share their data.

What’s next?

We have outlined many of the results we have achieved in a Whitepaper, which has been sent to stakeholders such as the European Commission, the European Data Protection Board (EDPB) and the Dutch Data Protection Authority. And of course, to as many AISPs as possible, because if they decide to adopt the measures we propose, they would be protecting privacy by design. Our Whitepaper contains a number of examples and good practices on how to enhance privacy protection. Among other things, it lays out how to improve the transparency of account information services. We hope that AISPs will take the recommendations in our Whitepaper to heart.

Our Application Programming Interface (API) has already been adopted by a service provider called Gatekeeper for Open Banking. We support this start up’s continued development, and we make suggestions on how the privacy filter can be best incorporated into their design and services. When AISPs use Gatekeeper, consumers get the control over their data that they deserve.

Knowing that the European Commission will not be evaluating PSD2 until 2022, we are glad to have been able to convey our own thoughts through our Whitepaper. Along with the API we have developed and distributed, it is an important tool for any AISP that takes the privacy of its consumers seriously.

Privacy First will continue to monitor all developments related to the second Payment Services Directive. Our website PSD2meniet.nl will remain up and running and will continue to be the must-visit platform for any updates on this topic.

If you want to know how things develop, or in case you have any suggestions, please send an email to Martijn van der Veen: This email address is being protected from spambots. You need JavaScript enabled to view it..

Today – on European Data Protection Day – the 2021 Dutch Privacy Awards were handed out during the Dutch National Privacy Conference, a joint initiative by Privacy First and the Dutch Platform for the Information Society (ECP). These Awards provide a platform for companies and governments that see privacy as an opportunity to distinguish themselves positively and to make privacy-friendly entrepreneurship and innovation the norm. The winners of the Dutch Privacy Awards 2021 are STER, NLdigital, Schluss, FCInet and the Dutch Ministry of Justice and Security.

Consumer solutions

Winner: STER

Advertising without storage of personal data, contextual targeting: proven effectiveness

The Dutch Stichting Ether Reclame (Ether Advertising Foundation), better known as STER, was one of the first organizations in the Netherlands to abandon the common model of offering advertisements based on information collected via cookies. STER has developed a procedure that only uses relevant information on the webpages visited. No personal data are collected at all (data such as browser version, IP address and click-through behaviour). Advertisers submit their advertisements to STER, which are then put on the website in conformity with the protocol developed by STER, which is based on a number of simple categories. These categories are linked to the information that is shown, such as a TV program that someone has selected. The protocol has been built up and refined over the past period and now works properly.

In this way, STER kills several birds with one stone. Most importantly, initial applications show that this approach is at least as effective for advertisers as the old cookie-based way. Secondly, the approach removes parties from the chain. Data brokers who played a role in the old system are now superfluous. Apart from the financial gain for the chain, this also prevents data coming into the possession of parties the data should not end up with. And thirdly, STER stays in control of its own advertising campaigns.

This makes STER a deserved winner of the Dutch Privacy Awards. The concept developed is innovative and helps to protect the privacy of citizens without them having to make any effort. STER is also investigating the possibility of using the approach more broadly. This too is an innovation that the expert panel applauds.

In that sense STER’s approach is also a well-founded response to the data-driven superpowers on the market as it demonstrates that the endless collection of personal data is not at all necessary to get your message across, whether it is commercial or idealistic.

STER could perhaps also have been submitted as a Business-to-Business entry, but the direct interests of consumers meant that it was listed in the category of consumer solutions.

Business solutions

Winner: NLdigital

Organisational innovation and practical application: Data Pro Code

Entries for the Dutch Privacy Awards often relate to technical innovations. At NLdigital it is not the technology, but the approach that is innovative. It has given concrete meaning to GDPR obligations through agreements and focuses mainly on data processors, not on the responsible parties. This enables processors to make agreements more quickly, practically and with sufficient care – agreements which are also verifiable in this regard. Many companies provide services by making applications available which involve data processing. And that requires processing agreements, which are not easy to apply for every organization. Filling in the corresponding statement leads to an appropriate processing agreement for clients.

NLdigital’s code of conduct called Data Pro Code is a practical instrument tailor made for the target group: IT companies that process data on behalf of others. With the help of (600) participants/members, the Code is drawn up as an elaboration of Art. 28 of the GDPR. It has been approved by the Dutch Data Protection Authority and has led to a publicly accessible certification.

Public services

Winner: FCInet & Ministery of Justice and Security

Ma³tch, privacy on the government agenda: innovative data minimization

FCInet is innovative, privacy-enhancing technology that was developed by the Dutch Ministry of Justice and Security and the Dutch Ministry of Finance. It is meant to assist in the fight against (international) crime. Part of FCInet is Ma³tch, which stands for Autonous Anonymous Analysis. With this feature the Financial Criminal Investigation Services (FCIS) can share secure and pseudonymized datasets on a national level (for example with the Financial Intelligence Unit-Netherlands and the Fiscal Information and Investigation Service), but also internationally. Ma³tch is a technology that supports and enforces parties concerned to make careful considerations per data field. This is possible with regard to the question of which data these parties want to compare and on the basis of which conditions. This ensures that parties can set up the infrastructure in such a way that it can be technically enforced that data are exchanged only on a legitimate basis.

Through hashing, organization A encrypts (bundles of) personal data in such a way that receiving party B has the possibility to check whether a person known to organization B is also known to organization A. Only if it turns out that there is a match (because the list of known persons in hashed form of organization B is checked against the list of persons in the sent list) does the next step take place whereby organization B actually requests information about the person concerned from organization A. The check takes place in a secure decentralized environment, so organization A does not know whether there is a hit or not. The technology thus prevents the unnecessary perusal of personal data in the context of comparisons.

The open source code technology of FCInet offers broader possibilities for application, which is encouraged by the expert panel and was an important reason for the submission: it can be reused in many other organizations and systems. The panel therefore assessed this initiative as a good investment in privacy by the government, where, clearly, the issue of privacy really is on the agenda.

Incentive Award

Winner: Schluss

Schluss applied for the Dutch Privacy Awards in 2021 for the third time. That is not the reason for the Incentive Award, even though it may encourage others to persevere in a similar way.

The reason is that it is a very nice initiative, focused on the self-management of personal data. In the form of an app, private users are offered a vault for their personal data, whether they are of a medical, financial or other nature. Users decide which people or organizations gets access to their data. The idea is that others who are allowed to see the data no longer need to store these data themselves. Schluss has no insight into who uses the app, its role is only to facilitate the process. The technology, which is open source, guarantees transparency about the operation of the app.

Schluss won the prestigious Incentive Award because thus far the app has had only a beta release. However, promising projects have been started with the Volksbank and there is a pilot in collaboration with the Royal Dutch Association of Civil-law Notaries. With the mission statement (‘With Schluss, only you decide who gets to know which of your details’) in mind, Schluss chose to become a cooperation, an organizational form that appealed to the expert panel. With this national Incentive Award the panel hopes to encourage the initiators to continue along this path and to persuade parties to join forces with Schluss.

Nominations  

There are four categories in which applicants are awarded:

1. the category of Consumer solutions (business-to-consumer)

2. the category of Business solutions (within a company or business-to-business)

3. the category of Public services (public authority-to-citizen)

4. the incentive award for a ground breaking technology or person.

From the various entries, the independent expert panel chose the following nominees per category (listed in arbitrary order):

Consumer solutions:

Business solutions:

Public services:

NKey

Roseman Labs (Secure Multiparty Computation)

Ministry of Health (CoronaMelder)

Schluss

NLdigital (Data Pro Code)

FCInet & Ministry of Justice (Ma³tch)

STER (Contextual targeting)

Simple Analytics

 

4MedBox (4LifeSupport)

 

 

During the National Privacy Conference all nominees presented their projects to the audience in Award pitches. Thereafter, the Awards were handed out. Click HERE for the entire expert panel report (pdf in Dutch), which includes participation criteria and explanatory notes on all the nominees and winners.

National Privacy Conference

The Dutch National Privacy Conference is a ECP|Platform for the Information Society and Privacy First initiative. Once a year, the conference brings together Dutch industry, public authorities, the academic community and civil society with the aim to build a privacy-friendly information society. The mission of both the National Privacy Conference and Privacy First is to turn the Netherlands into a guiding nation in the field of privacy. To this end, privacy by design is key.

These were the speakers during the 2021 National Privacy Conference in successive order:
- Monique Verdier (vice chairwoman of the Dutch Data Protection Authority)
- Judith van Schie (Considerati)
- Erik Gerritsen (Secretary General of the Dutch Ministery of Health, Welfare and Sport) 
- Mieke van Heesewijk (SIDN Fund) 
- Peter Verkoulen (Dutch Blockchain Coalition)
- Paul Tang (MEP for PvdA)
- Ancilla van de Leest (Privacy First chairwoman)
- Chris van Dam (Member of the Dutch House of Representatives for CDA)
- Evelyn Austin (director of Bits of Freedom)
- Wilmar Hendriks (chairman of the expert panel of the Dutch Privacy Awards).

The entire conference was livestreamed from Nieuwspoort in The Hague: see https://www.nieuwspoort.nl/agenda/overzicht/privacy-conferentie-2021/stream and https://youtu.be/asEX1jy4Tv0.

Dutch Privacy Awards expert panel

The independent expert Award panel consists of privacy experts from different fields:

  • Wilmar Hendriks, founder of Control Privacy and member of the Privacy First advisory board (panel chairman)
  • Ancilla van de Leest, Privacy First chairwoman
  • Paul Korremans, partner at Comfort Information Architects and Privacy First board member
  • Marc van Lieshout, managing director at iHub, Radboud University Nijmegen
  • Alex Commandeur, senior advisor BMC Advies
  • Melanie Rieback, CEO and co-founder of Radically Open Security
  • Nico Mookhoek, privacy lawyer and founder of DePrivacyGuru
  • Rion Rijker, privacy and data protection expert, IT lawyer and partner at Fresa Consulting.

In order to make sure that the Award process is run objectively, the panel members may not judge on any entry of his or her own organization.

In collaboration with the Dutch Platform for the Information Society (ECP), Privacy First organizes the Dutch Privacy Awards with the support of the Democracy & Media Foundation and The Privacy Factory.

Pre-registrations for the 2022 Dutch Privacy Awards are welcome!

Would you like to become a sponsor of the Dutch Privacy Awards? Please contact Privacy First! 

 

FG7A4979m

Published in Actions

It is with great concern that Privacy First has taken note of the Dutch draft bill on COVID-19 test certificates. Under this bill, a negative COVID-19 test certificate will become mandatory for access to sporting and youth activities, all sorts of events and public places including bars and restaurants and cultural and higher education institutions, Those who have no such certificates risk getting high fines. This will put pressure on everyone's right to privacy. 

Serious violation of fundamental rights

The draft bill severely infringes numerous fundamental and human rights, including the right to privacy, physical integrity and freedom of movement in combination with other relevant human rights such as the right to participate in cultural life, the right to education and various children’s rights such as the right to recreation. Any curtailment of these rights must be strictly necessary, proportionate and effective. However, the current draft bill fails to demonstrate this, while the required necessity in the public interest is simply assumed. More privacy-friendly alternatives to reopen and normalize society do not seem to have been considered. For these reasons alone, the proposal cannot pass the human rights test and should therefore be withdrawn.

Social exclusion

The proposal also violates the general prohibition of discrimination, as it introduces a broad social distinction based on medical status. This puts pressure on social life and may lead to large-scale inequality, stigmatization, social segregation and even possible tensions, as large groups in society will not (or not systematically) want to or will not be able to get tested (for various reasons). During the recent Dutch National Privacy Conference organized by Privacy First and the Platform for the Information Society (ECP), it already became clear that the introduction of a mandatory ‘corona passport’ could have a socially disruptive effect.[1] On that occasion the Dutch Data Protection Authority, among others, took a strong stand against it. Such social risks apply all the more strongly to the indirect vaccination obligation that follows on from the corona test certificate. In this regard, Privacy First wants to recall that recently both the Dutch House of Representatives and the Parliamentary Assembly of the Council of Europe have expressed their opposition to a direct or indirect vaccination requirement.[2] In addition, the draft bill under consideration will have the potential to set precedents for other medical conditions and other sectors of society, putting pressure on a much broader range of socio-economic rights. For all of these reasons, Privacy First strongly recommends that the Dutch government withdraw this draft bill.

Multiple privacy violations

Moreover, from the perspective of the right to privacy, a number of specific objections and questions apply. First of all, the draft bill introduces a mandatory ‘proof of healthiness’ for participation in a large part of social life, in flagrant violation of the right to privacy and the protection of personal data. Also, the draft bill introduces an identification requirement at the entrance of public places, in violation of the right to anonymity in public spaces. The bill also results in the inconsistent application of existing legislation to the same act, namely testing, with far-reaching consequences on the one hand for a precious achievement like medical confidentiality and the trust of citizens in that confidentiality, and on the other hand for the practical implementation of retention periods while the processing of the test result does not change. After all, it is not the result of the test that should determine whether the file falls under the Dutch Medical Treatment Contracts Act (WGBO, which has a medical secrecy requirement and a retention period of 20 years) or under the Public Health Act (with a retention period of five years), but the act of testing itself. Moreover, it is unclear why the current draft bill seeks to connect to the Public Health Act and/or WGBO if it only concerns obtaining a test certificate for the purpose of participating in society (and therefore no medical treatment or public health task for that purpose). Here, the only possibility for processing and for breaching medical confidentiality should be the basis of consent. In this case, however, there cannot be the legally required freely given consent, since testing will be a compelling condition for participation in society.

Privacy requires clarity

Many other issues are still unclear: which data will be stored, where, by whom, and which data may possibly be exchanged? To what extent will there be personal localization and identification as opposed to occasional verification and authentication? Why may test results be kept for an unnecessarily long time (five or even 20 years)? How great are the risks of hacking, data breaches, fraud and forgery? To what extent will there be decentralized, privacy-friendly technology, privacy by design, open source software, data minimization and anonymization? Will test certificates remain free of charge and to what extent will privacy-friendly diversity and choice in testing applications be possible? Is work already underway to introduce an ‘alternative digital carrier’ in place of the Dutch CoronaCheck app, namely a chip, with all the risks that entails? How will function creep and profiling be prevented and are there any arrangements when it comes to data protection supervision? Will non-digital, paper alternatives always remain available? What will happen to the test material taken, i.e. everyone’s DNA? And when will the corona test certificates be abolished?

As long as such concerns and questions remain unanswered, submission of this bill makes no sense at all and the corona test certificate will only lead to the destruction of social capital. Privacy First therefore reiterates its request that the current proposal be withdrawn and not submitted to Parliament. Failing this, Privacy First will reserve the right to have the matter reviewed by the courts and declared unlawful.

[1] See the Dutch National Privacy Conference, 28 January 2021, https://youtu.be/asEX1jy4Tv0?t=9378, starting at 2h 36 min 18 sec.
[2] See Council of Europe, Parliamentary Assembly, Resolution 2361 (2021): Covid-19 vaccines: ethical, legal and practical considerations, https://pace.coe.int/en/files/29004/html, par. 7.3.1-7.3.2: “Ensure that citizens are informed that the vaccination is NOT mandatory and that no one is politically, socially, or otherwise pressured to get themselves vaccinated, if they do not wish to do so themselves; ensure that no one is discriminated against for not having been vaccinated, due to possible health risks or not wanting to be vaccinated.” See also, for example, Dutch House of Representatives, Motion by Member Azarkan on No Corona Vaccination Obligation (28 October 2020), Parliamentary Document 25295-676, https://zoek.officielebekendmakingen.nl/kst-25295-676.html: "The House (...) pronounces that there should never be a direct or indirect coronavirus vaccination obligation in the future"; Motion by Member Azarkan on Access to Public Benefits for All Regardless of Vaccination or Testing Status (5 January 2021), Parliamentary Document 25295-864, https://zoek.officielebekendmakingen.nl/kst-25295-864.html: "The House (...) requests the government to enable access to public services for all regardless of vaccination or testing status.’

Published in Law & Politics

Under the Corona Pandemic Emergency Act, the Dutch government has the option to introduce all kinds of restrictive measures, including the wide-ranging and mandatory use of face masks. This is unless the Dutch House of Representatives rejects this measure later this week. In this context, Privacy First today has sent the following email to the House of Representatives:

Dear Members of Parliament,

On 19 November, the government submitted to you the Regulation concerning additional requirements for face masks under COVID-19. Under this regulation, wearing a face mask will become mandatory in numerous places (including shops, railway stations, airports and schools) as of 1 December 2020. This obligation can be periodically extended by the government without the consent of Parliament. Based on the Corona Pandemic Emergency Act, you currently have seven days to exercise your right of veto and prevent the entry into force of a wide-ranging face mask obligation. By 26 November at the latest, you will be able to vote on this issue and reject this measure.

The wearing of face masks has been the subject of much public debate for months. Both the government and the National Institute for Public Health and the Environment (RIVM) have repeatedly stated that wearing non-medical face masks is hardly effective in combating the coronavirus. Scientists seem to be divided on this. At the same time, wearing a face mask can also have the opposite effect, i.e. harm people's health. There is a consensus, however, that in a legal sense the compulsory use of face masks is an infringement of the right to privacy and self-determination.

This accordingly falls within the scope of Privacy First. The right to privacy is a universal human right that is protected in the Netherlands by international and European treaties and by our national Constitution. Any infringement of the right to privacy must therefore be strictly necessary, proportionate and effective. If that is not the case, it is an unjustified breach and therefore a violation of the right to privacy, both as a human right and as a constitutional right. As long as the wearing of non-medical face masks to deafeat the coronavirus has not proven effective and can even have adverse health effects, there cannot be any social necessity for the introduction of a general face mask obligation. Such an obligation would thus amount to a social experiment with unforeseen consequences. This is not in keeping with a free and democratic constitutional society under the rule of law. Privacy First therefore advises you to reject the proposed regulation for the introduction of compulsory face masks and instead propose to continue wearing them on a voluntary basis.

Yours faithfully,

The Privacy First Foundation

Published in Law & Politics

In the fight against the coronavirus, the Dutch government this week made clear that the introduction of a curfew is imminent. Because of this, Privacy First today has sent the following appeal to the Dutch House of Representatives:

Dear Members of Parliament,

This week the Netherlands finds itself at a historical human rights crossroads: is a nation-wide curfew going to be introduced for the first time since World War II? For Privacy First such a far-reaching, generic measure would be disproportionate and far from necessary in virtually every situation. Moreover, in the fight against the coronavirus the effectiveness of such a measure remains unknown to this date. For that alone, there can be no legally required social necessity of a curfew. A curfew could in fact also be counterproductive, as it would harm the mental and (therefore also) physical health of large groups in society. Besides, a curfew in the Netherlands is yet another step towards a surveillance society. The use of lighter, targeted and more effective measures is always preferable. Should a curfew nonetheless be introduced, Privacy First would consider it a massive violation of the right to privacy and freedom of movement. Privacy First therefore calls on you to not let this happen and to thwart the introduction of a curfew.

Yours faithfully,

The Privacy First Foundation


Update 17 February 2021: this week, in summary proceedings, the district court of The Hague handed down a ground-breaking ruling that says that the curfew was wrongly introduced under the Dutch Extraordinary Powers Act. The current Dutch curfew is therefore unlawful. Moreover, the court found that there are "major question marks regarding the factual substantiation by the State of the necessity of the curfew. (...) Before a far-reaching restriction such as a curfew is introduced, it must be clear that no other, less far-reaching measures are available and that the introduction of the curfew will actually have a substantial effect", stated the court, without the conviction that this was the case. In addition, the court raised the question of why an urgent (but voluntary) curfew advice had not been chosen. The court also noted that "the Dutch Outbreak Management Team, according to the team itself, has no evidence that the curfew will make a substantial contribution to reducing the spread of the virus." All this "makes the State's assertion that a curfew is inevitable at least debatable and without convincing justification", the court concluded. (See judgment (in Dutch), paragraphs 4.12-4.14.)

The judgment of the district court of The Hague is in line with Privacy First’s earlier position. Privacy First hopes that this will be confirmed on appeal by the Hague Court of Appeal and that it will also lead to the rejection of the curfew by both the Dutch House of Representatives and the Senate.

Published in Mobility
Page 1 of 3

Our Partners

logo Voys Privacyfirst
logo greenhost
logo platfrm
logo AKBA
logo boekx
logo brandeis
 
 
 
banner ned 1024px1
logo demomedia
 
 
 
 
 
Pro Bono Connect logo
Procis

Follow us on Twitter

twitter icon

Follow our RSS-feed

rss icon

Follow us on LinkedIn

linked in icon

Follow us on Facebook

facebook icon