Today, the European Court of Justice in Luxembourg (EU Court) has come up with its long-awaited judgment in four Dutch cases related to the storage of fingerprints under the Dutch Passport Act. The EU Court did so at the request of the Dutch Council of State. The EU Court deems the storage of fingerprints in databases to fall outside the scope of the European Passport Regulation. Therefore, the Court leaves the judicial review of such storage to national judges and the European Court of Human Rights.

Cause for the ruling

In all four Dutch cases citizens refused to give their fingerprints (and facial scans) when they requested a new Dutch passport or ID card. For this reason, their requests for a new passport or ID card were rejected. In 2012, their subsequent lawsuits ended up before the Dutch Council of State (Raad van State), which decided to ask the EU Court to clarify relevant European law (European Passport Regulation) before coming up with its own ruling. Subsequently, in 2013, the EU Court judged in a similar German case that the obligation to give one's fingerprints under the Passport Regulation is not unlawful. However, in this case, the EU Court failed to carry out a thorough review on the basis of the privacy-related legal requirements of necessity and proportionality. Moreover, the EU Court refused to merge the (more substantiated) Dutch cases with the German one, even though this was an explicit request from the Council of State. The ruling of the EU Court in the German case presented the Council of State (along with 300 million European citizens) with a disappointing fait accompli. During the case before the EU Court at the end of 2014, new arguments and new evidence in the Dutch cases fell on deaf ears: the EU Court wished not to deviate from the German case and appeared uninterested in the, by now, proven lack of necessity and proportionality of taking fingerprints (low passport fraud rates) and the enormous error rates when it comes to the biometric verification of fingerprints (25-30%). In that sense, the current ruling of the EU Court comes as no surprise to the Privacy First Foundation.

Bright spot: ID card without fingerprints

The only chink of light in the ruling of the EU Court is the confirmation that national ID cards don't fall within the scope of the European Passport Regulation. The Dutch government seemed to have already been anticipating this judgment by ending the compulsory taking of fingerprints for ID cards as of January 20, 2014. In this respect, the ruling of the EU Court doesn't bring any change to the current situation in the Netherlands, but it does confirm that the introduction of ID cards without fingerprints at the start of 2014 was the right choice of the Dutch government. Most other EU Member States have never actually had ID cards with fingerprints; under the European Passport Act, the compulsory taking of fingerprints only applied to passports. The fact that between 2009 and 2014 the Netherlands wished to go further than the rest of Europe was therefore at its own risk.

EU Court leaves judgement on database storage of fingerprints to national judges and the European Court of Human Rights

The EU Court in Luxembourg rules that possible storage and use of fingerprints in databases doesn't fall within the scope of the European Passport Regulation and leaves the judicial review of such storage to national judges and the European Court of Human Rights in Strasbourg. However, in various (over a dozen) pending individual cases in the Netherlands against the Dutch Passport Act, administrative judges have so far always decided that such judicial review falls outside of their powers, as the relevant provisions of the Passport Act have not (yet) entered into force. It's now up to the Council of State to adjudicate on this matter. At the same time, the Dutch Supreme Court is currently looking into the collective civil Passport Trial of Privacy First and 19 co-plaintiffs (citizens), where such judicial review has already successfully been carried out by the Hague Court of Appeal and is now before the Supreme Court. In February 2014, the Hague Court of Appeal rightly judged that central storage of fingerprints is in breach of the right to privacy. In that sense the case of Privacy First is in line with the EU Court: review of database storage by a national judge, possibly followed by the European Court of Human Rights. Current individual cases before the Council of State may soon be resumed before the European Court of Human Rights as well. Privacy First hopes that this complex interaction between different judges will lead to the desired results with regard to privacy: a repeal of the taking and storage of fingerprints for passports!

Read the entire ruling of the EU Court HERE.

Update 17 April 2015: unfortunately, the ruling of the EU Court led to a lot of misleading media reporting in the Netherlands through Dutch press agency ANP (for example in Dutch national newspaper Volkskrant). Better comments can be found at the website of SOLV Attorneys, in this blog post by British professor Steve Peers and in Dutch newspaper Telegraaf, translated below:

"Monstrosity.

A database with fingerprints, relinquished by people who request a new passport, seems to have come a step closer. This could be deduced from a ruling of the European Court of Justice.

The Council of State asked the judges in Luxembourg for an opinion on four cases of citizens who refused to give their fingerprints. They appealed not getting a passport because of this. In a similar German case, the EU Court ruled that the compulsory taking of fingerprints isn't unlawful under European law.

Yesterday, the EU Court ruled in the Dutch case that the storage of fingerprints is a responsibility of the Member States. So the national judge will have to review this. As the only Member State, the Netherlands wanted a central register of fingerprints: a register that would even be accessible by secret services. The Passport Act that regulated this has not yet entered into force and last year the Hague Court of Appeal ruled that the central storage is in breach of the right to privacy.

Research points out that such a database brings along many risks, varying from security leaks to improper use and criminal manipulation. This proves that the whole system is a monstrosity that should never be introduced." 
Source: Telegraaf 17 April 2015, p. 2.

Published in Biometrics

On Thursday 28 February 2013 there will be an important debate about the Dutch 'OV-chipkaart' (Public Transport chip card) in the Dutch House of Representatives (permanent commission for Infrastructure and Environment). In preparation for this debate the Privacy First Foundation today brought the following points to the attention of relevant Dutch Members of Parliament:

  1. The 'anonymous' OV chip card is not anonymous because it contains a unique identification number in the Radio Frequency Identification (RFID)-chip with which travellers can be identified and tracked afterwards through the linking of transaction data. In the view of Privacy First, this constitutes a violation of two human rights, namely the freedom of movement in conjunction with the right to privacy, in other words the classic right to travel freely and anonymously within one’s own country. Privacy First is eager to learn from the House of Representatives as well as the responsible member of government which steps have already been taken for the introduction of an anonymous OV chip card that is truly anonymous, for example through the development of new chip technology and modern forms of encryption without a unique identification number (privacy by design).
  2. As long as (truly) anonymous OV chip cards and anonymous discount cards do not exist, printed travel tickets are to remain available for travellers who want to travel anonymously. Moreover, a special, anonymous discount card for children and elderly people should also be introduced.
  3. Compulsory check-ins and check-outs for students carrying student OV chip cards contravene the right of students to travel freely and anonymously. Compulsory check-ins and check-outs therefore have to be abolished.
  4. The planned closure of turnstiles at Dutch National Railway stations (Nederlandse Spoorwegen, NS) constitutes an unnecessary restriction to people's freedom of movement and can lead to dangerous situations in the event of calamities. It also creates unsafe situations in individual cases, for example for children, elderly people, ill or incapacitated people who need to be accompanied through the station by family or friends. Therefore Privacy First makes an urgent appeal to leave the turnstiles open at all times or to get rid of them and replace them with anonymous check-in and check-out poles.
  5. The current retention period of OV chip card data should be reduced to an absolute minimum. Moreover, travellers should be offered the option to erase their travel history at any given moment.
  6. The OV chip card dramatically increases costs for travellers, either when purchasing a chip card, when forgetting to check out, in the event of a malfunctioning card or check-out pole or when deciding to travel anonymously with a printed ticket. Privacy First is eager to hear from the House of Representatives as well as the responsible government member which measures will be taken to make travelling with an OV chip card cheaper while preserving people's privacy.
Published in Mobility

This week the Dutch House of Representatives will vote on a legislative proposal on the taking of 10 fingerprints of all foreigners (immigrants) for criminal investigation and prosecution purposes. This legislative proposal originally dates back to March 2009, the period in which all the Dutch government could come up with was privacy-intrusive legislation. The Privacy First Foundation deems this legislative proposal to be in breach of the right to privacy and the prohibition of self-incrimination. Below is the email that Privacy First sent to relevant Members of Parliament this afternoon:

Dear Members of Parliament,

Next Tuesday you will cast your vote on a legislative proposal aimed at extending the use of biometric features (fingerprints, facial scans) of immigrants. Hereby the Privacy First Foundation advises you to vote against this legislative proposal, especially in light of its disproportionate character. This disproportionality is demonstrated by the lack of relevant statistics and the relatively low fraud figures mentioned in the annotation to the legislative proposal dated 13 July 2012 by former Minister for Immigration, Integration and Asylum Gerd Leers (Christian-democratic party CDA).[1] As with all human rights, any infringement of the right to privacy (Article 8 of the European Convention on Human Rights, ECHR) requires a concrete statistical necessity instead of vague suspicions and wishful thinking. Therefore, it is all the more worrying that under this legislative proposal the prints of as many as 10 fingers will be taken of every immigrant to ‘compensate’ for the fact that the biometric technology is inadequate to suffice with just one or two fingerprints. However, are these 10 fingerprints not actually meant to serve the interests of criminal investigation behind this legislative proposal...? In this respect, a comparison could be made with the following consideration by the Minister of Justice Benk Korthals (Dutch political party VVD), dated 10 December 2001:

‘‘In response to the question by the CDA, I am not prepared to proceed to the taking of fingerprints of all Dutch citizens in the interests of criminal investigation. This would be disproportionate, considering for example the number of print cases offered on an annual basis, in the whole of the Netherlands around 10,000. Furthermore, it is basically impracticable because prints have to be made of all ten fingers and possibly the hand palms for them to be of any use for criminal investigation. Apart from the administrative processing and control, this would require too big a drain on police resources. In the context of the new ID card, a new biometric feature such as a fingerprint will possibly be adopted. This will be about determining whether the holder of the ID card is in actual fact the very person that is mentioned on it. Perhaps just one fingerprint will be enough for that, but that is absolutely insufficient for criminal investigation.’’[2]

In other words: under the guise of combating fraud, with this legislative proposal a centralised search register of immigrants is created, exactly in the same way that this was about to happen a few years ago with the fingerprints of all Dutch citizens. Privacy First assumes that the various reasons why this last project was reversed midway through 2011 at the insistence of your Parliament (!) are known to you and apply just as much for the current legislative proposal. In addition, this proposal has a stigmatizing effect since it causes a whole population group (immigrants) to be seen as potential suspects. This creates an inversion of the presumption of innocence and conflicts with the prohibition of self-incrimination. In that sense the legislative proposal constitutes a collective violation of both Article 6 (nemo tenetur) and Article 8 ECHR (privacy and physical integrity). With regard to the Passport Act, this has led to a Dutch and European snowball effect of lawsuits since 2009. Therefore, Privacy First hopes that the House of Representatives has the progressive insight to prevent a repetition of this history.

Yours sincerely,

The Privacy First Foundation

[1] See Annotation on account of the report, Parliamentary Documents II, 2011-2012, 33192, no. 6, at 2-3, 5-6, 23, 25-27.

[2] Letter of the Minister of Justice (Benk Korthals) dated 10 December 2001, Parliamentary Documents II, 2001-2002, 19637 (Policy on refugees), no. 635, at 7.

Update 29 January 2013: the legislative proposal (no. 33192) has unfortunately been accepted by the House of Representatives this afternoon (video; starting at 19m36s). Dutch political parties D66, SP, ChristenUnie and the Party for the Animals voted against. Read also the report by Privacy Barometer and today’s article in newspaper NRC Handelsblad. Next stop: the Senate...

Update 29 January 2013, 21:45: Left-wing party GroenLinks ('GreenLeft') has notified that it had intended to vote against and will have the voting record corrected.

Update 30 January 2013: today GroenLinks notified the House of Representatives of its vote against the legislative proposal.

Update 31 January 2013: the article in NRC Handelsblad was also published in the affiliated newspaper NRC Next. Read also today's article in newspaper Nederlands Dagblad.

Update 8 February 2013: for the current status of the legislative proposal in the Dutch Senate, click HERE.

Update 6 March 2013: today Privacy First has sent a similar version of the email above to the Commission for Immigration and Asylum of the Dutch Senate.

Published in Law & Politics

The appeal by Privacy First and 19 citizens against the Dutch government takes place today. Privacy First is of the opinion that the new Dutch Passport Act violates the right to privacy. Despite criticism from the Dutch House of Representatives, the Dutch government recently decided to push this controversial law ahead. The case of Privacy First primarily concentrates on the centralised storage of fingerprints. This lawsuit is the first of its kind.

Clarification
On February 2, 2011, the Privacy First Foundation and 21 co-plaintiffs (citizens) were declared inadmissible by the district court of The Hague in our civil case against the Netherlands regarding the 2009 Dutch Passport Act. A proposal by the Dutch Minister of the Interior, Ms. Liesbeth Spies, to revise the Passport Act has been presented to the House of Representatives on 17 October this year. However, in this legislative proposal the original provision (Article 4b) concerning a centralised database remains intact for the greater part. Under this provision, biometric data of every Dutch citizen will be used for criminal investigation and prosecution purposes as well as intelligence work, disaster control and counter-terrorism. This constitutes a flagrant violation of, among other things, European privacy law. Efforts by individual citizens to challenge this through individual administrative court cases have thus far not yielded any results, since the administrative courts proved unwilling to evaluate the provision in question. Nevertheless, the Dutch Council of State (Raad van State) has recently made a preliminary reference to the European Court of Justice in Luxembourg regarding the European Passport Regulation. In anticipation of the Court’s response, all Dutch administrative proceedings have been put on hold for at least one and a half years, which means that protesting citizens have to fend for themselves during that period without valid identity documents. Enough reason for Privacy First to again haul up the civil-law sails in the public interest and to appeal in our Passport Act lawsuit.

To that end we have today presented our Statement of Appeal to the Court of Appeal in The Hague. In this Statement Christiaan Alberdingk Thijm and Vita Zwaan (SOLV Attorneys) outline why Privacy First and co-plaintiffs have to be declared admissible. Subsequently, it will be possible for the Passport Act to be legally scrutinized in its entirety by the court and be measured up against higher law, including European privacy legislation. Our entire Statement of Appeal can be downloaded HERE (in Dutch). The Appeals Court of The Hague is expected to deliver its judgment before the summer.

Urgent appeal
Privacy First makes an urgent appeal to all Dutch citizens to contribute to the financing of this lawsuit. This can be done by donating on account number 49.55.27.521 attn. Stichting Privacy First in Amsterdam, mentioning the following reference: ‘Paspoortproces’. We kindly thank you for your support!

Published in Litigation

This afternoon the Privacy First Foundation sent the following email to the Dutch Senate: 

Dear Members of the Senate,

Recently the international Amsterdam Privacy Conference 2012 took place. In his opening speech at this conference, Dutch politician Lodewijk Asscher principally addressed the current legislative proposal of regulating prostitution. Asscher voiced the expectation that the envisaged registration of prostitutes will lead to lawsuits that will end up before the European Court of Human Rights in Strasbourg. The Privacy First Foundation shares this expectation. Therefore, we hereby make an urgent appeal to you not to let things get this far and to reject the legislative proposal during the plenary discussion this coming Tuesday, October 30th. Privacy First does so on the following grounds:

1. Compulsory registration of prostitutes will lead to a shift of prostitution to the illegal circuit. Thereby this legislative proposal will prove to be counterproductive, with all the risks this entails. The social (legal) status of prostitutes will become further weakened instead of strengthened.
2. Compulsory registration of prostitutes violates the right to privacy because it concerns the registration of sensitive personal information. This is prohibited under Article 16 of the Dutch Data Protection Act and is in breach of Article 8 of the European Convention on Human Rights.
3. Registration of prostitutes has a stigmatizing effect. Moreover, the security of this registration cannot possibly be guaranteed and there is also the danger of function creep. Therefore, the supposed advantages of registering do not outweigh the risks of data breaches, hacking, unauthorised and unforeseen use - now and in the future. This, in turn, also implies new risks of abuse and blackmailing.  
4. Combating criminality and human trafficking ought not to happen through the risky registration of prostitutes, but rather through more effective criminal investigation, prosecution and adjudication of the culprits without putting the victims in danger. For that purpose it is up to the Minister to develop alternative, privacy-friendly instruments in consultation with relevant NGOs.

We are willing to supply further information on the above points upon request.

Yours sincerely,

Privacy First Foundation

Update 30 October 2012: this afternoon the Senate heavily criticised (especially) the privacy aspects of compulsory registration of prostitutes. As a result, Minister Ivo Opstelten has decided to reconsider his approach to the issue. It now seems that compulsory registration is shelved. The discussion on other parts of the legislative proposal is postponed until further notice. Click HERE for an audio recording of the parliamentary debate (in Dutch) until its suspension (mp3, 2h53m, 119 MB).

Published in Law & Politics

For the past few days there has been justified commotion over two new Dutch government plans that will grossly invade people's privacy. The first one is a plan by Dutch Minister for Immigration, Integration and Asylum Affairs Gerd Leers of the Christian-democratic party CDA to start creating automatic risk profiles of every airplane passenger. Before going on a business trip or on vacation, you will get a little green, yellow, orange or red flag behind your name. Without you knowing it. This is no hint at a surprise party, no, it’s because in the eyes of the Dutch government you may be a dangerous terrorist. At Schiphol Airport you are hopefully amongst those who can quickly go past the security checks for people with green flags. In case you have a different flag you’ll be taken aside, thoroughly checked and interrogated and as a consequence you might miss your flight. The legislative proposal hasn’t yet been sent to the Dutch House of Representatives, but the government is already starting to build the corresponding central infrastructure (PARDEX). This is the state of democracy in the Netherlands in 2012.

The second plan has been concocted by Dutch State Secretary for Social Affairs and Employment Paul de Krom of the liberal party VVD. In terms of protection of privacy, De Krom happens to be just as uncompromising: his idea is to create comprehensive profiles of everyone entitled to social welfare from now on, on the basis of all the possible databases that can be linked to the municipal population register. In case an anomaly is found in your digital profile, you immediately appear on the radar of a central control room, a sort of Central Command for public benefits. Subsequently, it’s up to you to prove something’s not right with your profile, otherwise you may lose your benefit.  

Both proposals are all about profiling: creating and keeping up-to-date detailed risk profiles of ordinary citizens. In an ocean of information that for 99% derives from innocent people, Leers and De Krom are hoping to catch that 1% of (potential) troublemakers. (Do you remember 'The One Percent Doctrine' by Dick Cheney?) In other words, it’s an inversion of the classic principle that the government is only allowed to intrude upon your privacy once there’s a reasonable suspicion of a crime. After all, through profiling everyone is treated as a (potential) suspect beforehand. This effectively turns the right to privacy into fiction.

Yesterday night this topic was discussed on Dutch radio programme Dichtbij Nederland (‘Close to the Netherlands’) on NTR, Radio 5. Apart from Vincent Böhre of Privacy First, two experts took part in the debate: criminologist Marianne van den Anker (former municipal councillor of the regional political party Leefbaar (‘Livable’) Rotterdam, dealing with security) and Marc Jacobs (writer and former police commissioner). The whole discussion can be listened to HERE (starting at 17m48s).

Published in Profiling
Monday, 19 December 2011 12:40

The Catalogue: having a good time shopping?

'The customer is king.' But does this saying also apply when during shopping you are completely screened and profiled by cameras, databases and Radio Frequency Identification (RFID) tags? Without you knowing it and without being able to do anything about it? How kinglike is that? A short film by British video artist Chris Oakley shows a shopping mall where everyone is unwittingly reduced into a digital consumption profile: click HERE to watch the video 'The Catalogue' (2004). Will this become the shopping mall of the future? Certainly not if it were up to Privacy First to decide. After all, as a customer you should remain king, and that includes remaining king over your own 'profile'.

Published in Art Collection

This afternoon Privacy First sent the following letter to the Electronic Health Record spokespersons in the Dutch House of Representatives:

‘‘Dear Members of Parliament,

Recently the Senate, quite rightly, unanimously rejected the legislative proposal to introduce a national Electronic Health Record (Elektronisch Patiëntendossier, EPD), especially in light of the enormous privacy risks this EPD would entail. It is therefore with great concern that Privacy First has taken note of developments that indicate a possible restart of that very same EPD along a private, extra-parliamentary route. Such a restart is not only disdainful with regard to our democratic process, it is also a denial of the risks and worries on the basis of which a legal introduction of a national EPD recently did not go ahead. To this end, Privacy First makes an urgent appeal to you to call a halt to this development and to call the relevant persons in charge to account. From a privacy-legal point of view, Privacy First is of the opinion that the Dutch government remains unabatedly responsible for any privacy-infringements that will result from a private, national EPD, especially in light of the fact that such a system has been emphatically rejected by the Senate for privacy reasons.    

In line with the recently adopted Franken motion, in this respect Privacy First also urges you to have an independent, public Privacy Impact Assessment (PIA) carried out as soon as possible with regard to both 1) a national EPD as envisaged by the private parties involved as well as 2) possible alternatives for this national EPD. In carrying out this PIA, necessity, proportionality, subsidiarity and freedom of choice are to be guiding criteria. Privacy by design and privacy enhancing technologies, among which for instance technologically advanced patient cards or personal health records, are to fulfil an important role in such a PIA. Until the moment the PIA has been rounded off, no irreversible steps towards a private restart of the national EPD are to be taken.

In the view of Privacy First, the National Switch Point (Landelijk Schakelpunt, LSP) of the national EPD is to be transformed to small-scale, regional systems in accordance with the desire of the Senate. For regional exchange of data an LSP is unnecessary: to this end regional switch points are sufficient, possibly complemented by supra-regional 'push-communication'. This enhances security and reduces the risks of abuse that are inherent to a national EPD.’’

Published in Medical Privacy
Thursday, 26 May 2011 22:56

DigiMe – Identity in the Digital Age

‘I’ve got nothing to hide’ is what people say who have never had to deal with the consequences of loss of data, an annoying agency or an uncooperative government. Perhaps that’s naive, but why would you worry about something that won’t happen to you anyway?

At the end of the day, though, everyone will reach a turning point and realize that privacy – the right to have a private life – is actually important. Some people may have reached this point with the introduction of compulsory identification; today many people scratch their heads when they have their fingerprints taken for an ID card. For Mariette Hummel it concerned the simple fact that she found her address and mobile telephone number on the internet. That’s why Mariette has started the DigiMe project, taking a close look at her own profile to find out which digital traces she has left behind.

Take a look at her website and in case you wonder exactly what kind of information goes around on the internet, then please consider contributing to this research project.

Published in Identity Theft

This afternoon a long-awaited irrevocable decision has been made: the introduction of the national Electronic Health Record (Elektronisch Patiënten Dossier, EPD) was unanimously rejected by the Dutch Senate. After 14 years and spending 300 million euros, the national EPD has ended up where it should have been years earlier: at the Scrapyard of Draconian Laws. Two years ago the Dutch House of Representatives accepted by a large majority the same plan for the national exchange of very sensitive patient’s data: almost all of the large Dutch political parties, namely PvdA, GroenLinks, D66, VVD, ChristenUnie, SGP and CDA voted in favour. This afternoon all these parties made a historic U-turn. Even the Christian-democratic CDA now seems to be cured. Progressive insight? Who knows... In any case, this development fits in with a wider trend that has been ongoing for a year and which sees politics being increasingly considerate about the privacy of citizens. Privacy First welcomes this development and expects that many other privacy-violating laws will equally be rejected.

Published in Medical Privacy