It’s of paramount importance that the Netherlands leads the way not only in terms of digitalization, but also in the field of digital privacy. Public authorities should make people aware of the privacy risks in the digital world and set a good example by providing sufficient privacy-friendly alternatives to existing apps and platforms. This call was made today by a broad coalition of organizations and companies – the Privacy Coalition – to members of the Dutch House of Representatives, who were handed a manifesto. 

The new Privacy Coalition notes in a joint manifesto that more and more digital platforms, services and apps are collecting users’ data without them realizing it. Those data are resold and integrated and then used to track people, follow their online behavior and influence them. “This creates digital profiles on the basis of which companies and even public authorities make decisions that have a major impact on our lives, without us being able to influence it”, the coalition states. It also warns of further polarization in society because people are no longer in control of what information they can and cannot see online.

Freedom of choice

Legislation is being drafted at both the European and national level to curb the unbridled use of personal data. But regulations and supervision alone will not be enough; developments are so rapid that we will always be lagging behind, the Privacy Coalition asserts.

The Privacy Coalition is calling on the Standing Committee on Digital Affairs of the Dutch House of Representatives to much more actively raise awareness among the citizenry about the importance of digital privacy. Public authorities, but also the business community, could set a good example by only using digital platforms and services that respect privacy. The coalition also advocates greater support for privacy-friendly alternatives to existing apps and platforms, so that people have freedom of choice.

High price

“Digital platforms are becoming more adept at collecting data from users without being transparent about it”, says Haykush Hakobyan of Privacy First, one of the initiators of the Privacy Coalition. “People believe many services are offered for free, but they are unknowingly paying a high price with their personal data. We need to stop that trend now. It is a social responsibility of companies, public authorities and other organizations to actively promote digital privacy. There are plenty of technological possibilities to be active in the digital realm without having your privacy violated.”

Hakobyan called on the House of Representatives to organize a technical briefing with providers of privacy-friendly solutions. “Recently, the House held a hearing with Google and Facebook, among others. It is now time to consult with parties that do respect people’s privacy.” The Privacy Coalition invited the Committee on Digital Affairs to continue the conversation with stakeholders and seek solutions.

“As far as I’m concerned, privacy is non-negotiable”, commented Lisa van Ginneken upon receiving the manifesto. Van Ginneken is a member of the Digital Affairs Committee on behalf of D66. “It is a basic principle that guarantees our freedom and our right not to be spied upon either in physical space or on the Internet. Digital human rights should not be the final element, but rather the starting point of any technological development.”

You can read the current manifesto of the Privacy Coalition and all co-signatories HERE.

Would your company or organization like to support the Privacy Coalition’s call? Then This email address is being protected from spambots. You need JavaScript enabled to view it.!

https://www.privacycoalitie.org 

Published in Online Privacy

Over a decade ago, around the years 2009-2011, there was enormous social resistance in the Netherlands to a centralized database containing the biometric data (fingerprints and facial scans) of all Dutch citizens. The development of that database was halted in early 2011 over privacy concerns. However, the Dutch State Secretary for Digital Affairs, Alexandra van Huffelen, now seems intent on introducing such a database after all. Below you find the first response of Privacy First to the recent internet consultation on this wretched plan: 


Your Excellency, 

The Privacy First Foundation was perplexed to learn of your intention to amend the Dutch Passport Act in order to create a centralized database of everyone's biometric data (including facial scans and – for the time being – ‘temporary’ fingerprints). This comes after the original plan for such a database was binned in 2011, and rightly so, following two years of large-scale resistance from all sections of Dutch society and all sorts of legal, political, administrative and technical objections. Back then, not a single public official could be found even within the Dutch Ministry of the Interior who dared to openly advocate the development of such a database. In the years since, this ‘progressive insight’ within your ministry has apparently disappeared entirely, which is remarkable at a time when international developments compel you not to forget the historical lessons about the risks of centralized population registers. A centralized biometric database inevitably creates an extremely risky target for people with malicious intent. The necessity and proportionality of such a database are not amply elaborated in the draft Explanatory Memorandum to the current Bill, in fact, are not elaborated at all and, for that matter, are inconceivable. Moreover, experience has shown that such databases will always be used and abused over time for all kinds of unforeseen purposes (function creep) and that original retention periods will be stretched further and further. In this context, Privacy First would like to remind you of the fact that the previously planned centralized biometric database included clandestine, secluded access to the Dutch secret services (who, to this end, were also involved in the development of this database), one of which – the General Intelligence and Security Service (AIVD) – in the end considered the realization of this database too hazardous. There is no reason to believe the considerations of that time should not apply today.

Fingerprints 

Ever since Privacy First was founded in 2008, we have opposed the mandatory collection of fingerprints for passports and identity cards. Since the introduction of the new Passport Act in 2009, Privacy First has done this through lawsuits, campaigns, Freedom of Information Act requests, political lobbying and outreach to the media. Despite the subsequent termination of the (planned) centralized storage of fingerprints in both a national and municipal databases in 2011, fingerprints are still taken of everyone applying for a passport and again also for Dutch identity cards (under the new EU regulation on strengthening the security of identity cards), after this requirement was abolished in 2014. To date, however, all of the millions of fingerprints collected from virtually the entire Dutch adult population have in practice not been used, or have hardly been used as this had already proved to be technically unsound and unworkable in 2009. The compulsory collection of everyone’s fingerprints under the Passport Act is therefore still the most massive and longest-lasting privacy violation that the Netherlands has ever known. Against this background, we request you to withdraw the present draft bill and to replace it with a new bill to abolish the taking of fingerprints under the Passport Act, even if that runs counter to European policy. Please take the following into account: 

1. Already in May 2016, the Dutch Council of State (Raad van State) ruled that fingerprints in Dutch identity cards violate the right to privacy due to a lack of necessity and proportionality, see https://www.raadvanstate.nl/pers/persberichten/tekst-persbericht.html?id=956.

2. Freedom of Information Act requests from Privacy First have shown that the phenomenon to be defeated (lookalike fraud through passports and identity cards) is so small in scale that the compulsory taking of everyone’s fingerprints to make an end tot this problem, is completely disproportionate and therefore unlawful. See https://www.privacyfirst.nl/rechtszaken-1/wob-procedures/item/524-onthullende-cijfers-over-look-alike-fraude-met-nederlandse-reisdocumenten.html.

3. The fingerprints in passports and identity cards previously had a biometric error rate of no less than 30%, see https://zoek.officielebekendmakingen.nl/kst-32317-163.html (State Secretary Fred Teeven, January 31, 2013). Before that, Minister Piet Hein Donner admitted there’s an error rate of 21-25%: see https://zoek.officielebekendmakingen.nl/kst-25764-47.html (27 April, 2011). How high are these error rates in 2022? 

4. Partly because of the aforementioned high error rates, the fingerprints in passports and identity cards have hardly been used to date, neither in the Netherlands nor at the national borders or airports.

5. Because of these high error rates, former State Secretary Ank Bijleveld instructed all Dutch municipalities as early as September 2009 to refrain in principle from fingerprint verifications when issuing passports and identity cards. In the event of a ‘mismatch’, the ID document concerned would have to be returned to the passport manufacturer, which would lead to rapid social disruption if the number of such cases were high. In this context, the Ministry was also concerned about possible large-scale unrest and even violence at municipal counters. These concerns and the instruction of State Secretary Bijleveld still apply today.

6. A statutory exception must still be created for people who, for whatever reason, do not wish to have their fingerprints taken (biometric conscientious objectors, Article 9 ECHR).

For further background information on the biometric passport, see the report by the Advisory Council on Government Policy (WRR) titled ‘Happy Landings’, written in 2010 by the undersigned. Partly as a result of this critical report (and large-scale legal action by Privacy First against the Passport Act), the decentralized (municipal) storage of fingerprints was largely abolished in 2011 and the planned centralized storage of fingerprints was discontinued.

We sincerely hope that it will not have to come to another lawsuit by Privacy First to turn the tide. 

If desired, we would be happy to elaborate on the above aspects in greater detail.


Yours sincerely,

Privacy First Foundation 


Source: https://www.internetconsultatie.nl/biometrischegegevenspaspoortwet/b1 --> reacties --> reactie directeur Privacy First (Vincent Böhre) dated May 31, 2022.

Published in Law & Politics

CEDO, a newly established Coalition for Fair Digital Education in the Netherlands, has recently launched a manifesto and a petition for privacy-friendly education. The coalition consists of parents, teachers, IT professionals and privacy advocates. Privacy First has for years been concerned about the increasing lack of privacy of children and school pupils. We therefore strongly support this initiative.

CEDO notes that public education – i.e. today’s digital learning systems – are dominated by a handful of tech giants and is deeply worried that fundamental rights, such as the privacy of children, parents and teachers, cannot be adequately safeguarded.

Whether it concerns the processing and storage of digital educational projects or the use of email services, online notepads and video tools, the digital infrastructure of Dutch education is almost entirely in the hands of foreign companies such as Google and Microsoft. This can be convenient – it allowed for homeschooling to come off the ground quickly during the first Covid lockdowns for example – but these companies restrict the right to privacy and are not transparent about what happens with the data they collect.

The presence of Big Tech in education means that digital security of pupils cannot be guaranteed by schools. In fact, children lose control over their data as early as kindergarten. They are offered only limited and one-sided knowledge of the products they use, instead of the (digital) skills to learn critical thinking.

The coalition therefore advocates an alternative way of designing digital learning environments, one that does indeed safeguard public values and autonomy in education.

Digital education must and can be organized differently! 

Sign the petition HERE and support the manifesto!

Published in Online Privacy

Today – European Data Protection Day – the Dutch Privacy Awards were handed out during the National Privacy Conference, a joint initiative by Privacy First and Dutch Platform for the Information Society ECP. The winners of the 2022 Dutch Privacy Awards are:
- Street Art Museum Amsterdam (SAMA)
- Quodari
- Summitto
- Center for Information Security and Privacy Protection (CIP).

The Dutch Privacy Awards provide a platform for companies and government agencies that see Privacy as an opportunity to positively stand out and make privacy-friendly entrepreneurship and innovation the norm. "These Awards have been handed out each year since 2015 and every time the jury nominated special, innovative and inspiring candidates. That’s been no different in 2022. Most of the time, privacy becomes a news item only when things have gone terribly wrong, when hefty fines are issued or certain parties incur serious reputational damage in court. In this respect, it would be a good thing if more attention would go out to ‘the bright side of privacy’ – to solutions that save time and money, strengthen trust, offer insights to people who need it and increase the overall effectiveness of various sorts of applications. The Dutch Privacy Awards are there to put the most inspiring initiatives in the spotlight and give these the recognition they deserve," said Awards jury chairman Wilmar Hendriks.

Nominations  

There are four categories in which applicants are awarded:

1. the category of Consumer solutions (business-to-consumer)

2. the category of Business solutions (within a company or business-to-business)

3. the category of Public services (public authority-to-citizen)

4. The incentive Award for a groundbreaking technology or person.

From the various entries, the independent expert panel chose the following nominees per category (listed in arbitrary order):

  1. Scoor voor je Club
  2. Summitto
  3. Privacy Rating
  4. PiM, the Personal identity Manager by KPN
  5. Street Art Museum Amsterdam (SAMA) 
  6. Quodari
  7. Shuttercam. 

During the National Privacy Conference all nominees presented their projects to the digital audience in Award pitches. Thereafter, the Awards were handed out. Click HERE for the entire expert panel report (pdf in Dutch), which includes participation criteria and explanatory notes on all the nominees and winners.

WINNER Consumer solutions: Street Art Museum Amsterdam (SAMA) 

Connecting privacy and art in a project that aims to raise awareness among neighborhood residents is unique and pleasantly surprised the jury. With its Privacy Project, SAMA allows such themes as privacy, digital rights, anonymity on the internet and the impact of technology on society to capture the imagination. More than 80 artists were invited to create a design for a mural, and out of their designs three were chosen to actually be produced on the streets. Local residents were involved in the choice for the design through voting.

Offering critical reflections through their art, artists encouraged residents to think about the issue of privacy. Raising awareness was in fact one of the main goals of this project. For SAMA, the project was a new adventure that saw murals being created in three vulnerable districts in Amsterdam: Nieuw-West, Noord and Zuidoost.

The jury believes that this project shows that graffiti-art murals can help raise awareness among residents about privacy issues. The whole process whereby residents think about both these issues as well as the realization of the murals equally contributes to give meaning to an abstract concept like privacy.

The jury expresses the wish that this project will be replicated in many other cities and especially in vulnerable neighborhoods where residents are still insufficiently aware of what happens to their personal data, and how important it is to be able to make choices about who you share these data with.

WINNER Business solutions: Quodari

Quodari is a privacy-friendly social media platform that puts users in control of their own data and content. It enables users to share collections of data online with friends, but also to make these data public. Taking European values as point of departure, Quodari aims to be a privacy-friendly alternative to existing social media platforms. Quodari’s business model is based on providing true value for users through additional storage space and other features for business or personal use. Quodari does not aim to attract users to its platform for as long as possible, does not exploit personal data and is free of advertising. In this way, privacy risks on the platform are reduced and financial conflicts of interest are avoided. Quodari is a Dutch initiative launched in 2021. The company expects a European rollout as well as the start to a new marketing campaign this year.

In the jury’s opinion, Quodari is a successful attempt to provide an alternative to existing social media platforms, where privacy is paramount and users truly control their own data. With Quodari, users who attach great importance to their privacy have a fair alternative to what Big Tech has to offer. That was the primary reason for the jury to grant Quodari a Dutch Privacy Award.

WINNER Public services: Summitto 

Summitto develops software for tax authorities to combat VAT fraud. Whereas existing solutions collect massive amounts of data that are often stored in plain text in a centralized way, this solution ensures that VAT fraud can be fought without actually storing data. Summitto’s method is based on modern cryptography to optimally protect invoicing. The product is a commercial off-the-shelf product that is open-source and can help tax authorities digitize VAT in a privacy-friendly way. Summitto has received grants from Horizon 2020, the EU program for research and innovation. The company is in close contact with a number of key players which in one way or another deal with VAT, including the European Commission, various government bodies and the International Bureau of Fiscal Documentation (IBFD).

With its original approach, Summitto links the social importance of combating VAT fraud with high privacy values. The approach has drawn a lot of attention from experts throughout Europe. The jury is impressed with the practical applicability of the software in combination with its high privacy standards and has therefore declared Summitto the winner in the public services category.

WINNER Incentive Award: Centrum Informatiebeveiliging en Privacybescherming (CIP) 

This year, the jury chose to present the Incentive Award to the Dutch Center for Information Security and Privacy Protection (CIP).

In spite of the pandemic, CIP has over the past year made a tremendous effort to keep its network updated through digital webinars, podcasts, workshops and games that span a range of topics. The center has built up a remarkable database of videos that are accessible to everyone on YouTube. Privacy is an important topic for CIP: up until now it has made public 22 different sorts of productions on this issue.

CIP is a public-private network organization that operates on the basis of the principle "for all, by all". It is made up of a team of passionate professionals who work together with the members of the network and its partners on practical and usable products in the field of privacy protection, ethics and information security. CIP is also on top of the news and is constantly coming up with new hot topics that are proposed by its participants and partners.

The jury expresses its great appreciation for the achievements of CIP and encourages the center to continue with the important work it is doing. Not least because the results of this work are freely accessible to public authorities, industry, organizations and citizens.

National Privacy Conference

The Dutch National Privacy Conference is a ECP|Platform for the Information Society and Privacy First initiative. Once a year, the conference brings together Dutch industry, public authorities, the academic community and civil society with the aim to build a privacy-friendly information society. The mission of both the National Privacy Conference and Privacy First is to turn the Netherlands into a guiding nation in the field of privacy. To this end, privacy by design is key.

These were the speakers during the 2022 National Privacy Conference in successive order:

Marjolijn Bonthuis (ECP deputy director)
Monique Verdier (Dutch Data Protection Authority vice chairwoman)
Martin Vliem (National Security Officer, Microsoft)
Max Schrems (founder of None of Your Business - NOYB)
Haroon Sheikh (senior scientist, Dutch Advisory Council on Government Policy, WRR)
Gry Hasselbalch (cofounder of European ThinkDoTank DataEthics)
Paul Korremans (Privacy First chairman)
Wilmar Hendriks (chairman of the expert panel of the Dutch Privacy Awards).

Both the conference as well as the Awards session – which were livestreamed from Nieuwspoort in The Hague: https://www.nieuwspoort.nl/stream/privacy-first-ecp/ – were moderated by Dutch television host Tom Jessen.

Expert panel Dutch Privacy Awards

The independent expert Award panel consists of privacy experts from different fields, all of whom participated in their personal capacity:

  • Wilmar Hendriks, founder of Control Privacy, chairman of CUIC and Privacy First board member (panel chairman)
  • Paul Korremans (Privacy First chairman)
  • Melanie Rieback, CEO and cofounder of Radically Open Security
  • Nico Mookhoek, legal expert in the field of privacy and founder of DePrivacyGuru
  • Rion Rijker, privacy and IT security expert, partner at Fresa Consulting
  • Magdalena Magala, privacy officer at the municipality of Zaanstad
  • Mathieu Paapst, university lecturer IT law at the University of Groningen and projectlead of cookiedatabase.org
  • Jaap van der Wel, IT expert and legal expert in the field of privacy, managing partner at Comfort Information Architects
  • Erik Bruinsma, legal expert; director Strategy and management advice, Statistics Netherlands (CBS). 

In order to make sure that the Award process is run objectively, panel members may not judge on any entry from their own organization or an organization in which a panel member has an interest.

In collaboration with the Dutch Platform for the Information Society (ECP), Privacy First organizes the Dutch Privacy Awards with the support of the Democracy & Media Foundation and The Privacy Factory.

Preregistrations for the 2023 Dutch Privacy Awards are welcome!

Would you like to become a sponsor or (media) partner of the Dutch Privacy Awards? Then please get in touch with Privacy First! 

 

FG7A4979m
Published in Actions

Recently, the Netherlands Standardisation Forum issued an advice to the government to ensure that public Wi-Fi networks for guest use are always secure. The independent advisory body recommends improving Wi-Fi security by using the WPA2-Enterprise standard. This recommendation applies to all public and semi-public institutions in the Netherlands and therefore has an impact on thousands of Wi-Fi networks.

The Standardisation Forum facilitates digital cooperation (interoperability) between government organizations and between government, businesses and citizens. It is the advisory body for the public sector regarding the use of open standards. According to its own website, all standards that the Forum recommends have been thoroughly tested, lower costs and reduce the risk of internet fraud and data abuse. The recent recommendation came after a request over a year ago by Privacy First and Wi-Fi roaming provider Publicroam. Privacy First and Publicroam requested the Forum to mandate WPA2-Enterprise as the standard for access to guest Wi-Fi. The Standardization Forum then decided to conduct further research, resulting in its current opinion.

Stop offering insecure guest Wi-Fi 

Privacy First chairman Paul Korremans is delighted with the advice: "It took a while, but now there is a clear recommendation. The Standardisation Forum calls for the secure provision of guest Wi-Fi, preferably using the WPA2-Enterprise standard. This recommendation creates clarity for all parties involved in setting up and managing public Wi-Fi networks within government institutions. Moreover, the recommendation will likely have a broader effect: in our view, the Forum is saying that we need to stop offering insecure guest Wi-Fi altogether." 

The Netherlands at the vanguard 

The Standardisation Forum made its decision in the summer of 2021 after several expert meetings and a public consultation. The recommendation was added to the existing obligation around WPA2-Enterprise in early September. The Netherlands is one of the first countries to have such an obligation.

WPA2-Enterprise 

Experts consider the standard WPA2-Enterprise (and its successor WPA3-Enterprise) to be the most suitable method for achieving secure Wi-Fi access. The standard is mandatory for Wi-Fi access for government employees and is widely used by businesses and educational institutions among others. Because it is a long-standing open standard, it is widely available and easy to implement.

Published in Online Privacy

A coalition of civil rights organizations in the Netherlands that had previously won a lawsuit against System Risk Indication (SyRI) is calling on the Dutch Senate to reject an even more sweeping Bill dubbed ‘Super SyRI’. According to the parties, the proposal is on a collision course with the rule of law while the Dutch government refuses to learn lessons from the childcare benefits scandal, one of the largest scandals in Dutch politics in recent decades.

The Data Processing by Partnerships Act (Wet Gegevensverwerking door Samenwerkingsverbanden, WGS) enables Dutch government agencies and companies to link together the data stored about citizens and companies through partnerships. Public authorities and companies that take part in such cooperative frameworks are obliged to pool together their data. This should help in the fight against all kinds of crime and offenses.

Under the Act, it is not just data that companies and public authorities share with each other. Signals, suspicions and blacklists are also exchanged and linked together. On the basis of this form of shadow record-keeping, these parties can coordinate with each other enforcement ‘interventions’ against citizens who end up in their crosshairs.

Public authorities and companies targeting citizens through data surveillance

In order to enable the large-scale sharing of personal data between public authorities and companies, the Act casts aside numerous confidentiality obligations, privacy rights and legal safeguards that have traditionally applied to the processing of personal data. This leads to a "far-reaching, large-scale erosion of the legal protection of citizens", according to the opposing coalition of which Privacy First is a member: "If this Bill is adopted, the door will be left wide open for the executive branch of the government and private parties to subject both citizens and companies to arbitrary data surveillance."

Through the Act, the Dutch government also wants to create the possibility to start new partnerships in case of ‘urgency’, without providing Parliament the opportunity of examination. The Dutch House of Representatives will be informed about such partnerships only after their establishment, then having to decide whether to pass them into law. This is contrary to the Dutch Constitution, which stipulates that legislation approved by Parliament should include privacy protections. The parties find it unacceptable that Parliament is not involved in the formation of new partnerships and can decide on them only after they have been established.

Legitimizing unlawful practices that have lasted for years

In addition to the possibility of establishing new partnerships, the Act includes four partnerships that have been around for years, but have never been laid down in law. The cabinet now wants to retroactively create a legal basis for these partnerships.

The parties that brought legal proceedings against System Risk Indication (SyRI) point out that SyRI, which was prohibited by the court, was also used for years without a legal basis. According to the parties, there are strong similarities with the partnerships that the new Bill is now intended to legitimize: "Drastic practices in which personal data are processed in violation of the fundamental rights of citizens were set up as a trial and continued for years, only to be given a legal basis as a fait accompli. Fundamental rights that should protect citizens against unjustified government action thereby become mere obstacles for the government to overcome."

Risk assessments, blacklists and suspicions

The coalition previously wrote that the practices under the Act are in many ways similar to the data processing that preceded the childcare benefits scandal that sent shock waves through Dutch society. Based on secret data analyses, lists of citizens who had been falsely labeled by the tax authorities as criminal fraudsters were distributed through various agencies, ruining the personal lives of tens of thousands of families. Under the partnerships that would be made possible by the Act, public authorities and companies would be able to abundantly share risk analyses, blacklists and many other types of data, suspicions and signals about citizens. The Dutch Data Protection Authority advised the Senate in November 2021 not to pass the law, stating that the proposal could lead to "Kafkaesque situations for large numbers of people".

The civil society coalition against SyRI consists of the Dutch Civil Rights Platform (Platform Bescherming Burgerrechten), the Dutch Lawyers Committee for Human Rights (NJCM), Dutch trade union FNV, the Dutch National Clients Council, Privacy First, the KDVP Foundation and authors Maxim Februari and Tommy Wieringa.

Download the recent letter by the coalition to the Dutch Senate HERE (pdf in Dutch).

Source: https://bijvoorbaatverdacht.nl/syri-coalitie-eerste-kamer-moet-datasurveillancewet-super-syri-afwijzen/, 15 February 2022.

Published in Law & Politics

A Dutch court has ruled on appeal in the summary proceedings brought by Privacy First concerning the Ultimate Beneficial Owners (UBO) register. Like the preliminary relief court, the Court of Appeal of The Hague unfortunately rejected Privacy First’s claims.

The court in preliminary relief proceedings earlier confirmed that there is every reason to doubt the legal validity of the European money laundering directives that form the basis for the UBO register. The judge ruled that it cannot be precluded that the highest European court, the Court of Justice of the EU (CJEU), will conclude that the public nature of the UBO register is not in line with the principle of proportionality. The ruling of the CJEU is expected in mid-2022.

Existing legal entities in the Netherlands do not have to register their UBOs until 27 March 2022. This is different for new legal entities: these have to register their UBOs immediately. The Court of Appeal of The Hague deems it unlikely that these UBOs will suffer serious damage in the short term and points out that UBOs fearing to be at risk from the disclosure of personal data can immediately shield these data from the general public. Dutch law provides for this possibility. The Hague Court of Appeal called this ‘a simple way to prevent UBO data from becoming or remaining public’. UBOs can apply to the Trade Register for shielding. As long as such applications are pending, UBO data will actually be protected. Now that the Court of Appeal has so emphatically pointed out this possibility, it is expected that many UBOs will follow this route.

‘The solution must come from the highest European court, the Court of Justice of the EU’, comments Privacy First’s attorney, Otto Volgenant of Boekx Attorneys. ‘It will rule on this in mid-2022. I expect that the Court will mark the end of the open nature of the UBO register. Thus far hardly any data have been entered into the register and I advise everyone to just wait as long as possible. The Dutch government has arbitrarily chosen a date by which UBOs must provide their data, namely 27 March 2022. It would be wise to postpone that end date by a few months until after the CJEU has provided clarity. That would prevent a lot of trouble and unnecessary costs.’

The judgment (in Dutch) of the district court in preliminary relief proceedings can be found here:
http://deeplink.rechtspraak.nl/uitspraak?id=ECLI:NL:RBDHA:2021:2457  
while the judgment (in Dutch) of the Court of Appeal can be found here:
http://deeplink.rechtspraak.nl/uitspraak?id=ECLI:NL:GHDHA:2021:2176

Update 14 April 2022: further legal action by Privacy First against the UBO register may follow in mid-2022, depending on the outcome of similar Luxembourg lawsuits at the EU Court. Recently, Dutch Parliament passed a motion that until the ruling of the EU Court no fines should be imposed on organizations that have not yet registered their UBOs. It also seems that the UBO registration obligation of foundations and associations will not be enforced for the time being. Privacy First closely follows these developments and tries to have a positive influence on them as much as possible.

Published in Litigation

Despite an urgent call by Privacy First to the Dutch House of Representatives to block the coronavirus entry pass, the introduction of this pass throughout The Netherlands as of 25 September 2021 unfortunately seems to be a reality. Privacy First expects that this will lead to division of Dutch society, exclusion of vulnerable groups, discrimination and violation of everyone’s right to privacy. Moreover, the introduction of this pass leads to vaccination coercion, which violates everyone’s right to dispose freely of their own body. This is incompatible with the right to physical integrity and self-determination and fuels the undermining of our trust in the democratic rule of law, in which these fundamental rights are enshrined.

With massive encroachment and violation of human rights looming, it is up to the courts to intervene and correct the government. In line with our statutory objective to take action in the public interest, the current lawsuit by Dutch attorney Bart Maes and others to stop the coronavirus entry pass therefore has our full support. Privacy First would like to emphasize that this is not a statement against vaccination (on the contrary), but that it is crucial to fully respect and protect everyone’s human rights, especially in these times. Critical voices should be taken seriously and not be dismissed on emotional grounds. In both the short and the long term, this is the best guarantee for an open, free and healthy society.

Published in Law & Politics

Today, Privacy First sent the following plea to the Dutch House of Representatives: 

Dear Members of Parliament, 

It is with great disapproval that the Privacy First Foundation has taken note of the planned introduction of coronavirus entry passes for bars and restaurants, events and cultural institutions. This will lead to a division in society, exclusion of vulnerable groups and a massive violation of everyone’s right to privacy. Below, Privacy First will briefly explain this.

Serious violation of fundamental rights

The coronavirus entry pass (‘corona pass’) constitutes a serious infringement of numerous fundamental human rights, including the right to privacy, physical self-determination, bodily integrity and freedom of movement in conjunction with other classic human rights such as the right to participate in cultural life and various children’s rights such as the right to recreation. Any curtailment of these rights must be strictly necessary, proportionate and effective. In the case of the corona pass, however, this has not been demonstrated to date and the required necessity is simply being assumed in the public interest. More privacy-friendly alternatives to reopen and normalize society seem never to have been seriously considered. For these reasons alone, the corona pass cannot pass the human rights test and should therefore be repealed. In this context, Privacy First would also like to remind you of countries such as England, Belgium and Denmark where a similar pass was deliberately not introduced, or has been done way with not long after its introduction. In the Netherlands, there has been a great lack of support in recent days for the corona pas and many thousands of entrepreneurs have already let it be known that they will not cooperate. Privacy First therefore expects that the introduction of the corona pass will lead to massive civil disobedience and successful lawsuits against the Dutch government.

Social exclusion

The introduction of the corona pass violates the general prohibition of discrimination, as it introduces a broad social distinction based on medical status. This puts a strain on social life and may lead to widespread inequality, stigmatization, social segregation and even possible tensions, as large groups in society will not (or not systematically) want to, or will not be able to get tested or vaccinated (for a variety of reasons), or obtain a digital test or vaccination certificate. During our National Privacy Conference in early 2021, Privacy First already took the position that the introduction of a mandatory ‘corona passport’ would have a socially disruptive effect.[1] On that occasion, the Dutch Data Protection Authority, among others, explicitly took a stand against the introduction of such a passport. The aforementioned social risks apply all the more strongly to the vaccination coercion that is caused by the introduction of the corona pass. In this regard, Privacy First would like to remind you of the fact that both your House of Representatives and the Parliamentary Assembly of the Council of Europe have expressed their opposition to a direct or indirect vaccination requirement.[2] In addition, the corona pass will have the potential to set precedent for other medical conditions and other sectors of society, putting pressure on a much wider range of socio-economic human rights. For these reasons, Privacy First calls on you to block the introduction of the corona pass.

Multiple privacy violations

From the perspective of the right to privacy, there are a number of yet other specific concerns and questions. First of all, the corona pass introduces a mandatory ‘health proof’ for participation in a large part of social life, in flagrant violation of the right to privacy and the protection of personal data. Through the mandatory display of an ID card in addition to the corona pass, an entirely new identification requirement is created in public places. The existing anonymity in the public space is thus removed, with all the dangers and risks that this entails. Moreover, this new identification requirement raises questions about the capacities of entrepreneurs to determine the identity of a person and to assess the state of health by means of the corona pass.

Moreover, the underlying legislation results in the inconsistent application of existing legislation with regard to the same act, i.e. testing, with far-reaching consequences on the one hand for an important attainment such as medical confidentiality and the public’s trust in that confidentiality, and on the other for the practical implementation of retention periods of the test results while the processing of these results does not change. After all, it is not the result of the test that should determine whether the registration of the testing falls under the Dutch Medical Treatment Agreement Act (‘Wgbo’, which requires medical confidentiality and a 20-year retention period) or the Dutch Public Health Act (‘Wpg’, which requires a 5-year retention period), but the act of testing itself. Besides, it is questionable why a connection was sought with the Wpg and/or Wgbo now that it is about obtaining a certificate for participation in society and it does not concern medical treatment (Wgbo) or public health tasks for that purpose. The only ground for processing personal data for the purpose of ascertaining the presence of the coronavirus and for breaching medical confidentiality, should be consent. However, in this case there cannot be the legally required freely given consent, since testing and vaccination will be a mandatory condition for participation in society.

Privacy requires clarity

Many other things are and remain unclear: what data will be stored, where, by whom and in which systems? To what extent will there be an international and European exchange of such data? Which parties with which purposes will have access to or will copy the data, or put these in huge new national databases together with our health data? Will we have constant personal localization and identification, or only occasional verification and authentication? Why can test results be kept for an unnecessarily long time? How great are the risks of hacking, data breaches, fraud and forgery? To what extent have decentralized, privacy-friendly technologies and privacy by design, open source software, data minimization and anonymization seriously been considered? How long will test certificates remain free of charge? Is work already underway to introduce an ‘alternative digital medium’ to the Dutch CoronaCheck app, namely a chip (card), with all the objections and risks that entails? Why has there been no independent Privacy Impact Assessment (PIA)? How many more times must the country accept emergency laws to close privacy leaks, when our overburdened and understaffed Data Protection Authority is already noting that there is no legal basis for the processing of the data concerned? How will unforeseen uses and abuses, function creep and profiling be prevented, and how is privacy oversight arranged? Will non-digital, paper alternatives remain available at all times? Why is the ‘yellow booklet’ not accepted as a privacy-friendly alternative, as it is in other countries? What happens with the test material – i.e. everyone’s DNA – at the various testing sites? And when will the corona pass be abolished? In other words, to what extent is this actually a ‘temporary’ measure?

In the view of Privacy First, the introduction of the corona pass will lead merely to an impractical burden on entrepreneurs, innumerable deficiencies and destruction of capital for society. Privacy First therefore requests that the members of the House of Representatives block the introduction of the corona pass. Failing to do so, Privacy First reserves the right to have the legislation introducing the corona pass reviewed against international and European law and declared inoperative by the courts. Preparations for such legal proceedings by us and many others are already underway.

Yours sincerely,

Privacy First Foundation 

[1] See National Privacy Conference 28 January 2021, https://youtu.be/asEX1jy4Tv0?t=9378, starting at 2h 36 min 18 sec.
[2] See Council of Europe, Parliamentary Assembly, Resolution 2361 (2021): Covid-19 vaccines: ethical, legal and practical considerations, https://pace.coe.int/en/files/29004/html, par. 7.3.1-7.3.2: ‘‘Ensure that citizens are informed that the vaccination is NOT mandatory and that no one is politically, socially, or otherwise pressured to get themselves vaccinated, if they do not wish to do so themselves; ensure that no one is discriminated against for not having been vaccinated, due to possible health risks or not wanting to be vaccinated.’’ See also, inter alia, Dutch House of Representatives, Motion by Member Azarkan on no corona vaccination requirement (28 October 2020), House of Representatives, 25295-676, https://zoek.officielebekendmakingen.nl/kst-25295-676.html: ‘‘The House of Representatives (...) expresses that there should never be a direct or indirect corona vaccination obligation in the future’’; Motion by Member Azarkan on access to public benefits for all regardless of vaccination or testing status (5 January 2021), House of Representatives 25295-864, https://zoek.officielebekendmakingen.nl/kst-25295-864.html: "The House of Representatives (...) requests the government to allow access to public benefits for all regardless of vaccination or testing status."


An earlier, similar version of this commentary appeared as early as March 2021: https://www.privacyfirst.eu/focus-areas/law-and-politics/695-privacy-first-position-concerning-the-dutch-draft-bill-on-covid-19-test-certificates.html.

Published in Law & Politics

The controversial and compulsory inclusion of fingerprints in passports has been in place in the EU since 2009. From that year on, fingerprints were also included in Dutch identity cards, even though under EU law there was no such obligation. While the inclusion of fingerprints in identity cards in the Netherlands was reversed in January 2014 due to privacy concerns, there is now new European legislation that will make the inclusion of fingerprints in identity cards compulsory as of August 2, 2021.

Dutch citizens can apply for a new identity card without fingerprints until August 2. After that, only people can do so who are ‘temporarily or permanently unable physically to have fingerprints taken’.

The Dutch Senate is expected to debate and vote on the amendment of the Dutch Passport Act in connection with the reintroduction of fingerprints in Dutch identity cards on July 13. In that context, Privacy First sent the following email to the Dutch Senate yesterday:


Dear Members of Parliament,

Since Privacy First was founded in 2008, we have opposed the mandatory collection of fingerprints for passports and identity cards. Since the introduction of the new Passport Act in 2009, Privacy First has done so through lawsuits, campaigns, freedom of information requests, political lobbying and by activating the media. Despite the subsequent Dutch discontinuation of the (planned) central storage of fingerprints in both national and municipal databases in 2011, everyone’s fingerprints are still taken when applying for a passport, and soon (as a result of the new European Regulation on ID cards) again for Dutch ID cards after this was retracted in 2014.

To date, however, the millions of fingerprints taken from virtually the entire adult population in the Netherlands have hardly been used in practice, as the biometric technology had already proven to be unsound and unworkable in 2009. The compulsory collection of everyone’s fingerprints under the Dutch Passport Act therefore still constitutes the most massive and longest-lasting privacy violation that the Netherlands has ever known.

Having read the current report of the Senate on the amendment of the Passport Act to reintroduce fingerprints in ID cards, Privacy First hereby draws your attention to the following concerns. In this context, we ask you to vote against the amendment of the law, in contravention of European policy. After all:

  1. As early as May 2016, the Dutch Council of State (Raad van State) ruled that fingerprints in Dutch identity cards violated the right to privacy due to a lack of necessity and proportionality, see https://www.raadvanstate.nl/pers/persberichten/tekst-persbericht.html?id=956 (in Dutch).
  2. Freedom of information requests from Privacy First have revealed that the phenomenon to be tackled (look-alike fraud with passports and identity cards) is so small in scale that the compulsory collection of everyone’s fingerprints is completely disproportionate and therefore unlawful. See: https://www.privacyfirst.nl/rechtszaken-1/wob-procedures/item/524-onthullende-cijfers-over-look-alike-fraude-met-nederlandse-reisdocumenten.html.
  3. In recent years, fingerprints in passports and identity cards have had a biometric error rate as high as 30%, see https://zoek.officielebekendmakingen.nl/kst-32317-163.html (Dutch State Secretary Teeven, January 31, 2013). Before that, Minister Donner (Security & Justice) admitted an error rate of 21-25%: see https://zoek.officielebekendmakingen.nl/kst-25764-47.html (April 27, 2011). How high are these error rates today?
  4. Partly because of the high error rates mentioned above, fingerprints in passports and ID cards are virtually not used to date, either domestically, at borders or at airports.
  5. Because of these high error percentages, former Dutch State Secretary Bijleveld (Interior and Kingdom Relations) instructed all Dutch municipalities as early as September 2009 to (in principle) refrain from conducting biometric fingerprint verifications when issuing passports and identity cards. After all, in the event of a ‘mismatch’, the ID document concerned would have to be returned to the passport manufacturer, which would lead to rapid societal disruption if the numbers were high. In this respect, the Ministry of the Interior and Kingdom Relations was also concerned about large-scale unrest and even possible violence at municipal counters. These concerns and the instruction of State Secretary Bijleveld still apply today.
  6. Since 2016, several individual Dutch lawsuits are still pending at the European Court of Human Rights in Strasbourg, challenging the mandatory issuing of fingerprints for passports and ID cards on the grounds of violation of Art. 8 ECHR (right to privacy).
  7. In any case, an exception should be negotiated for people who, for whatever reason, do not wish to give their fingerprints (biometric conscientious objectors, Art. 9 ECHR).
  8. Partly for the above reasons, fingerprints have not been taken for the Dutch identity card since January 2014. It is up to your Chamber to maintain this status quo and also to push for the abolition of fingerprints for passports.

For background information, see the report ‘Happy Landings' by the Scientific Council for Government Policy (WRR) that Privacy First director Vincent Böhre wrote in 2010. Partly as a result of this critical report (and the large-scale lawsuit brought by Privacy First et al. against the Passport Act), the decentralized (municipal) storage of fingerprints was largely abolished in 2011 and the planned central storage of fingerprints was halted.

For further information or questions regarding the above, Privacy First can be reached at any time.

Yours sincerely,

The Privacy First Foundation

Published in Law & Politics
Page 1 of 4

Our Partners

logo Voys Privacyfirst
logo greenhost
logo platfrm
logo AKBA
logo boekx
logo brandeis
 
 
 
banner ned 1024px1
logo demomedia
 
 
 
 
 
Pro Bono Connect logo
privacy coalitie deelnemer

Follow us on Twitter

twitter icon

Follow our RSS-feed

rss icon

Follow us on LinkedIn

linked in icon

Follow us on Facebook

facebook icon