PC World (USA), 12 January 2015: 'Dutch government sued over data retention law'
"The Dutch data retention law will have its day in court on Feb. 18, when the District Court of the Hague hears a legal challenge to it filed by a broad coalition of organizations.
The law requires telecommunications and Internet companies to retain their customer's location and traffic metadata for six to 12 months, depending on the type of data, for investigatory purposes.
However, the complainants want the court to invalidate the law because it violates fundamental privacy rights, said their law firm Boekx Advocaten. The main reason the law should be scrapped, they say, is a ruling from the Court of Justice of the European Union (CJEU) last year, which invalidated the EU's Data Retention Directive on which the Dutch law is based because it violates fundamental privacy rights.
After evaluating that ruling, though, the Dutch government decided in November largely to maintain the national data retention law on the grounds that it "is indispensable for the investigation and prosecution of serious criminal offenses." Only a few adjustments to the law were deemed necessary, mainly tightening who has access to the data and under which circumstances.
By maintaining the law, the government also ignored the advice given by the Council of State, a constitutional advisory body that concluded that the Dutch data retention law should be withdrawn because it violates fundamental privacy laws.
The challenge, filed by civil rights organization Privacy First, the Dutch Association of Criminal Defense Lawyers, the Dutch Association of Journalists, the Dutch Section of the International Commission of Jurists, ISP BIT and telecom companies VOYS and SpeakUp, aims to get the law invalidated as soon as possible.
Data retention laws in other EU countries have been ruled unconstitutional. The Constitutional Court of Austria for instance axed the local data retention law in the wake of the CJEU ruling, and in Germany the local data retention law was already ruled unconstitutional in 2010, long before the CJEU ruling.
In Sweden though things are much the same as in the Netherlands. There, the government maintains that the Swedish national legislation can still be applied, causing trouble for Swedish ISP Bahnhof, which had stopped retaining and deleted data after being given permission by the Swedish Post and Telecom Authority (PTS) to do so in wake of the CJEU ruling.
However, Bahnhof was told to start retaining data again later last year. To protect its customers, the ISP has set up a free VPN (virtual private network) service to hide their communication metadata from the police. It also asked to the European Commission to intervene and vowed to fight the law in court.
Meanwhile, the European Parliament's Legal Service also reached a conclusion about the CJEU ruling. It means that EU countries no longer have any obligation but rather an option to keep retaining data, it said in its analysis of the implications of the judgement that was leaked by digital rights group Access Now last week.
As a result of the CJEU ruling, countries run an even higher risk than before of having their national legislation annulled by national courts in a similar way to what has happened in some EU countries, the Legal Service said. (...)"
Source: http://www.pcworld.com/article/2867792/dutch-government-sued-over-data-retention-law.html, 12 January 2015.
Interim Injunction Proceedings Against Dutch Data Retention Act
A broad coalition of organizations and companies is starting interim injunction proceedings against the Dutch government. The Privacy First Foundation, internet provider BIT, the Dutch Association of Journalists and the Dutch Association of Defence Counsel among others are demanding the abolition of the Dutch Telecommunications Data Retention Act. The Dutch Council of State and the European Court of Justice have already ruled that the Act is in violation of fundamental rights that protect private life, communications and personal data. However, the Dutch government refuses to render the Telecommunications Data Retention Act inoperative.
On 8 April 2014 the European Court of Justice declared the European Data Retention Directive (2006/24/EC) invalid with retroactive effect. According to the Court, retaining communications data of everyone without any concrete suspicion is in violation of the fundamental right to privacy. Objective criteria should be applied to determine the necessity of collection and retention of data and there should be prior control from an independent body or judge. Randomly and unrestrictedly collecting metadata (traffic data) in the context of 'mass surveillance' is not permitted, according to the Court.
In the Netherlands, regulations in this area are enshrined in the Dutch Telecommunications Data Retention Act, which largely mirrors the European Data Retention Directive. The Act provides that telecommunications companies and internet providers have to retain various data regarding internet and telephone usage for at least six and at most twelve months in order for judicial authorities to be able to use those data for criminal investigation purposes. Recently the Dutch Council of State ('Raad van State') judged that the Act does not comply with fundamental rights that protect private life, communications and personal data. However, the Dutch government does not heed the advice of the Council of State and refuses to repeal the Act. Compliance with the Act will be maintained by the government.
Vincent Böhre of Privacy First: "Mass surveillance constitutes a massive violation of citizens' privacy rights. It is unacceptable that the Dutch government clings to this practice after the highest European judge has already clearly stated back in April that this privacy violation is not permitted."
Thomas Bruning, Secretary of the Dutch Association of Journalists: "Telecommunications companies and internet providers are now obliged to retain a vast amount of communications data of all citizens. This includes journalists. Companies have to disclose these data at the request of the government. There is no guarantee whatsoever for the journalistic right of non-disclosure."
"The Dutch regulations are in breach of the applicable European fundamental rights", states Fulco Blokhuis, partner at Boekx Attorneys, who has meanwhile drafted a subpoena. "This situation is as disconcerting as it is undesirable. Maintaining this Act is unlawful, both towards citizens as well as companies who are forced to stay in possession of traffic data."
Alex Bik of internet provider BIT: "When the Dutch government introduced the Act, it hid behind the argument that the introduction was simply imposed upon by Europe, but since the European Data Retention Directive has been repealed with retroactive effect, this argument all of a sudden is no longer deemed valid by the government. That is not right."
Otto Volgenant of Boekx Attorneys: "As the Dutch Minister of Security and Justice, Ivo Opstelten, is unwilling to abolish the Telecommunications Data Retention Act, we will request the court to either render the Act inoperative or to prohibit its application any longer. We will shortly be issuing interim injunction proceedings."
Update 12 January 2015: the interim injunction proceedings against the Dutch government pertaining to the retention of telecommunications data will take place before the district court of The Hague in a public hearing on Wednesday 18 February 2015 at 11:00 hours. Meanwhile, the renowned Netherlands Committee of Jurists for Human Rights (NJCM) has joined the coalition of claimant organizations. Click 
HERE (pdf, in Dutch) for the subpoena, click HERE for a press release from Boekx Attorneys (in Dutch) and HERE for an article (in Dutch) which appeared on the website of Dutch newspaper Telegraaf this morning.
Update 30 January 2015: yesterday a hearing (roundtable) about the Dutch Data Retention Act took place in the Dutch House of Representatives. Click HERE for a schedule of the hearing (pdf) and HERE (pdf, in Dutch) for the talking points that Privacy First sent to the House of Representatives prior to the hearing (pdf). The lack of necessity and proportionality of the current Data Retention Act were the main topics that were discussed by Privacy First during the roundtable. Other aspects that were raised by Privacy First related to the chilling effect in society as well as the potential for function creep that the Act brings about.
Update 13 February 2015: today, on behalf of the State, the Dutch State Attorney submitted a Statement of Defence; click HERE (pdf in Dutch, 9 MB). The admissibility of the claimant organizations will not be challenged by the Dutch government, the State Attorney told our own attorneys by telephone. Therefore the proceedings will immediately focus on the merits of the case, rather than on procedural requirements. This is a breakthrough development: in similar cases the admissibility of the claimant parties was almost always contested by the State. A crucial lawsuit concerning such admissibility (our Passport Trial against the storage of fingerprints) is currently being conducted by Privacy First against the Dutch government before the Supreme Court of the Netherlands. Privacy First is of the opinion that the recognition of admissibility by the State Attorney in the interim injunction proceedings against the Telecommunications Data Retention Act puts Privacy First in a stronger position for this and future lawsuits that revolve around the right to privacy. Moreover, in times when access to justice of individual citizens in the Netherlands is increasingly under financial pressure, the admissibility of civil society organizations such as Privacy First forms an important safeguard for a well functioning Dutch democracy under the rule of law.
Update 18 February 2015: in front of a full courtroom (many civil servants, citizens, students and journalists were in attendance), today Privacy First et al. crossed swords with the State; click HERE for the plea of our attorneys (pdf in Dutch) and HERE for the pleadings of the State Attorney (pdf, in Dutch). The judge listened carefully but didn't ask any questions. As yet, Wednesday 11 March 2015 has been determined as the date of the judgment.
Update 11 March 2015: in a break-through verdict today, the district court of The Hague has rendered the Dutch Data Retention Act inoperative; click HERE.
Lexology (United Kingdom), 15 July 2014: 'Dutch government violated article 8 ECHR by requesting and saving personal data in central register'
"Recently, the Court of Appeal of The Hague held that the storage of Dutch citizens' personal data in a central register is an unjustified violation of the right to privacy.
In light of, amongst other things, the implementation of the European regulation on standards for security features and biometrics in passports and travel documents, and to comply with this regulation, the Dutch Passport Act was amended in 2009. This new Passport Act states that future passports would have to contain a chip with a digital facial image and two fingerprints of each applicant. The Dutch government therefore planned to create a central register to hold the facial image files and four fingerprints of each applicant (two of which are included in the passport for identity verification). This new register would also serve other purposes: it would help passport fraud control, and it would allow applicants to renew their passport in any municipality in the Netherlands. The national government acknowledged that the request and saving of these personal data would form a violation of the right to privacy of Dutch citizens, but the government stated that the data storage was proportionate and justified, considering the intended purposes.
The interest group Privacy First disagreed with the government. This group, which seeks to publicly promote the enhancement and preservation of the right to privacy, believed that the creation of this central register violates this fundamental right enshrined in several international laws and regulations. The group launched legal proceedings against the Dutch government. The district court of The Hague ruled that Privacy First did not have a cause of action. Privacy First then appealed against this verdict.
Remarkably, the government meanwhile reviewed their amendments to the new Passport Act. The government concluded that the storage of these personal data in a central register did not achieve its purpose, namely passport fraud control via one's identity verification. Therefore, the Act's provisions that related to the storage of personal data in a central register would be suspended. Furthermore, the number of fingerprints to be taken for the filing would be reduced from four to two in accordance with European regulation.
On appeal, the Court of Appeal ruled that since Privacy First and the government now share the same views about the central register, Privacy First would have lost its standing in their cause of actions, so it dismissed the interest group's claims. However, the Court of Appeal found that the district court had erred when it held that Privacy First did not have a cause of action at the time. Since Privacy First is an interest group advocating the protection of the general interest of Dutch nationals' right to privacy, it should have been able to bring proceedings before the civil court according to Article 3:305 of the Dutch Civil Code (Burgerlijk Wetboek). This would only have been different if the interest group had represented the combined interest of individuals. The Court of Appeal further ruled that Privacy First incurred a financial risk.
The Court of Appeal also ruled that in view of all the circumstances of the case at first instance, the district court should have ruled in favour of Privacy First concerning their arguments against the setting up of a central register. This central register's storage of Dutch citizens' personal data is an unjustified violation of one's right to privacy enshrined in Article 8 ECHR because it did not fulfill its purpose. The Court of Appeal understands that this was a violation from the start, but this had only become evident after the first ruling."
Source: http://www.lexology.com/library/detail.aspx?g=27bf8f03-ada9-47d4-ac7f-4e4aece29cd3, 15 July 2014.
District court of The Hague wide off the mark in Citizens v. Plasterk case
Today the district court of The Hague ruled in the case Citizens v. [Dutch Minister of Home Affairs] Plasterk ("Burgers tegen Plasterk"). In this lawsuit a coalition of citizens and organizations (including Privacy First) demands the Dutch General Intelligence and Security Service (AIVD) and the Dutch Military Intelligence and Security Service (MIVD) to put an end to the receipt and use (''laundering'') of illegally collected foreign intelligence on Dutch citizens, for example through the infamous PRISM program of the American NSA. Unfortunately the court has rejected all of the claims. Below are some first observations by Privacy First.
A positive aspect of the judgment is that the court deems all plaintiffs (citizens and organizations) admissible. This is a very welcome development for Privacy First with regard to our current Passport Trial before the Supreme Court of the Netherlands, wherein such admissibility will be crucial. However, this bright spot is overshadowed by the way the district court of The Hague has dealt with the merits of the case.
First of all, the court failed to carry out a fact-finding study: in fact no witnesses and experts were heard at all, even though this was offered to the court on forehand and Dutch law offers sufficient opportunity for this.
Furthermore, it is striking that the court deems less strict procedural safeguards necessary when it comes to the exchange of massive amounts of raw data in bulk. For the exchange of information on such a large scale, stricter – not less strict – procedural safeguards are necessary, as most of these data relate to innocent citizens.
In addition, the court wrongfully makes a distinction between metadata (traffic data) and the content of communications, while both types of data overlap and require the same high level of judicial protection.
The court is also wide off the mark by judging that the legal requirement of foreseeability (including privacy guarantees) of Article 8 of the European Convention on Human Rights (ECHR) would be less applicable to the international exchange of data between secret services. As yet, in the Netherlands the legal basis of such exchange of data is formed by a relatively obscure legal provision: Article 59 of the Dutch Intelligence and Security Services Act (Wiv). This article is far from fulfilling the modern requirements that article 8 ECHR imposes on such provisions. Therefore, the current practice of exchange between the AIVD/MIVD and foreign secret services in essence takes place within a legal vacuum, a legal black hole.
In the view of Privacy First, the current judgment of the Hague court comes down to the ''legal laundering'' of this practice. Privacy First expects that higher courts will deem this situation to be a violation of Article 8 ECHR and is looking forward to the appeal before the Hague Court of Appeals with confidence.
Read the whole judgment of the district court of The Hague HERE as well as the first comments by Privacy First's lawyers of Bureau Brandeis (both in Dutch only).
European Parliament wants cars to be fitted with spying device
Privacy First is considering taking legal steps.
Without any regard to all the privacy objections, this week the European Parliament has voted in favor of mandatory introduction of the eCall system in new cars. This system forms a direct threat to the privacy of every motorist. In case the European Council (i.e. a majority of EU Member States) approves the decision of the European Parliament, the eCall device will become mandatory in every car in Europe as of October 2015. Privacy First demands that eCall will become voluntary instead of mandatory and to this end is prepared to start a lawsuit if necessary.
In case of a road accident eCall automatically alerts the emergency services by calling 112. However, the eCall alarm system also leaves behind a trail of location data without the motorist having given his prior consent to this. It's an in-vehicle system that doesn't have an on/off button but does continuously leave behind traces (metadata) to the surrounding GSM networks. This constitutes a flagrant breach of the right to privacy and anonymity in public space. Moreover, the system could be used for purposes other than road safety only by organizations such as the police, insurance companies, tax authorities, intelligence services and possibly even criminals. There has hardly been any public debate about the possible introduction of eCall. Therefore the mandatory introduction is not only unlawful but also undemocratic. A few years ago the introduction of the electronic toll system with the accompanying 'spying device' was rejected by the Dutch in mass numbers. Now it seems they will be put up with a spying device in their cars via a European back door after all. This is unworthy of a democratic constitutional State such as the Netherlands.
The Privacy First Foundation intervenes as soon as the right to privacy is about to be violated on a massive scale. In case the eCall system will be mandatorily introduced in the Netherlands, Privacy First will start a lawsuit to turn this decision around. If needed, Privacy First is prepared to litigate all the way up to the European Court of Justice in Luxembourg and is confident about the outcome of any legal steps it may take.
ZDNet, 19 Feb. 2014: 'No, you can't store people's fingerprints in a central database, Dutch court rules'
"The Court of Justice in the Hague has ruled that fingerprints gathered from individuals getting a new passport can't be held centrally and used in criminal investigations.
Dutch authorities have been prevented from storing citizens' fingerprints in a central database following a ruling this week by the Court of Justice in the Hague.
In the Netherlands, individuals' fingerprints are gathered by the local municipality when they apply for a new passport. The government had proposed gathering those different sets of fingerprints into a central database, which could then be accessed by police for the purposes of matching fingerprints found in criminal investigations.
However, the system turned out to be far from perfect — 21 percent of fingerprints collected by the authorities in the Netherlands were unusable to identify individuals.
The court found such a high level unacceptable: "This can mean nothing other than the storage of fingerprints in a central register is not suitable for the purpose originally envisioned, that is, the determination and verification of one's identity.
"This means that it is also not suitable for the prevention of identity fraud or for the process of requesting a new travel document or using a travel document, which is one of the main purposes of the Act [the legislation which requires fingerprints in Dutch passports]. Therefore the conclusion is that the invasion of privacy formed by the central storage of fingerprints is unjustified."
No immediate effect
Although the ruling is a significant victory for Privacy First, the privacy group that brought the case before the Court of Justice, it won't have immediate consequences for the Dutch government.
The European Court of Justice had already ruled in October last year that the directive requiring European member states to include two fingerprints in their passports did not provide a legal basis for then also including all citizens' prints in a central repository.
In addition, the court stipulated that fingerprints given by individuals for such purposes could not to be used for criminal investigations.
(...)
However, according to Christiaan Alberdingk Thijm, the lawyer representing Privacy First, the ruling will have a bearing on any future government attempts to collect sensitive data, such as photos.
"This is not only good news for those opposing plans of a central fingerprint database, but for those opposing any central government owned database," he said."
Source: http://www.zdnet.com/no-you-cant-store-peoples-fingerprints-in-a-central-database-dutch-court-rules-7000026505/, 19 February 2014.
Hague Court of Appeal: central storage of fingerprints unlawful
In a groundbreaking judgment, the Hague Court of Appeal has today decided that centralised storage of fingerprints under the Dutch Passport Act is unlawful. The Privacy First Foundation and 19 co-plaintiffs (Dutch citizens) had put forward this legal issue to the Court of Appeal in a so-called 'action of general interest' ("algemeen-belangactie"). In February 2011, the district court of The Hague had declared Privacy First inadmissible. Because of this, the district court couldn't address the merits of the case. The Court of Appeal has now declared Privacy First to be admissible after all and has quashed the judgment of the district court. Moreover, the Appeals Court deems centralised storage of fingerprints under the Dutch Passport Act to be unlawful since it violates the right to privacy. Therefore it seems that centralised storage of fingerprints under the Dutch Passport Act will be shelved once and for all.
In May 2010, Privacy First et al. took the Dutch government (Ministry of Home Affairs) to court on account of the centralised storage of fingerprints under the new Dutch Passport Act. Such storage had mainly been intended to prevent small-scale identity fraud with Dutch passports (look-alike fraud).
Partly due to the pressure exerted by this lawsuit of Privacy First, central storage of fingerprints was brought to a halt in the Summer of 2011. The judgment by the Hague Court of Appeal has now made any future centralised storage of fingerprints legally impossible: the Court deems centralised storage of fingerprints an "inappropriate means" to prevent identity fraud with travel documents. According to the Court "this cannot but lead to the conclusion that the infringement upon the right to privacy caused by centralised storage of fingerprints is not justified. In that regard the district court should have awarded the claim of Privacy First." (Para. 4.4.)
This is a great victory for Privacy First and for all the citizens who have stood up against centralised storage of fingerprints under the Dutch Passport Act in recent years. The judgment by the Court also paves the way for Privacy First (and other civil society organizations) to continue to initiate lawsuits in the general interest for the preservation and promotion of the right to privacy, for example the new lawsuit by Privacy First et al. against the Dutch government on account of illegal data espionage (NSA case). Recently the Dutch State Attorney deemed Privacy First to be admissible in this case too. These developments are a great impetus for Privacy First to continue to take legal steps in the coming years for the sake of everyone's right to privacy.
Read the entire judgment by the Hague Court of Appeal HERE (pdf in Dutch; for a text-version on the website of the Netherlands Judiciary, click HERE).
Click HERE for the press release by our attorneys of Bureau Brandeis.
Update 21 May 2014: the Dutch government appears to be a sore loser: earlier this week the State Attorney has lodged an appeal (in Dutch: 'cassatie') against the ruling of the Hague Court of Appeal at the Supreme Court of the Netherlands; click HERE (pdf in Dutch) for the appeal summons. The Dutch government wants Privacy First to be declared inadmissible after all and calls on the Supreme Court to still declare central storage of fingerprints lawful. This must not happen. Privacy First is considering its options in its own defence.
Update 21 November 2014: today Privacy First et al. have submitted to the Supreme Court their statement of defence against the appeal summons; click HERE for the document (pdf in Dutch). In the appeal, Privacy First et al. are being represented by Alt Kam Boer Attorneys in The Hague; this law-office is specialised in Supreme Court litigation. On behalf of the Dutch government (Ministry of Home Affairs) the State Attorney has today submitted a written explanation to the previous appeal summons; click HERE (pdf in Dutch). The next steps could consist of a written reply and rejoinder, followed by advice (''conclusion'') from the Procurator General at the Supreme Court (to which Privacy First et al. would be able to respond) and a judgment by the Supreme Court midway through 2015.
Update 5 December 2014: today Privacy First et al. have delivered an early Christmas present to the Dutch Minister of Home Affairs: our written reply (rejoinder) to the recent explanation of the Ministry of Home Affairs to the previous appeal summons. Click HERE for the document (pdf in Dutch). The Dutch government, in turn, submitted a short reply to the recent statement of defence by Privacy First et al.; click HERE (pdf in Dutch). On 9 January 2015 the Supreme Court will set a date on which the Procurator General will issue his advice.
Update 12 January 2015: the Procurator General at the Supreme Court will issue his advice ("conclusion") on 10 April 2015.
Update 12 March 2015: Much earlier than expected, Advocate General Mr. Jaap Spier delivered his advice (''conclusion'') in the case to the Supreme Court on 20 February 2015; click HERE
(pdf in Dutch, 7 MB). Its conservative contents and tone are notable aspects of his advice. Furthermore, the Advocate General wrongfully assumes that the contested provisions of the Dutch Passport Act had never become legislation. While he upholds Privacy First's admissibility, he does so on the wrong legal grounds. Moreover, the Advocate General does not touch on the substance of the privacy issues at all, is incorrect in his view that proceedings could have taken place before an administrative judge and, erroneously, wants Privacy First et al. to still pay for the legal costs of the proceedings. In response to the advice of the Advocate General, within the formal term of two weeks Privacy First submitted a response letter ("Borgers brief") to the Supreme Court; click HERE (pdf in Dutch). No such letter has been submitted by the Dutch State Attorney. Therefore, Privacy First has had the final say in this case. We will now have to wait for the Supreme Court ruling, which is expected later this year.
Lawsuit against the Dutch government on account of illegal data espionage
By now basically everyone is aware of the far-reaching eavesdropping practices by the American National Security Agency (NSA). For years the NSA has been secretly eavesdropping on millions of people around the world, varying from ordinary citizens to journalists, politicians, attorneys, judges, scientists, CEOs, diplomats and even presidents and heads of State. In doing so, the NSA has completely ignored the territorial borders and laws of other countries, as we have learned from the revelations by Edward Snowden in the PRISM scandal. Instead of calling the Americans to order, secret services in other countries appear to be all too eager to make use of the intelligence that the NSA has unlawfully obtained. In this way national, European and international legislation that should safeguard citizens against such practices is being violated in two ways: on the one hand by foreign secret services such as the NSA that collect intelligence unlawfully, and on the other hand by secret services in other countries that subsequently use this intelligence. This constitutes an immediate threat to everyone’s privacy and to the proper functioning of every democratic constitutional State. This is also the case in the Netherlands, where neither the national Parliament nor the responsible minister (Mr. Ronald Plasterk, Home Affairs) has so far taken appropriate action. This situation cannot continue any longer. Therefore a national coalition of Dutch citizens and organizations (including the Privacy First Foundation) has today decided to take the Dutch government to court and demand that the inflow and use of illegal foreign intelligence on Dutch soil is instantly brought to a halt. Furthermore, the coalition demands that the Dutch government notifies all citizens whose personal data have been illegally obtained. These data must also be deleted.
These legal proceedings by the Privacy First Foundation primarily serve the general interest and aim to restore the right to privacy of every citizen in the Netherlands. The lawsuit is conducted by bureau Brandeis; this law firm also represents Privacy First and 19 co-plaintiffs (Dutch citizens) in our Passport Trial against the Dutch government. Privacy First is confident it will soon have positive outcomes in both of these cases.
Click HERE to read the subpoena as it was presented to minister Plasterk today. (Dutch only)
Apart from Privacy First, the coalition of plaintiff parties consists of the following organizations and citizens:
- The Dutch Association of Defence Counsel (Nederlandse Vereniging van Strafrechtadvocaten, NVSA)
- The Dutch Association of Journalists (Nederlandse Vereniging van Journalisten, NVJ)
- The Dutch chapter of the Internet Society (ISOC.nl)
- Jeroen van Beek
- Rop Gonggrijp
- Bart Nooitgedagt (represented by the NVSA)
- Matthieu Paapst (represented by ISOC.nl)
- Brenno de Winter (represented by the NVJ).
Update 5 February 2014: today the Dutch government (Ministries of Home Affairs and Defence) has responded to the subpoena in a comprehensive statement of defence; click HERE for the entire document (pdf; MIRROR) and HERE for the press release by our attorneys of bureau Brandeis (in Dutch). It is remarkable that the State Attorney only deems the Privacy First Foundation admissible (see p. 31). This means that Privacy First is only one step away from standing before the judges of the district court of The Hague. This development is also of great importance for our Passport Trial, in which that same court at an earlier stage deemed Privacy First et al. inadmissible. The Hague Court of Appeal is currently looking into this legal issue once more. In the point of view of Privacy First, the court should declare all plaintiffs (citizens and organizations) admissible in both the court case concerning the NSA as well as our lawsuit regarding the Dutch biometric passport.
Privacy First nominations for the Dutch Big Brother Awards
At the end of this summer our colleagues from Bits of Freedom will once again be organizing the annual Big Brother Awards. Below are our nominations for the biggest Dutch privacy violations of the past year:
- Automatic Number Plate Recognition plans from Minister Opstelten
If it’s up to the Dutch Minister of Security and Justice, Ivo Opstelten, the travels of every motorist in the Netherlands will soon be stored in a police database for four weeks through automatic number plate recognition (ANPR) for criminal investigation and prosecution purposes. This means that, in the view of Mr. Opstelten, every motorist is a potential criminal. Privacy First deems this proposal absolutely disproportional and therefore in breach with the right to privacy as stipulated under Article 8 of the European Convention on Human Rights. In case Dutch Parliament accepts this legislative proposal, Privacy First will summon the - Proposal for hacking scheme from Minister Opstelten
A second miserable plan from Minister Ivo Opstelten is to authorize the Dutch police force to hack into your computer and to oblige citizens to decrypt their encrypted files for the police. In the view of Privacy First this plan, too, is entirely in breach with the right to privacy, since it’s unnecessary and disproportional. Moreover, the proposal contravenes with the ban on self-incrimination (nemo tenetur). The proposal will lay the basis for future abuse of power and forms a typical building block for a police State instead of a democratic constitutional State. For our main objections, see http://www.privacyfirst.eu/focus-areas/law-and-politics/item/599-privacy-first-objections-against-opstelten-hacking-scheme.html. - License plate parking
As of late, in an ever greater number of Dutch cities (among which - Highway section controls
Section speed checks on Dutch highways make that the journeys of motorists are continuously being monitored. This forms a massive infringement of the right to privacy. Such an infringement requires a specific legal basis with guarantees against abuse. Moreover, function creep is just around the corner; this already becomes obvious from the current plans of Dutch Minister Opstelten to soon use all highway speed cameras for automatic number plate recognition (ANPR) for investigation and prosecution purposes of a whole range of criminal offences as well as the collection of outstanding fines, tax debts, etc. - Drones
Besides the ‘usual’ cameras in neighbourhoods, shops, stations, above highways etc., citizens are increasingly – and almost unnoticed – being spied upon by flying cameras: so-called drones. The government does this (mainly the police) and so are private parties, yet without any sufficient legislation. Because of this the privacy risks and the likelihood of an accident are enormous. Privacy First therefore pleas for a moratorium on the use of drones until proper national legislation is put in place. Furthermore, drones should only be allowed to be used by the government in exceptional cases, for instance in disaster situations or for the investigation of suspects of very serious crimes, and only in case no other adequate means can be deployed. For private parties a license system is to be introduced with strict supervision and enforcement. Moreover, every drone is to be equipped with a transponder that is publically cognizable. - Police Taser weapons
In September 2012 it became known that Dutch Minister Opstelten was planning to equip the entire Dutch police force with Taser weapons. In the view of Privacy First, the use of Taser weapons can easily lead to violations of the international ban on torture and the related right to physical integrity (which is part of the right to privacy). Taser weapons lower the threshold for police violence and hardly leave behind any external scars. At the same time they can inflict serious physical damage and mental harm. In conjunction with the current lack of firearms training for Dutch police officers, this produces serious risks for the Dutch population. In May 2013 the Dutch government had to justify itself over Opstelten’s plans in front of the UN Committee against Torture in Geneva; see http://www.privacyfirst.eu/focus-areas/law-and-politics/item/595-dutch-taser-weapons-on-agenda-of-un-committee-against-torture.html. Nevertheless, for the moment Opstelten’s intentions seem to be unchanged... - Electronic Health Record
In April 2011 the introduction of a Dutch national Electronic Health Record (Elektronisch Patiëntendossier, EPD) was unanimously binned by the Dutch Senate due to privacy objections and security risks. However, the national introduction of almost the same EPD was subsequently worked towards along a private route and this included the exchange of medical data through a National Switch Point (Landelijk Schakelpunt, LSP). This will by definition lead to 'function creep by design' instead of privacy by design. The digital ‘regional walls’ in and around the LSP will easily be circumvented or removed. Therefore the entire system can take on its old central form again at any given moment in the future, with all the privacy and security risks this entails. Furthermore, the current layout is characterized by generic instead of specific permission of the patient to share medical data with healthcare providers (and future third parties). This constitutes an imminent danger for the medical privacy of citizens as well as the professional confidentiality of medical specialists.
Input by Privacy First for the Dutch ‘State of Fundamental Rights’
The Dutch Ministry of the Interior is currently conducting an assessment of the fundamental rights situation in the Netherlands. Later this year this will probably result in a report called ‘De Staat van de Grondrechten’ (‘The State of Fundamental Rights’) and an accessory entitled ‘Nationaal Actieplan Mensenrechten’ (‘National Human Rights Action Plan’). In this context the Ministry recently requested input from several NGOs, among which Privacy First. Below is our advice:
Top 7 of issues that deserve a place in the State of Fundamental Rights and the National Human Rights Action Plan:
1. Active adherence to as well as protection, fulfilment and promotion of the right to privacy
Clarification: privacy is both a Dutch constitutional right as well as a universal human right. As with all human rights, the Dutch government accordingly has the obligation to 1) respect, 2) protect, 3) fulfil and 4) promote the right to privacy through proper legislation and policy. However, since '9/11' there have almost solely been made restrictions to the right to privacy, instead of enhancements of it. This constitutes a violation of the above-mentioned general duty to actively fulfil the right to privacy. The same goes for related rights and principles such as the presumption of innocence and the ban on self-incrimination (nemo tenetur).
2. Constitutional review
Clarification: the Netherlands is only familiar with constitutional ‘‘review’’ by civil servants and members of the Dutch House of Representatives when it comes to the development of new legislation. Unfortunately there is no Dutch Constitutional Court and, oddly enough, constitutional review of formal legislation by the judiciary is outlawed in the Netherlands. It is partly on account of this that the Dutch Constitution has become a dead letter over the last decades. It is therefore recommended to create a Constitutional Court as soon as possible and to abrogate the ban on constitutional review.
3. Collective legal means
Clarification: owing to a development of legal restrictions within the case law of the Dutch Supreme Court, over the last decades it has become increasingly difficult for foundations and associations to legally defend the social interests they advocate for through the collective right to action (Article 3:305a Dutch Civil Code and Article 1:2 paragraph 3 Dutch General Administrative Law Act, both links are in Dutch). Because of this the effective and efficient functioning of the Dutch constitutional State and legal economy have come under severe pressure. It is therefore recommended for the government to actively respect, protect and fulfil the collective right to action. For instance by no longer instructing the State attorney to plea for the inadmissability of foundations and associations in relevant lawsuits. Moreover, the ban on direct appeal against generally binding regulations (Article 8:3 Dutch General Administrative Law Act, in Dutch) is to be abrogated.
4. Voluntary instead of compulsory biometrics
Clarification: the premise in a healthy democracy under the Rule of Law should be that citizens may never be obliged to cede their unique physical characteristics (biometric personal data) to the government or the business sector. After all, this constitutes a violation of the right to privacy and physical integrity. Moreover, within companies, service providers, employers, etc. this leads to unfair trading practices. With the planned introduction of an ID card without fingerprints, in this area the Dutch government is taking a first step in the right direction. In line with this, we advise the Dutch government to plea at the European level for a passport with voluntary instead of compulsory taking of fingerprints.
5. Anonimity in public space
Clarification: the right to be able to travel anonymously and not to be spied upon has become increasingly illusory in recent years, especially through technological developments such as public transport chip cards, camera surveillance, cell phone tracking, etc. Both the government as well as the business sector are obliged to actively reinstate, protect and fulfil the right to privacy in terms of anonymity in public space through the introduction of public transport chip cards that are truly anonymous (privacy by design), the abrogation of camera surveillance unless strictly necessary, the development of privacy-friendly mobile telephony and apps, etc. For all the legislation and policies in this field, privacy, individual freedom of choice, necessity, proportionality and subsidiarity are to be leading principles.
6. Privacy by design
Clarification: all privacy-sensitive information technology is to comply with the highest standards of privacy by design. This can be achieved through the use of privacy enhancing technologies (PET), among which are state-of-the-art encryption and compartmentalization instead of centralization and the coupling of ICT. At the European level this is to become a strict legal duty for governments as well as the business sector, with active supervision and enforcement in this area.
7. Privacy education
Clarification: in terms of human rights education the Netherlands is threatening to become a third world country. In the long run this puts the continued existence of our democratic constitutional State at stake. It equally puts the right to privacy in danger. A privacy-friendly future begins with the youth of today. To that end privacy education is to become compulsory in primary, secondary and higher education. The government should play an active role in this.
