Online Privacy

Privacy First New Year’s column

Looking back on 2016, Privacy First perceives a renewed attack on our democratic constitutional State from within. Incident-driven politics based on the everyday humdrum prevails and the Dutch government’s frenzy efforts to control the masses is relentless, arrogant and driven by industry and political lobbying. The democratic principles of our constitutional State are being lost out of sight ever more while the reversion of legal principles has become commonplace. Every (potential) attack thus becomes an attack on our civil rights.

Current constitutional State unable to defend itself

Barely a single day has gone past in the current mediacracy and governors without any historical or cultural awareness hand us, our children and our future over to a new electronic dictatorship fenced off by 4G masts. Citizens who autonomously seek to inform themselves have become ‘populists that spread fake news’. It’s not just the government that has lost its way, but so have the mainstream media, so it seems. The model characterized by fear, hate and control adopted by many authoritarian states headed by a strong leader is increasingly seen as the way to go.

Privacy First has said it before but will reiterate: we are of the opinion that State terrorists who continuously change legislation restricting civil liberties are ultimately much more harmful to our society than a single ‘street terrorist’, however terrible and shocking an attack is for those directly involved. The galling thing is that our constitutional State cannot adequately defend itself against the erosion of democratic principles from within: among other things, there is a lack of independent review of our Constitution. Therefore we are very happy that the European Court of Justice has recently ruled all forms of trawl net technology unlawful in advance. A great verdict that has far-reaching consequences for the State terrorists among our politicians and civil servants. A clear line in the sand.

Our democratic constitutional State came into existence out of the 19th century way of thinking and will have to be reshaped through a public debate, provided this is done taking into account the basic principles of living together - a human experience that goes back thousands of years. Love, trust en freedom are fundamental pillars. Privacy First discerns a number of changes over the past 150 years to which our constitutional State has no adequate answer, if any answer at all. These changes will have to be integrated into a newly structured democratic constitutional State which will have to be partly parliamentary and partly shared. In other words: the democratic foundation is there, but will have to be adapted to the desires and developments of our time.

Towards a Shared Democracy: adjusting parliamentary democracy to our present time

Privacy First calls on (and challenges, if necessary) every Dutch citizen to participate in a broad public discussion in order to shape a democracy 3.0. After Athens (1.0) and our parliamentary democracy from the 19th century onwards (2.0), in our eyes it’s time for the concept of a Shared Democracy (3.0), which is both a disruptive way of thinking as well as a social model for which we identify seven big drivers that help adjust our current 19th century system. Privacy First notices that these seven drivers are currently undermining our model from the inside and the outside. But by thinking differently, one will find that these pillars also offer an opportunity to move towards a new form for the future: the so-called Shared Democracy.

1. Changing role of the media; towards a mediacracy

Originally, in the 19th century model, the media didn’t yet have the scale and level of outreach today’s media have. The influence of the media has become large to the extent it will have to be one of the pillars of the future Shared Democracy.

2. Changing role of citizens

The enormous financial and social emancipation, the elevated level of education and the individualization of citizens is currently leading to huge tensions in the democracy of parliamentary representation. As part of the old way of thinking, citizens are still regarded as an unassertive, inferior, necessary evil. However, citizens want to have decision-making power on numerous issues and this – supported by the newest technologies and means of communication - will have to be structurally implemented in the Shared Democracy on the basis of various structures of representation and participatory leadership based on personal responsibility, an area in which politics and the government are still falling far behind in their relationship with citizens.

3. Scientific, technological and information revolution

These revolutions create new opportunities and offer an almost real-time insight in the developments and events within society. Moreover, the internet and associated infrastructures enable completely new forms of exchange and marketplaces of ideas and decisions. This happens on a worldwide scale between like-minded people and people who hold different views. Where supply and demand are ill-aligned, new services that have a disruptive effect on old structures pop up. Think of the clear imbalance between citizens and politics. A solution for that problem can be found in completely new and invigorating systems and structures, set up with an open and free attitude, with privacy by design enshrined in legislation and with the application of advanced technology - all elements that distinguishes the Shared Democracy.

4. Unrestrained proliferation of public authorities

The house is ready to move into, but the contractor keeps coming back every day to see whether there are still tasks to be done... likewise our government exerts its influence on our daily life and on today’s economy. The unrestrained proliferation of public authorities has got to stop immediately and the government has to be brought back to normal proportions, in line with a standard that has yet to be established. By now, citizens serve the government instead of the other way around. The power of (central) public authorities is no longer commensurate with those of individual citizens. A key trait of the Shared Democracy will be the size, power and scope of the government.

5. Lifelong professional politicians

Another thing the founders of the 19th century model didn’t take into account (despite the seperation of powers) is the fact that many current (national) representatives are fulltime politicians, some of whom carry out public sector activities quite directly related to their political function. Particularly these latter ones have lost all connection to society and virtually live off taxpayers’ money without any risks. In the Shared Democracy we envisage, we advocate that representatives of citizens make clear choices and are in favour of all possible mixed forms of citizens and representatives in order to create a much larger engagement and responsibility among individual citizens when it comes to being active politically.

6. Financial sector, upscaling and mass control

The centralization and management of financial flows disconnected from the underlying value, erodes both the economy and society. The human dimension is disappearing into the background in upscaling and efficiency models dominated by financial flows. By introducing mantras such as ‘cash is criminal’, paying anonymously is being phased out while bank runs that could endanger and destabilize the system are being prevented. Here too, the web continually gets tighter around citizens and money no longer belongs to them, but to banks and the government. With a view to the future and on the basis of current and future technological possibilities, in the Shared Democracy, ownership relationships and the right to anonymous means of payment will have to be firmly embedded in law.

7. Supranational elite of individuals and companies

One of the effects of globalization is the rise of a large group of supranational companies and individuals that are disconnected from their nation-states and societies, benefitting from the rights they have but not fulfilling the duties that society equally brings along. Now that information and power are concentrated within a few very large, global conglomerates, there are many financial corporations and companies that have become larger than nation-states. The intransparent power of lobbygroups backing these conglomerates thrives under the old, authoritarian pyramid structure of centralized political representation. In the Shared Democracy, special attention will have to go out to democratic shaping and modelling on all levels, while the centralized and decentralized power structures have to be continually in balance and be measurable with the most advanced technology.

How will the Shared Democracy deal with all this? How much more freedom are we prepared to give up for the sake of (false) security? 100% security = 0% freedom. How are we going to restructure our society and democratic system in order to hold on to our principles with the seven drivers of development in mind? And on which scale are we willing to do so?

To better define these questions and look for answers, Privacy First will organize a New Year's Reception on 19 January 2017, at 7:30 pm in the Volkshotel in Amsterdam. The reception (in Dutch) will revolve around the Shared Democracy.

Privacy First encourages everyone to contribute to this new movement towards a Shared Democracy in an open and free debate on all available communication channels!

Bas Filippini
Privacy First Foundation chairman

The Privacy First Foundation presents its 2015 Annual Report: click HERE to download the pdf version. In this report, you will read everything about Privacy First’s daily fight to preserve and promote everyone’s right to privacy. To be able to continue this fight, our organization largely depends on individual donors. The more donors, the more effectively Privacy First can operate by way of political lobbying, targeted actions, campaigns, public events and lawsuits. Click HERE to become a donor of Privacy First!

EU Passenger Name Records: every airline passenger a potential suspect.

Today is a historic day in both a positive and a negative sense: on the one hand European Parliament has taken an important step forward in the area of privacy by adopting the General Data Protection Regulation. On the other hand, that same parliament has today concurred with large-scale storage of data of European airline passengers. As a result, every airline passenger becomes a potential suspect.

The General Data Protection Regulation will replace national privacy legislation in all EU Member States (this includes the Dutch Data Protection Act, Wet bescherming persoonsgegevens) and, in broad terms, will lead to better privacy protection throughout the European Union. Privacy Impact Assessments and Privacy by Design will become obligatory. These are two important features which Privacy First has for years been advocating for. Fundamental privacy principles such as necessity, proportionality and subsidiarity (obligatory use of privacy-friendly alternatives) will be more strongly enshrined and better elaborated.

In this light it is surprising that on the same day European Parliament has also adopted a measure that is in blatant disregard of these selfsame principles: the European Passenger Name Records (PNR) Directive. Under this PNR Directive, the data of all European airline passengers will be stored in centralized government databases for the duration of five years for the detection and prosecution of serious crimes, counter-terrorism, intelligence gathering, etc. Large amounts of travel data (names and addresses, telephone numbers, destinations, credit card data, even meals and service requests) of millions of people will therefore remain available to law enforcement and intelligence services for the purpose of datamining and profiling.

However, in 99.99% of all cases this concerns innocent citizens, most of which are people on vacation and business travellers. This constitutes a flagrant violation of their right to privacy and freedom of movement. Because of this, in recent years there had been a lot of political resistance against this plan which, since 2010, has been repealed on various occasions by both the Dutch House of Representatives as well as European Parliament. Last year, Dutch ruling parties VVD (Liberals) and PvdA (Labour) were still resolutely opposed to PNR. At the time, these parties referred to it as a ‘vacation register’ and even threatened to turn to the European Court of Justice in case the EU PNR Directive were to be approved of. But after the attacks in Paris and Brussels, many political reservations now seem to have disappeared like snow melting in the sun. Meanwhile, the necessity and proportionality of large-scale PNR storage has still not been proven. In the view of Privacy First, this PNR Directive is therefore unlawful in advance.

At the moment Privacy First is looking into legal steps to sweep this directive aside after all, either through a Dutch court or by lodging a direct appeal before the European Court of Justice in Luxembourg. Additionally, Privacy First will continue to advocate for a privacy-friendly PNR system which records and monitors only suspected individuals and leaves the vast majority of travellers alone.

 © RTL Nieuws

In the Dutch Citizens v. Plasterk case about the international exchange of data between secret services, the coalition of citizens and organizations (including Privacy First) has explained its appeal before the Hague Court of Appeals. In its statement of appeal, which was submitted to the Court on 2 February 2016, the coalition details why the ruling of the district court of The Hague (in Dutch) is wrong.  

In summary, the district court of the Hague has ruled that the collaboration and exchange of data on the basis of trust between Dutch secret services and foreign secret services (among which the American NSA) may simply be continued. According to the judge, the importance of national security is the determining factor, thereby essentially giving the Dutch AIVD (general intelligence and security service) and MIVD (military intelligence and security service) carte blanche to collect bulk data of Dutch citizens via foreign intelligence agencies without any legal protection, only because of the designation ‘national security’.

The Citizens v. Plasterk coalition deems this ruling to be in flagrant breach of the right to privacy and has lodged an appeal. It must be noted that the coalition isn’t seeking to ban the collaboration with foreign services as such. However, we find that when it comes to collaborating and receiving data, strict safeguards should be maintained. Failure to do so means that data that has been obtained by the NSA and other intelligence services in violation of Dutch law, illegally end up in the hands of Dutch intelligence services. This comes down to the laundering of data through an illegitimate U-turn.

"By using NSA data, minister Plasterk and his services are laundering illegally obtained data. This case should put an end to that", says our lawyer Christiaan Alberdingk Thijm of bureau Brandeis. Read our entire statement of appeal HERE (pdf in Dutch).

What’s next?

The Dutch government will first have to react to our statement of appeal in a statement of defence on appeal, after which the Hague Court of Appeals will schedule a hearing and render a ruling.

Meanwhile, our coalition has been admitted to intervene in the legal proceedings against the British government that the British organization Big Brother Watch et al. have brought before the European Court of Human Rights (ECtHR). This is a significant development because as a result, the ECtHR may, at an early stage, be able to issue a verdict that is relevant to our Dutch case. Click HERE (pdf) for the recent decision on admissibility by the European Court and HERE for more information about the British case on the Court's website.

The Citizens v. Plasterk case

At the end of 2013, the Citizens v. Plasterk coalition summoned the Dutch government, represented by the Dutch minister of the Interior, Ronald Plasterk. This was prompted by Edward Snowden’s revelations about the practices of (foreign) intelligence services. The coalition demands that the Netherlands stops using data that have been obtained in violation of Dutch law.

In February 2014 the case almost led to minister Plasterk’s withdrawal from office. It had emerged that Plasterk had wrongfully informed the Dutch House of Representatives on the exchange of data between Dutch and foreign intelligence services. The Dutch services had passed on 1.8 million items of data to the Americans and not the other way around, as he had previously claimed.

In July 2014 the district court of The Hague rejected the claims of the coalition, after which the coalition lodged an appeal before the Hague Court of Appeals.

At the end of 2015 it became known that the coalition may participate in a British lawsuit before the European Court of Human Rights in Strasbourg.

The participating citizens in the coalition are: Rop Gonggrijp, Jeroen van Beek, Bart Nooitgedagt, Brenno de Winter and Mathieu Paapst. The participating organizations are: the Privacy First Foundation, the Dutch Association of Defence Counsel (NVSA), the Dutch Association of Journalists (NVJ) and Internet Society Netherlands.

The case is taken care of by bureau Brandeis, in particular by our lawyers Christiaan Alberdingk Thijm and Caroline de Vries, who make use of the bureau Brandeis’s pro-bono fund.

Update 9 February, 2016: today the coalition submitted its written submissions to the European Court of Human Rights, click HERE (pdf).

"Facebook continues to breach personal data privacy rights in Europe, says a group of human rights organizations, and it demands that Facebook’s EU-US data transfers stop by February 6, 2016. Facebook has formally responded.

As previously reported, the Privacy First Foundation, Public Interest Litigation Project PILP and the Dutch Platform for the Protection of Civil Rights (collectively, “Privacy First”) sent Facebook a demand letter, to which Facebook has now replied in writing.

Facebook’s written response

Facebook responded to Privacy First’s demand letter by giving written assurances of data protection in accordance with current law–that is, those parts of the Privacy Directive that survived the ruling in Schrems, the case that invalidated Safe Harbor.

Specifically, Facebook states that “the grounds for transfer of data set out in Article 26 of the Directive remain entirely lawful,” and that it complies with “these other grounds to transfer data legally from the European Union to the United States .” Facebook further challenged the Dutch tribunal Privacy First plans to use, as lacking competence over Facebook Ireland, the party it asserts is the data controller for data of Facebook Netherlands.

Privacy First’s reply

Privacy First, in its reply through its counsel Boekx, Amsterdam, reiterated its position that the other instruments currently used as basis for EU-US data transfers (such as Standard Contractual Clauses or individual consent) are “fundamentally flawed, as these options do not resolve the problems identified by the European Court of Justice in the Schrems judgment.”

Privacy First’s reply further reserves its rights to initiate legal proceedings in the Hague “requesting a preliminary injunction and/or raising prejudicial questions with the European Court of Justice” if Facebook doesn’t stop EU-US data transfers or provide adequate protections by February 6th, 2016.

Clearly, Privacy First and its co-plaintiffs are not happy with Facebook's response. (...)

Competent court

Facebook’s letter also challenges the competence of Dutch courts to hear proceedings in the Netherlands against Facebook Ireland, which it alleges is the true data controller, not Facebook Netherlands B.V. Regarding the competence issue, [Boekx] said that Dutch courts have rendered decisions in the past against both Facebook parties.

As reported, the EU and US are currently negotiating replacement of the Safe Harbor Agreement; there is a meeting of the negotiating parties scheduled for February 2nd to discuss EU-US data transfers and how to ensure protections for EU citizens in the legal uncertainties left by Schrems.

Further delays possible

Due to delay in legislation in the U.S. that may be one of the EU’s preconditions to Safe Harbor (the Judicial Redress Act), further delays in Safe Harbor resolution are expected (by some) that could take those negotiations beyond the February 6 deadline set by Privacy First. These delays could set Facebook up for proceedings that, if successful, would result in a shutdown of its EU-US data transfers. (...)"

Source: http://www.forbes.com/sites/lisabrownlee/2016/01/27/facebook-fires-back-in-eu-privacy-dispute/#2fe9f2801d5b, 27 January 2016.

"Non siamo la pecora nera, e rispettiamo le stesse regole degli altri. Potremmo così sintetizzare il nocciolo della difesa di Facebook contro le accuse di alcune organizzazioni pro-privacy e utenti olandesi che hanno chiesto, con lettera formale, di impedire il trasferimento di dati personali degli iscritti verso gli Stati Uniti, dove risiedono molti suoi data center e molte delle sue aziende inserzioniste. Minacciando azioni legali nel caso il social network non interrompa questa pratica prima del 16 gennaio. Le radici della vicenda sono note: dalla denuncia inoltrata nel 2013 dallo studente austriaco Max Schrems, fino alla recente decisione della Corte di Giustizia dell’Unione Europea di invalidare gli accordi regolati dal Safe Harbor.Vero è che le nuove regole comunitarie travolgono non solo la creatura di Mark Zuckerberg bensì circa quattromila aziende statunitensi presenti sul Web, però è altrettanto vero che l’attenzione mediatica e le preoccupazioni si concentrano inevitabilmente su Facebook, luogo dove più di ogni altro le vite private diventano condivise. Ma anche il social network delle immagini, Instagram, e la più popolare fra le applicazioni di messaggistica, WhatsApp (entrambe proprietà dell’azienda di Menlo Park) sono coinvolti.

La lettera in questione, infatti, è stata inviata alle sedi di Facebook in California, in Olanda e in Irlanda così come alle sedi di Instagram e Whatsapp. Il mittente è uno studio legale di Amsterdam, Boekx, che parla in rappresentanza di tre associazioni pro-privacy (Stichting Privacy First, Public Interest Litigation Project e Dutch Platform for the Protection of Civil Rights) e di privati cittadini olandesi. La richiesta è, appunto, quella di interrompere il trasferimento dei dati verso gli States entro le ore 18 del gennaio, a meno di non voler incorrere in azioni legali.

Nelle parole dell’avvocato Otto Volgenant dello studio Boekx, “Vogliamo fare pressione su Facebook” e indurre Zuckerberg a pronunciarsi in merito al dibattito sulla privacy in corso nei governi di diversi Paesi. Se poi Facebook facesse ostruzionismo, la protesta degli olandesi potrebbe arrivare dapprima in un tribunale nazionale e poi da qui alla Corte Europea di Giustizia.

La replica della società californiana, arrivata tramite Forbes da un portavoce dell’azienda, Matt Steinfeld, esordisce ribadendo che il social network “utilizza i medesimi meccanismi impiegati da migliaia di altre aziende per trasferire legittimamente dati dall’Europa agli Stati Uniti e ad altri Paesi in tutto in mondo”. E poi fa una proposta: “Crediamo che il modo migliore per risolvere l’attuale dibattito sul trasferimento dei dati oltre l’oceano sia creare un nuovo patto di Safe Harbour, che garantisca adeguate tutele ai cittadini europei”. Il social network, dunque, non si sottrae alla possibilità di modifiche del regolamento ma anzi si auspica che le discussioni in corso fra organismi regolatori europei e statunitensi, e fra essi e i rispettivi governi sfocino presto in un “esito positivo”, ha dichiarato Steinfeld."

Source: http://www.ictbusiness.it/cont/news/l-attacco-olandese-e-la-difesa-facebook-non-siamo-peggio-di-altri/36065/1.html#.VoJYKfFIiUn, 17 December 2015.

Christmas column by Bas Filippini,
Chairman of the Privacy First Foundation 

Principles of our democratic constitutional State are still very relevant 

‘‘Your choice in a free society’’ is the slogan of the Privacy First Foundation. Privacy First has defined its principles on the basis of universal human rights and our Dutch Constitution and is reputed for professional and, if necessary, legal action in line with our free constitutional State. The mere fact that Privacy First exists, means that in recent years the aforementioned principles have come under increasing pressure. We base our (legal) actions and judgements on thorough fact-finding, to the extent possible in our working area.

‘The Netherlands as a secure global pioneer in the field of privacy’, that’s our motto. This country should also serve as an example of how to use technology whilst maintaining the principles of our open and free society. This can be achieved through legislative, executive and IT infrastructures, starting from privacy by design and making use of privacy enhanced technology.

Whereas the industrial revolution has environmental pollution as a negative side effect, the information revolution has the ‘pollution of privacy and freedom’ as an unwanted side effect.

Therefore, the question is how to preserve the basic principles of our democratic constitutional State and how to support new structures and services towards the future. As far as we’re concerned, these basic principles are neither negotiable nor exchangeable. Yet time and again we see the same incident-driven politics based on the misconceptions of the day strike at times when the constitutional State is at its most vulnerable and cannot defend itself against the emotional tide of the moment.

Paris as yet another excuse to pull through ‘new’ laws

Various politicians feed on the attacks in Paris and tumble over one another to express Orwellian macho talk, taking things further and further in legislative proposals or in emotional speeches characterized by belligerence and rhetoric. And it’s always so predictable: further restraining existing freedoms of all citizens instead of focusing further on the group of adolescents (on average, terrorist attackers are between 18 and 30 years old) that intelligence agencies already have in sight. Instead of having a discussion about how intelligence agencies can more effectively tackle the already defined group that needs to be monitored and take preventive measures in the communication with and education of this target group, the focus too easily shifts to familiar affairs whereby necessity, proportionality and subsidiarity are hard to find.

So in the meanwhile we’ve witnessed the prolonged state of emergency in France, the far reaching extension of powers of the police, the judiciary and intelligence services (also to the detriment of innocent citizens), extra controls in public space, the retention of passenger data, etc., etc. All this apparently for legitimate reasons in the heat of the moment, but it will be disastrous for our freedom both in the short as well as in the long run. In this respect the blurring definition of the term ‘terrorism’ is striking. Privacy First focuses on government powers in relation to the presumption of innocence that citizens have. We’re in favour of applying special powers in dealing with citizens who are under reasonable suspicion of criminal offences and violate the rights of others with their hate and violence. In fact, that’s exactly what the law says. Let’s first implement this properly, instead of introducing legislative proposals that throw out the baby with the bathwater.

The governments is committed to impossible 100 per cent security solutions

What often strikes me in conversations with civil servants is the idea that the government should provide 100 per cent solutions for citizens and applies a risk exclusion principle. This leads to a great deal of compartmentalization and paralyzation when it comes to possible government solutions in the area of security. Technology-based quick fixes are adhered to by default, without properly analyzing the cause of problems and looking at the implementation of existing legislation.

The government way of thinking is separate from citizens, who are not trusted in having legal capacity and are regarded as a necessary evil, as troublesome and as inconvenient in the performance of the government’s tasks. The idea that the government, serving its citizens, should offer as high a percentage as possible but certainly not a 100 per cent security (the final 10 per cent are very costly on the one hand and suffocating for society on the other) is not commonly shared. No civil servant and no politician is prepared to introduce policies to maintain an open society today (and 50 years from now) that entail any risk factors. However, in reality there will always be risks in an open society and it should be noted that a society is not a matter of course but something we should treat with great care.

Here in the Netherlands we’ve seen other forms of government before: from rule by royal decree to a bourgeoisie society and an actual war dictatorship. Every time we chose not to like these forms of society. What could possibly be a reason to be willing to go back to any of these forms and give up our freedoms instead of increasing them and enforcing them with technology? Especially in a society that has high levels of education and wherein citizens show to be perfectly able to take their own decisions on various issues. We hire the government and politics as our representatives, not the other way around. However, we’re now put up with a government that doesn’t trust us, is only prepared to deliver information on the basis of FOIA requests and requires us to hand over all information and communications about us and our deepest private lives as if we were prima facie suspects. That puts everything back to front and to me it embodies a one way trip to North Korea. You’ll be more than welcome there!

Political lobby of the industry

The industry’s persistence to overload the government and citizens with ICT solutions is unprecedented. Again and again here in the Netherlands and in Silicon Valley the same companies pop up that want to secure their Christmas bonus by marketing their products in exchange for our freedom. We’re talking about various electronic health records like the Child record and the Orwellian and centralized electronic patient record, the all-encompassing System Risk-Indication database, travel and residency records, road pricing, chips in number plates and cars, so-called automated guided vehicles (including illegal data collection by car manufacturers), number plate parking, automatic number plate recognition cameras, facial recognition in public space and counter-hacking by government agencies while voting computers are back on the agenda. Big Data, the Internet of things, the list goes on.

With huge budgets these companies promote these allegedly smart solutions, without caring about their dangers for our freedom. It’s alienating to see that the reversal of legal principles is creeping in and is being supported by various government and industry mantras. It’s as if a parasitic wasp erodes civil liberties: the outside looks intact but the inside is already empty and rotten.

From street terrorism to State terrorism

As indicated above, the information revolution leads to the restriction of freedom. It’s imperative to realize that after 4000 years of struggle, development and evolution we have come to our refined form of society and principles that are (relatively) universal for every free citizen. Just as most of us are born out of love, freedom and trust, to me these are also the best principles with which to build a society. We’re all too familiar with societies founded on hate, fear and government control and we have renounced them not so long ago as disastrous and exceptionally unpleasant. At the expense of many sacrifices and lives these principles have been enshrined in treaties, charters and constitutions and are therefore non-negotiable.

It’s high time to continue to act on the basis of these principles and make policy implementation and technology subordinate to this, taking into account the people’s needs and their own responsibility. In my eyes, a civil servant in the service of the people who places security above everything else, is nothing more than a State terrorist or a white collar terrorist who in the long term causes much more damage to our constitutional State and freedom than a so called street terrorist. The government and industry should have an immediate integrity discussion about this, after which clear codes can be introduced for privacy-sustainable governing and entrepreneurship.

Towards a secure global pioneer in the field of privacy

Privacy First would like to see government and industry take their own responsibility in protecting and promoting the personal freedom of citizens and in so doing use a 80/20 rule as far as security is concerned. By focusing on risk groups a lot of money and misery can be saved. Exceptions prove the rule, which in this case is a free and democratic constitutional State and not the other way around. Say yes to a free and secure Netherlands as a global pioneer in the field of privacy!

"Facebook, Inc. and related entities have received a letter demanding them to stop EU-US data transfers until U.S. laws comply with the EU data protection regime, or risk lawsuit in the Netherlands. Facebook must cease transfer by 15 January 2016. The complaining parties have reserved rights to file suit if compliance is not forthcoming.

The demand and summons letter was sent today by the Boekx law firm in Amsterdam on behalf of numerous plaintiffs including:
• Privacy First Foundation (Stichting Privacy First)
• Public Interest Litigation Project PILP
• Dutch Platform for the Protection of Civil Rights
and other users of Facebook, Instagram and WhatsApp. The letter was sent to Facebook Netherlands B.V., Facebook Ireland Limited, Facebook Inc. and Instagram LLC (California), and WhatsApp Inc. (California).

Facebook response

Facebook spokesperson Matt Steinfeld provided (...) the following written statement:

“Facebook uses the same mechanisms that thousands of others companies across the EU use to transfer data legally from the EU to the US, and to other countries around the world. We believe that the best solution to the on-going debate around transatlantic data transfers is for there to be a new Safe Harbor agreement with appropriate safeguards for EU citizens.”
“We understand that authorities in the EU and US are working hard to put such an agreement in place as soon as possible. We trust that these groups are engaging with their respective governments on this process to help it reach a successful conclusion.”

Lawsuit intended to pressure Facebook

Otto Volgenant of the Boekx stated to Dutch outlet RTLZ, “We want to put pressure on Facebook. Mark Zuckerberg must make its voice heard in the debate about privacy, the US government has the solution for this problem.” According to Volgenant (as reported), the case would first be brought in The Hague, which could exercise its option to refer the case to the European Court of Justice.

Volgenant predicted that such referral would not be made, given the clarity of law on the topic since the recent Schrems ruling of the European Court of Justice (discussed further below).

U.S. compliant-laws required

Specifically, the demand requires that Facebook “end the current unlawful transfer of personal data from the European Union to the United States” until the U.S. adopts laws “essentially equivalent to” European data protection laws, or face lawsuit in the Netherlands. The summons gives Facebook until Friday 15 January 2016 (18:00 CET) to cease EU-US transfers, or risk having a court force it and related Facebook entities, through an injunction, to cease such transfers.

Facebook “remarkably absent” in data privacy discussions

In its letter, Boekx accuses Facebook of being “remarkably absent” in the public debate over EU-US data transfers, following the European Court of Justice decision in Schrems, which decision invalidated the so-called “Safe Harbor Agreement” between the U.S. and the E.U. and thus made such transfers illegal under E.U. law., effective immediately upon rendering of that decision. (...)

The demand letter further articulates the specifics of the Schrems decision, including that court’s conclusions that the NSA violated “European fundamental rights to respect for private life” by its “access on a generalized basis to the content of electronic communications.”
(...)
The letter concludes:

If we cannot find an amicable solution and Facebook does not refrain from further transfer of personal data of data subjects from the European Union to the United States by then, we reserve the right to initiate legal proceedings in the Netherlands and to request a preliminary injunction from the competent Dutch Court."

Source: http://www.forbes.com/sites/lisabrownlee/2015/12/15/facebook-threatened-with-lawsuit-over-eu-us-data-transfers-facebook-response/, 15 December 2015.

Today the Privacy First Foundation and three other public interest groups as well as a number of Dutch individual users of Facebook, WhatsApp and Instagram request Mark Zuckerberg to join the public debate following the landmark Schrems-judgment of the European Court of Justice.

On 6 October 2015, the European Court of Justice invalidated the Safe Harbour Decision, which was the basis for Facebook’s transfer of personal data from the European Union to the United States. The Grand Chamber of the Court found that the legislation of the United States fails to ensure a level of protection essentially equivalent to that guaranteed in the legal order of the European Union. The NSA has access to Facebook content of users from the European Union, without any judicial redress being available to them. The Court held that this compromises the essence of the fundamental right to privacy. These issues have not been resolved yet.

Following the judgment, Facebook continued the transfer of personal data from the European Union to the United States. Bas Filippini of Privacy First says: ‘Absent an adequate level of protection in the United States, the continued transfer of personal data is clearly incompatible with European data protection laws. Such transfer violates the rights of millions of individuals. If this is not resolved shortly, we will initiate legal action.’

To date, Facebook has been remarkably absent in the public debate that followed this landmark judgment. Ton Siedsma of Bits of Freedom says: ‘We invite Facebook to publicly engage in a meaningful and transparent dialogue aimed at finding a solution, and to pressure the authorities to find such solution. Facebook is invited to publicly share its current and intended policies and practice on data transfer.’

Today, Facebook was summoned to come up with an adequate solution ultimately by 15 January 2016. If it fails to do so, civil rights groups and a number of Dutch individuals will request the Court in The Hague to grant an injunction ordering Facebook to immediately cease the transfer of personal data to the United States. This pertains to all services of Facebook, including WhatsApp and Instagram.

‘As long as the United States fails to provide an adequate level of protection against mass surveillance, personal data may not be transferred to the United States. Taking Facebook to court emphasizes the urgency of resolving this issue.’ says Jelle Klaas of the Public Interest Litigation Project of NJCM, the Dutch section of the International Commission of Jurists. ‘Our goal is not to put the screens of millions of users to black, but to enhance the current level of privacy protection. Hopefully, a solution can be found shortly by the legislators.’

Click HERE for our entire letter of summons to Mark Zuckerberg (pdf).

Update 21 January 2016: shortly before the deadline Facebook responded to our letter of summons by fax, click HERE (pdf). According to Facebook, there is still a suitable legal basis for the transfer of personal data from the EU to the US, despite the invalidity of Safe Harbour. Privacy First et al. contest this and have today sent a response to Facebook, click HERE (pdf).

In the discussion about a newly proposed surveillance bill in England, Facebook, following our summons letter, has made it publicly clear that:

“Governments should not be able to compel the production of private communications content absent authorization from an independent and impartial judicial official. (...) Surveillance laws should not permit bulk collection of information. The principles require that the Government specifically identify the individuals or accounts to be targeted and should expressly prohibit bulk surveillance.”

However, it is precisely these aspects where, according to the European Court of Justice, the legal protection in the US is inadequate. In our letter of this afternoon, Privacy First et al. have therefore requested Facebook to present their standpoint also in the debate about mass surveillance in the US. Negotiations about this issue are currently ongoing between the EU and the US. It would be good if Facebook gets involved in this debate, in line with the standpoint it voiced in relation to the English legislative proposal.

If in the short term a solution will not be found for the fundamental privacy issues the European Court of Justice has identified, Privacy First et al. will consider bringing interim injunction proceedings before the district court of The Hague.

It is Privacy First’s established policy to focus its attention primarily on (impending) privacy violations that (can) hit large groups of people at once. Selecting our themes, we are guided by 1) the scale, 2) the seriousness and 3) the possible impact and consequences of a certain violation. Privacy First prioritizes and publicly identifies mass violations of a grave nature. It then tries to make an end to the violation by means of quiet diplomacy and political lobbying, a public campaign, legal action or – as a last resort – a lawsuit. Click HERE to read all about our activities in our annual report 2014! (pdf)