"Non siamo la pecora nera, e rispettiamo le stesse regole degli altri. Potremmo così sintetizzare il nocciolo della difesa di Facebook contro le accuse di alcune organizzazioni pro-privacy e utenti olandesi che hanno chiesto, con lettera formale, di impedire il trasferimento di dati personali degli iscritti verso gli Stati Uniti, dove risiedono molti suoi data center e molte delle sue aziende inserzioniste. Minacciando azioni legali nel caso il social network non interrompa questa pratica prima del 16 gennaio. Le radici della vicenda sono note: dalla denuncia inoltrata nel 2013 dallo studente austriaco Max Schrems, fino alla recente decisione della Corte di Giustizia dell’Unione Europea di invalidare gli accordi regolati dal Safe Harbor.Vero è che le nuove regole comunitarie travolgono non solo la creatura di Mark Zuckerberg bensì circa quattromila aziende statunitensi presenti sul Web, però è altrettanto vero che l’attenzione mediatica e le preoccupazioni si concentrano inevitabilmente su Facebook, luogo dove più di ogni altro le vite private diventano condivise. Ma anche il social network delle immagini, Instagram, e la più popolare fra le applicazioni di messaggistica, WhatsApp (entrambe proprietà dell’azienda di Menlo Park) sono coinvolti.
La lettera in questione, infatti, è stata inviata alle sedi di Facebook in California, in Olanda e in Irlanda così come alle sedi di Instagram e Whatsapp. Il mittente è uno studio legale di Amsterdam, Boekx, che parla in rappresentanza di tre associazioni pro-privacy (Stichting Privacy First, Public Interest Litigation Project e Dutch Platform for the Protection of Civil Rights) e di privati cittadini olandesi. La richiesta è, appunto, quella di interrompere il trasferimento dei dati verso gli States entro le ore 18 del gennaio, a meno di non voler incorrere in azioni legali.
Nelle parole dell’avvocato Otto Volgenant dello studio Boekx, “Vogliamo fare pressione su Facebook” e indurre Zuckerberg a pronunciarsi in merito al dibattito sulla privacy in corso nei governi di diversi Paesi. Se poi Facebook facesse ostruzionismo, la protesta degli olandesi potrebbe arrivare dapprima in un tribunale nazionale e poi da qui alla Corte Europea di Giustizia.
La replica della società californiana, arrivata tramite Forbes da un portavoce dell’azienda, Matt Steinfeld, esordisce ribadendo che il social network “utilizza i medesimi meccanismi impiegati da migliaia di altre aziende per trasferire legittimamente dati dall’Europa agli Stati Uniti e ad altri Paesi in tutto in mondo”. E poi fa una proposta: “Crediamo che il modo migliore per risolvere l’attuale dibattito sul trasferimento dei dati oltre l’oceano sia creare un nuovo patto di Safe Harbour, che garantisca adeguate tutele ai cittadini europei”. Il social network, dunque, non si sottrae alla possibilità di modifiche del regolamento ma anzi si auspica che le discussioni in corso fra organismi regolatori europei e statunitensi, e fra essi e i rispettivi governi sfocino presto in un “esito positivo”, ha dichiarato Steinfeld."
Source: http://www.ictbusiness.it/cont/news/l-attacco-olandese-e-la-difesa-facebook-non-siamo-peggio-di-altri/36065/1.html#.VoJYKfFIiUn, 17 December 2015.
Christmas column by Bas Filippini,
Chairman of the Privacy First Foundation
Principles of our democratic constitutional State are still very relevant
‘Your choice in a free society’ is the slogan of the Privacy First Foundation. Privacy First has defined its principles on the basis of universal human rights and our Dutch Constitution and is reputed for professional and, if necessary, legal action in line with our free constitutional State. The mere fact that Privacy First exists means that in recent years the aforementioned principles have come under increasing pressure. We base our (legal) actions and judgements on thorough fact-finding, to the extent possible in our working area.
‘The Netherlands as a secure global pioneer in the field of privacy’, that’s our motto. This country should also serve as an example of how to use technology whilst maintaining the principles of our open and free society. This can be achieved through legislative, executive and IT infrastructures, starting from privacy by design and making use of privacy enhanced technology.
Whereas the industrial revolution has environmental pollution as a negative side effect, the information revolution has the ‘pollution of privacy and freedom’ as an unwanted side effect.
Therefore, the question is how to preserve the basic principles of our democratic constitutional State and how to support new structures and services towards the future. As far as we’re concerned, these basic principles are neither negotiable nor exchangeable. Yet time and again we see the same incident-driven politics based on the misconceptions of the day strike at times when the constitutional State is at its most vulnerable and cannot defend itself against the emotional tide of the moment.
Paris as yet another excuse to pull through ‘new’ laws
Various politicians feed on the attacks in Paris and tumble over one another to express Orwellian macho talk, taking things further and further in legislative proposals or in emotional speeches characterized by belligerence and rhetoric. And it’s always so predictable: further restraining existing freedoms of all citizens instead of focusing further on the group of adolescents (on average, terrorist attackers are between 18 and 30 years old) that intelligence agencies already have in sight. Instead of having a discussion about how intelligence agencies can more effectively tackle the already defined group that needs to be monitored and take preventive measures in the communication with and education of this target group, the focus too easily shifts to familiar affairs whereby necessity, proportionality and subsidiarity are hard to find.
So in the meanwhile we’ve witnessed the prolonged state of emergency in France, the far reaching extension of powers of the police, the judiciary and intelligence services (also to the detriment of innocent citizens), extra controls in public space, the retention of passenger data, etc., etc. All this apparently for legitimate reasons in the heat of the moment, but it will be disastrous for our freedom both in the short as well as in the long run. In this respect the blurring definition of the term ‘terrorism’ is striking. Privacy First focuses on government powers in relation to the presumption of innocence that citizens have. We’re in favour of applying special powers in dealing with citizens who are under reasonable suspicion of criminal offences and violate the rights of others with their hate and violence. In fact, that’s exactly what the law says. Let’s first implement this properly, instead of introducing legislative proposals that throw out the baby with the bathwater.
The government is committed to impossible 100 per cent security solutions
What often strikes me in conversations with civil servants is the idea that the government should provide 100 per cent solutions for citizens and applies a risk exclusion principle. This leads to a great deal of compartmentalization and paralyzation when it comes to possible government solutions in the area of security. Technology-based quick fixes are adhered to by default, without properly analyzing the cause of problems and looking at the implementation of existing legislation.
The government way of thinking is separate from citizens, who are not trusted in having legal capacity and are regarded as a necessary evil, as troublesome and as inconvenient in the performance of the government’s tasks. The idea that the government, serving its citizens, should offer as high a percentage as possible but certainly not a 100 per cent security (the final 10 per cent are very costly on the one hand and suffocating for society on the other) is not commonly shared. No civil servant and no politician is prepared to introduce policies to maintain an open society today (and 50 years from now) that entail any risk factors. However, in reality there will always be risks in an open society and it should be noted that a society is not a matter of course but something we should treat with great care.
Here in the Netherlands we’ve seen other forms of government before: from rule by royal decree to a bourgeoisie society and an actual war dictatorship. Every time we chose not to like these forms of society. What could possibly be a reason to be willing to go back to any of these forms and give up our freedoms instead of increasing them and enforcing them with technology? Especially in a society that has high levels of education and wherein citizens show to be perfectly able to take their own decisions on various issues. We hire the government and politics as our representatives, not the other way around. However, we now have to put up with a government that doesn’t trust us, is only prepared to deliver information on the basis of FOIA requests and requires us to hand over all information and communications about us and our deepest private lives as if we were prima facie suspects. That puts everything back to front and to me it embodies a one way trip to North Korea. You’ll be more than welcome there!
Political lobby of the industry
The industry’s persistence to overload the government and citizens with ICT solutions is unprecedented. Again and again here in the Netherlands and in Silicon Valley the same companies pop up that want to secure their Christmas bonus by marketing their products in exchange for our freedom. We’re talking about various electronic health records like the Child record and the Orwellian and centralized electronic patient record, the all-encompassing System Risk-Indication database, travel and residency records, road pricing, chips in number plates and cars, so-called automated guided vehicles (including illegal data collection by car manufacturers), number plate parking, automatic number plate recognition cameras, facial recognition in public space and counter-hacking by government agencies while voting computers are back on the agenda. Big Data, the Internet of things, the list goes on.
With huge budgets these companies promote these allegedly smart solutions, without caring about their dangers for our freedom. It’s alienating to see that the reversal of legal principles is creeping in and is being supported by various government and industry mantras. It’s as if a parasitic wasp erodes civil liberties: the outside looks intact but the inside is already empty and rotten.
From street terrorism to State terrorism
As indicated above, the information revolution leads to the restriction of freedom. It’s imperative to realize that after 4000 years of struggle, development and evolution we have come to our refined form of society and principles that are (relatively) universal for every free citizen. Just as most of us are born out of love, freedom and trust, to me these are also the best principles with which to build a society. We’re all too familiar with societies founded on hate, fear and government control and we have renounced them not so long ago as disastrous and exceptionally unpleasant. At the expense of many sacrifices and lives these principles have been enshrined in treaties, charters and constitutions and are therefore non-negotiable.
It’s high time to continue to act on the basis of these principles and make policy implementation and technology subordinate to this, taking into account the people’s needs and their own responsibility. In my eyes, a civil servant in the service of the people who places security above everything else, is nothing more than a State terrorist or a white collar terrorist who in the long term causes much more damage to our constitutional State and freedom than a so called street terrorist. The government and industry should have an immediate integrity discussion about this, after which clear codes can be introduced for privacy-sustainable governing and entrepreneurship.
Towards a secure global pioneer in the field of privacy
Privacy First would like to see government and industry take their own responsibility in protecting and promoting the personal freedom of citizens and in so doing use an 80/20 rule as far as security is concerned. By focusing on risk groups a lot of money and misery can be saved. Exceptions prove the rule, which in this case is a free and democratic constitutional State and not the other way around. Say yes to a free and secure Netherlands as a global pioneer in the field of privacy!
"Facebook, Inc. and related entities have received a letter demanding them to stop EU-US data transfers until U.S. laws comply with the EU data protection regime, or risk lawsuit in the Netherlands. Facebook must cease transfer by 15 January 2016. The complaining parties have reserved rights to file suit if compliance is not forthcoming.
The demand and summons letter was sent today by the Boekx law firm in Amsterdam on behalf of numerous plaintiffs including:
• Privacy First Foundation (Stichting Privacy First)
• Public Interest Litigation Project PILP
• Dutch Platform for the Protection of Civil Rights
and other users of Facebook, Instagram and WhatsApp. The letter was sent to Facebook Netherlands B.V., Facebook Ireland Limited, Facebook Inc. and Instagram LLC (California), and WhatsApp Inc. (California).
Facebook spokesperson Matt Steinfeld provided (...) the following written statement:
“Facebook uses the same mechanisms that thousands of other companies across the EU use to transfer data legally from the EU to the US, and to other countries around the world. We believe that the best solution to the on-going debate around transatlantic data transfers is for there to be a new Safe Harbor agreement with appropriate safeguards for EU citizens.”
“We understand that authorities in the EU and US are working hard to put such an agreement in place as soon as possible. We trust that these groups are engaging with their respective governments on this process to help it reach a successful conclusion.”
Lawsuit intended to pressure Facebook
Otto Volgenant of Boekx stated to Dutch outlet RTLZ, “We want to put pressure on Facebook. Mark Zuckerberg must make his voice heard in the debate about privacy, the US government has the solution for this problem.” According to Volgenant (as reported), the case would first be brought in The Hague, which could exercise its option to refer the case to the European Court of Justice.
Volgenant predicted that such referral would not be made, given the clarity of law on the topic since the recent Schrems ruling of the European Court of Justice (discussed further below).
U.S. compliant-laws required
Specifically, the demand requires that Facebook “end the current unlawful transfer of personal data from the European Union to the United States” until the U.S. adopts laws “essentially equivalent to” European data protection laws, or face lawsuit in the Netherlands. The summons gives Facebook until Friday 15 January 2016 (18:00 CET) to cease EU-US transfers, or risk having a court force it and related Facebook entities, through an injunction, to cease such transfers.
Facebook “remarkably absent” in data privacy discussions
In its letter, Boekx accuses Facebook of being “remarkably absent” in the public debate over EU-US data transfers, following the European Court of Justice decision in Schrems, which decision invalidated the so-called “Safe Harbor Agreement” between the U.S. and the E.U. and thus made such transfers illegal under E.U. law, effective immediately upon rendering of that decision. (...)
The demand letter further articulates the specifics of the Schrems decision, including that court’s conclusions that the NSA violated “European fundamental rights to respect for private life” by its “access on a generalized basis to the content of electronic communications.”
The letter concludes:
If we cannot find an amicable solution and Facebook does not refrain from further transfer of personal data of data subjects from the European Union to the United States by then, we reserve the right to initiate legal proceedings in the Netherlands and to request a preliminary injunction from the competent Dutch Court."
Today the Privacy First Foundation and three other public interest groups as well as a number of Dutch individual users of Facebook, WhatsApp and Instagram request Mark Zuckerberg to join the public debate following the landmark Schrems-judgment of the European Court of Justice.
On 6 October 2015, the European Court of Justice invalidated the Safe Harbour Decision, which was the basis for Facebook’s transfer of personal data from the European Union to the United States. The Grand Chamber of the Court found that the legislation of the United States fails to ensure a level of protection essentially equivalent to that guaranteed in the legal order of the European Union. The NSA has access to Facebook content of users from the European Union, without any judicial redress being available to them. The Court held that this compromises the essence of the fundamental right to privacy. These issues have not been resolved yet.
Following the judgment, Facebook continued the transfer of personal data from the European Union to the United States. Bas Filippini of Privacy First says: ‘Absent an adequate level of protection in the United States, the continued transfer of personal data is clearly incompatible with European data protection laws. Such transfer violates the rights of millions of individuals. If this is not resolved shortly, we will initiate legal action.’
To date, Facebook has been remarkably absent in the public debate that followed this landmark judgment. Ton Siedsma of Bits of Freedom says: ‘We invite Facebook to publicly engage in a meaningful and transparent dialogue aimed at finding a solution, and to pressure the authorities to find such solution. Facebook is invited to publicly share its current and intended policies and practice on data transfer.’
Today, Facebook was summoned to come up with an adequate solution ultimately by 15 January 2016. If it fails to do so, civil rights groups and a number of Dutch individuals will request the Court in The Hague to grant an injunction ordering Facebook to immediately cease the transfer of personal data to the United States. This pertains to all services of Facebook, including WhatsApp and Instagram.
‘As long as the United States fails to provide an adequate level of protection against mass surveillance, personal data may not be transferred to the United States. Taking Facebook to court emphasizes the urgency of resolving this issue.’ says Jelle Klaas of the Public Interest Litigation Project of NJCM, the Dutch section of the International Commission of Jurists. ‘Our goal is not to put the screens of millions of users to black, but to enhance the current level of privacy protection. Hopefully, a solution can be found shortly by the legislators.’
Click HERE for our entire letter of summons to Mark Zuckerberg (pdf).
Update 21 January 2016: shortly before the deadline Facebook responded to our letter of summons by fax, click HERE (pdf). According to Facebook, there is still a suitable legal basis for the transfer of personal data from the EU to the US, despite the invalidity of Safe Harbour. Privacy First et al. contest this and have today sent a response to Facebook, click HERE (pdf).
In the discussion about a newly proposed surveillance bill in England, Facebook, following our summons letter, has made it publicly clear that:
“Governments should not be able to compel the production of private communications content absent authorization from an independent and impartial judicial official. (...) Surveillance laws should not permit bulk collection of information. The principles require that the Government specifically identify the individuals or accounts to be targeted and should expressly prohibit bulk surveillance.”
However, it is precisely these aspects where, according to the European Court of Justice, the legal protection in the US is inadequate. In our letter of this afternoon, Privacy First et al. have therefore requested Facebook to present their standpoint also in the debate about mass surveillance in the US. Negotiations about this issue are currently ongoing between the EU and the US. It would be good if Facebook gets involved in this debate, in line with the standpoint it voiced in relation to the English legislative proposal.
If in the short term a solution will not be found for the fundamental privacy issues the European Court of Justice has identified, Privacy First et al. will consider bringing interim injunction proceedings before the district court of The Hague.
It is Privacy First’s established policy to focus its attention primarily on (impending) privacy violations that (can) hit large groups of people at once. Selecting our themes, we are guided by 1) the scale, 2) the seriousness and 3) the possible impact and consequences of a certain violation. Privacy First prioritizes and publicly identifies mass violations of a grave nature. It then tries to make an end to the violation by means of quiet diplomacy and political lobbying, a public campaign, legal action or – as a last resort – a lawsuit. Click HERE to read all about our activities in our annual report 2014! (pdf)
Column by Bas Filippini,
Privacy First chairman
The Dutch police is currently running a pilot with Radio Frequency Identification (RFID)-chips in license plates. According to an internal report, fraud with license plates is alleged to be a big problem. A chip which is compulsory for every motorist and which can be read from a distance through a 'read-out portal' at all times on public roads, would supposedly be THE solution. However, Privacy First perceives the setting up of a national control system to track all movements in public space of all 17 million Dutch citizens as a great danger to society. Privacy First finds a compulsory spychip disproportional and unfit for a decent democracy under the rule of law.
A comprehensive electronic control system
Enquiries by Privacy First reveal that the license plate chip is part of a much larger plan to equip all roads in the Netherlands with so-called 'portals' with measurement equipment. These portals would record all cars 24 hours a day and thus the movements of all 17 million citizens in public space. The Dutch Bicycle and Automobile Industry (RAI) Association strongly recommends the use of such a chip in a recently leaked report. Moreover, new regulations, which make chips inside cars compulsory alongside license plate chips, are being prepared by European Parliament. According to the basic concept, over 60 details would be recorded and stored in the European database EUCARIS. The chip should enable immobilizers as well as a digital license plate database, online license plate requests, a European general periodical car inspection and could eventually grow into a European system for travel and residence rights and taxes.
For the time being, the project is traded as a solution for identity fraud and license plate related crimes in order to get citizens 'aboard'. However, in Privacy First's eyes the system is yet another attempt to be able to record citizens in public space, either through the public transport chip card or chips in license plates and/or cars. A license plate chip for all citizens as if it were an ankle bracelet is a dogged principle in the current control oriented way of thinking by the Dutch government and now the European Parliament, too. Which role do Dutch lobbyists outside Dutch parliament play in order to introduce these chips from Dutch manufacturer NXP in all European license plates on the basis of a European measure, or, in other words, by way of a political U-turn? Privacy First thinks it's high time for some serious journalistic research into this.
Current license plate issues: facts or suggestions?
Upon enquiry into the real problem, none of the authorities have been able to provide any clarity about the presupposed 40,000 cases of fraud with license plates. Even though it's important for citizens to know if there's a problem, and how substantial this problem is, the figure cannot be confirmed. Therefore, the question is raised whether it's legally justified to introduce such a system. Even in case of an estimated 40,000 license plates (a mere 0.5 per mil of the total) it's dubious whether the privacy of the entire society should be sacrificed. It's also altogether unclear how high the costs of such a system would be, and how high the gains in respect of the current alleged costs of identity fraud and license plate related crimes.
Are there no alternative solutions to 'the problem'? From a recent letter from the Dutch minister of Security and Justice, Ard van der Steur, it emerges that fraud with license plates occurs less frequently already due to measures such as the controlled online management and issuing and returning of license plates, requirements for recognized manufacturers and laminators (laminate code) as well as the obligation to report stolen or lost blank plates or license plates that have not yet been issued. Moreover, in 2000, the system of duplicate codes on license plates was introduced. Furthermore, faulty license plates are entered in the database for Automatic Number Plate Recognition (ANPR) control.
Whether it concerns black boxes, chips for theft prevention in (as of yet only more expensive) cars, eCall for crash analyses (also manufactured by NXP), dashcams, speed checks or the network of ANPR cameras, time and again Privacy First sees a pattern whereby the Dutch government tries to turn the complete recording of travel behaviour of citizens into reality. Now we're about to witness a spychip in every license plate and in every car, through undemocratic EU law – the ICT industry lobbied a number of MEPs in order to circumvent national parliaments – and the central database EUCARIS.
Reasons to opt for free choice and very selective use of a passive chip
Privacy First sees many reasons to not give a control infrastructure the go-ahead:
• A lack of necessity due to the absence of concrete figures regarding the 'alleged problem' and the availability of alternative solution-paths and measures, some of which have already been introduced.
• A complete lack of a cost-benefit analysis of a control infrastructure. The only one benefitting from the system in the short term is the chip manufacturer: in the future, chip manufacturer NXP will spy on you alongside the NSA! Under American surveillance legislation that is.
• The alleged problem is not commensurate with the measure, which is entirely disproportional and in breach of Article 8 ECHR. In the fight against identity fraud with license plates, a passive registration chip suffices and citizens should be able to choose freely whether or not they want to have a RFID license plate.
• The system will enable real-time identification, monitoring and recording of all citizens, including lawyers, journalists, politicians, activists – a very serious privacy infringement.
• A central infrastructure and central data storage are particularly susceptible to fraud. If criminals get access to databases containing all the travel and residency data of cars and people in the Netherlands and the rest of Europe, all floodgates will be opened.
• There is a risk of function creep. The tax authorities, police and other law enforcement agencies already have real-time access to systems that have been intended for entirely different purposes, think of systems related to car parks and speed checks.
• Eventually a system like that could be deployed to burden citizens even more in various ways, such as road pricing and other travel & residency taxes and sanction systems, something that is perhaps the underlying thought of this draconian measure. Meanwhile ANPR cameras are used to fine drivers of old diesel cars in inner cities. What's next?
• Permanently recording citizens in public space will lead to self-censorship and an 'apology society' in which citizens have to have an alibi at all times to explain what they were doing in a given location and why they were there. Citizens are already pestered by the police and authorities as a result of their travel behaviour – complaints about this reach Privacy First ever more often.
• Finally, an infrastructure like this affects our constitutional democracy by inverting the legal principle that there should be a reasonable suspicion of a criminal offence to be tracked: every citizen would be considered a potential suspect and would be continuously spied on.
An over-zealous control oriented way of thinking by a distrustful government
The policies of the Dutch government are tenaciously moving in one direction only. New technological gadgets are mandatorily deployed to record all citizens and central systems are subsequently linked together. After that, a flawed law and its implementation are being proposed and finally there are talks with privacy organizations and guileless citizens, who are left behind in an electronic prison. Nowadays Big Data, data mining and profiling are the magic words in all government departments. It all concerns 'OPD' (other people's data) anyway, very convenient indeed. In this case we're talking about equipping each car with three chips and implementing and maintaining a comprehensive ICT network on all roads, a market potentially worth billions of euros. And in the relationship that is then being formed between the public and the government, the latter is a distrustful partner that wants to know who the former is communicating with and what its travel movements look like. It also wants to dispose of systems with which errors can be checked, but in the worst case, it deals carelessly with all the data it collects. Such a relation, based on mistrust, certainly isn't sustainable.
The Netherlands, a global pioneer in the field of privacy
Time and again people forget: it's the legitimate task of the government to protect and promote the privacy of its citizens! Privacy First wants the Netherlands to become a global pioneer in the field of privacy with advanced technologies, based on the principles of our constitutional democracy and independent of the misconceptions of the day and our incident-driven political system. After all, this is about a fundamental turnaround in the relationship with the public, something Privacy First is opposed to. We therefore challenge politics, industry and science to turn the Netherlands into THE nation that is at the vanguard of privacy matters while maintaining security, and not the other way around!
After years of legal proceedings against the storage of fingerprints under the Dutch Passport Act — one of the gravest privacy violations in the Netherlands — Privacy First and 19 co-plaintiffs were declared inadmissible by the Dutch Supreme Court.
Since May 2010, a large-scale lawsuit against the central storage of fingerprints under the Dutch Passport Act by Privacy First and 19 co-plaintiffs (Dutch citizens) has been under way. This so-called 'Passport Trial' was a civil case because with regard to the merits of the case, individual citizens were not able to turn to an administrative court.
Citizens could only go to an administrative court if they would first provoke an individual decision: an administrative refusal to issue a passport or ID card after an individual refusal to give one's fingerprints. Hence, they could only litigate on an administrative level if they were prepared to live without a passport or ID card for years.
Moreover, the provision in the Passport Act on the central storage of fingerprints (Article 4b) still hasn't entered into force. Therefore, the administrative courts were unauthorized to assess this provision. Moreover, contrary to other countries, a direct administrative appeal against Dutch law (Acts and statutes) isn't possible in the Netherlands.
Subsequently, an administrative court would only have been able to individually and indirectly ("exceptionally") assess this provision on the basis of higher privacy legislation after that same provision would have entered into force, that is to say, after the central storage (and exchange) of everyone's fingerprints would have become a fait accompli.
To prevent such a massive violation of privacy, only the civil courts were authorized to rule in the case of Privacy First et al. For many years civil courts have been the perfect type of court for the direct assessment of national legislation on the basis of higher (privacy) legislation, even if the national legislation in question has not yet entered into force but does entail an imminent privacy violation.
As a relevant foundation, Privacy First was able to take civil action in the general interest, on behalf of the Dutch population at large. Since the early 90s this is possible via a special procedure under Article 3:305a of the Dutch Civil Code: the so-called "action of general interest." Up until May 2010, when Privacy First et al. summoned the Dutch government, the Dutch Supreme Court seemed to have given the green light for this.
However, in July 2010, the Supreme Court disregarded its earlier case law by declaring that interest groups can only turn to a civil court if individual citizens cannot pursue legal proceedings before an administrative court. But in Privacy First's Passport Trial, citizens could not apply to an administrative court. So Privacy First et al. still had a very strong case. What's more, the admissibility criteria of the Supreme Court seemed not to apply to actions of general interest, but merely to 'group actions' that are organized on behalf of a specific group of people instead of the entire population.
In February 2011, the district court of The Hague wrongly declared our Passport Trial inadmissible. This decision was subsequently appealed by Privacy First et al. Courtesy also of the pressure exerted by this appeal, the central (as well as municipal) storage of fingerprints was largely discontinued in the summer of 2011 and the taking of fingerprints for Dutch ID Cards was halted altogether at the start of 2014.
In February 2014, The Hague Court of Appeal declared Privacy First — in the general interest — admissible after all and judged that the central storage of fingerprints under the Passport Act was in violation of the right to privacy. The Dutch Minister of the Interior, Ronald Plasterk, was not amused and demanded an appeal in cassation before the Dutch Supreme Court.
Against all odds (as Privacy First had virtually all Dutch legislation, legislative history, case law and legal literature on its side), on May 22, 2015, the Dutch Supreme Court declared Privacy First and its 19 co-plaintiffs inadmissible once more. According to the Supreme Court, the citizens can turn to an administrative court, which has also blocked the road to a civil court for Privacy First.
All this while in the last few years it had been established that the co-plaintiffs could not turn to an administrative court, at least not for the review of Article 4b of the Passport Act concerning the central storage of fingerprints. In innumerable administrative cases over the past few years, judges of various Dutch administrative courts have declined jurisdiction in this respect. That meant that for Privacy First as an interested organization, the road to an administrative court was equally blocked.
The fact that the Supreme Court rules as if that isn't so is simply incomprehensible. Furthermore, litigating citizens can neither be expected to get by without a passport for years, nor can they be expected to first let their privacy be violated (giving up fingerprints, even for storage) before a judge can determine whether this is legal. The fact that the Supreme Court seems to require this just the same is not just inconceivable (as well as in breach of its own case law) but also reprehensible.
Gap in the legal protection
The ruling by the Dutch Supreme Court creates a legal vacuum in the Netherlands: if citizens or organizations want massive and imminent privacy violations, such as the central storage of fingerprints under the Passport Act, to be reviewed, then they may not be able to turn to either a civil or an administrative court. This creates a gap in the legal protection that has been in place in the Netherlands over the past few decades.
The Supreme Court may now have passed on this case to the highest Dutch administrative court (the Council of State), but it's all but certain that the Council of State is able and still prepared to review the central storage of fingerprints under the Passport Act. In light of this, the Supreme Court should have waited for the ruling by the Council of State in four current and parallel administrative cases revolving around the Passport Act, prior to coming up with its ruling in Privacy First's Passport Trial. By not doing this, the Supreme Court has taken a huge risk, has prematurely stepped into the shoes of the Council of State and has put the Council of State under severe pressure.
If the Council of State were soon to judge differently than the Supreme Court (that is to say, if the Council of State would judge that it is equally unauthorized to rule in this matter), the two institutions would make an enormous blunder and would create a huge gap in the legal protection in the Netherlands, in contravention of the European Convention on Human Rights (ECHR).
Multiple ECHR violations
Privacy First et al. await the ruling of the Council of State with considerable anticipation. In the meantime, Privacy First et al. will already prepare to file a complaint with the European Court of Human Rights in Strasbourg on account of a breach of Article 8 ECHR (right to privacy) and Articles 6 and 13 ECHR (right to access to justice and an effective legal remedy). Despite the Kafkaesque anti-climax before the Dutch Supreme Court, a European conviction of the Netherlands would thus be on the cards once the complaint has been filed.
A similar version of this article was published on http://www.liberties.eu/en/news/bad-day-for-privacy-in-the-netherlands.
Today, the European Court of Justice in Luxembourg (EU Court) has come up with its long awaited judgment in four Dutch cases related to the storage of fingerprints under the Dutch Passport Act. The EU Court did so at the request of the Dutch Council of State. The EU Court deems the storage of fingerprints in databases to fall outside the scope of the European Passport Regulation. Therefore, the Court leaves the judicial review of such storage to national judges and the European Court of Human Rights.
Cause for the ruling
In all four Dutch cases citizens refused to give their fingerprints (and facial scans) when they requested a new Dutch passport or ID card. For this reason, their requests for a new passport or ID card were rejected. In 2012, their subsequent lawsuits ended up before the Dutch Council of State (Raad van State), which decided to ask the EU Court to clarify relevant European law (European Passport Regulation) before coming up with its own ruling. Subsequently, in 2013, the EU Court judged in a similar German case that the obligation to give one's fingerprints under the Passport Regulation is not unlawful. However, in this case, the EU Court failed to carry out a thorough review on the basis of the privacy-related legal requirements of necessity and proportionality. Moreover, the EU Court refused to merge the (more substantiated) Dutch cases with the German one, even though this was an explicit request from the Council of State. The ruling of the EU Court in the German case presented the Council of State (along with 300 million European citizens) with a disappointing fait accompli. During the case before the EU Court at the end of 2014, new arguments and new evidence in the Dutch cases fell on deaf ears: the EU Court wished not to deviate from the German case and appeared uninterested in the, by now, proven lack of necessity and proportionality of taking fingerprints (low passport fraud rates) and the enormous error rates when it comes to the biometric verification of fingerprints (25-30%). In that sense, the current ruling of the EU Court comes as no surprise to the Privacy First Foundation.
Bright spot: ID card without fingerprints
The only chink of light in the ruling of the EU Court is the confirmation that national ID cards don't fall within the scope of the European Passport Regulation. The Dutch government seemed to have already been anticipating this judgment by ending the compulsory taking of fingerprints for ID cards as of January 20, 2014. In this respect, the ruling of the EU court doesn't bring any change to the current situation in the Netherlands, but it does confirm that the introduction of ID cards without fingerprints at the start of 2014 was the right choice of the Dutch government. Most other EU Member States have never actually had ID cards with fingerprints; under the European Passport Act, the compulsory taking of fingerprints only applied to passports. The fact that in between 2009 and 2014 the Netherlands wished to go further than the rest of Europe, was therefore at its own risk.
EU Court leaves judgement on database storage of fingerprints to national judges and the European Court of Human Rights
The EU Court in Luxembourg rules that possible storage and use of fingerprints in databases doesn't fall within the scope of the European Passport Regulation and leaves the judicial review of such storage to national judges and the European Court of Human Rights in Strasbourg. However, in various (over a dozen) pending individual cases in the Netherlands against the Dutch Passport Act, administrative judges have so far always decided that such judicial review falls outside of their powers, as the relevant provisions of the Passport Act have not (yet) entered into force. It's now up to the Council of State to adjudicate on this matter. At the same time, the Dutch Supreme Court is currently looking into the collective civil Passport Trial of Privacy First and 19 co-plaintiffs (citizens), where such judicial review has already successfully been carried out by the Hague Court of Appeal and is now before the Supreme Court. In February 2014, the Hague Court of Appeal rightly judged that central storage of fingerprints is in breach of the right to privacy. In that sense the case of Privacy First is in line with the EU Court: review of database storage by a national judge, possibly followed by the European Court of Human Rights. Current individual cases before the Council of State may soon be resumed before the European Court of Human Rights as well. Privacy First hopes that this complex interaction between different judges will lead to the desired results with regard to privacy: a repeal of the taking and storage of fingerprints for passports!
Update 17 April 2015: unfortunately, the ruling of the EU Court led to a lot of misleading media reporting in the Netherlands through Dutch press agency ANP (for example in Dutch national newspaper Volkskrant). Better comments can be found at the website of SOLV Attorneys, in this blog post by British professor Steve Peers and in Dutch newspaper Telegraaf, translated below:
"A database with fingerprints, relinquished by people who request a new passport, seems to have come a step closer. This could be deduced from a ruling of the European Court of Justice.
The Council of State asked the judges in Luxembourg for an opinion on four cases of citizens who refused to give their fingerprints. They appealed not getting a passport because of this. In a similar German case, the EU Court ruled that the compulsory taking of fingerprints isn't unlawful under European law.
Yesterday, the EU Court ruled in the Dutch case that the storage of fingerprints is a responsibility of the Member States. So the national judge will have to review this. As the only Member State, the Netherlands wanted a central register of fingerprints: a register that would even be accessible by secret services. The Passport Act that regulated this has not yet entered into force and last year the Hague Court of Appeal ruled that the central storage is in breach of the right to privacy.
Research points out that such a database brings along many risks, varying from security leaks to improper use and criminal manipulation. This proves that the whole system is a monstrosity that should never be introduced."
Source: Telegraaf 17 April 2015, p. 2.
"A Dutch court on Wednesday struck down a law requiring telecoms and Internet service providers to store their clients' private phone and email data, saying it breached European privacy rules.
"The judge ruled that data retention is necessary and effective to combat serious crime. Dutch legislation however infringes on the individual's right to privacy and the protection of personal data," the Hague district court said.
"The law therefore contravenes the Charter of Fundamental Rights of the European Union," the court said in a statement.
Seven groups and organisations including privacy watchdog Privacy First and the Dutch Association of Journalists dragged the Dutch state to court last month over the issue.
The Dutch court's decision comes after the European Court of Justice in April 2014 struck down the European Union law that forced telecoms operators to store private phone and email data for up to two years, judging it too invasive, despite its usefulness in combating terrorism.
Advocate General Pedro Cruz Villalon declared the 2006 legislation illegal and told the European Union's 28 member states to take the necessary steps to withdraw it.
The 2006 directive called for EU states to store individuals' Internet, mobile telephone and text metadata -- the time, date, duration and destination, but not the content of the communications themselves -- for six months to two years.
This data could then be accessed by national intelligence and police agencies.
"The privacy rights of Dutch citizens were violated en masse by this mass surveillance," said Vincent Boehre of Privacy First.
"Privacy First fights for a society in which innocent civilians do not have to feel that they are being constantly monitored," he said on the organisation's website in response to the ruling.
"The verdict of the Hague tribunal is an important step in that direction," said Boehre."
Source: http://thepeninsulaqatar.com/news/international/326442/dutch-court-nixes-data-storage-law-says-privacy-breached, 12 March 2015.
"The Dutch judiciary on Wednesday struck down a law requiring the storage of personal data, holding that although useful in the fight against crime, the text violated the privacy of users of telephone networks and the internet.
"The judges found that data storage was necessary and effective in combating crime, but the Dutch legislation is contrary to individuals' rights to privacy and to the protection of their personal data," the court of The Hague said in a statement.
"The law is therefore contrary to the Charter of Fundamental Rights of the European Union," the court added.
Seven organisations, including the privacy advocacy organisation Privacy First and the Dutch Association of Journalists, had brought an action against the State last month.
This decision by the judges comes about a year after a ruling by the European judiciary, which in April 2014 had required a revision of the legislation on the retention of personal data, judging it "disproportionate" despite its usefulness in the fight against terrorism.
The directive in question dated from 2006 and required telecoms operators and internet service providers to store data on telephone or email communications for six months to two years.
The metadata of those communications, such as the time, date, duration and destination, were thus retained, but not their content.
These data could then be consulted by the intelligence services or the police.
"The privacy rights of Dutch citizens were violated en masse by this surveillance," said Vincent Boehre, director of operations at Privacy First, quoted in a statement published on the organisation's website.
Privacy First "fights for a society in which innocent civilians do not have to feel as if they were being constantly monitored," he added, stressing that this ruling is "an important step in that direction"."
Source: http://www.leparisien.fr/high-tech/la-justice-neerlandaise-annule-une-loi-sur-les-donnees-personnelles-11-03-2015-4595081.php, 11 March 2015.