The Dutch citizenry has rejected the new Dutch Intelligence and Security Services Act. This act will now have the be amended. If not, legal action will be pursued.
Historic red line
Wednesday 21 March 2018 is a historic day: for the first time ever, the populace of a nation has spoken out against a law on intelligence services in a referendum. In this referendum, the Dutch had the chance to cast their ballots on the new Dutch Intelligence and Security Services Act, better known as the ‘Tapping law’. By now, it is known that a clear majority is AGAINST the law. Privacy First considers this as a historic victory and hopes that, as a result, similar developments will unfold in other countries: developments that contravene mass surveillance and the creation of controlled societies, and that lead to better legislation with true respect for the liberty of innocent citizens.
Objections against the Tapping law
The main objections of Privacy First against the Tapping law relate to the fact that it authorizes not only large-scale tapping into the Internet traffic and communications of innocent citizens, but also allows for the storage of these data for many years and the unsupervised exchange of these data with foreign secret services. These and other concerns of Privacy First have been listed in alphabetical order. The liberty-restricting Tapping law should not be viewed in isolation, but is part of a wider negative trend, as can be read in a recent column (in Dutch) by Privacy First chairman Bas Filippini.
Right from the very start, Privacy First has supported the organization of the Dutch referendum against the Tapping law. Alongside Privacy First, there are numerous other civil organizations that have been very active over the past few months to inform the citizenry about the Act. Most of the work, however, has been done by the referendum instigators: the students of the University of Amsterdam who, at the end 2017, collected enough signatures to make this referendum possible. For this unique achievement, Privacy First gave them a Dutch Privacy Award at the start of this year. Privacy First has recently called on all political parties at municipal level to take a stand against the Tapping law. Furthermore, through public debates, advertisements and social media and through interviews on the radio, on television and in newspapers, we have been as active as possible to create a critical mass. Moreover, Privacy First organized a public debate about the Tapping law in Amsterdam. It featured various renowned speakers, among them our attorney Otto Volgenant and the Dutch National Coordinator for Counter Terrorism and Security Dick Schoof. This debate (in Dutch) has been broadcasted on NPO Politiek several times and can also be viewed on our website and on YouTube. Even according to advocates of the Tapping law, this referendum was characterized by a substantive discussion among critical and well-informed members of the public. It is also in this regard that the referendum can be called a great success, a bright day for democracy and something that has increased general awareness about privacy in the Netherlands. After today, abolishing the referendum, which is what the Dutch government intends to do, should really be out of the question.
The law should be improved. Otherwise there will be legal action.
The consequences of the Dutch referendum about the Tapping law are clear: the law should be modified and improved immediately. If not, Privacy First and various other plaintiffs (organizations) will start a large-scale lawsuit with the express purpose of having various parts of the Act declared unlawful and rendered inoperative by a judge. In 2015, Privacy First and coalition partners succeeded in suspending the Dutch Data Retention Act in the same way. In recent years, Privacy First has on several occasions warned the Dutch government as well as both houses of Dutch Parliament that a similar lawsuit against the Tapping law would be imminent. The result of the current referendum has bolstered our position enormously. By now, the summons against the government has been prepared and our attorneys are ready to litigate. The choice is up to the government: change course or back down!
Tomorrow morning the Netherlands will be examined in Geneva by the highest human rights body in the world: the United Nations Human Rights Council. Since 2008, the Human Rights Council reviews the human rights situation in each UN Member State once every five years. This procedure is called the Universal Periodic Review (UPR).
Privacy First shadow report
During the previous two UPR sessions in 2008 and 2012, the Netherlands endured a fair amount of criticism. At the moment, the perspectives with regard to privacy in the Netherlands are worse than they’ve ever been before. This is reason for Privacy First to actively bring a number of issues to the attention of the UN. Privacy First did so in September 2016 (a week prior to the UN deadline), through a so-called shadow report: a report in which civil society organizations express their concerns about certain issues. (It’s worth pointing out that the Human Rights Council imposes rigorous requirements on these reports, a strict word limit being one of them.) UN diplomats rely on these reports in order to properly carry out their job. Otherwise, they would depend on one-sided State-written reports that mostly provide a far too optimistic view. So Privacy First submitted its own report about the Netherlands (pdf), which includes the following recommendations:
Better opportunities in the Netherlands for civil society organizations to collectively institute legal proceedings.
Introduction of constitutional review of laws by the Dutch judiciary.
Better legislation pertaining to profiling and datamining.
No introduction of automatic number plate recognition (ANPR) as is currently being envisaged.
Suspension of the unregulated border control system @MIGO-BORAS.
No reintroduction of large scale data retention (general Data Retention Act).
No mass surveillance under the new Intelligence and Security Services Act and closer judicial supervision over secret services.
Withdrawal of the Computer Criminality Act III , which will allow the Dutch police to hack into any ICT device.
A voluntary and regionally organized (instead of a national) Electronic Health Record system with privacy by design.
Introduction of an anonymous public transport chip card that is truly anonymous.
Privacy First did not sent its report only to the Human Rights Council but also forwarded it to all the foreign embassies in The Hague. Consequently, Privacy First had extensive (confidential) meetings in recent months with the embassies of Argentina, Australia, Bulgaria, Chili, Germany, Greece and Tanzania. The positions of our interlocutors varied from senior diplomats to ambassadors. Furthermore, Privacy First received positive reactions to its report from the embassies of Mexico, Sweden and the United Kingdom. Moreover, several passages from our report were integrated in the UN summary of the overall human rights situation in the Netherlands; click HERE ('Summary of stakeholders' information', par. 47-50).
Our efforts will hopefully prove to have been effective tomorrow. However, this cannot be guaranteed as it concerns an inter-State, diplomatic process and many issues in our report (and in recent talks) are sensitive subjects in countless other UN Member States as well.
UN Human Rights Committee
In December 2016, Privacy First submitted a similar report to the UN Human Rights Committee in Geneva. This Committee periodically reviews the compliance of the Netherlands with the International Covenant on Civil and Political Rights (ICCPR). Partly as a result of this report, last week the Committee put the Intelligence and Security Services Act, camera system @MIGO-BORAS and the Data Retention Act among other things, on the agenda for the upcoming Dutch session in 2018 (see par. 11, 27).
We hope that our input will be used by both the UN Human Rights Council as well as the UN Human Rights Committee and that it will lead to constructive criticism and internationally exchangeable best practices.
The Dutch UPR session will take place tomorrow between 9am and 12.30pm and can be followed live online.
Update 10 May 2017: during the UPR session in Geneva today, the Dutch government delegation (led by Dutch Minister of Home Affairs Ronald Plasterk) received critical recommendations on human rights and privacy in relation to counter-terrorism by Canada, Germany, Hungary, Mexico and Russia. The entire UPR session can be viewed HERE. Publication of all recommendations by the UN Human Rights Council follows May 12th.
Update 12 May 2017: Today all recommendations to the Netherlands have been published by the UN Human Rights Council, click HERE (pdf). Useful recommendations to the Netherlands regarding the right to privacy were made by Germany, Canada, Spain, Hungary, Mexico and Russia, see paras. 5.29, 5.30, 5.113, 5.121, 5.128 & 5.129. You can find these recommendations below. Further comments by Privacy First will follow.
Extend the National Action Plan on Human Rights to cover all relevant human rights issues, including counter-terrorism, government surveillance, migration and human rights education (Germany);
Extend the National Action Plan on Human Rights, published in 2013 to cover all relevant human rights issues, including respect for human rights while countering terrorism, and ensure independent monitoring and evaluation of the Action Plan (Hungary);
Review any adopted or proposed counter-terrorism legislation, policies, or programs to provide adequate safeguards against human rights violations and minimize any possible stigmatizing effect such measures might have on certain segments of the population (Canada);
Take necessary measures to ensure that the collection and maintenance of data for criminal [investigation] purposes does not entail massive surveillance of innocent persons (Spain);
Adopt and implement specific legislation on collection, use and accumulation of meta-data and individual profiles, including in security and anti-terrorist activities, guaranteeing the right to privacy, transparency, accountability, and the right to decide on the use, correction and deletion of personal data (Mexico);
Ensure the protection of private life and prevent cases of unwarranted access of special agencies in personal information of citizens in the Internet that have no connection with any illegal actions (Russian Federation). [sic]
Update 26 May 2017: a more comprehensive UN report of the UPR session has now been published (including the 'interactive dialogue' between UN Member States and the Netherlands); click HERE (pdf). In September this year, the Dutch government will announce which recommendations it will accept and implement.
On November 2nd 2016, the Dutch House of Representatives will address a controversial legislative proposal that will introduce four week storage of the travel movements of all motorists in the Netherlands. In case both chambers of Dutch Parliament adopt this proposal, Privacy First will try to overturn this in court.
Large scale breach of privacy
It is Privacy First’s constant policy to challenge large scale privacy violations in court and have them declared unlawful. Privacy First successfully did so with the central storage of everyone’s fingerprints under the Dutch Passport Act and the storage of everyone’s communications data under the Dutch Telecommunications Retention Act. A current and similar legislative proposal that lends itself for another major lawsuit is legislative proposal 33542 (in Dutch) of the Dutch Minister of Security and Justice, Ard van der Steur, in relation to Automatic Number Plate Recognition (ANPR). Under this legislative proposal, the number plate codes of all motorists in the Netherlands, i.e. everyone’s travel movements, will be collected through camera surveillance and stored for four weeks in police databases for criminal investigation purposes. As a result, every motorist will become a potential suspect. This is a completely unnecessary, wholly disproportionate and ineffective measure. Therefore the proposal is in breach of the right to privacy and thus unlawful.
The current ANPR legislative proposal was already submitted to the Dutch House of Representatives in February 2013 by the then Minister of Security and Justice, Ivo Opstelten. Before that, in 2010, Opstelten’s predecessor Hirsch Ballin had the intention to submit a similar proposal, albeit with a storage period of 10 days. However, back then the House of Representatives declared this subject to be controversial. Opstelten and Van der Steur have thus now taken things a few steps further. Due to privacy concerns, the parliamentary scrutiny of this proposal was at a standstill for several years, but now seems to be reactivated and even reinforced through a six-fold increase of the proposed retention period, courtesy of the ruling parties VVD and PvdA.
Under current Dutch national law, ANPR data of innocent citizens must be erased within 24 hours. In the eyes of the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP), all number plate codes that are not suspect (so-called ‘no-hits’) are to be removed from relevant databases immediately. Van der Steur’s plan to also store the number plate codes of unsuspected citizens for four weeks directly flies in the face of this. VVD and PvdA are even willing to increase this retention period to six months. The inevitable consequence, a haystack of data, would constitute a blatant violation of the right to privacy of every motorist. Any possible judicial oversight of the use of these data would do nothing to alter this.
UN Human Rights Council
In recent years, Privacy First has repeatedly expressed this position to both the House of Representatives (standing committee on Security and Justice) as well as to relevant MPs personally. Privacy First has also made its stance clear in personal meetings with Minister Opstelten (July 2012) and Minister Van der Steur (July 2014, at that time still a VVD MP). Moreover, Privacy First has recently raised this issue with the United Nations. In May 2017, the Dutch government can be held accountable for this at the UN Human Rights Council in Geneva.
In case both the House of Representatives and the Dutch Senate will adopt the ANPR legislative proposal in its current form, Privacy First (in a broad coalition together with other civil organizations) will immediately summon the Dutch government in order to render the law inoperative on account of violation of the right to privacy. If necessary, Privacy First and co-plaintiffs will litigate all the way up to the European Court of Human Rights in Strasbourg. Considering the European and Dutch case law on the subject, Privacy First rates its chances of legal success very high.
Update 20 December 2018: today the Dutch government has announced that the ANPR Act will enter into force on 1 January 2019. The summary proceedings of Privacy First against the ANPR Act will soon take place at the District Court of The Hague.
Mass storage of fingerprints violates the right to privacy
Following the Court of Appeal of The Hague, today the Dutch Council of State (Raad van State) judged that municipal (‘decentral’) storage of fingerprints under the Dutch Passport Act is unlawful on account of violation of the right to privacy. The Council of State reached this conclusion in seven administrative law cases of Dutch individual citizens (supported by civil organization Vrijbit). At the start of 2014, the Court of Appeal of The Hague handed down a similar ruling in the civil Passport case by the Privacy First Foundation and 19 (other) citizens against the Dutch government. Subsequently however, our Passport trial was declared inadmissible by the Dutch Supreme Court and was redirected to the administrative judge: the Dutch Council of State. Privacy First then submitted its entire case file to the Council of State in order to reinforce the individual passport cases pending before this body. The Council of State (the supreme administrative court of the Netherlands) now rules similar to the way the Court of Appeal of The Hague has done before. Notwithstanding the later inadmissibility before the Supreme Court, the ban on the storage of everyone’s fingerprints in databases thus stands firm once again.
Faulty judgement and procedure
As was the case with the previous judgement by the Court of Appeal of The Hague, Privacy First regrets that the Council of State was unwilling to declare the storage of fingerprints unlawful on strictly principal grounds (that is, because of a lack of societal necessity, proportionality and subsidiarity), but merely on the basis of technical imperfections. Therefore, Privacy First will advise the concerned citizens to keep on litigating all the way up to the European Court of Human Rights (ECtHR) in Strasbourg. Considering the existing Strasbourg case law, there is a high likeliness that the Netherlands will still be condemned on principal grounds on account of violation of the right to privacy (art. 8 European Convention on Human Rights, ECHR). Privacy First also expects a condemnation on account of violation of the right of access to justice and an effective legal remedy (art. 6 and 13 ECHR). After all, civil litigation against the Dutch Passport Act proved to be impossible, and administrative legal action was possible only indirectly after the rejection of individual requests for new passports or ID cards (in case the applicants refused to have their fingerprints taken). In order to obtain their current victory before the Council of State, these citizens thus have had to get by for years without passports or ID cards, with all the problems and risks this entailed.
Exceptions for conscientious objectors
In today’s judgement, the Council of State also decided that the compulsory taking of two fingerprints for a new passport applies equally to everyone and that there can be no exceptions for people who do not want to have their fingerprints taken out of conscientious objections. Privacy First is doubtful whether this verdict will stand the scrutiny of the ECtHR. Apart from a violation of the right to privacy, it seems this decision is also in breach of the freedom of conscience (art. 9 ECHR). The fact that the European Passport Regulation does not include such an exception is irrelevant as this Regulation is subordinate to the ECHR.
RFID chips and facial scans
Privacy First also deplores the fact that the Council of State was not prepared to make a critical assessment of the risks of Radio Frequency Identification (RFID) chips (which include sensitive personal data that can be read remotely) in passports and ID cards. The same goes for the compulsory storage of facial scans in municipal databases. But these aspects, too, can still be challenged in Strasbourg.
Municipalities’ own responsibility
A small ray of hope in the judgement by the Council of State is that municipalities and mayors have their own responsibility to respect human rights (including the right to privacy) independently, even if this means independently refraining from applying national legislation because it violates higher international or European law:
"Insofar as the mayor claims that there is no possibility to deviate from the provisions (laid down in national law), the [Council of State] holds that pursuant to Article 94 of the [Dutch] Constitution, current statutory provisions within the Kingdom [of the Netherlands] do not apply if such application is not compatible with any binding provisions of treaties and of resolutions of international organizations.’’ (Source in Dutch, paragraph 6.)
This decision by the Council of State applies to all domains and could have far-reaching consequences in the future.
New ID cards for free
The ruling of the Council of State entails that for applications of new ID cards, fingerprints have been taken (and stored) on a massive scale but without a legal basis since 2009. Accordingly, Privacy First advises everyone in the possession of an ID card with fingerprints to change it (if desired) at his or her municipality for a free new one without fingerprints. If municipalities refuse to offer this service, Privacy First reserves the right to take new legal steps in this regard.
Christmas column by Bas Filippini,
Chairman of the Privacy First Foundation
Principles of our democratic constitutional State are still very relevant
‘‘Your choice in a free society’’ is the slogan of the Privacy First Foundation. Privacy First has defined its principles on the basis of universal human rights and our Dutch Constitution and is reputed for professional and, if necessary, legal action in line with our free constitutional State. The mere fact that Privacy First exists, means that in recent years the aforementioned principles have come under increasing pressure. We base our (legal) actions and judgements on thorough fact-finding, to the extent possible in our working area.
‘The Netherlands as a secure global pioneer in the field of privacy’, that’s our motto. This country should also serve as an example of how to use technology whilst maintaining the principles of our open and free society. This can be achieved through legislative, executive and IT infrastructures, starting from privacy by design and making use of privacy enhanced technology.
Whereas the industrial revolution has environmental pollution as a negative side effect, the information revolution has the ‘pollution of privacy and freedom’ as an unwanted side effect.
Therefore, the question is how to preserve the basic principles of our democratic constitutional State and how to support new structures and services towards the future. As far as we’re concerned, these basic principles are neither negotiable nor exchangeable. Yet time and again we see the same incident-driven politics based on the misconceptions of the day strike at times when the constitutional State is at its most vulnerable and cannot defend itself against the emotional tide of the moment.
Paris as yet another excuse to pull through ‘new’ laws
Various politicians feed on the attacks in Paris and tumble over one another to express Orwellian macho talk, taking things further and further in legislative proposals or in emotional speeches characterized by belligerence and rhetoric. And it’s always so predictable: further restraining existing freedoms of all citizens instead of focusing further on the group of adolescents (on average, terrorist attackers are between 18 and 30 years old) that intelligence agencies already have in sight. Instead of having a discussion about how intelligence agencies can more effectively tackle the already defined group that needs to be monitored and take preventive measures in the communication with and education of this target group, the focus too easily shifts to familiar affairs whereby necessity, proportionality and subsidiarity are hard to find.
So in the meanwhile we’ve witnessed the prolonged state of emergency in France, the far reaching extension of powers of the police, the judiciary and intelligence services (also to the detriment of innocent citizens), extra controls in public space, the retention of passenger data, etc., etc. All this apparently for legitimate reasons in the heat of the moment, but it will be disastrous for our freedom both in the short as well as in the long run. In this respect the blurring definition of the term ‘terrorism’ is striking. Privacy First focuses on government powers in relation to the presumption of innocence that citizens have. We’re in favour of applying special powers in dealing with citizens who are under reasonable suspicion of criminal offences and violate the rights of others with their hate and violence. In fact, that’s exactly what the law says. Let’s first implement this properly, instead of introducing legislative proposals that throw out the baby with the bathwater.
The governments is committed to impossible 100 per cent security solutions
What often strikes me in conversations with civil servants is the idea that the government should provide 100 per cent solutions for citizens and applies a risk exclusion principle. This leads to a great deal of compartmentalization and paralyzation when it comes to possible government solutions in the area of security. Technology-based quick fixes are adhered to by default, without properly analyzing the cause of problems and looking at the implementation of existing legislation.
The government way of thinking is separate from citizens, who are not trusted in having legal capacity and are regarded as a necessary evil, as troublesome and as inconvenient in the performance of the government’s tasks. The idea that the government, serving its citizens, should offer as high a percentage as possible but certainly not a 100 per cent security (the final 10 per cent are very costly on the one hand and suffocating for society on the other) is not commonly shared. No civil servant and no politician is prepared to introduce policies to maintain an open society today (and 50 years from now) that entail any risk factors. However, in reality there will always be risks in an open society and it should be noted that a society is not a matter of course but something we should treat with great care.
Here in the Netherlands we’ve seen other forms of government before: from rule by royal decree to a bourgeoisie society and an actual war dictatorship. Every time we chose not to like these forms of society. What could possibly be a reason to be willing to go back to any of these forms and give up our freedoms instead of increasing them and enforcing them with technology? Especially in a society that has high levels of education and wherein citizens show to be perfectly able to take their own decisions on various issues. We hire the government and politics as our representatives, not the other way around. However, we’re now put up with a government that doesn’t trust us, is only prepared to deliver information on the basis of FOIA requests and requires us to hand over all information and communications about us and our deepest private lives as if we were prima facie suspects. That puts everything back to front and to me it embodies a one way trip to North Korea. You’ll be more than welcome there!
Political lobby of the industry
The industry’s persistence to overload the government and citizens with ICT solutions is unprecedented. Again and again here in the Netherlands and in Silicon Valley the same companies pop up that want to secure their Christmas bonus by marketing their products in exchange for our freedom. We’re talking about various electronic health records like the Child record and the Orwellian and centralized electronic patient record, the all-encompassing System Risk-Indication database, travel and residency records, road pricing, chips in number plates and cars, so-called automated guided vehicles (including illegal data collection by car manufacturers), number plate parking, automatic number plate recognition cameras, facial recognition in public space and counter-hacking by government agencies while voting computers are back on the agenda. Big Data, the Internet of things, the list goes on.
With huge budgets these companies promote these allegedly smart solutions, without caring about their dangers for our freedom. It’s alienating to see that the reversal of legal principles is creeping in and is being supported by various government and industry mantras. It’s as if a parasitic wasp erodes civil liberties: the outside looks intact but the inside is already empty and rotten.
From street terrorism to State terrorism
As indicated above, the information revolution leads to the restriction of freedom. It’s imperative to realize that after 4000 years of struggle, development and evolution we have come to our refined form of society and principles that are (relatively) universal for every free citizen. Just as most of us are born out of love, freedom and trust, to me these are also the best principles with which to build a society. We’re all too familiar with societies founded on hate, fear and government control and we have renounced them not so long ago as disastrous and exceptionally unpleasant. At the expense of many sacrifices and lives these principles have been enshrined in treaties, charters and constitutions and are therefore non-negotiable.
It’s high time to continue to act on the basis of these principles and make policy implementation and technology subordinate to this, taking into account the people’s needs and their own responsibility. In my eyes, a civil servant in the service of the people who places security above everything else, is nothing more than a State terrorist or a white collar terrorist who in the long term causes much more damage to our constitutional State and freedom than a so called street terrorist. The government and industry should have an immediate integrity discussion about this, after which clear codes can be introduced for privacy-sustainable governing and entrepreneurship.
Towards a secure global pioneer in the field of privacy
Privacy First would like to see government and industry take their own responsibility in protecting and promoting the personal freedom of citizens and in so doing use a 80/20 rule as far as security is concerned. By focusing on risk groups a lot of money and misery can be saved. Exceptions prove the rule, which in this case is a free and democratic constitutional State and not the other way around. Say yes to a free and secure Netherlands as a global pioneer in the field of privacy!
"Facebook, Inc. and related entities have received a letter demanding them to stop EU-US data transfers until U.S. laws comply with the EU data protection regime, or risk lawsuit in the Netherlands. Facebook must cease transfer by 15 January 2016. The complaining parties have reserved rights to file suit if compliance is not forthcoming.
The demand and summons letter was sent today by the Boekx law firm in Amsterdam on behalf of numerous plaintiffs including:
• Privacy First Foundation (Stichting Privacy First)
• Public Interest Litigation Project PILP
• Dutch Platform for the Protection of Civil Rights
and other users of Facebook, Instagram and WhatsApp. The letter was sent to Facebook Netherlands B.V., Facebook Ireland Limited, Facebook Inc. and Instagram LLC (California), and WhatsApp Inc. (California).
Facebook spokesperson Matt Steinfeld provided (...) the following written statement:
“Facebook uses the same mechanisms that thousands of others companies across the EU use to transfer data legally from the EU to the US, and to other countries around the world. We believe that the best solution to the on-going debate around transatlantic data transfers is for there to be a new Safe Harbor agreement with appropriate safeguards for EU citizens.”
“We understand that authorities in the EU and US are working hard to put such an agreement in place as soon as possible. We trust that these groups are engaging with their respective governments on this process to help it reach a successful conclusion.”
Lawsuit intended to pressure Facebook
Otto Volgenant of the Boekx stated to Dutch outlet RTLZ, “We want to put pressure on Facebook. Mark Zuckerberg must make its voice heard in the debate about privacy, the US government has the solution for this problem.” According to Volgenant (as reported), the case would first be brought in The Hague, which could exercise its option to refer the case to the European Court of Justice.
Volgenant predicted that such referral would not be made, given the clarity of law on the topic since the recent Schrems ruling of the European Court of Justice (discussed further below).
U.S. compliant-laws required
Specifically, the demand requires that Facebook “end the current unlawful transfer of personal data from the European Union to the United States” until the U.S. adopts laws “essentially equivalent to” European data protection laws, or face lawsuit in the Netherlands. The summons gives Facebook until Friday 15 January 2016 (18:00 CET) to cease EU-US transfers, or risk having a court force it and related Facebook entities, through an injunction, to cease such transfers.
Facebook “remarkably absent” in data privacy discussions
In its letter, Boekx accuses Facebook of being “remarkably absent” in the public debate over EU-US data transfers, following the European Court of Justice decision in Schrems, which decision invalidated the so-called “Safe Harbor Agreement” between the U.S. and the E.U. and thus made such transfers illegal under E.U. law., effective immediately upon rendering of that decision. (...)
The demand letter further articulates the specifics of the Schrems decision, including that court’s conclusions that the NSA violated “European fundamental rights to respect for private life” by its “access on a generalized basis to the content of electronic communications.”
The letter concludes:
If we cannot find an amicable solution and Facebook does not refrain from further transfer of personal data of data subjects from the European Union to the United States by then, we reserve the right to initiate legal proceedings in the Netherlands and to request a preliminary injunction from the competent Dutch Court."
Column by Bas Filippini,
Privacy First chairman
The Dutch police is currently running a pilot with Radio Frequency Identification (RFID)-chips in license plates. According to an internal report, fraud with license plates is alleged to be a big problem. A chip which is compulsory for every motorist and which can be read from a distance through a 'read-out portal' at all times on public roads, would supposedly be THE solution. However, Privacy First perceives the setting up of a national control system to track all movements in public space of all 17 million Dutch citizens as a great danger to society. Privacy First finds a compulsory spychip disproportional and unfit for a decent democracy under the rule of law.
A comprehensive electronic control system
Enquiries by Privacy First reveal that the license plate chip is part of a much larger plan to equip all roads in the Netherlands with so-called 'portals' with measurement equipment. These portals would record all cars 24 hours a day and thus the movements of all 17 million citizens in public space. The Dutch Bicycle and Automobile Industry (RAI) Association strongly recommends the use of such a chip in a recently leaked report. Moreover, new regulations, which make chips inside cars compulsory alongside license plate chips, are being prepared by European Parliament. According to the basic concept, over 60 details would be recorded and stored in the European database EUCARIS. The chip should enable immobilizers as well as a digital license plate database, online license plate requests, a European general periodical car inspection and could eventually grow into a European system for travel and residence rights and taxes.
For the time being, the project is traded as a solution for identity fraud and license plate related crimes in order to get citizens 'aboard'. However, in Privacy First's eyes the system is yet another attempt to be able to record citizens in public space, either through the public transport chip card or chips in license plates and/or cars. A license plate chip for all citizens as if it were an ankle bracelet is a dogged principle in the current control oriented way of thinking by the Dutch government and now the European Parliament, too. Which role do Dutch lobbyists outside Dutch parliament play in order to introduce these chips from Dutch manufacturer NXP in all European license plates on the basis of a Europe measure, or, in other words, by way of a political U-turn? Privacy First thinks it's high time for some serious journalistic research into this.
Current license plate issues: facts or suggestions?
Upon enquiry into the real problem, none of the authorities have been able to provide any clarity about the presupposed 40,000 cases of fraud with license plates. Even though it's important for citizens to know if there's a problem, and how substantial this problem is, the figure cannot be confirmed. Therefore, the question is raised whether it's legally justified to introduce such a system. Even in case of an estimated 40,000 license plates (a mere 0.5 per mil of the total) it's dubious whether the privacy of the entire society should be sacrificed. It's also altogether unclear how high the costs of such a system would be, and how high the gains in respect of the current alleged costs of identity fraud and license plate related crimes.
Are there no alternative solutions to 'the problem'? From a recent letter from the Dutch minister of Security and Justice, Ard van der Steur, it emerges that fraud with license plates occurs less frequently already due to measures such as the controlled online management and issuing and returning of license plates, requirements for recognized manufacturers and laminators (laminate code) as well as the obligation to report stolen or lost blank plates or license plates that have not yet been issued. Moreover, in 2000, the system of duplicate codes on license plates was introduced. Furthermore, faulty license plates are entered in the database for Automatic Number Plate Recognition (ANPR) control.
Whether it concerns black boxes, chips for theft prevention in (as of yet only more expensive) cars, eCall for crash analyses (also manufactured by NXP), dashcams, speed checks or the network of ANPR cameras, time and again Privacy First sees a pattern whereby the Dutch government tries to turn the complete recording of travel behaviour of citizens into reality. Now we're about to witness a spychip in every license plate and in every car, through undemocratic EU law – the ICT industry lobbied a number of MEPs in order to circumvent national parliaments – and the central database EUCARIS.
Reasons to opt for free choice and very selective use of a passive chip
Privacy First sees many reasons to not give a control infrastructure the go-ahead:
• A lack of necessity due to the absence of concrete figures regarding the 'alleged problem' and the availability of alternative solution-paths and measures, some of which have already been introduced.
• A complete lack of a cost-benefit analysis of a control infrastructure. The only one benefitting from the system in the short term is the chip manufacturer: in the future, chip manufacturer NXP will spy on you alongside the NSA! Under American surveillance legislation that is.
• The alleged problem is not commensurate with the measure, which is entirely disproportional and in breach of Article 8 ECHR. In the fight against identity fraud with license plates, a passive registration chip suffices and citizens should be able to choose freely whether or not they want to have a RFID license plate.
• The system will enable real-time identification, monitoring and recording of all citizens, including lawyers, journalists, politicians, activists – a very serious privacy infringement
• A central infrastructure and central data storage are particularly susceptible to fraud. If criminals get access to databases containing all the travel and residency data of cars and people in the Netherlands and the rest of Europe, all floodgates will be opened.
• There is a risk of function creep. The tax authorities, police and other law enforcement agencies already have real-time access to systems that have been intended for entirely different purposes, think of systems related to car parks and speed checks.
• Eventually a system like that could be deployed to burden citizens even more in various ways, such as road pricing and other travel & residency taxes and sanction systems, something that is perhaps the underlying thought of this draconian measure. Meanwhile ANPR cameras are used to fine drivers of old diesel cars in inner cities. What's next?
• Permanently recording citizens in public space will lead to self-censorship and an 'apology society' in which citizens have to have an alibi all time to explain what they were doing in a given location and why they were there. Citizens are already pestered by the police and authorities as a result of their travel behaviour – complaints about this reach Privacy First ever more often.
• Finally, an infrastructure like this affects our constitutional democracy by inverting the legal principle that there should be a reasonable suspicion of a criminal offence to be tracked: every citizen would be considered a potential suspect and would be continuously spied on.
An over-zealous control oriented way of thinking by a distrustful government
The policies of the Dutch government are tenaciously moving in one direction only. New technological gadgets are mandatorily deployed to record all citizens and central systems are subsequently linked together. After that, a flawed law and its implementation are being proposed and finally there are talks with privacy organizations and guileless citizens, who are left behind in an electronic prison. Nowadays Big Data, data mining and profiling are the magic words in all government departments. It all concerns 'OPD' (other people's data) anyway, very convenient indeed. In this case we're talking about equipping each car with three chips and implementing and maintaining a comprehensive ICT network on all roads, a market potentially worth billions of euros. And in the relationship that is then being formed between the public and the government, the latter is a distrustful partner that wants to know who the former is communicating with and what its travel movements look like. It also wants to dispose of systems with which errors can be checked, but in the worst case, it deals carelessly with all the data it collects. Such a relation, based on mistrust, certainly isn't sustainable.
The Netherlands, a global pioneer in the field of privacy
Time and again people forget: it's the legitimate task of the government to protect and promote the privacy of its citizens! Privacy First wants the Netherlands to become a global pioneer in the field of privacy with advanced technologies, based on the principles of our constitutional democracy and independent of the misconceptions of the day and our incident-driven political system. After all, this is about a fundamental turnaround in the relationship with the public, something Privacy First is opposed to. We therefore challenge politics, industry and science to turn the Netherlands into THE nation that is at the vanguard of privacy matters while maintaining security, and not the other way around!
After years of legal proceedings against the storage of fingerprints under the Dutch Passport Act — one of the gravest privacy violations in the Netherlands — Privacy First and 19 co-plaintiffs were declared inadmissible by the Dutch Supreme Court.
Since May 2010, a large-scale lawsuit against the central storage of fingerprints under the Dutch Passport Act by Privacy First and 19 co-plaintiffs (Dutch citizens) has been under way. This so-called 'Passport Trial' was a civil case because with regard to the merits of the case, individual citizens were not able to turn to an administrative court.
Citizens could only go to an administrative court if they would first provoke an individual decision: an administrative refusal to issue a passport or ID card after an individual refusal to give one's fingerprints. Hence, they could only litigate on an administrative level if they were prepared to live without a passport or ID card for years.
Moreover, the provision in the Passport Act on the central storage of fingerprints (Article 4b) still hasn't entered into force. Therefore, the administrative courts were unauthorized to assess this provision. Moreover, contrary to other countries, a direct administrative appeal against Dutch law (Acts and statutes) isn't possible in the Netherlands.
Subsequently, an administrative court would only have been able to individually and indirectly ("exceptionally") assess this provision on the basis of higher privacy legislation after that same provision would have entered into force, that is to say, after the central storage (and exchange) of everyone's fingerprints would have become a fait accompli.
To prevent such a massive violation of privacy, only the civil courts were authorized to rule in the case of Privacy First et al. For many years civil courts have been the perfect type court for the direct assessment of national legislation on the basis of higher (privacy) legislation, even if the national legislation in question has not yet entered into force but does entail an imminent privacy violation.
As a relevant foundation, Privacy First was able to take civil action in the general interest, on behalf of the Dutch population at large. Since the early 90s this is possible via a special procedure under Article 3:305a of the Dutch Civil Code: the so-called "action of general interest." Up until May 2010, when Privacy First et al. summoned the Dutch government, the Dutch Supreme Court seemed to have given the green light for this.
However, in July 2010, the Supreme Court disregarded its earlier case law by declaring that interest groups can only turn to a civil court if individual citizens cannot pursue legal proceedings before an administrative court. But in Privacy First's Passport Trial, citizens could not apply to an administrative court. So Privacy First et al. still had a very strong case. What's more, the admissibility criteria of the Supreme Court seemed not to apply to actions of general interest, but merely to 'group actions' that are organized on behalf of a specific group of people instead of the entire population.
In February 2011, the district court of The Hague wrongly declared our Passport Trial inadmissible. This decision was subsequently appealed by Privacy First et al. Courtesy also of the pressure exerted by this appeal, the central (as well as municipal) storage of fingerprints was largely discontinued in the summer of 2011 and the taking of fingerprints for Dutch ID Cards was halted altogether at the start of 2014.
In February 2014, The Hague Court of Appeal declared Privacy First — in the general interest — admissible after all and judged that the central storage of fingerprints under the Passport Act was in violation of the right to privacy. The Dutch Minister of the Interior, Ronald Plasterk, was not amused and demanded an appeal in cassation before the Dutch Supreme Court.
Against all odds (as Privacy First had virtually all Dutch legislation, legislative history, case law and legal literature on its side), on May 22, 2015, the Dutch Supreme Court declared Privacy and its 19 co-plaintiffs inadmissible once more. According to the Supreme Court, the citizens can turn to an administrative court, which has also blocked the road to a civil court for Privacy First.
All this while in the last few years it had been established that the co-plaintiffs could not turn to an administrative court, at least not for the review of Article 4b of the Passport Act concerning the central storage of fingerprints. In innumerable administrative cases over the past few years, judges of various Dutch administrative courts have declined jurisdiction in this respect. That meant that for Privacy First as an interested organization, the road to an administrative court was equally blocked.
The fact that the Supreme Court rules as if that isn't so is simply incomprehensible. Furthermore, litigating citizens can neither be expected to get by without a passport for years, nor can they be expected to first let their privacy be violated (giving up fingerprints, even for storage) before a judge can determine whether this is legal. The fact that the Supreme Court seems to require this just the same is not just inconceivable (as well as in breach of its own case law) but also reprehensible.
Gap in the legal protection
The ruling by the Dutch Supreme Court creates a legal vacuum in the Netherlands: if citizens or organizations want massive and imminent privacy violations, such as the central storage of fingerprints under the Passport Act, to be reviewed, then they may not be able to turn to either a civil or an administrative court. This creates a gap in the legal protection that has been in place in the Netherlands over the past few decades.
The Supreme Court may now have passed on this case to the highest Dutch administrative court (the Council of State), but it's all but certain that the Council of State is able and still prepared to review the central storage of fingerprints under the Passport Act. In light of this, the Supreme Court should have waited for the ruling by the Council of State in four current and parallel administrative cases revolving around the Passport Act, prior to coming up with its ruling in Privacy First's Passport Trial. By not doing this, the Supreme Court has taken a huge risk, has prematurely stepped into the shoes of the Council of State and has put the Council of State under severe pressure.
If the Council of State were soon to judge differently than the Supreme Court (that is to say, if the Council of State would judge that it is equally unauthorized to rule in this matter), the two institutions would make an enormous blunder and would create a huge gap in the legal protection in the Netherlands, in contravention of the European Convention on Human Rights (ECHR)
Multiple ECHR violations
Privacy First et al. await the ruling of the Council of State with considerable anticipation. In the meantime, Privacy First et al. will already prepare to file a complaint with the European Court of Human Rights in Strasbourg on account of a breach of Article 8 ECHR (right to privacy) and Articles 6 and 13 EHCR (right to access to justice and an effective legal remedy). Despite the Kafkaesque anti-climax before the Dutch Supreme Court, a European conviction of the Netherlands would thus be on the cards once the complaint has been filed.
Read the entire judgment by the Dutch Supreme Court HERE (in Dutch).
Click HERE for our entire case file.
A similar version of this article was published on http://www.liberties.eu/en/news/bad-day-for-privacy-in-the-netherlands.
Today, the European Court of Justice in Luxembourg (EU Court) has come up with its long awaited judgment in four Dutch cases related to the storage of fingerprints under the Dutch Passport Act. The EU Court did so at the request of the Dutch Council of State. The EU Court deems the storage of fingerprints in databases to fall outside the scope of the European Passport Regulation. Therefore, the Court leaves the judicial review of such storage to national judges and the European Court of Human Rights.
Cause for the ruling
In all four Dutch cases citizens refused to give their fingerprints (and facial scans) when they requested a new Dutch passport or ID card. For this reason, their requests for a new passport or ID card were rejected. In 2012, their subsequent lawsuits ended up before the Dutch Council of State (Raad van State), which decided to ask the EU Court to clarify relevant European law (European Passport Regulation) before coming up with its own ruling. Subsequently, in 2013, the EU Court judged in a similar German case that the obligation to give ones fingerprints under the Passport Regulation is not unlawful. However, in this case, the EU Court failed to carry out a thorough review on the basis of the privacy-related legal requirements of necessity and proportionality. Moreover, the EU Court refused to merge the (more substantiated) Dutch cases with the German one, even though this was an explicit request from the Council of State. The ruling of the EU Court in the German case presented the Council of State (along with 300 million European citizens) with a disappointing fait accompli. During the case before the EU Court at the end of 2014, new arguments and new evidence in the Dutch cases fell on deaf ears: the EU Court wished not to deviate from the German case and appeared uninterested in the, by now, proven lack of necessity and proportionality of taking fingerprints (low passport fraud rates) and the enormous error rates when it comes to the biometric verification of fingerprints (25-30%). In that sense, the current ruling of the EU Court comes as no surprise to the Privacy First Foundation.
Bright spot: ID card without fingerprints
The only chink of light in the ruling of the EU Court is the confirmation that national ID cards don't fall within the scope of the European Passport Regulation. The Dutch government seemed to have already been anticipating this judgment by ending the compulsory taking of fingerprints for ID cards as of January 20, 2014. In this respect, the ruling of the EU court doesn't bring any change to the current situation in the Netherlands, but it does confirm that the introduction of ID cards without fingerprints at the start of 2014 was the right choice of the Dutch government. Most other EU Member States have never actually had ID cards with fingerprints; under the European Passport Act, the compulsory taking of fingerprints only applied to passports. The fact that in between 2009 and 2014 the Netherlands wished to go further than the rest of Europe, was therefore at its own risk.
EU Court leaves judgement on database storage of fingerprints to national judges and the European Court of Human Rights
The EU Court in Luxemburg rules that possible storage and use of fingerprints in databases doesn't fall within the scope of the European Passport Regulation and leaves the judicial review of such storage to national judges and the European Court of Human Rights in Strasbourg. However, in various (over a dozen) pending individual cases in the Netherlands against the Dutch Passport Act, administrative judges have so far always decided that such judicial review falls outside of their powers, as the relevant provisions of the Passport Act have not (yet) entered into force. It's now up to the Council of State to adjudicate on this matter. At the same time, the Dutch Supreme Court is currently looking into the collective civil Passport Trial of Privacy First and 19 co-plaintiffs (citizens), where such judicial review has already successfully been carried out by the Hague Court of Appeal and is now before the Supreme Court. In February 2014, the Hague Court of Appeal rightly judged that central storage of fingerprints is in breach of the right to privacy. In that sense the case of Privacy First is in line with the EU Court: review of database storage by a national judge, possibly followed by the European Court of Human Rights. Current individual cases before the Council of State may soon be resumed before the European Court of Human Rights as well. Privacy First hopes that this complex interaction between different judges will lead to the desired results with regard to privacy: a repeal of the taking and storage of fingerprints for passports!
Read the entire ruling of the EU Court HERE.
Update 17 April 2015: unfortunately, the ruling of the EU Court led to a lot of misleading media reporting in the Netherlands through Dutch press agency ANP (for example in Dutch national newspaper Volkskrant). Better comments can be found at the website of SOLV Attorneys, in this blog post by British professor Steve Peers and in Dutch newspaper Telegraaf, translated below:
A database with fingerprints, relinquished by people who request a new passport, seems to have come a step closer. This could be deduced from a ruling of the European Court of Justice.
The Council of State asked the judges in Luxembourg for an opinion on four cases of citizens who refused to give their fingerprints. They appealed not getting a passport because of this. In a similar German case, the EU Court ruled that the compulsory taking of fingerprints isn't unlawful under European law.
Yesterday, the EU Court ruled in the Dutch case that the storage of fingerprints is a responsibility of the Member States. So the national judge will have to review this. As the only Member State, the Netherlands wanted a central register of fingerprints: a register that would even be accessible by secret services. The Passport Act that regulated this has not yet entered into force and last year the Hague Court of Appeal ruled that the central storage is in breach of the right to privacy.
Research points out that such a database brings along many risks, varying from security leaks to improper use and criminal manipulation. This proves that the whole system is a monstrosity that should never be introduced."
Source: Telegraaf 17 April 2015, p. 2.
"A Dutch court on Wednesday struck down a law requiring telecoms and Internet service providers to store their clients' private phone and email data, saying it breached European privacy rules.
"The judge ruled that data retention is necessary and effective to combat serious crime. Dutch legislation however infringes on the individual's right to privacy and the protection of personal data," the Hague district court said.
"The law therefore contravenes the Charter of Fundamental Rights of the European Union," the court said in a statement.
Seven groups and organisations including privacy watchdog Privacy First and the Dutch Association of Journalists dragged the Dutch state to court last month over the issue.
The Dutch court's decision comes after the European Court of Justice in April 2014 struck down the European Union law that forced telecoms operators to store private phone and email data for up to two years, judging it too invasive, despite its usefulness in combating terrorism.
Advocate General Pedro Cruiz Villalon declared the 2006 legislation illegal and told the European Union's 28 member states to take the necessary steps to withdraw it.
The 2006 directive called for EU states to store individuals' Internet, mobile telephone and text metadata -- the time, date, duration and destination, but not the content of the communications themselves -- for six months to two years.
This data could then be accessed by national intelligence and police agencies.
"The privacy rights of Dutch citizens were violated en masse by this mass surveillance," said Vincent Boehre of Privacy First.
"Privacy First fights for a society in which innocent civilians do not have to feel that they are being constantly monitored," he said on the organisation's website in response to the ruling.
"The verdict of the Hague tribunal is an important step in that direction," said Boehre."
Source: http://thepeninsulaqatar.com/news/international/326442/dutch-court-nixes-data-storage-law-says-privacy-breached, 12 March 2015.