"The Dutch data retention law will have its day in court on Feb. 18, when the District Court of the Hague hears a legal challenge to it filed by a broad coalition of organizations.

The law requires telecommunications and Internet companies to retain their customer's location and traffic metadata for six to 12 months, depending on the type of data, for investigatory purposes.

However, the complainants want the court to invalidate the law because it violates fundamental privacy rights, said their law firm Boekx Advocaten. The main reason the law should be scrapped, they say, is a ruling from the Court of Justice of the European Union (CJEU) last year, which invalidated the EU's Data Retention Directive on which the Dutch law is based because it violates fundamental privacy rights.

After evaluating that ruling, though, the Dutch government decided in November largely to maintain the national data retention law on the grounds that it "is indispensable for the investigation and prosecution of serious criminal offenses." Only a few adjustments to the law were deemed necessary, mainly tightening who has access to the data and under which circumstances.

By maintaining the law, the government also ignored the advice given by the Council of State, a constitutional advisory body that concluded that the Dutch data retention law should be withdrawn because it violates fundamental privacy laws.

The challenge, filed by civil rights organization Privacy First, the Dutch Association of Criminal Defense Lawyers, the Dutch Association of Journalists, the Dutch Section of the International Commission of Jurists, ISP BIT and telecom companies VOYS and SpeakUp, aims to get the law invalidated as soon as possible.

Data retention laws in other EU countries have been ruled unconstitutional. The Constitutional Court of Austria for instance axed the local data retention law in the wake of the CJEU ruling, and in Germany the local data retention law was already ruled unconstitutional in 2010, long before the CJEU ruling.

In Sweden though things are much the same as in the Netherlands. There, the government maintains that the Swedish national legislation can still be applied, causing trouble for Swedish ISP Bahnhof, which had stopped retaining and deleted data after being given permission by the Swedish Post and Telecom Authority (PTS) to do so in wake of the CJEU ruling.

However, Bahnhof was told to start retaining data again later last year. To protect its customers, the ISP has set up a free VPN (virtual private network) service to hide their communication metadata from the police. It also asked to the European Commission to intervene and vowed to fight the law in court.

Meanwhile, the European Parliament's Legal Service also reached a conclusion about the CJEU ruling. It means that EU countries no longer have any obligation but rather an option to keep retaining data, it said in its analysis of the implications of the judgement that was leaked by digital rights group Access Now last week.

As a result of the CJEU ruling, countries run an even higher risk than before of having their national legislation annulled by national courts in a similar way to what has happened in some EU countries, the Legal Service said. (...)"

Source: http://www.pcworld.com/article/2867792/dutch-government-sued-over-data-retention-law.html, 12 January 2015.

A broad coalition of organizations and companies is starting interim injunction proceedings against the Dutch government. The Privacy First Foundation, internet provider BIT, the Dutch Association of Journalists and the Dutch Association of Defence Counsel among others are demanding the abolition of the Dutch Telecommunications Data Retention Act. The Dutch Council of State and the European Court of Justice have already ruled that the Act is in violation of fundamental rights that protect private life, communications and personal data. However, the Dutch government refuses to render the Telecommunications Data Retention Act inoperative.

On 8 April 2014 the European Court of Justice declared the European Data Retention Directive (2006/24/EC) invalid with retroactive effect. According to the Court, retaining communications data of everyone without any concrete suspicion is in violation of the fundamental right to privacy. Objective criteria should be applied to determine the necessity of collection and retention of data and there should be prior control from an independent body or judge. Randomly and unrestrictedly collecting metadata (traffic data) in the context of 'mass surveillance' is not permitted, according to the Court.

In the Netherlands, regulations in this area are enshrined in the Dutch Telecommunications Data Retention Act, which largely mirrors the European Data Retention Directive. The Act provides that telecommunications companies and internet providers have to retain various data regarding internet and telephone usage for at least six and at most twelve months in order for judicial authorities to be able to use those data for criminal investigation purposes. Recently the Dutch Council of State ('Raad van State') judged that the Act does not comply with fundamental rights that protect private life, communications and personal data. However, the Dutch government does not heed the advice of the Council of State and refuses to repeal the Act. Compliance with the Act will be maintained by the government.

Vincent Böhre of Privacy First: "Mass surveillance constitutes a massive violation of citizens' privacy rights. It is unacceptable that the Dutch government clings to this practice after the highest European judge has already clearly stated back in April that this privacy violation is not permitted."

Thomas Bruning, Secretary of the Dutch Association of Journalists: "Telecommunications companies and internet providers are now obliged to retain a vast amount of communications data of all citizens. This includes journalists. Companies have to disclose these data at the request of the government. There is no guarantee whatsoever for the journalistic right of non-disclosure."

"The Dutch regulations are in breach of the applicable European fundamental rights", states Fulco Blokhuis, partner at Boekx Attorneys, who has meanwhile drafted a subpoena. "This situation is as disconcerting as it is undesirable. Maintaining this Act is unlawful, both towards citizens as well as companies who are forced to stay in possession of traffic data."

Alex Bik of internet provider BIT: "When the Dutch government introduced the Act, it hid behind the argument that the introduction was simply imposed upon by Europe, but since the European Data Retention Directive has been repealed with retroactive effect, this argument all of a sudden is no longer deemed valid by the government. That is not right."

Otto Volgenant of Boekx Attorneys: "As the Dutch Minister of Security and Justice, Ivo Opstelten, is unwilling to abolish the Telecommunications Data Retention Act, we will request the court to either render the Act inoperative or to prohibit its application any longer. We will shortly be issuing interim injunction proceedings."

Update 12 January 2015: the interim injunction proceedings against the Dutch government pertaining to the retention of telecommunications data will take place before the district court of The Hague in a public hearing on Wednesday 18 February 2015 at 11:00 hours. Meanwhile, the renowned Netherlands Committee of Jurists for Human Rights (NJCM) has joined the coalition of claimant organizations. Click pdfHERE (pdf, in Dutch) for the subpoena, click HERE for a press release from Boekx Attorneys (in Dutch) and HERE for an article (in Dutch) which appeared on the website of Dutch newspaper Telegraaf this morning.

Update 30 January 2015: yesterday a hearing (roundtable) about the Dutch Data Retention Act took place in the Dutch House of Representatives. Click pdfHERE for a schedule of the hearing (pdf) and pdfHERE (pdf, in Dutch) for the talking points that Privacy First sent to the House of Representatives prior to the hearing (pdf). The lack of necessity and proportionality of the current Data Retention Act were the main topics that were discussed by Privacy First during the roundtable. Other aspects that were raised by Privacy First related to the chilling effect in society as well as the potential for function creep that the Act brings about.

Update 13 February 2015: today, on behalf of the State, the Dutch State Attorney submitted a Statement of Defence; click pdfHERE (pdf in Dutch, 9 MB). The admissibility of the claimant organizations will not be challenged by the Dutch government, the State Attorney told our own attorneys by telephone. Therefore the proceedings will immediately focus on the merits of the case, rather than on procedural requirements. This is a breakthrough development: in similar cases the admissibility of the claimant parties was almost always contested by the State. A crucial lawsuit concerning such admissibility (our Passport Trial against the storage of fingerprints) is currently being conducted by Privacy First against the Dutch government before the Supreme Court of the Netherlands. Privacy First is of the opinion that the recognition of admissibility by the State Attorney in the interim injunction proceedings against the Telecommunications Data Retention Act puts Privacy First in a stronger position for this and future lawsuits that revolve around the right to privacy. Moreover, in times when access to justice of individual citizens in the Netherlands is increasingly under financial pressure, the admissibility of civil society organizations such as Privacy First forms an important safeguard for a well functioning Dutch democracy under the rule of law.

Update 18 February 2015: in front of a full courtroom (many civil servants, citizens, students and journalists were in attendance), today Privacy First et al. crossed swords with the State; click pdfHERE for the plea of our attorneys (pdf in Dutch) and pdfHERE for the pleadings of the State Attorney (pdf, in Dutch). The judge listened carefully but didn't ask any questions. As yet, Wednesday 11 March 2015 has been determined as the date of the judgment.

Update 11 March 2015: in a break-through verdict today, the district court of The Hague has rendered the Dutch Data Retention Act inoperative; click HERE.

Published in Litigation

"Holland sammelt unbändig Daten. Neue digitale Produkte dienen der totalen Überwachung. Und sind eine große Gefahr für die Gesellschaft.

Hinter den Dünen, ein paar hundert Meter vom Strand entfernt, liegt in Noordwijk der futuristische Bau von Decos. Das niederländische Software-Unternehmen hat sich eine neue Zentrale geleistet – einem eingeschlagenen Meteoriten ist sie nachempfunden, es könnte auch ein Raumschiff sein. Hier setzen IT-Spezialisten die digitale Zukunft durch: den völlig papierlosen Betrieb. Mitarbeiter kommunizieren ausschließlich elektronisch, und wer dem Unternehmen einen Brief schreibt, bekommt ihn zurück mit der Aufforderung, ihn nochmals zu senden, aber bitte als E-Mail.

Auch seinen Kunden bietet Decos Digitalisierung pur: Das Unternehmen liefert ihnen Software, um alle Dokumente elektronisch zu speichern – aber auch Produkte zur totalen Überwachung von Mitarbeitern. Sein „Cartracker" verfolgt jede Dienstreise, alle fünf Sekunden wird das Fahrzeug frisch verortet. „Hiermit haben Sie immer eine aktuelle Übersicht, wo sich Ihre Autos und Mitarbeiter befinden", wirbt Decos. Mehr noch: Der Fahrstil wird ständig überwacht und sogar benotet: „Aufgrund der Höchstgeschwindigkeit, des Bremsverhaltens und der Beschleunigung berechnet ,Decos Cartracker' eine individuelle Zensur für das Fahrverhalten jedes Fahrers."

Digitalisierung wird zur Norm

Nun mag es bei Geldtransportern noch sinnig sein, ihnen aus Sicherheitsgründen aus der Ferne zu folgen. In allen anderen Fällen gilt: Wohl dem, der einen weniger progressiven Arbeitgeber hat – einen, der vertraut, statt nonstop zu überwachen. Aber die Digitalisierung nimmt zu, sie wird zur Norm – und das nicht nur im Beruf, auch im öffentlichen Raum. Und die Niederlande sind hier in mancherlei Hinsicht schon weiter fortgeschritten als Deutschland.

Im Juli schaffte das Land endgültig die Fahrkarte aus Papier im öffentlichen Verkehr ab – für die zuvor schon schrittweise eingeführte „ÖV-Chipkarte", die den Preis in der Regel je Kilometer berechnet. Für den Kunden bedeutet sie außer 7,50 Euro Anschaffungskosten vor allem Umstände: für das Aufladen, für das Ein- und Auschecken bei jeder Fahrt. Wer das versäumt oder an einen kaputten Kartenleser gerät, ist schnell ein Sümmchen los; man muss dann auf Kulanz hoffen und per Online-Antrag versuchen, es erstattet zu bekommen.

Anonymität hat ihren Preis

Was aber noch schwerer wiegt: Die Chipkarte speichert so die Fahrstrecke – und da die Standardversion alle wesentlichen Nutzerdaten enthält (inklusive Kontonummer), kann sie das Reiseverhalten des Bürgers erfassen. Wer anonym mit einem Einmal-Ticket fahren will, muss Aufschlag zahlen – nicht viel, einen Euro momentan, aber immerhin; und vielleicht ist das ja auch nur der Anfang. Viel gravierender noch: Wer eine Studenten- oder Rentnerkarte braucht, muss zwingend die personengebundene Version mit den Daten wählen. Natürlich versichern die Betreiber, alles vertraulich zu behandeln. Aber wer sich darauf verlässt, ist naiv. Wo immer auf der Welt digital gespeichert wird: Die Vorfälle sind Legion, in denen Patienten-, Sozial- oder andere Daten missbraucht wurden – oder massenweise verfügbar, sei es versehentlich, sei es durch Hacker.

Natürlich gibt es in Deutschland den ähnlichen Fall: wenn jemand mit seiner Bahncard Punkte sammelt. Aber das macht er dann freiwillig. Und es ist wichtig aufzupassen, dass die öffentlichen Verkehrsträger hierzulande nicht dem Beispiel aus dem Ausland folgen. Generell ist Obacht schon geboten, wann immer die Preisgabe von Daten belohnt wird – wie bei dem Vorstoß eines deutschen Autoversicherers, Rabatt zu gewähren, wenn der Autohalter einen digitalen Fahrtenschreiber (Blackbox) installiert. Denn das läuft schnell darauf hinaus, dass er umgekehrt für das Recht auf Anonymität einen Malus bekommt.

Erstaunlich ist, dass ein Land wie die Niederlande so unbändig Daten sammelt – sieht es sich doch gerne als „gidsland": als internationales Vorbild, wenn es um Politik, Verwaltung, gesellschaftliche Werte und Normen geht. „Von allen Menschenrechten steht das Recht auf Privatsphäre in den Niederlanden am meisten unter Druck", befindet die Stiftung Privacy First.

Mal führen die Behörden Sicherheit als Argument für die Digitalisierung an, mal Effizienz. Nach Amsterdam führt jetzt auch Rotterdam stadtweit das „Kennzeichenparken" ein: Wer das Auto abstellt, muss am Automaten die Buchstaben und Ziffern des Nummernschilds eingeben. Mit Bargeld darf er auch nicht mehr zahlen, nur mit Karte oder per Mobiltelefon – auch dies ein nationaler Trend. Wieder eine digitale Spur hinterlassen, wieder ein Stück Anonymität dahin. (...) [A]ls Nächstes eine Pflicht für Smart Meters in Wohnungen: Ablesegeräte, die viel mehr erfassen können als nur den Energieverbrauch in den Wohnungen. Die Industrie lobbyiere schon kräftig dafür. Nicht zu reden von den zahllosen Überwachungskameras in Städten, der massenweisen Kennzeichenerfassung auf Autobahnen und Polizeidrohnen mit Kamera. Die Bedenken der Datenschützer werden gerne abgetan: Wer nichts zu verbergen hat, muss doch nichts befürchten? Aber das ist die falsche Haltung, sie kehrt ein grundlegendes Recht um: das Recht, sich unbewacht zu bewegen."

Source: http://www.faz.net/aktuell/wirtschaft/wirtschaftspolitik/digitalisierung-big-brother-in-holland-13092653.html, 12 August 2014.

"Recently, the Court of Appeal of The Hague held that the storage of Dutch citizens' personal data in a central register is an unjustified violation of the right to privacy.

In light of, amongst other things, the implementation of the European regulation on standards for security features and biometrics in passports and travel documents, and to comply with this regulation, the Dutch Passport Act was amended in 2009. This new Passport Act states that future passports would have to contain a chip with a digital facial image and two fingerprints of each applicant. The Dutch government therefore planned to create a central register to hold the facial image files and four fingerprints of each applicant (two of which are included in the passport for identity verification). This new register would also serve other purposes: it would help passport fraud control, and it would allow applicants to renew their passport in any municipality in the Netherlands. The national government acknowledged that the request and saving of these personal data would form a violation of the right to privacy of Dutch citizens, but the government stated that the data storage was proportionate and justified, considering the intended purposes.

The interest group Privacy First disagreed with the government. This group, which seeks to publicly promote the enhancement and preservation of the right to privacy, believed that the creation of this central register violates this fundamental right enshrined in several international laws and regulations. The group launched legal proceedings against the Dutch government. The district court of The Hague ruled that Privacy First did not have a cause of action. Privacy First then appealed against this verdict.

Remarkably, the government meanwhile reviewed their amendments to the new Passport Act. The government concluded that the storage of these personal data in a central register did not achieve its purpose, namely passport fraud control via one's identity verification. Therefore, the Act's provisions that related to the storage of personal data in a central register would be suspended. Furthermore, the number of fingerprints to be taken for the filing would be reduced from four to two in accordance with European regulation.

On appeal, the Court of Appeal ruled that since Privacy First and the government now share the same views about the central register, Privacy First would have lost its standing in their cause of actions, so it dismissed the interest group's claims. However, the Court of Appeal found that the district court had erred when it held that Privacy First did not have a cause of action at the time. Since Privacy First is an interest group advocating the protection of the general interest of Dutch nationals' right to privacy, it should have been able to bring proceedings before the civil court according to Article 3:305 of the Dutch Civil Code (Burgerlijk Wetboek). This would only have been different if the interest group had represented the combined interest of individuals. The Court of Appeal further ruled that Privacy First incurred a financial risk.

The Court of Appeal also ruled that in view of all the circumstances of the case at first instance, the district court should have ruled in favour of Privacy First concerning their arguments against the setting up of a central register. This central register's storage of Dutch citizens' personal data is an unjustified violation of one's right to privacy enshrined in Article 8 ECHR because it did not fulfill its purpose. The Court of Appeal understands that this was a violation from the start, but this had only become evident after the first ruling."

Source: http://www.lexology.com/library/detail.aspx?g=27bf8f03-ada9-47d4-ac7f-4e4aece29cd3, 15 July 2014.

"The Court of Justice in the Hague has ruled that fingerprints gathered from individuals getting a new passport can't be held centrally and used in criminal investigations.

Dutch authorities have been prevented from storing citizens' fingerprints in a central database following a ruling this week by the Court of Justice in the Hague.

In the Netherlands, individuals' fingerprints are gathered by the local municipality when they apply for a new passport. The government had proposed gathering those different sets of fingerprints into a central database, which could then be accessed by police for the purposes of matching fingerprints found in criminal investigations.

However, the system turned out to be far from perfect — 21 percent of fingerprints collected by the authorities in the Netherlands were unusable to identify individuals.

The court found such a high level unacceptable: "This can mean nothing other than the storage of fingerprints in a central register is not suitable for the purpose originally envisioned, that is, the determination and verification of one's identity.

"This means that it is also not suitable for the prevention of identity fraud or for the process of requesting a new travel document or using a travel document, which is one of the main purposes of the Act [the legislation which requires fingerprints in Dutch passports]. Therefore the conclusion is that the invasion of privacy formed by the central storage of fingerprints is unjustified."

No immediate effect

Although the ruling is a significant victory for Privacy First, the privacy group that brought the case before the Court of Justice, it won't have immediate consequences for the Dutch government.

The European Court of Justice had already ruled in October last year that the directive requiring European member states to include two fingerprints in their passports did not provide a legal basis for then also including all citizens' prints in a central repository.

In addition, the court stipulated that fingerprints given by individuals for such purposes could not to be used for criminal investigations.

(...)

However, according to Christiaan Alberdingk Thijm, the lawyer representing Privacy First, the ruling will have a bearing on any future government attempts to collect sensitive data, such as photos.

"This is not only good news for those opposing plans of a central fingerprint database, but for those opposing any central government owned database," he said."

Source: http://www.zdnet.com/no-you-cant-store-peoples-fingerprints-in-a-central-database-dutch-court-rules-7000026505/, 19 February 2014.

In a groundbreaking judgment, the Hague Court of Appeal has today decided that centralised storage of fingerprints under the Dutch Passport Act is unlawful. The Privacy First Foundation and 19 co-plaintiffs (Dutch citizens) had put forward this legal issue to the Court of Appeal in a so-called 'action of general interest' ("algemeen-belangactie"). In February 2011, the district court of The Hague had declared Privacy First inadmissible. Because of this, the district court couldn't address the merits of the case. The Court of Appeal has now declared Privacy First to be admissible after all and has quashed the judgment of the district court. Moreover, the Appeals Court deems centralised storage of fingerprints under the Dutch Passport Act to be unlawful since it violates the right to privacy. Therefore it seems that centralised storage of fingerprints under the Dutch Passport Act will be shelved once and for all.

In May 2010, Privacy First et al. took the Dutch government (Ministry of Home Affairs) to court on account of the centralised storage of fingerprints under the new Dutch Passport Act. Such storage had mainly been intended to prevent small-scale identity fraud with Dutch passports (look-alike fraud).

Partly due to the pressure exerted by this lawsuit of Privacy First, central storage of fingerprints was brought to a halt in the Summer of 2011. The judgment by the Hague Court of Appeal has now made any future centralised storage of fingerprints legally impossible: the Court deems centralised storage of fingerprints an "inappropriate means" to prevent identity fraud with travel documents. According to the Court "this cannot but lead to the conclusion that the infringement upon the right to privacy caused by centralised storage of fingerprints is not justified. In that regard the district court should have awarded the claim of Privacy First." (Para. 4.4.)

This is a great victory for Privacy First and for all the citizens who have stood up against centralised storage of fingerprints under the Dutch Passport Act in recent years. The judgment by the Court also paves the way for Privacy First (and other civil society organizations) to continue to initiate lawsuits in the general interest for the preservation and promotion of the right to privacy, for example the new lawsuit by Privacy First et al. against the Dutch government on account of illegal data espionage (NSA case). Recently the Dutch State Attorney deemed Privacy First to be admissible in this case too. These developments are a great impetus for Privacy First to continue to take legal steps in the coming years for the sake of everyone's right to privacy.

Read the entire judgment by the Hague Court of Appeal HEREpdf (pdf in Dutch; for a text-version on the website of the Netherlands Judiciary, click HERE).
Click HERE for the press release by our attorneys of Bureau Brandeis.

Update 21 May 2014: the Dutch government appears to be a sore loser: earlier this week the State Attorney has lodged an appeal (in Dutch: 'cassatie') against the ruling of the Hague Court of Appeal at the Supreme Court of the Netherlands; click HEREpdf (pdf in Dutch) for the appeal summons. The Dutch government wants Privacy First to be declared inadmissible after all and calls on the Supreme Court to still declare central storage of fingerprints lawful. This must not happen. Privacy First is considering its options in its own defence.

Update 21 November 2014: today Privacy First et al. have submitted to the Supreme Court their statement of defence against the appeal summons; click HEREpdf for the document (pdf in Dutch). In the appeal, Privacy First et al. are being represented by Alt Kam Boer Attorneys in The Hague; this law-office is specialised in Supreme Court litigation. On behalf of the Dutch government (Ministry of Home Affairs) the State Attorney has today submitted a written explanation to the previous appeal summons; click HEREpdf (pdf in Dutch). The next steps could consist of a written reply and rejoinder, followed by advice (''conclusion'') from the Procurator General at the Supreme Court (to which Privacy First et al. would be able to respond) and a judgment by the Supreme Court midway through 2015.

Update 5 December 2014: today Privacy First et al. have delivered an early Christmas present to the Dutch Minister of Home Affairs: our written reply (rejoinder) to the recent explanation of the Ministry of Home Affairs to the previous appeal summons. Click HEREpdf for the document (pdf in Dutch). The Dutch government, in turn, submitted a short reply to the recent statement of defence by Privacy First et al.; click HEREpdf (pdf in Dutch). On 9 January 2015 the Supreme Court will set a date on which the Procurator General will issue his advice.

Update 12 January 2015: the Procurator General at the Supreme Court will issue his advice ("conclusion") on 10 April 2015.

Update 12 March 2015: Much earlier than expected, Advocate General Mr. Jaap Spier delivered his advice (''conclusion'') in the case to the Supreme Court on 20 February 2015; click HEREpdf (pdf in Dutch, 7 MB). Its conservative contents and tone are notable aspects of his advice. Furthermore, the Advocate General wrongfully assumes that the contested provisions of the Dutch Passport Act had never become legislation. While he upholds Privacy First's admissibility, he does so on the wrong legal grounds. Moreover, the Advocate General does not touch on the substance of the privacy issues at all, is incorrect in his view that proceedings could have taken place before an administrative judge and, erroneously, wants Privacy First et al. to still pay for the legal costs of the proceedings. In response to the advice of the Advocate General, within the formal term of two weeks Privacy First submitted a response letter ("Borgers brief") to the Supreme Court; click HEREpdf (pdf in Dutch). No such letter has been submitted by the Dutch State Attorney. Therefore, Privacy First has had the final say in this case. We will now have to wait for the Supreme Court ruling, which is expected later this year.

Published in Litigation

"Eine der wichtigsten Errungenschaften der EU ist ohne Zweifel der freie Personenverkehr. Wie frei dieser in Zukunft sein wird, ist allerdings die Frage.

Ende August gab Innenministerin Johanna Mikl-Leitner ihre Absicht bekannt, die Grenzen künftig mit computergesteuerten Kameras zu überwachen. Als Beispiel dient ein ähnliches System an den holländischen Grenzen. Laut Robert Strondl, Abteilungsleiter in der Generaldirektion für öffentliche Sicherheit, soll es demnächst eine Erkundungsmission in die Niederlande geben. „Es ist nicht die Absicht, das System eins zu eins zu übernehmen, sondern wir wollen uns die ‚Goodies' rausholen."

Proteste aus Deutschland

@migo boras heißt das System, das seit einem Jahr die wichtigsten niederländischen Grenzübergänge bewacht. Ein Computerprogramm in der Kamera registriert Kennzeichen, Typus und Passagiere der Fahrzeuge. Wenn es eine Übereinstimmung mit Polizeidaten gibt, wird das Auto angehalten. Nicht nur wegen seines Namens ruft das System Erinnerungen an Orwells Big Brother wach. Ist es Zufall, dass Big Brother auch der Name eines der erfolgreichsten niederländischen Fernsehformate ist? Wie es jetzt aussieht, dürfte @migo boras ein ähnlicher Exportschlager werden, denn auch in Großbritannien und den USA wird die Technologie inzwischen verwendet.

Unumstritten ist das Ganze allerdings nicht. Als die niederländische Regierung ihre Pläne bekannt machte, gab es massive Proteste von deutschen Datenschützern und Politikern, die meinten, dass es gegen das Schengener Abkommen verstoßen würde. Und aus diesem Grund wurde das System in einer abgeschwächten Form eingeführt. So dürfen die Kameras maximal 90 Stunden pro Monat und nicht mehr als sechs Stunden pro Tag eingeschaltet sein. (...)

Nur dumme Verbrecher

Ähnlich sieht es Vincent Böhre von der niederländischen Organisation Privacy First, die sich für den Schutz der Privatsphäre einsetzt. Gegenüber Public meint Böhre, dass nur „dumme Verbrecher" erwischt werden. „Die organisierte Kriminalität passt sich an. Die nehmen Schleichwege oder fahren statt mit rumänischen Kleinbussen mit französischen oder mit deutschen BMWs." Möglicherweise ist das System sogar kontraproduktiv: „Die Gefahr besteht, dass sich die Polizei zu sehr auf die Technik verlässt und viel Zeit verliert mit der Anhaltung von unbescholtenen Bürgern." Den Erfolg bei der Bekämpfung von illegaler Immigration sieht Böhre im Promillebereich: „Das wirft die Frage auf nach der Verhältnismäßigkeit eines Systems, das an die 20 Millionen Euro gekostet hat."

Noch bedenklicher findet er, dass juristische Grundsätze umgekehrt werden: „Früher war es so, dass die Polizei ein Auto nur anhielt, wenn es einen begründeten Verdacht auf ein Verbrechen gab. Bei @migo boras wird automatisch jedes Fahrzeug registriert und mit der Datenbank verglichen." Das Ganze erinnere laut Böhre an eine „militärische Operation". „Eines der größten Probleme des Systems ist aber, dass es keine gesetzliche Grundlage gibt, obwohl das eigentlich der Fall sein sollte bei einer Beschränkung der Privatsphäre."

Eines müssen die Kritiker aber zugeben: Zu einem großen öffentlichen Aufschrei hat @migo boras bisher nicht geführt. Abgesehen von einigen kritischen Zeitungs- und Fernsehberichten konnte die Regierung es quasi durch die Hintertür einführen. Wie bei den traditionellen holländischen Fenstern mit offenen Vorhängen, durch die jeder gleich ins Wohnzimmer blicken kann, haben die Niederländer anscheinend wenige Probleme damit, dass der Staat durch ihr Autofenster schaut. Ohne Zweifel spielt dabei eine Rolle, dass Ereignisse wie die Morde an Pim Fortuyn und dem Filmemacher Theo van Gogh das Gefühl von Sicherheit nachhaltig zerstört haben.

Keine bösartigen Regierungen

Der Journalist Bart de Koning, Autor des Buches „Alles onder controle" („Alles unter Kontrolle"), sieht aber auch tiefere Gründe: „Themen wie Bürgerrechte bekommen hier sehr wenig Aufmerksamkeit. Im Grunde genommen sind die Holländer da ziemlich naiv. Wenn man ihnen sagt, dass es um die Sicherheit geht, nehmen sie leicht eine Beschränkung der Privatsphäre in Kauf." Zu einem Teil würde dies mit der Geschichte zusammenhängen: „Während die Deutschen ihre Erfahrungen mit der Nazizeit und der Stasi gemacht haben, können sich die Holländer noch immer schwer vorstellen, dass der Staat auch bösartig sein kann." (...)

Ein Amigo an jeder Laterne

In dieser Hinsicht können sich die holländischen Datenschützer auf etwas gefasst machen. Vor kurzem kündigte Innenminister Ivo Opstelten seine Pläne an, nicht nur an den Grenzen, sondern an allen Autobahnen die Kennzeichen automatisch registrieren zu lassen und die Daten vier Wochen lang zu speichern. Für Bas Filippini, den Gründer von Privacy First, ist @migo boras nur der Anfang einer unheilvollen Entwicklung: „Ich lebe gerne in einer freien Umgebung und suche selbst meine Freunde aus ... Bald hängt aber an jeder Laterne ein Amigo, der registriert, was wir machen.""

Source: Public (magazine for Austrian municipalities), November 2013, pp. 36-37. Click HERE to read the full article online on the Public website.

At the end of this summer our colleagues from Bits of Freedom will once again be organizing the annual Big Brother Awards. Below are our nominations for the biggest Dutch privacy violations of the past year:

  1. Automatic Number Plate Recognition plans from Minister Opstelten
    If it’s up to the Dutch Minister of Security and Justice, Ivo Opstelten, the travels of every motorist in the Netherlands will soon be stored in a police database for four weeks through automatic number plate recognition (ANPR) for criminal investigation and prosecution purposes. This means that, in the view of Mr. Opstelten, every motorist is a potential criminal. Privacy First deems this proposal absolutely disproportional and therefore in breach with the right to privacy as stipulated under Article 8 of the European Convention on Human Rights. In case Dutch Parliament accepts this legislative proposal, Privacy First will summon the Dutch State on account of unlawful legislation in violation with the right to privacy; see http://www.privacyfirst.eu/focus-areas/cctv/item/580-every-motorist-becomes-potential-suspect.html
  2. Proposal for hacking scheme from Minister Opstelten
    A second miserable plan from Minister Ivo Opstelten is to authorize the Dutch police force to hack into your computer and to oblige citizens to decrypt their encrypted files for the police. In the view of Privacy First this plan, too, is entirely in breach with the right to privacy, since it’s unnecessary and disproportional. Moreover, the proposal contravenes with the ban on self-incrimination (nemo tenetur). The proposal will lay the basis for future abuse of power and forms a typical building block for a police State instead of a democratic constitutional State. For our main objections, see http://www.privacyfirst.eu/focus-areas/law-and-politics/item/599-privacy-first-objections-against-opstelten-hacking-scheme.html.
  3. License plate parking
    As of late, in an ever greater number of Dutch cities (among which Amsterdam) license plate parking is becoming compulsory. Privacy First stands up for the classical right of citizens to travel freely and anonymously in their own country. The right to park anonymously is a part of this. License plate parking clearly disregards these rights. Moreover, it leads to function creep in breach with the right to privacy. The prime example here is the already proven abuse of parking information of lease drivers by the Dutch tax authorities; see http://www.nrc.nl/nieuws/2013/07/29/privacywaakhond-het-servicehuis-parkeren-overtreedt-de-wet/ (in Dutch).
  4. Highway section controls
    Section speed checks on Dutch highways make that the journeys of motorists are continuously being monitored. This forms a massive infringement of the right to privacy. Such an infringement requires a specific legal basis with guarantees against abuse. Moreover, function creep is just around the corner; this already becomes obvious from the current plans of Dutch Minister Opstelten to soon use all highway speed cameras for automatic number plate recognition (ANPR) for investigation and prosecution purposes of a whole range of criminal offences as well as the collection of outstanding fines, tax debts, etc.  
  5. Drones
    Besides the ‘usual’ cameras in neighbourhoods, shops, stations, above highways etc., citizens are increasingly – and almost unnoticed – being spied upon by flying cameras: so-called drones. The government does this (mainly the police) and so are private parties, yet without any sufficient legislation. Because of this the privacy risks and the likelihood of an accident are enormous. Privacy First therefore pleas for a moratorium on the use of drones until proper national legislation is put in place. Furthermore, drones should only be allowed to be used by the government in exceptional cases, for instance in disaster situations or for the investigation of suspects of very serious crimes, and only in case no other adequate means can be deployed. For private parties a license system is to be introduced with strict supervision and enforcement. Moreover, every drone is to be equipped with a transponder that is publically cognizable. 
  6. Police Taser weapons
    In September 2012 it became known that Dutch Minister Opstelten was planning to equip the entire Dutch police force with Taser weapons. In the view of Privacy First, the use of Taser weapons can easily lead to violations of the international ban on torture and the related right to physical integrity (which is part of the right to privacy). Taser weapons lower the threshold for police violence and hardly leave behind any external scars. At the same time they can inflict serious physical damage and mental harm. In conjunction with the current lack of firearms training for Dutch police officers, this produces serious risks for the Dutch population. In May 2013 the Dutch government had to justify itself over Opstelten’s plans in front of the UN Committee against Torture in Geneva; see http://www.privacyfirst.eu/focus-areas/law-and-politics/item/595-dutch-taser-weapons-on-agenda-of-un-committee-against-torture.html. Nevertheless, for the moment Opstelten’s intentions seem to be unchanged...
  7. Electronic Health Record
    In April 2011 the introduction of a Dutch national Electronic Health Record (Elektronisch Patiëntendossier, EPD) was unanimously binned by the Dutch Senate due to privacy objections and security risks. However, the national introduction of almost the same EPD was subsequently worked towards along a private route and this included the exchange of medical data through a National Switch Point (Landelijk Schakelpunt, LSP). This will by definition lead to 'function creep by design' instead of privacy by design. The digital ‘regional walls’ in and around the LSP will easily be circumvented or removed. Therefore the entire system can take on its old central form again at any given moment in the future, with all the privacy and security risks this entails. Furthermore, the current layout is characterized by generic instead of specific permission of the patient to share medical data with healthcare providers (and future third parties). This constitutes an imminent danger for the medical privacy of citizens as well as the professional confidentiality of medical specialists.
Published in Law & Politics

The Dutch Ministry of the Interior is currently conducting an assessment of the fundamental rights situation in the Netherlands. Later this year this will probably result in a report called ‘De Staat van de Grondrechten’ (‘The State of Fundamental Rights’) and an accessory entitled ‘Nationaal Actieplan Mensenrechten’ (‘National Human Rights Action Plan’). In this context the Ministry recently requested input from several NGOs, among which Privacy First. Below is our advice:

Top 7 of issues that deserve a place in the State of Fundamental Rights and the National Human Rights Action Plan:

1. Active adherence to as well as protection, fulfilment and promotion of the right to privacy

Clarification: privacy is both a Dutch constitutional right as well as a universal human right. As with all human rights, the Dutch government accordingly has the obligation to 1) respect, 2) protect, 3) fulfil and 4) promote the right to privacy through proper legislation and policy. However, since '9/11' there have almost solely been made restrictions to the right to privacy, instead of enhancements of it. This constitutes a violation of the above-mentioned general duty to actively fulfil the right to privacy. The same goes for related rights and principles such as the presumption of innocence and the ban on self-incrimination (nemo tenetur). 

2. Constitutional review

Clarification: the Netherlands is only familiar with constitutional ‘‘review’’ by civil servants and members of the Dutch House of Representatives when it comes to the development of new legislation. Unfortunately there is no Dutch Constitutional Court and, oddly enough, constitutional review of formal legislation by the judiciary is outlawed in the Netherlands. It is partly on account of this that the Dutch Constitution has become a dead letter over the last decades. It is therefore recommended to create a Constitutional Court as soon as possible and to abrogate the ban on constitutional review.

3. Collective legal means

Clarification: owing to a development of legal restrictions within the case law of the Dutch Supreme Court, over the last decades it has become increasingly difficult for foundations and associations to legally defend the social interests they advocate for through the collective right to action (Article 3:305a Dutch Civil Code and Article 1:2 paragraph 3 Dutch General Administrative Law Act, both links are in Dutch). Because of this the effective and efficient functioning of the Dutch constitutional State and legal economy have come under severe pressure. It is therefore recommended for the government to actively respect, protect and fulfil the collective right to action. For instance by no longer instructing the State attorney to plea for the inadmissability of foundations and associations in relevant lawsuits. Moreover, the ban on direct appeal against generally binding regulations (Article 8:3 Dutch General Administrative Law Act, in Dutch) is to be abrogated.

4. Voluntary instead of compulsory biometrics

Clarification: the premise in a healthy democracy under the Rule of Law should be that citizens may never be obliged to cede their unique physical characteristics (biometric personal data) to the government or the business sector. After all, this constitutes a violation of the right to privacy and physical integrity. Moreover, within companies, service providers, employers, etc. this leads to unfair trading practices. With the planned introduction of an ID card without fingerprints, in this area the Dutch government is taking a first step in the right direction. In line with this, we advise the Dutch government to plea at the European level for a passport with voluntary instead of compulsory taking of fingerprints.

5. Anonimity in public space

Clarification: the right to be able to travel anonymously and not to be spied upon has become increasingly illusory in recent years, especially through technological developments such as public transport chip cards, camera surveillance, cell phone tracking, etc. Both the government as well as the business sector are obliged to actively reinstate, protect and fulfil the right to privacy in terms of anonymity in public space through the introduction of public transport chip cards that are truly anonymous (privacy by design), the abrogation of camera surveillance unless strictly necessary, the development of privacy-friendly mobile telephony and apps, etc. For all the legislation and policies in this field, privacy, individual freedom of choice, necessity, proportionality and subsidiarity are to be leading principles.

6. Privacy by design

Clarification: all privacy-sensitive information technology is to comply with the highest standards of privacy by design. This can be achieved through the use of privacy enhancing technologies (PET), among which are state-of-the-art encryption and compartmentalization instead of centralization and the coupling of ICT. At the European level this is to become a strict legal duty for governments as well as the business sector, with active supervision and enforcement in this area.

7. Privacy education

Clarification: in terms of human rights education the Netherlands is threatening to become a third world country. In the long run this puts the continued existence of our democratic constitutional State at stake. It equally puts the right to privacy in danger. A privacy-friendly future begins with the youth of today. To that end privacy education is to become compulsory in primary, secondary and higher education. The government should play an active role in this.

Published in Law & Politics
Thursday, 28 February 2013 00:13

Panopticon

Panopticon was released on the internet in October 2012. In the view of Privacy First, this is the best Dutch privacy documentary to date. Watch it below in English subtitles:

Published in Video Corner
Page 4 of 5

Our Partners

logo Voys Privacyfirst
logo greenhost
logo platfrm
logo AKBA
logo boekx
logo brandeis
 
 
 
banner ned 1024px1
logo demomedia
 
 
 
 
 
Pro Bono Connect logo
Procis

Follow us on Twitter

twitter icon

Follow our RSS-feed

rss icon

Follow us on LinkedIn

linked in icon

Follow us on Facebook

facebook icon