This morning in Geneva the long-awaited Universal Periodic Review (UPR) of the Netherlands took place before the Human Rights Council of the United Nations (UN). In the run up to this four-year session, the Privacy First Foundation and various other organisations had emphatically voiced their privacy concerns about the Netherlands to both the UN and to almost all UN Member States; you can read more about this HERE. The Dutch delegation for the UPR session was led by Interior Minister Ms. Liesbeth Spies. The opening statement by Spies contained the following, remarkable passage about privacy:

"The need to strike a balance between different interests has sometimes been hotly debated in the Dutch political arena, for example in the context of privacy measures and draft legislation limiting privacy. The compatibility of this kind of legislation with human rights standards is of utmost importance. This requires a thorough scrutiny test, which is guaranteed by our professionals and institutions. Improvements in this regard have been made when necessary, especially in the starting phase of new draft legislation. This has been done in the field of privacy, where making Privacy Impact Assessments (PIAs), describing the modalities for the planned processing of personal data, are compulsory now." (pp. 5-6, italics Privacy First)

A "thorough scrutiny test" and compulsory Privacy Impact Assessments are the terms that positively stand out for Privacy First.

Prior to the UPR session, the United Kingdom had already put the following questions to the Netherlands: "Given recent concerns about data collection and security, including the unintended consequences of cases of identity theft, does the Netherlands have plans for measures to ensure more comprehensive oversight of the collection, use and retention of personal data?" (Source) On behalf of the Netherlands, Minister Spies responded to this question in Geneva this morning saying: "On the review of our laws on data protection, The Netherlands are currently working on a legislative proposal on data breach notification, following announcements of this proposal in the present coalition agreement. The proposal, which would require those responsible for personal data to notify the data protection authorities in case of "leakage" of personal data with specific risks for privacy (including identity theft), is expected to be tabled in Parliament in the coming months." This answer is rather concise and unfortunately it doesn’t contain any new elements. However, a new Dutch law on compulsory notification for data leakages will hopefully become a best practice for other UN Member States. The credits for this go to our colleagues of the Dutch NGO Bits of Freedom who have worked on this for a long time.  

During the UPR session Estonia called the protection of privacy and personal data a "human rights challenge of the 21st century". Morocco then asked a critical question about the privacy issue: "Quelles sont les mesures concrètes entreprises par les autorités néerlandaises pour sécuriser l'utilisation des donnés personnelles?" ("What are the concrete measures taken by the Dutch authorities to protect the use of personal data?") The Philippines also raised the issue of the right to privacy, but only in these words: "The Philippine delegation appreciates the frank assessment of the Netherlands of the obstacles and challenges it has to hurdle in the implementation of the right to privacy especially in the area of protection of personal information." The comments by Greece, India, Russia and Uzbekistan were more content-focused. Greece addressed the practice of preventive searches: "We take note of reports regarding the issue of preventive body searches. We recommend that the Netherlands ensure that in its application of preventive body searches, all relevant human rights are adequately protected, in particular the right to privacy and physical integrity and the prohibition of discrimination on the basis of race and religion." India exhorted the Netherlands on ethnic profiling of citizens: "We encourage the Dutch Government to take concrete measures to combat discrimination including discrimination by the Government such as ethnic profiling." Russia too advised the Netherlands "to introduce measures to stamp out discrimination arising as a result of the practice of racist, ethnic or religious profiling." The Netherlands was addressed about this very issue by Uzbekistan as well: "We are concerned over the existence of information on the increasingly broad use by the police of racist profiling."

As a reaction to these points Minister Spies referred to recent research by the Dutch police, scientists and the National, the Amsterdam and the Rotterdam Ombudsman about preventive body searches, discrimination and ethnic profiling. With regard to digital profiling (in general), she moreover proclaimed the following: "In its recent proposal for a general Data Protection Regulation, the [European] Commission has included rules on profiling, which can address the problems associated with profiling and the protection of personal data. The Netherlands endorses the need for clear legislative rules with regard to this topic, given the specific challenges for privacy protection that this technique entails. This is also the background against which the Netherlands welcomed in 2010 the Council of Europe Resolution on this topic, which contained a useful definition of profiling that would also be beneficial for inclusion in the [European] Commission proposals. The Netherlands will draw attention to this ongoing discussion in Brussels. The Regulation, once in force, will be directly applicable in the Netherlands." 

By and large this is a reasonable result, given that up until now the privacy issue had hardly played any role at all within the UN Human Rights Council. However, it’s a shame that most countries still hardly dare to confront this issue, let alone ask specific and critical questions about it. Many of the recommendations by Privacy First have not been touched upon during this UPR session, although diplomats in Geneva and The Hague had earlier shown great interest in them. Perhaps they were stopped by their Foreign Affairs departments in capital cities because many privacy issues are also sensitive in their own domestic politics? Who knows... However, the fact remains that the international community was informed by Privacy First well in advance, which was part of the reason that the Dutch UN delegation headed by Minister Spies was properly focussed on the job at hand. This can only be to the benefit of general awareness and the protection of privacy, both inside and outside the Netherlands. In the end, for us this is what it’s all about. 

Update 4 June 2012: This afternoon, a working group of the Human Rights Council adopted a draft report on the Dutch UPR session. The final version of this report will be adopted by the Human Rights Council in September 2012, accompanied by a (motivated) acceptance or rejection by the Netherlands of each individual recommendation in the report. Furthermore, this will also be discussed by the Dutch House of Representatives.

A total of 49 countries have taken part in the Dutch UPR session. It is noteworthy that Belgium, Italy and Austria did not take part in the session (although Belgium and Italy had in fact enrolled beforehand). As far as Austria is concerned this is particularly regrettable, because of all the UN Member States it was actually Austria which had in advance expressed the most interest in the Privacy First UPR shadow report and had intimated to be able to make a powerful, overall recommendation to the Netherlands about the right to privacy.  

Update 21 September 2012: This morning, the UN Human Rights Council discussed its recommendations to the Netherlands. The Dutch Permanent Representative in Geneva declared which recommendations have been accepted or rejected by the Netherlands; see this UN document and this video. The two recommendations by the Human Rights Council that related to ethnic profiling and preventive body searches have both been accepted by the Netherlands under the following clarification:

ethnic profiling: "The Dutch government rejects the use of ethnic profiling for criminal investigation purposes as a matter of principle." About profiling in a more general sense: "In its recent proposal for a General Data Protection Regulation, the European Commission included rules on profiling that address problems that may arise due to the increasing technical possibilities for in-depth searches of databases containing personal data. The Netherlands endorses the need for clear legislative rules on this subject, given the specific challenges for privacy protection that this technology entails." (Source, 98.57 & n. 75).
- preventive body searches: "The power to stop and search is strictly regulated in the Netherlands. The mayor of a municipality may designate an area where, for a limited period of time, preventive searches may be carried out in response to a disturbance of or grave threats to public order due to the presence of weapons. The public prosecutor then has discretion to order actual body searches and searches of vehicles and luggage for weapons."
(Source, 98.74 & n. 95).

See also this statement by the Netherlands Committee of Jurists for Human Rights (Dutch abbreviation: NJCM) from this morning (video). Just like the NJCM, Privacy First regrets the lack of government consultation in the run up to today’s UPR session.

Below you can watch the 31 May 2012 UPR session in its entirety (click HERE for video segments of individual countries). 

Published in Law & Politics

The following article by Privacy First employee Vincent Böhre was published this month in the periodical De Filosoof (‘The Philosopher’, University of Utrecht). Tomorrow the Dutch Passport Act will be high on the Dutch political agenda: in a debate with the Minister of the Interior Liesbeth Spies the compulsory taking of fingerprints for Dutch passports and ID cards will be discussed. Privacy First has recently (again) emphasized to all political parties in the Dutch House of Representatives to have passports without fingerprints introduced as soon as possible and to make a request to the government to have the Passport Regulation revised at the European level. This in order for the compulsory taking of fingerprints to be done away with also for passports, or at least to become of a voluntarily nature. The text below offers a quick recap with a positive twist. A pdf version of the original article in Dutch can be found HERE (pp. 6-7).

The biometric passport as an unintended privacy gift

‘‘Late 2001, the Christian-democratic political party CDA proposed storing the fingerprints of every Dutch citizen through passports for criminal investigation purposes. However, this proposal was immediately scrapped by other political parties because it would lead to a Big Brother society. Nonetheless, an even more far-reaching proposal became law seven years later almost inconspicuously. Under the new Dutch Passport Act, apart from criminal investigation and prosecution, everyone’s fingerprints and facial scan (biometric data) could also be used for counter-terrorism, domestic and foreign State security, disaster control and personal identification. However, none of these legal purposes had been discussed in Parliament.[1] In fact, the new Passport Act was accepted by the Senate even without a vote. The media merely stood by and watched how it happened. How could things have gotten this far?

‘Bystander syndrome’

In a certain way the Passport Act was (and is) emblematic for the Dutch era after '9/11'. An era in which (presupposed) anti-terrorism measures could be steered through Parliament with the greatest of ease. After all, such measures would enhance our security, we were continuously told. By nature people are inclined to believe the authorities and to accept the status quo. From a human rights point of view, one could consider the post-9/11 era as a huge Milgram experiment: without too much resistance many human rights have for years been put to the rack of society. The realization of the new Passport Act is no exception. Every Member of the Senate could at least have made a request for a parliamentary vote. Journalists and scientists could have blown the whistle on time. Instead, they all stood there and watched since, of course, the law would make the Netherlands a ‘more secure’ place. But what was this assumption based on? Wasn’t the Netherlands actually going to be less secure by the massive storage of fingerprints in travel documents and affiliated databases? This question has never been asked in public, let alone discussed and answered.

Disproportionate

The prime argument by the Dutch government for the introduction of fingerprints in passports and ID cards has, since the late 90s, been the following: it would prevent look-alike fraud with travel documents. Look-alike fraud is a form of abuse whereby someone uses an authentic travel document of someone else to whom his or her appearance resembles. Questions about the scale of this type of fraud have hardly ever been asked in Parliament. From a recent FOIA-request filed by Privacy First, it appeared that we’re dealing with only a few dozen cases each year (with Dutch travel documents on Dutch territory).[2] In light thereof the introduction of fingerprints in travel documents of 17 million Dutch citizens is completely disproportionate. Not to mention the dozens, if not hundreds of millions of Euros that the government has spent on this project.

Risks

With the introduction of a ‘biometric identity infrastructure’ a new form of fraud comes to life that is extremely difficult to trace and combat: biometric identity fraud, for instance through hacking. Not just with guileless citizens and companies, but also in the public sphere (espionage). Moreover, it has been pointed out that in 21-25% of cases the biometric data in the chip of Dutch travel documents cannot be read (verified). So in the event of passport control, there is a high risk that citizens become unjustly suspected of fraud. The biometric passport is no good for combating terrorism either: terrorists generally use their own, authentic travel documents. Unfortunately, little is publicly known about the way security and intelligence agencies use biometrics, even though some purposes are easy to predict: identification of suspects unwilling to speak and ‘interesting’ persons in public space, the recognition of emotions, lie detection and the recognition or use of doubles. The same applies to the domain of criminal investigation and prosecution, also in conjunction with camera surveillance and automatic facial recognition. In addition, the RFID (Radio Frequency Identification)-aspect of the chip in the document enables it to be read from a distance: citizens can be identified and tracked without it being noticed. With regard to personal identification, one could think of the possible introduction of fingerprints at banks, social services, the internet, etc. (Since the end of last year, a Dutch pilot project with mobile finger scanners for the police is ongoing.) Finally, there’s the domain of fighting disasters: biometrics used for the identification of casualties in the event of large-scale disasters or as a logistic means. All in all these possibilities for the use of biometrics go dozens, if not a hundred steps beyond the mere combating of look-alike fraud with travel documents. One ought to realize that all of these possibilities will sooner or later be put into practice. In jargon this is called ‘function creep’; historically seen it’s inevitable. Scientific research into future applications of biometrics continuously takes place. What’s more, even in our part of the world a democratic constitutional State is no invariable matter of fact. It is therefore very dubious whether our world will become ‘more secure’ by the large-scale use of biometrics.  

Positive change

It is exactly this concern which brought about a small Dutch revolution in the summer of 2009: at the time, the enactment of the new Passport Act led to a torrent of criticism and to the coming into being of the current Dutch privacy movement. New privacy organizations such as Privacy First proliferated, social coalitions were forged and lawsuits against the new Passport Act were filed.[3] This boomerang effect within society continues to this day. Since that time the right to privacy is ever higher on the societal and political agenda. In that sense the biometric passport has so far proved to be an unintended gift from heaven.''



[1]
See Vincent Böhre, Happy Landings? Het biometrische paspoort als zwarte doos (Happy landings? The biometric passport as a black box), Wetenschappelijke Raad voor het Regeringsbeleid, WRR (Scientific Council for Government Policy) October 2010, http://www.wrr.nl/publicaties/publicatie/article/happy-landings-het-biometrische-paspoort-als-zwarte-doos-46/.
[2]
See Privacy First, Revealing figures about look-alike fraud with Dutch travel documents (20 March 2012).
[3]
See Böhre supra footnote 1, p. 111 ff.
Published in Meta-Privacy

Thanks to a FOIA-request by the Privacy First Foundation, the official figures about look-alike fraud with Dutch passports and ID-cards have today, for the first time, become public. From these figures it emerges that the Dutch biometric passport with fingerprints is an absolutely disproportionate measure, the introduction of which should never have been allowed.

The primary argument from the Dutch government for introducing fingerprints in passports and ID-cards has for years been the same: fighting look-alike fraud. Look-alike fraud is a form of abuse whereby someone uses an authentic travel document of someone else to whom his appearance resembles. This kind of swindler is also called an impostor. Questions about the scale of this type of fraud have hardly ever been asked, not by members of Dutch Parliament, nor by scientists or journalists. Those who raised a question about it in the last ten years were usually provided with an answer that left them none the wiser: figures about look-alike fraud would be ‘unknown’, ‘not publicly available’, ‘confidential’, or ‘secret’. The answer to the most recent parliamentary question in this respect dates back to October 2010:

- Question: ‘‘Is it true that the figures of look-alike fraud with ID documents are known, but that you are unwilling to provide them to the House of Representatives? Are you actually prepared to provide these figures to the House of Representatives?’’
- Answer by Dutch State Secretary Ank Bijleveld (Ministry of the Interior): ‘‘No, this is not true. Since such figures are unknown to me, it’s obvious I cannot send them to you.’’ (Dutch source)

Those who have been asking supplementary questions in recent years were often told we would be facing a massive phenomenon. In this way the idea of a 'dark figure' of crime of almost mythical proportions came into existence. That is to say, without any trace of evidence. So recently the Privacy First Foundation filed a FOIA-request to the department of the Dutch government that has been keeping track of the figures on look-alike fraud for years: the Dutch Expertise Centre on Identity fraud and Documents (Expertisecentrum Identiteitsfraude & Documenten, ECID) based at Schiphol Airport. The ECID falls under the Royal Netherlands Marechaussee (KMar) and is thus part of the Dutch Ministry of Defence. Privacy First knew from a reliable source that those figures could be found in the clear annual reports of the ECID from 2008 onwards. So recently we have simply made a request for those reports by email. Subsequently Privacy First received the Statistic Annual Overviews on Document Fraud (Statistische Jaaroverzichten Documentfraude) from 2008 to 2010 from the Ministry of Defence. (Update: the statistics from 2011 followed on 29 May 2012.) The following figures result from these annual reports relating to look-alike fraud with Dutch passports and ID-cards on Dutch soil:   

2008: 46 cases (source: Statistisch Jaaroverzicht Documentfraude 2008, p. 45)

2009: 33 cases (source: Statistisch Jaaroverzicht Documentfraude 2009, pp. 42-43)

2010: 21 cases (source: Statistisch Jaaroverzicht Documentfraude 2010, pp. 52-53)

2011: 19 cases (source: Statistisch Jaaroverzicht Documentfraude 2011, pp. 52-53).

The Netherlands has 17 million inhabitants. By now almost 7.5 million of those had their fingerprints taken to combat a handful of cases of look-alike fraud. By any standard this is a completely disproportionate situation and thereby forms a collective violation of the right to privacy of all Dutch citizens. Privacy First regards these figures as a strong backing in its lawsuit against the Dutch government regarding the new Dutch Passport Act and hereby makes a call to the government to immediately stop the compulsory taking of fingerprints for passports and ID-cards. Regardless of whether or not that’s against European policy.

Update 22 March 2012: At first Privacy First showed the numbers 63 (2009) and 52 (2010). However, those figures were based on a calculating error (they were counted twice), for which we apologise.  

Update 30 March 2012: internal documents from the Dutch Ministry of the Interior from 2004 also imply a relatively low figure for fraud and, moreover, high costs for introducing biometric technology in travel documents. Privacy First recently obtained these documents through a large-scale FOIA investigation that has been ongoing since April 2011.

Update 29 May 2012: Today Privacy First finally received the long-awaited Statistisch Jaaroverzicht Documentfraude 2011 from the Dutch Ministry of Defence. The number of cases of look-alike fraud with Dutch passports and ID-cards on Dutch soil (as far as the KMar is aware) according to this report were respectively... 11 and 8, so just 19 in total. We have updated the list of cases from 2008 to 2010 above with the figures from 2011. So the idea of look-alike fraud as a very small-scale phenomenon is once more confirmed. To burden the entire Dutch population with biometric passports and ID-cards as a countermeasure is and will be completely disproportionate and therefore unlawful.

Published in FOIA Requests

Today Privacy First sent the following email to the Electronic Health Record spokespersons in the Dutch House of Representatives: 

Dear Members of Parliament,

On Tuesday 13 December 2012 an important General Meeting with Minister Edith Schippers about the Electronic Health Record (Elektronisch Patiëntendossier, EPD) will take place. The Privacy First Foundation is keen to provide you with the following points of interest in order for you to prepare for and make possible contributions to the debate:

1) As far as Privacy First is aware, at the moment one is working towards an opportunistic spurious solution along private lines, namely a regional exchange of data through the National Switch Point (Landelijk Schakelpunt, LSP). By definition this leads to function creep by design. The digital ‘regional walls’ in and around the LSP can of course easily be circumvented or removed. Therefore the entire system can take on its old central form again at any given moment in the future, with all the privacy and security risks this entails.   

2) Those same risks around the LSP will neither be annulled by henceforth indicating the EPD as a ‘Personal Health Record’ (Persoonlijk Gezondheidsdossier, PGD). This is merely privacy by semantics which, moreover, has a misleading effect. Indeed, the infrastructure that’s behind the LSP remains virtually unchanged.

3) A privacy-friendly EPD first of all demands an independent Privacy Impact Assessment (PIA) by which various solutions characterized by privacy by design can be established. As long as such a PIA has not been conducted and subsequently evaluated in Parliament, no irrevocable steps regarding the design and possible extension of the EPD are to be taken. 

4) When further designing the EPD, it is absolutely key to leave space for research, innovation and competition. The recent DigiNotar affair shows that dependence on one party (or a select group of parties) is to be avoided. Apart from suboptimal, privacy-unfriendly products, this prevents cartel formations.

5) Apart from proper security, privacy-friendly transparency for patients also requires individual freedom of choice. Access by patients to their own records, for example, is not to be made dependent on the linking up with the LSP. Such access via the internet also creates new privacy related risks.

6) Within the governance structure around the EPD, independent privacy and security experts are to be appointed.

7) In terms of human rights the Netherlands continues to be unabatedly responsible for the protection of the medical privacy of its citizens, even in the event of a privatized EPD. At the initiative of Privacy First the Netherlands will have to be able to account for this in front of the United Nations Human Rights Council in May 2012.

Yours faithfully,

The Privacy First Foundation

Published in Medical Privacy

Unfortunately it has been on the cards for weeks. Now it seems it will happen after all: a private restart of the Dutch national Electronic Health Record (Elektronisch Patiëntendossier, EPD). Albeit under the name ‘personal health record’ (privacy by semantics), which at first will above all be used ‘regionally’ and only with the permission of each individual patient. However, the underlying infrastructure (National Switch Point, in Dutch: Landelijk Schakelpunt, LSP) is still national in orientation and was voted down unanimously by the Dutch Senate earlier this year due to privacy objections. So by now the private EPD looks suspiciously like a nuclear transport with the LSP as its radioactive cargo. In anticipation of this development, Privacy First has recently (shortly before the reporting deadline) raised some issues with the United Nations Human Rights Council in Geneva. At the end of May 2012, the Dutch human rights situation (including Dutch national privacy policy) will be on the agenda there. The Netherlands will then have to publicly explain which solutions it has found to still safeguard privacy around the EPD. For instance by implementing privacy by design in the coming months through technical compartmentalization, data minimalization, freedom of choice and transparency for patients. In that case perhaps the Netherlands will cut a good figure in Geneva after all...

Published in Medical Privacy

Privacy-wise these are turbulent times. Partly because of the pressure by Privacy First, a positive change is ongoing since last year. Privacy is higher up on the Dutch political agenda. Dutch media more often and more extensively report on privacy matters. This enhances privacy awareness among the Dutch population. It also reinforces our democratic constitutional State. Examples of positive developments are the abandonment of the electronic toll system (no ‘espionage units’ in cars), voluntary instead of compulsory ‘smart energy meters’, voluntary instead of compulsory body-scans at airports, abandonment of the storage of fingerprints under the Dutch Passport Act and the introduction of Privacy Impact Assessments for new legislation that invades the privacy of citizens. All of these developments go hand in hand with Privacy First’s motto: ‘‘your choice in a free society’’. Meanwhile, privacy restricting forces from the old days still have their say. Bad habits die hard. In recent months this became particularly obvious through developments towards a private restart of the Dutch Electronic Health Record (Elektronisch Patiëntendossier, EPD). Earlier this year the Senate had rightly binned the EPD. Apparently some policy makers and commercial parties are having none of this. With similar stubbornness others are currently trying to press through their old plans for Automatic Number Plate Recognition (ANPR) and camera surveillance along the Dutch border. These plans were already on the drawing board years ago, in a time in which privacy increasingly seemed to become a taboo. A time in which the American Bush administration was able to burden the entire European Union with biometric passports and associated databases. That time is over, but the heritage of that era still exerts its influence to this day...

In the meantime privacy is back where it once was. Privacy is the ‘‘new green.’’ In that respect advocates of the national EPD and ANPR are behaving like a bunch of old environmental polluters. They’re like rusty old factories from the 70s being teletransported to the year 2011, without them realizing it. The Dutch House of Representatives seemed to have a good sense for this when last week it unanimously accepted a motion about something that Privacy First has been emphasizing since its foundation: ‘‘Privacy by Design’’. In other words, incorporating privacy from scratch in a technical sense, at the micro level, through Privacy Enhancing Technologies (PET). In the view of Privacy First, however, the principle of ‘‘Privacy by Design’’ also applies to the meso- and macro-levels. That is to say, in an organizational and legislative sense. After all, this is the way you get to a privacy-friendly design as well as a privacy-friendly reality of a sustainable information society as a whole. Well, you can pursue your own line of thoughts here. As a source of inspiration Privacy First is pleased to provide the entire text of the parliamentary motion:

The House of Representatives,

on the advice of the deliberation,

considering that in ICT projects of the government there is too little attention for the protection of privacy and too little attention for the prevention of abuse of these systems;

considering that the privacy of citizens is not to be invaded any more than is strictly necessary and that insecure systems can put privacy in danger;

considering that systems that can easily be hacked seriously affect the reputation of government;

considering that modifying systems to safeguard privacy and enhancing security afterward, is usually more expensive and more often leads to a lower level of protection compared to when privacy and security are prerequisites from the outset of the project;  

requests the government to apply privacy by design and security by design in the development of all new ICT projects in order for new ICT systems to be more secure and better prepared against abuse and only to contain privacy-sensitive information when strictly necessary,

and proceeds to the order of the day.

Published in Law & Politics
Wednesday, 26 October 2011 16:15

Mobile finger scanners? Not in my backyard.

This summer it was already announced (and commented on by Privacy First) but yesterday it again popped up in the media: this fall four regional Dutch police forces will carry out a pilot experiment with mobile finger scanners to track down illegal immigrants. In official jargon this experimental project is called a ‘learning park’, according to a long-awaited response (after three months) to earlier Parliamentary questions. What will our friends at the police learn in the 'park' called the Netherlands? Privacy First sheds some light on a number of possible 'learning moments':

1) collectively intruding upon other people’s privacy and physical integrity by taking fingerprints of everyone who, in the eyes of the policeman, could perhaps be ‘illegal’,

2) this is very likely to go hand in hand with discriminatory enforcement, ethnic profiling and increasing stigmatization of certain societal groups,

3) initially the scanners will mostly be used for ‘illegal’ immigrants (undocumented migrants) but will then be used for other groups and eventually for every citizen, for instance for the collection of outstanding fines or tax debts (so-called 'function creep'),

4) this year it already appeared that the current state of biometric technology (with current error rates in passports and ID cards of at least 21%) is still in its infancy and isn’t suitable for use on a massive scale,

5) with all the consequences this entails, among which are unjustified suspicions, unjustified immigration detention placements, mutual feelings of insecurity and risks of irritation, confrontations and aggression on the streets,

6) all of this not even considering possible data leakages and hacking of the used equipment,

7) and all of this without public Privacy Impact Assessments and cost-benefit analysis of the matter in hand.

Hence, these mobile finger scanners are dangerous toys. Our advice: don’t start using them. This ‘learning park’ is nothing less than a privacy swamp.

Published in Biometrics

This week Big Brother suffered a well deserved defeat in the Dutch city of Groningen: an experiment with 'listening cameras' in the Groningen inner city has turned out to be a complete failure. The aim of the experiment was to be able to detect ‘deviant behavior’. However, this happens to be technically infeasible: the microphones mounted onto the cameras cannot even distinguish a fight from a scooter passing by. Mayor Peter Rehwinkel has therefore decided to get rid of the microphones.

The decision by the mayor fits into a current European trend: on behest of the European Parliament the flow of money to the European Big Brother-project INDECT has recently been called to a halt. This project too was intended for detecting ‘deviant behavior’. With it the police expected to be able to predict and prevent crimes, much like in the Hollywood film Minority Report.

We will now need to wait for the development of new software to detect deviant Big Brother behavior of policy makers. Privacy First will keep you posted...! ;)

Sources: Dutch newspaper Volkskrant, July 20Webwereld 8 June 2011.

Published in CCTV

This afternoon Privacy First sent the following letter to the Electronic Health Record spokespersons in the Dutch House of Representatives:

‘‘Dear Members of Parliament,

Recently the Senate, quite rightly, unanimously rejected the legislative proposal to introduce a national Electronic Health Record (Elektronisch Patiëntendossier, EPD), especially in light of the enormous privacy risks this EPD would entail. It is therefore with great concern that Privacy First has taken note of developments that indicate a possible restart of that very same EPD along a private, extra-parliamentary route. Such a restart is not only disdainful with regard to our democratic process, it is also a denial of the risks and worries on the basis of which a legal introduction of a national EPD recently did not go ahead. To this end, Privacy First makes an urgent appeal to you to call a halt to this development and to call the relevant persons in charge to account. From a privacy-legal point of view, Privacy First is of the opinion that the Dutch government remains unabatedly responsible for any privacy-infringements that will result from a private, national EPD, especially in light of the fact that such a system has been emphatically rejected by the Senate for privacy reasons.    

In line with the recently adopted Franken motion, in this respect Privacy First also urges you to have an independent, public Privacy Impact Assessment (PIA) carried out as soon as possible with regard to both 1) a national EPD as envisaged by the private parties involved as well as 2) possible alternatives for this national EPD. In carrying out this PIA, necessity, proportionality, subsidiarity and freedom of choice are to be guiding criteria. Privacy by design and privacy enhancing technologies, among which for instance technologically advanced patient cards or personal health records, are to fulfil an important role in such a PIA. Until the moment the PIA has been rounded off, no irreversible steps towards a private restart of the national EPD are to be taken.

In the view of Privacy First, the National Switch Point (Landelijk Schakelpunt, LSP) of the national EPD is to be transformed to small-scale, regional systems in accordance with the desire of the Senate. For regional exchange of data an LSP is unnecessary: to this end regional switch points are sufficient, possibly complemented by supra-regional 'push-communication'. This enhances security and reduces the risks of abuse that are inherent to a national EPD.’’

Published in Medical Privacy

On Tuesday 24 May 2011, the Dutch Senate accepted an important motion in which a number of privacy guarantees in new legislation are being confirmed and reinforced. The motion was accepted by an overwhelming majority (Dutch liberal party VVD was the only party to vote against). The previous week the motion was filed (during the Parliamentary debate about digital data processing) by senator Hans Franken (of the Christian-democratic party CDA) and even the Minister of the Interior and Kingdom Relations Piet Hein Donner (CDA) and the State Secretary for Security and Justice Fred Teeven (VVD) had remarked that ‘‘there are a lot of things in there that we can live with just fine’’. Even though formally the motion is not legally binding, part of its contents are and a great deal of political importance is accrued to it. The entire motion reads as follows: 

MOTION BY MEMBER OF THE SENATE FRANKEN AND OTHERS

Proposed 17 May 2011

The House of Representatives,

on the advice of the deliberation,

considering that the fundamental right to the protection of privacy is of great importance in our democratic constitutional State,

considering that there are tendencies to increase and reinforce possible limitations to this fundamental right in new legislation,

considering also that in the event of making new legislation, particular attention should be paid to the question whether or not limitations to the fundamental right to the protection of privacy are justified,

considering that in order to answer this question, it must subsequently be measured up against treaty obligations on the basis of the following criteria:

  • 1. The necessity, effectiveness and practicality of the measure,
  • 2. The proportionality; the infringement may not be greater than is strictly necessary,
  • 3. The results of a Privacy Impact Assessment, in order for the risks that the measure implies to be examined beforehand,
  • 4. The possibility of effective supervision and control of the bringing into practice of the measure, which is to be realized through audits by an independent supervisor,
  • 5. Limitations to the period of validity through a sunset clause or at least an evaluation clause,

requests the government to take the above mentioned criteria into consideration in the deliberation and decision-making process of developing legislative proposals in which there are limitations to the fundamental right to protection of privacy, and to report about this in the explanatory memorandum of the legislative proposal concerned,

and proceeds to the order of the day.

Signed by:

Franken (CDA)

Tan (PvdA)

Strik (GroenLinks)

Holdijk (SGP)

Slagter-Roukema (SP)

Staal (D66)

Published in Law & Politics
Page 4 of 5

Our Partners

logo Voys Privacyfirst
logo greenhost
logo platfrm
logo AKBA
logo boekx
logo brandeis
 
 
 
banner ned 1024px1
logo demomedia
 
 
 
 
 
Pro Bono Connect logo
Procis

Follow us on Twitter

twitter icon

Follow our RSS-feed

rss icon

Follow us on LinkedIn

linked in icon

Follow us on Facebook

facebook icon