Privacy-wise these are turbulent times. Partly because of the pressure by Privacy First, a positive change has been under way since last year. Privacy is higher up on the Dutch political agenda. Dutch media more often and more extensively report on privacy matters. This enhances privacy awareness among the Dutch population. It also reinforces our democratic constitutional State. Examples of positive developments are the abandonment of the electronic toll system (no ‘espionage units’ in cars), voluntary instead of compulsory ‘smart energy meters’, voluntary instead of compulsory body-scans at airports, abandonment of the storage of fingerprints under the Dutch Passport Act and the introduction of Privacy Impact Assessments for new legislation that invades the privacy of citizens. All of these developments go hand in hand with Privacy First’s motto: ‘‘your choice in a free society’’.

Meanwhile, privacy restricting forces from the old days still have their say. Bad habits die hard. In recent months this became particularly obvious through developments towards a private restart of the Dutch Electronic Health Record (Elektronisch Patiëntendossier, EPD). Earlier this year the Senate had rightly binned the EPD. Apparently some policy makers and commercial parties are having none of this. With similar stubbornness others are currently trying to press through their old plans for Automatic Number Plate Recognition (ANPR) and camera surveillance along the Dutch border. These plans were already on the drawing board years ago, in a time in which privacy increasingly seemed to become a taboo. A time in which the American Bush administration was able to burden the entire European Union with biometric passports and associated databases. That time is over, but the heritage of that era still exerts its influence to this day...

In the meantime privacy is back where it once was. Privacy is the ‘‘new green.’’ In that respect advocates of the national EPD and ANPR are behaving like a bunch of old environmental polluters. They’re like rusty old factories from the 70s being teletransported to the year 2011, without them realizing it. The Dutch House of Representatives seemed to have a good sense for this when last week it unanimously accepted a motion about something that Privacy First has been emphasizing since its foundation: ‘‘Privacy by Design’’. In other words, incorporating privacy from scratch in a technical sense, at the micro level, through Privacy Enhancing Technologies (PET). In the view of Privacy First, however, the principle of ‘‘Privacy by Design’’ also applies to the meso- and macro-levels. That is to say, in an organizational and legislative sense. After all, this is the way you get to a privacy-friendly design as well as a privacy-friendly reality of a sustainable information society as a whole. Well, you can pursue your own line of thoughts here. As a source of inspiration Privacy First is pleased to provide the entire text of the parliamentary motion:

The House of Representatives,

on the advice of the deliberation,

considering that in ICT projects of the government there is too little attention for the protection of privacy and too little attention for the prevention of abuse of these systems;

considering that the privacy of citizens is not to be invaded any more than is strictly necessary and that insecure systems can put privacy in danger;

considering that systems that can easily be hacked seriously affect the reputation of government;

considering that modifying systems to safeguard privacy and enhancing security afterward, is usually more expensive and more often leads to a lower level of protection compared to when privacy and security are prerequisites from the outset of the project;  

requests the government to apply privacy by design and security by design in the development of all new ICT projects in order for new ICT systems to be more secure and better prepared against abuse and only to contain privacy-sensitive information when strictly necessary,

and proceeds to the order of the day.

Published in Law & Politics

This week an important policy debate took place in the Dutch Senate with the Minister of the Interior and Kingdom Relations Piet Hein Donner (of the Christian-democratic party CDA) and the State Secretary for Security and Justice Fred Teeven (of the liberal party VVD) about ‘the role of the government in digital data processing’. In the week following up to the debate Privacy First had expressed its views to the Senate. We are pleased to see that many of our views have been accepted (and even literally copied by some parties) throughout the Senate and that even government members Donner and Teeven proved not to be insensitive to them. This goes for both classic rights and principles that need to be reconfirmed as well as some new starting points:

- the right to express, prior and fully informed consent of citizens in the use of their personal data, both by the government and corporations;

- strict purpose limitation and necessity when using personal data;

- the right of citizens to access, correction and deletion of their personal data;

- privacy, freedom of choice, transparency and effectiveness as leading principles in the drafting of new legislation;

- the importance of evaluation and sunset clauses in (new) legislation;

- public cost-benefit analyses;

- public disclosure of departmental feasibility studies, pilot projects and research reports;

- introduction of privacy impact assessments (PIAs) and privacy by design;

- support of the legislative process by means of expert meetings and external advice.

However, the statement by minister Donner that destroying the fingerprints which are stored by Dutch municipalities would still take months is a great disappointment. The same goes for the fact that there is still no ‘fingerprint-free’ ID card; this too could have been implemented a long time ago. Recently Privacy First urged the minister to execute this process as quickly as possible (be it through modifying relevant legislation or through technical modifications).

A draft report of the Parliamentary debate can be found HERE. Our own audio recordings of the debate can be downloaded HERE. A great number of interesting passages from the debate (both by Members of Parliament as well as members of the government) can be found HERE (in Dutch).

Published in Law & Politics

For the benefit of the policy debate in the Dutch Senate on 17 May 2011 about digital data processing the Privacy First Foundation today has sent the following focal points to Senate members. Privacy First hopes that these focal points will take on a guiding role in the debate between the members of the Senate and members of the Dutch government.

Privacy First’s motto is ‘‘your choice in a free society’’. For citizens, this translates into:

- the right to express, prior and fully informed consent of citizens in the use of their personal data, both by the government and corporations;

- any use of personal data is to be strictly necessary and purpose bound;

- citizens have the right to access, correction and deletion of their personal data at all times;

- relevant legislation needs to be known and to be accessible to citizens;

- no new legislation without prior democratic (public) debate.

For the government and Parliament, this translates into:

- privacy, freedom of choice, transparency and efficiency as guiding principles in the drafting of new legislation;

- a preference for formal laws instead of Orders in Council and ministerial regulations;

- no so-called ‘gold-plating’ (add-ons) in the implementation of European legislation;

- mandatory evaluation and sunset clauses;

- an integral approach by considering every new law in conjunction with other, already existing laws and treaties;

- an integral approach by considering all new technical applications in conjunction with other, already existing technical applications;

- public cost-benefit analyses;

- public disclosure of relevant official feasibility studies, pilot projects and research reports;

- making privacy impact assessments (PIAs), privacy by design and privacy enhancing technologies (PET) compulsory;

- support of the legislative process by means of expert meetings and external advice.

For further information or questions regarding the above Privacy First is available at all times.

Published in Law & Politics
Wednesday, 16 February 2011 19:38

Privacy First appeals in Passport Trial

On 2 February this year, the district court of The Hague gave its judgement in the civil lawsuit on the Dutch Passport Act which had been initiated by the Privacy First Foundation and 21 co-plaintiffs (citizens) against the Dutch government on 6 May 2010. The main request in this case is that the new Passport Act is to be declared unlawful on account of violating human rights, in particular the right to privacy. However, to the astonishment of many, the court declared both Privacy First as well as the 21 co-plaintiffs inadmissible. Hence the court didn’t proceed to the stage of dealing with the merits of the legal questions regarding the new Passport Act.

A striking aspect of the judgement is, first of all, how short it is. Privacy First cannot help thinking that the court wanted to be done with this case quickly. The court motivated its judgement by declaring that Privacy First would not have an interest of its own in this case and that for the co-plaintiffs (citizens) a legal avenue to an administrative judge would be all that remains. However, as a matter of fact, Privacy First as a relevant foundation has every interest in this case. What’s more, citizens are not in a position to (directly) object to the storage of fingerprints for their new passport or ID-card. Making such individual objections is only possible through time-consuming and cumbersome proceedings.

Privacy First has decided to appeal against the court’s judgement. On the basis of an analysis by our attorneys of SOLV we deem the judgement to be perfectly contestable, especially with regard to the inadmissibility of Privacy First as well as our co-plaintiffs. (This analysis is being shared by other legal experts.) The appeal will take place before the Court of Appeal in The Hague. Once the earlier judgement on inadmissibility has been overturned, the merits of the case can be dealt with there.

The press release by Privacy First announcing its appeal can be read HERE (Dutch pdf).

Update 17 February 2011: See also this article on Webwereld (in Dutch).

Published in Litigation
Tuesday, 14 December 2010 16:45

Vincent Böhre, Director and Legal advisor

Vincent Böhre studied International and European Law as well as Dutch Law at the University of Amsterdam. During his studies he worked as a researcher at the law firm Loyens & Loeff. He then worked at Amnesty International and was commissioned by the Scientific Council for Government Policy (WRR) to conduct a study into the Dutch biometric passport. In the field of the right to privacy and data protection, he has been active for several years at the Netherlands Committee of Jurists for Human Rights (NJCM). From 2010 - 2013 he was also chairman of the Dutch Platform for the Protection of Civil Rights (Platform Bescherming Burgerrechten).

Published in Organisation
Wednesday, 01 December 2010 10:27

Passport Trial photo series, November 29, 2010

Below is an extensive photo impression of the day of our Passport Trial at the Palace of Justice in The Hague. These pictures were taken by press photographer Guus Schoonewille of Fastfoto and can be used freely under the following title: "Privacy First Foundation, 29 November 2010, Trial against the new Passport Act. Photo: Guus Schoonewille". Click on the picture of your choice to see a larger version which you can download using your right mouse button.


Published in Press Materials
Monday, 29 November 2010 21:25

Hague impressions of the Passport Trial

Below is an extensive photo impression of the day of our Passport Trial at the Palace of Justice in The Hague. These pictures were taken by press photographer Guus Schoonewille of Fastfoto and can be used freely under the following title: "Privacy First Foundation, 29 November 2010, Trial against the new Passport Act. Photo: Guus Schoonewille". Click on the picture of your choice to see a larger version which you can download using your right mouse button.



Published in Litigation

Art photographer Maarten Tromp has made a beautiful photo series of the co-plaintiffs in our Passport Trial. Three of these photos are on the left and below in small size. A large number of pictures appeared on February 2, 2011 in Dutch newspaper NRC Next. The entire series of photographs can be seen on the website of Maarten Tromp.



Published in Litigation

On this page you can find up-to-date information and documents relating to the civil lawsuit (Passport Trial, 'Paspoortproces') that Privacy First has lodged against the Dutch government which, in this case, is being represented by the Dutch Ministry of the Interior and Kingdom Relations.

 

Current state of affairs

On 18 February 2014, Privacy First gained two important victories in the Passport trial: the Hague Court of Appeal declared Privacy First admissible after all and deemed the central storage of fingerprints under the Passport Act to be unlawful as it concerns a violation of the right to privacy; read our report about it and the whole ruling HERE. In May 2014, the Dutch government lodged an appeal at the Dutch Supreme Court against the ruling of the Hague Court: the government wanted Privacy First to be declared inadmissible once more and requested the Supreme Court to declare the central storage of fingerprints lawful after all.

On 19 May 2014, the State Attorneys submitted the appeal summons to the Supreme Court. On 21 November 2014, Privacy First et al. submitted their statement of defence against the appeal summons. The State Attorney, in turn, submitted a written explanation to its appeal summons. On 5 December 2014, Privacy First et al. submitted their written reply and rejoinder. Much earlier than expected, the Advocate General of the Supreme Court delivered his advice ('conclusion') in the case, upon which Privacy First et al. submitted a response letter ('Borgers brief') to the Supreme Court. No such letter was submitted by the Dutch State Attorney. Therefore, Privacy First has had the final say in this case. We will now have to wait for the Supreme Court ruling, which is expected later this year. In the appeal, Privacy First et al. are being represented by Alt Kam Boer Attorneys in The Hague.
 

Trial documents (in Dutch)

- Response letter ('Borgersbrief') from Privacy First and co-plaintiffs dated 6 March 2015, by Barbara van Dorp (Alt Kam Boer Attorneys); click HERE (pdf in Dutch).

- Advice from the Advocate General of the Supreme Court Jaap Spier dated 20 February 2015; click HERE (pdf in Dutch, 7 MB).

- Rejoinder from Privacy First and co-plaintiffs dated 5 December 2014, by Barbara van Dorp (Alt Kam Boer Attorneys); click HERE (pdf in Dutch).

- Reply from the State Attorneys Hans van Wijk and Gijsbrecht Nieuwland dated 5 December 2014; click HERE (pdf in Dutch).

- Written explanation to the appeal summons from the State Attorneys Hans van Wijk and Gijsbrecht Nieuwland dated 21 November 2014; click HERE (pdf in Dutch).

- Statement of Defence (written explanation) from Privacy First and co-plaintiffs dated 21 November 2014, by Barbara van Dorp (Alt Kam Boer Attorneys); click HERE (pdf in Dutch).

- Appeal Summons from State Attorneys Hans van Wijk and Gijsbrecht Nieuwland dated 19 May 2014; click HERE (pdf in Dutch).

- Ruling of the Hague Court of Appeal dated 18 February 2014; click HERE (pdf in Dutch), which was also published on rechtspraak.nl and in Jurisprudentie Bestuursrecht 2014/76, with annotation by professor R. Schutgens.

- Reply to the Statement of Appeal by the State Attorney Cécile Bitter dated 26 March 2013: click HERE (pdf in Dutch).

- Statement of Appeal by the Privacy First Foundation and co-plaintiffs, dated 18 December 2012: click HERE (pdf).

- Judgement by the district court of The Hague dated 2 February 2011: click HERE (pdf). LJN: BP2860. Annotations: JB 2011/78 by Prof. R. Schutgens, NJB 2011, No 15 (Kroniek Bestuursrecht, 'Chronicle of Administrative Law'), p. 939; NJB 2012/11 (Prof. T. Barkhuysen, Ruim baan voor belangenorganisaties, 'Make way for interest groups').

- Brief by Christiaan Alberdingk Thijm (SOLV Attorneys): click HERE (pdf).

- Brief by State Attorney Cécile Bitter: click HERE (pdf).

- Statement of Defence by State Attorney Cécile Bitter: click HERE (pdf).

- Summons of the State by the Privacy First Foundation, by Christiaan Alberdingk Thijm (SOLV Attorneys): click HERE (pdf).

- Pre-advice by Judith van Schie (Bousie Attorneys): click HERE (pdf).

 

Background: Legal grounds

The source for our current passport: EU Council Regulation (EC) No 2252/2004 of 13 December 2004 on standards for security features and biometrics in passports and travel documents issued by Member States: click HERE (pdf).

The EU rules for dealing with passport data: Directive 95/46/EC dated 24 October 1995 (European Privacy Directive): click HERE.

Jurisprudence: the famous Marper case. Is it lawful to store the fingerprints of someone who isn't being accused of anything? According to the European Court of Human Rights (ECHR), it isn't. For the judgment by the ECHR in Strasbourg in the case of S. and Marper vs. United Kingdom dated December 4, 2008, click HERE.

The Dutch Passport Act of 15 July 2009, in force as of 21 September 2009: click HERE (pdf). For the 2008 Explanatory Memorandum to the new Passport Act click HERE.
 

Background information: Reports & recommendations

In this section we present links to relevant reports.

In October 2010 the Scientific Council for Government Policy (Dutch abbreviation: WRR) published the report ‘Happy landings? The biometric passport as a black box’ by Mr. Vincent Böhre. Click HERE for this WRR publication (in Dutch). A month later a second, complementary WRR publication called ‘The biometric passport in The Netherlands, crash or soft landing’ by Mr. Max Snijder appeared; click HERE. These two publications are the most important official reports that for the greater part underwrite Privacy First’s argumentation. They make it unnecessary to refer to a whole range of other reports and recommendations concerning the passport and the Passport Act.

In the context of our lawsuit, on 20 January 2010 a meeting took place at the Dutch Ministry of the Interior between representatives of Privacy First and the Ministry. Click HERE for a record of this meeting.

On 14 July 2009 Justice Minister Hirsch Ballin was admonished by the United Nations Human Rights Committee in Geneva over the new Passport Act that had just been accepted. Afterwards he said that the inclusion of fingerprints in the passport wasn’t actually such a good idea. Read the article from Dutch newspaper NRC Handelsblad of 15 July 2009 HERE.

On 22 January 2009 the Dutch 'Brouwer Commission' released a report entitled ‘Gewoon Doen’ (which in Dutch can mean either "Act Normal" or "Just Do It"). Click HERE for the report or click HERE for the original internet location of publication. It is in this report that Privacy First found the inspiration and the necessity to effectively get things started.

Published in Litigation
Friday, 08 October 2010 22:17

The Fair Information Principles

The general philosophy of the Fair Information Principles

1. Notice/Awareness

The most fundamental principle is notice. Consumers should be given notice of an entity's information practices before any personal information is collected from them. Without notice, a consumer cannot make an informed decision as to whether and to what extent to disclose personal information. Moreover, three of the other principles discussed below -- choice/consent, access/participation, and enforcement/redress -- are only meaningful when a consumer has notice of an entity's policies, and his or her rights with respect thereto.

While the scope and content of notice will depend on the entity's substantive information practices, notice of some or all of the following have been recognized as essential to ensuring that consumers are properly informed before divulging personal information:

  • identification of the entity collecting the data;
  • identification of the uses to which the data will be put;
  • identification of any potential recipients of the data;
  • the nature of the data collected and the means by which it is collected if not obvious (passively, by means of electronic monitoring, or actively, by asking the consumer to provide the information);
  • whether the provision of the requested data is voluntary or required, and the consequences of a refusal to provide the requested information; and
  • the steps taken by the data collector to ensure the confidentiality, integrity and quality of the data.

Some information practice codes state that the notice should also identify any available consumer rights, including: any choice respecting the use of the data; whether the consumer has been given a right of access to the data; the ability of the consumer to contest inaccuracies; the availability of redress for violations of the practice code; and how such rights can be exercised.

In the Internet context, notice can be accomplished easily by the posting of an information practice disclosure describing an entity's information practices on a company's site on the Web. To be effective, such a disclosure should be clear and conspicuous, posted in a prominent location, and readily accessible from both the site's home page and any Web page where information is collected from the consumer. It should also be unavoidable and understandable so that it gives consumers meaningful and effective notice of what will happen to the personal information they are asked to divulge.

2. Choice/Consent

The second widely-accepted core principle of fair information practice is consumer choice or consent. At its simplest, choice means giving consumers options as to how any personal information collected from them may be used. Specifically, choice relates to secondary uses of information -- i.e., uses beyond those necessary to complete the contemplated transaction. Such secondary uses can be internal, such as placing the consumer on the collecting company's mailing list in order to market additional products or promotions, or external, such as the transfer of information to third parties.

Traditionally, two types of choice/consent regimes have been considered: opt-in or opt-out. Opt-in regimes require affirmative steps by the consumer to allow the collection and/or use of information; opt-out regimes require affirmative steps to prevent the collection and/or use of such information. The distinction lies in the default rule when no affirmative steps are taken by the consumer. Choice can also involve more than a binary yes/no option. Entities can, and do, allow consumers to tailor the nature of the information they reveal and the uses to which it will be put. Thus, for example, consumers can be provided separate choices as to whether they wish to be on a company's general internal mailing list or a marketing list sold to third parties. In order to be effective, any choice regime should provide a simple and easily-accessible way for consumers to exercise their choice.

In the online environment, choice easily can be exercised by simply clicking a box on the computer screen that indicates a user's decision with respect to the use and/or dissemination of the information being collected. The online environment also presents new possibilities to move beyond the opt-in/opt-out paradigm. For example, consumers could be required to specify their preferences regarding information use before entering a Web site, thus effectively eliminating any need for default rules.

3. Access/Participation

Access is the third core principle. It refers to an individual's ability both to access data about him or herself -- i.e., to view the data in an entity's files -- and to contest that data's accuracy and completeness. Both are essential to ensuring that data are accurate and complete. To be meaningful, access must encompass timely and inexpensive access to data, a simple means for contesting inaccurate or incomplete data, a mechanism by which the data collector can verify the information, and the means by which corrections and/or consumer objections can be added to the data file and sent to all data recipients.

4. Integrity/Security

The fourth widely accepted principle is that data be accurate and secure. To assure data integrity, collectors must take reasonable steps, such as using only reputable sources of data and cross-referencing data against multiple sources, providing consumer access to data, and destroying untimely data or converting it to anonymous form.

Security involves both managerial and technical measures to protect against loss and the unauthorized access, destruction, use, or disclosure of the data. Managerial measures include internal organizational measures that limit access to data and ensure that those individuals with access do not utilize the data for unauthorized purposes. Technical security measures to prevent unauthorized access include encryption in the transmission and storage of data; limits on access through use of passwords; and the storage of data on secure servers or computers that are inaccessible by modem.

5. Enforcement/Redress

It is generally agreed that the core principles of privacy protection can only be effective if there is a mechanism in place to enforce them. Absent an enforcement and redress mechanism, a fair information practice code is merely suggestive rather than prescriptive, and does not ensure compliance with core fair information practice principles.

 

 

The Fair Information Principles as put into Canadian Law

Click here for the source.

These principles are usually referred to as “fair information principles”.

They are included in the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s private-sector privacy law, and called "Privacy Principles".

Privacy Principles

Principle 1 — Accountability

An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with the following principles.

Principle 2 — Identifying Purposes

The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.

Principle 3 — Consent

The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.

Principle 4 — Limiting Collection

The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.

Principle 5 — Limiting Use, Disclosure, and Retention

Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfilment of those purposes.

Principle 6 — Accuracy

Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.

Principle 7 — Safeguards

Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

Principle 8 — Openness

An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.

Principle 9 — Individual Access

Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.

Principle 10 — Challenging Compliance

An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization’s compliance.

 

Published in Philosophy