Today, Privacy First sent the following plea to the Dutch House of Representatives:
Dear Members of Parliament,
It is with great disapproval that the Privacy First Foundation has taken note of the planned introduction of coronavirus entry passes for bars and restaurants, events and cultural institutions. This will lead to a division in society, exclusion of vulnerable groups and a massive violation of everyone’s right to privacy. Below, Privacy First will briefly explain this.
Serious violation of fundamental rights
The coronavirus entry pass (‘corona pass’) constitutes a serious infringement of numerous fundamental human rights, including the right to privacy, physical self-determination, bodily integrity and freedom of movement in conjunction with other classic human rights such as the right to participate in cultural life and various children’s rights such as the right to recreation. Any curtailment of these rights must be strictly necessary, proportionate and effective. In the case of the corona pass, however, this has not been demonstrated to date and the required necessity is simply being assumed in the public interest. More privacy-friendly alternatives to reopen and normalize society seem never to have been seriously considered. For these reasons alone, the corona pass cannot pass the human rights test and should therefore be repealed. In this context, Privacy First would also like to remind you of countries such as England, Belgium and Denmark where a similar pass was deliberately not introduced, or has been done way with not long after its introduction. In the Netherlands, there has been a great lack of support in recent days for the corona pas and many thousands of entrepreneurs have already let it be known that they will not cooperate. Privacy First therefore expects that the introduction of the corona pass will lead to massive civil disobedience and successful lawsuits against the Dutch government.
The introduction of the corona pass violates the general prohibition of discrimination, as it introduces a broad social distinction based on medical status. This puts a strain on social life and may lead to widespread inequality, stigmatization, social segregation and even possible tensions, as large groups in society will not (or not systematically) want to, or will not be able to get tested or vaccinated (for a variety of reasons), or obtain a digital test or vaccination certificate. During our National Privacy Conference in early 2021, Privacy First already took the position that the introduction of a mandatory ‘corona passport’ would have a socially disruptive effect. On that occasion, the Dutch Data Protection Authority, among others, explicitly took a stand against the introduction of such a passport. The aforementioned social risks apply all the more strongly to the vaccination coercion that is caused by the introduction of the corona pass. In this regard, Privacy First would like to remind you of the fact that both your House of Representatives and the Parliamentary Assembly of the Council of Europe have expressed their opposition to a direct or indirect vaccination requirement. In addition, the corona pass will have the potential to set precedent for other medical conditions and other sectors of society, putting pressure on a much wider range of socio-economic human rights. For these reasons, Privacy First calls on you to block the introduction of the corona pass.
Multiple privacy violations
From the perspective of the right to privacy, there are a number of yet other specific concerns and questions. First of all, the corona pass introduces a mandatory ‘health proof’ for participation in a large part of social life, in flagrant violation of the right to privacy and the protection of personal data. Through the mandatory display of an ID card in addition to the corona pass, an entirely new identification requirement is created in public places. The existing anonymity in the public space is thus removed, with all the dangers and risks that this entails. Moreover, this new identification requirement raises questions about the capacities of entrepreneurs to determine the identity of a person and to assess the state of health by means of the corona pass.
Moreover, the underlying legislation results in the inconsistent application of existing legislation with regard to the same act, i.e. testing, with far-reaching consequences on the one hand for an important attainment such as medical confidentiality and the public’s trust in that confidentiality, and on the other for the practical implementation of retention periods of the test results while the processing of these results does not change. After all, it is not the result of the test that should determine whether the registration of the testing falls under the Dutch Medical Treatment Agreement Act (‘Wgbo’, which requires medical confidentiality and a 20-year retention period) or the Dutch Public Health Act (‘Wpg’, which requires a 5-year retention period), but the act of testing itself. Besides, it is questionable why a connection was sought with the Wpg and/or Wgbo now that it is about obtaining a certificate for participation in society and it does not concern medical treatment (Wgbo) or public health tasks for that purpose. The only ground for processing personal data for the purpose of ascertaining the presence of the coronavirus and for breaching medical confidentiality, should be consent. However, in this case there cannot be the legally required freely given consent, since testing and vaccination will be a mandatory condition for participation in society.
Privacy requires clarity
Many other things are and remain unclear: what data will be stored, where, by whom and in which systems? To what extent will there be an international and European exchange of such data? Which parties with which purposes will have access to or will copy the data, or put these in huge new national databases together with our health data? Will we have constant personal localization and identification, or only occasional verification and authentication? Why can test results be kept for an unnecessarily long time? How great are the risks of hacking, data breaches, fraud and forgery? To what extent have decentralized, privacy-friendly technologies and privacy by design, open source software, data minimization and anonymization seriously been considered? How long will test certificates remain free of charge? Is work already underway to introduce an ‘alternative digital medium’ to the Dutch CoronaCheck app, namely a chip (card), with all the objections and risks that entails? Why has there been no independent Privacy Impact Assessment (PIA)? How many more times must the country accept emergency laws to close privacy leaks, when our overburdened and understaffed Data Protection Authority is already noting that there is no legal basis for the processing of the data concerned? How will unforeseen uses and abuses, function creep and profiling be prevented, and how is privacy oversight arranged? Will non-digital, paper alternatives remain available at all times? Why is the ‘yellow booklet’ not accepted as a privacy-friendly alternative, as it is in other countries? What happens with the test material – i.e. everyone’s DNA – at the various testing sites? And when will the corona pass be abolished? In other words, to what extent is this actually a ‘temporary’ measure?
In the view of Privacy First, the introduction of the corona pass will lead merely to an impractical burden on entrepreneurs, innumerable deficiencies and destruction of capital for society. Privacy First therefore requests that the members of the House of Representatives block the introduction of the corona pass. Failing to do so, Privacy First reserves the right to have the legislation introducing the corona pass reviewed against international and European law and declared inoperative by the courts. Preparations for such legal proceedings by us and many others are already underway.
Privacy First Foundation
 See National Privacy Conference 28 January 2021, https://youtu.be/asEX1jy4Tv0?t=9378, starting at 2h 36 min 18 sec.
 See Council of Europe, Parliamentary Assembly, Resolution 2361 (2021): Covid-19 vaccines: ethical, legal and practical considerations, https://pace.coe.int/en/files/29004/html, par. 7.3.1-7.3.2: ‘‘Ensure that citizens are informed that the vaccination is NOT mandatory and that no one is politically, socially, or otherwise pressured to get themselves vaccinated, if they do not wish to do so themselves; ensure that no one is discriminated against for not having been vaccinated, due to possible health risks or not wanting to be vaccinated.’’ See also, inter alia, Dutch House of Representatives, Motion by Member Azarkan on no corona vaccination requirement (28 October 2020), House of Representatives, 25295-676, https://zoek.officielebekendmakingen.nl/kst-25295-676.html: ‘‘The House of Representatives (...) expresses that there should never be a direct or indirect corona vaccination obligation in the future’’; Motion by Member Azarkan on access to public benefits for all regardless of vaccination or testing status (5 January 2021), House of Representatives 25295-864, https://zoek.officielebekendmakingen.nl/kst-25295-864.html: "The House of Representatives (...) requests the government to allow access to public benefits for all regardless of vaccination or testing status."
An earlier, similar version of this commentary appeared as early as March 2021: https://www.privacyfirst.eu/focus-areas/law-and-politics/695-privacy-first-position-concerning-the-dutch-draft-bill-on-covid-19-test-certificates.html.
The hearing at the court of appeal in The Hague in the proceedings of Privacy First against the register for Ultimate Beneficial Owners (UBO) is scheduled for Monday, 27 September 2021.
Following the very critical advice of the European Data Protection Supervisor (EDPS), the district court of The Hague confirmed on 18 March 2021 that there is every reason to doubt the validity of the European money laundering directives that form the basis for the UBO register. The judge ruled that it cannot be excluded that the highest European court, the Court of Justice of the EU (CJEU), will conclude that the public nature of the UBO register is not in line with the principle of proportionality. Since a Luxembourg local court has already refered questions about this to the CJEU, the Dutch court in summary proceedings did not find it necessary to ask questions about it as well. Privacy First has appealed the judgment in these summary proceedings, taking the case to the court of appeal of The Hague. Our appeal summons can be found here (pdf in Dutch).
Privacy First requests the court of appeal to ask preliminary questions on the UBO register to the European Court of Justice and calls for the suspension of the operation of the UBO register until these questions have been answered. Privacy First also asks the court to temporarily suspend the public accessibility of the UBO register, at least until the CJEU has ruled on this matter. The court of appeal's ruling is expected a few weeks after the hearing on 27 September 2021.
‘‘The UBO register will put privacy-sensitive data of millions of people up for grabs’’, Privacy First’s attorney Otto Volgenant of Boekx Attorneys comments. ‘‘There are doubts from all sides whether this is an effective tool in the fight against money laundering and terrorism financing. It’s like using a sledgehammer to crack a nut. The Court of Justice of the EU will ultimately rule on this. I expect that it will annul the UBO register – at least its public accessibility. Until then, I advise UBOs not to submit any data to the UBO register. Once data have been made public, they cannot be retrieved.’’
Background of the lawsuit against the UBO register
Privacy First is bringing a lawsuit against the Dutch government regarding the UBO Register which was introduced in 2020. In summary proceedings, the invalidity of the EU regulations on which the UBO register is based are being invoked. The consequences of this new legislation are far-reaching. After all, it concerns very privacy-sensitive information. Data about the financial situation of natural persons will be out in the open. More than 1.5 million legal entities in the Netherlands that are listed in the Dutch Trade Register will have to disclose information about their ultimate beneficial owners. The UBO register is accessible to everyone, for €2.50 per retrieval. This level of public accessibility is not proportionate.
On 24 June 2020, the Dutch ‘Implementation Act on Registration of Ultimate Beneficial Owners of Companies and Other Legal Entities’ entered into force. Based on this new Act, a new UBO register linked to the Trade Register of the Netherlands Chamber of Commerce will contain information on all ultimate beneficial owners of companies and other legal entities incorporated in the Netherlands. This information must indicate the interest of the UBO, i.e. 25-50%, 50-75% or more than 75%. In any case, the UBO’s name, month and year of birth as well as nationality will be publicly available for everyone to consult, with all the privacy risks this entails.
Since 27 September 2020, newly established entities must register their UBO in the UBO Register. Existing legal entities have until March 27 2022 to register their UBOs. The law gives only very limited options for shielding information. This is only possible for persons secured by the police, for minors and for those under guardianship. The result will be that the interests of almost all UBOs will become public knowledge.
European Anti-Money Laundering Directive
This new law stems from the Fifth European Anti-Money Laundering Directive, which requires EU Member States to register and disclose to the public the personal data of UBOs. The aim of this is to combat money laundering and terrorist financing. According to the European legislator, the registration and subsequent disclosure of personal data of UBOs, including the interest that the UBO has in a company, contributes to that objective. The public nature of the register would have a deterrent effect on persons wishing to launder money or finance terrorism. But the effectiveness of a UBO register in the fight against money laundering and terrorism has never been substantiated.
Massive privacy violation and fundamental criticism
The question is whether the means does not defeat the purpose. Registering the personal data of all UBOs and making it accessible to everyone is a blanket measure of a preventive nature. 99.99% of all UBOs have nothing to do with money laundering or terrorist financing. If it was in fact proportionate to collect information on UBOs, it should be sufficient if that information is available to those government agencies involved in combating money laundering and terrorism. Making the information completely public is going too far. The European Data Protection Supervisor already ruled that this privacy violation is not proportionate. But this opinion has not led to an amendment of the European directive.
Leading up to the the debate on this law in the Dutch House of Representatives, fundamental criticism came from various quarters. The business community agitated because it feared – and now experiences – an increase in burdens and perceives privacy risks. UBOs of family-owned companies that have remained out of the public eye up until now are running major privacy and security risks. There was also a great deal of attention for the position of parties that attach great importance to the protection of data subjects, such as church communities and social organizations. As for associations and foundations that do not have owners, things are cumbersome: they have to put the data that is already in the Trade Register in another register. Unfortunately, this has not led to any changes in the regulations.
Dutch investigative journalism platform Follow the Money looked into the social costs of the Dutch UBO register. Follow the Money writes: ‘‘The UBO register entails costs, hassle and sometimes slightly absurd bureaucracy for millions of entrepreneurs and directors. The Ministry of Finance reckons the total costs of the register for the business community is 99 million Euros. Another 9 million Euros must be added for one-time implementation costs. When lawyer Volgenant hears about this amount, he reacts with dismay: 'The total costs are much higher than I thought! If you extrapolate that to the whole EU, the costs are astronomical.’’’
Favourable outcome of lawsuit is likely
Privacy First has initiated a lawsuit against the UBO register for violation of the fundamental right to privacy and the protection of personal data. Privacy First requests the Dutch judiciary to render the UBO register inoperative in the short term and to submit preliminary questions on this subject to the Court of Justice of the European Union. It would not be the first time privacy-violating regulations are repealed by the courts, something that previous Privacy First lawsuits attest to.
The Dutch law and also the underlying European directive are in conflict with the European Charter of Fundamental Rights as well as the General Data Protection Regulation. The legislator has created these regulations, but it is up to the courts to conduct a thorough review of them. Ultimately the judge will have the final say. If the (European) legislator does not pay enough attention to the protection of fundamental rights, then the (European) judge can cast the regulations aside. The Court of Justice of the European Union has previously declared regulations invalid due to privacy violations, for example the Telecom Data Protection Directive and the Privacy Shield. The Dutch courts also regularly invalidate privacy-invading regulations. Privacy First has previously successfully challenged the validity of legislation, for example in the proceedings about the Telecommunications Data Retention Act and in the proceedings against SyRI. Viewed against this background, the lawsuit against the UBO register is considered very promising.
Update 27 September 2021: this afternoon the court session took place in The Hague; click HERE for the pleading of our lawyer (pdf in Dutch). The judgment of the court of appeal is scheduled for 16 November 2021.
The controversial and compulsory inclusion of fingerprints in passports has been in place in the EU since 2009. From that year on, fingerprints were also included in Dutch identity cards, even though under EU law there was no such obligation. While the inclusion of fingerprints in identity cards in the Netherlands was reversed in January 2014 due to privacy concerns, there is now new European legislation that will make the inclusion of fingerprints in identity cards compulsory as of August 2, 2021.
Dutch citizens can apply for a new identity card without fingerprints until August 2. After that, only people can do so who are ‘temporarily or permanently unable physically to have fingerprints taken’.
The Dutch Senate is expected to debate and vote on the amendment of the Dutch Passport Act in connection with the reintroduction of fingerprints in Dutch identity cards on July 13. In that context, Privacy First sent the following email to the Dutch Senate yesterday:
Dear Members of Parliament,
Since Privacy First was founded in 2008, we have opposed the mandatory collection of fingerprints for passports and identity cards. Since the introduction of the new Passport Act in 2009, Privacy First has done so through lawsuits, campaigns, freedom of information requests, political lobbying and by activating the media. Despite the subsequent Dutch discontinuation of the (planned) central storage of fingerprints in both national and municipal databases in 2011, everyone’s fingerprints are still taken when applying for a passport, and soon (as a result of the new European Regulation on ID cards) again for Dutch ID cards after this was retracted in 2014.
To date, however, the millions of fingerprints taken from virtually the entire adult population in the Netherlands have hardly been used in practice, as the biometric technology had already proven to be unsound and unworkable in 2009. The compulsory collection of everyone’s fingerprints under the Dutch Passport Act therefore still constitutes the most massive and longest-lasting privacy violation that the Netherlands has ever known.
Having read the current report of the Senate on the amendment of the Passport Act to reintroduce fingerprints in ID cards, Privacy First hereby draws your attention to the following concerns. In this context, we ask you to vote against the amendment of the law, in contravention of European policy. After all:
- As early as May 2016, the Dutch Council of State (Raad van State) ruled that fingerprints in Dutch identity cards violated the right to privacy due to a lack of necessity and proportionality, see https://www.raadvanstate.nl/pers/persberichten/tekst-persbericht.html?id=956 (in Dutch).
- Freedom of information requests from Privacy First have revealed that the phenomenon to be tackled (look-alike fraud with passports and identity cards) is so small in scale that the compulsory collection of everyone’s fingerprints is completely disproportionate and therefore unlawful. See: https://www.privacyfirst.nl/rechtszaken-1/wob-procedures/item/524-onthullende-cijfers-over-look-alike-fraude-met-nederlandse-reisdocumenten.html.
- In recent years, fingerprints in passports and identity cards have had a biometric error rate as high as 30%, see https://zoek.officielebekendmakingen.nl/kst-32317-163.html (Dutch State Secretary Teeven, January 31, 2013). Before that, Minister Donner (Security & Justice) admitted an error rate of 21-25%: see https://zoek.officielebekendmakingen.nl/kst-25764-47.html (April 27, 2011). How high are these error rates today?
- Partly because of the high error rates mentioned above, fingerprints in passports and ID cards are virtually not used to date, either domestically, at borders or at airports.
- Because of these high error percentages, former Dutch State Secretary Bijleveld (Interior and Kingdom Relations) instructed all Dutch municipalities as early as September 2009 to (in principle) refrain from conducting biometric fingerprint verifications when issuing passports and identity cards. After all, in the event of a ‘mismatch’, the ID document concerned would have to be returned to the passport manufacturer, which would lead to rapid societal disruption if the numbers were high. In this respect, the Ministry of the Interior and Kingdom Relations was also concerned about large-scale unrest and even possible violence at municipal counters. These concerns and the instruction of State Secretary Bijleveld still apply today.
- Since 2016, several individual Dutch lawsuits are still pending at the European Court of Human Rights in Strasbourg, challenging the mandatory issuing of fingerprints for passports and ID cards on the grounds of violation of Art. 8 ECHR (right to privacy).
- In any case, an exception should be negotiated for people who, for whatever reason, do not wish to give their fingerprints (biometric conscientious objectors, Art. 9 ECHR).
- Partly for the above reasons, fingerprints have not been taken for the Dutch identity card since January 2014. It is up to your Chamber to maintain this status quo and also to push for the abolition of fingerprints for passports.
For background information, see the report ‘Happy Landings' by the Scientific Council for Government Policy (WRR) that Privacy First director Vincent Böhre wrote in 2010. Partly as a result of this critical report (and the large-scale lawsuit brought by Privacy First et al. against the Passport Act), the decentralized (municipal) storage of fingerprints was largely abolished in 2011 and the planned central storage of fingerprints was halted.
For further information or questions regarding the above, Privacy First can be reached at any time.
The Privacy First Foundation
As an NGO that promotes civil rights and privacy protection, Privacy First has been concerned with financial privacy for years. Since 2017, we have been keeping close track of the developments surrounding the second European Payment Services Directive (PSD2), pointing out the dangers to the privacy of consumers. In particular, we focus on privacy issues related to ‘account information service providers’ (AISPs) and on the dangerous possibilities offered by PSD2 to process personal data in more extensive ways.
At the end of 2017, we assumed that providing more adequate information and more transparency to consumers would be sufficient to mitigate the risks associated with PSD2. However, these risks turned out to be greater and of a more fundamental nature. We therefore decided to launch a bilingual (Dutch & English) website called PSD2meniet.nl in order to outline both our concerns and our solutions with regard to PSD2.
Central to our project is the Don’t-PSD2-Me-Register, an idea we launched on 7 January 2019 in the Dutch television program Radar and in this press release. The aim of the Don’t-PSD2-Me-Register is to provide a real tool to consumers with which they can filter out and thus protect their personal data. In time, more options to filter out and restrict the use of data should become available. With this project, Privacy First aims to contribute to positive improvements to PSD2 and its implementation.
Protection of special personal data
In this project, which is supported by the SIDN Fund, Privacy First has focused particularly on ‘special personal data’, such as those generated through payments made to trade unions, political parties, religious organizations, LGBT advocacy groups or medical service providers. Payments made to the Dutch Central Judicial Collection Agency equally reveal parts of people’s lives that require extra protection. These special personal data directly touch upon the issue of fundamental human rights. When consumers use AISPs under PSD2, their data can be shared more widely among third parties. PSD2 indirectly allows data that are currently protected, to become widely known, for example by being included in consumer profiles or black lists.
The best form of protection is to prevent special personal data from getting processed in the first place. That is why we have built the Don’t-PSD2-Me-Register, with an Application Programming Interface (API) – essentially a privacy filter – wrapped around it. With this filter, AISPs can detect and filter out account numbers and thus prevent special personal data from being unnecessarily processed or provided to third parties. Moreover, the register informs consumers and gives them a genuine choice as to whether or not they wish to share their data.
We have outlined many of the results we have achieved in a Whitepaper, which has been sent to stakeholders such as the European Commission, the European Data Protection Board (EDPB) and the Dutch Data Protection Authority. And of course, to as many AISPs as possible, because if they decide to adopt the measures we propose, they would be protecting privacy by design. Our Whitepaper contains a number of examples and good practices on how to enhance privacy protection. Among other things, it lays out how to improve the transparency of account information services. We hope that AISPs will take the recommendations in our Whitepaper to heart.
Our Application Programming Interface (API) has already been adopted by a service provider called Gatekeeper for Open Banking. We support this start up’s continued development, and we make suggestions on how the privacy filter can be best incorporated into their design and services. When AISPs use Gatekeeper, consumers get the control over their data that they deserve.
Knowing that the European Commission will not be evaluating PSD2 until 2022, we are glad to have been able to convey our own thoughts through our Whitepaper. Along with the API we have developed and distributed, it is an important tool for any AISP that takes the privacy of its consumers seriously.
Privacy First will continue to monitor all developments related to the second Payment Services Directive. Our website PSD2meniet.nl will remain up and running and will continue to be the must-visit platform for any updates on this topic.
A Dutch court has today handed down a judgment in preliminary injunction proceedings brought by Privacy First concerning the UBO register. The district court of The Hague confirmed that there is every reason to doubt the legality of the European money laundering directives which are the foundation of the UBO register. On this point the judge follows the very critical opinion of the European Data Protection Supervisor. The interim proceedings court rules that it cannot be excluded that the Court of Justice of the European Union (CJEU) will come to the conclusion that the public character of the UBO register is at odds with the proportionality principle. Questions over its legality were recently referred to the CJEU by a Luxembourg national court. As such, the Dutch court felt there is no need to do the same.
Privacy First had also requested a temporary deactivation of the UBO register. This, however, is a step too far for the court, which states that deactivating the register is not possible as long as the underlying EU guideline is still in force. It would put the Netherlands in a position in which it operates in violation of the European guideline. With this claim, the judge says, Privacy First is getting ahead of itself. Privacy First will examine the ruling on this point, also in view of possibly going into appeal.
‘The introduction of the UBO register would mean that privacy-sensitive data of millions of people will be up for grabs’, comments Privacy First’s attorney Otto Volgenant of Boekx Attorneys.’On all sides there are strong doubts whether this is actually an effective means in the fight against money laundering and terrorism. It’s like using a sledgehammer to crack a nut. The Court of Justice of the European Union will eventually adjudicate the case, and I expect it will annul the UBO register.’
At the start of this year, the Privacy First Foundation initiated fundamental legal action against the Dutch government on account of the new UBO register, which is linked to the Trade Register of the Dutch Chamber of Commerce. Under the law the UBO register is based on, all 1.5 million Dutch legal entities that are included in the Trade Register will have to make public all sorts of privacy-sensitive data about their Ultimate Beneficial Owners. This concerns personal data of millions of directors, shareholders and high executives of companies (including family businesses), foundations, associations, churches, social organizations, charities, etc. Privacy First deems that this is a massive privacy violation, one which also creates personal safety risks. That is why Privacy First has asked the court to immediately declare the UBO register unlawful. A lot of information in the register will be publicly available and can be requested by anyone. In Privacy First’s opinion this is completely disproportionate and an infringement of European privacy law. The CJEU will examine whether the European legislation on which the UBO register is based violates the fundamental right to privacy.
The ruling (in Dutch) by the interim proceedings court can be found here: http://deeplink.rechtspraak.nl/uitspraak?id=ECLI:NL:RBDHA:2021:2457.
Update 15 April 2021: yesterday Privacy First filed an urgent appeal against the entire judgment with the Court of Appeal of The Hague. The appeal subpoena can be found HERE (pdf in Dutch). Privacy First requests the Court, inter alia, to ask preliminary questions about the UBO register to the European Court of Justice and to suspend the UBO register until these questions are answered. In view of the major interests at stake, Privacy First hopes that the Court of Appeal of The Hague will hear this case as soon as possible.
Update 17 August 2021: the court hearing in the urgent appeal of Privacy First against the judgment will take place on Monday 27 September at the Court of Appeal in The Hague.
Privacy First initiates legal action against the Dutch government on account of the recently-introduced UBO register. The preliminary injunction proceedings point at the invalidity of the legislation on which this register is based. The consequences of this new piece of legislation are far-reaching as the register contains very privacy-sensitive information. Data relating to the financial situation of natural persons will be up for grabs. More than 1.5 million legal entities that are registered in the Dutch Trade Register will have to make public details about their Ultimate Beneficial Owners (UBOs). The UBO register is publicly accessible: a request for information costs €2.50.
The UBO register aims to prevent money laundering but will lead to defamation.
The privacy breach that is the result of the UBO register and the public accessibility of sensitive data are disproportionate. The goal of the register is to thwart money laundering and terrorist financing. In order to achieve this goal there is no need for a UBO register, at least not one that is publicly accessible.
That is why Privacy First wants the UBO register to be rendered inoperative by a court, which, in case necessary, should submit questions of interpretation to the highest court in Europe: the European Court of Justice. In cases like these, the judiciary will have the final say. It is not uncommon for a court to overrule privacy-violating legislation and in this respect, Privacy First’s litigation has been successful in the past.
The proceedings will take place before The Hague District Court on 25 February 2021 at 12pm. The entire summons can be found HERE (pdf in Dutch). The ruling will follow two or three weeks after the hearing.
Background of the UBO register case
On 24 June 2020, the Dutch ‘Implementation Act for the Registration of Ultimate Beneficial Owners of Companies and Other Legal Entities’ came into effect in the Netherlands. On the basis of this new Act, a new UBO register which is linked to the Commercial Register of the Dutch Chamber of Commerce will contain information about all ultimate beneficial owners of companies and other legal entities founded in the Netherlands. The register should indicate how many shares are owned by the UBO: 25-50%, 50-75% or more than 75%. Furthermore, the name, month and year of birth as well as the nationality of the UBO will be made public, with all the privacy risks this entails.
Since 27 September 2020, newly founded entities have to register the ultimate beneficial owners in the UBO register. Existing legal entities will have to do so before 27 March 2022.
The Act provides very few possibilities to safeguard information. This is possible only for persons that are protected by the police, minors and those placed under guardianship. This means that the shares of practically every UBO will become a matter of public record. Anyone has access to the UBO register, with extracts coming at a price of €2.50.
European money laundering directive
The new Act stems from the fifth European money laundering directive, which obliges EU Member States to register UBOs and disclose their details to the public. According to the European legislator, this contributes to the proclaimed objective of countering money laundering and terrorist financing. The transparency is supposed to be a deterrent for persons who set out to launder money or finance terrorism.
Massive privacy violation and fundamental criticism
The question is whether this produces a windfall effect. Registering the personal data of all UBOs and making these publicly available is a generic precautionary measure. 99.99% of UBOs have nothing to do with money laundering or terrorist financing. Even if it were proportionate to collect information on all UBOs, making that information available only to government agencies engaged in combating money laundering and terrorism should suffice. It is not appropriate to disclose that information to everyone. The European Data Protection Supervisor (EDPS) deemed this privacy violation to be disproportionate. This opinion, however, did not lead to an amendment of the European Directive.
When this Act was discussed in Dutch Parliament, fundamental criticism came from various corners of society. The business community made its voice heard because it perceived privacy risks and feared − and now indeed experiences − an increase in costs. UBOs of family-owned companies that have remained out of the public eye up until now are running major privacy and security risks. There was also a great deal of attention for the position of social organizations − such as church communities and NGOs − that attach great importance to the protection of those affiliated with them. Associations and foundations that do not have owners face a different burden: they have to put the data that are already in the Trade Register in yet another register. Unfortunately these complaints have not resulted in any changes to the legislation.
Legal proceedings look promising
Privacy First has initiated legal proceedings against the UBO register for violation of the fundamental right to privacy and the protection of personal data. Privacy First asks the Dutch court to render the UBO register inoperative in the short term and, if necessary, to submit questions of interpretation on this matter to the highest court in Europe, the Court of Justice of the European Union.
The Dutch Act as well as the underlying European directive are in conflict with both the European Charter of Fundamental Rights and the GDPR. It is the legislator who has created this legislation, but it will be up to the court to do a thorough review thereof. Ultimately, the court has the last word. If the (European) legislator fails to take adequate account of the protection of fundamental rights, then the (European) court can invalidate this legislation. This would not be unique. The Court of Justice of the European Union has previously declared legislation invalid due to privacy violations, for example the Data Retention Directive and, more recently, the Privacy Shield. Dutch courts too regularly annul privacy-invading regulations. Privacy First has previously successfully challenged the validity of legislation, for example in the proceedings concerning the Telecommunications Data Retention Act and the System Risk Indication (SyRI). Viewed against this background, a positive outcome in the case against the UBO register is all but unlikely.
Today an important debate will take place in the Dutch House of Representatives about the introduction of Passenger Name Records (PNR): the large scale, years-long storage of all sorts of data of airline passengers, supposedly to fight crime and terrorism. Privacy First has major objections and at the end of last week has sent the following letter to the House. Today’s parliamentary debate was first scheduled to take place on 14 May 2018, but was cancelled (following a similar letter from Privacy First) until further notice. Following new parliamentary questions, the debate will now take place today after all. Here is the full text of our most recent letter:
Dear Members of the House of Representatives,
On Monday afternoon, this 11 March, you will discuss the Dutch implementation of the European directive on Passenger Name Records (PNR) with minister Grapperhaus (Justice and Security). In Privacy First’s view, both the European PNR directive as well as the Dutch implementation thereof are legally untenable. We shall here briefly elucidate our position.
Under the minister’s legislative proposal concerning PNR, numerous data of every single airline passenger travelling to or from the Netherlands will be stored for five years in a central government database of the new Passenger Information Unit and will be used to prevent, investigate and prosecute crimes and terrorism. Sensitive personal data (such as names, addresses, telephone numbers, email addresses, dates of birth, travel data, ID document numbers, destinations, fellow passengers and payment data) of many millions of passengers will, as a result, become available for many years for the purpose of data mining and profiling. In essence, this means that every airline passenger will be treated as a potential criminal or terrorist. In 99.9% of all cases, however, this concerns perfectly innocent citizens, mainly holidaymakers and business travellers. This is a flagrant breach of their right to privacy and freedom of movement. Last year, Privacy First had already made these arguments in the Volkskrant and on BNR Nieuwsradio. Because of privacy objections, in recent years there has been a lot of political resistance to such large scale PNR storage of data, which has been rejected by both the House of Representatives as well as the European Parliament on several occasions since 2010. In 2015, Dutch ruling parties VVD and PvdA were absolutely opposed to PNR as well. Back then, they called it a ‘holiday register’ and they themselves threatened to take to the European Court of Justice in case the PNR directive would be adopted. However, after the attacks in Paris and Brussels, it seemed that many political restraints had evaporated and in 2016, the PNR directive finally came about after all. Up to now however, the legally required necessity and proportionality of this directive have still to be demonstrated.
In the summer of 2017, the European Court of Justice issued an important ruling with regard to the similar PNR agreement between the EU and Canada. The Court declared this agreement invalid because it violates the right to privacy. Among other things, the Court held that the envisaged agreement must, “limit the retention of PNR data after the air passengers’ departure to that of passengers in respect of whom there is objective evidence from which it may be inferred that they may present a risk in terms of the fight against terrorism and serious transnational crime.” (See Opinion 1/15 (26 July 2017), par. 207.) Ever since this ruling, the European PNR directive is a legal uncertainty. Therefore, the Dutch government has valid ‘‘concerns about the future viability of the PNR directive” (see Note in response to report, p. 23, in Dutch). Privacy First expects that the current PNR directive will soon be submitted to the European Court of Justice for judicial review and will then be declared unlawful. Subsequently, a situation will arise that is similar to the one we have witnessed a few years ago with regard to the European Telecommunications Data Retention Act: as soon as this European directive will be annulled, the Dutch implementing provisions will equally be invalidated in interim injunction proceedings.
The current Dutch PNR legislative proposal seems unlawful a priori because of a lack of demonstrable necessity, proportionality and subsidiarity. The legislative proposal comes down to mass surveillance of mostly innocent citizens; in the 2016 Tele2 case the European Court already ruled that this type of legislation is unlawful. Thereupon the Netherlands pledged before the UN Human Rights Council “to ensure that the collection and maintenance of data for criminal [investigation] purposes does not entail massive surveillance of innocent persons.” The Netherlands now seems to renege on that promise. After all, a lot of completely unnecessary data of every airline passenger will be stored for years and can be used by various Dutch, European and even non-European government agencies. Moreover, the effectiveness of PNR has to date never been demonstrated, the minister himself affirmed: ‘‘There is no statistical support” (see Note in response to report, p. 8, in Dutch). The risk of unjust suspicion and discrimination (due to fallible algorithms used for profiling) under the proposed PNR system is serious, which also increases the likelihood of delays and missed flights for innocent passengers. All the while, wanted persons will often stay under the radar and choose alternative travel routes. Furthermore, the legislative proposal entirely fails to address the role and capabilities of secret services, which will be granted secret and shielded access to the central PNR database under the new Dutch Intelligence and Security Services Act. However, the most questionable aspect of the Dutch PNR legislative proposal is that it goes even two steps further than the European PNR directive itself: After all, it is the Dutch government's own decision to also store the data of passengers on all intra-EU flights. This is not obligatory under the PNR directive, and the Netherlands could have limited this to preselected flights (judged to be at risk) only. This would have been in line with the advice of most experts in this field who argue for targeted actions as opposed to mass surveillance. In other words, to focus on persons with a reasonable suspicion about them, in accordance with the principles of our democracy under the rule of law.
Privacy First Advice
Privacy First strongly advises you to reject the current legislative proposal and to replace it with a privacy-friendly version. In case this will lead to the European Commission referring the Netherlands to the European Court of Justice due to a lack of implementation of the present PNR directive, Privacy First would be confident this would end in a clear victory for the Netherlands. EU Member States simply cannot be expected to implement privacy-violating EU rules. This applies equally to the national implementation of relevant resolutions of the UN Security Council (in this case UNSC Res. 2396 (2017)) which is similarly at odds with international human rights law. In this respect, Privacy First has already warned of the abuse of the Dutch TRIP system (which is also used for PNR) by other UN Member States. In this regard, the Netherlands has its own responsibility under the Dutch Constitution as well as under international law.
Privacy First Foundation
Update 19 March 2019: Regrettably, today the House of Representatives has adopted the legislative proposal almost unchanged; only GroenLinks, SP, PvdD and Denk voted against. Unfortunately, a motion by GroenLinks and SP to provoke legal action by the European Commission against the Dutch government about the PNR directive was rejected. The only bright spot is the widely adopted motion for the judicial reassessment and possible revision of the PNR directive at a European political level. (Only PVV and FvD voted against this motion.) Next stop: the Senate.
Update 4 June 2019: despite sending the above letter for a second time and despite other critical input by Privacy First, the Senate today has unfortunately adopted the legislative proposal. Only GroenLinks, PvdD and SP voted against. Even in spite of the enormous error rates (false positives) of 99.7% that recently came to light in the comparable German PNR system, see https://www.sueddeutsche.de/digital/fluggastdaten-bka-falschtreffer-1.4419760. Meanwhile, large scale cases have been brought against the European PNR directive in Germany and Austria in order for the European Court of Justice to nullify it on account of violations of the right to privacy, see the German-English campaign website https://nopnr.eu and https://www.nrc.nl/nieuws/2019/05/15/burgers-in-verzet-tegen-opslaan-passagiersgegevens-a3960431. As soon as the European Court rules that the PNR directive is unlawful, Privacy First will start interim injunction proceedings in order for the Dutch PNR law to be rendered inoperative. Moreover, yesterday Privacy First has put the PNR law on the agenda of the UN Human Rights Committee in Geneva. On 1 and 2 July 2019, the overall human rights situation in the Netherlands (including violations of the right to privacy) will be critically reviewed by this Committee.
The Dutch Ministry of Finance is about to oblige companies to export personal data on a large scale. The measure is hidden in a subordinate clause of a letter from the Minister of Finance, although it has major consequences. The measure obliges companies that trade in 'virtual assets' (such as bitcoins, real estate, but also purchases in computer games) to include personal data of customers in the transaction records and messages. The information from all parties involved needs to remain visible and available to everyone in the value chain.
Consumers, companies and citizens cannot object to this mandatory addition of their personal data. The topic is not receiving the proper amount of political attention because it is presented as a technical measure. In his letter to Dutch Parliament of 21 March 2019, the Minister fails to point out the large scope and impact. It is, however, suggested that a consultation round will take the market responses to the envisaged rules onboard.
Privacy First and VBNL (United Bitcoin Companies Netherlands) have meanwhile understood that the worldwide objections to the proposed measure are being ignored. That is why they are today sending an urgent letter to the Dutch Minister of Finance. They ask him to study the issue better, with all relevant Ministries and in particular: to better inform Parliament. In doing so, they point to the conflicts of law that may arise as the measure may well violate international agreements and treaties that protect privacy.
Where it is known that consumers are very reluctant to make their own data available to private and commercial institutions, the government must be similarly reluctant on their behalf. Privacy First finds it extremely unfortunate that the Ministry of Finance seems to intend to give this all-in permission for unbridled export of personal data without giving it proper attention and without applying due process.
There is no merit to the claim that the measure is required for counter-terrorism purposes. Experts at Europol (!) indicate that the international proposal is "overkill" and not necessary for investigative purposes. The rule adds nothing to the existing European framework against money laundering and terrorist financing and only increases the risk of unwanted data breaches.
Privacy First and VBNL hope that their letter will make Dutch Parliament aware that this is a proposal that goes far beyond the much-debated access-regime of the recent second European Payment Services Directive (PSD2). With PSD2, consumers can decide to share data themselves. With this proposal, they will become deprived of that fundamental right for all kinds of economic acts. Privacy First and VBNL are calling on parliamentarians to protect consumers and businesses against this unnecessary planned measure.
The letter can be downloaded here (pdf).
PSD2 opt-out register
Is it possible to have innovation in the field of payment data while preserving privacy? Under the new European banking law PSD2, payment data can be shared with non banking parties. The legislator has, however, failed to implement privacy by design. Therefore, the Privacy First Foundation has taken the initiative to launch a PSD2 opt-out register in the Netherlands. We are happy to report that the SIDN Fund is supporting us in this. With this opt-out register bank account numbers can be filtered. This can be useful in case bank account numbers are linked to sensitive personal data, such as a payment to a trade union, a healthcare insurer, a political party or an organization that reveals one’s sexual preference. It can also be useful when consumers wish to filter their contra accounts. The Dutch PSD2 opt-out register could become trendsetting at a European level.
Source: https://www.sidnfonds.nl/nieuws/de-eerste-pioniers-van-2019, 22 May 2019 (in Dutch).
Follow https://psd2meniet.nl for updates and become a member of our PSD2 Privacy Panel! (in Dutch)
For all its projects and affiliated activities, Privacy First is largely dependent on donations. The more financial support and donations we receive, the sooner Privacy First will be able to launch the PSD2 opt-out register.
Writing a New Year’s Column about the state of affairs concerning the protection of everyone’s privacy weighs me down this year. With the exception of a few bright spots, privacy in the Netherlands and the rest of the world has greatly deteriorated. For a while it seemed that the revelations of Edward Snowden in 2013 about secret services tracking everyone’s online behavior would be a rude wake-up call for the world. It was thought that an increasing number of data breaches and a rising number of governments and companies getting hacked, would make people realize that large amounts of data stored centrally is not the solution. The Arab Spring in 2015 would bring about major change through the unprecedented use of (social) media.
The European Union successfully voted against the exchange of data relating to travel movements, paved the way for the current General Data Protection Regulation and seemed to become the shining alternative example under the guidance of Germany, a country known for its vigilance when it comes to privacy. Unfortunately, things turned out differently. Under the Obama administration, Snowden was shunned as a traitor and other whistleblowers were clamped down on harder than ever before. Julian Assange was forced into exile while murdering people with the use of drones and without any form of trial was implemented on a large scale. Extrajudicial killings with collateral damage... While the discussion was about waterboarding... Discussions on such ‘secondary topics’ have by now become commonplace in politics, and so has the framing and blaming of opponents in the polarized public debate (the focus is usually on the person rather than on the argument itself).
Looking back on 2018, Privacy First identifies a great number of areas where the breakdown of privacy is evident:
Government & privacy
In March, an advisory referendum in the Netherlands was held on the introduction of the so-called Tapping law. Immediately after that, the referendum was abrogated. This happened in a time of unprecedented technological possibilities to organize referendums in various ways in a shared democracy. That’s outrageous. The outcome of the referendum was not taken into account and the Tapping law was introduced just like that. Moreover, it turned out that all along, the Dutch Minister of the Interior had withheld an important report on the functioning of the Dutch General Intelligence and Security Service.
Apparently this was nothing to worry about and occurred without any consequences. The recent report by the Dutch State Commission on the (re)introduction of referendums will likely end up in a drawer, not to be looked at again.
Fear of losing one’s role and the political mood of the day are all too important in a culture in which ‘professional politicians’ are afraid to make mistakes, but which is full of incidents nonetheless. One’s job or profession comes first, representing citizens comes second. Invariably, incidents are put under a magnifying glass in order to push through binding legislation with a broad scope. Without the review of compliance with guiding principles such as necessity, purpose limitation, subsidiarity and proportionality. There is an ever wider gap between government and citizens, who are not trusted but are expected to be fully transparent towards that self-same government. A government that time and again appears to be concealing matters from citizens. A government that is required by law to protect and promote privacy, but is itself still the most prominent privacy-violator.
The medical establishment & privacy
In this area things got really out of hand in 2018. Through various coordinated media offensives, the EU and the member states are trying to make us believe in the advantages of relinquishing our right to physical integrity and our humanity. Sharing biometric data with the United States continues unabatedly. We saw the police calling for compulsory DNA databases, compulsory vaccination programs, the use of smart medicines with microchips and the phasing out of alternative therapies. Furthermore, health insurance companies cautiously started to cover genetic testing and increasingly doing away with medical confidentiality, the Organ Donation Act was introduced and microchips implanted in humans (the cyborg as the highest ideal in Silicon Valley propaganda) became ever more popular.
How long before microchips become compulsory for all citizens? All (domestic) animals in the EU have already preceded us. And then there’s the Electronic Health Record, which was first rejected in the Dutch Senate but has reappeared on the minister’s agenda via a detour. Driven by commercial interests, it is being rammed down the throats of general practitioners while alternatives such as Whitebox are not taken seriously. The influence of Big Pharma through lobbying with government bodies and participating in government working groups is particularly acute. They closely cooperate with a few IT companies to realize their ideal of large and centralized networks and systems. It’s their year-end bonus and growth at the expense of our freedom and well-being.
Media & privacy
Naturally, we cannot overlook ‘fake news’. One of the premises for having privacy is being able to form your own opinion and respect and learn from the opinions of others. Furthermore, independent left and right-wing media are essential in a democratic constitutional State. It's their task to monitor the functioning of elected and unelected representatives in politics and in government. Journalists should be able to penetrate into the capillaries of society in order to produce local, national and global news.
Ever since free news gathering came about, it has been a challenge to obtain news based on facts. It’s not always easy to distinguish a press service, PR and propaganda from one another. In times of rapid technological changes and new opportunities, they should be continuously reviewed according to the principles of journalism. That’s nothing new. What is new, however, is that the European Union and our own Minister for the Interior, Kajsa Ollongren, feel they’re doing the right thing by outsourcing censorship to social media companies that are active on a global scale and have proven to be unreliable.
While Facebook and Google have to defend themselves in court for spreading fake news and censoring accounts, the governments hand over the monitoring task to them. The privacy violators and fake news distributors as the guardians of our privacy and journalism. That’s the world upside down. By so doing, this minister and this government undermine the constitutional State and show disdain for intelligent citizens. It’s time for a structural change in our media system, based on new technologies such as blockchain and the founding of a government media office whose task is to fund all media outlets through citizens’ contributions, taking into account the media’s scope and number of members. So that concerns all media, including the so-called alternative media, which should not be censored.
Finance & privacy
The erosion of one’s privacy increasingly manifests itself at a financial level too. The fact of the matter is, that the tax authorities already know in detail what the spending pattern of all companies and citizens looks like. Thanks to the Tapping Law, they can now pass on this information in real-time to the secret services (the General Intelligence and Security Service is watching along). Furthermore, a well-intended initiative such as PSD2 is being introduced in a wholly improvident and privacy-unfriendly way: basic conditions relating to the ownership of bank details (of citizens, account holders) are devoid of substance. Simple features such as selective sharing of banking details, for example according to the type of payment or time period, are not available. What’s more, payment details of third parties who have not given their consent, are sent along.
In the meantime, the ‘cash = criminal’ campaign goes on relentlessly. The right to cash and anonymous payment disappears, despite even the Dutch Central Bank now warning that the role of cash is crucial to our society. Privacy First has raised its opinion on this topic already in 2016 during a public debate. The latest development in this regard is the further linking of information through Big Data and profiling by debt-collecting agencies and public authorities. Excluding citizens from the electronic monetary system as a new form of punishment instead of letting them pay fines is a not so distant prospect. In this regard, a lot of experimentation is going on in China and there have been calls in Europe to move in the same direction, supposedly in order to fight terrorism. In other words, in the future it will become increasingly difficult to raise your voice and organize against abuse of power by governments and companies: from on high it takes only the press of a button and you may no longer be able to withdraw cash, travel or carry out online activities. In which case you have become an electronic outcast, banished from society.
Public domain & privacy
In 2018, privacy in public space has all but improved. Whereas 20 years ago, the Netherlands was deemed too small to require everyone out on the streets to be able to identify themselves, by now, all governments and municipalities in Europe are developing ‘smart city’ concepts. If you ask what the benefits and use of a smart city are (beyond the permanent supervision of citizens), proponents will say something vague about traffic problems and that the 'killer applications' will become visible only once the network of beacons is in place. In other words, there are absolutely no solid figures which would justify the necessity, subsidiarity and proportionality of smart cities. And that’s not even taking basic civil rights such as privacy into consideration.
Just to give a few examples:
- ANPR legislation applies from 1 January 2019 (all travel movements on public roads will be stored in a centralized police database for four weeks)
- A database consisting of all travel movements and stays of European citizens and toll rates as per 2023
- Emergency chips in every vehicle with a two-way communication feature (better known as spyware) as per 1 January 2019
- Cameras and two-way communication in public space, built into the lampposts among other objects as part of smart city projects
- A decision to introduce additional cameras in public transport as per 2019
- The introduction of Smart Cities and the introduction of unlimited beacons (doesn’t it sound so much better than electronic concentration camp posts?)
- Linking together all traffic centers and control rooms (including those of security companies operating on the private market)
- Citizens are permanently monitored by invisible and unknown eyes.
Private domain & privacy
It’s well known that governments and companies are keen to take a peek in our homes, but the extent to which this was being advanced last year, was outside of all proportion. Let’s start with energy companies, who foist compulsory smart meters on citizens. By way of ‘appointment to install a smart meter’, which you didn’t ask for, it’s almost impossible to stay clear of red tape. After several cancellations on my part and phone calls to energy provider Nuon, they simply continued to push forward. I still don’t have a smart meter and it will stay like that.
Once again Silicon Valley featured prominently in the news in 2018. Unelected dictatorial executives who are no less powerful than many a nation state, promote their utopias as trendy and modern among citizens. Self-driving cars take the autonomy and joy away from citizens (the number of accidents is very small considering the millions of cars on the road each day), while even children can tell that a hybrid approach is the only option. The implementation of smart speakers by these social media companies is downright spooky. By bringing smart toys onto the market, toy manufacturers equally respond to the needs that we all seem to have. We can all too readily guess what these developments will mean for our privacy. The manipulation of facts and images as well as distortion, will starkly increase.
Children & privacy
Children and youths represent the future and nothing of the above bodes well for them. Screen addiction is sharply on the rise and as children are being raised amidst propaganda and fake news, much more attention should go out to forming one’s own opinion and taking responsibility. Centralized pupil monitoring systems are introduced indifferently in the education system, information is exchanged with parents and not having interactive whiteboards and Ipads in the classroom has become unthinkable. The first thing children see every single day, is a screen with Google on it... Big Brother.
Dependence on the internet and social media results in impulsive behaviour among children, exposes them to the madness of the day and affects their historical awareness and ability to discern underlying links. The way of thinking at universities is becoming increasingly one-sided and undesirable views are marginalized. The causes of problems are not examined, books are not read though there is certainly no lack of opinions. It’s all about making your voice heard within the limits of self-censorship that’s in force in order to prevent becoming the odd one out in the group. The same pattern can be identified when it comes to forming opinions in politics, where discussing various issues based on facts seems no longer possible. Not to mention that the opinions of citizens are considered irrelevant by our politicians. Good quality education focused on forming opinions and on creating self-reflective minds instead of a robot-way of thinking, is essential for the development of a healthy democracy.
Are there any positive developments?
It's no easy task to identify any positive developments in the field of privacy. The fact is that the introduction of the GDPR and the corresponding option to impose fines has brought privacy more sharply into focus among companies and citizens than the revelations of Snowden have been able to do. The danger of the GDPR, however, is that it narrows down privacy to data protection and administrative red tape.
Another positive development is the growing number of (as of yet small) initiatives whereby companies and governments consider privacy protection as a business or PR opportunity. This is proved by the number of participants in the 2019 Dutch Privacy Awards. Recurring themes are means of anonymous communication (email, search engines, browsers), possible alternatives to social networks (messaging services like WhatsApp, Facebook, Instagram and Twitter) on the basis of subscriptions, blockchain technology and privacy by design projects by large organizations and companies.
Privacy First has teamed up with a few top quality pro bono attorneys who are prepared to represent us in court. However, judges are reluctant to go off the beaten track and come up with progressive rulings in cases such as those concerning number plate parking, average speed checks, Automatic Number Plate Recognition, the Tapping Law, etc. For years, Privacy First has been suffering from a lack of funding. Many of those who sympathize with us, find the topic of privacy a bit eerie. They support us morally but don’t dare to make a donation. After all, you draw attention to yourself when you’re concerned with issues such as privacy. That’s how bad things have become; fear and self-censorship... two bad counsellors! It’s high time for a government that seriously deals with privacy issues.
Constitutional reform should urgently be placed on the agenda
Privacy First is a great proponent of constitutional reform (see our 2017 New Year’s column about Shared Democracy), based on the principles of the democratic constitutional State and the European Convention on Human Rights (ECHR). Our democracy is only 150 years old and should be adapted to this current day and age. This means that the structure of the EU should be changed. Citizens should take on a central and active role. Government policies should focus on technological developments in order to reinforce democracy and formulate a response to the concentration of power of multinational companies.
Privacy First argues that the establishment of a Ministry of Technology has the highest priority in order to be able to stay up to date with the rapid developments in this field and produce adequate policies accordingly. It should live up to the standards of the ECHR and the Dutch Constitution and avoid becoming a victim of the increasing lobbying efforts in this sector. Moreover, it is time for a Minister of IT & Privacy who stays up to date on all developments and acts with sufficient powers and in accordance with the review of a Constitutional Court.
The protection of citizens’ privacy should be facilitated and there should be privacy-friendly alternatives for current services by technology companies. For 2019, Privacy First has a few tips for ordinary citizens:
- Watch out for and stay away from ‘smart’ initiatives on the basis of Big Data and profiling!
- Keep an eye on the ‘cash = criminal’ campaign. Make at least 50% of your payments anonymously in cash.
- Be cautious when communicating through Google, Apple, Facebook and Microsoft. Look for or develop new platforms based on Quantum AI encryption and use alternative browsers (TOR), networks (VPN) and search engines (Startpage).
- Be careful when it comes to medical data and physical integrity. Use your right for there to be no exchange of medical data as long as initiatives such as Whitebox are not used.
- Be aware of your right to stay anonymous, at home and in public space. Campaign against toll payment, microchips in number plates, ANPR and number plate parking.
- Be aware of your legal rights to bring lawsuits, for example against personalized waste disposal passes, camera surveillance, etc.
- Watch out for ‘smart’ meters, speakers, toys and other objects in the house connected to the internet. Purchase only privacy by design solutions with privacy enhanced technology!
The Netherlands and Europe as guiding nations in the field of privacy, with groundbreaking initiatives and solutions for apparent contradictions concerning privacy and security issues - that’s Privacy First's aim. There’s still a long way to go, however, and we’re being blown off course ever more. That’s due in part because a comprehensive vision on our society and a democracy 3.0 is lacking. So we continue to drift rudderless, ending up in the big manipulation machine of large companies one step at a time. We need many more yellow vests before things change. Privacy First would like to contribute to shaping and promoting a comprehensive, positive vision for the future. A future based on the principles that our society was built on and the need for greater freedom, with all the inevitable restrictions this entails. We will have to do it together. Please support Privacy First actively with a generous donation for your own freedom and that of your children in 2019!
To an open and free society! I wish everyone a lot of privacy in 2019 and beyond!
Bas Filippini, Privacy First chairman