Over a decade ago, around the years 2009-2011, there was enormous social resistance in the Netherlands to a centralized database containing the biometric data (fingerprints and facial scans) of all Dutch citizens. The development of that database was halted in early 2011 over privacy concerns. However, the Dutch State Secretary for Digital Affairs, Alexandra van Huffelen, now seems intent on introducing such a database after all. Below you find the first response of Privacy First to the recent internet consultation on this wretched plan:
Your Excellency,
The Privacy First Foundation was perplexed to learn of your intention to amend the Dutch Passport Act in order to create a centralized database of everyone's biometric data (including facial scans and – for the time being – ‘temporary’ fingerprints). This comes after the original plan for such a database was binned in 2011, and rightly so, following two years of large-scale resistance from all sections of Dutch society and all sorts of legal, political, administrative and technical objections. Back then, not a single public official could be found even within the Dutch Ministry of the Interior who dared to openly advocate the development of such a database. In the years since, this ‘progressive insight’ within your ministry has apparently disappeared entirely, which is remarkable at a time when international developments compel you not to forget the historical lessons about the risks of centralized population registers. A centralized biometric database inevitably creates an extremely risky target for people with malicious intent. The necessity and proportionality of such a database are not amply elaborated in the draft Explanatory Memorandum to the current Bill, in fact, are not elaborated at all and, for that matter, are inconceivable. Moreover, experience has shown that such databases will always be used and abused over time for all kinds of unforeseen purposes (function creep) and that original retention periods will be stretched further and further. In this context, Privacy First would like to remind you of the fact that the previously planned centralized biometric database included clandestine, secluded access to the Dutch secret services (who, to this end, were also involved in the development of this database), one of which – the General Intelligence and Security Service (AIVD) – in the end considered the realization of this database too hazardous. There is no reason to believe the considerations of that time should not apply today.
Fingerprints
Ever since Privacy First was founded in 2008, we have opposed the mandatory collection of fingerprints for passports and identity cards. Since the introduction of the new Passport Act in 2009, Privacy First has done this through lawsuits, campaigns, Freedom of Information Act requests, political lobbying and outreach to the media. Despite the subsequent termination of the (planned) centralized storage of fingerprints in both a national and municipal databases in 2011, fingerprints are still taken of everyone applying for a passport and again also for Dutch identity cards (under the new EU regulation on strengthening the security of identity cards), after this requirement was abolished in 2014. To date, however, all of the millions of fingerprints collected from virtually the entire Dutch adult population have in practice not been used, or have hardly been used as this had already proved to be technically unsound and unworkable in 2009. The compulsory collection of everyone’s fingerprints under the Passport Act is therefore still the most massive and longest-lasting privacy violation that the Netherlands has ever known. Against this background, we request you to withdraw the present draft bill and to replace it with a new bill to abolish the taking of fingerprints under the Passport Act, even if that runs counter to European policy. Please take the following into account:
1. Already in May 2016, the Dutch Council of State (Raad van State) ruled that fingerprints in Dutch identity cards violate the right to privacy due to a lack of necessity and proportionality, see https://www.raadvanstate.nl/pers/persberichten/tekst-persbericht.html?id=956.
2. Freedom of Information Act requests from Privacy First have shown that the phenomenon to be defeated (lookalike fraud through passports and identity cards) is so small in scale that the compulsory taking of everyone’s fingerprints to make an end tot this problem, is completely disproportionate and therefore unlawful. See https://www.privacyfirst.nl/rechtszaken-1/wob-procedures/item/524-onthullende-cijfers-over-look-alike-fraude-met-nederlandse-reisdocumenten.html.
3. The fingerprints in passports and identity cards previously had a biometric error rate of no less than 30%, see https://zoek.officielebekendmakingen.nl/kst-32317-163.html (State Secretary Fred Teeven, January 31, 2013). Before that, Minister Piet Hein Donner admitted there’s an error rate of 21-25%: see https://zoek.officielebekendmakingen.nl/kst-25764-47.html (27 April, 2011). How high are these error rates in 2022?
4. Partly because of the aforementioned high error rates, the fingerprints in passports and identity cards have hardly been used to date, neither in the Netherlands nor at the national borders or airports.
5. Because of these high error rates, former State Secretary Ank Bijleveld instructed all Dutch municipalities as early as September 2009 to refrain in principle from fingerprint verifications when issuing passports and identity cards. In the event of a ‘mismatch’, the ID document concerned would have to be returned to the passport manufacturer, which would lead to rapid social disruption if the number of such cases were high. In this context, the Ministry was also concerned about possible large-scale unrest and even violence at municipal counters. These concerns and the instruction of State Secretary Bijleveld still apply today.
6. A statutory exception must still be created for people who, for whatever reason, do not wish to have their fingerprints taken (biometric conscientious objectors, Article 9 ECHR).
For further background information on the biometric passport, see the report by the Advisory Council on Government Policy (WRR) titled ‘Happy Landings’, written in 2010 by the undersigned. Partly as a result of this critical report (and large-scale legal action by Privacy First against the Passport Act), the decentralized (municipal) storage of fingerprints was largely abolished in 2011 and the planned centralized storage of fingerprints was discontinued.
We sincerely hope that it will not have to come to another lawsuit by Privacy First to turn the tide.
If desired, we would be happy to elaborate on the above aspects in greater detail.
Yours sincerely,
Privacy First Foundation
Source: https://www.internetconsultatie.nl/biometrischegegevenspaspoortwet/b1 --> reacties --> reactie directeur Privacy First (Vincent Böhre) dated May 31, 2022.
