Privacy First New Year’s column
Looking back on 2016, Privacy First perceives a renewed attack on our democratic constitutional State from within. Incident-driven politics based on the everyday humdrum prevails and the Dutch government’s frenzy efforts to control the masses is relentless, arrogant and driven by industry and political lobbying. The democratic principles of our constitutional State are being lost out of sight ever more while the reversion of legal principles has become commonplace. Every (potential) attack thus becomes an attack on our civil rights.
Current constitutional State unable to defend itself
Barely a single day has gone past in the current mediacracy and governors without any historical or cultural awareness hand us, our children and our future over to a new electronic dictatorship fenced off by 4G masts. Citizens who autonomously seek to inform themselves have become ‘populists that spread fake news’. It’s not just the government that has lost its way, but so have the mainstream media, so it seems. The model characterized by fear, hate and control adopted by many authoritarian states headed by a strong leader is increasingly seen as the way to go.
Privacy First has said it before but will reiterate: we are of the opinion that State terrorists who continuously change legislation restricting civil liberties are ultimately much more harmful to our society than a single ‘street terrorist’, however terrible and shocking an attack is for those directly involved. The galling thing is that our constitutional State cannot adequately defend itself against the erosion of democratic principles from within: among other things, there is a lack of independent review of our Constitution. Therefore we are very happy that the European Court of Justice has recently ruled all forms of trawl net technology unlawful in advance. A great verdict that has far-reaching consequences for the State terrorists among our politicians and civil servants. A clear line in the sand.
Our democratic constitutional State came into existence out of the 19th century way of thinking and will have to be reshaped through a public debate, provided this is done taking into account the basic principles of living together - a human experience that goes back thousands of years. Love, trust en freedom are fundamental pillars. Privacy First discerns a number of changes over the past 150 years to which our constitutional State has no adequate answer, if any answer at all. These changes will have to be integrated into a newly structured democratic constitutional State which will have to be partly parliamentary and partly shared. In other words: the democratic foundation is there, but will have to be adapted to the desires and developments of our time.
Towards a Shared Democracy: adjusting parliamentary democracy to our present time
Privacy First calls on (and challenges, if necessary) every Dutch citizen to participate in a broad public discussion in order to shape a democracy 3.0. After Athens (1.0) and our parliamentary democracy from the 19th century onwards (2.0), in our eyes it’s time for the concept of a Shared Democracy (3.0), which is both a disruptive way of thinking as well as a social model for which we identify seven big drivers that help adjust our current 19th century system. Privacy First notices that these seven drivers are currently undermining our model from the inside and the outside. But by thinking differently, one will find that these pillars also offer an opportunity to move towards a new form for the future: the so-called Shared Democracy.
1. Changing role of the media; towards a mediacracy
Originally, in the 19th century model, the media didn’t yet have the scale and level of outreach today’s media have. The influence of the media has become large to the extent it will have to be one of the pillars of the future Shared Democracy.
2. Changing role of citizens
The enormous financial and social emancipation, the elevated level of education and the individualization of citizens is currently leading to huge tensions in the democracy of parliamentary representation. As part of the old way of thinking, citizens are still regarded as an unassertive, inferior, necessary evil. However, citizens want to have decision-making power on numerous issues and this – supported by the newest technologies and means of communication - will have to be structurally implemented in the Shared Democracy on the basis of various structures of representation and participatory leadership based on personal responsibility, an area in which politics and the government are still falling far behind in their relationship with citizens.
3. Scientific, technological and information revolution
These revolutions create new opportunities and offer an almost real-time insight in the developments and events within society. Moreover, the internet and associated infrastructures enable completely new forms of exchange and marketplaces of ideas and decisions. This happens on a worldwide scale between like-minded people and people who hold different views. Where supply and demand are ill-aligned, new services that have a disruptive effect on old structures pop up. Think of the clear imbalance between citizens and politics. A solution for that problem can be found in completely new and invigorating systems and structures, set up with an open and free attitude, with privacy by design enshrined in legislation and with the application of advanced technology - all elements that distinguishes the Shared Democracy.
4. Unrestrained proliferation of public authorities
The house is ready to move into, but the contractor keeps coming back every day to see whether there are still tasks to be done... likewise our government exerts its influence on our daily life and on today’s economy. The unrestrained proliferation of public authorities has got to stop immediately and the government has to be brought back to normal proportions, in line with a standard that has yet to be established. By now, citizens serve the government instead of the other way around. The power of (central) public authorities is no longer commensurate with those of individual citizens. A key trait of the Shared Democracy will be the size, power and scope of the government.
5. Lifelong professional politicians
Another thing the founders of the 19th century model didn’t take into account (despite the seperation of powers) is the fact that many current (national) representatives are fulltime politicians, some of whom carry out public sector activities quite directly related to their political function. Particularly these latter ones have lost all connection to society and virtually live off taxpayers’ money without any risks. In the Shared Democracy we envisage, we advocate that representatives of citizens make clear choices and are in favour of all possible mixed forms of citizens and representatives in order to create a much larger engagement and responsibility among individual citizens when it comes to being active politically.
6. Financial sector, upscaling and mass control
The centralization and management of financial flows disconnected from the underlying value, erodes both the economy and society. The human dimension is disappearing into the background in upscaling and efficiency models dominated by financial flows. By introducing mantras such as ‘cash is criminal’, paying anonymously is being phased out while bank runs that could endanger and destabilize the system are being prevented. Here too, the web continually gets tighter around citizens and money no longer belongs to them, but to banks and the government. With a view to the future and on the basis of current and future technological possibilities, in the Shared Democracy, ownership relationships and the right to anonymous means of payment will have to be firmly embedded in law.
7. Supranational elite of individuals and companies
One of the effects of globalization is the rise of a large group of supranational companies and individuals that are disconnected from their nation-states and societies, benefitting from the rights they have but not fulfilling the duties that society equally brings along. Now that information and power are concentrated within a few very large, global conglomerates, there are many financial corporations and companies that have become larger than nation-states. The intransparent power of lobbygroups backing these conglomerates thrives under the old, authoritarian pyramid structure of centralized political representation. In the Shared Democracy, special attention will have to go out to democratic shaping and modelling on all levels, while the centralized and decentralized power structures have to be continually in balance and be measurable with the most advanced technology.
How will the Shared Democracy deal with all this? How much more freedom are we prepared to give up for the sake of (false) security? 100% security = 0% freedom. How are we going to restructure our society and democratic system in order to hold on to our principles with the seven drivers of development in mind? And on which scale are we willing to do so?
To better define these questions and look for answers, Privacy First will organize a New Year's Reception on 19 January 2017, at 7:30 pm in the Volkshotel in Amsterdam. The reception (in Dutch) will revolve around the Shared Democracy.
Privacy First encourages everyone to contribute to this new movement towards a Shared Democracy in an open and free debate on all available communication channels!
Privacy First Foundation chairman
The Privacy First Foundation presents its 2015 Annual Report: click HERE to download the pdf version. In this report, you will read everything about Privacy First’s daily fight to preserve and promote everyone’s right to privacy. To be able to continue this fight, our organization largely depends on individual donors. The more donors, the more effectively Privacy First can operate by way of political lobbying, targeted actions, campaigns, public events and lawsuits. Click HERE to become a donor of Privacy First!
In the Dutch Citizens v. Plasterk case about the international exchange of data between secret services, the coalition of citizens and organizations (including Privacy First) has explained its appeal before the Hague Court of Appeals. In its statement of appeal, which was submitted to the Court on 2 February 2016, the coalition details why the ruling of the district court of The Hague (in Dutch) is wrong.
In summary, the district court of the Hague has ruled that the collaboration and exchange of data on the basis of trust between Dutch secret services and foreign secret services (among which the American NSA) may simply be continued. According to the judge, the importance of national security is the determining factor, thereby essentially giving the Dutch AIVD (general intelligence and security service) and MIVD (military intelligence and security service) carte blanche to collect bulk data of Dutch citizens via foreign intelligence agencies without any legal protection, only because of the designation ‘national security’.
The Citizens v. Plasterk coalition deems this ruling to be in flagrant breach of the right to privacy and has lodged an appeal. It must be noted that the coalition isn’t seeking to ban the collaboration with foreign services as such. However, we find that when it comes to collaborating and receiving data, strict safeguards should be maintained. Failure to do so means that data that has been obtained by the NSA and other intelligence services in violation of Dutch law, illegally end up in the hands of Dutch intelligence services. This comes down to the laundering of data through an illegitimate U-turn.
"By using NSA data, minister Plasterk and his services are laundering illegally obtained data. This case should put an end to that", says our lawyer Christiaan Alberdingk Thijm of bureau Brandeis. Read our entire statement of appeal HERE (pdf in Dutch).
The Dutch government will first have to react to our statement of appeal in a statement of defence on appeal, after which the Hague Court of Appeals will schedule a hearing and render a ruling.
Meanwhile, our coalition has been admitted to intervene in the legal proceedings against the British government that the British organization Big Brother Watch et al. have brought before the European Court of Human Rights (ECtHR). This is a significant development because as a result, the ECtHR may, at an early stage, be able to issue a verdict that is relevant to our Dutch case. Click HERE (pdf) for the recent decision on admissibility by the European Court and HERE for more information about the British case on the Court's website.
The Citizens v. Plasterk case
At the end of 2013, the Citizens v. Plasterk coalition summoned the Dutch government, represented by the Dutch minister of the Interior, Ronald Plasterk. This was prompted by Edward Snowden’s revelations about the practices of (foreign) intelligence services. The coalition demands that the Netherlands stops using data that have been obtained in violation of Dutch law.
In February 2014 the case almost led to minister Plasterk’s withdrawal from office. It had emerged that Plasterk had wrongfully informed the Dutch House of Representatives on the exchange of data between Dutch and foreign intelligence services. The Dutch services had passed on 1.8 million items of data to the Americans and not the other way around, as he had previously claimed.
In July 2014 the district court of The Hague rejected the claims of the coalition, after which the coalition lodged an appeal before the Hague Court of Appeals.
At the end of 2015 it became known that the coalition may participate in a British lawsuit before the European Court of Human Rights in Strasbourg.
The participating citizens in the coalition are: Rop Gonggrijp, Jeroen van Beek, Bart Nooitgedagt, Brenno de Winter and Mathieu Paapst. The participating organizations are: the Privacy First Foundation, the Dutch Association of Defence Counsel (NVSA), the Dutch Association of Journalists (NVJ) and Internet Society Netherlands.
The case is taken care of by bureau Brandeis, in particular by our lawyers Christiaan Alberdingk Thijm and Caroline de Vries, who make use of the bureau Brandeis’s pro-bono fund.
Update 9 February, 2016: today the coalition submitted its written submissions to the European Court of Human Rights, click HERE (pdf).
"Facebook continues to breach personal data privacy rights in Europe, says a group of human rights organizations, and it demands that Facebook’s EU-US data transfers stop by February 6, 2016. Facebook has formally responded.
As previously reported, the Privacy First Foundation, Public Interest Litigation Project PILP and the Dutch Platform for the Protection of Civil Rights (collectively, “Privacy First”) sent Facebook a demand letter, to which Facebook has now replied in writing.
Facebook’s written response
Facebook responded to Privacy First’s demand letter by giving written assurances of data protection in accordance with current law–that is, those parts of the Privacy Directive that survived the ruling in Schrems, the case that invalidated Safe Harbor.
Specifically, Facebook states that “the grounds for transfer of data set out in Article 26 of the Directive remain entirely lawful,” and that it complies with “these other grounds to transfer data legally from the European Union to the United States .” Facebook further challenged the Dutch tribunal Privacy First plans to use, as lacking competence over Facebook Ireland, the party it asserts is the data controller for data of Facebook Netherlands.
Privacy First’s reply
Privacy First, in its reply through its counsel Boekx, Amsterdam, reiterated its position that the other instruments currently used as basis for EU-US data transfers (such as Standard Contractual Clauses or individual consent) are “fundamentally flawed, as these options do not resolve the problems identified by the European Court of Justice in the Schrems judgment.”
Privacy First’s reply further reserves its rights to initiate legal proceedings in the Hague “requesting a preliminary injunction and/or raising prejudicial questions with the European Court of Justice” if Facebook doesn’t stop EU-US data transfers or provide adequate protections by February 6th, 2016.
Clearly, Privacy First and its co-plaintiffs are not happy with Facebook's response. (...)
Facebook’s letter also challenges the competence of Dutch courts to hear proceedings in the Netherlands against Facebook Ireland, which it alleges is the true data controller, not Facebook Netherlands B.V. Regarding the competence issue, [Boekx] said that Dutch courts have rendered decisions in the past against both Facebook parties.
As reported, the EU and US are currently negotiating replacement of the Safe Harbor Agreement; there is a meeting of the negotiating parties scheduled for February 2nd to discuss EU-US data transfers and how to ensure protections for EU citizens in the legal uncertainties left by Schrems.
Further delays possible
Due to delay in legislation in the U.S. that may be one of the EU’s preconditions to Safe Harbor (the Judicial Redress Act), further delays in Safe Harbor resolution are expected (by some) that could take those negotiations beyond the February 6 deadline set by Privacy First. These delays could set Facebook up for proceedings that, if successful, would result in a shutdown of its EU-US data transfers. (...)"
Source: http://www.forbes.com/sites/lisabrownlee/2016/01/27/facebook-fires-back-in-eu-privacy-dispute/#2fe9f2801d5b, 27 January 2016.
"Non siamo la pecora nera, e rispettiamo le stesse regole degli altri. Potremmo così sintetizzare il nocciolo della difesa di Facebook contro le accuse di alcune organizzazioni pro-privacy e utenti olandesi che hanno chiesto, con lettera formale, di impedire il trasferimento di dati personali degli iscritti verso gli Stati Uniti, dove risiedono molti suoi data center e molte delle sue aziende inserzioniste. Minacciando azioni legali nel caso il social network non interrompa questa pratica prima del 16 gennaio. Le radici della vicenda sono note: dalla denuncia inoltrata nel 2013 dallo studente austriaco Max Schrems, fino alla recente decisione della Corte di Giustizia dell’Unione Europea di invalidare gli accordi regolati dal Safe Harbor.Vero è che le nuove regole comunitarie travolgono non solo la creatura di Mark Zuckerberg bensì circa quattromila aziende statunitensi presenti sul Web, però è altrettanto vero che l’attenzione mediatica e le preoccupazioni si concentrano inevitabilmente su Facebook, luogo dove più di ogni altro le vite private diventano condivise. Ma anche il social network delle immagini, Instagram, e la più popolare fra le applicazioni di messaggistica, WhatsApp (entrambe proprietà dell’azienda di Menlo Park) sono coinvolti.
La lettera in questione, infatti, è stata inviata alle sedi di Facebook in California, in Olanda e in Irlanda così come alle sedi di Instagram e Whatsapp. Il mittente è uno studio legale di Amsterdam, Boekx, che parla in rappresentanza di tre associazioni pro-privacy (Stichting Privacy First, Public Interest Litigation Project e Dutch Platform for the Protection of Civil Rights) e di privati cittadini olandesi. La richiesta è, appunto, quella di interrompere il trasferimento dei dati verso gli States entro le ore 18 del gennaio, a meno di non voler incorrere in azioni legali.
Nelle parole dell’avvocato Otto Volgenant dello studio Boekx, “Vogliamo fare pressione su Facebook” e indurre Zuckerberg a pronunciarsi in merito al dibattito sulla privacy in corso nei governi di diversi Paesi. Se poi Facebook facesse ostruzionismo, la protesta degli olandesi potrebbe arrivare dapprima in un tribunale nazionale e poi da qui alla Corte Europea di Giustizia.
La replica della società californiana, arrivata tramite Forbes da un portavoce dell’azienda, Matt Steinfeld, esordisce ribadendo che il social network “utilizza i medesimi meccanismi impiegati da migliaia di altre aziende per trasferire legittimamente dati dall’Europa agli Stati Uniti e ad altri Paesi in tutto in mondo”. E poi fa una proposta: “Crediamo che il modo migliore per risolvere l’attuale dibattito sul trasferimento dei dati oltre l’oceano sia creare un nuovo patto di Safe Harbour, che garantisca adeguate tutele ai cittadini europei”. Il social network, dunque, non si sottrae alla possibilità di modifiche del regolamento ma anzi si auspica che le discussioni in corso fra organismi regolatori europei e statunitensi, e fra essi e i rispettivi governi sfocino presto in un “esito positivo”, ha dichiarato Steinfeld."
Source: http://www.ictbusiness.it/cont/news/l-attacco-olandese-e-la-difesa-facebook-non-siamo-peggio-di-altri/36065/1.html#.VoJYKfFIiUn, 17 December 2015.
Christmas column by Bas Filippini,
Chairman of the Privacy First Foundation
Principles of our democratic constitutional State are still very relevant
‘‘Your choice in a free society’’ is the slogan of the Privacy First Foundation. Privacy First has defined its principles on the basis of universal human rights and our Dutch Constitution and is reputed for professional and, if necessary, legal action in line with our free constitutional State. The mere fact that Privacy First exists, means that in recent years the aforementioned principles have come under increasing pressure. We base our (legal) actions and judgements on thorough fact-finding, to the extent possible in our working area.
‘The Netherlands as a secure global pioneer in the field of privacy’, that’s our motto. This country should also serve as an example of how to use technology whilst maintaining the principles of our open and free society. This can be achieved through legislative, executive and IT infrastructures, starting from privacy by design and making use of privacy enhanced technology.
Whereas the industrial revolution has environmental pollution as a negative side effect, the information revolution has the ‘pollution of privacy and freedom’ as an unwanted side effect.
Therefore, the question is how to preserve the basic principles of our democratic constitutional State and how to support new structures and services towards the future. As far as we’re concerned, these basic principles are neither negotiable nor exchangeable. Yet time and again we see the same incident-driven politics based on the misconceptions of the day strike at times when the constitutional State is at its most vulnerable and cannot defend itself against the emotional tide of the moment.
Paris as yet another excuse to pull through ‘new’ laws
Various politicians feed on the attacks in Paris and tumble over one another to express Orwellian macho talk, taking things further and further in legislative proposals or in emotional speeches characterized by belligerence and rhetoric. And it’s always so predictable: further restraining existing freedoms of all citizens instead of focusing further on the group of adolescents (on average, terrorist attackers are between 18 and 30 years old) that intelligence agencies already have in sight. Instead of having a discussion about how intelligence agencies can more effectively tackle the already defined group that needs to be monitored and take preventive measures in the communication with and education of this target group, the focus too easily shifts to familiar affairs whereby necessity, proportionality and subsidiarity are hard to find.
So in the meanwhile we’ve witnessed the prolonged state of emergency in France, the far reaching extension of powers of the police, the judiciary and intelligence services (also to the detriment of innocent citizens), extra controls in public space, the retention of passenger data, etc., etc. All this apparently for legitimate reasons in the heat of the moment, but it will be disastrous for our freedom both in the short as well as in the long run. In this respect the blurring definition of the term ‘terrorism’ is striking. Privacy First focuses on government powers in relation to the presumption of innocence that citizens have. We’re in favour of applying special powers in dealing with citizens who are under reasonable suspicion of criminal offences and violate the rights of others with their hate and violence. In fact, that’s exactly what the law says. Let’s first implement this properly, instead of introducing legislative proposals that throw out the baby with the bathwater.
The governments is committed to impossible 100 per cent security solutions
What often strikes me in conversations with civil servants is the idea that the government should provide 100 per cent solutions for citizens and applies a risk exclusion principle. This leads to a great deal of compartmentalization and paralyzation when it comes to possible government solutions in the area of security. Technology-based quick fixes are adhered to by default, without properly analyzing the cause of problems and looking at the implementation of existing legislation.
The government way of thinking is separate from citizens, who are not trusted in having legal capacity and are regarded as a necessary evil, as troublesome and as inconvenient in the performance of the government’s tasks. The idea that the government, serving its citizens, should offer as high a percentage as possible but certainly not a 100 per cent security (the final 10 per cent are very costly on the one hand and suffocating for society on the other) is not commonly shared. No civil servant and no politician is prepared to introduce policies to maintain an open society today (and 50 years from now) that entail any risk factors. However, in reality there will always be risks in an open society and it should be noted that a society is not a matter of course but something we should treat with great care.
Here in the Netherlands we’ve seen other forms of government before: from rule by royal decree to a bourgeoisie society and an actual war dictatorship. Every time we chose not to like these forms of society. What could possibly be a reason to be willing to go back to any of these forms and give up our freedoms instead of increasing them and enforcing them with technology? Especially in a society that has high levels of education and wherein citizens show to be perfectly able to take their own decisions on various issues. We hire the government and politics as our representatives, not the other way around. However, we’re now put up with a government that doesn’t trust us, is only prepared to deliver information on the basis of FOIA requests and requires us to hand over all information and communications about us and our deepest private lives as if we were prima facie suspects. That puts everything back to front and to me it embodies a one way trip to North Korea. You’ll be more than welcome there!
Political lobby of the industry
The industry’s persistence to overload the government and citizens with ICT solutions is unprecedented. Again and again here in the Netherlands and in Silicon Valley the same companies pop up that want to secure their Christmas bonus by marketing their products in exchange for our freedom. We’re talking about various electronic health records like the Child record and the Orwellian and centralized electronic patient record, the all-encompassing System Risk-Indication database, travel and residency records, road pricing, chips in number plates and cars, so-called automated guided vehicles (including illegal data collection by car manufacturers), number plate parking, automatic number plate recognition cameras, facial recognition in public space and counter-hacking by government agencies while voting computers are back on the agenda. Big Data, the Internet of things, the list goes on.
With huge budgets these companies promote these allegedly smart solutions, without caring about their dangers for our freedom. It’s alienating to see that the reversal of legal principles is creeping in and is being supported by various government and industry mantras. It’s as if a parasitic wasp erodes civil liberties: the outside looks intact but the inside is already empty and rotten.
From street terrorism to State terrorism
As indicated above, the information revolution leads to the restriction of freedom. It’s imperative to realize that after 4000 years of struggle, development and evolution we have come to our refined form of society and principles that are (relatively) universal for every free citizen. Just as most of us are born out of love, freedom and trust, to me these are also the best principles with which to build a society. We’re all too familiar with societies founded on hate, fear and government control and we have renounced them not so long ago as disastrous and exceptionally unpleasant. At the expense of many sacrifices and lives these principles have been enshrined in treaties, charters and constitutions and are therefore non-negotiable.
It’s high time to continue to act on the basis of these principles and make policy implementation and technology subordinate to this, taking into account the people’s needs and their own responsibility. In my eyes, a civil servant in the service of the people who places security above everything else, is nothing more than a State terrorist or a white collar terrorist who in the long term causes much more damage to our constitutional State and freedom than a so called street terrorist. The government and industry should have an immediate integrity discussion about this, after which clear codes can be introduced for privacy-sustainable governing and entrepreneurship.
Towards a secure global pioneer in the field of privacy
Privacy First would like to see government and industry take their own responsibility in protecting and promoting the personal freedom of citizens and in so doing use a 80/20 rule as far as security is concerned. By focusing on risk groups a lot of money and misery can be saved. Exceptions prove the rule, which in this case is a free and democratic constitutional State and not the other way around. Say yes to a free and secure Netherlands as a global pioneer in the field of privacy!
"Facebook, Inc. and related entities have received a letter demanding them to stop EU-US data transfers until U.S. laws comply with the EU data protection regime, or risk lawsuit in the Netherlands. Facebook must cease transfer by 15 January 2016. The complaining parties have reserved rights to file suit if compliance is not forthcoming.
The demand and summons letter was sent today by the Boekx law firm in Amsterdam on behalf of numerous plaintiffs including:
• Privacy First Foundation (Stichting Privacy First)
• Public Interest Litigation Project PILP
• Dutch Platform for the Protection of Civil Rights
and other users of Facebook, Instagram and WhatsApp. The letter was sent to Facebook Netherlands B.V., Facebook Ireland Limited, Facebook Inc. and Instagram LLC (California), and WhatsApp Inc. (California).
Facebook spokesperson Matt Steinfeld provided (...) the following written statement:
“Facebook uses the same mechanisms that thousands of others companies across the EU use to transfer data legally from the EU to the US, and to other countries around the world. We believe that the best solution to the on-going debate around transatlantic data transfers is for there to be a new Safe Harbor agreement with appropriate safeguards for EU citizens.”
“We understand that authorities in the EU and US are working hard to put such an agreement in place as soon as possible. We trust that these groups are engaging with their respective governments on this process to help it reach a successful conclusion.”
Lawsuit intended to pressure Facebook
Otto Volgenant of the Boekx stated to Dutch outlet RTLZ, “We want to put pressure on Facebook. Mark Zuckerberg must make its voice heard in the debate about privacy, the US government has the solution for this problem.” According to Volgenant (as reported), the case would first be brought in The Hague, which could exercise its option to refer the case to the European Court of Justice.
Volgenant predicted that such referral would not be made, given the clarity of law on the topic since the recent Schrems ruling of the European Court of Justice (discussed further below).
U.S. compliant-laws required
Specifically, the demand requires that Facebook “end the current unlawful transfer of personal data from the European Union to the United States” until the U.S. adopts laws “essentially equivalent to” European data protection laws, or face lawsuit in the Netherlands. The summons gives Facebook until Friday 15 January 2016 (18:00 CET) to cease EU-US transfers, or risk having a court force it and related Facebook entities, through an injunction, to cease such transfers.
Facebook “remarkably absent” in data privacy discussions
In its letter, Boekx accuses Facebook of being “remarkably absent” in the public debate over EU-US data transfers, following the European Court of Justice decision in Schrems, which decision invalidated the so-called “Safe Harbor Agreement” between the U.S. and the E.U. and thus made such transfers illegal under E.U. law., effective immediately upon rendering of that decision. (...)
The demand letter further articulates the specifics of the Schrems decision, including that court’s conclusions that the NSA violated “European fundamental rights to respect for private life” by its “access on a generalized basis to the content of electronic communications.”
The letter concludes:
If we cannot find an amicable solution and Facebook does not refrain from further transfer of personal data of data subjects from the European Union to the United States by then, we reserve the right to initiate legal proceedings in the Netherlands and to request a preliminary injunction from the competent Dutch Court."
Today the Privacy First Foundation and three other public interest groups as well as a number of Dutch individual users of Facebook, WhatsApp and Instagram request Mark Zuckerberg to join the public debate following the landmark Schrems-judgment of the European Court of Justice.
On 6 October 2015, the European Court of Justice invalidated the Safe Harbour Decision, which was the basis for Facebook’s transfer of personal data from the European Union to the United States. The Grand Chamber of the Court found that the legislation of the United States fails to ensure a level of protection essentially equivalent to that guaranteed in the legal order of the European Union. The NSA has access to Facebook content of users from the European Union, without any judicial redress being available to them. The Court held that this compromises the essence of the fundamental right to privacy. These issues have not been resolved yet.
Following the judgment, Facebook continued the transfer of personal data from the European Union to the United States. Bas Filippini of Privacy First says: ‘Absent an adequate level of protection in the United States, the continued transfer of personal data is clearly incompatible with European data protection laws. Such transfer violates the rights of millions of individuals. If this is not resolved shortly, we will initiate legal action.’
To date, Facebook has been remarkably absent in the public debate that followed this landmark judgment. Ton Siedsma of Bits of Freedom says: ‘We invite Facebook to publicly engage in a meaningful and transparent dialogue aimed at finding a solution, and to pressure the authorities to find such solution. Facebook is invited to publicly share its current and intended policies and practice on data transfer.’
Today, Facebook was summoned to come up with an adequate solution ultimately by 15 January 2016. If it fails to do so, civil rights groups and a number of Dutch individuals will request the Court in The Hague to grant an injunction ordering Facebook to immediately cease the transfer of personal data to the United States. This pertains to all services of Facebook, including WhatsApp and Instagram.
‘As long as the United States fails to provide an adequate level of protection against mass surveillance, personal data may not be transferred to the United States. Taking Facebook to court emphasizes the urgency of resolving this issue.’ says Jelle Klaas of the Public Interest Litigation Project of NJCM, the Dutch section of the International Commission of Jurists. ‘Our goal is not to put the screens of millions of users to black, but to enhance the current level of privacy protection. Hopefully, a solution can be found shortly by the legislators.’
Click HERE for our entire letter of summons to Mark Zuckerberg (pdf).
Update 21 January 2016: shortly before the deadline Facebook responded to our letter of summons by fax, click HERE (pdf). According to Facebook, there is still a suitable legal basis for the transfer of personal data from the EU to the US, despite the invalidity of Safe Harbour. Privacy First et al. contest this and have today sent a response to Facebook, click HERE (pdf).
In the discussion about a newly proposed surveillance bill in England, Facebook, following our summons letter, has made it publicly clear that:
“Governments should not be able to compel the production of private communications content absent authorization from an independent and impartial judicial official. (...) Surveillance laws should not permit bulk collection of information. The principles require that the Government specifically identify the individuals or accounts to be targeted and should expressly prohibit bulk surveillance.”
However, it is precisely these aspects where, according to the European Court of Justice, the legal protection in the US is inadequate. In our letter of this afternoon, Privacy First et al. have therefore requested Facebook to present their standpoint also in the debate about mass surveillance in the US. Negotiations about this issue are currently ongoing between the EU and the US. It would be good if Facebook gets involved in this debate, in line with the standpoint it voiced in relation to the English legislative proposal.
If in the short term a solution will not be found for the fundamental privacy issues the European Court of Justice has identified, Privacy First et al. will consider bringing interim injunction proceedings before the district court of The Hague.
It is Privacy First’s established policy to focus its attention primarily on (impending) privacy violations that (can) hit large groups of people at once. Selecting our themes, we are guided by 1) the scale, 2) the seriousness and 3) the possible impact and consequences of a certain violation. Privacy First prioritizes and publicly identifies mass violations of a grave nature. It then tries to make an end to the violation by means of quiet diplomacy and political lobbying, a public campaign, legal action or – as a last resort – a lawsuit. Click HERE to read all about our activities in our annual report 2014! (pdf)
After years of legal proceedings against the storage of fingerprints under the Dutch Passport Act — one of the gravest privacy violations in the Netherlands — Privacy First and 19 co-plaintiffs were declared inadmissible by the Dutch Supreme Court.
Since May 2010, a large-scale lawsuit against the central storage of fingerprints under the Dutch Passport Act by Privacy First and 19 co-plaintiffs (Dutch citizens) has been under way. This so-called 'Passport Trial' was a civil case because with regard to the merits of the case, individual citizens were not able to turn to an administrative court.
Citizens could only go to an administrative court if they would first provoke an individual decision: an administrative refusal to issue a passport or ID card after an individual refusal to give one's fingerprints. Hence, they could only litigate on an administrative level if they were prepared to live without a passport or ID card for years.
Moreover, the provision in the Passport Act on the central storage of fingerprints (Article 4b) still hasn't entered into force. Therefore, the administrative courts were unauthorized to assess this provision. Moreover, contrary to other countries, a direct administrative appeal against Dutch law (Acts and statutes) isn't possible in the Netherlands.
Subsequently, an administrative court would only have been able to individually and indirectly ("exceptionally") assess this provision on the basis of higher privacy legislation after that same provision would have entered into force, that is to say, after the central storage (and exchange) of everyone's fingerprints would have become a fait accompli.
To prevent such a massive violation of privacy, only the civil courts were authorized to rule in the case of Privacy First et al. For many years civil courts have been the perfect type court for the direct assessment of national legislation on the basis of higher (privacy) legislation, even if the national legislation in question has not yet entered into force but does entail an imminent privacy violation.
As a relevant foundation, Privacy First was able to take civil action in the general interest, on behalf of the Dutch population at large. Since the early 90s this is possible via a special procedure under Article 3:305a of the Dutch Civil Code: the so-called "action of general interest." Up until May 2010, when Privacy First et al. summoned the Dutch government, the Dutch Supreme Court seemed to have given the green light for this.
However, in July 2010, the Supreme Court disregarded its earlier case law by declaring that interest groups can only turn to a civil court if individual citizens cannot pursue legal proceedings before an administrative court. But in Privacy First's Passport Trial, citizens could not apply to an administrative court. So Privacy First et al. still had a very strong case. What's more, the admissibility criteria of the Supreme Court seemed not to apply to actions of general interest, but merely to 'group actions' that are organized on behalf of a specific group of people instead of the entire population.
In February 2011, the district court of The Hague wrongly declared our Passport Trial inadmissible. This decision was subsequently appealed by Privacy First et al. Courtesy also of the pressure exerted by this appeal, the central (as well as municipal) storage of fingerprints was largely discontinued in the summer of 2011 and the taking of fingerprints for Dutch ID Cards was halted altogether at the start of 2014.
In February 2014, The Hague Court of Appeal declared Privacy First — in the general interest — admissible after all and judged that the central storage of fingerprints under the Passport Act was in violation of the right to privacy. The Dutch Minister of the Interior, Ronald Plasterk, was not amused and demanded an appeal in cassation before the Dutch Supreme Court.
Against all odds (as Privacy First had virtually all Dutch legislation, legislative history, case law and legal literature on its side), on May 22, 2015, the Dutch Supreme Court declared Privacy and its 19 co-plaintiffs inadmissible once more. According to the Supreme Court, the citizens can turn to an administrative court, which has also blocked the road to a civil court for Privacy First.
All this while in the last few years it had been established that the co-plaintiffs could not turn to an administrative court, at least not for the review of Article 4b of the Passport Act concerning the central storage of fingerprints. In innumerable administrative cases over the past few years, judges of various Dutch administrative courts have declined jurisdiction in this respect. That meant that for Privacy First as an interested organization, the road to an administrative court was equally blocked.
The fact that the Supreme Court rules as if that isn't so is simply incomprehensible. Furthermore, litigating citizens can neither be expected to get by without a passport for years, nor can they be expected to first let their privacy be violated (giving up fingerprints, even for storage) before a judge can determine whether this is legal. The fact that the Supreme Court seems to require this just the same is not just inconceivable (as well as in breach of its own case law) but also reprehensible.
Gap in the legal protection
The ruling by the Dutch Supreme Court creates a legal vacuum in the Netherlands: if citizens or organizations want massive and imminent privacy violations, such as the central storage of fingerprints under the Passport Act, to be reviewed, then they may not be able to turn to either a civil or an administrative court. This creates a gap in the legal protection that has been in place in the Netherlands over the past few decades.
The Supreme Court may now have passed on this case to the highest Dutch administrative court (the Council of State), but it's all but certain that the Council of State is able and still prepared to review the central storage of fingerprints under the Passport Act. In light of this, the Supreme Court should have waited for the ruling by the Council of State in four current and parallel administrative cases revolving around the Passport Act, prior to coming up with its ruling in Privacy First's Passport Trial. By not doing this, the Supreme Court has taken a huge risk, has prematurely stepped into the shoes of the Council of State and has put the Council of State under severe pressure.
If the Council of State were soon to judge differently than the Supreme Court (that is to say, if the Council of State would judge that it is equally unauthorized to rule in this matter), the two institutions would make an enormous blunder and would create a huge gap in the legal protection in the Netherlands, in contravention of the European Convention on Human Rights (ECHR)
Multiple ECHR violations
Privacy First et al. await the ruling of the Council of State with considerable anticipation. In the meantime, Privacy First et al. will already prepare to file a complaint with the European Court of Human Rights in Strasbourg on account of a breach of Article 8 ECHR (right to privacy) and Articles 6 and 13 EHCR (right to access to justice and an effective legal remedy). Despite the Kafkaesque anti-climax before the Dutch Supreme Court, a European conviction of the Netherlands would thus be on the cards once the complaint has been filed.
Read the entire judgment by the Dutch Supreme Court HERE (in Dutch).
Click HERE for our entire case file.
A similar version of this article was published on http://www.liberties.eu/en/news/bad-day-for-privacy-in-the-netherlands.