Privacy First has had a turbulent year. At the start of 2018, we organized the Dutch Privacy Awards and they were a great success. Soon this event will take place again. The greatest success of the year, however, was the referendum against the new Dutch Intelligence and Security Services Act (better known as the Tapping Law), which was won by the initiators and their many supporters. Subsequently however, the Dutch government decided to ruthlessly abolish the referendum and Privacy First and others unfortunately were not in a position to prevent the Tapping Law from entering into force almost unaltered. Unless the Dutch government and the House of Representatives decide to thoroughly overhaul the Act, a large scale new lawsuit to challenge it will be on the cards.
In terms of organization, the year has been marked mostly by positive developments. Since the summer, we have a new board of directors, a new advisory board and a new and relatively cheap (small) office on an excellent location. We have switched to privacy-friendly telecom provider Voys. Increasingly, Privacy First is approached by public authorities and companies to cooperate on privacy projects, for example with regard to the infamous European payments directive PSD2, which will soon enter into force in the Netherlands. In addition, Privacy First almost continuously pursues political lobbying and quiet diplomacy. Earlier this year, we’ve lobbied successfully with the Dutch State Commission on the Parliamentary System for the introduction of a binding referendum and a Constitutional Court. Moreover, we’ve made our critical voice heard with regard to the possible introduction of Passenger Name Records (PNR) in aviation and Taser weapons among the Dutch police force. After all, privacy is a broad term and is about much more than data protection only.
However, history has taught us that sustainable privacy protection usually requires legal action at a national or European level. That’s why Privacy First also pursues litigation. Those who’ve been acquainted with us for some time, know that when Privacy First starts legal proceedings, something is really going on - something, to be precise, which isn’t for the better. As soon as large scale privacy violations are imminent, it’s time for Privacy First to step in. This is one such moment. Your support of our operations is indispensable.
Case against ANPR Act
In recent years, Privacy First has regularly warned against the introduction of a new draconian Dutch law which allows for the continuous storage of data relating to travel movements of millions of motorists for four weeks in a central police database, regardless of whether or not these motorists are suspected of any wrongdoing. This is the Automatic Number Plate Recognition Act (ANPR). At the end of 2017, the Dutch Senate adopted this Act, after which Privacy First announced it would initiate legal proceedings. Subsequently, Privacy First had a meeting with the Dutch State Attorney, which was followed by a prolonged silence. Today however, the Dutch government announced it will introduce the ANPR Act as per 1 January 2019. Therefore, Privacy First is currently preparing interim injunction proceedings in order to render this Act inoperative on account of violation of the right to privacy. If necessary, these proceedings will be followed by proceedings which are broader in scope and will deal with the merits of the case. Indeed, this Act is a massive breach of privacy for which there is simply no place in a free and democratic constitutional State. Through Pro Bono Connect, Privacy First has hired law firm CMS to carry out proceedings on our behalf. Ideally, this would happen in coalition with other relevant organizations.
Urgent call for donations
Due to unexpected fundraising setbacks, at present Privacy First urgently needs financial support, including your support as a (potential) donor. The more support we get, the more thorough and therefore the more effective we will be able to conduct these legal proceedings and the more likely it will be we will come out victorious. Would you like to support Privacy First? Donating is very easy on the dedicated page on our website. Otherwise, please donate directly to account number NL95ABNA0495527521 (BIC: ABNANL2A) in the name of Stichting Privacy First in Amsterdam, the Netherlands, stating ‘donation’. Privacy First is recognized by the Dutch Tax and Customs Administration as an Institution for General Benefit (ANBI). Therefore your donations are tax-deductible.
In recent years, Privacy First has had a lot of positive influence thanks to your support. We hope to be able to count on you once again!
Privacy First wishes you happy holidays and a privacy-friendly 2019!
Since 2013, the Dutch Association of General Practitioners has, in an essential civil case, been litigating against the private successor of the Dutch Electronic Health Record (Elektronisch Patiëntendossier, EPD): the National Switch Point (Landelijk Schakelpunt, LSP). At the end of last week, the Dutch Supreme Court decided that, for the time being, the LSP is not in violation of current privacy law. However, the Supreme Court has laid down in its judgment that the LSP will soon have to comply with the legislative requirement of privacy-by-design. This constitutes an important precedent and raises the bar with a view to the future.
Private relaunch of EPD: National Switch Point
In April 2011, the Dutch Senate unanimously rejected the EPD, primarily on account of privacy objections. However, almost directly afterwards, various market participants (among which health insurance companies) made sure there was a relaunch of the same EPD in private form: the LSP, intended for the large-scale, central exchange of medical data. Since then, the LSP has been introduced nationally and many practitioners have aligned themselves with it, oftentimes under pressure of health insurers. Millions of people in the Netherlands have given their ‘consent’ to the exchange of their medical records via the LSP. However, this ‘consent’ is so broad and general, it’s virtually impossible to deem it lawful. This was one of the main objections the court case of the Association of General Practitioners against the LSP revolved around. Other objections against the LSP are related to the fact that its architecture is inherently insecure and in breach of privacy. Through the LSP, every connected medical record is accessible for thousands of health care providers. This is in violation of the right to privacy of patients and the medical confidentiality of treating physicians. What’s more, there is no privacy-by-design, for example through end-to-end encryption. The LSP is basically as leaky as a sieve, which means that it’s ideal for function creep and possible abuse by malicious actors.
Specific Consent Campaign
Over the last couple of years, Privacy First has repeatedly raised the alarm about this in the media. We have brought the issue to the attention even of the United Nations Human Rights Council. In April 2014, a large scale Internet campaign was launched on the initiative of Privacy First and the Dutch Platform for the Protection of Civil Rights (Platform Bescherming Burgerrechten) in order to retain and enhance the right to medical confidentiality: www.SpecifiekeToestemming.nl. Ever since, this campaign is being supported by numerous civil organizations, healthcare providers and scholars. The essence of the campaign is that specific consent should (again) become the leading principle when it comes to the exchange of medical data. In case of specific consent, prior to sharing medical data, clients have to be able to decide whether or not, and if so, which data to share with which healthcare providers and for which purposes. This minimizes risks and enables patients to control the exchange of their medical data. This is in contrast to the generic consent that applies to the LSP. In the case of generic consent, it is unforeseeable who can access, use and exchange someone’s medical data. In this respect, generic consent is in contravention of two classic privacy principles: the purpose limitation principle and the right to free, prior and fully informed consent for the processing of personal data.
Privacy by design
Courtesy also of the pressure exerted by our campaign SpecifiekeToestemming.nl, the Dutch legislative proposal Clients’ Rights in relation to the processing of data in healthcare (legislative proposal 33509), was strenghtened by the House of Representatives in 2014 and was adopted by the Senate in 2016 as a result of two crucial motions: 1) the motion Bredenoord (D66) about the further elaboration of data-protection-by-design as the starting point for the electronic processing of medical data and 2) the motion Teunissen (Party for the Animals) related to keeping medical records accessible on a decentral (instead of a central) level. Under the new law, specific (‘specified’) consent is obligatory. This should now be implemented in all existing and future systems for the exchange of medical data, including the LSP. Moreover, privacy-by-design will become an inexorable legal duty under the new European General Protection Data Regulation (GDPR), that is to say, privacy and data protection should be incorporated in all relevant hardware and software from the very first design. In this context, there have been several developments on the Dutch market in recent years, all of which indicate that both specific consent as well as privacy-by-design are indeed becoming standards in new systems. A prime example of this in a medical context is Whitebox Systems, which won a Dutch National Privacy Innovation Award in 2015 already.
Court case of Association of General Practitioners
Since March 2013, the Dutch Association of General Practitioners (Vereniging Praktijkhoudende Huisartsen, VPH) has been litigating in a large-scale civil case against the private administrator of the LSP: the Association of Healthcare Providers for Healthcare Communication (Vereniging van zorgaanbieders voor zorgcommunicatie, VZVZ). Following unsatisfactory rulings by the district court of Utrecht and the Arnhem Court of Appeal, VPH appealed before the Dutch Supreme Court at the end of 2016. Since then, this case has, on the recommendation of Privacy First, received pro bono support from law firm Houthoff Buruma. As amicus curiae, Privacy First and the Platform for the Protection of Civil Rights filed a letter (PDF) with the Supreme Court in support of the general practitioners and in line with our joint campaign SpecifiekeToestemming.nl. In her conclusion, the Advocate general of the Supreme Court referred extensively to the amicus curiae letter. On 1 December 2016, the Supreme Court finally came up with its ruling. Regrettably, the Supreme Court by and large agreed with the line of reasoning of the Arnhem Court of Appeal. Privacy First cannot help thinking that the LSP (even before the Supreme Court) is apparently too big too fail: by now this faulty system has grown to the extend that no one dares to declare it unlawful. There is, however, an important positive note, which can be found in the final consideration of the Supreme Court:
‘‘[The Court has] acknowledged that the healthcare infrastructure can be designed in such a way that a clearer distinction can be made between (sorts of) data and (categories of) healthcare providers and, particularly, in such a way that the exchange of data on the basis of consent can beforehand be limited to cases of urgency. The Court takes the view that such infrastructure would be better in line with the principles of the Privacy Directive and the Personal Data Protection Act, but that it could not have been demanded from VZVZ at the time of the contested ruling. According to the Court, VZVZ can be expected, however, to alter its system offering greater freedom of choice, as soon as this is technically possible and feasible.
These considerations are not incomprehensible. It is worthwhile noting that, considering (...) the regulatory changes and VZVZ’s ambitions in relation to the system (...), privacy by design and privacy by default as explicit points of departure (art. 25, paragraphs 1 and 2 General Data Protection Regulation), is what the Court can reasonably expect from VZVZ.’' (5.4.4)
Just like the Arnhem Court of Appeal, the Supreme Court clearly homes in on the implementation of specific consent and privacy-by-design when it comes to the LSP. The Supreme Court thereby creates a positive precedent which will set the scene for the future, also in a broader sense. Privacy First will continue to actively follow the developments in this case and, if necessary, will not hesitate to bring certain aspects to the attention of the courts once more.
HERE you find the amicus curiae letter written by Privacy First and the Dutch Platform for the Protection of Civil Rights (pdf in Dutch).
Comments from the Dutch Association of General Practitioners: http://www.vphuisartsen.nl/nieuws/cassatieberoep-vphuisartsen-verloren-toch-winst/
Comments from SpecifiekeToestemming.nl: http://specifieketoestemming.nl/werk-aan-de-winkel-na-teleurstellend-vonnis-over-lsp/.
The Dutch government and Parliament aim to quickly introduce the privacy-violating Tapping law. A coalition of privacy advocates will start interim injunction proceedings to prevent this from happening.
Implementation of unaltered Tapping law imminent
In recent months, there has been a thorough public debate in the Netherlands about the new Dutch Intelligence and Security Services Act, the so-called ‘Tapping law’. In a referendum that was held on 21 March 2018, a majority of the Dutch citizenry voted AGAINST this act. In response to this, the Dutch government has promised only a few minor, superficial policy changes as well as a few non-fundamental legislative amendments. Both the Dutch government and the House of Representatives have with full intent pushed for a prompt entry into force of the Tapping law in its unaltered form, as per 1 May to be exact. The envisaged legislative amendments will be presented by the government only after the summer. Regrettably, a motion to postpone the implementation of the Tapping law until after these legislative amendments have been discussed, was yesterday repealed by the House of Representatives. With that, it seems Parliament has had its say and it is now again up to society to make a move.
Interim injunction proceedings
It is Privacy First’s established policy to try to prevent massive privacy violations. Unmistakeably, the implementation of the current Tapping law is a massive privacy breach, because as a result of it, there will be large-scale tapping into the Internet traffic of innocent citizens and, moreover, the data of innocent citizens will be exchanged with foreign secret services without first being evaluated. This is a blatant violation of the right to privacy. Therefore, we cannot wait for any possible legislative amendments that serve to ‘rectify retrospectively’. After all, by that time the violations will have already occurred. Today, a coalition of Privacy First and various other civil organizations and companies urge the government to postpone the introduction of the Tapping law (or at least those parts of it that constitute the gravest privacy violations) until all legislative amendments have been discussed in Parliament. In case the government refuses this request, our coalition will not hesitate to start interim injunction proceedings in order to enforce the postponement of the Tapping law before court.
Alongside Privacy First, the coalition that has been created for these proceedings is comprised of the Netherlands Committee of Jurists for Human Rights (NJCM), Bits of Freedom, the Dutch Association of Criminal Defence Lawyers (NVSA), the Dutch Platform for the Protection of Civil Rights, Free Press Unlimited, BIT, Voys, Speakup, Greenpeace International, Waag Society and Mijndomein Hosting. The case is taken care of by Boekx Attorneys and is coordinated by the Public Interest Litigation Project (PILP) of the Netherlands Committee of Jurists for Human Rights. Apart from said interim injunction proceedings, since March 2017 Privacy First and other organizations are preparing a larger scale lawsuit in order for multiple parts of the Tapping law to be declared unlawful as it contravenes international and European privacy law.
Today, on behalf of the coalition, our attorneys will send a letter to the Dutch government (the ministers of the Interior and Defence) requesting the postponement of the implementation of the Tapping law. The government will have the opportunity to respond to this request until Friday, 20 April.
Update 20 April 2018: the government has rejected the appeal of the coalition. The coalition will now continue preparing interim injunction proceedings.
Update 17 May 2018: today the coalition summons has been sent to the Dutch state attorney; click HERE for the full version (pdf in Dutch). The summary proceedings will take place at the District Court of The Hague on Thursday 7 June 2018, 10.00 am - 12.00 pm CET.
Update 7 June 2018: this morning the hearing took place before the District Court of The Hague; click HERE for the pleading of our attorneys (pdf in Dutch). The court is expected to deliver a ruling on Tuesday, 26 June 2018.
Update 26 June 2018: to the great disappointment of Privacy First, today the District Court of The Hague has unfortunately rejected the case. Find the complete ruling (in Dutch) HERE. From a legal point of view, the bar was set high in these interim injunction proceedings: in order to be able to win our case, the judge had to declare the Tapping law ‘unequivocally ineffective’ on account of blatant (unequivocal) violation of international or European privacy law. However, the court ruling reads like a foregone conclusion in favor of the State, not least because various objections of our coalition have remained unidentified. That being said, it needs to be stressed (as the court itself does too), that this ruling constitutes only a preliminary opinion and that a thorough (‘full’) review was lacking in this case.
The coalition of organizations that has initiated these proceedings regrets the judgment. In view also of the result of the referendum, the coalition is of the opinion that the government should have waited to introduce the contested parts of the Tapping law until the parliamentary legislative process in response to the referendum is finished. Introducing the Tapping law unchanged on 1 May 2018 before proposing amendments at a later stage (after the summer) is and remains incorrect.
The coalition will soon discuss possible follow-up legal action.
Today the district court of The Hague ruled in the case Citizens v. [Dutch Minister of Home Affairs] Plasterk ("Burgers tegen Plasterk"). In this lawsuit a coalition of citizens and organizations (including Privacy First) demands the Dutch General Intelligence and Security Service (AIVD) and the Dutch Military Intelligence and Security Service (MIVD) to put an end to the receipt and use (''laundering'') of illegally collected foreign intelligence on Dutch citizens, for example through the infamous PRISM program of the American NSA. Unfortunately the court has rejected all of the claims. Below are some first observations by Privacy First.
A positive aspect of the judgment is that the court deems all plaintiffs (citizens and organizations) admissible. This is a very welcome development for Privacy First with regard to our current Passport Trial before the Supreme Court of the Netherlands, wherein such admissibility will be crucial. However, this bright spot is overshadowed by the way the district court of The Hague has dealt with the merits of the case.
First of all, the court failed to carry out a fact-finding study: in fact no witnesses and experts were heard at all, even though this was offered to the court on forehand and Dutch law offers sufficient opportunity for this.
Furthermore, it is striking that the court deems less strict procedural safeguards necessary when it comes to the exchange of massive amounts of raw data in bulk. For the exchange of information on such a large scale, stricter – not less strict – procedural safeguards are necessary, as most of these data relate to innocent citizens.
In addition, the court wrongfully makes a distinction between metadata (traffic data) and the content of communications, while both types of data overlap and require the same high level of judicial protection.
The court is also wide off the mark by judging that the legal requirement of foreseeability (including privacy guarantees) of Article 8 of the European Convention on Human Rights (ECHR) would be less applicable to the international exchange of data between secret services. As yet, in the Netherlands the legal basis of such exchange of data is formed by a relatively obscure legal provision: Article 59 of the Dutch Intelligence and Security Services Act (Wiv). This article is far from fulfilling the modern requirements that article 8 ECHR imposes on such provisions. Therefore, the current practice of exchange between the AIVD/MIVD and foreign secret services in essence takes place within a legal vacuum, a legal black hole.
In the view of Privacy First, the current judgment of the Hague court comes down to the ''legal laundering'' of this practice. Privacy First expects that higher courts will deem this situation to be a violation of Article 8 ECHR and is looking forward to the appeal before the Hague Court of Appeals with confidence.
"Gestern hat ein Bündnis aus niederländischen Aktivisten und NGOs Klage gegen ihren Innenminister Ronald Plasterk eingereicht – darunter unter anderem der Journalist Brenno de Winter, der Hacker und ehemalige Wikileaks-Mitarbeiter Rop Gonggrijp der niederländische Strafverteidiger- und Journalistenverband, die Privacy First Foundation und der niederländische Zweig des ISOC. Das Bündnis nennt sich selbst “The Dutch against Plasterk” und kritisiert vor allem die scheinheilige öffentliche Verurteilung der NSA-Spionagetätigkeiten, während im Hintergrund Geheimdienstinformationen ausgetauscht werden.
Die Kläger werden durch die Anwaltskanzlei bureau Brandeis vertreten, die erst im August diesen Jahres gegründet wurde und die sich besonders mit der juristischen Vertretung von gesellschaftlich relevanten Fällen aus den Bereichen Copyright, Datenschutz und Medienrecht befasst. Einer der Gründer, Christiaan Alberdingk Thijm, wurde als Verteidiger der File-Sharing-Anwendung KaZaA bekannt."
Source: http://netzpolitik.org/2013/niederlaender-verklagen-ihre-regierung-wegen-nsa-kooperation/, 7 November 2013.
"A coalition of Dutch citizens and organizations initiated legal proceedings against the Dutch State, represented by Minister of Interior Affairs Ronald Plasterk on Wednesday, demanding Dutch intelligent services to stop using NSA data.The subpoena was filed by a coalition of citizens and organizations, among which the Dutch Association of Defense Counsels, the Dutch Association of Journalists, the Internet Society Netherlands Chapter and Privacy First Foundation.
They question the legality of the exchange of data between the Dutch intelligence service (AIVD) and the United States National Security Agency (NSA), and demand that the Dutch State stops using data that has not been obtained in accordance with Dutch law.
Last week Minister Plasterk confirmed the monitoring of mail and phone traffic in the Netherlands by the NSA. He also acknowledged that the Dutch Intelligence Agency had supplied information to the NSA and vice versa, but condemned the interception of phone calls and mails without permission.
"Plasterk has indeed condemned the NSA eavesdropping and spying without permission, but at the same time he is exchanging data with the NSA," told lawyer Christiaan Alberdingk Thijm, who represents the coalition of citizens and organizations, to Xinhua. "So based on the exchange of information regime the AIVD will eventually get the illegally obtained data."
"By using data that has been illegally acquired through the NSA, these data are sort of laundered by Plasterk and his secret services," Alberdingk Thijm added. "This case should put an end to that unlawful conduct. Our goal is that the Netherlands will act according to Dutch law. We cannot do much on what the Americans are doing here, but we can ensure that the Netherlands complies with the law. Furthermore we want citizens to be informed when their data was illegally obtained and used."
Alberdingk Thijm thinks their case could be followed in other European countries. "We based our case on European jurisdiction, so the case could simply be copied in other countries. However, they should sue their own state," he said.
Minister Plasterk was informed by the subpoena on Wednesday and he will, according to the administrative rules, have to appear in court on November 27. After that he will have six weeks, until January 8, to file a response."
Source: http://www.shanghaidaily.com/article/article_xinhua.aspx?id=178503, 7 November 2013.
"A coalition of defense lawyers, privacy advocates, and journalists has sued the Dutch government over its collaboration and exchange of data with the U.S. National Security Agency and other foreign intelligence services.
The coalition is seeking a court order to stop Dutch intelligence services AIVD and MIVD from using data received from foreign agencies like the NSA that was not obtained in accordance with European and Dutch law. It also wants the government to inform Dutch citizens whose data was obtained in this manner.
The legal proceedings were initiated in the Hague district court by the Dutch Association of Defense Counsels, the Dutch Association of Journalists, the Internet Society Netherlands Chapter, the Privacy First Foundation and five private citizens.
The coalition wants to close a loophole through which the Dutch intelligence services can obtain data on Dutch citizens from foreign intelligence partners that it wouldn't have been able to acquire through legal means in the country.
The coalition's lawyers argue that mass data-collection programs like those of the NSA and the U.K. Government Communications Headquarters (GCHQ) violate human rights guaranteed by international and European treaties including the European Convention on Human Rights, the International Covenant on Civil and Political Rights and the Charter of Fundamental Rights of the European Union.
As such, it was illegal in many countries, particularly in the European Union, to obtain data through those programs.
Civil society organizations and citizens in other European countries can and should launch similar legal actions, said Christiaan Alberdingk Thijm, a founding partner of Bureau Brandeis, the law firm that represents the Dutch coalition in this case."
Source: http://www.pcworld.com/article/2061581/dutch-civil-society-groups-sue-government-over-nsa-data-sharing.html, 6 November 2013.
"In Nederland heeft een groep burgers en organisaties een rechtszaak ingespannen tegen minister van Binnenlandse Zaken Roland Plasterk. De groep 'Burgers tegen Plasterk' eist dat de Nederlandse overheid geen informatie gebruikt die het via de Amerikaanse NSA heeft verkregen.
Burgers tegen Plasterk wil dat minister Plasterk verantwoording aflegt over het beleid van de Nederlandse overheid inzake het gebruik van NSA-gegevens. De geteisterde Amerikaanse inlichtingendienst zou illegaal informatie verzamelen over Nederlandse burgers, en die vervolgens doorspelen aan zijn Nederlandse tegenhanger AIVD.
Het initiatief komt onder meer van hacker Rop Gonggrijp en ICT-journalist Brenno De Winter. Ook de Nederlandse Vereniging voor Strafrechtadvocaten en de Nederlandse Vereniging voor Journalisten hebben zich aangesloten bij de rechtszaak, net als de Internet Society Nederland en de Stichting Privacy First.
De advocaat van de groep, Christaan Alberdingk Thijm, [stelt] dat Plasterk en de inlichtingendienst (...) illegaal verkregen data witwassen. 'Deze zaak moet daar een einde aan maken', aldus Alberdingk Thijm.
Minister Plasterk, die eerder al de Nederlandse inlichtingendienst verdedigde, is er van overtuigd dat de AIVD niets verkeerds doen en zich aan het wettelijk kader houdt. (...)"
Source: http://www.standaard.be/cnt/dmf20131106_00826456, 6 November 2013.
Model Municipality Guarantee Letter 2.0
In case you are in need of a new Dutch passport or ID card even though you find it a problem having your fingerprints taken, you can protest against this and cover yourself against the possible consequences of how the Dutch government will deal with your personal data by using the letter below. You can download the Municipality Guarantee Letter for personal use in PDFor in Word-format.
Privacy First has already filled in some possible objections in the model letter. However, you can alter or complete the letter to your own wishes.
At your request your municipality is obliged to accept this Municipality Guarantee Letter, according also to the Dutch National Ombudsman. See also the report about this in Dutch national newspaper De Telegraaf of 22 April 2010.
MODEL MUNICIPALITY GUARANTEE LETTER IN CASE OF A NEW PASSPORT OR ID CARD WITH FINGERPRINTS
Municipality [name of your municipality]
Attn [name of the mayor or the name of the authorised representative of the municipality]
[Address town hall]
[Postal code] [City]
[Your place of residency], [Date]
Dear Sir/Madam [name of the mayor],
You, or one of your officials has stated that on account of the new Dutch Passport Act it is not possible for me to apply for a passport and/or ID card without me providing fingerprints. These fingerprints will be stored in an RFID-chip in my passport or ID card that can be read from a distance.
I hereby protest against the taking of my fingerprints on the following grounds:
1) Having my fingerprints taken constitutes a violation of my human dignity. Fingerprints are to be taken of criminal suspects. Not of innocent citizens.
2) My fingerprints are, and remain, my property. The government has no say over this.
3) Current fingerprint technology (biometrics) does not work in 21-25% of cases. Going ahead with it is a waste of funds at the expense of citizens.
4) By having my fingerprints taken I risk becoming a victim of (biometric) identity fraud, for example after (the RFID-chip in) my passport or ID card has been stolen, lost or hacked into.
This situation constitutes an illicit restriction of my right to the protection of my private life as laid down in Article 8 of the European Convention on Human Rights. Therefore I only provide my fingerprints under protest of having to do so.
Moreover, I would like to point out to you that all actions carried out by the municipality with regard to my fingerprints have to comply with the rules of the Dutch Data Protection Act (Wet bescherming persoonsgegevens, Wbp).
I hereby request you to declare, by signing this letter, that the municipality has taken note of my objections and will only process my fingerprints in compliance with the Wbp. This implies, among other things, that the municipality:
1) will process my fingerprints in a fair and accurate way;
2) will not proceed to further process my fingerprints in ways incompatible with the purposes for which the fingerprints have been obtained (viz., the issuance of a passport and/or ID card);
3) will not provide my fingerprints to any third parties without my explicit prior approval;
4) will not store my fingerprints any longer than is necessary for the realization of the purposes for which the fingerprints have been collected or processed (viz., the issuance of a passport and/or ID card); and
5) will protect my fingerprints against any loss or any form of unlawful processing by means of suitable technical and organizational measures.
I would like to receive this signed letter five days from now at the latest at the address indicated below.
Nothing in this letter may be assumed to be a recognition of the right of the municipality to carry out the above-described actions with my fingerprints. The content of this letter does not restrict any of my rights, all of which are reserved. Furthermore, I would like to point out to you that in case the municipality will process my fingerprints without taking the Wbp into account, or in any other illicit way, the municipality is bound to reimburse any possible damage suffered by me as a consequence.
Signed for agreement on behalf of the municipality,
The Dutch Ministry of Justice wants to track all motorists. The Privacy First Foundation is preparing for legal action.
Under a new, far-reaching legislative proposal, the Dutch Minister of Security and Justice Ivo Opstelten aims to enhance criminal investigation by introducing a four week storage period of the number plates of all cars through camera surveillance and Automatic Number Plate Recognition (ANPR). Current rules dictate that these data have to be deleted within 24 hours. In 2010, the previous Dutch Minister of Justice (Hirsch Ballin) planned to make a similar proposal with a storage period of 10 days. However, the Dutch House of Representatives then declared this topic to be controversial. In his current proposal, Opstelten takes things a few steps further. Early 2010 the Dutch Data Protection Authority (College Bescherming Persoonsgegevens, CBP) ruled that police forces were not adhering to Dutch privacy rules by storing number plates for a greater period than was legally allowed. According to the CBP, all number plates that are not suspect (so-called ‘no hits’) are to be removed from relevant databases immediately. Opstelten’s plan to store the number plates of unsuspected citizens for four weeks directly flies in the face of this.
The Privacy First Foundation considers Opstelten’s legislative proposal to be a threat to society. ‘‘Under this measure every citizen becomes a potential suspect. You ought to trust the government, but it’s that very government that distrusts its own citizens’’, Privacy First chairman Bas Filippini declares. In a healthy democratic constitutional State the government should leave innocent citizens alone. Under this legislative proposal the government crosses that fundamental line. Collectively monitoring all motorists for criminal investigation and prosecution purposes is completely disproportionate and therefore unlawful.
In case Dutch Parliament adopts this legislative proposal, Privacy First will summon the Netherlands and have the legislative Act in question declared null and void on account of being in violation with the right to privacy. If needed, Privacy First and individual co-plaintiffs will be prepared to litigate all the way up to the European Court of Human Rights in