Earlier this year the Dutch Minister of Justice and Security Ivo Opstelten came up with the miserable plan to authorize the Dutch police force to hack into your computer (both at home and abroad!) and to enable the police to demand that you decrypt your encrypted files in the presence of a policeman and obediently hand them over to the State. In the context of an online consultation (in Dutch), Privacy First notified to the Minister that it has a number of principal objections against his plans:
The Privacy First Foundation hereby advises you to withdraw the legislative proposal ‘enforcement of the fight against cybercrime’ on the basis of the following eleven principal grounds:
- In our view, this legislative proposal forms a typical building block for a police State, not for a democratic constitutional State based on freedom and trust.
- The Netherlands has a general human rights duty to continuously fulfil the right to privacy instead of restricting it. With this legislative proposal the Netherlands violates this general duty.
- This legislative proposal is not strictly necessary (contrary to possibly being ‘useful’ or 'handy') in a democratic society. Therefore the legislative proposal is in breach of Article 8 of the European Convention on Human Rights.
- Moreover, this legislative proposal violates the prohibition of self-incrimination (nemo tenetur se ipsum accusare).
- Function creep is a universal phenomenon. This will also apply to this legislative proposal, which will form the basis for future abuse of power.
- This legislative proposal puts the relationship of trust between the Dutch government and the Dutch people to the test. This will lead to a chilling effect in Dutch society.
- Through this legislative proposal age-old assets such as freedom of the press and the protection of journalistic sources, whistleblowers, freedom of speech, free information gathering, freedom of communication and the right to a fair trial are put under severe pressure. This is detrimental to the dynamics within a free democratic constitutional State.
- This legislative proposal and the accompanying technology will be imported and abused by less democratic governments abroad. Therefore the legislative proposal forms an international precedent for a worldwide Rule of the Jungle instead of the Rule of Law.
- As of yet the legislative proposal lacks a thorough and independent Privacy Impact Assessment.
- This legislative proposal stimulates suboptimal (i.e. crackable by the government, because otherwise illegal?) instead of optimal (‘uncrackable’) ICT security.
- Fighting cybercrime demands multilateral cooperation and coordination instead of unilateral panic-mongering as is the case with this legislative proposal.
The Privacy First Foundation
Shocking news reached us last week from the United States regarding the eavesdropping scandal that involves the US government. The digital state terrorism under Obama Bin Laden (the difference is really just a mere letter) has only been further institutionalized in his terms of office and undermines the basis of the democratic constitutional state inside and outside of America. Everyone’s a suspect, massive data storage and then continuous, real-time profiling of every citizen, in particular the citizens and organizations the governments dislikes. ‘’Just trust us, we don’t actually trust you.’’ One-sided transparency, citizens without any form of privacy, the government shielded by so-called state security protocols and always at war with an unknown enemy, so ‘’everything is permissible‘’.
- A democracy is characterized by administrative transparency and respect for the private life of citizens. Within a dictatorship things are exactly the other way around: transparency of private life and administrative secrecy are the norm. To what extent is America still democratic? Over there whistleblowers that represent fundamental rights and real patriots in the true sense of the word are portrayed as terrorists.
- 29-year old Edward Snowden is committed to his own principles and is now forced to seek asylum far away from the United States.
- After having revealed abuses by that same government, Julian Assange felt the need to flee to the Ecuadorian embassy in London where, by now, he’s been holed up for over a year.
- Where are the days when such people got the credit they deserved? Not that long ago, during the Watergate Scandal, the American president had to resign. It also brings to mind George Orwell’s newspeak: simply turning everything around, denying, lying, deceiving. So here we have it: the government that sold "change" and "hope" to its own people and the world.
A few hopeful changes à la Obama:
- Guantanamo Bay is still open and its prisoners have been held there for years without any form of fair trial and with no way out; secret courts are the norm.
- Everywhere in the world, unwanted citizens and innocent citizens are pre-emptively eliminated without any form of trial, judicial process or evidence through the use of drones, which additionally violates the sovereign airspace of foreign states. In case a drone crashes, instead of apologizing for violating international law, the drone is ordered back in no uncertain terms.
- By now hundreds of pilots are trained to fly drones and to kill "suspects" in a computer game-like way.
- Echelon, Carnivore and other data-collection programs are now complemented by PRISM, in order to be able to create a "digital life file" of every citizen, used to analyze the past, the present and possibly future behavior and ways of thinking. In case these ways of thinking are not to the government’s liking, the words "terrorist" and "part of a criminal organization" are immediately proclaimed and a profiling program commenced. This shameless infringement of the right to a private life takes place under the guise of terrorism prevention.
- Whereas in the past citizens under reasonable suspicion of a crime could be tracked on the basis of a judicial decision and whereas control was specifically aimed at foreigners in the home country, nowadays it’s every citizen’s turn without judicial interference and in the US, already 5 million officials of the State have access to such classified information. And the target within PRISM very clearly is the entire world and all (forms of) communication. Welcome to the new world! Data macht frei!
- Now the Obama administration is in the possession of these data, they are directly abused as well, for example by not handing out permits or by carrying out extra tax controls on dissenting groups. For years Privacy First has warned of function creep when it comes to this kind of legislation and the execution thereof. In this respect the Patriot Act is the least patriotic law (newspeak) since the coming into existence of the US and is applied all the time to be infinitely abused by the government, also outside of the US.
This was just a brief overview of cases that have come to the surface. Privacy First is especially bothered by the lack of self-reflection and self-control that governments display. "Is it technically possible? Then let’s do it!"
Instead of having a democratic discussion and offering a content-related reaction including apologies, or instead of the people responsible resigning, an immediate attack is launched and a sideway discussion started, exactly similar to the Wikileaks Affair:
- Everything is inverted, the whistleblowers are terrorists and privacy fetishists who are actually weak and sensitive, characteristics that need to be eliminated immediately.
- Immediately diverting the question away from the topic and focussing on the mistakes made within the organization with the aim to eliminate whistleblowers; how can it be these whistleblowers have not been detected earlier?
- The subsequent phase is the stigmatization of the whistleblower, saying that more resolute action is needed to discourage other intelligent people with common sense and a democratic vision to undertake any such actions.
- After that comes the stigmatization of those holding different views and the press; the disgraceful free press that dares to publish such information: there has already been a call to prosecute any press that collaborates with whistleblowers. An immediate counter attack and you don’t need to talk about the content, a very easy option!
- It is allowed by law through the Patriot Act! Instead of calling this law into question when true patriots that are committed to principles reveal abuses.
- Shamelessly asserting that nothing’s going on when information is shared without the permission of citizens from other countries, with the argument that it’s convenient and that the government knows what is good for citizens. And all of this from a line of thinking dominated by fear, without a privacy-friendly alternative.
Time and again the government evades the real debate about reinforcing the fundamental principles of the democratic society on the basis of faith, about stimulating individual responsibility of citizens and, where necessary, about modifying the system with technology in order to improve the democratic process. The US government, like many other governments, has totally gone out of its mind and has forgotten it serves the interests of its citizens and the democratic fundamental principles instead of the other way around.
Privacy First makes a call to all pressure groups and government institutions to have a broad debate in society about this; in this digital age we are in need of a concrete alternative for the organization of a democratic society in order to stop the explosive growth of government terror that targets innocent and defenceless citizens. In this way Western democracies rapidly become totalitarian dictatorships while our society turns into an "electronic concentration camp".
→ What difference is there still between a dictatorship or a single-party state like China and the big leader of the free Western world, the US? That they are capitalistic societies?
→ What meaning does the message of progress, faith and love still have on a model of society that offers a hopeful future to the fully participating citizen?
At the end of the day scaling up, distancing of citizens, negative messages on the basis of fear, suspicion and black and white thinking will not lead to a more pleasant society. Nevertheless these are everyday occurrences since 9/11. A few years ago Privacy First already decided to choose for a free and inspiring society that had been fought for for 2000 years and to draw a line in the sand for citizens. We pay tribute to the whistleblowers! Who’s next?
Chairman of the Privacy First Foundation
Since September 2012, Dutch Minister Ivo Opstelten has been planning to equip the entire Dutch police force with Taser weapons. At the request of the Privacy First Foundation, the Dutch government will have to answer some tough questions about this before the UN Committee against Torture.
One of the most important and most ratified human rights treaties in the world is the 1984 United Nations Convention against Torture. Under this Convention, torture is prohibited under all circumstances. Anyone who is guilty of torture anywhere in the world is to be prosecuted or extradited. This also applies to civil servants, ministers, presidents and heads of State. The Netherlands has been a party to the UN Convention against Torture since 1988. Periodically, every country that has ratified the Convention is examined by the supervisory treaty body in Geneva: the UN Committee against Torture (CAT). This upcoming Tuesday and Wednesday it's the Netherlands' turn to come under CAT's scrutiny: on Tuesday the Netherlands will be cross-examined by the Committee on various issues, after which the Dutch delegation will come up with answers on Wednesday. Subsequently, the Committee will make a number of critical recommendations (''Concluding Observations'') to the Netherlands.
In preparation of the Dutch session, the Privacy First Foundation, the Dutch National Human Rights Institute (College voor de Rechten van de Mens) and the Dutch section of the International Commission of Jurists (Nederlands Juristen Comité voor de Mensenrechten, NJCM) have recently sent so-called 'shadow reports' about the Netherlands to the Committee in Geneva. Both Privacy First and NJCM emphatically raised the issue of Taser weapons for the Dutch police. Privacy First did so through a special letter to the Committee: click HERE. In this letter Privacy First draws the Committee's attention to the intention of the Dutch Minister of Security and Justice Mr. Ivo Opstelten to soon supply every Dutch police officer with his/her own Taser weapon. (Currently 'only' the arrest teams of the Dutch police force are equipped with Taser weapons.) In the view of Privacy First, the use of Taser weapons can easily lead to a violation of the international ban on torture as well as the related right to physical integrity, which in turn is part of the right to privacy. Taser weapons lower the treshold for police violence and hardly leave behind any scars. At the same time Taser weapons can inflict serious physical damage and mental harm. In conjunction with the current lack of firearms training for Dutch police officers, this produces serious risks for the Dutch population. Therefore we have requested the Committee to critically examine the Netherlands about this and to advise against introducing Taser weapons for the entire Dutch police force. Last Friday, Privacy First was notified from Geneva that the UN Committee will indeed critically examine this issue. This week Privacy First will keep you up-to-date of the latest developments.
Update 13 May 2013, 23.00h: a livestream of the Dutch session can be viewed online HERE (Tuesday 10am-3pm, Wednesday 3pm).
Update 14 May 2013, 15.00h: Today the Dutch delegation in Geneva (under the chairmanship of the Dutch Permanent Representative to the UN) was critically questioned by the Committee on various issues, among which... Tasers. The Dutch answers will follow tomorrow afternoon at 15.00h. Below are the relevant parts both in text as well as in mp3:
Committee member Nora Sveaass (Norway): "I then want to bring the attention to something that I've been informed of, namely that the State [of the Netherlands] is planning on a pilot of using Taser weapons as a regular weapon within the police force. And the pilot is supposed to take place, I understand, the last half of this year, so it's probably just around the corner. This Committee has on many different occasions warned against the use of Tasers, both in special situations and especially as a regular weapon to all the police, as I understand the plans are. And there are a lot of reasons for this, I won't go into the detail, because these have been described both by this Committee and by a lot of others, because, first of all, health reasons, physical as well as psychological. So I would hope that you would rethink and perhaps change the decision of implementing a pilot and also doing it in practice."
Committee member Fernando Mariño Menéndez (Spain): "I'm also concerned by the decision that we've heard about to generalize the use of Tasers by all regular police officers, as just referred to by Mrs. Sveaass, that the Tasers will be used as an [armament] for standard use across the Kingdom of the Netherlands. That's our understanding, perhaps we're wrong, perhaps there is a special protocol governing the use of Tasers. Our position as a Committee is that Tasers shouldn't be used at all. If they are to be used, and this seems to be dangerous, then they need to be used in very specific cases and properly regulated. We'd like to know what's happening in the Kingdom of the Netherlands."
Update 14 May 2013, 16.45h: This afternoon Privacy First employee Vincent Böhre was interviewed about this topic on Dutch radio station FunX. You can listen to the entire interview (in Dutch) here:
Update 15 May 2013: This afternoon the Netherlands had the opportunity to answer the questions that were asked by the UN Committee yesterday. In the audio file below you can hear how the Dutch Permanent Representative to the UN in Geneva denies and downplays the Dutch plans concerning Taser weapons. For the Committee members this was no reason to tone down or withdraw their critical remarks made yesterday. Therefore, Privacy First expects the Committee to express sharp criticism on the Dutch Taser plans in its Concluding Observations that are soon to be issued. Tonight the Committee already published a press release about the Dutch session; click HERE.
Update 16 May 2013: An integral video registration of both session days of the UN Committee is online HERE. The Concluding Observations of the Committee about the Netherlands will follow on Friday afternoon 31 May 2013 (June 3rd at the latest), Privacy First was told by telephone from Geneva today.
Update 22 May 2013: as a result of the Dutch session before the UN Committee last week, Dutch opposition party D66 today has posed a series of critical Parliamentary questions to Minister Opstelten; click HERE (in Dutch).
Update 31 May 2013: As predicted earlier by Privacy First and as reported tonight by Dutch television news program EenVandaag, the UN Committee against Torture has issued a negative statement today about Minister Opstelten's plans to equip the entire Dutch police force with Taser weapons:
"The Committee is concerned about the pilot plan to be reportedly launched to distribute electrical discharge weapons to the entire Dutch police force, without due safeguards against misuse and proper training for the personnel. The Committee is concerned that this may lead to excessive use of force (arts. 2, 11 and 16). The Committee recommends to the State party, in accordance with articles 2 and 16 of the Convention, to refrain from flat distribution and use of electrical discharge weapons by police officers. It also recommends adopting safeguards against misuse and providing proper training for the personnel to avoid excessive use of force. In addition, the Committee recommends that electrical discharge weapons should be used exclusively in extreme limited situations where there is a real and immediate threat to life or risk of serious injury, as a substitute for lethal weapons." (para. 27. Click HERE for the entire document.)
The Privacy First Foundation hopes that this negative stance by the UN Committee will lead to a reconsideration and withdrawal of the Dutch plans to equip every Dutch police officer with a Taser weapon. Privacy First also hopes that the announced pilot will not be executed.
From the response to Parliamentary questions (in Dutch) it emerged this week that there is no specific legal basis for the secret use of drones by police in the
Without a specific legal basis in accordance with Article 8 paragraph 2 ECHR, every police drone constitutes an inadequate means of criminal investigation that shouldn't be used. Therefore the use of such drones should be suspended with immediate effect. In individual criminal cases, it is up to the judge to exclude information gathered with police drones from legal proceedings as it concerns unlawfully obtained evidence.
Privacy First hereby makes an urgent appeal to the Dutch House of Representatives to institute a moratorium on the further use of drones. Such a moratorium should only be lifted after a broad democratic debate has taken place and the use of drones has been properly regulated. In case the current Dutch situation will continue to be politically tolerated, Privacy First reserves the right to enforce a moratorium in court.
As of 2 October 2012, the new Dutch National Human Rights Institute (College voor de Rechten van de Mens, CRM) will open its doors. Recently the Institute under formation established the essential pillars of its policy for the coming years, namely 1) care for the elderly, 2) immigrants and 3) discrimination on the labor market. However, of all human rights, in recent years the right to privacy is worst off in the Netherlands. Contrary to the above mentioned pillars (that concern vulnerable groups of people), the right to privacy appertains to anyone who finds him or herself on Dutch soil. In essence this has turned the entire Dutch population into a vulnerable group, especially in comparison to the situation in other countries where the protection of privacy is much better regulated. A few years ago the right to privacy was even about to become a complete illusion in the Netherlands. In May 2009 this state of affairs led to the foundation of the Dutch Platform for the Protection of Civil Rights (Platform Bescherming Burgerrechten) in which various non-governmental organisations (NGOs) have joined forces. This week the Platform sent the below appeal (co-authored and signed by Privacy First) to the chairman of the future National Human Rights Institute, Laurien Koster:
Dear Ms. Koster,
Today, of all human rights, the right to privacy finds itself under the most pressure. Therefore, it is with concern that the Platform for the Protection of Civil Rights recently took note of the three essential pillars of the National Human Rights Institute for the coming years, namely 1) care for the elderly, 2) immigrants and 3) discrimination on the labor market. Not willing to take anything away from the social importance of these three pillars, in this letter we ask you to still consider adopting privacy as one of the pillars of your Institute.
In recent years, there seems to be the tendency in the Netherlands to confront every social problem with a standard formula, that is say, more digital registration, more linkage of files, opening up systems and central databases that become accessible to ever more officials and third parties, restriction of professional autonomy, preventive controls and profiling. It seems as if people, especially politicians, influenced as they are by the media and the vox populi – which in turn is affected by the media – think that these instruments exert a certain control over society that should lead to more order, tranquillity and security. In our opinion the opposite effect is increasingly the case. After all, digitalization implies that the quantity of data that is stored of every citizen becomes ever greater and less clear and less controllable. This especially applies to data that have been inserted or linked up erroneously or that are obsolete. The exponential growth of digital registrations sees a dramatic increase in risks of data leakages while new forms of identity fraud and identity theft arise. This means that the insecurity of digital systems becomes a direct threat to citizens. Furthermore, there’s a risk that citizens become their own digital ‘doubles’ through digital profiling. This implies that the autonomy of the free citizen who participates in society – a characteristic so very important in a democratic constitutional State – is seriously put at stake.
Going back to a society without the Internet or digital files is by no means what we advocate for (if it were possible anyway). However, a sensible use of technological means, among which data storage, biometrics and other such technological assets, will be necessary to retain our democratic constitutional State and affiliated fundamental rights. Particularly in these times of unforeseen technological possibilities we should once more realize how important the fundamental principles of our society are. Therefore, it should every time be assessed what is within the boundaries of acceptability and to what extent possible alternatives on a human scale, such as personal contact but also assistance and service, are desirable or necessary.
Privacy constitutes the basis of our democratic constitutional State. Without privacy many other human rights are at issue, among which are the right to confidential communication and freedom of speech, non-discrimination, freedom of movement, association and assembly, demonstration, culture and religion, press freedom as well as the right to a fair trial. Apart from that we observe that in the Netherlands the right to privacy can only rely on patchy protection by government supervision, that is to say, it only concerns the protection of personal data. As far as the protection of personal privacy in the broadest sense of the word is concerned (and this includes the inviolability of the home and the right to physical integrity) there is hardly any government supervision. Moreover, with regard to the realization and compliance to as well as the protection and promotion of the right to privacy in conjunction with other human rights, government supervision is lacking altogether. It is especially in these areas that your Institute has added value and can help overcome the ‘human rights gap’ that has come into existence in the Netherlands in recent decades.
We hope that your Institute will still make the right to privacy one of its policy pillars. If you wish, the organizations that together form the Platform for the Protection of Civil Rights are happy to supply you with information and advice.
On behalf of the participants of the Platform for the Protection of Civil Rights I remain respectfully yours.
chairman of the Platform for the Protection of Civil Rights
On behalf of the Platform participants:
Humanistisch Verbond (Humanist Association)
Stichting KDVP (KDVP Foundation; Dome of DBC Free Practices)
Stichting Meldpunt Misbruik ID-plicht (Contact Point on Abuse of Mandatory Identification)
Ouders Online (Parents Online)
Stichting Privacy First (Privacy First Foundation)
Burgerrechtenvereniging Vrijbit (Civil rights society Vrijbit)
Jacques Barth (on behalf of Stichting Brein en Hart i.o. (Brain and Heart Foundation under formation)
Joyce Hes (advisor to the Platform for the Protection of Civil Rights)
Kaspar Mengelberg (on behalf of DeVrijePsych (The Free Psychiatrist))
A pdf version of this letter can be found HERE (in Dutch)
Update: in a written reply (pdf) the Institute under formation notifies that in the Netherlands there is indeed ‘‘still a lot to be done to safeguard the right to privacy’’. The Institute also acknowledges the limited mandate of the Dutch Data Protection Authority (College Bescherming Persoonsgegevens). However, for the time being the Institute sticks to its intended strategic agenda. Nevertheless, in the future (also the coming three years) the Institute ‘‘can’t and won’t distance itself from problems when realizing the right to privacy’’. Privacy First will be eager to remind the Institute of this in urgent cases.
"Courts are investigating the legality of a European Union regulation requiring biometric passports in Europe. Last month, the Dutch Council of State (Raad van State, the highest Dutch administrative court) asked the European Court of Justice (ECJ) to decide if the regulation requiring fingerprints in passports and travel documents violates citizens’ right to privacy. The case entered the courts when three Dutch citizens were denied passports and another citizen was denied an ID card for refusing to provide their fingerprints. The ECJ ruling will play an important role in determining the legality of including biometrics in passports and travel documents in the European Union.
The Dutch Council referred the question of legality to the ECJ, arguing that the restrictions on privacy do not outweigh the ostensible aim of fraud prevention, and questioning the RFID technique. The Council also questioned whether fingerprints could be safeguarded so that they would only be used in passports or identity cards and not in databases for other purposes (known as function creep). The four cases that prompted this challenge to the biometric passport regulation are suspended pending the ECJ’s response.
The Netherlands has mandated fingerprints in passports and ID-cards since 2009. The Dutch biometric Passport Act is the misshapen offspring of the European Regulation compelling security features and biometrics in passports. The Regulation mandates that passports include two fingerprints taken flat in interoperable formats.
The Netherlands' storage of a biometric database was suspended in 2011, following privacy concerns as well as questions over the reliability of biometric technology. The Mayor of the City of Roermond reported that 21 percent of fingerprints collected in the city could not be used to identify any individuals. In April 2011, the Dutch Minister of Interior, in a letter to the Dutch House of Representatives, asserted that the number of false rejections was too high to warrant using fingerprints for verification and identification. Currently, only fingerprints stored in Radio Frequency Identification (RFID) chips embedded in ID documents are being collected.
The Amsterdam-based Privacy First Foundation (Stichting Privacy First) appreciates the critical stance on biometrics taken by the Dutch Council of State in line with the position taken by a German court: "We hope the ECJ will soon rule that the European Passport Regulation is invalid both in a formal, procedural sense (having been improperly adopted in 2004) and in a material sense (violating the human right to privacy and data protection). In the meantime, we hope the Dutch Parliament will scrap compulsory fingerprinting for Dutch ID cards as soon as possible."
A government proposal to this effect is currently before the Dutch House of Representatives.
The Dutch Council concerns echo questions raised by a German court earlier this year regarding the legality of the German biometric passports with RFID chips. The German court has questioned whether the EU regulation is compatible with the Charter of Fundamental Rights of the European Union (EU Charter) and the European Convention of Human Rights (ECHR). The German case was preempted when a German citizen, Michael Schwarz, refused to provide his fingerprints to obtain his new passport and the City of Bochum decided not to issue him one.
Mr. Schwarz argued that the regulation infringes privacy as protected under the ECHR and the EU Charter. In this case, the German court argued that the European Union has no legislative competence to enact rules on standards for security features and biometrics in passports as there is no direct relation of such rules to the protection and security of EU external frontiers.
The German court decided that the requirement of biometric data in passports is a “serious infringement” on privacy, arguing that the measure does not satisfy the proportionality test of being appropriate, necessary, or reasonable."
Read the entire article (including sources) on the website of the Electronic Frontier Foundation (EFF) HERE.
In the context of a public consultation, the Dutch Ministry of the Interior recently requested Privacy First to react to the current government proposal to revise Article 13 of the Dutch Constitution (right to confidentiality of postal mail, telephone and telegraph). Below are our comments on the current draft of the legislative proposal (click HERE for the original Dutch version in pdf):
Ministry of the Interior and Kingdom Relations
Deputy Director for Constitutional Affairs and Legislation
Mr. W.J. Pedroli, LL.M.
PO Box 20011
2500 EA The Hague
Amsterdam, 29 December 2012
Re: Comments by Privacy First on the revision of Article 13 of the Constitution
Dear Mr. Pedroli,
On October 16th 2012 you requested the Privacy First Foundation to react to the draft legislative proposal to revise Article 13 of our Constitution. Privacy First is grateful for your request and is happy to hereby provide you with critical comments. In the first place, Privacy First fully endorses the desire of this government to modernise the current, archaic Article 13 of the Constitution. However, Privacy First regrets the fact that the government has not seized the opportunity to also renew and reinforce other ‘fundamental rights in the digital age’.
In the view of Privacy First, the first and third paragraphs of the current draft legislative proposal to revise Article 13 of the Constitution form powerful anchors for a future-proof right to confidential communication. The first paragraph rightly upgrades the old confidentiality of postal mail, telephone and telegraph to a technology-independent (or technology-neutral) confidentiality of mail and telecommunication. The third paragraph forms a correct guarantee for the horizontal effect thereof. Moreover, Privacy First endorses the broad interpretation that is being given by the draft Explanatory Memorandum (EM) to various relevant concepts. However, the second paragraph of the draft proposal contains a systematic imbalance which, in times less democratic, could endanger the rule of law in our society. It is precisely this paragraph which most of Privacy First’s criticism is focused upon. Other points of criticism concern compulsory notification towards citizens in the event that special powers have been used by the intelligence and security services, traffic data as well as the lack of a comparative legal section in the EM.
Judicial authorisation and national security
The EM rightly states that "in light of Article 13 (...) the protection of citizens against violations by the government is paramount, especially in light of the actions by the police and intelligence services. Demanding a judicial authorisation under the Constitution provides a strong and clear constitutional guarantee." It is therefore incomprehensible that in the second paragraph of the draft legislative proposal the domain of national security is being excluded from judicial supervision. After all, where the concentration of power is supreme, judicial checks and balances should be the most potent to prevent any (future) abuses of power. In light of European history, the exception in paragraph 2 is in fact entirely irresponsible: unfortunately, even in our part of the world a democratic constitutional State is not a static matter of fact. Apart from that, the current draft proposal sends out a dangerous signal to foreign governments. Furthermore, Privacy First deems the exception in paragraph 2 unwise in view of possible technological developments in the (far) future. The same holds true in relation to the (further) expansion of the notion of ‘national security’. Also in the future, the Dutch population needs to be protected against arbitrary violations of confidentiality of communication; in this regard the current wording of paragraph 2 offers no guarantee whatsoever.
Adding an extra ‘judicial layer’ would strengthen the current system of internal and external supervision on the intelligence and security services (and hence reinforce our democratic constitutional State). In this regard, the system of judicial supervision in a country like Canada could be a source of inspiration. Such judicial control would also be in line with the case-law of the European Court of Human Rights:
“The Court has indicated, when reviewing legislation governing secret surveillance in the light of Article 8 [ECHR], that in a field where abuse is potentially so easy in individual cases and could have such harmful consequences for democratic society as a whole, it is in principle desirable to entrust supervisory control to a judge.”
In light hereof, the current wording of paragraph 2 is not expedient. Privacy First thus advises a revision of this paragraph as follows:
“This right can be restricted in cases defined by law with the authorisation of a judge or, in the interest of national security, with authorisation from one or more ministers appointed by law.’’ [lining through by Privacy First]
As a possible alternative to the introduction of judicial supervision in the security domain, Privacy First advises to upgrade the existing Dutch Review Committee on the Intelligence and Security Services (CTIVD) into a more powerful, independent supervisory body, similar to the Belgian or German model with overall compulsory inspections beforehand instead of random supervisory inspections afterwards.
A second point of criticism concerns the lack of an explicit constitutional notion of compulsory notification in the event of any infringement of the confidentiality of mail and telecommunication. Compulsory notification provides legal protection to citizens and contributes to the correct enforcement of law by the government, also in the security domain. Like judicial authorisation, this offers the best guarantuees against short-term as well as long-term violations.
From Privacy First's point of view, traffic data too need to fall within the scope of Article 13 of the Constitution. These data are often related to the content of communication; this even follows from the text of the EM itself, where text messages ('SMS') and the email subject line are rightly mentioned as examples. The same goes for instance for search terms in search engines. Apart from that, it is possible to deduce the content of communication between individuals and/or companies from traffic data in conjunction with other data (possibly collected in real-time). So here too, a vigorous regime of Article 13 of the Constitution in conjunction with judicial supervision is essential.
Finally, in the current EM Privacy First misses a comparative legal paragraph in which current Article 13 of the Constitution is compared with constitutional best practices from countries with either a civil law or a common law tradition. Additionally, with a new Article 13 of the Constitution that is state-of-the-art internationally, the Netherlands could positively distinguish itself and to some degree regain its former position as a leader in human rights.
Privacy First hopes that this advice will be of use to you. We are willing to give clarifications on the above points upon request.
Privacy First Foundation
Director of Operations
 EM, at 18, 20.
 Compare EM at 11, 1st paragraph.
 ECHR 22 November 2012, Telegraaf vs. Netherlands (Appl.no. 39315/06), para. 98. Compare also ibid., paras. 98-102.
 EM, at 18.
Update 8 February 2013: see also the critical comments by the Netherlands Committee of Jurists for Human Rights (NJCM), Bits of Freedom and the newly established Netherlands Institute for Human Rights (in Dutch).
This morning in Geneva the long-awaited Universal Periodic Review (UPR) of the Netherlands took place before the Human Rights Council of the United Nations (UN). In the run up to this four-year session, the Privacy First Foundation and various other organisations had emphatically voiced their privacy concerns about the Netherlands to both the UN and to almost all UN Member States; you can read more about this HERE. The Dutch delegation for the UPR session was led by Interior Minister Ms. Liesbeth Spies. The opening statement by Spies contained the following, remarkable passage about privacy:
"The need to strike a balance between different interests has sometimes been hotly debated in the Dutch political arena, for example in the context of privacy measures and draft legislation limiting privacy. The compatibility of this kind of legislation with human rights standards is of utmost importance. This requires a thorough scrutiny test, which is guaranteed by our professionals and institutions. Improvements in this regard have been made when necessary, especially in the starting phase of new draft legislation. This has been done in the field of privacy, where making Privacy Impact Assessments (PIAs), describing the modalities for the planned processing of personal data, are compulsory now." (pp. 5-6, italics Privacy First)
A "thorough scrutiny test" and compulsory Privacy Impact Assessments are the terms that positively stand out for Privacy First.
Prior to the UPR session, the United Kingdom had already put the following questions to the Netherlands: "Given recent concerns about data collection and security, including the unintended consequences of cases of identity theft, does the Netherlands have plans for measures to ensure more comprehensive oversight of the collection, use and retention of personal data?" (Source) On behalf of the Netherlands, Minister Spies responded to this question in Geneva this morning saying: "On the review of our laws on data protection, The Netherlands are currently working on a legislative proposal on data breach notification, following announcements of this proposal in the present coalition agreement. The proposal, which would require those responsible for personal data to notify the data protection authorities in case of "leakage" of personal data with specific risks for privacy (including identity theft), is expected to be tabled in Parliament in the coming months." This answer is rather concise and unfortunately it doesn’t contain any new elements. However, a new Dutch law on compulsory notification for data leakages will hopefully become a best practice for other UN Member States. The credits for this go to our colleagues of the Dutch NGO Bits of Freedom who have worked on this for a long time.
During the UPR session Estonia called the protection of privacy and personal data a "human rights challenge of the 21st century". Morocco then asked a critical question about the privacy issue: "Quelles sont les mesures concrètes entreprises par les autorités néerlandaises pour sécuriser l'utilisation des donnés personnelles?" ("What are the concrete measures taken by the Dutch authorities to protect the use of personal data?") The Philippines also raised the issue of the right to privacy, but only in these words: "The Philippine delegation appreciates the frank assessment of the Netherlands of the obstacles and challenges it has to hurdle in the implementation of the right to privacy especially in the area of protection of personal information." The comments by Greece, India, Russia and Uzbekistan were more content-focused. Greece addressed the practice of preventive searches: "We take note of reports regarding the issue of preventive body searches. We recommend that the Netherlands ensure that in its application of preventive body searches, all relevant human rights are adequately protected, in particular the right to privacy and physical integrity and the prohibition of discrimination on the basis of race and religion." India exhorted the Netherlands on ethnic profiling of citizens: "We encourage the Dutch Government to take concrete measures to combat discrimination including discrimination by the Government such as ethnic profiling." Russia too advised the Netherlands "to introduce measures to stamp out discrimination arising as a result of the practice of racist, ethnic or religious profiling." The Netherlands was addressed about this very issue by Uzbekistan as well: "We are concerned over the existence of information on the increasingly broad use by the police of racist profiling."
As a reaction to these points Minister Spies referred to recent research by the Dutch police, scientists and the National, the Amsterdam and the Rotterdam Ombudsman about preventive body searches, discrimination and ethnic profiling. With regard to digital profiling (in general), she moreover proclaimed the following: "In its recent proposal for a general Data Protection Regulation, the [European] Commission has included rules on profiling, which can address the problems associated with profiling and the protection of personal data. The Netherlands endorses the need for clear legislative rules with regard to this topic, given the specific challenges for privacy protection that this technique entails. This is also the background against which the Netherlands welcomed in 2010 the Council of Europe Resolution on this topic, which contained a useful definition of profiling that would also be beneficial for inclusion in the [European] Commission proposals. The Netherlands will draw attention to this ongoing discussion in Brussels. The Regulation, once in force, will be directly applicable in the Netherlands."
By and large this is a reasonable result, given that up until now the privacy issue had hardly played any role at all within the UN Human Rights Council. However, it’s a shame that most countries still hardly dare to confront this issue, let alone ask specific and critical questions about it. Many of the recommendations by Privacy First have not been touched upon during this UPR session, although diplomats in Geneva and The Hague had earlier shown great interest in them. Perhaps they were stopped by their Foreign Affairs departments in capital cities because many privacy issues are also sensitive in their own domestic politics? Who knows... However, the fact remains that the international community was informed by Privacy First well in advance, which was part of the reason that the Dutch UN delegation headed by Minister Spies was properly focussed on the job at hand. This can only be to the benefit of general awareness and the protection of privacy, both inside and outside the Netherlands. In the end, for us this is what it’s all about.
Update 4 June 2012: This afternoon, a working group of the Human Rights Council adopted a draft report on the Dutch UPR session. The final version of this report will be adopted by the Human Rights Council in September 2012, accompanied by a (motivated) acceptance or rejection by the Netherlands of each individual recommendation in the report. Furthermore, this will also be discussed by the Dutch House of Representatives.
A total of 49 countries have taken part in the Dutch UPR session. It is noteworthy that Belgium, Italy and Austria did not take part in the session (although Belgium and Italy had in fact enrolled beforehand). As far as Austria is concerned this is particularly regrettable, because of all the UN Member States it was actually Austria which had in advance expressed the most interest in the Privacy First UPR shadow report and had intimated to be able to make a powerful, overall recommendation to the Netherlands about the right to privacy.
Update 21 September 2012: This morning, the UN Human Rights Council discussed its recommendations to the Netherlands. The Dutch Permanent Representative in Geneva declared which recommendations have been accepted or rejected by the Netherlands; see this UN document and this video. The two recommendations by the Human Rights Council that related to ethnic profiling and preventive body searches have both been accepted by the Netherlands under the following clarification:
- ethnic profiling: "The Dutch government rejects the use of ethnic profiling for criminal investigation purposes as a matter of principle." About profiling in a more general sense: "In its recent proposal for a General Data Protection Regulation, the European Commission included rules on profiling that address problems that may arise due to the increasing technical possibilities for in-depth searches of databases containing personal data. The Netherlands endorses the need for clear legislative rules on this subject, given the specific challenges for privacy protection that this technology entails." (Source, 98.57 & n. 75).
- preventive body searches: "The power to stop and search is strictly regulated in the Netherlands. The mayor of a municipality may designate an area where, for a limited period of time, preventive searches may be carried out in response to a disturbance of or grave threats to public order due to the presence of weapons. The public prosecutor then has discretion to order actual body searches and searches of vehicles and luggage for weapons." (Source, 98.74 & n. 95).
See also this statement by the Netherlands Committee of Jurists for Human Rights (Dutch abbreviation: NJCM) from this morning (video). Just like the NJCM, Privacy First regrets the lack of government consultation in the run up to today’s UPR session.
Below you can watch the 31 May 2012 UPR session in its entirety (click HERE for video segments of individual countries).
A broad international alliance of NGOs demands that there will be a European investigation into biometric data storage. Governments increasingly lay claim to people's biometric data (such as fingerprints), which are then stored on radio-frequency identification (RFID)-chips in passports and ID-cards. Some countries, such as the
The alliance of more than 60 organisations (including Privacy First) has urgently requested the Secretary-General of the Council of Europe, Mr. Thorbjørn Jagland, to request the countries concerned for an explanation about whether or not their legislation on these matters complies with the European Convention on Human Rights (ECHR) as speedily as possible. The alliance is of the opinion that a thorough investigation is to be conducted on whether the guarantees and criteria of human rights with respect to the necessity, proportionality, subsidiarity and security guarantees that the ECHR demands for the use of biometrics, are in actual fact being adhered to. This is very much put in doubt by a recent report of the Council of Europe.
It is actually worth pointing out that the idea for the current European enrolment and storage of biometric data has partly come into existence in the Council of Europe itself, that is to say, at the behest of a few working groups that devoted themselves to combating terrorism around 2004. One of these working groups was the Group of Specialists on Identity and Terrorism (CJ-S-IT) which operated under Dutch chairmanship. In April 2004, this working group made the following recommendation:
"The creation or development of systems which allow identity checks with reference
Give consideration to and promote research and ongoing cooperation between police
Meanwhile, it is up to that very Council of Europe to map European national laws that since that time have lost their balance in this area. Where national laws do not respect human rights, the Member States in question are to be called to order. Privacy First looks forward with confidence to the Secretary-General of the Council of Europe carrying out these duties.
The general philosophy of the Fair Information Principles
The most fundamental principle is notice. Consumers should be given notice of an entity's information practices before any personal information is collected from them. Without notice, a consumer cannot make an informed decision as to whether and to what extent to disclose personal information. Moreover, three of the other principles discussed below -- choice/consent, access/participation, and enforcement/redress -- are only meaningful when a consumer has notice of an entity's policies, and his or her rights with respect thereto.
While the scope and content of notice will depend on the entity's substantive information practices, notice of some or all of the following have been recognized as essential to ensuring that consumers are properly informed before divulging personal information:
- identification of the entity collecting the data;
- identification of the uses to which the data will be put;
- identification of any potential recipients of the data;
- the nature of the data collected and the means by which it is collected if not obvious (passively, by means of electronic monitoring, or actively, by asking the consumer to provide the information);
- whether the provision of the requested data is voluntary or required, and the consequences of a refusal to provide the requested information; and
- the steps taken by the data collector to ensure the confidentiality, integrity and quality of the data.
Some information practice codes state that the notice should also identify any available consumer rights, including: any choice respecting the use of the data; whether the consumer has been given a right of access to the data; the ability of the consumer to contest inaccuracies; the availability of redress for violations of the practice code; and how such rights can be exercised.
In the Internet context, notice can be accomplished easily by the posting of an information practice disclosure describing an entity's information practices on a company's site on the Web. To be effective, such a disclosure should be clear and conspicuous, posted in a prominent location, and readily accessible from both the site's home page and any Web page where information is collected from the consumer. It should also be unavoidable and understandable so that it gives consumers meaningful and effective notice of what will happen to the personal information they are asked to divulge.
The second widely-accepted core principle of fair information practice is consumer choice or consent. At its simplest, choice means giving consumers options as to how any personal information collected from them may be used. Specifically, choice relates to secondary uses of information -- i.e., uses beyond those necessary to complete the contemplated transaction. Such secondary uses can be internal, such as placing the consumer on the collecting company's mailing list in order to market additional products or promotions, or external, such as the transfer of information to third parties.
Traditionally, two types of choice/consent regimes have been considered: opt-in or opt-out. Opt-in regimes require affirmative steps by the consumer to allow the collection and/or use of information; opt-out regimes require affirmative steps to prevent the collection and/or use of such information. The distinction lies in the default rule when no affirmative steps are taken by the consumer. Choice can also involve more than a binary yes/no option. Entities can, and do, allow consumers to tailor the nature of the information they reveal and the uses to which it will be put. Thus, for example, consumers can be provided separate choices as to whether they wish to be on a company's general internal mailing list or a marketing list sold to third parties. In order to be effective, any choice regime should provide a simple and easily-accessible way for consumers to exercise their choice.
In the online environment, choice easily can be exercised by simply clicking a box on the computer screen that indicates a user's decision with respect to the use and/or dissemination of the information being collected. The online environment also presents new possibilities to move beyond the opt-in/opt-out paradigm. For example, consumers could be required to specify their preferences regarding information use before entering a Web site, thus effectively eliminating any need for default rules.
Access is the third core principle. It refers to an individual's ability both to access data about him or herself -- i.e., to view the data in an entity's files -- and to contest that data's accuracy and completeness. Both are essential to ensuring that data are accurate and complete. To be meaningful, access must encompass timely and inexpensive access to data, a simple means for contesting inaccurate or incomplete data, a mechanism by which the data collector can verify the information, and the means by which corrections and/or consumer objections can be added to the data file and sent to all data recipients.
The fourth widely accepted principle is that data be accurate and secure. To assure data integrity, collectors must take reasonable steps, such as using only reputable sources of data and cross-referencing data against multiple sources, providing consumer access to data, and destroying untimely data or converting it to anonymous form.
Security involves both managerial and technical measures to protect against loss and the unauthorized access, destruction, use, or disclosure of the data. Managerial measures include internal organizational measures that limit access to data and ensure that those individuals with access do not utilize the data for unauthorized purposes. Technical security measures to prevent unauthorized access include encryption in the transmission and storage of data; limits on access through use of passwords; and the storage of data on secure servers or computers that are inaccessible by modem.
It is generally agreed that the core principles of privacy protection can only be effective if there is a mechanism in place to enforce them. Absent an enforcement and redress mechanism, a fair information practice code is merely suggestive rather than prescriptive, and does not ensure compliance with core fair information practice principles.
The Fair Information Principles as put into Canadian Law
Klik hier voor de bron.
These principles are usually referred to as “fair information principles”.
They are included in the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s private-sector privacy law, and called "Privacy Principles".
Principle 1 — Accountability
An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with the following principles.
Principle 2 — Identifying Purposes
The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected.
Principle 3 — Consent
The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate.
Principle 4 — Limiting Collection
The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means.
Principle 5 — Limiting Use, Disclosure, and Retention
Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfilment of those purposes.
Principle 6 — Accuracy
Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used.
Principle 7 — Safeguards
Personal information shall be protected by security safeguards appropriate to the sensitivity of the information.
Principle 8 — Openness
An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information.
Principle 9 — Individual Access
Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
Principle 10 — Challenging Compliance
An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization’s compliance.