"Twelve organizations teamed up to file a lawsuit to stop the implementation of a new data mining law in the Netherlands. The new law was adopted by the Dutch Senate on Tuesday and gives the intelligence services more capabilities to spy on internet traffic on a large scale.
"We trust that the Dutch judges will pull the brake and say: this law goes too far", human rights lawyer Jelle Klaas, who is representing the coalition of organizations in their lawsuit, said to RTL Nieuws. The coalition includes the Public Interest Litigation Project, civil rights organization Privacy First, the Dutch Association of Journalists, the Dutch Association of Criminal Law Attorneys and the Platform for the Protection of Civil Rights.
According to the organizations, this law is a serious violation of Dutch citizens' privacy. The case will first be presented to a Dutch court, who will test it against the European Convention of Human Rights. If the Dutch court rules against the organizations, they will take it to the European Court.
Klaas is currently preparing the case. He expects that the lawsuit will only actually start after the new law is implemented on January 1st, 2018, but he hopes it happens earlier."
Source: http://nltimes.nl/2017/07/12/lawsuit-started-new-dutch-data-mining-law, 12 July 2017.
Tomorrow morning the Netherlands will be examined in Geneva by the highest human rights body in the world: the United Nations Human Rights Council. Since 2008, the Human Rights Council reviews the human rights situation in each UN Member State once every five years. This procedure is called the Universal Periodic Review (UPR).
Privacy First shadow report
During the previous two UPR sessions in 2008 and 2012, the Netherlands endured a fair amount of criticism. At the moment, the perspectives with regard to privacy in the Netherlands are worse than they’ve ever been before. This is reason for Privacy First to actively bring a number of issues to the attention of the UN. Privacy First did so in September 2016 (a week prior to the UN deadline), through a so-called shadow report: a report in which civil society organizations express their concerns about certain issues. (It’s worth pointing out that the Human Rights Council imposes rigorous requirements on these reports, a strict word limit being one of them.) UN diplomats rely on these reports in order to properly carry out their job. Otherwise, they would depend on one-sided State-written reports that mostly provide a far too optimistic view. So Privacy First submitted its own report about the Netherlands (pdf), which includes the following recommendations:
Better opportunities in the Netherlands for civil society organizations to collectively institute legal proceedings.
Introduction of constitutional review of laws by the Dutch judiciary.
Better legislation pertaining to profiling and datamining.
No introduction of automatic number plate recognition (ANPR) as is currently being envisaged.
Suspension of the unregulated border control system @MIGO-BORAS.
No reintroduction of large scale data retention (general Data Retention Act).
No mass surveillance under the new Intelligence and Security Services Act and closer judicial supervision over secret services.
Withdrawal of the Computer Criminality Act III , which will allow the Dutch police to hack into any ICT device.
A voluntary and regionally organized (instead of a national) Electronic Health Record system with privacy by design.
Introduction of an anonymous public transport chip card that is truly anonymous.
Privacy First did not sent its report only to the Human Rights Council but also forwarded it to all the foreign embassies in The Hague. Consequently, Privacy First had extensive (confidential) meetings in recent months with the embassies of Argentina, Australia, Bulgaria, Chili, Germany, Greece and Tanzania. The positions of our interlocutors varied from senior diplomats to ambassadors. Furthermore, Privacy First received positive reactions to its report from the embassies of Mexico, Sweden and the United Kingdom. Moreover, several passages from our report were integrated in the UN summary of the overall human rights situation in the Netherlands; click HERE ('Summary of stakeholders' information', par. 47-50).
Our efforts will hopefully prove to have been effective tomorrow. However, this cannot be guaranteed as it concerns an inter-State, diplomatic process and many issues in our report (and in recent talks) are sensitive subjects in countless other UN Member States as well.
UN Human Rights Committee
In December 2016, Privacy First submitted a similar report to the UN Human Rights Committee in Geneva. This Committee periodically reviews the compliance of the Netherlands with the International Covenant on Civil and Political Rights (ICCPR). Partly as a result of this report, last week the Committee put the Intelligence and Security Services Act, camera system @MIGO-BORAS and the Data Retention Act among other things, on the agenda for the upcoming Dutch session in 2018 (see par. 11, 27).
We hope that our input will be used by both the UN Human Rights Council as well as the UN Human Rights Committee and that it will lead to constructive criticism and internationally exchangeable best practices.
The Dutch UPR session will take place tomorrow between 9am and 12.30pm and can be followed live online.
Update 10 May 2017: during the UPR session in Geneva today, the Dutch government delegation (led by Dutch Minister of Home Affairs Ronald Plasterk) received critical recommendations on human rights and privacy in relation to counter-terrorism by Canada, Germany, Hungary, Mexico and Russia. The entire UPR session can be viewed HERE. Publication of all recommendations by the UN Human Rights Council follows May 12th.
Update 12 May 2017: Today all recommendations to the Netherlands have been published by the UN Human Rights Council, click HERE (pdf). Useful recommendations to the Netherlands regarding the right to privacy were made by Germany, Canada, Spain, Hungary, Mexico and Russia, see paras. 5.29, 5.30, 5.113, 5.121, 5.128 & 5.129. You can find these recommendations below. Further comments by Privacy First will follow.
Extend the National Action Plan on Human Rights to cover all relevant human rights issues, including counter-terrorism, government surveillance, migration and human rights education (Germany);
Extend the National Action Plan on Human Rights, published in 2013 to cover all relevant human rights issues, including respect for human rights while countering terrorism, and ensure independent monitoring and evaluation of the Action Plan (Hungary);
Review any adopted or proposed counter-terrorism legislation, policies, or programs to provide adequate safeguards against human rights violations and minimize any possible stigmatizing effect such measures might have on certain segments of the population (Canada);
Take necessary measures to ensure that the collection and maintenance of data for criminal [investigation] purposes does not entail massive surveillance of innocent persons (Spain);
Adopt and implement specific legislation on collection, use and accumulation of meta-data and individual profiles, including in security and anti-terrorist activities, guaranteeing the right to privacy, transparency, accountability, and the right to decide on the use, correction and deletion of personal data (Mexico);
Ensure the protection of private life and prevent cases of unwarranted access of special agencies in personal information of citizens in the Internet that have no connection with any illegal actions (Russian Federation). [sic]
Update 26 May 2017: a more comprehensive UN report of the UPR session has now been published (including the 'interactive dialogue' between UN Member States and the Netherlands); click HERE (pdf). In September this year, the Dutch government will announce which recommendations it will accept and implement.
On November 2nd 2016, the Dutch House of Representatives will address a controversial legislative proposal that will introduce four week storage of the travel movements of all motorists in the Netherlands. In case both chambers of Dutch Parliament adopt this proposal, Privacy First will try to overturn this in court.
Large scale breach of privacy
It is Privacy First’s constant policy to challenge large scale privacy violations in court and have them declared unlawful. Privacy First successfully did so with the central storage of everyone’s fingerprints under the Dutch Passport Act and the storage of everyone’s communications data under the Dutch Telecommunications Retention Act. A current and similar legislative proposal that lends itself for another major lawsuit is legislative proposal 33542 (in Dutch) of the Dutch Minister of Security and Justice, Ard van der Steur, in relation to Automatic Number Plate Recognition (ANPR). Under this legislative proposal, the number plate codes of all motorists in the Netherlands, i.e. everyone’s travel movements, will be collected through camera surveillance and stored for four weeks in police databases for criminal investigation purposes. As a result, every motorist will become a potential suspect. This is a completely unnecessary, wholly disproportionate and ineffective measure. Therefore the proposal is in breach of the right to privacy and thus unlawful.
The current ANPR legislative proposal was already submitted to the Dutch House of Representatives in February 2013 by the then Minister of Security and Justice, Ivo Opstelten. Before that, in 2010, Opstelten’s predecessor Hirsch Ballin had the intention to submit a similar proposal, albeit with a storage period of 10 days. However, back then the House of Representatives declared this subject to be controversial. Opstelten and Van der Steur have thus now taken things a few steps further. Due to privacy concerns, the parliamentary scrutiny of this proposal was at a standstill for several years, but now seems to be reactivated and even reinforced through a six-fold increase of the proposed retention period, courtesy of the ruling parties VVD and PvdA.
Under current Dutch national law, ANPR data of innocent citizens must be erased within 24 hours. In the eyes of the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP), all number plate codes that are not suspect (so-called ‘no-hits’) are to be removed from relevant databases immediately. Van der Steur’s plan to also store the number plate codes of unsuspected citizens for four weeks directly flies in the face of this. VVD and PvdA are even willing to increase this retention period to six months. The inevitable consequence, a haystack of data, would constitute a blatant violation of the right to privacy of every motorist. Any possible judicial oversight of the use of these data would do nothing to alter this.
UN Human Rights Council
In recent years, Privacy First has repeatedly expressed this position to both the House of Representatives (standing committee on Security and Justice) as well as to relevant MPs personally. Privacy First has also made its stance clear in personal meetings with Minister Opstelten (July 2012) and Minister Van der Steur (July 2014, at that time still a VVD MP). Moreover, Privacy First has recently raised this issue with the United Nations. In May 2017, the Dutch government can be held accountable for this at the UN Human Rights Council in Geneva.
In case both the House of Representatives and the Dutch Senate will adopt the ANPR legislative proposal in its current form, Privacy First (in a broad coalition together with other civil organizations) will immediately summon the Dutch government in order to render the law inoperative on account of violation of the right to privacy. If necessary, Privacy First and co-plaintiffs will litigate all the way up to the European Court of Human Rights in Strasbourg. Considering the European and Dutch case law on the subject, Privacy First rates its chances of legal success very high.
Update 20 December 2018: today the Dutch government has announced that the ANPR Act will enter into force on 1 January 2019. The summary proceedings of Privacy First against the ANPR Act will soon take place at the District Court of The Hague.
Mass storage of fingerprints violates the right to privacy
Following the Court of Appeal of The Hague, today the Dutch Council of State (Raad van State) judged that municipal (‘decentral’) storage of fingerprints under the Dutch Passport Act is unlawful on account of violation of the right to privacy. The Council of State reached this conclusion in seven administrative law cases of Dutch individual citizens (supported by civil organization Vrijbit). At the start of 2014, the Court of Appeal of The Hague handed down a similar ruling in the civil Passport case by the Privacy First Foundation and 19 (other) citizens against the Dutch government. Subsequently however, our Passport trial was declared inadmissible by the Dutch Supreme Court and was redirected to the administrative judge: the Dutch Council of State. Privacy First then submitted its entire case file to the Council of State in order to reinforce the individual passport cases pending before this body. The Council of State (the supreme administrative court of the Netherlands) now rules similar to the way the Court of Appeal of The Hague has done before. Notwithstanding the later inadmissibility before the Supreme Court, the ban on the storage of everyone’s fingerprints in databases thus stands firm once again.
Faulty judgement and procedure
As was the case with the previous judgement by the Court of Appeal of The Hague, Privacy First regrets that the Council of State was unwilling to declare the storage of fingerprints unlawful on strictly principal grounds (that is, because of a lack of societal necessity, proportionality and subsidiarity), but merely on the basis of technical imperfections. Therefore, Privacy First will advise the concerned citizens to keep on litigating all the way up to the European Court of Human Rights (ECtHR) in Strasbourg. Considering the existing Strasbourg case law, there is a high likeliness that the Netherlands will still be condemned on principal grounds on account of violation of the right to privacy (art. 8 European Convention on Human Rights, ECHR). Privacy First also expects a condemnation on account of violation of the right of access to justice and an effective legal remedy (art. 6 and 13 ECHR). After all, civil litigation against the Dutch Passport Act proved to be impossible, and administrative legal action was possible only indirectly after the rejection of individual requests for new passports or ID cards (in case the applicants refused to have their fingerprints taken). In order to obtain their current victory before the Council of State, these citizens thus have had to get by for years without passports or ID cards, with all the problems and risks this entailed.
Exceptions for conscientious objectors
In today’s judgement, the Council of State also decided that the compulsory taking of two fingerprints for a new passport applies equally to everyone and that there can be no exceptions for people who do not want to have their fingerprints taken out of conscientious objections. Privacy First is doubtful whether this verdict will stand the scrutiny of the ECtHR. Apart from a violation of the right to privacy, it seems this decision is also in breach of the freedom of conscience (art. 9 ECHR). The fact that the European Passport Regulation does not include such an exception is irrelevant as this Regulation is subordinate to the ECHR.
RFID chips and facial scans
Privacy First also deplores the fact that the Council of State was not prepared to make a critical assessment of the risks of Radio Frequency Identification (RFID) chips (which include sensitive personal data that can be read remotely) in passports and ID cards. The same goes for the compulsory storage of facial scans in municipal databases. But these aspects, too, can still be challenged in Strasbourg.
Municipalities’ own responsibility
A small ray of hope in the judgement by the Council of State is that municipalities and mayors have their own responsibility to respect human rights (including the right to privacy) independently, even if this means independently refraining from applying national legislation because it violates higher international or European law:
"Insofar as the mayor claims that there is no possibility to deviate from the provisions (laid down in national law), the [Council of State] holds that pursuant to Article 94 of the [Dutch] Constitution, current statutory provisions within the Kingdom [of the Netherlands] do not apply if such application is not compatible with any binding provisions of treaties and of resolutions of international organizations.’’ (Source in Dutch, paragraph 6.)
This decision by the Council of State applies to all domains and could have far-reaching consequences in the future.
New ID cards for free
The ruling of the Council of State entails that for applications of new ID cards, fingerprints have been taken (and stored) on a massive scale but without a legal basis since 2009. Accordingly, Privacy First advises everyone in the possession of an ID card with fingerprints to change it (if desired) at his or her municipality for a free new one without fingerprints. If municipalities refuse to offer this service, Privacy First reserves the right to take new legal steps in this regard.
After numerous lawsuits in various European countries, the decision has finally been made: in a break-through ruling, the European Court of Justice has decided this week that a general requirement to retain telecommunications data (data retention) is unlawful because it is in violation of the right to privacy. This ruling has far-reaching consequences for surveillance legislation in all EU member States, including the Netherlands.
Previous data retention in the Netherlands
Under the 2009 Dutch Data Retention Act, the telecommunications data (telephony and internet traffic) of everyone in the Netherlands used to be retained for 12 months and 6 months, respectively, for criminal investigation purposes. This legislation stemmed from the 2006 European Data Retention Directive. However, in April 2014 the European Court of Justice declared this European Directive invalid because it violates the right to privacy. Subsequently, former Dutch minister of Security and Justice Ivo Opstelten refused to withdraw the Dutch Data Retention Act, after which a broad coalition of Dutch organizations and companies demanded in interim injunction proceedings that the Act would be rendered inoperative. The claimant organizations were the Privacy First Foundation, the Dutch Association of Defence Counsel (NVSA), the Dutch Association of Journalists (NVJ), the Netherlands Committee of Jurists for Human Rights (NJCM), Internet provider BIT and telecommunications providers VOYS and SpeakUp. Boekx Attorneys in Amsterdam took care of the proceedings, and successfully so: rather uniquely (laws are seldomly rendered inoperative by a judge, let alone in interim injunction proceedings), on 11 March, 2015, the Dutch district court in The Hague repealed the entire Act at once. The Dutch government decided not to appeal the ruling, which has been final since then. Consequently, all telecom operators concerned have deleted the relevant data. In relation to criminal investigations and prosecutions, so far this does not seem to have led to any problems.
European Court makes short shrift of mass storage once and for all
Unfortunately, the April 2014 decision of the European Court left some margin for interpretation under which broad, general retention of everyone’s telecommunications data could still be allowed, for example through close judicial supervision before access and use of those data. In a Swedish and a British case about data retention, the European Court has now ensured full clarity in favour of the right to privacy of every innocent person on European territory:
"The Charter of Fundamental Rights of the European Union must be interpreted as precluding national legislation which, for the purpose of fighting crime, provides for general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication’’, the Court judges.
In other words: mass storage of everyone’s data for criminal investigation purposes is unlawful. After all, according to the Court this ‘‘exceeds the limits of what is strictly necessary and cannot be considered to be justified within a democratic society’’.
In conventional language, the Court basically says that such legislation doesn’t belong in a free democracy under the rule of law, but in a totalitatrian dictatorship instead. And this is exactly the raison d'être of the Charter of Fundamental Rights of the European Union (which was inspired by universal human rights), on which the verdict of the Court is based.
Consequences for the Netherlands
Recently the current Dutch minister of Security and Justice, Ard van der Steur, has again presented to the Dutch House of Representatives a legislative proposal to reintroduce a broad, general telecommunications retention Act. Moreover, a similar legislative proposal pending in the Dutch Senate concerns the recognition and retention of number plate codes of all cars in the Netherlands (i.e. everyone’s travel movements and location data). Following the EU Court ruling, both legislative proposals are unlawful in advance on account of violation of the right to privacy. The same goes for planned mass storage of data that flow in and out of the Netherlands through large internet cables under the new Dutch Intelligence and Security Services Act (and the international exchange thereof), the possible future reintroduction of central databases with everyone’s fingerprints, national DNA databases, national records which include everyone’s financial transactions, etc. etc.
Following the EU Court ruling, the Dutch government can draw one conclusion only: both the legislative proposal that regards the new telecommunications retention Act as well as the legislative proposal that relates to the registration on a massive scale of number plate codes, are to be withdrawn this instant. Otherwise Privacy First will again enforce this in court and will do likewise with every other legislative proposal that threathens to violate the right to privacy of innocent citizens on a large scale.
Privacy First wishes you happy holidays and a privacy-friendly 2017!
Privacy First New Year’s column
Looking back on 2016, Privacy First perceives a renewed attack on our democratic constitutional State from within. Incident-driven politics based on the everyday humdrum prevails and the Dutch government’s frenzy efforts to control the masses is relentless, arrogant and driven by industry and political lobbying. The democratic principles of our constitutional State are being lost out of sight ever more while the reversion of legal principles has become commonplace. Every (potential) attack thus becomes an attack on our civil rights.
Current constitutional State unable to defend itself
Barely a single day has gone past in the current mediacracy and governors without any historical or cultural awareness hand us, our children and our future over to a new electronic dictatorship fenced off by 4G masts. Citizens who autonomously seek to inform themselves have become ‘populists that spread fake news’. It’s not just the government that has lost its way, but so have the mainstream media, so it seems. The model characterized by fear, hate and control adopted by many authoritarian states headed by a strong leader is increasingly seen as the way to go.
Privacy First has said it before but will reiterate: we are of the opinion that State terrorists who continuously change legislation restricting civil liberties are ultimately much more harmful to our society than a single ‘street terrorist’, however terrible and shocking an attack is for those directly involved. The galling thing is that our constitutional State cannot adequately defend itself against the erosion of democratic principles from within: among other things, there is a lack of independent review of our Constitution. Therefore we are very happy that the European Court of Justice has recently ruled all forms of trawl net technology unlawful in advance. A great verdict that has far-reaching consequences for the State terrorists among our politicians and civil servants. A clear line in the sand.
Our democratic constitutional State came into existence out of the 19th century way of thinking and will have to be reshaped through a public debate, provided this is done taking into account the basic principles of living together - a human experience that goes back thousands of years. Love, trust en freedom are fundamental pillars. Privacy First discerns a number of changes over the past 150 years to which our constitutional State has no adequate answer, if any answer at all. These changes will have to be integrated into a newly structured democratic constitutional State which will have to be partly parliamentary and partly shared. In other words: the democratic foundation is there, but will have to be adapted to the desires and developments of our time.
Towards a Shared Democracy: adjusting parliamentary democracy to our present time
Privacy First calls on (and challenges, if necessary) every Dutch citizen to participate in a broad public discussion in order to shape a democracy 3.0. After Athens (1.0) and our parliamentary democracy from the 19th century onwards (2.0), in our eyes it’s time for the concept of a Shared Democracy (3.0), which is both a disruptive way of thinking as well as a social model for which we identify seven big drivers that help adjust our current 19th century system. Privacy First notices that these seven drivers are currently undermining our model from the inside and the outside. But by thinking differently, one will find that these pillars also offer an opportunity to move towards a new form for the future: the so-called Shared Democracy.
1. Changing role of the media; towards a mediacracy
Originally, in the 19th century model, the media didn’t yet have the scale and level of outreach today’s media have. The influence of the media has become large to the extent it will have to be one of the pillars of the future Shared Democracy.
2. Changing role of citizens
The enormous financial and social emancipation, the elevated level of education and the individualization of citizens is currently leading to huge tensions in the democracy of parliamentary representation. As part of the old way of thinking, citizens are still regarded as an unassertive, inferior, necessary evil. However, citizens want to have decision-making power on numerous issues and this – supported by the newest technologies and means of communication - will have to be structurally implemented in the Shared Democracy on the basis of various structures of representation and participatory leadership based on personal responsibility, an area in which politics and the government are still falling far behind in their relationship with citizens.
3. Scientific, technological and information revolution
These revolutions create new opportunities and offer an almost real-time insight in the developments and events within society. Moreover, the internet and associated infrastructures enable completely new forms of exchange and marketplaces of ideas and decisions. This happens on a worldwide scale between like-minded people and people who hold different views. Where supply and demand are ill-aligned, new services that have a disruptive effect on old structures pop up. Think of the clear imbalance between citizens and politics. A solution for that problem can be found in completely new and invigorating systems and structures, set up with an open and free attitude, with privacy by design enshrined in legislation and with the application of advanced technology - all elements that distinguishes the Shared Democracy.
4. Unrestrained proliferation of public authorities
The house is ready to move into, but the contractor keeps coming back every day to see whether there are still tasks to be done... likewise our government exerts its influence on our daily life and on today’s economy. The unrestrained proliferation of public authorities has got to stop immediately and the government has to be brought back to normal proportions, in line with a standard that has yet to be established. By now, citizens serve the government instead of the other way around. The power of (central) public authorities is no longer commensurate with those of individual citizens. A key trait of the Shared Democracy will be the size, power and scope of the government.
5. Lifelong professional politicians
Another thing the founders of the 19th century model didn’t take into account (despite the seperation of powers) is the fact that many current (national) representatives are fulltime politicians, some of whom carry out public sector activities quite directly related to their political function. Particularly these latter ones have lost all connection to society and virtually live off taxpayers’ money without any risks. In the Shared Democracy we envisage, we advocate that representatives of citizens make clear choices and are in favour of all possible mixed forms of citizens and representatives in order to create a much larger engagement and responsibility among individual citizens when it comes to being active politically.
6. Financial sector, upscaling and mass control
The centralization and management of financial flows disconnected from the underlying value, erodes both the economy and society. The human dimension is disappearing into the background in upscaling and efficiency models dominated by financial flows. By introducing mantras such as ‘cash is criminal’, paying anonymously is being phased out while bank runs that could endanger and destabilize the system are being prevented. Here too, the web continually gets tighter around citizens and money no longer belongs to them, but to banks and the government. With a view to the future and on the basis of current and future technological possibilities, in the Shared Democracy, ownership relationships and the right to anonymous means of payment will have to be firmly embedded in law.
7. Supranational elite of individuals and companies
One of the effects of globalization is the rise of a large group of supranational companies and individuals that are disconnected from their nation-states and societies, benefitting from the rights they have but not fulfilling the duties that society equally brings along. Now that information and power are concentrated within a few very large, global conglomerates, there are many financial corporations and companies that have become larger than nation-states. The intransparent power of lobbygroups backing these conglomerates thrives under the old, authoritarian pyramid structure of centralized political representation. In the Shared Democracy, special attention will have to go out to democratic shaping and modelling on all levels, while the centralized and decentralized power structures have to be continually in balance and be measurable with the most advanced technology.
How will the Shared Democracy deal with all this? How much more freedom are we prepared to give up for the sake of (false) security? 100% security = 0% freedom. How are we going to restructure our society and democratic system in order to hold on to our principles with the seven drivers of development in mind? And on which scale are we willing to do so?
To better define these questions and look for answers, Privacy First will organize a New Year's Reception on 19 January 2017, at 7:30 pm in the Volkshotel in Amsterdam. The reception (in Dutch) will revolve around the Shared Democracy.
Privacy First encourages everyone to contribute to this new movement towards a Shared Democracy in an open and free debate on all available communication channels!
Privacy First Foundation chairman
The Privacy First Foundation presents its 2015 Annual Report: click HERE to download the pdf version. In this report, you will read everything about Privacy First’s daily fight to preserve and promote everyone’s right to privacy. To be able to continue this fight, our organization largely depends on individual donors. The more donors, the more effectively Privacy First can operate by way of political lobbying, targeted actions, campaigns, public events and lawsuits. Click HERE to become a donor of Privacy First!
EU Passenger Name Records: every airline passenger a potential suspect.
Today is a historic day in both a positive and a negative sense: on the one hand European Parliament has taken an important step forward in the area of privacy by adopting the General Data Protection Regulation. On the other hand, that same parliament has today concurred with large-scale storage of data of European airline passengers. As a result, every airline passenger becomes a potential suspect.
The General Data Protection Regulation will replace national privacy legislation in all EU Member States (this includes the Dutch Data Protection Act, Wet bescherming persoonsgegevens) and, in broad terms, will lead to better privacy protection throughout the European Union. Privacy Impact Assessments and Privacy by Design will become obligatory. These are two important features which Privacy First has for years been advocating for. Fundamental privacy principles such as necessity, proportionality and subsidiarity (obligatory use of privacy-friendly alternatives) will be more strongly enshrined and better elaborated.
In this light it is surprising that on the same day European Parliament has also adopted a measure that is in blatant disregard of these selfsame principles: the European Passenger Name Records (PNR) Directive. Under this PNR Directive, the data of all European airline passengers will be stored in centralized government databases for the duration of five years for the detection and prosecution of serious crimes, counter-terrorism, intelligence gathering, etc. Large amounts of travel data (names and addresses, telephone numbers, destinations, credit card data, even meals and service requests) of millions of people will therefore remain available to law enforcement and intelligence services for the purpose of datamining and profiling.
However, in 99.99% of all cases this concerns innocent citizens, most of which are people on vacation and business travellers. This constitutes a flagrant violation of their right to privacy and freedom of movement. Because of this, in recent years there had been a lot of political resistance against this plan which, since 2010, has been repealed on various occasions by both the Dutch House of Representatives as well as European Parliament. Last year, Dutch ruling parties VVD (Liberals) and PvdA (Labour) were still resolutely opposed to PNR. At the time, these parties referred to it as a ‘vacation register’ and even threatened to turn to the European Court of Justice in case the EU PNR Directive were to be approved of. But after the attacks in Paris and Brussels, many political reservations now seem to have disappeared like snow melting in the sun. Meanwhile, the necessity and proportionality of large-scale PNR storage has still not been proven. In the view of Privacy First, this PNR Directive is therefore unlawful in advance.
At the moment Privacy First is looking into legal steps to sweep this directive aside after all, either through a Dutch court or by lodging a direct appeal before the European Court of Justice in Luxembourg. Additionally, Privacy First will continue to advocate for a privacy-friendly PNR system which records and monitors only suspected individuals and leaves the vast majority of travellers alone.
© RTL Nieuws
In the Dutch Citizens v. Plasterk case about the international exchange of data between secret services, the coalition of citizens and organizations (including Privacy First) has explained its appeal before the Hague Court of Appeals. In its statement of appeal, which was submitted to the Court on 2 February 2016, the coalition details why the ruling of the district court of The Hague (in Dutch) is wrong.
In summary, the district court of the Hague has ruled that the collaboration and exchange of data on the basis of trust between Dutch secret services and foreign secret services (among which the American NSA) may simply be continued. According to the judge, the importance of national security is the determining factor, thereby essentially giving the Dutch AIVD (general intelligence and security service) and MIVD (military intelligence and security service) carte blanche to collect bulk data of Dutch citizens via foreign intelligence agencies without any legal protection, only because of the designation ‘national security’.
The Citizens v. Plasterk coalition deems this ruling to be in flagrant breach of the right to privacy and has lodged an appeal. It must be noted that the coalition isn’t seeking to ban the collaboration with foreign services as such. However, we find that when it comes to collaborating and receiving data, strict safeguards should be maintained. Failure to do so means that data that has been obtained by the NSA and other intelligence services in violation of Dutch law, illegally end up in the hands of Dutch intelligence services. This comes down to the laundering of data through an illegitimate U-turn.
"By using NSA data, minister Plasterk and his services are laundering illegally obtained data. This case should put an end to that", says our lawyer Christiaan Alberdingk Thijm of bureau Brandeis. Read our entire statement of appeal HERE (pdf in Dutch).
The Dutch government will first have to react to our statement of appeal in a statement of defence on appeal, after which the Hague Court of Appeals will schedule a hearing and render a ruling.
Meanwhile, our coalition has been admitted to intervene in the legal proceedings against the British government that the British organization Big Brother Watch et al. have brought before the European Court of Human Rights (ECtHR). This is a significant development because as a result, the ECtHR may, at an early stage, be able to issue a verdict that is relevant to our Dutch case. Click HERE (pdf) for the recent decision on admissibility by the European Court and HERE for more information about the British case on the Court's website.
The Citizens v. Plasterk case
At the end of 2013, the Citizens v. Plasterk coalition summoned the Dutch government, represented by the Dutch minister of the Interior, Ronald Plasterk. This was prompted by Edward Snowden’s revelations about the practices of (foreign) intelligence services. The coalition demands that the Netherlands stops using data that have been obtained in violation of Dutch law.
In February 2014 the case almost led to minister Plasterk’s withdrawal from office. It had emerged that Plasterk had wrongfully informed the Dutch House of Representatives on the exchange of data between Dutch and foreign intelligence services. The Dutch services had passed on 1.8 million items of data to the Americans and not the other way around, as he had previously claimed.
In July 2014 the district court of The Hague rejected the claims of the coalition, after which the coalition lodged an appeal before the Hague Court of Appeals.
At the end of 2015 it became known that the coalition may participate in a British lawsuit before the European Court of Human Rights in Strasbourg.
The participating citizens in the coalition are: Rop Gonggrijp, Jeroen van Beek, Bart Nooitgedagt, Brenno de Winter and Mathieu Paapst. The participating organizations are: the Privacy First Foundation, the Dutch Association of Defence Counsel (NVSA), the Dutch Association of Journalists (NVJ) and Internet Society Netherlands.
The case is taken care of by bureau Brandeis, in particular by our lawyers Christiaan Alberdingk Thijm and Caroline de Vries, who make use of the bureau Brandeis’s pro-bono fund.
Update 9 February, 2016: today the coalition submitted its written submissions to the European Court of Human Rights, click HERE (pdf).
"Facebook continues to breach personal data privacy rights in Europe, says a group of human rights organizations, and it demands that Facebook’s EU-US data transfers stop by February 6, 2016. Facebook has formally responded.
As previously reported, the Privacy First Foundation, Public Interest Litigation Project PILP and the Dutch Platform for the Protection of Civil Rights (collectively, “Privacy First”) sent Facebook a demand letter, to which Facebook has now replied in writing.
Facebook’s written response
Facebook responded to Privacy First’s demand letter by giving written assurances of data protection in accordance with current law–that is, those parts of the Privacy Directive that survived the ruling in Schrems, the case that invalidated Safe Harbor.
Specifically, Facebook states that “the grounds for transfer of data set out in Article 26 of the Directive remain entirely lawful,” and that it complies with “these other grounds to transfer data legally from the European Union to the United States .” Facebook further challenged the Dutch tribunal Privacy First plans to use, as lacking competence over Facebook Ireland, the party it asserts is the data controller for data of Facebook Netherlands.
Privacy First’s reply
Privacy First, in its reply through its counsel Boekx, Amsterdam, reiterated its position that the other instruments currently used as basis for EU-US data transfers (such as Standard Contractual Clauses or individual consent) are “fundamentally flawed, as these options do not resolve the problems identified by the European Court of Justice in the Schrems judgment.”
Privacy First’s reply further reserves its rights to initiate legal proceedings in the Hague “requesting a preliminary injunction and/or raising prejudicial questions with the European Court of Justice” if Facebook doesn’t stop EU-US data transfers or provide adequate protections by February 6th, 2016.
Clearly, Privacy First and its co-plaintiffs are not happy with Facebook's response. (...)
Facebook’s letter also challenges the competence of Dutch courts to hear proceedings in the Netherlands against Facebook Ireland, which it alleges is the true data controller, not Facebook Netherlands B.V. Regarding the competence issue, [Boekx] said that Dutch courts have rendered decisions in the past against both Facebook parties.
As reported, the EU and US are currently negotiating replacement of the Safe Harbor Agreement; there is a meeting of the negotiating parties scheduled for February 2nd to discuss EU-US data transfers and how to ensure protections for EU citizens in the legal uncertainties left by Schrems.
Further delays possible
Due to delay in legislation in the U.S. that may be one of the EU’s preconditions to Safe Harbor (the Judicial Redress Act), further delays in Safe Harbor resolution are expected (by some) that could take those negotiations beyond the February 6 deadline set by Privacy First. These delays could set Facebook up for proceedings that, if successful, would result in a shutdown of its EU-US data transfers. (...)"
Source: http://www.forbes.com/sites/lisabrownlee/2016/01/27/facebook-fires-back-in-eu-privacy-dispute/#2fe9f2801d5b, 27 January 2016.