"The Court of Justice in the Hague has ruled that fingerprints gathered from individuals getting a new passport can't be held centrally and used in criminal investigations.
Dutch authorities have been prevented from storing citizens' fingerprints in a central database following a ruling this week by the Court of Justice in the Hague.
In the Netherlands, individuals' fingerprints are gathered by the local municipality when they apply for a new passport. The government had proposed gathering those different sets of fingerprints into a central database, which could then be accessed by police for the purposes of matching fingerprints found in criminal investigations.
However, the system turned out to be far from perfect — 21 percent of fingerprints collected by the authorities in the Netherlands were unusable to identify individuals.
The court found such a high level unacceptable: "This can mean nothing other than the storage of fingerprints in a central register is not suitable for the purpose originally envisioned, that is, the determination and verification of one's identity.
"This means that it is also not suitable for the prevention of identity fraud or for the process of requesting a new travel document or using a travel document, which is one of the main purposes of the Act [the legislation which requires fingerprints in Dutch passports]. Therefore the conclusion is that the invasion of privacy formed by the central storage of fingerprints is unjustified."
No immediate effect
Although the ruling is a significant victory for Privacy First, the privacy group that brought the case before the Court of Justice, it won't have immediate consequences for the Dutch government.
The European Court of Justice had already ruled in October last year that the directive requiring European member states to include two fingerprints in their passports did not provide a legal basis for then also including all citizens' prints in a central repository.
In addition, the court stipulated that fingerprints given by individuals for such purposes could not to be used for criminal investigations.
However, according to Christiaan Alberdingk Thijm, the lawyer representing Privacy First, the ruling will have a bearing on any future government attempts to collect sensitive data, such as photos.
"This is not only good news for those opposing plans of a central fingerprint database, but for those opposing any central government owned database," he said."
Source: http://www.zdnet.com/no-you-cant-store-peoples-fingerprints-in-a-central-database-dutch-court-rules-7000026505/, 19 February 2014.
"A coalition of lawyers, journalists and internet freedom activists launched legal action against the Dutch government, in an attempt to get it to stop using information about Dutch people gleaned from NSA surveillance.
After it recently emerged that information about 1.8 million Dutch people's calls had been purloined by the National Security Agency, the country's home affairs minister, Ronald Plasterk, expressed annoyance that the U.S. agency hadn't asked first. However, he said, the monitoring "only concerns metadata, like who called who."
Dutch lawyers and journalists aren't so quite so sanguine about the matter, largely because their professions require confidentiality – something you can't guarantee clients and sources when you're potentially being monitored. On Wednesday, the Dutch Association of Defense Counsels and the Dutch Association of Journalists joined a broad coalition in suing Plasterk and the country's government, demanding that the state stop using data recorded in the Netherlands by the NSA.
The coalition also includes internet freedom activist Rop Gonggrijp, security expert Jeroen van Beek, advocate Bart Nooitgedagt, investigative journalist Brenno de Winter and tech law expert Mathieu Paapst, as well as the Internet Society Netherlands Chapter and Privacy First Foundation.
At the heart of the complaint is a potential legal sleight-of-hand that many (including me) have long suspected is in play – namely that intelligence agencies are bypassing their own countries' privacy laws by getting allies to spy on their citizens for them.
Daphne van der Kroft, public policy advisor at the coalition's law firm, Bureau Brandeis (yes, named after the legendary American jurist), suggested Plasterk and the Dutch state were "whitewashing" data.
This is not the first such case to arise in Europe following Edward Snowden's NSA revelations. The activist group Privacy International has attempted to sue the British government over data-sharing between the NSA and its UK counterpart, GCHQ. However, it had to approach a secret court to do this, and it got no response.
It is now trying a different angle, complaining to the OECD about the collaboration of telecommunications firms with the NSA. A separate group, Privacy not Prism, has skipped the secret court bit and gone straight to the European Court of Human Rights. (...)"
Source: http://gigaom.com/2013/11/06/dutch-lawyers-and-journalists-sue-government-over-nsa-links/, 6 November 2013.
"Gestern hat ein Bündnis aus niederländischen Aktivisten und NGOs Klage gegen ihren Innenminister Ronald Plasterk eingereicht – darunter unter anderem der Journalist Brenno de Winter, der Hacker und ehemalige Wikileaks-Mitarbeiter Rop Gonggrijp der niederländische Strafverteidiger- und Journalistenverband, die Privacy First Foundation und der niederländische Zweig des ISOC. Das Bündnis nennt sich selbst “The Dutch against Plasterk” und kritisiert vor allem die scheinheilige öffentliche Verurteilung der NSA-Spionagetätigkeiten, während im Hintergrund Geheimdienstinformationen ausgetauscht werden.
Die Kläger werden durch die Anwaltskanzlei bureau Brandeis vertreten, die erst im August diesen Jahres gegründet wurde und die sich besonders mit der juristischen Vertretung von gesellschaftlich relevanten Fällen aus den Bereichen Copyright, Datenschutz und Medienrecht befasst. Einer der Gründer, Christiaan Alberdingk Thijm, wurde als Verteidiger der File-Sharing-Anwendung KaZaA bekannt."
Source: http://netzpolitik.org/2013/niederlaender-verklagen-ihre-regierung-wegen-nsa-kooperation/, 7 November 2013.
"A coalition of Dutch citizens and organizations initiated legal proceedings against the Dutch State, represented by Minister of Interior Affairs Ronald Plasterk on Wednesday, demanding Dutch intelligent services to stop using NSA data.The subpoena was filed by a coalition of citizens and organizations, among which the Dutch Association of Defense Counsels, the Dutch Association of Journalists, the Internet Society Netherlands Chapter and Privacy First Foundation.
They question the legality of the exchange of data between the Dutch intelligence service (AIVD) and the United States National Security Agency (NSA), and demand that the Dutch State stops using data that has not been obtained in accordance with Dutch law.
Last week Minister Plasterk confirmed the monitoring of mail and phone traffic in the Netherlands by the NSA. He also acknowledged that the Dutch Intelligence Agency had supplied information to the NSA and vice versa, but condemned the interception of phone calls and mails without permission.
"Plasterk has indeed condemned the NSA eavesdropping and spying without permission, but at the same time he is exchanging data with the NSA," told lawyer Christiaan Alberdingk Thijm, who represents the coalition of citizens and organizations, to Xinhua. "So based on the exchange of information regime the AIVD will eventually get the illegally obtained data."
"By using data that has been illegally acquired through the NSA, these data are sort of laundered by Plasterk and his secret services," Alberdingk Thijm added. "This case should put an end to that unlawful conduct. Our goal is that the Netherlands will act according to Dutch law. We cannot do much on what the Americans are doing here, but we can ensure that the Netherlands complies with the law. Furthermore we want citizens to be informed when their data was illegally obtained and used."
Alberdingk Thijm thinks their case could be followed in other European countries. "We based our case on European jurisdiction, so the case could simply be copied in other countries. However, they should sue their own state," he said.
Minister Plasterk was informed by the subpoena on Wednesday and he will, according to the administrative rules, have to appear in court on November 27. After that he will have six weeks, until January 8, to file a response."
Source: http://www.shanghaidaily.com/article/article_xinhua.aspx?id=178503, 7 November 2013.
"A coalition of defense lawyers, privacy advocates, and journalists has sued the Dutch government over its collaboration and exchange of data with the U.S. National Security Agency and other foreign intelligence services.
The coalition is seeking a court order to stop Dutch intelligence services AIVD and MIVD from using data received from foreign agencies like the NSA that was not obtained in accordance with European and Dutch law. It also wants the government to inform Dutch citizens whose data was obtained in this manner.
The legal proceedings were initiated in the Hague district court by the Dutch Association of Defense Counsels, the Dutch Association of Journalists, the Internet Society Netherlands Chapter, the Privacy First Foundation and five private citizens.
The coalition wants to close a loophole through which the Dutch intelligence services can obtain data on Dutch citizens from foreign intelligence partners that it wouldn't have been able to acquire through legal means in the country.
The coalition's lawyers argue that mass data-collection programs like those of the NSA and the U.K. Government Communications Headquarters (GCHQ) violate human rights guaranteed by international and European treaties including the European Convention on Human Rights, the International Covenant on Civil and Political Rights and the Charter of Fundamental Rights of the European Union.
As such, it was illegal in many countries, particularly in the European Union, to obtain data through those programs.
Civil society organizations and citizens in other European countries can and should launch similar legal actions, said Christiaan Alberdingk Thijm, a founding partner of Bureau Brandeis, the law firm that represents the Dutch coalition in this case."
Source: http://www.pcworld.com/article/2061581/dutch-civil-society-groups-sue-government-over-nsa-data-sharing.html, 6 November 2013.
"In Nederland heeft een groep burgers en organisaties een rechtszaak ingespannen tegen minister van Binnenlandse Zaken Roland Plasterk. De groep 'Burgers tegen Plasterk' eist dat de Nederlandse overheid geen informatie gebruikt die het via de Amerikaanse NSA heeft verkregen.
Burgers tegen Plasterk wil dat minister Plasterk verantwoording aflegt over het beleid van de Nederlandse overheid inzake het gebruik van NSA-gegevens. De geteisterde Amerikaanse inlichtingendienst zou illegaal informatie verzamelen over Nederlandse burgers, en die vervolgens doorspelen aan zijn Nederlandse tegenhanger AIVD.
Het initiatief komt onder meer van hacker Rop Gonggrijp en ICT-journalist Brenno De Winter. Ook de Nederlandse Vereniging voor Strafrechtadvocaten en de Nederlandse Vereniging voor Journalisten hebben zich aangesloten bij de rechtszaak, net als de Internet Society Nederland en de Stichting Privacy First.
De advocaat van de groep, Christaan Alberdingk Thijm, [stelt] dat Plasterk en de inlichtingendienst (...) illegaal verkregen data witwassen. 'Deze zaak moet daar een einde aan maken', aldus Alberdingk Thijm.
Minister Plasterk, die eerder al de Nederlandse inlichtingendienst verdedigde, is er van overtuigd dat de AIVD niets verkeerds doen en zich aan het wettelijk kader houdt. (...)"
Source: http://www.standaard.be/cnt/dmf20131106_00826456, 6 November 2013.
By now basically everyone is aware of the far-reaching eavesdropping practices by the American National Security Agency (NSA). For years the NSA has been secretly eavesdropping on millions of people around the world, varying from ordinary citizens to journalists, politicians, attorneys, judges, scientists, CEOs, diplomats and even presidents and heads of State. In doing so, the NSA has completely ignored the territorial borders and laws of other countries, as we have learned from the revelations by Edward Snowden in the PRISM scandal. Instead of calling the Americans to order, secret services in other countries appear to be all too eager to make use of the intelligence that the NSA has unlawfully obtained. In this way national, European and international legislation that should safeguard citizens against such practices is being violated in two ways: on the one hand by foreign secret services such as the NSA that collect intelligence unlawfully, and on the other hand by secret services in other countries that subsequently use this intelligence. This constitutes an immediate threat to everyone’s privacy and to the proper functioning of every democratic constitutional State. This is also the case in the Netherlands, where neither the national Parliament nor the responsible minister (Mr. Ronald Plasterk, Home Affairs) has so far taken appropriate action. This situation cannot continue any longer. Therefore a national coalition of Dutch citizens and organizations (including the Privacy First Foundation) has today decided to take the Dutch government to court and demand that the inflow and use of illegal foreign intelligence on Dutch soil is instantly brought to a halt. Furthermore, the coalition demands that the Dutch government notifies all citizens whose personal data have been illegally obtained. These data must also be deleted.
These legal proceedings by the Privacy First Foundation primarily serve the general interest and aim to restore the right to privacy of every citizen in the Netherlands. The lawsuit is conducted by bureau Brandeis; this law firm also represents Privacy First and 19 co-plaintiffs (Dutch citizens) in our Passport Trial against the Dutch government. Privacy First is confident it will soon have positive outcomes in both of these cases.
Click HERE to read the subpoena as it was presented to minister Plasterk today. (Dutch only)
Apart from Privacy First, the coalition of plaintiff parties consists of the following organizations and citizens:
- The Dutch Association of Defence Counsel (Nederlandse Vereniging van Strafrechtadvocaten, NVSA)
- The Dutch Association of Journalists (Nederlandse Vereniging van Journalisten, NVJ)
- The Dutch chapter of the Internet Society (ISOC.nl)
- Jeroen van Beek
- Rop Gonggrijp
- Bart Nooitgedagt (represented by the NVSA)
- Matthieu Paapst (represented by ISOC.nl)
- Brenno de Winter (represented by the NVJ).
Update 5 February 2014: today the Dutch government (Ministries of Home Affairs and Defence) has responded to the subpoena in a comprehensive statement of defence; click HERE for the entire document (pdf; MIRROR) and HERE for the press release by our attorneys of bureau Brandeis (in Dutch). It is remarkable that the State Attorney only deems the Privacy First Foundation admissible (see p. 31). This means that Privacy First is only one step away from standing before the judges of the district court of The Hague. This development is also of great importance for our Passport Trial, in which that same court at an earlier stage deemed Privacy First et al. inadmissible. The Hague Court of Appeal is currently looking into this legal issue once more. In the point of view of Privacy First, the court should declare all plaintiffs (citizens and organizations) admissible in both the court case concerning the NSA as well as our lawsuit regarding the Dutch biometric passport.
"Courts are investigating the legality of a European Union regulation requiring biometric passports in Europe. Last month, the Dutch Council of State (Raad van State, the highest Dutch administrative court) asked the European Court of Justice (ECJ) to decide if the regulation requiring fingerprints in passports and travel documents violates citizens’ right to privacy. The case entered the courts when three Dutch citizens were denied passports and another citizen was denied an ID card for refusing to provide their fingerprints. The ECJ ruling will play an important role in determining the legality of including biometrics in passports and travel documents in the European Union.
The Dutch Council referred the question of legality to the ECJ, arguing that the restrictions on privacy do not outweigh the ostensible aim of fraud prevention, and questioning the RFID technique. The Council also questioned whether fingerprints could be safeguarded so that they would only be used in passports or identity cards and not in databases for other purposes (known as function creep). The four cases that prompted this challenge to the biometric passport regulation are suspended pending the ECJ’s response.
The Netherlands has mandated fingerprints in passports and ID-cards since 2009. The Dutch biometric Passport Act is the misshapen offspring of the European Regulation compelling security features and biometrics in passports. The Regulation mandates that passports include two fingerprints taken flat in interoperable formats.
The Netherlands' storage of a biometric database was suspended in 2011, following privacy concerns as well as questions over the reliability of biometric technology. The Mayor of the City of Roermond reported that 21 percent of fingerprints collected in the city could not be used to identify any individuals. In April 2011, the Dutch Minister of Interior, in a letter to the Dutch House of Representatives, asserted that the number of false rejections was too high to warrant using fingerprints for verification and identification. Currently, only fingerprints stored in Radio Frequency Identification (RFID) chips embedded in ID documents are being collected.
The Amsterdam-based Privacy First Foundation (Stichting Privacy First) appreciates the critical stance on biometrics taken by the Dutch Council of State in line with the position taken by a German court: "We hope the ECJ will soon rule that the European Passport Regulation is invalid both in a formal, procedural sense (having been improperly adopted in 2004) and in a material sense (violating the human right to privacy and data protection). In the meantime, we hope the Dutch Parliament will scrap compulsory fingerprinting for Dutch ID cards as soon as possible."
A government proposal to this effect is currently before the Dutch House of Representatives.
The Dutch Council concerns echo questions raised by a German court earlier this year regarding the legality of the German biometric passports with RFID chips. The German court has questioned whether the EU regulation is compatible with the Charter of Fundamental Rights of the European Union (EU Charter) and the European Convention of Human Rights (ECHR). The German case was preempted when a German citizen, Michael Schwarz, refused to provide his fingerprints to obtain his new passport and the City of Bochum decided not to issue him one.
Mr. Schwarz argued that the regulation infringes privacy as protected under the ECHR and the EU Charter. In this case, the German court argued that the European Union has no legislative competence to enact rules on standards for security features and biometrics in passports as there is no direct relation of such rules to the protection and security of EU external frontiers.
The German court decided that the requirement of biometric data in passports is a “serious infringement” on privacy, arguing that the measure does not satisfy the proportionality test of being appropriate, necessary, or reasonable."
Read the entire article (including sources) on the website of the Electronic Frontier Foundation (EFF) HERE.
The appeal by Privacy First and 19 citizens against the Dutch government
On February 2, 2011, the Privacy First Foundation and 21 co-plaintiffs (citizens) were declared inadmissible by the district court of The Hague in our civil case against the Netherlands regarding the 2009 Dutch Passport Act. A proposal by the Dutch Minister of the Interior, Ms. Liesbeth Spies, to revise the Passport Act has been presented to the House of Representatives on 17 October this year. However, in this legislative proposal the original provision (Article 4b) concerning a centralised database remains intact for the greater part. Under this provision, biometric data of every Dutch citizen will be used for criminal investigation and prosecution purposes as well as intelligence work, disaster control and counter-terrorism. This constitutes a flagrant violation of, among other things, European privacy law. Efforts by individual citizens to challenge this through individual administrative court cases have thus far not yielded any results, since the administrative courts proved unwilling to evaluate the provision in question. Nevertheless, the Dutch Council of State (Raad van State) has recently made a preliminary reference to the European Court of Justice in
To that end we have today presented our Statement of Appeal to the Court of Appeal in The Hague. In this Statement Christiaan Alberdingk Thijm and Vita Zwaan (SOLV Attorneys) outline why Privacy First and co-plaintiffs have to be declared admissible. Subsequently, it will be possible for the Passport Act to be legally scrutinized in its entirety by the court and be measured up against higher law, including European privacy legislation. Our entire Statement of Appeal can be downloaded HERE (in Dutch). The Appeals Court of The Hague is expected to deliver its judgment before the summer.
Privacy First makes an urgent appeal to all Dutch citizens to contribute to the financing of this lawsuit. This can be done by donating on account number 18.104.22.1681 attn. Stichting Privacy First in
The Privacy First Foundation has, with pleasure, just taken cognisance of 1) the announcement earlier today of a Dutch legislative proposal to abrogate fingerprints in ID cards and 2) the decision by the Dutch Council of State (Raad van State) to make a request for a preliminary ruling to the European Court of Justice in Luxembourg on the legality and interpretation of the European Passport Regulation in four administrative cases of individual Dutch citizens. The Privacy First Foundation hereby makes an appeal to Dutch Parliament to adopt the legislative proposal to abrogate fingerprints in ID cards as soon as possible. In anticipation of the expected adoption of this legislative proposal, taking people's fingerprints for ID cards must be halted immediately or at least become voluntary as a temporary solution. Privacy First also hopes that the European Court of Justice will swiftly deal with the preliminary reference and conclude that taking fingerprints for passports and ID cards is unlawful because it violates the right to privacy. Further comments by Privacy First will follow.
Update 18.00h: listen to the interview (in Dutch) with Privacy First on Radio 1.
Update 29 September 2012: see also our reaction in the Dutch regional press.