Christmas column by Bas Filippini,
Chairman of the Privacy First Foundation
Principles of our democratic constitutional State are still very relevant
‘Your choice in a free society’ is the slogan of the Privacy First Foundation. Privacy First has defined its principles on the basis of universal human rights and our Dutch Constitution and is reputed for professional and, if necessary, legal action in line with our free constitutional State. The mere fact that Privacy First exists means that in recent years the aforementioned principles have come under increasing pressure. We base our (legal) actions and judgements on thorough fact-finding, to the extent possible in our working area.
‘The Netherlands as a secure global pioneer in the field of privacy’, that’s our motto. This country should also serve as an example of how to use technology whilst maintaining the principles of our open and free society. This can be achieved through legislative, executive and IT infrastructures, starting from privacy by design and making use of privacy enhanced technology.
Whereas the industrial revolution has environmental pollution as a negative side effect, the information revolution has the ‘pollution of privacy and freedom’ as an unwanted side effect.
Therefore, the question is how to preserve the basic principles of our democratic constitutional State and how to support new structures and services towards the future. As far as we’re concerned, these basic principles are neither negotiable nor exchangeable. Yet time and again we see the same incident-driven politics based on the misconceptions of the day strike at times when the constitutional State is at its most vulnerable and cannot defend itself against the emotional tide of the moment.
Paris as yet another excuse to pull through ‘new’ laws
Various politicians feed on the attacks in Paris and tumble over one another to express Orwellian macho talk, taking things further and further in legislative proposals or in emotional speeches characterized by belligerence and rhetoric. And it’s always so predictable: further restraining existing freedoms of all citizens instead of focusing further on the group of adolescents (on average, terrorist attackers are between 18 and 30 years old) that intelligence agencies already have in sight. Instead of having a discussion about how intelligence agencies can more effectively tackle the already defined group that needs to be monitored and take preventive measures in the communication with and education of this target group, the focus too easily shifts to familiar affairs whereby necessity, proportionality and subsidiarity are hard to find.
So in the meanwhile we’ve witnessed the prolonged state of emergency in France, the far reaching extension of powers of the police, the judiciary and intelligence services (also to the detriment of innocent citizens), extra controls in public space, the retention of passenger data, etc., etc. All this apparently for legitimate reasons in the heat of the moment, but it will be disastrous for our freedom both in the short as well as in the long run. In this respect the blurring definition of the term ‘terrorism’ is striking. Privacy First focuses on government powers in relation to the presumption of innocence that citizens have. We’re in favour of applying special powers in dealing with citizens who are under reasonable suspicion of criminal offences and violate the rights of others with their hate and violence. In fact, that’s exactly what the law says. Let’s first implement this properly, instead of introducing legislative proposals that throw out the baby with the bathwater.
The government is committed to impossible 100 per cent security solutions
What often strikes me in conversations with civil servants is the idea that the government should provide 100 per cent solutions for citizens and applies a risk exclusion principle. This leads to a great deal of compartmentalization and paralyzation when it comes to possible government solutions in the area of security. Technology-based quick fixes are adhered to by default, without properly analyzing the cause of problems and looking at the implementation of existing legislation.
The government way of thinking is separate from citizens, who are not trusted in having legal capacity and are regarded as a necessary evil, as troublesome and as inconvenient in the performance of the government’s tasks. The idea that the government, serving its citizens, should offer as high a percentage as possible but certainly not a 100 per cent security (the final 10 per cent are very costly on the one hand and suffocating for society on the other) is not commonly shared. No civil servant and no politician is prepared to introduce policies to maintain an open society today (and 50 years from now) that entail any risk factors. However, in reality there will always be risks in an open society and it should be noted that a society is not a matter of course but something we should treat with great care.
Here in the Netherlands we’ve seen other forms of government before: from rule by royal decree to a bourgeoisie society and an actual war dictatorship. Every time we chose not to like these forms of society. What could possibly be a reason to be willing to go back to any of these forms and give up our freedoms instead of increasing them and enforcing them with technology? Especially in a society that has high levels of education and wherein citizens show to be perfectly able to take their own decisions on various issues. We hire the government and politics as our representatives, not the other way around. However, we now have to put up with a government that doesn’t trust us, is only prepared to deliver information on the basis of FOIA requests and requires us to hand over all information and communications about us and our deepest private lives as if we were prima facie suspects. That puts everything back to front and to me it embodies a one way trip to North Korea. You’ll be more than welcome there!
Political lobby of the industry
The industry’s persistence to overload the government and citizens with ICT solutions is unprecedented. Again and again here in the Netherlands and in Silicon Valley the same companies pop up that want to secure their Christmas bonus by marketing their products in exchange for our freedom. We’re talking about various electronic health records like the Child record and the Orwellian and centralized electronic patient record, the all-encompassing System Risk-Indication database, travel and residency records, road pricing, chips in number plates and cars, so-called automated guided vehicles (including illegal data collection by car manufacturers), number plate parking, automatic number plate recognition cameras, facial recognition in public space and counter-hacking by government agencies while voting computers are back on the agenda. Big Data, the Internet of things, the list goes on.
With huge budgets these companies promote these allegedly smart solutions, without caring about their dangers for our freedom. It’s alienating to see that the reversal of legal principles is creeping in and is being supported by various government and industry mantras. It’s as if a parasitic wasp erodes civil liberties: the outside looks intact but the inside is already empty and rotten.
From street terrorism to State terrorism
As indicated above, the information revolution leads to the restriction of freedom. It’s imperative to realize that after 4000 years of struggle, development and evolution we have come to our refined form of society and principles that are (relatively) universal for every free citizen. Just as most of us are born out of love, freedom and trust, to me these are also the best principles with which to build a society. We’re all too familiar with societies founded on hate, fear and government control and we have renounced them not so long ago as disastrous and exceptionally unpleasant. At the expense of many sacrifices and lives these principles have been enshrined in treaties, charters and constitutions and are therefore non-negotiable.
It’s high time to continue to act on the basis of these principles and make policy implementation and technology subordinate to this, taking into account the people’s needs and their own responsibility. In my eyes, a civil servant in the service of the people who places security above everything else, is nothing more than a State terrorist or a white collar terrorist who in the long term causes much more damage to our constitutional State and freedom than a so called street terrorist. The government and industry should have an immediate integrity discussion about this, after which clear codes can be introduced for privacy-sustainable governing and entrepreneurship.
Towards a secure global pioneer in the field of privacy
Privacy First would like to see government and industry take their own responsibility in protecting and promoting the personal freedom of citizens and in so doing use an 80/20 rule as far as security is concerned. By focusing on risk groups a lot of money and misery can be saved. Exceptions prove the rule, which in this case is a free and democratic constitutional State and not the other way around. Say yes to a free and secure Netherlands as a global pioneer in the field of privacy!
"Facebook, Inc. and related entities have received a letter demanding them to stop EU-US data transfers until U.S. laws comply with the EU data protection regime, or risk lawsuit in the Netherlands. Facebook must cease transfer by 15 January 2016. The complaining parties have reserved rights to file suit if compliance is not forthcoming.
The demand and summons letter was sent today by the Boekx law firm in Amsterdam on behalf of numerous plaintiffs including:
• Privacy First Foundation (Stichting Privacy First)
• Public Interest Litigation Project PILP
• Dutch Platform for the Protection of Civil Rights
and other users of Facebook, Instagram and WhatsApp. The letter was sent to Facebook Netherlands B.V., Facebook Ireland Limited, Facebook Inc. and Instagram LLC (California), and WhatsApp Inc. (California).
Facebook spokesperson Matt Steinfeld provided (...) the following written statement:
“Facebook uses the same mechanisms that thousands of other companies across the EU use to transfer data legally from the EU to the US, and to other countries around the world. We believe that the best solution to the on-going debate around transatlantic data transfers is for there to be a new Safe Harbor agreement with appropriate safeguards for EU citizens.”
“We understand that authorities in the EU and US are working hard to put such an agreement in place as soon as possible. We trust that these groups are engaging with their respective governments on this process to help it reach a successful conclusion.”
Lawsuit intended to pressure Facebook
Otto Volgenant of Boekx stated to Dutch outlet RTLZ, “We want to put pressure on Facebook. Mark Zuckerberg must make his voice heard in the debate about privacy, the US government has the solution for this problem.” According to Volgenant (as reported), the case would first be brought in The Hague, which could exercise its option to refer the case to the European Court of Justice.
Volgenant predicted that such referral would not be made, given the clarity of law on the topic since the recent Schrems ruling of the European Court of Justice (discussed further below).
U.S. compliant-laws required
Specifically, the demand requires that Facebook “end the current unlawful transfer of personal data from the European Union to the United States” until the U.S. adopts laws “essentially equivalent to” European data protection laws, or face lawsuit in the Netherlands. The summons gives Facebook until Friday 15 January 2016 (18:00 CET) to cease EU-US transfers, or risk having a court force it and related Facebook entities, through an injunction, to cease such transfers.
Facebook “remarkably absent” in data privacy discussions
In its letter, Boekx accuses Facebook of being “remarkably absent” in the public debate over EU-US data transfers, following the European Court of Justice decision in Schrems, which decision invalidated the so-called “Safe Harbor Agreement” between the U.S. and the E.U. and thus made such transfers illegal under E.U. law, effective immediately upon rendering of that decision. (...)
The demand letter further articulates the specifics of the Schrems decision, including that court’s conclusions that the NSA violated “European fundamental rights to respect for private life” by its “access on a generalized basis to the content of electronic communications.”
The letter concludes:
If we cannot find an amicable solution and Facebook does not refrain from further transfer of personal data of data subjects from the European Union to the United States by then, we reserve the right to initiate legal proceedings in the Netherlands and to request a preliminary injunction from the competent Dutch Court."
Today the Privacy First Foundation and three other public interest groups as well as a number of Dutch individual users of Facebook, WhatsApp and Instagram request Mark Zuckerberg to join the public debate following the landmark Schrems-judgment of the European Court of Justice.
On 6 October 2015, the European Court of Justice invalidated the Safe Harbour Decision, which was the basis for Facebook’s transfer of personal data from the European Union to the United States. The Grand Chamber of the Court found that the legislation of the United States fails to ensure a level of protection essentially equivalent to that guaranteed in the legal order of the European Union. The NSA has access to Facebook content of users from the European Union, without any judicial redress being available to them. The Court held that this compromises the essence of the fundamental right to privacy. These issues have not been resolved yet.
Following the judgment, Facebook continued the transfer of personal data from the European Union to the United States. Bas Filippini of Privacy First says: ‘Absent an adequate level of protection in the United States, the continued transfer of personal data is clearly incompatible with European data protection laws. Such transfer violates the rights of millions of individuals. If this is not resolved shortly, we will initiate legal action.’
To date, Facebook has been remarkably absent in the public debate that followed this landmark judgment. Ton Siedsma of Bits of Freedom says: ‘We invite Facebook to publicly engage in a meaningful and transparent dialogue aimed at finding a solution, and to pressure the authorities to find such solution. Facebook is invited to publicly share its current and intended policies and practice on data transfer.’
Today, Facebook was summoned to come up with an adequate solution ultimately by 15 January 2016. If it fails to do so, civil rights groups and a number of Dutch individuals will request the Court in The Hague to grant an injunction ordering Facebook to immediately cease the transfer of personal data to the United States. This pertains to all services of Facebook, including WhatsApp and Instagram.
‘As long as the United States fails to provide an adequate level of protection against mass surveillance, personal data may not be transferred to the United States. Taking Facebook to court emphasizes the urgency of resolving this issue.’ says Jelle Klaas of the Public Interest Litigation Project of NJCM, the Dutch section of the International Commission of Jurists. ‘Our goal is not to put the screens of millions of users to black, but to enhance the current level of privacy protection. Hopefully, a solution can be found shortly by the legislators.’
Click HERE for our entire letter of summons to Mark Zuckerberg (pdf).
Update 21 January 2016: shortly before the deadline Facebook responded to our letter of summons by fax, click HERE (pdf). According to Facebook, there is still a suitable legal basis for the transfer of personal data from the EU to the US, despite the invalidity of Safe Harbour. Privacy First et al. contest this and have today sent a response to Facebook, click HERE (pdf).
In the discussion about a newly proposed surveillance bill in England, Facebook, following our summons letter, has made it publicly clear that:
“Governments should not be able to compel the production of private communications content absent authorization from an independent and impartial judicial official. (...) Surveillance laws should not permit bulk collection of information. The principles require that the Government specifically identify the individuals or accounts to be targeted and should expressly prohibit bulk surveillance.”
However, it is precisely these aspects where, according to the European Court of Justice, the legal protection in the US is inadequate. In our letter of this afternoon, Privacy First et al. have therefore requested Facebook to present their standpoint also in the debate about mass surveillance in the US. Negotiations about this issue are currently ongoing between the EU and the US. It would be good if Facebook gets involved in this debate, in line with the standpoint it voiced in relation to the English legislative proposal.
If in the short term a solution will not be found for the fundamental privacy issues the European Court of Justice has identified, Privacy First et al. will consider bringing interim injunction proceedings before the district court of The Hague.
After years of legal proceedings against the storage of fingerprints under the Dutch Passport Act — one of the gravest privacy violations in the Netherlands — Privacy First and 19 co-plaintiffs were declared inadmissible by the Dutch Supreme Court.
Since May 2010, a large-scale lawsuit against the central storage of fingerprints under the Dutch Passport Act by Privacy First and 19 co-plaintiffs (Dutch citizens) has been under way. This so-called 'Passport Trial' was a civil case because with regard to the merits of the case, individual citizens were not able to turn to an administrative court.
Citizens could only go to an administrative court if they would first provoke an individual decision: an administrative refusal to issue a passport or ID card after an individual refusal to give one's fingerprints. Hence, they could only litigate on an administrative level if they were prepared to live without a passport or ID card for years.
Moreover, the provision in the Passport Act on the central storage of fingerprints (Article 4b) still hasn't entered into force. Therefore, the administrative courts were unauthorized to assess this provision. Moreover, contrary to other countries, a direct administrative appeal against Dutch law (Acts and statutes) isn't possible in the Netherlands.
Subsequently, an administrative court would only have been able to individually and indirectly ("exceptionally") assess this provision on the basis of higher privacy legislation after that same provision would have entered into force, that is to say, after the central storage (and exchange) of everyone's fingerprints would have become a fait accompli.
To prevent such a massive violation of privacy, only the civil courts were authorized to rule in the case of Privacy First et al. For many years civil courts have been the perfect type of court for the direct assessment of national legislation on the basis of higher (privacy) legislation, even if the national legislation in question has not yet entered into force but does entail an imminent privacy violation.
As a relevant foundation, Privacy First was able to take civil action in the general interest, on behalf of the Dutch population at large. Since the early 90s this is possible via a special procedure under Article 3:305a of the Dutch Civil Code: the so-called "action of general interest." Up until May 2010, when Privacy First et al. summoned the Dutch government, the Dutch Supreme Court seemed to have given the green light for this.
However, in July 2010, the Supreme Court disregarded its earlier case law by declaring that interest groups can only turn to a civil court if individual citizens cannot pursue legal proceedings before an administrative court. But in Privacy First's Passport Trial, citizens could not apply to an administrative court. So Privacy First et al. still had a very strong case. What's more, the admissibility criteria of the Supreme Court seemed not to apply to actions of general interest, but merely to 'group actions' that are organized on behalf of a specific group of people instead of the entire population.
In February 2011, the district court of The Hague wrongly declared our Passport Trial inadmissible. This decision was subsequently appealed by Privacy First et al. Courtesy also of the pressure exerted by this appeal, the central (as well as municipal) storage of fingerprints was largely discontinued in the summer of 2011 and the taking of fingerprints for Dutch ID Cards was halted altogether at the start of 2014.
In February 2014, The Hague Court of Appeal declared Privacy First — in the general interest — admissible after all and judged that the central storage of fingerprints under the Passport Act was in violation of the right to privacy. The Dutch Minister of the Interior, Ronald Plasterk, was not amused and demanded an appeal in cassation before the Dutch Supreme Court.
Against all odds (as Privacy First had virtually all Dutch legislation, legislative history, case law and legal literature on its side), on May 22, 2015, the Dutch Supreme Court declared Privacy First and its 19 co-plaintiffs inadmissible once more. According to the Supreme Court, the citizens can turn to an administrative court, which has also blocked the road to a civil court for Privacy First.
All this while in the last few years it had been established that the co-plaintiffs could not turn to an administrative court, at least not for the review of Article 4b of the Passport Act concerning the central storage of fingerprints. In innumerable administrative cases over the past few years, judges of various Dutch administrative courts have declined jurisdiction in this respect. That meant that for Privacy First as an interested organization, the road to an administrative court was equally blocked.
The fact that the Supreme Court rules as if that isn't so is simply incomprehensible. Furthermore, litigating citizens can neither be expected to get by without a passport for years, nor can they be expected to first let their privacy be violated (giving up fingerprints, even for storage) before a judge can determine whether this is legal. The fact that the Supreme Court seems to require this just the same is not just inconceivable (as well as in breach of its own case law) but also reprehensible.
Gap in the legal protection
The ruling by the Dutch Supreme Court creates a legal vacuum in the Netherlands: if citizens or organizations want massive and imminent privacy violations, such as the central storage of fingerprints under the Passport Act, to be reviewed, then they may not be able to turn to either a civil or an administrative court. This creates a gap in the legal protection that has been in place in the Netherlands over the past few decades.
The Supreme Court may now have passed on this case to the highest Dutch administrative court (the Council of State), but it's far from certain that the Council of State is able and still prepared to review the central storage of fingerprints under the Passport Act. In light of this, the Supreme Court should have waited for the ruling by the Council of State in four current and parallel administrative cases revolving around the Passport Act, prior to coming up with its ruling in Privacy First's Passport Trial. By not doing this, the Supreme Court has taken a huge risk, has prematurely stepped into the shoes of the Council of State and has put the Council of State under severe pressure.
If the Council of State were soon to judge differently than the Supreme Court (that is to say, if the Council of State would judge that it is equally unauthorized to rule in this matter), the two institutions would make an enormous blunder and would create a huge gap in the legal protection in the Netherlands, in contravention of the European Convention on Human Rights (ECHR).
Multiple ECHR violations
Privacy First et al. await the ruling of the Council of State with considerable anticipation. In the meantime, Privacy First et al. will already prepare to file a complaint with the European Court of Human Rights in Strasbourg on account of a breach of Article 8 ECHR (right to privacy) and Articles 6 and 13 ECHR (right to access to justice and an effective legal remedy). Despite the Kafkaesque anti-climax before the Dutch Supreme Court, a European conviction of the Netherlands would thus be on the cards once the complaint has been filed.
Read the entire judgment by the Dutch Supreme Court HERE (in Dutch).
Click HERE for our entire case file.
A similar version of this article was published on http://www.liberties.eu/en/news/bad-day-for-privacy-in-the-netherlands.
Today, the European Court of Justice in Luxembourg (EU Court) has come up with its long awaited judgment in four Dutch cases related to the storage of fingerprints under the Dutch Passport Act. The EU Court did so at the request of the Dutch Council of State. The EU Court deems the storage of fingerprints in databases to fall outside the scope of the European Passport Regulation. Therefore, the Court leaves the judicial review of such storage to national judges and the European Court of Human Rights.
Cause for the ruling
In all four Dutch cases citizens refused to give their fingerprints (and facial scans) when they requested a new Dutch passport or ID card. For this reason, their requests for a new passport or ID card were rejected. In 2012, their subsequent lawsuits ended up before the Dutch Council of State (Raad van State), which decided to ask the EU Court to clarify relevant European law (European Passport Regulation) before coming up with its own ruling. Subsequently, in 2013, the EU Court judged in a similar German case that the obligation to give one's fingerprints under the Passport Regulation is not unlawful. However, in this case, the EU Court failed to carry out a thorough review on the basis of the privacy-related legal requirements of necessity and proportionality. Moreover, the EU Court refused to merge the (more substantiated) Dutch cases with the German one, even though this was an explicit request from the Council of State. The ruling of the EU Court in the German case presented the Council of State (along with 300 million European citizens) with a disappointing fait accompli. During the case before the EU Court at the end of 2014, new arguments and new evidence in the Dutch cases fell on deaf ears: the EU Court wished not to deviate from the German case and appeared uninterested in the, by now, proven lack of necessity and proportionality of taking fingerprints (low passport fraud rates) and the enormous error rates when it comes to the biometric verification of fingerprints (25-30%). In that sense, the current ruling of the EU Court comes as no surprise to the Privacy First Foundation.
Bright spot: ID card without fingerprints
The only chink of light in the ruling of the EU Court is the confirmation that national ID cards don't fall within the scope of the European Passport Regulation. The Dutch government seemed to have already been anticipating this judgment by ending the compulsory taking of fingerprints for ID cards as of January 20, 2014. In this respect, the ruling of the EU court doesn't bring any change to the current situation in the Netherlands, but it does confirm that the introduction of ID cards without fingerprints at the start of 2014 was the right choice of the Dutch government. Most other EU Member States have never actually had ID cards with fingerprints; under the European Passport Act, the compulsory taking of fingerprints only applied to passports. The fact that in between 2009 and 2014 the Netherlands wished to go further than the rest of Europe, was therefore at its own risk.
EU Court leaves judgement on database storage of fingerprints to national judges and the European Court of Human Rights
The EU Court in Luxembourg rules that possible storage and use of fingerprints in databases doesn't fall within the scope of the European Passport Regulation and leaves the judicial review of such storage to national judges and the European Court of Human Rights in Strasbourg. However, in various (over a dozen) pending individual cases in the Netherlands against the Dutch Passport Act, administrative judges have so far always decided that such judicial review falls outside of their powers, as the relevant provisions of the Passport Act have not (yet) entered into force. It's now up to the Council of State to adjudicate on this matter. At the same time, the Dutch Supreme Court is currently looking into the collective civil Passport Trial of Privacy First and 19 co-plaintiffs (citizens), where such judicial review has already successfully been carried out by the Hague Court of Appeal and is now before the Supreme Court. In February 2014, the Hague Court of Appeal rightly judged that central storage of fingerprints is in breach of the right to privacy. In that sense the case of Privacy First is in line with the EU Court: review of database storage by a national judge, possibly followed by the European Court of Human Rights. Current individual cases before the Council of State may soon be resumed before the European Court of Human Rights as well. Privacy First hopes that this complex interaction between different judges will lead to the desired results with regard to privacy: a repeal of the taking and storage of fingerprints for passports!
Read the entire ruling of the EU Court HERE.
Update 17 April 2015: unfortunately, the ruling of the EU Court led to a lot of misleading media reporting in the Netherlands through Dutch press agency ANP (for example in Dutch national newspaper Volkskrant). Better comments can be found at the website of SOLV Attorneys, in this blog post by British professor Steve Peers and in Dutch newspaper Telegraaf, translated below:
"A database with fingerprints, relinquished by people who request a new passport, seems to have come a step closer. This could be deduced from a ruling of the European Court of Justice.
The Council of State asked the judges in Luxembourg for an opinion on four cases of citizens who refused to give their fingerprints. They appealed not getting a passport because of this. In a similar German case, the EU Court ruled that the compulsory taking of fingerprints isn't unlawful under European law.
Yesterday, the EU Court ruled in the Dutch case that the storage of fingerprints is a responsibility of the Member States. So the national judge will have to review this. As the only Member State, the Netherlands wanted a central register of fingerprints: a register that would even be accessible by secret services. The Passport Act that regulated this has not yet entered into force and last year the Hague Court of Appeal ruled that the central storage is in breach of the right to privacy.
Research points out that such a database brings along many risks, varying from security leaks to improper use and criminal manipulation. This proves that the whole system is a monstrosity that should never be introduced."
Source: Telegraaf 17 April 2015, p. 2.
"The first hearing of the appeal against the Dutch data retention legislation will be heard 18 February, announced ISP BIT, one of the organisations bringing the suit. BIT as well as a number of NGOs claim the legislation is in violation of personal privacy rights. The lawsuit was filed in December in cooperation with Privacy First, the Dutch association of defense lawyers, the Dutch journalists union, the Dutch committee of lawyers for human rights and the telecom operators BIT, Voys and SpeakUp. The Amsterdam law firm Boekx Advocaten is handling the case."
Source: http://www.telecompaper.com/news/dutch-data-retention-appeal-hearing-scheduled-for-18-feb--1059022, 12 January 2015.
"The Dutch data retention law will have its day in court on Feb. 18, when the District Court of the Hague hears a legal challenge to it filed by a broad coalition of organizations.
The law requires telecommunications and Internet companies to retain their customers' location and traffic metadata for six to 12 months, depending on the type of data, for investigatory purposes.
However, the complainants want the court to invalidate the law because it violates fundamental privacy rights, said their law firm Boekx Advocaten. The main reason the law should be scrapped, they say, is a ruling from the Court of Justice of the European Union (CJEU) last year, which invalidated the EU's Data Retention Directive on which the Dutch law is based because it violates fundamental privacy rights.
After evaluating that ruling, though, the Dutch government decided in November largely to maintain the national data retention law on the grounds that it "is indispensable for the investigation and prosecution of serious criminal offenses." Only a few adjustments to the law were deemed necessary, mainly tightening who has access to the data and under which circumstances.
By maintaining the law, the government also ignored the advice given by the Council of State, a constitutional advisory body that concluded that the Dutch data retention law should be withdrawn because it violates fundamental privacy laws.
The challenge, filed by civil rights organization Privacy First, the Dutch Association of Criminal Defense Lawyers, the Dutch Association of Journalists, the Dutch Section of the International Commission of Jurists, ISP BIT and telecom companies VOYS and SpeakUp, aims to get the law invalidated as soon as possible.
Data retention laws in other EU countries have been ruled unconstitutional. The Constitutional Court of Austria for instance axed the local data retention law in the wake of the CJEU ruling, and in Germany the local data retention law was already ruled unconstitutional in 2010, long before the CJEU ruling.
In Sweden, though, things are much the same as in the Netherlands. There, the government maintains that the Swedish national legislation can still be applied, causing trouble for Swedish ISP Bahnhof, which had stopped retaining and deleted data after being given permission by the Swedish Post and Telecom Authority (PTS) to do so in the wake of the CJEU ruling.
However, Bahnhof was told to start retaining data again later last year. To protect its customers, the ISP has set up a free VPN (virtual private network) service to hide their communication metadata from the police. It also asked the European Commission to intervene and vowed to fight the law in court.
Meanwhile, the European Parliament's Legal Service also reached a conclusion about the CJEU ruling. It means that EU countries no longer have any obligation but rather an option to keep retaining data, it said in its analysis of the implications of the judgement that was leaked by digital rights group Access Now last week.
As a result of the CJEU ruling, countries run an even higher risk than before of having their national legislation annulled by national courts in a similar way to what has happened in some EU countries, the Legal Service said. (...)"
Source: http://www.pcworld.com/article/2867792/dutch-government-sued-over-data-retention-law.html, 12 January 2015.
A broad coalition of organizations and companies is starting interim injunction proceedings against the Dutch government. The Privacy First Foundation, internet provider BIT, the Dutch Association of Journalists and the Dutch Association of Defence Counsel among others are demanding the abolition of the Dutch Telecommunications Data Retention Act. The Dutch Council of State and the European Court of Justice have already ruled that the Act is in violation of fundamental rights that protect private life, communications and personal data. However, the Dutch government refuses to render the Telecommunications Data Retention Act inoperative.
On 8 April 2014 the European Court of Justice declared the European Data Retention Directive (2006/24/EC) invalid with retroactive effect. According to the Court, retaining communications data of everyone without any concrete suspicion is in violation of the fundamental right to privacy. Objective criteria should be applied to determine the necessity of collection and retention of data and there should be prior control from an independent body or judge. Randomly and unrestrictedly collecting metadata (traffic data) in the context of 'mass surveillance' is not permitted, according to the Court.
In the Netherlands, regulations in this area are enshrined in the Dutch Telecommunications Data Retention Act, which largely mirrors the European Data Retention Directive. The Act provides that telecommunications companies and internet providers have to retain various data regarding internet and telephone usage for at least six and at most twelve months in order for judicial authorities to be able to use those data for criminal investigation purposes. Recently the Dutch Council of State ('Raad van State') judged that the Act does not comply with fundamental rights that protect private life, communications and personal data. However, the Dutch government does not heed the advice of the Council of State and refuses to repeal the Act. Compliance with the Act will be maintained by the government.
Vincent Böhre of Privacy First: "Mass surveillance constitutes a massive violation of citizens' privacy rights. It is unacceptable that the Dutch government clings to this practice after the highest European judge has already clearly stated back in April that this privacy violation is not permitted."
Thomas Bruning, Secretary of the Dutch Association of Journalists: "Telecommunications companies and internet providers are now obliged to retain a vast amount of communications data of all citizens. This includes journalists. Companies have to disclose these data at the request of the government. There is no guarantee whatsoever for the journalistic right of non-disclosure."
"The Dutch regulations are in breach of the applicable European fundamental rights", states Fulco Blokhuis, partner at Boekx Attorneys, who has meanwhile drafted a subpoena. "This situation is as disconcerting as it is undesirable. Maintaining this Act is unlawful, both towards citizens as well as companies who are forced to stay in possession of traffic data."
Alex Bik of internet provider BIT: "When the Dutch government introduced the Act, it hid behind the argument that the introduction was simply imposed upon by Europe, but since the European Data Retention Directive has been repealed with retroactive effect, this argument all of a sudden is no longer deemed valid by the government. That is not right."
Otto Volgenant of Boekx Attorneys: "As the Dutch Minister of Security and Justice, Ivo Opstelten, is unwilling to abolish the Telecommunications Data Retention Act, we will request the court to either render the Act inoperative or to prohibit its application any longer. We will shortly be issuing interim injunction proceedings."
Update 12 January 2015: the interim injunction proceedings against the Dutch government pertaining to the retention of telecommunications data will take place before the district court of The Hague in a public hearing on Wednesday 18 February 2015 at 11:00 hours. Meanwhile, the renowned Netherlands Committee of Jurists for Human Rights (NJCM) has joined the coalition of claimant organizations. Click HERE (pdf, in Dutch) for the subpoena, click HERE for a press release from Boekx Attorneys (in Dutch) and HERE for an article (in Dutch) which appeared on the website of Dutch newspaper Telegraaf this morning.
Update 30 January 2015: yesterday a hearing (roundtable) about the Dutch Data Retention Act took place in the Dutch House of Representatives. Click HERE for a schedule of the hearing (pdf) and HERE (pdf, in Dutch) for the talking points that Privacy First sent to the House of Representatives prior to the hearing. The lack of necessity and proportionality of the current Data Retention Act were the main topics that were discussed by Privacy First during the roundtable. Other aspects that were raised by Privacy First related to the chilling effect in society as well as the potential for function creep that the Act brings about.
Update 13 February 2015: today, on behalf of the State, the Dutch State Attorney submitted a Statement of Defence; click HERE (pdf in Dutch, 9 MB). The admissibility of the claimant organizations will not be challenged by the Dutch government, the State Attorney told our own attorneys by telephone. Therefore the proceedings will immediately focus on the merits of the case, rather than on procedural requirements. This is a breakthrough development: in similar cases the admissibility of the claimant parties was almost always contested by the State. A crucial lawsuit concerning such admissibility (our Passport Trial against the storage of fingerprints) is currently being conducted by Privacy First against the Dutch government before the Supreme Court of the Netherlands. Privacy First is of the opinion that the recognition of admissibility by the State Attorney in the interim injunction proceedings against the Telecommunications Data Retention Act puts Privacy First in a stronger position for this and future lawsuits that revolve around the right to privacy. Moreover, in times when access to justice of individual citizens in the Netherlands is increasingly under financial pressure, the admissibility of civil society organizations such as Privacy First forms an important safeguard for a well functioning Dutch democracy under the rule of law.
Update 18 February 2015: in front of a full courtroom (many civil servants, citizens, students and journalists were in attendance), today Privacy First et al. crossed swords with the State; click HERE for the plea of our attorneys (pdf in Dutch) and HERE for the pleadings of the State Attorney (pdf, in Dutch). The judge listened carefully but didn't ask any questions. As yet, Wednesday 11 March 2015 has been determined as the date of the judgment.
Update 11 March 2015: in a breakthrough verdict today, the district court of The Hague has rendered the Dutch Data Retention Act inoperative; click HERE.
"Recently, the Court of Appeal of The Hague held that the storage of Dutch citizens' personal data in a central register is an unjustified violation of the right to privacy.
In light of, amongst other things, the implementation of the European regulation on standards for security features and biometrics in passports and travel documents, and to comply with this regulation, the Dutch Passport Act was amended in 2009. This new Passport Act states that future passports would have to contain a chip with a digital facial image and two fingerprints of each applicant. The Dutch government therefore planned to create a central register to hold the facial image files and four fingerprints of each applicant (two of which are included in the passport for identity verification). This new register would also serve other purposes: it would help passport fraud control, and it would allow applicants to renew their passport in any municipality in the Netherlands. The national government acknowledged that the request and saving of these personal data would form a violation of the right to privacy of Dutch citizens, but the government stated that the data storage was proportionate and justified, considering the intended purposes.
The interest group Privacy First disagreed with the government. This group, which seeks to publicly promote the enhancement and preservation of the right to privacy, believed that the creation of this central register violates this fundamental right enshrined in several international laws and regulations. The group launched legal proceedings against the Dutch government. The district court of The Hague ruled that Privacy First did not have a cause of action. Privacy First then appealed against this verdict.
Remarkably, the government meanwhile reviewed their amendments to the new Passport Act. The government concluded that the storage of these personal data in a central register did not achieve its purpose, namely passport fraud control via one's identity verification. Therefore, the Act's provisions that related to the storage of personal data in a central register would be suspended. Furthermore, the number of fingerprints to be taken for the filing would be reduced from four to two in accordance with European regulation.
On appeal, the Court of Appeal ruled that since Privacy First and the government now share the same views about the central register, Privacy First would have lost its standing in their cause of actions, so it dismissed the interest group's claims. However, the Court of Appeal found that the district court had erred when it held that Privacy First did not have a cause of action at the time. Since Privacy First is an interest group advocating the protection of the general interest of Dutch nationals' right to privacy, it should have been able to bring proceedings before the civil court according to Article 3:305 of the Dutch Civil Code (Burgerlijk Wetboek). This would only have been different if the interest group had represented the combined interest of individuals. The Court of Appeal further ruled that Privacy First incurred a financial risk.
The Court of Appeal also ruled that in view of all the circumstances of the case at first instance, the district court should have ruled in favour of Privacy First concerning their arguments against the setting up of a central register. This central register's storage of Dutch citizens' personal data is an unjustified violation of one's right to privacy enshrined in Article 8 ECHR because it did not fulfill its purpose. The Court of Appeal understands that this was a violation from the start, but this had only become evident after the first ruling."
Source: http://www.lexology.com/library/detail.aspx?g=27bf8f03-ada9-47d4-ac7f-4e4aece29cd3, 15 July 2014.
Today the district court of The Hague ruled in the case Citizens v. [Dutch Minister of Home Affairs] Plasterk ("Burgers tegen Plasterk"). In this lawsuit a coalition of citizens and organizations (including Privacy First) demands that the Dutch General Intelligence and Security Service (AIVD) and the Dutch Military Intelligence and Security Service (MIVD) put an end to the receipt and use ("laundering") of illegally collected foreign intelligence on Dutch citizens, for example through the infamous PRISM program of the American NSA. Unfortunately the court has rejected all of the claims. Below are some first observations by Privacy First.
A positive aspect of the judgment is that the court deems all plaintiffs (citizens and organizations) admissible. This is a very welcome development for Privacy First with regard to our current Passport Trial before the Supreme Court of the Netherlands, wherein such admissibility will be crucial. However, this bright spot is overshadowed by the way the district court of The Hague has dealt with the merits of the case.
First of all, the court failed to carry out a fact-finding study: in fact no witnesses and experts were heard at all, even though this was offered to the court beforehand and Dutch law offers sufficient opportunity for this.
Furthermore, it is striking that the court deems less strict procedural safeguards necessary when it comes to the exchange of massive amounts of raw data in bulk. For the exchange of information on such a large scale, stricter – not less strict – procedural safeguards are necessary, as most of these data relate to innocent citizens.
In addition, the court wrongfully makes a distinction between metadata (traffic data) and the content of communications, while both types of data overlap and require the same high level of judicial protection.
The court is also wide of the mark by judging that the legal requirement of foreseeability (including privacy guarantees) of Article 8 of the European Convention on Human Rights (ECHR) would be less applicable to the international exchange of data between secret services. As yet, in the Netherlands the legal basis of such exchange of data is formed by a relatively obscure legal provision: Article 59 of the Dutch Intelligence and Security Services Act (Wiv). This article is far from fulfilling the modern requirements that Article 8 ECHR imposes on such provisions. Therefore, the current practice of exchange between the AIVD/MIVD and foreign secret services in essence takes place within a legal vacuum, a legal black hole.
In the view of Privacy First, the current judgment of the Hague court comes down to the "legal laundering" of this practice. Privacy First expects that higher courts will deem this situation to be a violation of Article 8 ECHR and is looking forward to the appeal before the Hague Court of Appeals with confidence.