"A Dutch court has scrapped a national data retention law. The judge ruled that, although saving metadata might help solve crimes, it certainly breached the privacy of telephone and Internet users.
A court in the Netherlands struck down a law requiring telecoms and Internet service providers to store their clients' private phone and email data, saying it breached EU privacy rules. The decision took effect immediately on Wednesday, but officials announced that the Security and Justice Ministry could appeal.
"The judge ruled that data retention is necessary and effective to combat serious crime," according to the district court in The Hague. "Dutch legislation, however, infringes on the individual's right to privacy and the protection of personal data." The court added that "the law therefore contravenes the Charter of Fundamental Rights of the European Union."
The law had previously required telephone companies in the Netherlands to store information about all fixed and mobile calls for a year. Internet providers had to store information on their clients' use for six months.
In April 2014, the European Court of Justice struck down a 2006 EU law forcing telecoms to store electronic metadata - the time, date, duration and destination of communiques, but not the content - for up to two years. The practice was ruled to be invasive, despite the claimed anti-terror potential. Advocate General Pedro Cruz Villalon had declared the 2006 legislation illegal and told the European Union's 28 member states to take the necessary steps to withdraw it.
The written ruling by Gerard van Ham conceded that scrapping the data storage "could have far-reaching consequences for investigating and prosecuting crimes," but, the judge added, this could not justify the privacy breaches that the law entails. The judge did not set a deadline for disposing of the data.
According to Privacy First, one of seven organizations that took the government to court last month, the ruling "will bring to an end years of massive privacy breaches." The Dutch Association of Journalists was also a party to the suit.
After last year's ruling in the EU court, the government had announced that it would amend its law. However, in a written statement released on Wednesday, officials from the Security and Justice Ministry criticized the court's decision.
"Providers are no longer required to store data for investigations," the officials complained in the statement. "The ministry is seriously concerned about the effect this will have on fighting crime."
The extent to which governments and corporations monitor private individuals has risen to the forefront in the wake of a series of documents released since 2013 by the American intelligence whistleblower Edward Snowden. According to the latest report, New Zealand has monitored neighbors in the Asia-Pacific region. A new anti-terror law in China requires that foreign corporations allow the government to access their data.
The Wikimedia Foundation has sued the US National Secutiry Agency over its mass surveillance of private individuals. And consumer advocates have lashed out at large corporations that harvest personal data for commercial purposes."
Source: http://www.dw.de/in-hague-court-rules-for-dutch-tech-privacy-advocates/a-18308553, 11 March 2015.
"A judge scrapped the Netherlands' data retention law Wednesday, saying that while it helps solve crimes it also breaches the privacy of telephone and Internet users.
The ruling by a judge in The Hague followed a similar decision in April by the European Union's top court that wiped out EU data collection legislation it deemed too broad and offering too few privacy safeguards.
The Security and Justice Ministry said it was considering an appeal.
Under the Dutch law, telephone companies were required to store information about all fixed and mobile phone calls for a year. Internet providers had to store information on their clients' Internet use for six months.
The written judgment by Judge G.P. van Ham conceded that scrapping the data storage "could have far-reaching consequences for investigating and prosecuting crimes" but added that this could not justify the privacy breaches the law entails.
The judge did not set a deadline for disposing of the data.
Privacy First, one of the organizations that took the government to court, said the ruling "will bring to an end years of massive privacy breaches" in the Netherlands.
The government said after last year's European court ruling that it would amend its law.
In a written statement, the Security and Justice Ministry said it regretted the court's decision.
"Providers are no longer required to store data for investigations," the statement said. "The ministry is seriously concerned about the effect this will have on fighting crime.""
Source: http://abcnews.go.com/Technology/wireStory/court-scraps-dutch-data-retention-law-cites-privacy-29551938, 12 March 2015.
"Judge in The Hague says country's regime for retaining telephone and internet users helps to solve crime but is too intrusive.
A judge has scrapped the Netherlands' data retention law, saying that while it helps solve crime it also breaches the privacy of telephone and Internet users.
The ruling by a judge in The Hague followed a similar decision in April by the European Union's top court that wiped out EU data collection legislation it deemed too broad and offering too few privacy safeguards.
The Dutch security and justice ministry said it was considering an appeal.
Under the Dutch law telephone companies were required to store information about all fixed and mobile phone calls for a year. Internet providers had to store information on their clients' internet use for six months.
The written judgment by Judge GP van Ham conceded that scrapping the data storage "could have far-reaching consequences for investigating and prosecuting crimes" but added that this could not justify the privacy breaches the law entailed.
The judge did not set a deadline for disposing of the data.
Privacy First, one of the organisations that took the government to court, said the ruling "will bring to an end years of massive privacy breaches" in the Netherlands.
The Dutch government said after last year's European court ruling that it would amend its law. In a written statement the security and justice ministry said it regretted the court's decision.
"Providers are no longer required to store data for investigations," the statement said. "The ministry is seriously concerned about the effect this will have on fighting crime."
Data retention has been a heated issue in light of Edward Snowden's revelations about the activities of the National Security Agency in the US and its affiliates overseas.
In Australia, a key US intelligence ally, the government is currently considering its own data retention package, which would store certain types of Australians' phone and web data for two years.
Privacy concerns have been raised and a lengthy political debate has ensued amid confusion within the government itself over how far the laws would extend or what would be retained. But the bill is now closer to passing with the support of a parliamentary committee involving both major parties.
The government in Canberra has agreed to hold a separate hearing into the issues of law enforcement agencies access to journalists' metadata, and news outlets will appear before a parliamentary hearing on 20 March."
Source: http://www.theguardian.com/technology/2015/mar/12/data-retention-netherlands-court-strikes-down-law-as-breach-of-privacy, 12 March 2015.
"The Dutch data retention law requiring telecommunications operators and ISPs to store customer metadata for police investigations was scrapped by the District Court of the Hague on Wednesday.
The court found that the law violates fundamental European Union privacy rights. The question remains though whether the law should be inactivated indefinitely, as the case can be appealed by the Dutch state, a court spokesman said. However, pending the outcome of any possible legal procedures the law will remain inactive, he said.
The Dutch Ministry of Security and Justice declined to comment as it was still studying the verdict.
The law suspended by the court was based on the EU's Data Retention Directive, which was invalidated by the Court of Justice of the EU (CJEU) last year, also because it violated fundamental privacy rights.
Despite that ruling though, the Dutch government decided in November last year to largely maintain its national data retention law on the grounds that it "is indispensable for the investigation and prosecution of serious criminal offenses." Only a few adjustments were made, which mainly tightened who had access to what data and under what circumstances.
Not satisfied with that approach, a broad coalition of organizations, including Privacy First, the Dutch Association of Criminal Defense Lawyers, the Dutch Association of Journalists, the Dutch Section of the International Commission of Jurists, ISP BIT and telecom companies VOYS and SpeakUp, sued the government in January to get the law invalidated.
The court, ruling in their favor, criticized the overly broad scope of the law in its verdict.
Data retention rules were introduced after terror attacks in London and Madrid in 2004 and 2005 with the aim of fighting serious crime. However, the Dutch law also allowed law enforcement to retrieve data in the case of a bicycle theft, the court noted. And while the government promised not to use the law lightly, the fact remains that the opportunity to do so exists and there are no safeguards to effectively restrict access to information to what is strictly necessary for the fight against only serious crime, the court found.
What's more, under the scrapped law, access to data is not subject to a prior review by a court or independent administrative authority, the court said. Thus, the law violates articles 7 and 8 of the Charter of Fundamental Rights of the EU, which cover the right to a private life and the protection of personal data.
While the inactivation of the law may have profound implications for the investigation and prosecution of criminal offenses, that does not justify the persistence of the infringement, the court said.
The verdict probably means that ISPs and telecom companies can now stop retaining data, but when or whether they will do so is unclear. BIT did not immediately respond to a request for comment. A spokesman for Dutch ISP XS4ALL said the company can probably stop retaining data and delete existing records but wants the legal department to make absolutely sure it can before it will do so.
The Netherlands is not the only country where a law based on the EU Data Retention Directive was invalidated. A similar law was axed by the Constitutional Court of Austria in the wake of the CJEU ruling, for example, while Germany's data retention law was ruled unconstitutional long before the CJEU ruling.
In Sweden, meanwhile, the government maintains that the national data retention law can still be applied. And in the U.K., a new data retention law was rushed through by the U.K. government in December, replacing the one that was based on the EU directive. That new law will be reviewed by the country's High Court though to determine if it violates human rights."
Source: http://www.pcworld.com/article/2895356/dutch-court-scraps-telecommunications-data-retention-law.html, 11 March 2015.
"The first hearing of the appeal against the Dutch data retention legislation will be heard 18 February, announced ISP BIT, one of the organisations bringing the suit. BIT as well as a number of NGOs claim the legislation is in violation of personal privacy rights. The lawsuit was filed in December in cooperation with Privacy First, the Dutch association of defense lawyers, the Dutch journalists union, the Dutch committee of lawyers for human rights and the telecom operators BIT, Voys and SpeakUp. The Amsterdam law fim Boekx Advocaten is handling the case."
Source: http://www.telecompaper.com/news/dutch-data-retention-appeal-hearing-scheduled-for-18-feb--1059022, 12 January 2015.
"The Dutch data retention law will have its day in court on Feb. 18, when the District Court of the Hague hears a legal challenge to it filed by a broad coalition of organizations.
The law requires telecommunications and Internet companies to retain their customer's location and traffic metadata for six to 12 months, depending on the type of data, for investigatory purposes.
However, the complainants want the court to invalidate the law because it violates fundamental privacy rights, said their law firm Boekx Advocaten. The main reason the law should be scrapped, they say, is a ruling from the Court of Justice of the European Union (CJEU) last year, which invalidated the EU's Data Retention Directive on which the Dutch law is based because it violates fundamental privacy rights.
After evaluating that ruling, though, the Dutch government decided in November largely to maintain the national data retention law on the grounds that it "is indispensable for the investigation and prosecution of serious criminal offenses." Only a few adjustments to the law were deemed necessary, mainly tightening who has access to the data and under which circumstances.
By maintaining the law, the government also ignored the advice given by the Council of State, a constitutional advisory body that concluded that the Dutch data retention law should be withdrawn because it violates fundamental privacy laws.
The challenge, filed by civil rights organization Privacy First, the Dutch Association of Criminal Defense Lawyers, the Dutch Association of Journalists, the Dutch Section of the International Commission of Jurists, ISP BIT and telecom companies VOYS and SpeakUp, aims to get the law invalidated as soon as possible.
Data retention laws in other EU countries have been ruled unconstitutional. The Constitutional Court of Austria for instance axed the local data retention law in the wake of the CJEU ruling, and in Germany the local data retention law was already ruled unconstitutional in 2010, long before the CJEU ruling.
In Sweden though things are much the same as in the Netherlands. There, the government maintains that the Swedish national legislation can still be applied, causing trouble for Swedish ISP Bahnhof, which had stopped retaining and deleted data after being given permission by the Swedish Post and Telecom Authority (PTS) to do so in wake of the CJEU ruling.
However, Bahnhof was told to start retaining data again later last year. To protect its customers, the ISP has set up a free VPN (virtual private network) service to hide their communication metadata from the police. It also asked to the European Commission to intervene and vowed to fight the law in court.
Meanwhile, the European Parliament's Legal Service also reached a conclusion about the CJEU ruling. It means that EU countries no longer have any obligation but rather an option to keep retaining data, it said in its analysis of the implications of the judgement that was leaked by digital rights group Access Now last week.
As a result of the CJEU ruling, countries run an even higher risk than before of having their national legislation annulled by national courts in a similar way to what has happened in some EU countries, the Legal Service said. (...)"
Source: http://www.pcworld.com/article/2867792/dutch-government-sued-over-data-retention-law.html, 12 January 2015.
"Holland sammelt unbändig Daten. Neue digitale Produkte dienen der totalen Überwachung. Und sind eine große Gefahr für die Gesellschaft.
Hinter den Dünen, ein paar hundert Meter vom Strand entfernt, liegt in Noordwijk der futuristische Bau von Decos. Das niederländische Software-Unternehmen hat sich eine neue Zentrale geleistet – einem eingeschlagenen Meteoriten ist sie nachempfunden, es könnte auch ein Raumschiff sein. Hier setzen IT-Spezialisten die digitale Zukunft durch: den völlig papierlosen Betrieb. Mitarbeiter kommunizieren ausschließlich elektronisch, und wer dem Unternehmen einen Brief schreibt, bekommt ihn zurück mit der Aufforderung, ihn nochmals zu senden, aber bitte als E-Mail.
Auch seinen Kunden bietet Decos Digitalisierung pur: Das Unternehmen liefert ihnen Software, um alle Dokumente elektronisch zu speichern – aber auch Produkte zur totalen Überwachung von Mitarbeitern. Sein „Cartracker" verfolgt jede Dienstreise, alle fünf Sekunden wird das Fahrzeug frisch verortet. „Hiermit haben Sie immer eine aktuelle Übersicht, wo sich Ihre Autos und Mitarbeiter befinden", wirbt Decos. Mehr noch: Der Fahrstil wird ständig überwacht und sogar benotet: „Aufgrund der Höchstgeschwindigkeit, des Bremsverhaltens und der Beschleunigung berechnet ,Decos Cartracker' eine individuelle Zensur für das Fahrverhalten jedes Fahrers."
Digitalisierung wird zur Norm
Nun mag es bei Geldtransportern noch sinnig sein, ihnen aus Sicherheitsgründen aus der Ferne zu folgen. In allen anderen Fällen gilt: Wohl dem, der einen weniger progressiven Arbeitgeber hat – einen, der vertraut, statt nonstop zu überwachen. Aber die Digitalisierung nimmt zu, sie wird zur Norm – und das nicht nur im Beruf, auch im öffentlichen Raum. Und die Niederlande sind hier in mancherlei Hinsicht schon weiter fortgeschritten als Deutschland.
Im Juli schaffte das Land endgültig die Fahrkarte aus Papier im öffentlichen Verkehr ab – für die zuvor schon schrittweise eingeführte „ÖV-Chipkarte", die den Preis in der Regel je Kilometer berechnet. Für den Kunden bedeutet sie außer 7,50 Euro Anschaffungskosten vor allem Umstände: für das Aufladen, für das Ein- und Auschecken bei jeder Fahrt. Wer das versäumt oder an einen kaputten Kartenleser gerät, ist schnell ein Sümmchen los; man muss dann auf Kulanz hoffen und per Online-Antrag versuchen, es erstattet zu bekommen.
Anonymität hat ihren Preis
Was aber noch schwerer wiegt: Die Chipkarte speichert so die Fahrstrecke – und da die Standardversion alle wesentlichen Nutzerdaten enthält (inklusive Kontonummer), kann sie das Reiseverhalten des Bürgers erfassen. Wer anonym mit einem Einmal-Ticket fahren will, muss Aufschlag zahlen – nicht viel, einen Euro momentan, aber immerhin; und vielleicht ist das ja auch nur der Anfang. Viel gravierender noch: Wer eine Studenten- oder Rentnerkarte braucht, muss zwingend die personengebundene Version mit den Daten wählen. Natürlich versichern die Betreiber, alles vertraulich zu behandeln. Aber wer sich darauf verlässt, ist naiv. Wo immer auf der Welt digital gespeichert wird: Die Vorfälle sind Legion, in denen Patienten-, Sozial- oder andere Daten missbraucht wurden – oder massenweise verfügbar, sei es versehentlich, sei es durch Hacker.
Natürlich gibt es in Deutschland den ähnlichen Fall: wenn jemand mit seiner Bahncard Punkte sammelt. Aber das macht er dann freiwillig. Und es ist wichtig aufzupassen, dass die öffentlichen Verkehrsträger hierzulande nicht dem Beispiel aus dem Ausland folgen. Generell ist Obacht schon geboten, wann immer die Preisgabe von Daten belohnt wird – wie bei dem Vorstoß eines deutschen Autoversicherers, Rabatt zu gewähren, wenn der Autohalter einen digitalen Fahrtenschreiber (Blackbox) installiert. Denn das läuft schnell darauf hinaus, dass er umgekehrt für das Recht auf Anonymität einen Malus bekommt.
Erstaunlich ist, dass ein Land wie die Niederlande so unbändig Daten sammelt – sieht es sich doch gerne als „gidsland": als internationales Vorbild, wenn es um Politik, Verwaltung, gesellschaftliche Werte und Normen geht. „Von allen Menschenrechten steht das Recht auf Privatsphäre in den Niederlanden am meisten unter Druck", befindet die Stiftung Privacy First.
Mal führen die Behörden Sicherheit als Argument für die Digitalisierung an, mal Effizienz. Nach Amsterdam führt jetzt auch Rotterdam stadtweit das „Kennzeichenparken" ein: Wer das Auto abstellt, muss am Automaten die Buchstaben und Ziffern des Nummernschilds eingeben. Mit Bargeld darf er auch nicht mehr zahlen, nur mit Karte oder per Mobiltelefon – auch dies ein nationaler Trend. Wieder eine digitale Spur hinterlassen, wieder ein Stück Anonymität dahin. (...) [A]ls Nächstes eine Pflicht für Smart Meters in Wohnungen: Ablesegeräte, die viel mehr erfassen können als nur den Energieverbrauch in den Wohnungen. Die Industrie lobbyiere schon kräftig dafür. Nicht zu reden von den zahllosen Überwachungskameras in Städten, der massenweisen Kennzeichenerfassung auf Autobahnen und Polizeidrohnen mit Kamera. Die Bedenken der Datenschützer werden gerne abgetan: Wer nichts zu verbergen hat, muss doch nichts befürchten? Aber das ist die falsche Haltung, sie kehrt ein grundlegendes Recht um: das Recht, sich unbewacht zu bewegen."
Source: http://www.faz.net/aktuell/wirtschaft/wirtschaftspolitik/digitalisierung-big-brother-in-holland-13092653.html, 12 August 2014.
"Recently, the Court of Appeal of The Hague held that the storage of Dutch citizens' personal data in a central register is an unjustified violation of the right to privacy.
In light of, amongst other things, the implementation of the European regulation on standards for security features and biometrics in passports and travel documents, and to comply with this regulation, the Dutch Passport Act was amended in 2009. This new Passport Act states that future passports would have to contain a chip with a digital facial image and two fingerprints of each applicant. The Dutch government therefore planned to create a central register to hold the facial image files and four fingerprints of each applicant (two of which are included in the passport for identity verification). This new register would also serve other purposes: it would help passport fraud control, and it would allow applicants to renew their passport in any municipality in the Netherlands. The national government acknowledged that the request and saving of these personal data would form a violation of the right to privacy of Dutch citizens, but the government stated that the data storage was proportionate and justified, considering the intended purposes.
The interest group Privacy First disagreed with the government. This group, which seeks to publicly promote the enhancement and preservation of the right to privacy, believed that the creation of this central register violates this fundamental right enshrined in several international laws and regulations. The group launched legal proceedings against the Dutch government. The district court of The Hague ruled that Privacy First did not have a cause of action. Privacy First then appealed against this verdict.
Remarkably, the government meanwhile reviewed their amendments to the new Passport Act. The government concluded that the storage of these personal data in a central register did not achieve its purpose, namely passport fraud control via one's identity verification. Therefore, the Act's provisions that related to the storage of personal data in a central register would be suspended. Furthermore, the number of fingerprints to be taken for the filing would be reduced from four to two in accordance with European regulation.
On appeal, the Court of Appeal ruled that since Privacy First and the government now share the same views about the central register, Privacy First would have lost its standing in their cause of actions, so it dismissed the interest group's claims. However, the Court of Appeal found that the district court had erred when it held that Privacy First did not have a cause of action at the time. Since Privacy First is an interest group advocating the protection of the general interest of Dutch nationals' right to privacy, it should have been able to bring proceedings before the civil court according to Article 3:305 of the Dutch Civil Code (Burgerlijk Wetboek). This would only have been different if the interest group had represented the combined interest of individuals. The Court of Appeal further ruled that Privacy First incurred a financial risk.
The Court of Appeal also ruled that in view of all the circumstances of the case at first instance, the district court should have ruled in favour of Privacy First concerning their arguments against the setting up of a central register. This central register's storage of Dutch citizens' personal data is an unjustified violation of one's right to privacy enshrined in Article 8 ECHR because it did not fulfill its purpose. The Court of Appeal understands that this was a violation from the start, but this had only become evident after the first ruling."
Source: http://www.lexology.com/library/detail.aspx?g=27bf8f03-ada9-47d4-ac7f-4e4aece29cd3, 15 July 2014.
"Der militärische Geheimdienst der Niederlande (MIVD) hat illegaler Weise Daten an ausländische Geheimdienste weitergegeben. Das geht aus einem Bericht hervor, den das niederländische Parlament beim dafür zuständigen Geheimdienst-Kontrollgremium (CTIVD) beantragt hat. Das CTIVD ist ein dreiköpfiges Gremium, das Einsicht in alle Geheimdienstinformationen hat. Es kann ausserdem Zeugen befragen, auch unter Eid.
Der Geheimdienst hat zwar die Erlaubnis, im Rahmen von Abkommen Daten an andere Staaten weiterzugeben. Es wurden aber Beweise gefunden, dass Art und Umfang der Datenweitergabe unrechtmäßig waren. Welche Daten genau illegal weitergegeben wurden, und vor allem an wen, sagt der öffentlich gemachte Bericht leider nicht.
In einem weniger beachteten Snowden-Leak hatte die niederländische Zeitung NRC Handelsblad allerdings erst vor wenigen Tagen über ein Beispiel der Zusammenarbeit berichtet. Dabei geht es um das flächendeckende Abschöpfen von Telefonverkehr in Somalia durch die niederländischen Geheimdienste MIVD und AIVD. Durch die Weitergabe an die NSA dürften diese Informationen auch für Drohneneinsätze eine wichtige Rolle spielen.
Im November hatte ein Bündnis aus Personen und Organisationen, darunter der Journalistenverband und die Privacy First Foundation, die niederländische Regierung verklagt, weil diese zwar öffentlich Empörung über Spähaktionen geäußert hatte, allerdings schon damals klar war, dass niederländische Geheimdienste ebenso wie die Dienste anderer europäischer Staaten fleissig mitmachen beim Überwachen und Datentauschen."
Source: https://netzpolitik.org/2014/militaergeheimdienst-der-niederlande-der-illegalen-datenweitergabe-ueberfuehrt/, 12 March 2014.
"The Court of Justice in the Hague has ruled that fingerprints gathered from individuals getting a new passport can't be held centrally and used in criminal investigations.
Dutch authorities have been prevented from storing citizens' fingerprints in a central database following a ruling this week by the Court of Justice in the Hague.
In the Netherlands, individuals' fingerprints are gathered by the local municipality when they apply for a new passport. The government had proposed gathering those different sets of fingerprints into a central database, which could then be accessed by police for the purposes of matching fingerprints found in criminal investigations.
However, the system turned out to be far from perfect — 21 percent of fingerprints collected by the authorities in the Netherlands were unusable to identify individuals.
The court found such a high level unacceptable: "This can mean nothing other than the storage of fingerprints in a central register is not suitable for the purpose originally envisioned, that is, the determination and verification of one's identity.
"This means that it is also not suitable for the prevention of identity fraud or for the process of requesting a new travel document or using a travel document, which is one of the main purposes of the Act [the legislation which requires fingerprints in Dutch passports]. Therefore the conclusion is that the invasion of privacy formed by the central storage of fingerprints is unjustified."
No immediate effect
Although the ruling is a significant victory for Privacy First, the privacy group that brought the case before the Court of Justice, it won't have immediate consequences for the Dutch government.
The European Court of Justice had already ruled in October last year that the directive requiring European member states to include two fingerprints in their passports did not provide a legal basis for then also including all citizens' prints in a central repository.
In addition, the court stipulated that fingerprints given by individuals for such purposes could not to be used for criminal investigations.
However, according to Christiaan Alberdingk Thijm, the lawyer representing Privacy First, the ruling will have a bearing on any future government attempts to collect sensitive data, such as photos.
"This is not only good news for those opposing plans of a central fingerprint database, but for those opposing any central government owned database," he said."
Source: http://www.zdnet.com/no-you-cant-store-peoples-fingerprints-in-a-central-database-dutch-court-rules-7000026505/, 19 February 2014.