The coronavirus has plunged the whole world into a deep crisis and governments do their utmost to control the dissemination. As I wrote in my previous column, it is important especially now to keep our heads cool and to protect our civil rights and privacy. A short and temporary infringement of our privacy in the general interest may be legitimate. The western model should imply a partial, temporary lockdown, lasting at most twice the incubation period so as to control the spread of the virus based on increased testing, and to facilitate the healthcare system, augmenting the number of critical care beds.
Moreover, this should be a participatory lockdown, based on voluntary participation and citizens’ individual responsibility. This is only logical, as trust is the cornerstone of our democratic society, even though at times there is a lack of it. This concerns trust in fellow citizens, the government and first of all, oneself. At this point in time I have a lot of confidence in the Dutch approach, which is a combination of common sense and relying on healthcare experts. Ultimately, we will have to learn to live with this virus and control potential outbreaks.
To measure is to know and therefore it is essential to scale up the number of tests with the right test equipment without delay. There are tests which can indicate quickly whether someone is infected. It is interesting to note that in Germany, where practically everyone with symptoms is being tested, the percentages of gravely ill and deceased people are considerably lower than in countries where testing is very limited. For policy makers and politicians it is thus very important to take the right decisions on the basis of facts.
If not, there will be a long-standing and emotionally-driven struggle, the encroachment on our freedom will not be short and temporary and power will shift disproportionately into the hands of the State. Such a scenario will see us move towards a forced surveillance society (see the current situation Israel is in, the newly introduced legislation in the UK as well as EU proposals with regard to telecom location data), characterised by the abolishment of anonymous (cash) payments (see the current guidelines in the Dutch retail sector), the dissolution of medical confidentiality and physical integrity in the context of potential virus infections (compulsory vaccinations and apps) and censorship of any alternative or undesired sources of information that counter the prevailing narrative. Besides, commercial interests of IT and pharmaceutical companies would come to dominate even more.
In the best case scenario, both society and the economy will soon be able to revive on the basis of individual and aggregate test results, with this lesson to bear in mind: let’s not lose the importance of our freedom, health and individual responsibility out of sight. All of a sudden, citizens have been left to their own devices and this experience will make them realize that life is not malleable and our society is not a mere paper exercise. This situation could lead to increased civic participation and less government, i.e. greater focus on critical functions. When we take a look around now, we see positive-minded, well-informed and responsible citizens and there is no need to keep focusing on a handful of exceptions. That is, as long as the measures in place are comprehensible, measurable and very temporary, and are not packaged into structural legislation, thereby misusing the crisis in order to grant certain organizations and sectors greater influence and power.
Finally, it’s worth realizing that all entrepreneurial Dutchmen without whom we would not be able to pay our fine public services, also deserve a round of applause. And perhaps the idea of a basic income for every citizen could be reviewed once more. In other words: let’s aim for more individual decisions in a freer society that is supported by technology and common sense!
Here’s to a free 2020!
Privacy First chairman
(in personal capacity)
Many questions have been raised about Privacy First’s point of view in relation to the protection of privacy in crisis situations, such as the one we’re currently experiencing as a result of the coronavirus. As indicated previously, I support the precautionary principle, i.e., we don’t know what we don’t know and what in fact is effective. A strict, western-style approach on the basis of a temporary (partial) lockdown for a (very) short period of time will drastically flatten the coronavirus curve and will make sure the healthcare system does not collapse. This also allows us to gain time to find a vaccine or medicine. We still don’t know exactly what kind of virus we’re dealing with, how it came into existence and how to control it.
Our society is built on trust. In a crisis situation like we’re in now, authorities will have to take temporary crisis measures which allow citizens to do the right thing voluntarily and on the basis of trust. This may temporarily restrict privacy, such as freedom of movement and/or physical integrity (think of being in quarantine). The government can choose to have a full or partial lockdown. Making this choice, it is essential that we rely on the norms and values of our free, democratic society, and that there is trust both in the citizenry and in the means and measures that may be employed. Ideally, this would result in a participatory lockdown based on everyone’s freedom and sense of responsibility.
Past experience shows that when there is open and honest communication, citizens act responsibly and in the general interest. This implies that draconian and structural legislative measures that restrict freedom can be kept at bay, much to the benefit of the people and the economy. In this respect, it is significant that practically all companies, institutions and organizations currently comply with the protocols, and even do more than what is required. After a period of inaction, the Dutch government has decided to act and take responsibility, which is most welcome. After all, this concerns a potentially great number of very sick patients and fatalities, including many elderly and vulnerable people.
Our government has opted for a democratic instead of a dictatorial approach, and that is to be applauded. So let’s use this moment to keep our head cool instead of infringing upon everyone’s freedom and right to privacy, freedom of movement, bodily integrity and cash payments. I see there is a bitter wind sweeping through Denmark, where a coronavirus emergency law has been rushed through, allowing the authorities to force people to be vaccinated (even though there is no vaccine yet), and in France too, where permanent crisis measures seem to have been implemented. All this is incompatible with a decent society and creates misplaced precedents. Let’s act in the general interest on the basis of trust and everyone’s own responsibility. For that, we need neither to be locked up, nor do we want to see the army in the streets, or any other draconian measures or laws to be put in place.
Let’s strive for a free and trustworthy Netherlands and Europe.
Privacy First chairman
(in personal capacity)
On June 11, 2012, the long-awaited National Privacy Debate took place in The Hague. Privacy First summarizes the most noteworthy aspects for you, starting with the striking plea (in Dutch) for a Privacy Delta Plan by Brenno de Winter:
"The National Privacy Debate is a unique opportunity to start something beautiful and to challenge people into engaging in open discussion. Let us seize this opportunity and work on a Delta Plan. To make the Netherlands a guiding country again. A model for the rule of law as to the protection of the citizen. That's what we are best at!"
The floor was then given to Anthony House (Google), who at the end of his keynote speech posed the following question to the audience:
“Are the principles of data protection that were developed in the 1970s still good today? Do we need to start from scratch on privacy principles?”
From the silence in the audience and some answers that followed, it could (fortunately) be inferred that the classic privacy principles still suffice today, at least to a large extent.
The event then turned to the first panel discussion, which was focused on the question of what is currently preferred most: more legislation or more self-regulation? The responses from the panel and from the audience showed a predominant preference for both options together instead of just one or the other. As in the financial sector, good laws and strict enforcement have become a bitter necessity for the ICT sector. However, such laws only represent a rapidly aging minimum level of privacy protection. It follows that it is up to the ICT sector itself to operate continuously at the highest, most privacy-friendly (i.e. customer-friendly) level. This is an important selling point which offers significant competitive advantages. In this sense, legislation and self-regulation can complement each other well.
Then there was a speech by Joost Farwerck (KPN) who stated, inter alia, that privacy now has a high priority among a broad Dutch audience: research by KPN had shown that the public attaches most value to this after good healthcare and education. Therefore, KPN has set up an internal Privacy Awareness program and an external Privacy Mission. Farwerck finally pleaded to make the National Privacy Debate a recurring event. (So did Arie van Bellen (ECP-EPN) later that day.) Privacy First is happy to join this plea.
During the second panel session (on privacy and security) some interesting parallels were drawn with security in other sectors such as the food industry and the aviation industry, both in terms of legislation and self-regulation as well as supervision and enforcement. Earlier in the day, Vincent Böhre (Privacy First) had drawn a similar parallel with past developments in the field of environmental protection. Many participants in the debate agreed that, on the one hand, the Dutch Data Protection Authority (DPA) lacks adequate resources and powers, while on the other hand its enforcement of existing privacy laws is too weak. In addition, Walter van Holst (Mitopics) rightly noted from the audience that more emphasis should be put on data minimization. Indeed, without any data no security is needed.
The floor was then given to Bart de Koning: journalist and author of the Dutch book 'Alles onder controle, de overheid houdt u in de gaten' ("Everything under control, the government is watching you"). In his speech, De Koning pointed out some positive recent developments, such as the Dutch resistance to passport fingerprinting, the new Dutch law on cookies, net neutrality and political attention to the risks of the U.S. Patriot Act. At the same time he warned about negative developments such as the Dutch proposal to provide all car number plates with RFID chips. Furthermore, the Netherlands is still champion in eavesdropping. In addition, De Koning noted that Dutch media (including Elsevier magazine) are devoting more attention to privacy than before and that citizens are increasingly keeping an eye on their government instead of vice versa. "The citizen peeks back" and this can have "a disciplining effect on the State", De Koning said. As to the future, De Koning suggested the following guidelines to the audience: 1) think before you act, 2) data minimization, 3) transparancy, 4) effectiveness, 5) sunset clauses and 6) an ongoing debate. De Koning further argued for the introduction of Dutch constitutional review (at the judiciary), a Constitutional Court and stronger oversight by the Dutch DPA. In this connection he made a comparison with Germany, where ANPR (automatic number plate recognition) is prohibited.
Then there was room for discussion with the audience, at which point Joyce Hes (Foundation for the Protection of Civil Rights) made an especially important remark: many public debates (including the periodic Privacy Cafes in Felix Meritis) are conducted with privacy advocates. Politicians and officials who are critical of privacy rarely show up at these debates. This is not good for the discussion.
Finally, Bart de Koning stated that the ethnic 'underclass' has become the main victim of systematic privacy violations, including preventive home visits. Privacy First endorses all of these points.
The topic of the third panel session was "privacy and government":
On behalf of Privacy First, Bas Filippini kicked off as follows:
"What we focus on are private choices in a free environment. Private choice means the freedom to choose, and a free environment means that we endeavor to keep society as free as possible for the average citizen in the Netherlands. This unless you are suspected of a crime: then privacy can be exchanged for security. That is our philosophy. We argue things from principles first, tested against the Constitution. Then we look at the implementation: are there sufficient checks and balances? How is policy being set and how is it applied? Only finally we look at technology. I always use the following example: "With a knife you can stab someone, but you can also make a sandwich." For many people, technology is the "holy grail" to which everything is connected, without first having taken these three steps: 1) principles , 2) policy, 3) implementation, followed by smart use of technology. Often the principles of subsidiarity and proportionality are breached, which is very unfortunate. In government, there are many people who would like to do things differently, but if they disagree with something, they are quickly seen as whistleblowers, which has a stigmatizing effect. So the Titanic keeps on sailing towards the iceberg, currently resulting in more and more profiling. By that we don't mean targeted profiling in case of a reasonable suspicion of a criminal offence, but surveillance of an entire population to see if there is "anything wrong" somewhere, based on outliers, the deviations from the median. We consider this a great danger, because everyone will become suspect. This creates a lot of self-censorship among people, officials and citizens alike."
During the remainder of the panel debate, the observations by Ronald Leenes (Tilburg University) stood out: Leenes warned about loss of confidence among citizens in their government if that government didn't take the right to privacy seriously. "The consideration whether or not an infringement of privacy is necessary in a democratic society is hardly made by the Dutch government in a number of cases", Leenes said. According to Leenes, data are being collected simply "because it's possible", there is huge confidence in technology, it is thought that more information leads to better decisions, insufficient attention is paid by the government to alternatives to reach the same goals, and there is ignorance. Leenes warned about current plans to register prostitutes in a central database. He also stressed that privacy is not only an individual right, but that it also has a social function.
Others in the panel pointed to the dangers of risk profiling. Furthermore, the fallacy "if you have nothing to hide, you have nothing to fear" was unanimously invalidated: everyone has the right to keep his or her private life simply to themselves. Moreover, a core element of freedom is precisely that you may have something to hide. It was further noted that hard work must be made to increase privacy knowledge and awareness in government. Some in the panel emphasized incompetence in government rather than intent. Bas Filippini replied that there is often an agenda behind things, namely policy from the United States and the European Union. "How do you shape your society? Do you do that on a basis of fear, hatred and control, or on a basis of trust, freedom and love?", Filippini said.
Then there was a discussion with the audience, in which Jeroen Terstegge (PrivaSense) rightly stated that one should be wary of Privacy Impact Assessments (PIAs) conducted by directly involved officials rather than an independent regulator, such as a Chief Privacy Officer. In this field there should be more self-criticism in government, aside from the Dutch DPA's external role. Another striking remark from the audience was made at the end of the panel session by Dimitri Tokmetzis (Sargasso): insurance was originally intended to spread risk, but through profiling risks are being individualized. This comes at the expense of solidarity in our society.
Thereafter Pim Takkenberg (National Police Services Agency, KLPD) held a speech on the theme of privacy and criminal investigation, in which he specifically discussed the dilemmas around dismantling a so-called botnet: a network of hijacked computer systems. According to Takkenberg, the legal framework in this context is sometimes "insufficiently specific", e.g. in case of 1) remotely "entering" (or hacking) computer systems by the police and 2) international cooperation in fighting cybercrime. Also in public-private partnerships, the police in this context are still "walking on eggshells", Takkenberg noted. In reply to a question from the audience about the effectiveness of data retention, Takkenberg said that "sometimes you have to give things some time in order to see what they yield in the long-term". This strengthens the position of Privacy First that this measure should never have been introduced. Finally, Takkenberg rightly stated that the police does not benefit from too much information gathering and that one must be very selective.
The panel discussion on privacy and criminal investigation that followed took an unexpected turn due to the comments of Jan Grijpink (Utrecht University, formerly also Ministry of Justice) on the recent complications surrounding the Dutch biometric passport. When asked which aspect of the privacy debate annoyed him, Grijpink answered as follows:
"The discussion about the biometric passport, which I find a good example of how too persistent nagging - if I may say so - on the privacy side impairs the security side. If we have now come to the point of saying "let's remove the fingerprints from the passport", then I am satisfied. Back in 2002, I would have liked to avoid putting fingerprints on the passport, because it is unnecessary to use fingerprints to verify the holder. That has just been superfluous. But the moment you put fingerprints on the passport, you must be able to check whether those fingerprints are still the correct fingerprints and whether the person who says he belongs to them is truly that person. This has led to a decision by various [Dutch] ministers who were responsible for storing four fingers in a municipal database, and if you don't have that, then the citizen is actually lawless when he carries a document with two fingers, because that document is also intended to show to others. If it is just for yourself, then so be it, but a passport is meant to hand over to an authority. When we distribute a passport, we do not even check with the same biometrics whether it's really being distributed to the person who's the official holder. Either no fingerprints, or completely correct. Both these aspects are now threatened to be destroyed through a persistent nagging to one aspect of privacy only. That's what I worry about."
This led Vincent Böhre (Privacy First) to ask Grijpink about his assessment of the risk of function creep in the storage of fingerprints in municipal databases.
Grijpink answered as follows:
"If you put the fingers on the passport only, you just lose all control for the protection of the individual. I have always made the case for storing four fingers - two on the passport and two extra - with the municipality in order to be able to check whether it is still the right person and whether anything in the document has changed. This can also exonerate yourself if you're accused of something with such a document. Whether that can lead to function creep: yes, everything can lead to function creep. But I think that if you organize it well, and I'm naturally a strong supporter of that, also because of the fact that we build large-scale infrastructures with chain-computerization to manage it well, then I think you also have to put some confidence in the government in a certain sense. I have been part of it for 40 years. In my view, some sort of a ghost is often made of the government in privacy debates. I don't recognize that. Many government officials do their work faithfully."
It is up to the reader to draw his own conclusions from this... ;)
During the panel discussion another central issue concerned the question whether or not to release figures on Dutch telephone and internet wiretaps. On behalf of Bits of Freedom Simone Halink rightly pleaded for more transparency in this respect. From the KLPD corner (and a former AIVD intelligence officer in the audience) however, it quickly became clear that there was complete unwillingness to provide any openness. This then led to a hardening of the discussion in which privacy advocates and (former) representatives of police and justice became diametrically opposed to each other. During this discussion Grijpink made the following remarks:
"I want to bring attention to an aspect as to why you should also be careful with making such hard calls for data and surveys. Especially, very clear in my file, identity fraud, then you make use of someone else's identity. When successful, it is invisible. And if the person is dead, then he won't notice anything. So that's a good example that if you start measuring, you get the wrong answer. And false conclusions and false images may even be worse for criminal investigation than if something gets known. In the case of identity fraud it is quite clear. I was asked: "How bad is the problem?" I replied: "Asking that question means that you don't understand. You must first have a situation in which you are sure to have the person who succeeded in committing identity fraud." There is only one situation that I know: the prison cells of the Justice department. Then minister Donner said: "Let's have a look." And guess what: 15% had the wrong identity. Half of those we didn't even know. And those people are in jail. In other words: figures are only really useful to some extent, and in the public debate they often go wrong."
This led Böhre to emphasize the importance of the notion that privacy is a human right, in which the question of proportionality in both individual and collective sense is fundamental. The discussion should therefore always be based on hard facts and figures. Vague assumptions about look-alike fraud are no excuse to impose biometric passports on an entire population. No negative reaction to this followed from the panel. The importance of further discussions based on facts and figures also seemed to be recognized by the audience. In that sense, the National Privacy Debate hopefully marked the end of an era of fact-free politics.
Privacy First will be happy to actively attend the next National Privacy Debate. In the meantime, the debate between all relevant stakeholders should be permanent.
A full video recording of the whole (6.5 hour) National Privacy Debate can be viewed online HERE.
More pictures of the event can be found HERE and HERE.
Postscript: the above report has also been published in the Dutch journal Privacy & Compliance 3-4/2012, p. 46-49.