UPDATE 2013-11-27: here (.pdf, Nov 27) is the EU Report on the Findings by the EU Co-chairs of the ad hoc EU-US Working Group on Data Protection — i.e., the EU-US expert group established in response to the revelations about NSA-related activities on European territory that is referred to in the post below.
UPDATE 2013-11-02: note that the below concerns the NSA program “BOUNDLESSINFORMANT” — that’s where the “1.8M” number comes from. See details at Cryptome and Wikipedia.
UPDATE 2013-11-01: according to this Parliamentary Paper (.pdf, in Dutch) of October 31st, the (unclassified) letter that the Dutch Minister received from the NSA contains the following (original) English text:
“statement on articles in European press alleging large numbers of phone call metadata collected by NSA in France, Spain, Italy. The assertions by reporters in France (Le Monde), Spain (El Mundo) and Italy (L’Espresso) that NSA collected 10s of millions of phone calls are completely false. They cite as evidence screen shots of the results of a web tool used for data management purposes, but both they and the person who stole the classified data did not understand what they were looking at. The web tool counts metadata records from around the world and displays the totals in several different formats. The sources of metadata include data legally collected by NSA under its various authorities, as well as metadata provided to NSA by foreign partners. To be perfectly clear, this is not information that we collected on European citizens. It represents information that we and our NATO allies have collected in defense of our countries and in support of military operations.”
Hence, as was already clear to the informed observer, the data collected by the NSA concerns metadata, not audio signals. If the NSA got that data without consulting AIVD/MIVD, that is illegal in the Netherlands — as stated by the Minister himself. Nu.nl reports (in Dutch) that the Dutch Public Prosecution Service is currently not investigating this matter.
UPDATE 2013-10-30+31: in the Dutch TV news program `Nieuwsuur Politiek’, the Dutch Minister of the Interior and Kingdom Relations, Ronald Plasterk, stated that the 1.8M telephone calls’ metadata were not collected by the Dutch govt or shared by Dutch govt with NSA. Plasterk stated that he received a written statement from the NSA confirming that the NSA collected such metadata in December 2012. The letter does not mention the reported number of “1.8M”. The question then is whether or not the data was collected with permission of the Dutch govt: an article from October 30th in El Mundo suggests (in Spanish), based on Snowden documents, that the Netherlands is one of 19 countries that have a ‘specific cooperation’ with the NSA, and that the NSA collected telecommunications (voice and internet data) in the Netherlands.
====== START OF ORIGINAL BLOGPOST FROM 2013-10-28 ======
On October 28th 2013, the Dutch cabinet 1) responded (.pdf, in Dutch) to the media report that the NSA intercepted 1.8M telephone calls in the Netherlands, and 2) responded (.pdf, in Dutch) to Parliamentary questions concerning that topic. Below is my English translation of both documents. Hyperlinks are mine.
WARNING: this is an unofficial translation.
Date: October 28th 2013 Subject: Response to the report “NSA intercepted about 1.8 million calls in one month in the Netherlands”.
On October 21st, a report was published on the website Tweakers on the eavesdropping of Dutch citizens by the U.S. National Security Agency (NSA). The report is based on an article in the French newspaper Le Monde of October 21st. The report in Le Monde provides further interpretation of a graph that was published on August 5th by the German weekly Der Spiegel. On October 22nd, the Parliament asked me to respond to this (Parliamentary Papers 2013Z20253/2013D41837). I hereby inform you on behalf of the Minister of Security and Justice, the Minister of Foreign Affairs and the Minister of Defense.
From the media reports it would appear that the U.S. services store telephone traffic for further analysis. This concerns, for instance, data on who is calling, when, for how long, and from what location. After this additional analysis, the NSA could choose to inspect the content of the communication, in accordance with U.S. law. Given the U.S. law, including the Foreign Intelligence Surveillance Act (FISA), the cabinet is aware of the possibility that the U.S. can intercept telephone communications. Using the analysis of metadata, networks of people and organizations can be identified, and the intensity of the contacts can be estimated.
Position of the Dutch cabinet
The cabinet considers the interception of metadata and the analysis thereof by itself in general an acceptable method for investigation of terrorists, other threats to national security or for military operations (see art. 26 and 27 of the Dutch Intelligence and Security Act 2002). The interception of telephone traffic and the wiretapping of email communications in the Netherlands by intelligence and security services can only be carried out within the legal framework provided by the Dutch Intelligence and Security Act 2002 (WIV 2002), and only by order of the relevant ministers. Any other form is not acceptable. It is possible that other countries believe there is good reasons to gather intelligence in or from the Netherlands. In that case, the country involved must address a request to the AIVD or MIVD. That request will then be examined within the WIV 2002. The cabinet considers any action outside that legal framework unacceptable.
The two services therefore carry out structural investigation of espionage by foreign powers in the Netherlands. If such espionage is detected, measures are always taken. This applies even if allies carry out unwanted spying activities in the Netherlands. In the Netherlands, the Dutch law applies, also to allies.
Action by Dutch cabinet
Following the revelations of Mr. Snowden I spoke with the director of the NSA on a bilateral solution, as reported in the general meeting of October 16th. Further consultations are taking place between the Dutch intelligence and security services and the NSA. The Netherlands assesses the initiative of Germany and France as positive, will contact both countries, and will actively contribute where possible. The Minister of Foreign Affairs has previously expressed the Dutch concerns during his visit to Washington to his Dutch colleague Kerry, and called for more transparency. The Minister of Security and Justice, as coordinating minister for cyber security, submitted the new government-wide National Cyber Security Strategy [.pdf, in Dutch] to the Parliament. This includes extensive attention to measures for increasing the overall resilience in the digital domain. Moreover, the State Secretary of Security and Justice and I are also actively involved in the negotiations on the new EU legislation on the protection of privacy.
Actions of Parliament and the EU
At the request of the Parliament, the Review Committee on the Intelligence and Security Services (CTIVD) is investigating the data processing by the AIVD and the MIVD concerning telecommunications. The report is expected this fall and will be sent to the Parliament as soon as possible with a cabinet response. At the EU level, an EU/US expert group started with the aim of getting insight in each other’s programs and how they are anchored in the rule of law. The cabinet supports the activities of this expert group. The report of the expert group is expected this fall. The European Parliament is also holding hearings, following the revelations by Mr. Snowden. The report on these hearings is also expected this fall. International cooperation The CTIVD supervises the legality of the activities of the services, including the cooperation with foreign intelligence and security services, and on that account has access to all information at the AIVD and MIVD. The CTIVD reports to Parliament through the responsible minister.
The Minister of the Interior and Kingdom Relations,
Dr. R.H.A. Plasterk
And here are the Parliamentary questions and answers:
Questions from members Verhoeven and Schouw (both D66) to the Ministers of Economic Affairs and the Interior and Kingdom Relations concerning the signals that the U.S. NSA is also eavesdropping leaders in the corporate sector (submitted October 25th, 2013) 1. Have you taken note of the report “Snowden leaks: France summons U.S. envoy over NSA surveillance claims”? 
2. Can you elaborate on the suggestion that not only potential terrorists are wiretapped, but also leaders in the corporate sector, and also respond to reports concerning the Brazilian Petrobras company?
The cabinet considers the interception of metadata and the analysis thereof by itself in general an acceptable method for investigation of terrorists, other threats to national security or for military operations (see art. 26 and 27 of the Dutch Intelligence and Security Act 2002). The interception of telephone traffic and the wiretapping of email communications in the Netherlands by intelligence and security services can only be carried out within the legal framework provided by the Dutch Intelligence and Security Act 2002 (WIV 2002), and only by order of the relevant ministers. Any other form is not acceptable.
3 Can you rule out that the U.S. security services are spying on Dutch companies for economic purposes?
4 How many examples of such corporate espionage are known to you, which sectors are involved, and what do you intend to do?
The AIVD investigates of espionage by foreign powers for the national security. No public statements can be made about the methods and information position of the AIVD, including examples of corporate espionage.
5. What are the risks to Dutch companies and Dutch citizens due to spying for economic purposes?
The AIVD has repeatedly highlighted the risks for espionage, including in the Annual Report 2012 [.pdf, in English] (Parliamentary Papers, 30977 No. 52). The [third] Cyber Security Assessment Netherlands [.pdf, in English] (Parliamentary Papers, 26643 No. 285), which is established under coordination by the Minister of Security and Justice, appoints digital espionage as one of the greatest threats to government and industry. Moreover, the vulnerability of ICT remains high.
6 To what extent does industrial espionage remain a priority for the AIVD? The AIVD investigates espionage by foreign powers for national security. Moreover, the AIVD supports the vital sectors in improving security. You have been informed about this, including through the Annual Report 2012. Investigations into corporate espionage outside the context of national security is not a task of the AIVD, this is a matter for the companies themselves (supported by the AIVD via the Espionage Vulnerability Analysis [.pdf, in Dutch] and advice).
7 Are you willing to send an explicit signal to the U.S. that corporate espionage does not fit into a relationship between friendly countries?
Yes, see the activities described in my letter of October 28th, 2013.
8 Are you prepared to answer these questions before Monday October 28th 12:00?
- 2013-11-27: EU Report on the Findings by the EU Co-chairs of the ad hoc EU-US Working Group on Data Protection (.pdf, Nov 27)
- 2013-10-26: UN Draft on Privacy
- 2013-10-25: SIGINT and wiretapping: the Dutch Intelligence and Security Act 2002
- 2013-10-18: Dutch govt response to Parliamentary questions concerning U.S. spying / AMS-IX expansion to U.S.
- 2013-10-11: Dutch govt response to Parliamentary questions about NSA wiretapping international phone traffic
- 2013-09-14: Dutch govt response to revelations by Edward Snowden