UPDATE 2014-07-25: I incorrectly stated it was a Supreme Court ruling. It is a ruling by the district court in The Hague. The plaintiffs will appeal the ruling. The ZDNet article (still) incorrectly mentions Supreme Court. Kudos to MV and @privacyfirst for correcting.
UPDATE 2014-07-24: article about it on ZDNet. (Note: its headline is unwarranted IMHO.)
After the news or PRISM broke, a bunch of Dutch individuals, represented by lawyers of Bureau Brandeis, filed a joint civil suit against the Dutch government concerning the exchange of telecommunications between the NSA and the Dutch intelligence & security services. One of the important issues in this case was the question whether the Dutch services should be allowed to use data intercepted by foreign partners in ways that would violate the ECHR or Dutch national legislation. Notably, the Dutch national legislation does not permit bulk interception of cable communications. (Bulk interception of wireless communications is permitted.)
Dutch news site Nu.nl reports (in Dutch), as does Bits of Freedom, on today’s ruling in that case by the
Supreme Court district court in The Hague. The full ruling is here (in Dutch). The plaintiffs will appeal this ruling.
Here is my translation of the summarized ruling:
The Hague, July 23rd 2014
The exchange of telecommunications between the Dutch General Intelligence and Security Service (AIVD) and Military Intelligence and Security Service (MIVD) and the U.S. National Security Agency (NSA) is acceptable. The possibility exists that the Dutch services,in exchanging telecommunications data with foreign services such as the NSA, receive data that are collected in foreign countries by foreign services using legal powers that are not available to the Dutch services. The mere possibility of this does not mean that the Netherlands violates international treaties and national legislation by receiving and possibly using that data. That has been decided by the court in The Hague in a civil case between a number of individuals, the Dutch Association of Criminal Defense Lawyers (NVS), the Dutch Association of Journalists (NVJ), the Internet Society Netherlands and the Privacy First Foundation.
Respect of privacy versus national security
The issue in this case is the relationship between the interests of individuals and of “everyone” whose interests the plaintiffs defend, including the interest in respecting the privacy of the individual, and the public interest of international cooperation for national security.
Exchange of telecommunications data
The court found that the Dutch intelligence & security services exchange data collections with the NSA, among others. It concerns data sets that contain both metadata (data about communication, such as who is calling and for how long, when and from what location) and data concerning the content of the communication.
Considering the practice of exchange between the intelligence and security services, the Dutch services in general do not know how the data sets that they receive from foreign partners and then possibly use, are collected. Therefore it cannot be ruled out that these data are collected in violation of international treaty obligations incumbent on the Netherlands, such as the respect to privacy of the individual, under the European Convention of Human Rights (ECHR).
The Dutch services themselves are not legally allowed to intercept telecommunications data from cable infrastructure in bulk and use it. The U.S. authorities are. This does not mean that the reception and possible use of such data are automatically impermissible.
Cooperation with foreign partners
Under Dutch law, the Dutch authorities can, considered in itself, cooperate with the U.S. and also receive data from them and use it. The U.S. is bound by its own regulations, which in general are not in conflict with the requirements of the ECHR concerning the protection of the right to respect for private life. Also to the extent that that regulation provides, in some ways, less protection to persons who are not citizens of the U.S., the activities of the Dutch government in general are not contrary to the ECHR or national regulations.
In the context of international cooperation, given the nature of the exchange, namely “in bulk” and without being assessed on importance, the reception of such data does not need to satisfy the strict requirements that the plaintiffs are considering. In addition, there is a difference between receiving data, and using it in individual cases. The general requirements of the ECHR have been satisfied.
The court held that the Dutch government rightly states that it can not be expected of them that they jeopardize the urgently necessary cooperation with foreign services, such as those of the U.S., merely because of unfamiliarity with their methods and the possibility that the Netherlands receives information in a way that is not permitted in our country [sic]. The overriding importance of national security is decisive here.
Assessment of individual interest
The important interests of claimants should, according to the court, be expressed in the protection offered to them on the basis of national regulation, namely by relying on the Dutch Review Committee on the Intelligence and Security Services (CTIVD), the National Ombudsman or national civil or administrative courts. The plaintiffs’ claims in this case were formulated in general terms. The court therefore limited itself to a review of the actions of the Dutch government in general.
As stated here, the Dutch Joint Sigint Cyber Unit (JSCU) is now operational. After the Parliamentary summer recess that ends on September 1st 2014, the Dutch government will send a proposal to the Dutch Parliament for changing the Intelligence & Security Act of 2002. Notably, it is expected that the proposal will include a broadening of interception powers such that the AIVD and MIVD are permitted to perform undirected (i.e., bulk/mass) interception of cable communications. That would allow the Dutch intelligence services to carry out programs such as GCHQ’s Tempora and NSA’s Special Source Operations (SSO), that feed PRISM. Our legislative regime and oversight mechanism is different from that in the U.S. and the U.K., but one thing is the same: the oversight on existing SIGINT powers in the Netherlands is broken too. It is still unclear how that problem will be addressed by the government.