UPDATE 2015-10-30: the Dutch government announced it has decided on a bill that revises the invalidated Telecommunications Data Retention Act of 2009. Changes are proposes to take into account recent Dutch and European jurisprudence: access to retained data will now require prior approval from a magistrate (specifically, in Dutch, a “rechter-commissaris”), and only be permitted regarding offenses that allow temporary remand (and thus only regarding offenses that carry a maximum penalty of four or more years imprisonment). The status of the bill can be viewed here (in Dutch). The government will consult the Council of State and then submit the bill to parliament.

UPDATE 2015-03-12: The European Commission plans no new data retention law; leaves it up to Member States (Reuters)

On March 11th 2015, the court of The Hague today ruled (in Dutch) the Dutch Telecommunications Data Retention Act of 2009 invalid, Nu.nl reports (in Dutch). The court ruled that the current law is necessary and has a legitimate purpose, but due to lack of safeguards, is too easily accessible by LE in case of for non-serious crimes. More on that in this post by Bits of Freedom — which also forecasts that data retention may be reintroduced in a form that has sufficient safeguards to meet the requirements set by the European Court of Justice in April 2014, but still long-term and in bulk, without discrimination between suspects and non-suspects. Here is a translation of the report by Nu.nl (some links original, some links added by me; the Dutch govt’s response to the ruling follows below):

Dutch telecom data retention law ruled invalid by court in The Hague

Dutch providers are no longer required to retain internet and phone traffic data. The telecommunications data retention law, that was fought in court by various privacy groups and small ISPs, is invalid.

That was ruled (.pdf, in Dutch) by the court of The Hague on Wednesday. The data retention law violated the Charter of Fundamental Rights of the European Union, specifically regarding the right to protection of private life and protection of personal data.

Earlier, the European Court of Justice ruled that the European Data Retention Directive was invalid. Former Minister Opstelten (Justice) however decided to uphold the Dutch interpretation of the European directive.

He did present a bill that would ensure that the telecommunications data can only be accessed after prior approval from a court. The State nonetheless pleaded, during the court case in February, that the current Dutch data retention law already provided sufficient safeguards. The bill still needs to be debated in the House of Representatives.

Serious crime

The plaintiffs, including Privacy First, internet provider BIT and the Dutch Associations of Criminal Defense Lawyers and Journalists, stated that the data retention law poses a disproportional infringement upon the privacy of Dutch citizens that are not suspected of crime.

Data about phone use, such was which numbers called which numbers, and when, are retained for twelve months. Data about internet use, such as who is logged in and with what IP address, are retained for six months. As the cell towers that cell phones contact are registered, a rough location of users is recorded and retained.

The judge finds that the collected data are too easily accessible for crimes that are not serious. The plaintiffs stated that, technically, theft of a bicycle could lead to access to data, although the government stated this does not happen.

“Fact of the matter is that the possibility exists and that no safeguards exist to limit access to the data to what is strictly necessary to fight (only) serious crime”, according to the judge.

Review

The court also finds it to be incorrect that no prior court approval is needed to access the data.

“The court is aware that the ruling can have profound implications for the investigation and prosecution of criminal offenses,” according to the ruling. “That does not justify that the aforementioned infringement persists.”

The Dutch Telecommunications Data Retention Act of 2009 is ruled invalid in its entirety.

Debate

Vincent Böhre, director of Privacy First, says in a first response to be “very happy” with a “breakthrough ruling”. “It rarely happens that a court decided to rule a law invalid during a summary proceedings. This is an important precedent and is relevant to the debate on data retention in the House of Representatives.”

A spokesperson of the Ministry of Security & Justice states that the ruling is being examined. Later today, the Ministry will provide a more elaborate response, and it will be announced whether the government decides to appeal the ruling.

Later that day, the Ministry of Security & Justice responded to the ruling as follows:

The Ministry of Security & Justice regrets the invalidation of the Telecommunications Data Retention Act of 2009, considering the prosecution of crimes. The Ministry has not yet decided whether to appeal the ruling.

Providers are no longer required the retain data for prosecution. The Ministry is seriously concerning about the effects for prosecution of crime.

The judge stated that data retention is necessary and effective, and that it serves a legitimate purpose. In de court’s view, the State has insufficiently substantiated that certain forms of crime can nearly only be prosecuted through the use of historic telecommunications data.

Meanwhile, there is a legislative proposal that changes the Telecommunications Data Retention Act of 2009. Last November, this draft regulation has been submitted to several institutions for advice. The contents of the ruling will be involved in the proposal, such that the protection of private life of those involves is sufficiently ensured. The ruling leaves ample opportunity for that.

In the interest of prosecution it is of great importance that the proposal can come into forces as soon as possible.

Note that the Dutch DPA in February stated that said bill, that is intended to change the existing law to comply with the requirements that follow from the April 2014 ECJ ruling, (still) is “disproportionate infringement of private life”. We’ll see what happens next.

Related:

• 2015-03-12: Dutch data retention law struck down – for now (Rejo Zenger / Bits of Freedom)
• 2015-02-16: Dutch DPA opinion about post-ECJ data retention bill: “disproportionate infringement of private life”
• 2014-11-26: Dutch govt response to ECJ’s April 2014 ruling on the EU Data Retention Directive

EOF