In light of upcoming expansion of interception powers, Dutch govt will commission a Privacy Impact Assessment

On February 10th 2015, a General Meeting took place in the Dutch House of Representatives concerning the Dutch Intelligence & Security Act of 2002 (Wiv2002), which is currently being revised: see the highlights. During that meeting, the Minister of the Interior promised to send a letter that provides information on three topics raised during the debate: the offer of a technical briefing on cable interception, the Privacy Impact Assessment requested by MP Gerard Schouw (D66), and an explanation of the further procedure of revising the Wiv2002. On March 17th 2015, the Minister sent the letter (.docx; mirror) he promised. The Privacy Impact Assessment (PIA) model for the National Office that is referenced in the letter, is available here. A different, yet unknown, PIA model, tailored to the legal tasks of the AIVD and MIVD, will be applied to the proposed changes to the existing Intelligence & Security Act of 2002. In theory, a PIA is a ‘live document’ that is intended to motivate policy makers to make privacy-friendly choices, if such alternatives are available.

Here is a translation of the Minister’s letter:

During the General Meeting on February 10th 2015 with the Standing Committee on Home Affairs, I promised to provide you with further information regarding three issues related to the revision of the Intelligence & Security Act of 2002 (Wiv2002). It is primarily a technical briefing of your members by the heads of the intelligence and security agencies, concerning interception of cable communications. Secondly, I promised to give a detailed explanation of the possibility of carrying out a Privacy Impact Assessment with respect to the new Intelligence & Security Act (Wiv), which is currently being prepared. Finally, you asked me to outline the further procedure concerning the revision of this law. Also on behalf of the Minister of Defense I consecutively address these three issues.

Technical briefing on cable interception

During the General Meeting I offered to illustrate, in a confidential meeting with the Committees on Interior and Defense, the need for the proposed modification of interception powers, that makes it possible to intercept large amounts of raw data from cables. I propose that this explanation is provided by the two heads of the intelligence & security services. I like to hear whether the House wants to accept this offer, so that it can be scheduled in further consultation with the House.

Privacy Impact Assessment

The government has earlier informed you that as of September 1st 2013, the Model Privacy Impact Assessment (PIA) of the National Office must be applied by default in the development of new legislation and policies that provide for the construction of new ICT systems or the creation of large databases (Parliamentary Papers II 2012/13, 26 643, no. 282, Annex 252 629, as well as in a letter dated November 10, 2014 in response to the motion-Segers/Oosenbrug, Papers II 2014/15, 34000 VII, no. 21). The PIA model was implemented in the coalition agreement and by the motion-Franken et al. (Papers I, 2010/11, 31051, D).

Said PIA model is specifically aimed at the National Office and based on the requirements to the processing of data, as set out by the Data Protection Act (DPA), according to the notes in the PIA questionnaire. Under Article 2, paragraph b of the Wiv2002, the Wiv2002 exempts the intelligence & security services from the DPA, and the PIA model as such is not tailored to regulations governing the intelligence and security services.

Although a PIA is not mandatory for the new Wiv, the government wants to make clear, in a transparent way, how privacy risks are weighed. The legislation related to the intelligence & security services in particular concerns the balance between protecting national security and protecting the privacy of citizens. The allocation and application of powers in specific cases, the construction of ICT systems, and the construction of databases must be reviewed on necessity, proportionality and subsidiarity. A PIA tailored to the legal tasks of the Dutch intelligence & security services may serve as a helpful tool. The government will therefore commission a privacy impact assessment, to be carried out by one or more independent experts, in parallel to submitted the proposed legislation for public consultation.

Procedure for revision of the Wiv2002

During the General Meeting it was requested that the procedure be outlined that applies from the moment the legislative proposal is submitted for public consultation. The (internet-based) consultation period will start this spring (the aim is — as I indicated in the General Meeting — April 2015) and lasts six weeks. After that, the opinions and comments are processed as appropriate. It is expected that this will take six weeks. The proposal will then be prepared for submission to the Council of Ministers. The aim is to have this take place before the summer recess [July 3rd – August 31st]. Once the Council of Ministers accepts the proposal, it may be offered to the Advisory Department of the Council of State. Depending on the time that the Advisory Department needs to give its opinion, the detailed report will be established. The time required varies depending on the nature and content of the opinion. Given the above, it is expected that the bill will be offered to the House by the end of 2015, or early 2016.