Month: March 2015

In light of upcoming expansion of interception powers, Dutch govt will commission a Privacy Impact Assessment

On February 10th 2015, a General Meeting took place in the Dutch House of Representatives concerning the Dutch Intelligence & Security Act of 2002 (Wiv2002), which is currently being revised: see the highlights. During that meeting, the Minister of the Interior promised to send a letter that provides information on three topics raised during the debate: the offer of a technical briefing on cable interception, the Privacy Impact Assessment requested by MP Gerard Schouw (D66), and an explanation of the further procedure of revising the Wiv2002. On March 17th 2015, the Minister sent the letter (.docx; mirror) he promised. The Privacy Impact Assessment (PIA) model for the National Office that is referenced in the letter is available here. A different, as yet unknown, PIA model, tailored to the legal tasks of the AIVD and MIVD, will be applied to the proposed changes to the existing Intelligence & Security Act of 2002. In theory, a PIA is a ‘live document’ that is intended to motivate policy makers to make privacy-friendly choices, if such alternatives are available.

Here is a translation of the Minister’s letter:

During the General Meeting on February 10th 2015 with the Standing Committee on Home Affairs, I promised to provide you with further information regarding three issues related to the revision of the Intelligence & Security Act of 2002 (Wiv2002). First, it concerns a technical briefing of your members by the heads of the intelligence and security agencies, concerning the interception of cable communications. Secondly, I promised to give a detailed explanation of the possibility of carrying out a Privacy Impact Assessment with respect to the new Intelligence & Security Act (Wiv), which is currently being prepared. Finally, you asked me to outline the further procedure concerning the revision of this law. Also on behalf of the Minister of Defense, I address these three issues in turn.

Technical briefing on cable interception

During the General Meeting I offered to illustrate, in a confidential meeting with the Committees on Interior and Defense, the need for the proposed modification of interception powers, which makes it possible to intercept large amounts of raw data from cables. I propose that this explanation be provided by the two heads of the intelligence & security services. I would like to hear whether the House wants to accept this offer, so that it can be scheduled in further consultation with the House.

Privacy Impact Assessment

The government has earlier informed you that as of September 1st 2013, the Model Privacy Impact Assessment (PIA) of the National Office must be applied by default in the development of new legislation and policies that provide for the construction of new ICT systems or the creation of large databases (Parliamentary Papers II 2012/13, 26 643, no. 282, Annex 252 629, as well as in a letter dated November 10, 2014 in response to the motion-Segers/Oosenbrug, Papers II 2014/15, 34000 VII, no. 21). The PIA model was implemented in the coalition agreement and by the motion-Franken et al. (Papers I, 2010/11, 31051, D).

Said PIA model is specifically aimed at the National Office and based on the requirements for the processing of data, as set out by the Data Protection Act (DPA), according to the notes in the PIA questionnaire. Under Article 2, paragraph b of the Wiv2002, the intelligence & security services are exempted from the DPA, and the PIA model as such is not tailored to the regulations governing the intelligence and security services.

Although a PIA is not mandatory for the new Wiv, the government wants to make clear, in a transparent way, how privacy risks are weighed. The legislation related to the intelligence & security services in particular concerns the balance between protecting national security and protecting the privacy of citizens. The allocation and application of powers in specific cases, the construction of ICT systems, and the construction of databases must be reviewed on necessity, proportionality and subsidiarity. A PIA tailored to the legal tasks of the Dutch intelligence & security services may serve as a helpful tool. The government will therefore commission a privacy impact assessment, to be carried out by one or more independent experts, in parallel to submitting the proposed legislation for public consultation.

Procedure for revision of the Wiv2002

During the General Meeting it was requested that the procedure be outlined that applies from the moment the legislative proposal is submitted for public consultation. The (internet-based) consultation period will start this spring (the aim is — as I indicated in the General Meeting — April 2015) and lasts six weeks. After that, the opinions and comments are processed as appropriate. It is expected that this will take six weeks. The proposal will then be prepared for submission to the Council of Ministers. The aim is to have this take place before the summer recess [July 3rd – August 31st]. Once the Council of Ministers accepts the proposal, it may be offered to the Advisory Department of the Council of State. Depending on the time that the Advisory Department needs to give its opinion, the detailed report will be established. The time required varies depending on the nature and content of the opinion. Given the above, it is expected that the bill will be offered to the House by the end of 2015, or early 2016.



Dutch govt rejects idea of no-spy agreements between European countries

At the request (in Dutch) of MP Gerard Schouw (D66), the Dutch Minister of the Interior, Ronald Plasterk, on March 3rd 2015 responded to the report Mass surveillance (.pdf, Jan 26; mirror) that was written by Pieter Omtzigt, a Dutch member of the Parliamentary Assembly of the Council of Europe (PACE). (More on that report here.) Omtzigt’s report was the basis for a draft resolution (.pdf) of the PACE Committee on Legal Affairs and Human Rights. In his response, Plasterk rejects the proposal of a multilateral “Intelligence Codex”, i.e., a no-spy treaty between European countries, arguing that it is unrealistic and would limit intelligence collection in an irresponsible manner:

Concerning the recommendation to provide a multilateral “Intelligence Codex”, as proposed, I have serious doubts. A Codex in which signatory countries lay down that they will not exercise investigatory powers against each other for, for instance, political reasons, is not realistic. The intelligence tasks of the AIVD and MIVD — that notably involve intelligence collection concerning covert political and military intentions and activities of other countries — would be limited in an irresponsible manner.

(Original Dutch: “Wat betreft de aanbeveling om te voorzien in een multilaterale «Intelligence Codex», zoals wordt voorgesteld, bestaan bij mij ter zake ernstige aarzelingen. Een Codex waarbij de aangesloten landen zich er op vastleggen dat men geen onderzoeksbevoegdheden jegens elkaar zal toepassen voor bijvoorbeeld politieke redenen, is niet realistisch. De inlichtingentaken van de AIVD en de MIVD – waar het juist ook gaat om inlichtingen in te winnen omtrent heimelijke politieke en militaire intenties en activiteiten van andere landen – zouden zo op onverantwoorde wijze kunnen worden ingeperkt.”)

On March 12th, Dutch newspaper Volkskrant published an article (in Dutch) about it. Here is a translation of that article (hyperlinks and parts in [] are mine):

Dutch Minister of the Interior rejects no-spy treaty proposal

by Huib Modderkolk

Following the revelations about spying, the Parliamentary Assembly of the Council of Europe wrote a comprehensive report [.pdf] about espionage. Led by Dutch MP Pieter Omtzigt (CDA), the Council spoke with several specialists, including NSA whistleblower Edward Snowden.

The report urges countries to make rules for the collection of information located in other European countries, and to establish a so-called “intelligence codex”. One of the recommendations is to allow Member States’ intelligence services to apply the same rules that also apply in their own country. That should prevent secret services from spying on citizens of other countries in a way that is not permitted in their own country.

Unrealistic

For instance, the British GCHQ hacked Belgian telecom operator Belgacom to covertly access, for 2.5 years, communications of European institutions. Countries that make a no-spy agreement mutually abstain from “political, economic and diplomatic” espionage. The codex is an idea of former director of the German secret service and former Secretary of State for Justice, Hansjörg Geiger, and could for instance apply to a group of European countries.

Minister Plasterk does not find it realistic and does not see a use for it. “The intelligence tasks of the two services — that in fact include intelligence collection about covert political and military intentions and activities of other countries — would then be limited in an irresponsible way,” Plasterk says. In October 2013 he said [in Dutch] a plan for a no-spy treaty with the United States was an “attractive idea”, and he would explore whether it is a viable path. Britain and the US have such an agreement.

Pieter Omtzigt, as one of the authors of the report, regrets Plasterk’s response. “Now that so much has become clear about the NSA eavesdropping in friendly nations, it is regrettable that the government did not support the proposal of the former head of the German BND, Mr. Geiger, to establish a codex”, Omtzigt says.

“The NSA eavesdropped on more than 100 friendly governments (including Merkel), and sometimes entire countries. And there is no protection for data acquired ‘elsewhere’. It is also unwise for the Netherlands to reject the idea before other countries responded to it.”

Motion

In 2014, the House passed a motion [in Dutch] submitted by MP Segers (Christian Union) in which the government was requested “to consult with allied governments and agencies to establish explicit agreements concerning respect for human rights.” In response, Plasterk stated the General Intelligence & Security Service (AIVD) and the Military Intelligence & Security Service (MIVD) are working to establish standards for cooperation between European intelligence services, in which “respect for human rights sets boundaries for the framework.”

According to the report of the Council of Europe, current intelligence practice is a “fundamental threat to human rights”. An “intelligence codex”, among other things, should have changed that.

New Dutch intelligence law in the making

MP Recourt (Labour Party) therefore calls it a “sympathetic plan”. Recourt: “I support the basic idea, let’s do it.” Because he does not expect intelligence services will abide by the rules, he also advocated sanctions for countries that violate the agreements.

MP Schouw (D66) does not understand the rejection of the no-spy treaty by Plasterk. He points out that a new intelligence law for the AIVD and MIVD is in the making. “But such a law is pointless if you do not first address this. Friendly services will go ahead regardless of what we put into law.” As an example, he mentions the hacking of SIM card manufacturer Gemalto by the British GCHQ. Schouw: “Minister Plasterk has plenty of time, and he can leave an important legacy. Let him advocate a no-spy treaty.”

Other countries have yet to comment on the idea.


Dutch telecom data retention law ruled invalid by court in The Hague

UPDATE 2015-10-30: the Dutch government announced it has decided on a bill that revises the invalidated Telecommunications Data Retention Act of 2009. Changes are proposed to take into account recent Dutch and European jurisprudence: access to retained data will now require prior approval from a magistrate (specifically, in Dutch, a “rechter-commissaris”), and will only be permitted regarding offenses that allow temporary remand (and thus only regarding offenses that carry a maximum penalty of four or more years imprisonment). The status of the bill can be viewed here (in Dutch). The government will consult the Council of State and then submit the bill to parliament.

UPDATE 2015-03-12: The European Commission plans no new data retention law; leaves it up to Member States (Reuters)

On March 11th 2015, the court of The Hague ruled (in Dutch) the Dutch Telecommunications Data Retention Act of 2009 invalid, Nu.nl reports (in Dutch). The court ruled that the current law is necessary and has a legitimate purpose, but that, due to a lack of safeguards, the retained data are too easily accessible to law enforcement in cases of non-serious crimes. More on that in this post by Bits of Freedom — which also forecasts that data retention may be reintroduced in a form that has sufficient safeguards to meet the requirements set by the European Court of Justice in April 2014, but still long-term and in bulk, without discrimination between suspects and non-suspects. Here is a translation of the report by Nu.nl (some links original, some links added by me; the Dutch govt’s response to the ruling follows below):

Dutch telecom data retention law ruled invalid by court in The Hague

Dutch providers are no longer required to retain internet and phone traffic data. The telecommunications data retention law, that was fought in court by various privacy groups and small ISPs, is invalid.

That was ruled (.pdf, in Dutch) by the court of The Hague on Wednesday. The data retention law violated the Charter of Fundamental Rights of the European Union, specifically regarding the right to protection of private life and protection of personal data.

Earlier, the European Court of Justice ruled that the European Data Retention Directive was invalid. Former Minister Opstelten (Justice) however decided to uphold the Dutch interpretation of the European directive.

He did present a bill that would ensure that the telecommunications data can only be accessed after prior approval from a court. The State nonetheless pleaded, during the court case in February, that the current Dutch data retention law already provided sufficient safeguards. The bill still needs to be debated in the House of Representatives.

Serious crime

The plaintiffs, including Privacy First, internet provider BIT and the Dutch Associations of Criminal Defense Lawyers and Journalists, stated that the data retention law poses a disproportional infringement upon the privacy of Dutch citizens that are not suspected of crime.

Data about phone use, such as which numbers called which numbers, and when, are retained for twelve months. Data about internet use, such as who is logged in and with what IP address, are retained for six months. As the cell towers that cell phones contact are registered, a rough location of users is recorded and retained.

The judge finds that the collected data are too easily accessible for crimes that are not serious. The plaintiffs stated that, technically, theft of a bicycle could lead to access to data, although the government stated this does not happen.

“Fact of the matter is that the possibility exists and that no safeguards exist to limit access to the data to what is strictly necessary to fight (only) serious crime”, according to the judge.

Review

The court also finds it to be incorrect that no prior court approval is needed to access the data.

“The court is aware that the ruling can have profound implications for the investigation and prosecution of criminal offenses,” according to the ruling. “That does not justify that the aforementioned infringement persists.”

The Dutch Telecommunications Data Retention Act of 2009 is ruled invalid in its entirety.

Debate

Vincent Böhre, director of Privacy First, says in a first response to be “very happy” with a “breakthrough ruling”. “It rarely happens that a court decides to rule a law invalid in summary proceedings. This is an important precedent and is relevant to the debate on data retention in the House of Representatives.”

A spokesperson of the Ministry of Security & Justice states that the ruling is being examined. Later today, the Ministry will provide a more elaborate response, and it will be announced whether the government decides to appeal the ruling.

Later that day, the Ministry of Security & Justice responded to the ruling as follows:

The Ministry of Security & Justice regrets the invalidation of the Telecommunications Data Retention Act of 2009, considering the prosecution of crimes. The Ministry has not yet decided whether to appeal the ruling.

Providers are no longer required to retain data for prosecution. The Ministry is seriously concerned about the effects on the prosecution of crime.

The judge stated that data retention is necessary and effective, and that it serves a legitimate purpose. In the court’s view, the State has insufficiently substantiated that certain forms of crime can almost only be prosecuted through the use of historic telecommunications data.

Meanwhile, there is a legislative proposal that changes the Telecommunications Data Retention Act of 2009. Last November, this draft regulation was submitted to several institutions for advice. The contents of the ruling will be taken into account in the proposal, such that the protection of the private life of those involved is sufficiently ensured. The ruling leaves ample opportunity for that.

In the interest of prosecution it is of great importance that the proposal can come into force as soon as possible.

Note that the Dutch DPA stated in February that said bill, which is intended to change the existing law to comply with the requirements that follow from the April 2014 ECJ ruling, is (still) a “disproportionate infringement of private life”. We’ll see what happens next.


‘Personnel of Dutch intelligence & security service AIVD want collective labor agreement’

On Monday March 9th 2015, news site Nu.nl reports (in Dutch) that 900 employees (out of some 1500 total) of the Dutch General Intelligence & Security Service (AIVD) signed a petition calling for a collective labor agreement. Here is a translation of that report:

‘Secret service wants collective labor agreement’

Employees of intelligence service AIVD want a decent collective labor agreement with the Dutch government, unions report Monday.

Almost nine hundred employees signed a petition sent to Minister Stef Blok (State Service). According to the unions, that is a clear majority of AIVD personnel.

Government officials have been without a new collective labor agreement for four years. For several months, the unions have been petitioning to end this period without salary increases. Thousands of officials of various central government services already support the demand from the National Federation of Christian Trade Unions (CNV), Federation Dutch Labor Movement (FNV), AC Rijksvakbonden and CMHF.

That AIVD personnel now also make themselves heard is extraordinary, says Loek Schueler, director of CNV Government. “The employees organize themselves from the inside. The last weeks they have passed around a petition. Usually this would not attract much support, because of the personnel’s sense of duty and their task for the security of our country. That time is now over.”

The unions will take stock at the end of this month. They do not rule out strikes or work disruptions.


Snippets from the annotated agenda of the JBZ-Raad (Justice and Home Affairs Council) of 12/13 March 2015: compatible use and special categories of personal data

For my own purposes I am posting below two short fragments concerning Dutch positions in the European negotiations on a new privacy regulation, the General Data Protection Regulation (GDPR; 2012/0011 (COD)). They are a snapshot of (part of) the state of play. The annotated agenda (.doc, 4 March 2015) of Opstelten and Teeven in preparation for the JBZ-Raad of 12 and 13 March 2015 (which, incidentally, came with a nice progress overview (.pdf, 27 February 2015) of JHA dossiers) states the following about “compatible use in further processing”, one of the topics that have come up in the negotiations:

Compatible use in further processing

Personal data may in principle only be processed for the purpose for which they were collected. Under certain circumstances, however, data may also be processed for another purpose, provided that the original purpose and the intended purpose are compatible. Whether that is the case depends on the outcome of a test, the compatibility test, in which various criteria play a role. The compatibility test is an extremely important instrument in practice, because it grants citizens, businesses and government an indispensable degree of flexibility when processing data. The current rules on this function well on the whole. The proposed rules in the regulation contain three new elements that gave rise to discussion.

1. Unlike the current directive, the regulation opens up the possibility, where the original and the intended purpose are incompatible, of nevertheless deeming the processing lawful when a separate legal basis can be identified for the further processing.

The Netherlands considers this new rule superfluous and, moreover, confusing. Superfluous, because when a test of the compatibility of the original and the intended purpose shows that they are incompatible, nothing prevents a controller from starting a new, independent processing operation for the new purpose. The absence of such a rule has so far not been experienced as a shortcoming. It is confusing because compatibility of purposes and legal grounds for processing are different standards that are being tied together.

It turns out, however, that by far most Member States and the Commission are in favor of the rule. The Netherlands will therefore accept it. The European Parliament, incidentally, is not in favor of the proposed rule.

2. When data are processed for a purpose other than the one for which they were originally collected, and the original and the intended purpose moreover turn out to be compatible, the question is whether the legal basis for the original purpose can also serve as the legal basis for the intended purpose. Under current law that is permitted. About half of the Member States consider it necessary that, in such cases too, a new legal basis be sought for the same processing when the purpose changes. That is very burdensome for governments, because it may imply that legislation has to be amended. It is also burdensome for businesses, because contracts would have to be adjusted or consent would have to be obtained. The Netherlands, the Commission and the other half of the Member States therefore consider this too stringent. The Netherlands assumes that this point can be resolved satisfactorily. The European Parliament has not explicitly expressed a view on this.

3. When, after the test has been carried out, the use turns out to be incompatible, the regulation allows the processing nevertheless to continue if a legal ground can be identified for the intended purpose. The Commission takes the view that the so-called “legitimate interest of the controller” cannot constitute a legal basis for further processing that is incompatible with the original processing. The Netherlands does not understand why this should not be possible. Most Member States also lean towards this position. The European Parliament has not yet explicitly expressed a view on this.

On special categories of personal data, the following is stated:

Special categories of personal data

The existing directive leaves the Member States a wide degree of freedom in making exceptions to the prohibition on processing special categories of personal data. The Dutch Personal Data Protection Act (Wet bescherming persoonsgegevens) accordingly contains an extensive system of specific and general grounds for exception to that prohibition. The starting point has always been that processing operations that are fully accepted in society are not needlessly subjected to a prohibition and have their position regulated at the level of formal law. For instance, it is laid down that the processing of medical data by medical professionals is permitted without further ado, and that the police and the Public Prosecution Service (OM) may process criminal-law data without restrictions. That legislative freedom offers optimal possibilities to take account of the specific position of a Member State. The Netherlands, for instance, has a unique pension system. It is therefore laid down that pension funds may process medical data. With the replacement of the directive by a regulation, the freedom of the Member States disappears to a significant extent. This is acceptable to the Netherlands insofar as the lifting of the processing prohibition for existing and reasonably foreseeable normal processing operations involving special categories of personal data is established, or can be established, either by the regulation or by the national legislator.

It has become apparent that there is much incomprehension about some processing operations that are regarded as generally accepted in the Netherlands, such as the processing of medical and criminal-law data by insurers, or of genetic data by the criminal justice authorities and by physicians. The Netherlands has therefore strongly resisted proposals aimed at denying the national legislator even more room. Although this has been successful so far, it cannot be ruled out that proposals to bind the national legislator to further restrictions will return. On the consequences of this eventuality, the State Secretary for Security and Justice will take a position prior to this JBZ-Raad, but not before Coreper has considered the matter.

Other topics included in the annotated agenda with regard to the privacy regulation are:

  • Protection of minors.
  • Transfer of medical data to third countries.
  • Cooperation between supervisory authorities.
  • Support for the European Data Protection Board (EDPB).
