Kingdom of the Netherlands

The Constitution grants citizens an explicit right to privacy.[1896] Article 10 states: "(1) Everyone shall have the right to respect for his privacy, without prejudice to restrictions laid down by, or pursuant to, Act of Parliament. (2) Rules to protect privacy shall be laid down by Act of Parliament in connection with the recording and dissemination of personal data. (3) Rules concerning the rights of persons to be informed of data recorded concerning them, of the use that is made thereof, and to have such data corrected shall be laid down by Act of Parliament." Article 12 states: "(1) Entry into a home against the will of the occupant shall be permitted only in the cases laid down by, or pursuant to, Act of Parliament, by those designated for this purpose by, or pursuant to, Act of Parliament. (2) Prior identification and notice of purpose shall be required in order to enter a home under the preceding paragraph, subject to the exceptions prescribed by Act of Parliament. A written report of the entry shall be issued to the occupant." Article 13 states, "(1) The privacy of correspondence shall not be violated, except in the cases laid down by Act of Parliament or by order of the courts. (2) The privacy of the telephone and telegraph shall not be violated, except in the cases laid down by Act of Parliament, by or with the authorization of those designated for this purpose by Act of Parliament."

In May 2000, the government-appointed Commission for Constitutional Rights in the Digital Age presented proposals for changes to the Dutch Constitution. The commission was set up after confusion about the legal status of e-mail under the constitutionally protected right to secrecy of correspondence. The commission's task was to investigate whether existing constitutional rights should be made more technology-independent and whether new rights should be introduced. According to this proposal, Article 10 would be expanded to include the right of persons to be informed about the origin of data recorded about them and the right to correct that data. Article 13 would be made technology-neutral and would give the right to confidential communications. Only a judge or minister could authorize intrusions upon this right. Until now, no proposal for changes to the Constitution based on the commission's proposal has been brought before Parliament.

The Personal Data Protection Act of 2000[1897] is a revised and expanded version of the Data Registration Act of 1998 that brings Dutch law in line with the European Union Data Protection Directive and regulates the disclosure of personal data to countries outside of the European Union. The law went into effect in September 2001.

The Dutch data protection authority (College Bescherming Persoonsgegevens, or CBP) exercises supervision of the operation of personal data files in accordance with the Act.[1898] Previously known as the Registratiekamer, the CBP's functions have remained largely the same with the implementation of the new Act, although it has been given new powers of enforcement. It can now apply administrative measures and impose fines for non-compliance with a decision. It can also levy fines of up to EUR 4,540 for breach of the notification requirements. Otherwise, the CBP continues to advise the government, deal with complaints submitted by data subjects, institute investigations and make recommendations to controllers of personal data files. In its 2002 annual report[1899] the CBP expresses its concern about the way various prominent Dutch administrators and politicians have characterized privacy in the public and political debate on security: "Privacy protection was portrayed as an impediment to public safety".
The CBP criticizes this approach by arguing that "privacy protection is one of the success factors for effective government". It notes that the general political climate has hardened since "9/11", that there is a general shift in public opinion towards supporting measures to ensure public safety and national security, and greater police powers, and that a simplistic introduction of greater police powers could seriously undermine the rights and interests of ordinary citizens.[1900] In 2002 the CBP received 164 complaints, conducted 16 investigations, managed 659 requests for information, answered 28 requests for opinion on legislation from the government,[1901] and 104 requests for mediation (for, e.g., access or rectification of data).[1902] 18,500 notifications have already been registered with the CBP, as well as more than a hundred data protection officers.[1903] The CBP issued several reports during 2002, most notably on e-Government and privacy, the use of video surveillance cameras in public places, healthcare and information technology privacy, and data retention in telecommunications. The CBP's recent focus has been on establishing privacy protections within information communication technology. It is a major participant in the European Privacy Incorporated Software Agents (PISA) project,[1904] which was established to develop privacy-enhancing technologies to protect user information in electronic transactions. In April 2002, it issued updated guidelines on e-mail and Internet privacy in the workplace. The report argues in favor of a balanced and common-sense approach to e-mail and Internet monitoring at the workplace.
It concludes that, although employees retain a reasonable expectation of privacy in the workplace, employers should be entitled to monitor e-mail and Internet use under certain conditions.[1905] The CBP's upcoming agenda includes the further development of a system of privacy certification, in conjunction with organizations interested in acting as accreditation bodies, and the preparation of its implementation, in order to promote compliance with privacy legislation by self-regulation; a more practical and effective interaction between the CBP and the body of Dutch data protection officers; an investigation of the use of video surveillance systems in public places; the performance of systematic checks of data controllers' processing activities and imposition of administrative penalties in case of non-compliance; the performance of checks of the records kept by the Criminal Investigation Units (Criminele inlichtingeneenheden); the release of information material designed to assist telecommunications service providers in complying with their data processing obligations, in collaboration with the Independent Post and Telecommunications Authority (Onafhankelijke Post en Telecommunicatie Autoriteit, or OPTA); and the publication of a study on the privacy issues related to employees taking sick leave and similar issues.[1906]

Pursuant to the Personal Data Protection Act (PDPA) the Decree on Regulated Exemption[1907] has been enacted to exempt certain organizations from the registration requirements of the PDPA. There are also sectoral privacy laws regulating the Dutch police,[1908] medical exams,[1909] medical treatment,[1910] social security,[1911] the search of private homes,[1912] and the employment of minorities.[1913]

In March 2002, Internet Service Provider XS4ALL won a court order preventing well-known spam company Abfab from sending unsolicited commercial e-mail to its subscribers. Abfab successfully appealed the decision but went bankrupt as a result of the negative publicity.[1914] The case is being brought before the Supreme Court.

Interception of communications is regulated by the Criminal Code and requires a court order.[1915] The intelligence services do not need a court order for interception, but obtain their authorization from the Minister of Interior. The Special Investigation Powers Act, which came into effect in February 2000, streamlines criminal investigatory methods.[1916] A new Telecommunications Act was approved in December 1998, requiring all ISPs to have the capability to intercept all traffic with a court order.[1917] The bill was enacted after ISP XS4ALL refused to conduct a broad wiretap of electronic communications of one of its subscribers.[1918] The Dutch Forensics Institute has developed a so-called "black box" that is used to intercept Internet traffic at an ISP. The black box is under control of the ISP and is turned on after receiving a court order. The box is believed to look at the authentication traffic of the person to be wiretapped and divert the person's traffic to law enforcement if that person is online. Many ISPs use their own interception equipment and hand over the intercepted traffic by using a government-designed protocol. However, the protocol does not define how traffic should be intercepted, leaving the actual collection of evidence undefined and without standards for correctness and completeness.[1919] The cost of installing this technology varies between 250,000 and 750,000 euros and is reportedly forcing many of the small ISPs out of business.[1920] In May 2000, Dutch ISPs canceled a deal with the Justice Department to provide names and addresses of Internet users under criminal investigation without a court order if the case involves a serious crime. Dutch privacy law gives data controllers the right to voluntarily give out personal data to third parties when 'necessary for a criminal investigation.'
The agreement between the providers and the Justice Department had to be halted nevertheless after a court ruled that the Justice Department was requesting information without a "clear urgency" (Dringende en gewichtige reden).[1921] The government recently proposed data retention requirements and changes to Article 13 of the Constitution in the Telecommunications Data Requisition Bill, pursuant to the recommendations of the Committee on the Gathering of Information in Criminal Investigations (or "Mevis Committee"). The bill, which aims at giving all 40,000 law enforcement agents direct access to names and addresses of telecommunications users, is under review in the Senate. The bill gives prosecutors the authority to obtain traffic data without a court order. In June 2003, Members of the Senate questioned the scope of the powers requested and required mandatory registration of all data retrievals in order to review the proportionality and effectiveness.

A survey by the Dutch Ministry of Justice in 1996 found that law enforcement in the Netherlands intercepts more telephone calls than its counterparts in the United States, Germany or Britain.[1922] The Parliamentary Commission of Investigations into Police Methods released a 4,700-page report in 1996. The report was critical of the legal framework of police surveillance[1923] and found that there was a failure among judges, prosecutors and other officials to limit police abuses. Some analysts say that the reason for the high number of taps is that the Netherlands limits other forms of investigation such as police infiltration. A 2003 Freedom of Information Act request by non-governmental organization Bits of Freedom[1924] resulted in the release of 1998 statistics which reveal that law enforcement intercepted up to 10,000 telephone numbers. The Minister of Justice refused to deliver statistics from previous years, stating that those were not available to him. Members of Parliament asked the government to record such statistics in the future, but the Minister of Justice answered that he did not see the benefit of doing so. In 2002, several high-profile cases drew public attention to flaws in the organization and overview of interception. In the criminal case State v. Baybasin,[1925] expert witnesses, both former law enforcement and military intelligence interception employees, testified, after reviewing the evidence, that the intercepted telephone recordings had been tampered with. A July 2003 report by the CBP criticized the unlawful police practice of recording calls between suspects and their lawyers.[1926]

There have been several proposals over past years to grant law enforcement increased authority. In 2001 the Mevis Committee issued a report proposing a wide range of increased powers for police to allow them to carry out "pro-active investigations" (verkennend onderzoek). The proposals would grant police access, without judicial warrant, to the personal information of whole groups of citizens stored by a wide variety of private entities, such as banks, telephone companies, credit card companies, hospitals and travel agents, in order to determine crime patterns.[1927] The Mevis Committee specifically recommended that telecommunications data be excluded from the constitutional right to confidential communications, stating that it should not be necessary for police to always obtain a warrant to intercept communications.[1928]

In October 2001, the Government released an Action Plan containing forty-three specific measures to be taken to combat terrorism and promote security.[1929] Among these were proposals to: expand information and security agencies; promote better cooperation among information and security services and the police; develop biometric identifiers; expand investigative and prosecuting capacity; regulate the use of strong encryption and force Trusted Third Parties to use key escrow or key recovery techniques to enable access to encrypted communications; ensure the quick implementation of the 1998 interception requirements for ISPs (above); expand satellite interception capacity to combat terrorism and "investigate further" the issue of data retention by telecommunications operators.

Proposals for mandatory key escrow for Trusted Third Parties were left behind after the release of a 2002 joint government and industry report examining costs and possible benefits. The report concluded that costs were high and law enforcement rarely ran into difficulties posed by encryption.[1930] Law enforcement can, however, order anyone, except a suspect, who can reasonably be considered to know the means of encryption, to decrypt information encountered during an investigation. Failure to cooperate can be punished with a maximum of three months' imprisonment.[1931] Intelligence services can order anyone to cooperate. Failure to comply with the request from an intelligence service is punishable with up to six months' imprisonment if it was not intentional, and with up to two years' imprisonment if it was intentional.[1932]

The Intelligence and Security Services Act also authorizes the interception, search and keyword scanning of satellite communications. It allows intelligence services to store intercepted communications for up to one year. Previously, irrelevant communications had to be deleted immediately. Encrypted data can be stored for an unlimited time to facilitate possible decryption in the future.

In February 2002, the privacy and civil liberties organization, Bits of Freedom, organized the first Dutch Big Brother Awards.[1933] The awards were granted to: the Health Institute RIVM for archiving over one million blood samples of children, without any legal basis or permission from the children; the Mevis Committee for its 2001 report (above); the Organization for Applied Scientific Research (TNO) for the development of the Automatic Aggression Detection video processing software; and to the State Secretary of Transport, Public Works and Water Management, Monique de Vries, for re-introducing proposals for data retention.[1934]

In December 2002, legislation was proposed to provide for the introduction of compulsory identification for all persons from the age of fourteen. The bill is intended to increase general public safety. Dutch people already have partial identification requirements, for example when opening a bank account or at the workplace. Many critics have stated that the government failed to clarify the need to broaden the identification requirements. The proposal is widely seen as a symbolic gesture to satisfy public concerns over security and crime and will have huge civil liberties consequences.

Starting from 2004 the use of video surveillance in public places will require notice. The Hidden Camera Surveillance Act 2003 (Heimelijk Cameratoezicht) makes it unlawful to use hidden cameras in public places without notification. The use of hidden cameras in the workplace remains lawful if there is a suspicion of criminal behavior and if workers are notified of the likelihood of video surveillance. Journalists can still use hidden cameras for their work.

The Freedom of Information Act 1991 is based on the constitutional right of access to information. It creates a presumption that documents created by a public agency should be available to everyone. Information can be withheld if it relates to international relations of the state, the "economic or financial interest of the state," investigation of criminal offenses, inspections by public authorities or personal privacy. However, these exemptions must be balanced against the importance of the disclosure. Requesters can appeal denials to an administrative court that renders the final decision.

The Netherlands is a member of the Council of Europe and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108).[1935] It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms. In November 2001, the Netherlands signed, but has not ratified, the Convention on Cybercrime.[1936] It is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.