II. Surveillance policies
National security, government surveillance and law enforcement
Wiretapping, access to, and interception of communications
Interception of communications is regulated by the Criminal Code and requires a court order.1 The intelligence services do not need a court order for interception, but obtain their authorisation from the Minister of the Interior. The Special Investigation Powers Act, which came into effect in February 2000, streamlines criminal investigatory methods.2 A Telecommunications Act was approved in December 1998, and requires all telecommunications providers to have the capability to intercept all traffic (phone and Internet) when presented with a court order.3 The Netherlands Radiocommunications Agency is responsible for enforcing the wiretap capabilities of the telecommunications sector.4 The ISP XS4ALL launched a court case in March 2005 against the Dutch State, seeking compensation for the cost of making its network ready for wiretaps. XS4ALL considered it unreasonable that these costs are not reimbursed because the investment is made purely in the interest of law enforcement and does not benefit the ISP in any way. According to XS4ALL, the law requiring providers to pay for the costs of wiretapping is a violation of property rights and an obstruction to freedom of speech. Moreover, the cost division also violates the principle of equal discharge of public burdens and European rules on free movement of services.5 In a decree, the government ordered a dramatic reduction in cost reimbursement to telecommunications companies for the handover of personal data or wiretaps.6 As of 1 April 2005, the companies only receive â‚¬13 for a wiretap and â‚¬6.75 for an extensive investigation into historical traffic data.
The Intelligence and Security Services Act also authorises the interception, search, and keyword scanning of satellite communications.7 It allows intelligence services to store intercepted communications for up to one year. Previously, irrelevant communications had to be deleted immediately. Encrypted data can be stored for an unlimited time to facilitate possible decryption in the future. In 2003, the National SIGINT Organisation (NSO) was established. The NSO operates all satellite communications interception by the Dutch intelligence services. The interception capabilities expanded from two satellite dishes at Zoutkamp to 20 dishes at Burum.
Over the past few years there have been several proposals to grant law enforcement increased authority. In 2001 the Mevis Committee issued a report proposing a wide range of increased powers for police to allow them to carry out "proactive investigations" (verkennend onderzoek). For the purpose of determining crime patterns, the proposals would grant police access, without the need to obtain judicial warrants, to the personal information of whole groups of citizens stored by a wide variety of private entities such as banks, telephone companies, credit card companies, hospitals, and travel agents.8 The Mevis Committee specifically recommended that telecommunications data be excluded from the constitutional right to confidential communications, stating that it should not always be necessary for police to obtain a warrant to intercept communications.9 A draft law incorporating the Mevis proposals(Wet vorderen gegevens) passed the House of Representatives in 2005. The Federation of Organisations of Libraries (FOBID) asked the Senate in an April 2005 letter not to pass the law, fearing that allowing law enforcement to seize library records would create a chilling effect on the use of libraries.
In May 2008, the Dutch police issued an oral press release stating that it would launch a pilot project to look for criminals on the Dutch social networking site Hyves.10 The â€˜Team Digital Expertiseâ€™ developed software that profiles the social network on which a suspect operates. This software will first be tested on police officers. If the pilot succeeds, a national roll-out of the software will be considered. Alongside this pilot, regional police departments have launched their own initiatives to use Hyvesas a platform to gather crime-related information. The police department of Ijsselland created a profile on Hyves to obtain information on a double homicide in a remote area of the region.11 Because the police obtained essential information to solve the case from Hyves, the department decided to start a joint venture with Hyves to use the website to find information to help in solving cases and look for missing persons.12 This website contains information about suspects and missing persons.13
The CBP, in collaboration with the Ministry of Justice and the Ministry of the Interior and Kingdom Relations, has researched the appropriate balance between the effort to achieve a safe society and the effort to safeguard the right to privacy.14 Further research and investigation will take place when the police tap telephone calls in the context of criminal investigations, particularly when conversations between lawyers and their clients are recorded.15 The CBP maintains that these "conversations with holders of confidential information entitled to privilege must be erased as soon as possible."16 The CBP investigation of the national wiretapping rooms shows that this is not generally the case and this privilege is rarely protected.17 As a result, the Public Prosecution Service has announced that measures for the improvement of this situation will be implemented.18
National security legislation
In August 2004, the Crimes of Terrorism Act came into force. Recruitment of fighters for the Islamic armed struggle or jihad and conspiracy to commit a serious act of terrorism will each be a separate, punishable criminal offence under the Act. The maximum prison sentence for crimes such as homicide, gross maltreatment, hijacking, or kidnapping will be higher if they have been committed with a "terrorist purpose." In addition, the conspiracy to commit serious acts of terrorism will be made a separate punishable criminal offence.
"At the end of 2007, at the request of the Senate, the CBP issued advice on a legislative proposal that would extend the powers that the intelligence and security services, in their efforts to combat terrorism, have to obtain data on travelling, payment traffic, and Internet use by citizens."19 The CBP believes that the need for these measures has not been sufficiently demonstrated and considers that the consequences of this data analysis for individual citizens may outweigh the policy goals.20
In September 2004, a new Act came into force that amends the power to request telecommunications data.21 The law (Vorderen gegevens telecommunicatie) enables the public prosecutor to request traffic data from providers of public telecommunications networks and services. This power may be applied when there is suspicion of a serious offence. In the event of suspicion of a criminal offence, any investigating officer can request a subscriber's personal information. A proposal to notify suspects when the subscriber's data has been requested was rejected by the Parliament. Members of the Senate questioned the scope of the powers requested and required mandatory registration of all data retrievals in order to review their proportionality and effectiveness.
On 4 April 2007, the Dutch Cabinet agreed to proposed legislation designed to implement the European Directive on Data Retention, a directive that requires member countries to set statutory retention of telephone and Internet traffic data.22 The legislative proposal sets the retention period at 18 months, a period the Ministry of Justice says is needed to accommodate the needs of police and judicial authorities.23 The CBP has criticised the proposed legislation, saying the need for a retention period of 18 months has not been demonstrated satisfactorily.24 The CBP argues, "retaining historical telephone and Internet information on every citizen in the Netherlands is an extremely radical measure whose need must be demonstrated irrefutably."25 The CBP has also criticised other aspects of the proposed legislation, including the categories of information that must be retained, the parameters for access to information currently in the bill, and the lack of control mechanisms for the lawful use of information.26
On 22 May 2008, the Dutch House of Representatives passed the Telecommunications Data Retention Act (Wet Bewaarplicht Telecommunicatiegegevens), which amended the data retention period from 18 months in the first draft to 12 months.27 The Act has been sent to the Senate for review. The Senate's Justice sub-committee found a lack of documentation for the necessity and proportionality of the Data Retention Act, and agreed to a hearing with an independent expert to address issues of technical feasibility. Specifically, Senators were concerned about the compatibility of the Act with Article 8 of the European Convention on Human Rights, the reimbursement of the costs for Internet Service Providers, and the security measures concerning the retained data.28 The law29 was approved by the Senate and went into force on 1 September 2009.30
National databases for law enforcement and security purposes
No specific information has been provided under this section.
National and international data disclosure agreements
No specific information has been provided under this section.
No specific information has been provided under this section.
No specific information has been provided under this section.
As of 2004, the use of covert video surveillance in public places requires notice. The Hidden Camera Surveillance Act 2003 (Heimelijk Cameratoezicht) makes it unlawful to use hidden cameras in public places without notification. The use of hidden cameras in the workplace remains lawful if there is suspicion of criminal behaviour and if workers are notified. Journalists can still use hidden cameras for their work. In April 2005, the House of Representatives passed the Camera Surveillance Act, which allows images to be retained for up to four weeks and also facilitates the use of cameras for law enforcement purposes, whereas before the main purpose of camera surveillance was keeping public order.
Location privacy (GPS, mobile phones, location based services, etc.)
In December 2007, several professors of information technology advised the government to pay explicit attention to privacy concerns when developing plans for the new pay-per-kilometre car tax system. Specific concerns included collecting more (personal) data than was technically needed to run the system and using the data for purposes other than those for which was collected.31
In January 2010, the second Chamber committee for road and water works asked the CBP to comment on legal proposals for the pay-per-kilometre system. The new system includes two user-definable ways to collect the location: one uses a built-in device that only transmits aggregate data to the tax authority; the other option is to have a thin client that transmits data to a trusted third party for aggregation.32 CBP explicitly advised that data collection for payments should take place only periodically and that third-party aggregation providers should conform to strict data protection regulations,33 in line with the CBP's advice of September 2008.34
Travel privacy (travel identification documents, biometrics, etc.) and border surveillance
Like all EU countries the Netherlands includes biometric information in its passport. Both fingerprints and facial images are stored in a contactless chip in Dutch passports.35 In January 2005, the Minister of the Interior announced plans to also store the biometric data in a central database, making it possible to identify, via fingerprints or facial recognition, people who are not carrying their passports.36 The CBP held a meeting in February 2006 to discuss the potential disadvantages of this large-scale storage of data.37 The results of the meeting were mixed: "central collation of biometric data can on the one hand protect identities by having one central reference point, but on the other hand it can undermine that protection as a result of security risks and potential use of biometric data for other purposes."38 Those present at the meeting pointed out to the government the risks of identity fraud and inadequate security associated with biometrics.39
According to the CBP's 2007 Annual Report, the OV-chipkaart system (Public Transport Chipcard or PTC) infringes Dutch Data Protection Law.40 In 2007 a pilot programme conducted on the Amsterdam Metro network researched the impact of the card and concluded that the OV-chipkaart system is being used unlawfully.41 Changes were made to the technical design for data storage so that there is now a distinction between name and address details and travel movements.42 The aim of these changes is to decrease the risk that individuals' travel behaviour can be unlawfully monitored.43 In 2009, the country-wide roll-out of the PTC started. The system tracks all travellers' movements (departure and end points for each leg of every journey), in most cases combined with the traveller's identity (although these data may be stored separately). It retains these data for seven years. Travellers can consult the stored data via special websites.44
In a 2010 investigation, the Dutch news website Webwereld concluded that it was not possible to travel anonymously on public transportation with a discount card (available for the elderly and students).45 Furthermore, they found that people who hold a monthly or yearly transport pass were required to check in and out every time they entered or exited, which was not technically necessary.46 When they confronted politicians, their findings drew angry reactions from the liberals, socialists, and Christian Democrats.47 Furthermore, the NGO Bits of Freedom demanded that the OV-chipkaart system be stopped.48
On 25 January 2008 the CBP warned Dutch hotels that they are breaking data protection laws by photocopying guests' passports and identification cards.49
In May 2008, the Article 29 Working Party, made up of representatives from all European privacy protection agencies, issued a statement on the European Commission's initiatives on intensifying border patrol, visa policy, and visa enforcement.50 In a letter to the Barrot Commission, the Working Group, in which the CBP participates, reacts to the increase in border controls by writing that "[a]ny general surveillance poses unacceptable risks to the freedom of individuals."51 Furthermore, the group mentioned that there has not been any evaluation of former measures that requires the intensification of border patrol and surveillance.52
National ID and smart cards
In January 2005, Extended Compulsory Identification Act came into force, making identification compulsory for all persons from the age of 14 with the stated goal of increasing general public safety. Many critics have claimed that the government failed to clarify the need to broaden the identification requirements. The Act is widely seen as a symbolic gesture to satisfy public concerns about security and crime, and will have huge civil liberties consequences. The Act does not require citizens to carry identification but to show it if asked to by police. No new identification card is introduced; the existing passport, European identification card, and driver licence are acceptable.
In March 2007, Justice Minister Ernst Hirsch Ballin asked authorities for their opinion of a bill expanding the use of photos and fingerprints to determine the identity of suspects and convicted persons.53 The bill would require all suspects to be immediately photographed and digitally fingerprinted on arrest.54 The bill is designed to prevent suspects and prisoners from withholding their identity or hiding behind someone else's identity.55 While the bill attempts to prevent identity theft, whenever new information is collected and stored about a person new privacy concerns surface regarding access to and retention of the data.
The Netherlands has seen little public debate about the use of RFID technology among retailers and supermarkets until recently. The main reason is that there are very few pilot projects in stores that make use of RFID tags with unique serial numbers (such as the Electronic Product Code, EPC). ECP.NL, an e-commerce industry platform, has begun writing the first report on the privacy implications of RFID.
Bits of Freedom has published a position paper on RFID,56 as has the small ChristenUnie faction in Parliament.57 The CBP published a discussion document in October 2006, "in order to further stimulate the debate about the benefits and drawbacks of RFID."58 The document discusses privacy concerns, the technology's effect on society, and general awareness of the issue.59
After a failed terrorist attack on an airplane travelling from the United States to Amsterdam's Schiphol Airport, the airport decided to buy 60 body scanners to be used to screen passengerson flights to the United States and all United Airlines flights.60 Schiphol notes that these scanners are not body scanners, but security scanners where, "A computer analyses images instead of a human operator by means of harmless millimetre wave technology."61
- 1. Article 125m of the Code of Criminal Procedure.
- 2. See Ministry of Justice Fact Sheet, Special Powers of Investigation Act, 8 August 2006, available at http://english.justitie.nl/currenttopics/factsheets/.
- 3. Telecommunications Act 1998.
- 4. Home Agentschap Telecom homepage http://www.agentschap-telecom.nl/.
- 5. XS4ALLl subpoena, English translation available at http://www.xs4all.nl/nieuws/pdf/XS4ALLdagvaarding-en.pdf.
- 6. Ministry of Economic Affairs, Decree on Cost Reimbursement for Legal Access to Telecommunications, 1 April 2005, in Dutch at http://www.bof.nl/docs/OPT_Concept_regeling_aftapkosten_23_maart_2005.pdf.
- 7. Stb. 2002, 148.
- 8. Jelle van Buuren, "Dutch Law Enforcement Should Get Easier Access to Personal Data Stored by Companies," Telepolis, 21 May 2001.
- 9. Report of the Mevis Commission, May 2001.
- 10. Novum, "Politie spoort criminelen op via Hyves" ("Police Finds Criminals via Hyves"), Trouw, 21 May 2008.
- 11. Algemeen Dagblad, "Politie gebruikt Hyves bij opsporing criminelen" ("Police Uses Hyves to Track Down Criminals"), 12 August 2010, in Dutch at http://www.ad.nl/ad/nl/1000/Nieuws/article/detail/504458/2010/08/12/Poli....
- 12. Id.
- 13. "De politie zoekt" ("The Police Investigates") , 30 October 2010, at http://depolitiezoekt.hyves.nl/?pageid=5183D0JKZ88WS88OG.
- 14. 11th Annual Report of the Article 29 Data Protection Working Party, supra.
- 15. Id.
- 16. Id.
- 17. Id.
- 18. Id.
- 19. Id.
- 20. Id.
- 21. Stb. 2004, 105.
- 22. Press Release, Ministry of Justice, "Dutch cabinet: telecommunications data to be retained for one and a half years," 4 April 2007, at http://english.justitie.nl/currenttopics/pressreleases/archives2007/-Dut....
- 23. Id.
- 24. Press Release, CBP, "European Directive on Data retention," 24 January 2007, at http://www.dutchdpa.nl/documenten/en_med_20070124_european_directive.shtml.
- 25. Id.
- 26. Id.
- 27. Dutch Telecommunications Data Retention Act 2008, available in Dutch at http://wetten.overheid.nl/BWBR0026191/geldigheidsdatum_15-08-2010.
- 28. Letter from the Dutch Senate, Justice subcommittee, 8 July 2008 http://www.eerstekamer.nl/9324000/1/j9vvgh5ihkk7kof/vhwginn7thzd/f=y.pdf.
- 29. Wet bewaarplicht telecommunicatiegegevens ("Dutch Telecommunications Data Retention Act"), 18 July 2009, available in Dutch at http://wetten.overheid.nl/BWBR0026191/geldigheidsdatum_15-02-2010.
- 30. Bits of Freedom, "Wet bewaarplicht telecommunicatiegegevens van kracht" ("Data Telecommunications Data Retention Act in Forceâ€), 30 October 2009, available in Dutch at https://www.bof.nl/2009/10/30/wet-bewaarplicht-telecommunicatiegegevens-....
- 31. Privacy kilometerheffing goed regelen' ("Privacy Aspects Pay per Kilometer Should Be Well Arranged), NRC Handelsblad, 5 December 2007, available in Dutch at http://www.nrc.nl/binnenland/article1856515.ece/Privacy_kilometerheffing....
- 32. CBP, "Advies CBP inzake wetsvoorstel kilometerprijs" ("Advice CBP Regarding Legal Proposal Pay-per-Kilometer System"), available in Dutch at http://www.cbpweb.nl/downloads_adv/z2009-01380.pdf.
- 33. Id.
- 34. CBP, "Het advies van 30 september 2008 inzake het wetsvoorstel kilometerprijs" ("Advice of 30 September 2008 Regarding Legal Proposal Pay-per-Kilometer System"), available in Dutch at http://www.cbpweb.nl/downloads_adv/z2008-01050_2.pdf.
- 35. Biometry in passports, page maintained by Professor of Software Security and Correctness Bart Jacobs, available at http://www.sos.cs.ru.nl/research/society/passport/.
- 36. Databank vingerafdrukken alle Nederlanders (Database Fingerprints all Dutch Citizens), Bits of Freedom, February 2005, available at http://www.bof.nl/nieuwsbrief/nieuwsbrief_2005_3.html.
- 37. CBP Annual Report for the Year 2006, supra.
- 38. Id., at 88.
- 39. Id., at 91.
- 40. CBP Annual Report for the Year 2009, supra.
- 41. Id.
- 42. Id.
- 43. Id.
- 44. See http://www.ov-chipkaart.nl/.
- 45. "CBP negeert privacyschending OV-chipkaart" ("CBP Ignores Privacy Intrusions by OV Chipcard"), Webwereld, 26 January 2010, in Dutch at http://webwereld.nl/nieuws/64947/cbp-negeert-privacyschending-ov-chipkaa....
- 46. Id.
- 47. "Politiek fel over privacyschending OV-chipkaart" ("Politicians Angry about Privacy Intrusions by OV Chipcard"), Webwereld, 25 January 2010, in Dutch at http://webwereld.nl/nieuws/64956/politiek-fel-over-privacyschending-ov-c....
- 48. Id.
- 49. "Dutch Hotels Must Stop Copying Guests' Passports", Privacy and Security Law Report, BNA, Vol. 7, No. 4 28 January 2008.
- 50. CBP, "Volledige controle alle reizigers disproportioneelKritiek Europese privacytoezichthouders op nieuwe EU-voorstellen" ("Full Controll All Passengers is Disproportional"), at http://www.cbpweb.nl/documenten/med_20080514_volledige_controle_reiziger....
- 51. Article 29 Data Protection Working Party. Letter to Commission Barrot enclosing the joint comments of the Article 29 Working Party and the Working Party on Police and Justice on the Communications from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of Regions, namely:"Preparing the next steps in border management in the European Union", COM (2008) 69 final, "Examining the creation of a European Border Surveillance System (EUROSUR)" COM (2008) 68 final, and "Report on the evaluation and future development of the Frontex Agency" COM (2008) 67 finalâ€, 15 May 2008, available at http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2008/wp149_en.pdf.
- 52. Id.
- 53. Press Release, Ministry of Justice, "No Longer Possible to Hide Behind Another Person's Identity," 4 March 2007, at http://english.justitie.nl/currenttopics/pressreleases/archives2007/-no-....
- 54. Id.
- 55. Id.
- 56. RFID position paper, Bits of Freedom, December 2004, available at http://www.bof.nl/rfid/RFIDpositionpaper.html.
- 57. Report on RFID, ChristenUnie, May 2005, available in Dutch at http://www.christenunie.nl/l/nl/library/download/19705.
- 58. CBP, "RFID: Promising or Irresponsible," October 2006, at http://www.dutchdpa.nl/documenten/en_av_29_rfid.shtml.
- 59. Id.
- 60. Schiphol Buys 60 Body Scanners, Denies Lax Security, Reuters, 4 January 2010, available at http://www.reuters.com/article/idUSLDE6031RJ20100104.
- 61. Schiphol Airport, Security Scan at Amsterdam Aiport Schiphol, at http://www.schiphol.nl/Travellers/AtSchiphol/CheckinControl/SecurityChec....