IV. Governance issues
With regard to government usage of the Internet, in 2007, "the Dutch DPA conducted an investigation into the municipality of Nijmegen's publication of planning permission data."1 The outcome was a finding that personal data â€“ application forms about certain properties and proposed alterations to them as well as information about applicants, including their signatures â€“ was published.2 The CBP concluded that "â€¦the municipality may only publish compulsory data on the Internet on the property in question and the alterations proposed," and not individuals' personal data.3
To date, the public law requirement on the assignment of Internet and personal data, does not justify a situation where an administrative body automatically publishes all data on the Internet.4
Many countries, including the Netherlands, have discussed or implemented electronic means for voting in elections. Usually the manipulation of election results, either by insiders (i.e., manufacturers) or outsiders (i.e., hackers) is a concern. The Dutch debate on electronic voting also has prominent privacy features.5 Machines began replacing ballot boxes in most precincts in the early 1990s. Controversy was initiated in 2006 by a pressure group. Besides concern about the opportunities afforded by electronic voting to manipulate election results, researchers found that the machines produced radiation that could be captured with an antenna, thereby revealing the voter's choice.6 The latter issue gave both the government and the pressure group a means of legally framing the problem, as election legislation provides for a secret ballot (Dutch Constitution, Art. 53.2; Election Law, Art. J 15), but not for verification of election results. This led first to the suspension of one type of voting machine, and finally, in 2007, to the withdrawal of the approval regulation, and thereby the abolition of all voting machines. In 2008, an expert group concluded that even with a printed ballot allowing voter verification (as proposed by the Election Process Advisory Commission, 2007),7 the privacy problems could not be solved as long as any electronic device was used to select the candidate and/or cast the vote.8 This shows that the secret ballot is seen as an important aspect of privacy. Similarly, allegations that an election advice service provider was storing political preferences alongside IP addresses raised discussion.9
In April 2010, the CBP responded to a letter from the director of Dutch government IT inquiring about the legality of the usage of the BSN by the Dutch government. Although the director concluded that this usage was legal in all cases, the CBP held that the usage is illegal because the law states that government bodies can only use the BSN if it is legally required for executing their task.10
The Government Information (Public Access) Act of 1991 is based on the constitutional right of access to information. It creates a presumption that documents created by a public agency should be available to everyone. Information can be withheld if it relates to international relations of the state, the "economic or financial interest of the state," investigation of criminal offences, inspections by public authorities, or personal privacy. However, these exemptions must be balanced against the importance of the disclosure. Requesters can appeal denials to an administrative court, which renders the final decision.11
There have been some recent developments with regard to privacy and work and social security. In one recent project, the Waterproof project, old-age pensioners and recipients of social assistance benefits in 65 municipalities in Friesland, Groningen, and Drenthe were checked for fraud based on data concerning their water consumption and the water contamination surcharge.12 The CBP investigated, found the computer files had been linked to water data, and ruled it unlawful.13 As a result of this ruling, the Social Security and Investigation Service(Sociale Inlicktingen en Opsoringsdienst, SIOD) is now working on the development of risk analyses using Privacy-Enhancing Technology (PET).14 Here, two goals are served: combating fraud and protecting personal data.
Another way of uncovering benefit fraud is through social security investigators. The CBP has laid down an efficient process for spotting illegal activity involving personal data connected with these activities.15 Research completed in 2006 showed that compliance with the obligation to inform citizens of the fact that they had been observed was at best fleeting. Accordingly, the process description was tightened up in 2007.16
At the end of 2007, the Netherlands decided to simplify the use of BCRs (Binding Corporate Rules) in outsourcing.17 "The authority is developing an approach whereby a permit will be granted to a multinational company acting as a processor on behalf of its affiliates in countries without adequate data protection laws." The processor applies for a permit on the behalf of the controllers it works for.18 The application is required to include practical examples of the kind of data processing involved.19 "Companies then need to submit, every six months, an updated list of the controllers whose data the company processes to the Netherlands Data Protection Authority."20
Non-government organisations' advocacy work
The Bits of Freedom NGO initiated the Dutch Big Brother Awards in 2002.21 In January 2006, Bits of Freedom organised the fourth annual Dutch Big Brother Awards.22 The group gave anegative Big Brother Award to Dutch Minister for Integration and Immigration Rita Verdonk because she supplied the status of rejected asylum seeker applicants to their country of origin.23 She also repeatedly denied her actions in Parliament and attempted to minimise the impact of the information she gave.24 A positive award was given for the first time to Hans Franken, a professor of Law and Information Science at the University of Leiden and member of the Senate for the Christian-democrat party, for his consistent resistance in the Senate to mandatory data retention.25
Bits of Freedom ceased its activities on 1 September 2006, after six years of successfully defending digital civil rights.26 Nonetheless, its former members organised the 2007 Dutch Big Brother Awards, awarding the 2007 prize in the individual category to the Dutch citizen.27 When people are asked about governmentsurveillance and data mining, many people respond by declaring: "I've got nothing to hide." This attitude is the major threat to privacy in the Netherlands.28 In the corporate category, the prize was granted to the Dutch National Railroad (NS) because of its proposal for the OV Chip Card. In the government category, the Dutch Central Bank (DNB) won because of its cooperation in the extra-legal transfer of Dutch financial records to American law enforcement agencies via SWIFT.29 In the category "proposal", the electronic child file (EKD) won the prize.30
In August 2009 Bits of Freedom reformed. It strives to influence legislation and self-regulation on both the national and European levels.31
International obligations and International cooperation
The Netherlands has signed and ratified the 1966 UN International Covenant on Civil and Political Rights (ICCPR) and its First Optional Protocol, which establishes an individual complaint mechanism.32
The Netherlands is a member of the Council of Europe (CoE) and has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms. It has signed and ratified the CoE's Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108)33 and the CoE's Convention on Cybercrime.34
It is a member of the Organisation for Economic Cooperation and Development (OECD) and has adopted the OECD Guidelines on the Protection of Privacy and Trans-border Flows of Personal Data.
- 1. 11th Annual Report of the Article 29 Data Protection Working Party, supra.
- 2. Id.
- 3. Id.
- 4. Id.
- 5. Wolter Pieters. Combatting Electoral Traces: the Dutch Tempest Discussion and Beyond, E-Voting and Identity: Second International Conference, VOTE-ID 2009, Lecture Notes in Computer Science 5767, Springer Verlag, 172-190 (2009), available at http://dx.doi.org/10.1007/978-3-642-04135-8_11.
- 6. SeeR. Gonggrijp, W.-J. Hengeveld, A. Bogk, D. Engling, H. Mehnert, F. Rieger, P. Scheffers, and B. Wels, Nedap/Groenendaal ES3B Voting Computer: a Security Analysis, 6 October, 2006, at http://www.wijvertrouwenstemcomputersniet.nl/images/9/91/Es3b-en.pdf.
- 7. Election Process Advisory Commission, Voting with Confidence, 27 September 2007, at http://www.kiesraad.nl/nl/Overige_Content/Bestanden/pdf_thema/Pdf_voor_E....
- 8. See Staatssecretaris van Binnenlandse Zaken en Koninkrijksrelaties. Vaststelling van de begrotingsstaten van het ministerie van binnenlandse zaken en koninkrijksrelaties (VII) voor het jaar 2008; brief staatssecretaris met oordeel kabinet over uitkomsten nader onderzoek naar haalbaarheid stemprinter en stemmenteller (Letter from Deputy Minister with Government Judgement on Results of Further Study on Feasibility Ballot Printer and Vote Counter), Kamerstuk 2007-2008 31200 VII, nr. 64, Tweede Kamer, 21 May 2008, available at http://wijvertrouwenstemcomputersniet.nl/images/c/c5/KST118412.pdf.
- 9. Bart Jacobs and Wouter Teepe, Raar dat stemhulp alles van u weet (Strange that Voting aid Knows All About You). Volkskrant, 5 March 2007, at http://repository.ubn.ru.nl/bitstream/2066/36383/1/36383.pdf.
- 10. CBP, "BSN in bedrijfsvoering" ("BSN in [government] operations"), 26 January 2009, available in Dutch at http://www.cbpweb.nl/downloads_med/med_20100427_gebruik_bsn_in_bedrijfsv....
- 11. Available at http://freedominfo.org/documents/NL%20public_access_government_info_10-9....
- 12. 11th Annual Report of the Article 29 Data Protection Working Party, supra.
- 13. Id.
- 14. Id.
- 15. Id.
- 16. Id.
- 17. Netherlands simplifies use of BCRs in outsourcing, Privacy Laws and Business: Data Protection and Privacy Information Worldwide, December 2007), at 24.
- 18. Id.
- 19. Id.
- 20. Id.
- 21. "Privacyprijzen schoppen tegen Nederlandse consensuscultuur" ("Privacy prices against Dutch consensus culture," Netkwesties, 21 February 2002, in Dutch at http://web.archive.org/web/20080504100555/http://www.netkwesties.nl/edit....
- 22. Big Brother Award for Dutch Immigration Minister, 28 January 2006 http://www.bigbrotherawards.nl/index_uk.html.
- 23. Id.
- 24. Id.
- 25. Id.
- 26. Bits of Freedom, at http://www.bof.nl/index_uk.html.
- 27. Winner Dutch Big Brother Awards 2007: 'You', 9 September 2009, at http://www.bigbrotherawards.nl/index_uk.html.
- 28. Daniel J. Solove, "I've Got Nothing to Hide" and Other Misunderstandings of Privacy, 44 San Diego Law Review, 745 (2007).
- 29. Id.
- 30. Id.
- 31. See new website https://www.bof.nl/over-ons/english/ (in English).
- 32. The Netherlands signed the ICCPR and its First Optional Protocol on 25 June 1969 and ratified them on 11 December 1978. The texts of the Covenant and of its First Optional Protocol are available at http://www2.ohchr.org/english/law/index.htm.
- 33. Signed 7 May 1982; ratified 28 May 1993; entered into force 1 September 1993.
- 34. Signed 23 November 2001; ratified 16 November 2006; entered into force 1 March 2007.