Dutch data retention law struck down – for now

By EDRi · March 12, 2015

Published originally by EDRi-member Bits of Freedom 

And then everything went BANG: from our Twitter-timeline to the champagne bottle at our office. This morning the court annulled the data retention law. Effective immediately. But what exactly did the judge say and what will happen now?

The data-retention law requires telecom providers to save communication- and location data from everyone in the Netherlands for as long as a year. The law, and the judges agreed, heavily impacts our freedom.

An infringement of this magnitude requires proper safeguards

The District court of The Hague decided we no longer have to blindly trust the Dutch government. The law’s underlying European directive was meant as a tool in the fight against serious crimes. The Dutch law, however, is much more expansive, including everything from terrorism to bike theft. During the hearing, the state’s attorneys avowed that the Public Prosecution does not take the law lightly, and would not call on the law to request data in case of a bicycle theft. The judge’s response: it doesn’t matter if you exploit the possibility or not, the fact that the possibility exists is already reason enough to conclude that the current safeguards are unsatisfactory.

Additionally, the court determined that insufficient thought has gone into how data is requested. Saving personal information for a lengthy amount of time is a huge infringement on privacy. Therefore, proper safeguards and guarantees are needed when it comes to acquiring access to this data. The judge deems it reasonable that before a request for information is granted, it is reviewed by a juridical entity or an independent administrative entity. During the hearing, a state’s attorney claimed that a district attorney counts as an independent entity. That claim was met with a wave of chuckles throughout the crowd, and now it turns out the court agrees that this is baloney – but you won’t catch a judge using smileys.

Furthermore, the court considered the substantiation of the necessity of the law. The State claims that the data retention law is necessary. This claim was illustrated during the hearing using a number of shocking criminal cases — but they failed to substantiate necessity. Regretfully, the court took this on board as a valid point, but mainly because during the preliminary injunction, this particular argument was not rebutted. Nonetheless, it is important to realize that necessity has not been proven: not in evaluations, not in the Parliament, and not during the preliminary injunction. The fact that no rebuttal was offered, doesn’t change that.

The question is: now what?

First of all, we have to wait for a response from the Ministry of Security and Justice. It is hard to predict what they’ll say. With the former Justice Minister Ivo Opstelten temporarly replaced by Stef Blok, all we can do is hope for the best, and prepare for the worst. We hope the ministry is finally convinced that the law, now and in the future, must be dissolved. And as far as the providers are concerned, they must part with the data they’ve been saving under the data retention law that has now been struck down. Update: KPN, Vodafone, Hi, XS4ALL, Telfort, BIT and Tweak have announced that they will cease to execute the data retention law.

What will happen on the long term is unclear. That is up to Parliament and Opstelten’s successor. As the law has already been struck down, it seems self-evident that the law in its entirety should be revoked. The political party GroenLinks has already submitted a proposal along these lines to Parliament. But one thing is clear: this is not a done deal.

Today the data retention law has been struck down. The government won’t leave it with that. Do you want us to continue to fight against the undirected and lengthy storage of our communication data? Support our cause!

Court ruling (only in Dutch, 11.03.2015)