Privacy and data protection in the Netherlands in 2008

By EDRi · January 28, 2009

(Dieser Artikel ist auch in deutscher Sprache verfügbar)

The year 2008 did not improve the course of privacy and data protection in
the Netherlands. The public debate focused on data collection systems
related to fundamental aspects of Dutch citizens’ lives, such as
communications, health and movement. Unfortunately, there are no signs that
concerns or incidental public outcry over privacy will lead to significant
improvements to the design of the systems or reconsideration of their goals,
merit and impact on society.

After years of negotiations, the Dutch Data Protection Authority (DPA)
approved the data protection guarantees in the smart card system for the
public transport sector. Besides other major implementation problems, the
smart card system introduces a major privacy concern due to the planned
registration of all travel movements of users of the Dutch public transport
system in a central database. At the end of 2008, the DPA approved the
system after receiving guarantees that only derived data would be used for
marketing purposes with an opt-out and that for any processing of personal
travel movements opt-in will be sought. As there are no hard guarantees
that all personal travel data will be deleted or that the system will not
make it possible to access travel movements in identifiable form, many have
expressed their disappointment with the approval. Another transport related
privacy problem that re-entered the public debate in 2008 was the planned
system for road charging. The current design for the system entails the
collection of details about personal travel movements.

The Dutch Parliament considered the data retention implementation law in the
first half of 2008. In this context, a group of prominent academics voiced
their concern that Dutch society is turning into a control society and a
police state. After the Parliament adopted the law, lowering the data
retention term from 18 to 12 months, the Senate has been critically looking
at the proposal ever since. The Senate has also another law under
consideration that would streamline access for the national security agency
to datasets in the public, communications, transport and financial sector.

Probably the most prominent discussion about privacy took place in the
health sector. The Electronic Patient File (EPD), a centralized system for
the collection and exchange of medical data for use by medical
professionals, caused widespread privacy concerns and generated 170 000
objections. Like the public transport smart card, the EPD has major
implementation problems and has recently been postponed. A similar national
dossier system for children, proposed to improve child care by building an
extensive digital dossier of each young individual, is still on the
political agenda. The broadly defined dataset, including medical data,
psychosocial data and subjective opinions about children and their parents,
will be updated for all children until they reach the age of nineteen, after
which it will be kept for another 15 years.

Finally, a government commissioned report on the balance between privacy and
security in the public sector was published. The report, titled “Do it
simply, Simply do it”, concludes that government and public agencies should
be pragmatic, but do much more to protect privacy and deal with the possible
tension between privacy and security while doing their work. The report
gives a number of recommendations and a reference framework for dealing with
privacy and security issues. It advises to “keep it simple, facilitate and
ensure that security and privacy are mutually reinforcing as far as
possible.” The report has been widely interpreted in the media as a call to
stop addressing fundamental questions related to the widespread processing
of personal data in the public sector.

EDRi-gram: Dutch Parliament lowers data retention term to 12 months
(4.06.2008)
http://www.edri.org/edrigram/number6.11/nl-data-retention-12-months

Report, ‘DO IT SIMPLY – SIMPLY DO IT, to protect security and privacy’, (in
Dutch, Bijlage 4 = English Summary, 22.01.2009)
http://www.minbzk.nl/aspx/download.aspx?file=/contents/pages/96602/rapportgewoondoenbeschermenvanveiligheidenpersoonlijkelevenssfeer.pdf

OV-Chipkaart roll-out creeps forward (16.01.2009)
http://www.railwaygazette.com/news_view/article/2009/01/9219/ov_chipkaart_roll_out_creeps_forward.html

(Contribution by Joris van Hoboken)