Key privacy concerns in Netherlands 2007
(Dieser Artikel ist auch in deutscher Sprache verfügbar)
The nominees and winners of the Dutch Big Brother Awards 2007 showed it
clearly: a proper level of data protection in The Netherlands cannot be
taken for granted. A number of big projects and ongoing legislative
efforts threaten the state of data protection in the Netherlands. The
government shows no signs of taking critics seriously. The disinterest
of the public and ease with which a majority of Dutch citizens are
willing to hand over their privacy for a promise of security, led the
jury of the Big Brother Awards declare the Dutch citizen the winner.
Other winners were the plans for an Electronic Child Dossier, the
National Railways for the RFID transit card system and De Nederlandsche
Bank for its reaction to the SWIFT scandal.
The Electronic Child Dossier is exemplary for data protection in the
Netherlands. The Child Dossier aims to improve child care by building an
extensive digital dossier of each young individual. Apart from
reasonable doubt that the project will result in significant
improvements in child care, the dossier seriously infringes the privacy
of children, their parents and young adults as well. The file will be
updated for every child until they reach the age of nineteen, after
which it will be kept for another 15 years. The dataset is very broadly
defined and will contain a wide variety of medical and psychosocial
data, including all sorts of subjective opinions about children and
their parents. Access restrictions are already insufficient and there is
ongoing pressure to relax them.
The RFID Transit card is another project that is problematic from the
perspective of data protection. Very recently, the Dutch Data Protection
Authority concluded that the current design of the system does not
respect data protection legislation. The system would entail the lengthy
storage of all travel movements in identifiable form. The system, which
is being tested in a number of Dutch cities, has other serious flaws
that make its future uncertain. Some critical parts of it have recently
been hacked, creating a serious political issue.
On the legislative front, the implementation of the data retention
directive is presently debated in the Dutch Parliament. Although in
early 2006, a majority of the Parliament seemed to agree that retention
periods in the Netherlands would be limited, the government now opted
for the almost maximum retention term of 18 months both for phone and
internet records. The Parliament is also passing legislation that gives
the Dutch Intelligence and Security Agency (AIVD) the power to claim
complete data files from the private and public sector. The new powers
are specifically directed at the transit, the electronic communications
and the financial sector, but also others could be targeted. The
legislation will allow the agency to profit maximally from the increased
storage of personal data in these sectors, resulting from data retention
legislation and the RFID public transport system discussed above.
A recent report “Data voor Daadkracht” on personal data processing in
the law enforcement and security sector, contained some serious
criticism with regard to the ongoing erosion of data protection in this
sector. It critically examined current data collection processed by law
enforcement and security agencies and warned the government that an
administration that is increasingly reproached for risking to loose the
value of privacy out of sight, has to worry. The government reacted by
rejecting the main conclusions of the report and installing a new
commission which will take another look at “security and the personal
sphere”. More specifically the government wants the commission to
consider that “law enforcement officials and social workers sometimes
feel restricted by norms and practices protecting privacy, personal data
in particular. Therefore, the commission will analyse how possible
obstacles can be removed that law enforcement officials and care takers
experience in their work.”
Finally, of special interest for data protection in the digital age are
the guidelines for publications of personal data on the Web of the Dutch
Data Protection Authority. The guidelines address a variety of issues,
ranging from the question about the responsibility of intermediaries,
the status of IP addresses, the special care expected from online
services to children and the exception for the media. The guidelines
have been translated into English.
Winner Dutch Big Brother Awards 2007: ‘You’ (26.09.2007)
http://www.bigbrotherawards.nl/index_uk.html
Dutch RFID Transit Card Hacked (21.01.2008)
http://www.schneier.com/blog/archives/2008/01/dutch_rfid_tran.html
Commission Security and Personal Sphere installed (in Dutch only,
17.01.2008)
http://www.justitie.nl/actueel/persberichten/archief-2008/80117commissie-veiligheid-en-persoonlijke-levenssfeer-geinstalleerd.aspx
Privacy legislation also applies on the Internet – Guidelines finalised
on the publication of personal data on the Internet (11.12.2007)
http://www.dutchdpa.nl/documenten/en_pb_2007_privacy_legislation_internet.shtml
(Contribution by Joris van Hoboken – EDRi-member Bits of Freedom –
Netherlands)