Netherlands: Central databases challenged, by Kees Hudig
01 January 2010
The creation of a database containing the fingerprints of all Dutch citizens is being legally challenged by a group of people supported by the Privacy First organisation.
On 6 May 2010 a civil challenge was lodged with the Dutch High Court in The Hague. A spokesperson for
Privacy First said that the action was taken after a complaint by the privacy protection organisation,
Stichting Vrijbit, at the European Court of Human Rights was rejected on the grounds that it should initially be heard at the national level.
The National fingerprint database
On 9 June 2009, the Upper House of the Dutch parliament (
Eerste Kamer) passed a law introducing biometric passports containing an RFID-microchip holding digital information on its owner (see
Statewatch Vol. 19 no 3). European regulation stipulates that a digital facial image and the fingerprints of the passport owner should be stored on the microchip for identification purposes and in order to prevent the passport’s fraudulent misuse. The Netherlands, however, has gone much further and will store the biometric data in a central database for criminal investigation purposes (including counter-terrorism), accessible 24-hours a day. The Dutch secret service (
Algemene Inlichtingen-en Veiligheidsdienst, AIVD) will have unlimited access to this database in situations they deem to represent a “threat to national security”. Under specified conditions biometric data and/or other personal details will be supplied to the public prosecutor for identification purposes.
Since 21 September 2009, anyone who applies for a passport or an ID card is obliged to have their fingerprints taken and stored by the local administration. Compliance is a precondition for issuing new identity documents. Those who refuse to provide their biometric data have their application rejected. Alongside a variety of privacy concerns, this obligation is contentious because, since the European elections of June 2009, Dutch voters are obliged to identify themselves with a passport or ID card at the polling station to be able to vote. The privacy protection organisation
Vrijbit announced on 18 April 2010 that during the municipal elections of 3 March 2010, voters showed up without (valid) identification papers at 85% of polling stations. This works out at an average of six voters at every polling station, or some 59,000 voters. One in every ten polling stations filed an official complaint involving one or more voters and 62% of municipalities had official complaints filed.
Vrijbit estimates that around 650,000 voters were unable to vote because of a lack of valid identification papers [1].
Aaron Boudewijn, a 24-year old student from Utrecht, was refused a passport because he would not be fingerprinted. He took his case to the local court and launched a campaign, urging others to join him. [2] Boudewijn said that he was not opposed to the registering of his fingerprints on the passport’s RFID chip but he refused to accept their storage in a central database, arguing that it was unnecessary and that the data was poorly protected against leaks, identity theft and access by third parties. Tragically, Boudewijn died on 24 March 2010 after having an epileptic attack.
Supported by 22 individuals,
Privacy First deposited its legal challenge against the interior ministry with the High Court in The Hague on 6 May 2010. The organisation is demanding the annulment of the new passport law on the grounds that it violates rights enshrined in other European legislation (such as the right to privacy under the European Convention on Human Rights) [3].
The claimants state that the passport law is incomplete because practical details about storage and access to data still have to be formulated. They also argue that the new practice goes beyond what was agreed at the EU level. European Council Regulation No 2252/2004 states that national law should clearly stipulate under what circumstances data stored on the passport’s RFID chip can be accessed. It does not mention the need to store this data in a central database.
The claimants’ lawyers also compare the Dutch transposition of EU law with that in other European countries. In Germany for instance, a law was adopted with the clear statement that the stored data can only be used for identification purposes (i.e. to confirm the identity of the person who tries to identify him/herself). The lawyers also pointed out that the United Kingdom was condemned by the European Court of Human Rights for storing the fingerprints of citizens who had been arrested but not charged or found guilty by a court of law.
Storing patients' personal data (EPD)
Another controversial database is the Electronic Patients' Dossier or EPD. The legislation to create a centralised database for medical information on each person in the Netherlands, accessible by many different health care institutions and even private health insurance firms, was passed by a majority of the Lower House (
Tweede Kamer) in February 2009. The Upper House (
Eerste Kamer) has to vote on 1 June 2010, but does not seem to be eager to approve the section of the law that would allow the linking of the pre-existing databases. The daily newspaper
De Pers [5] conducted a poll of Upper House members and found there to be much criticism and no majority for approving the law. The centralised database system would cost almost 50 million euro. Medical professionals have declared their opposition to the project, including the National Association of Family Doctors (
Landelijke Huisartsenvereniging, LHV). Their main criticism concerns the (costly) installation of a centralised national hub between local databases to which all care providers will be forced to provide data.
Storing children’s data (EKD)
Then there is the looming Electronic Child Dossier project (
Elektronisch Kind Dossier, EKD). This is based on the same concept as the patients’ database, but is designed to centralise information on children and their parents. Again the criticisms by privacy organisations, parents and professionals is that too much information is collected and stored; that the security of that information is badly organised and that it is unclear who will have access to the data. A parents’ organisation [6] points to the fact that the Dossier will collect needless information on parents, such as their behaviour during pregnancy, religious persuasion, hobbies etc.
These developments in the Netherlands have been met with surprise in other countries. The Belgian news website
appache.be [7], writes that: "The Netherlands is not a police state, but, according to experts, it has been developing methods that form part of such a state". The website says that the fact that police are being allowed to conduct stop and search operations without reasonable suspicion of any criminal offence being committed (“preventief fouilleren”) is an example of this trend. This was initially allowed temporarily in specific zones, but has been expanded both in duration and location. In the national elections on 9 June, the liberal-conservative
Volkspartij voor Vrijheid en Democratie has stated that it is in favour of allowing this practice “always and everywhere” [8].
“Smart meter”
The avalanche of privacy erosion is leading to a government that is allowed to permanently look “behind peoples' front doors”. One contested technical development that exacerbates this situation is the so-called “smart meter” (
slimme meter) which will register gas and electricity use by households via the internet. Minister of Economic Affairs, Maria van der Hoeve, tried to introduce this device as a compulsory measure, but had to back down after the Upper House declared it contrary to privacy rights because the it would be able to permanently monitor the behaviour of people in their homes. In May 2010 she announced that she would try to introduce the device a second time, with an opt-out provision for those who objected to being monitored [9]. The opt-out clause has also been used to deflect criticism from other contested measures. Privacy organisations condemn this tactic because it places the emphasis on the individual to reject unwanted and permanent state intrusions. It is argued that it is more appropriate to only allow such measures when they have peoples’ support. Another negative effect of the opt-out method is the demand that those who choose to should pay higher costs. This happened, for instance, with the introduction of the Dutch version of the Oyster Card (OV Chipcard) - those who wanted an anonymous card had to pay 7.50 Euro extra.
Sources
[1] Press release privacy first http://www.privacyfirst.nl/index.php/paspoortwetproces; Privacy First Eist ongeldig verklaren Paspoortwet, http://www.platformburgerrechten.nl/artikelen/2010/privacy_first_dagvaardt_staat1, http://www.vrijbit.nl/dossier/registratie/registratiemiddelen/item/775-groot-aantal-protesten-tegen-id-plicht-bij-gemeenteraadsverkiezingen.html
[2] See the weblog: http://www.idweblog.nl
[3] All information on the legal procedure (in Dutch) here: http://www.privacyfirst.nl/index.php/paspoortwetproces
The affidavit can be found here in pdf format: http://www.bigwobber.nl/wp-content/uploads/2010/05/geanonimiseerde-dagvaarding-PF.pdf
[4] http://www.platformburgerrechten.nl
[5] De Pers 9.5.10: http://www.depers.nl/binnenland/477506/Landelijk-e-dossier-afgeschoten.html
[6] http://www.ouders.nl
[7] Nederlandse burgers proberen privacy te redden, 16.4.10: http://www.apache.be/2010/04/nederlandse-burgers-proberen-privacy-te-redden
[8] Telegraaf 01.3.10: http://www.telegraaf.nl/binnenland/6171199/__VVD__preventief_fouilleren_toestaan__.html
[9] Nu.nl 18.5.10: http://www.nu.nl/economie/2233851/mogelijk-toch-slimme-energiemeter.html