Privacy First comments on draft legislation for secret services

Privacy First is deeply concerned about the proposed extension of powers in the bill. These powers could start giving the AIVD and MIVD almost unlimited visibility into everyone's private lives.

However, secret services are not above the law: like any other government agency, they must observe, protect, promote and even promote the right to privacy. This flows from the Universal Declaration of Human Rights, the European Convention on Human Rights (ECHR) and the Dutch Constitution. On this basis, Privacy First sent a critical commentary on the current bill to the responsible ministry this week. Click HERE for our letter (including footnotes) as published on internetconsultation.co.uk. Below is the full text:

Dear Sir/Madam,

Herewith, Privacy First Foundation is pleased to provide an initial reaction to the current draft bill revising the Intelligence and Security Services Act (Wiv) 2002. In doing so, Privacy First would first like to recall the content of the public speech made by the head of the AIVD (Mr Rob Bertholee) at Privacy First's offices in Amsterdam in September 2012. The speech published by Privacy First report of this speech was approved by the AIVD itself at the time. Some relevant passages from this report read as follows:

"[Bertholee] can imagine that correlation (interlinking) and international exchange of data is perceived by citizens as 'Big Brother' and that people are concerned about it," he said. As a citizen himself, Bertholee worries about this. (...)
Moreover, when the AIVD requests information from citizens, there should not be any form of pressure. The same goes for requesting information from journalists: journalists are completely free to cooperate or not. "If a journalist doesn't want to cooperate, that's unfortunate for the AIVD, but that's where it ends," Bertholee said. (...)
Regarding possible revision of the Wiv2002, Bertholee noted that the current legal scope for the AIVD is sufficient and that it does not need more powers. (…)
Bertholee ends his lecture by reiterating that the AIVD does not keep files on everyone, does not keep everyone under tap, (...) does not hack every computer, does not have enforcement powers [and] does not put pressure on people (...)."

Bertholee's main message to the public at the time was that "he was not in favour of Big Brother." In early 2015, he reiterated this message on the occasion of the semi-public ReuringCafé at the Association for Government Management: "The right to privacy is as sacred to me as it is to Privacy First," Bertholee said in front of a room full of top officials.

If the head of the AIVD himself already thinks he has sufficient powers and warns against Big Brother, any extension of these powers will give the Dutch government the appearance of being against it. In light of this, the following aspects of the current draft bill in particular are unacceptable in Privacy First's view:

Offences

First of all, it is striking that the current power of agents to commit crimes is left virtually untouched and not further legally framed. This despite the existing (but never implemented) mandate in the current Wiv to still provide this power with legal guarantees by means of an Order in Council (AMvB). The Dessens Commission also considered such further standardisation desirable - and rightly so. Nevertheless, the government wishes to abolish the basis for the relevant AMvB. The commission of criminal offences by officers will thus largely continue to take place in a legal vacuum. Privacy First considers this undesirable, risky and downright dangerous.

Hacking powers and decryption order

A second objectionable part of the bill is the power to be able to hack into everyone's computer and require people to decrypt encrypted files for the services, the latter under penalty of 2 years' imprisonment. Privacy First considers this completely contrary to the right to privacy, as not necessary and disproportionate. In addition, the proposal violates the ban on self-incrimination (nemo tenetur). The proposal lays the foundation for future abuse of power and, in Privacy First's view, is a typical building block for a police state rather than a democratic constitutional state. This also applies to the section in the bill relating to the introduction of a mass internet interception; this power is downright totalitarian. The government's supposed need for this is merely stated in the bill and barely substantiated, let alone demonstrated. However, in a democratic society, the social need for such a power is unthinkable at all. This proposal is thus a priori illegitimate.

Data mining & profiling

The powers to request and use data are virtually unlimited in the current bill. To this end, the proposal even allows direct access to the databases of third parties (government and industry). Moreover, it will be possible to request complete databases from all these parties. All this for the purpose of interconnection, data mining and profiling, which can be used to create an extremely detailed (even predictive) picture of groups and individuals. These powers are completely disproportionate and should be curtailed in this bill, at least where sensitive (e.g. medical or biometric) data is concerned.

Notification requirement

One bright spot in the bill is the enforcement of the notification requirement. However, this applies only to individuals and not to organisations which (as such) are equally targets may have been. Privacy First therefore recommends amending this provision in the sense that the notification obligation will also apply to organisations.

Active publicity

Privacy First recommends that the current Wiv should still include provisions for active disclosure of (historical) documents held by the services. The practice of "declassification and transparency" in other countries (including previously the United States) can be a source of inspiration in this regard.

Informants

Privacy First recommends that the current Wiv should still include a ban on using journalists as informants. This in the interests of a free press and journalistic source protection. In the interests of a healthy civil society, such a ban could also be introduced in relation to the deployment of agents and informants to civil society (non-governmental) organisations.

International exchange

The legal basis for international intelligence exchange in recent years has been the obscure Article 59 Wiv. This article falls far short of the modern requirements that Article 8 ECHR places on such a provision. In essence, the current practice of exchange between AIVD/MIVD and foreign secret services has therefore been taking place in a legal black hole for years. Privacy First therefore welcomes the fact that art. 59 Wiv is largely revised and human rights strengthened in new articles 76-78. This revision constitutes broadly a positive step forward. However, the problem remains the international exchange of unvalued bulk data; such exchange is wrongly legitimised by the draft bill and its Explanatory Memorandum (MoU). This issue has played a crucial role in the lawsuit Citizens v Plasterk of Privacy First et al against the State. The continuation of this case on appeal remains unabated and urgent due to the current bill.

International legal order

The Netherlands has a general human rights duty to continuously promote rather than restrict the right to privacy at home. Through this bill, the Netherlands violates this general duty; as it will massively restrict the right to privacy. This puts the trust relationship between the Dutch government and the Dutch people on edge, which will lead to a social chilling effect. This is disastrous for the free dynamics in our democratic rule of law. Moreover, the bill and associated technology will be copied and abused by less democratic regimes abroad. The bill thus sets an international precedent for a global Rule of the Jungle instead of the Rule of law. This violates the Dutch government's constitutional duty to promote the development of the international legal order. In the light of Dutch foreign policy, this bill should therefore be rejected.

Supervision

In the current bill, supervision of the services is too non-committal and too political in nature. In Privacy First's view, this supervision should be strengthened and made more independent, either through binding prior lawfulness supervision by the CTIVD or through binding prior judicial supervision. Such supervision should apply to the exercise of all special powers of the services. Only then will the constitutional exercise of these powers be optimally guaranteed and sufficiently future-proof.

Fingerprints

Finally, a salient detail is that on p. 44 of the MoT, it is noted that "a separate regulation for fingerprint verification has been abandoned because the results of such verification are not always usable in practice and, as a result, the use of this possibility is extremely limited." This is in line with the earlier admissions by former minister Donner and state secretary Teeven that biometric verification of fingerprints taken for the purpose of Dutch passports in recent years revealed an error rate of as much as 21-30%. Privacy First therefore once again calls for the immediate abolition of fingerprinting for passports.

Conclusion

The current draft bill amounts, in the words of the European Court of Human Rights, to "destroying democracy on the ground of defending it". This bill should therefore be thoroughly improved or rejected. Failing this, Privacy First reserves the right to have this bill, once in force, subjected to judicial review and declared unlawful.

Privacy First hopes to serve you with this opinion. If requested, we are happy to provide further clarification on the above points.

Sincerely,

Privacy First Foundation