Dutch privacy violations on agenda at UN Human Rights Committee

This committee is the UN body that monitors compliance with one of the world's oldest and most important human rights treaties: the International Covenant on Civil and Political Rights (ICCPR or BUPO Convention). Periodically, every country party to this treaty is reviewed by the UN Human Rights Committee. Early next week, the Dutch government will have to answer to the Committee on several current privacy issues that have been co-agendaed by Privacy First.

The last Dutch session at the UN Human Rights Committee dates back to July 2009, when Justice Minister Ernst Hirsch Ballin had to answer in Geneva for the then planned central storage of everyone's fingerprints under the new Passport Act. This drew criticism from the Dutch government at the time. Now, 10 years later, it is the Netherlands' turn again. In this context, Privacy First had already filed a critical reporting (pdf) on the Netherlands to the Committee and recently submitted it with a new report (pdf) completed. Briefly, Privacy First raised with the Committee the following topical issues, among others:

• limited admissibility of interest groups in class actions
• constitutional ban on review
• profiling
• Automatic number plate recognition (ANPR)
• border control camera system @MIGO-BORAS
• OV-chipcard
• digital healthcare communications (EHR)
• possible reintroduction of telecom retention obligation
• New Intelligence and Security Services Act ('Sleep Act')
• PSD2
• Passenger Name Records (PNR)
• abolition of consultative referendum
• ban on war propaganda.

The Dutch session at the Committee will be live on Monday afternoon 1 July and Tuesday morning 2 July next, via UN Web TV. In addition to various privacy issues, several Dutch organisations have also raised numerous other human rights issues with the Committee; click here for an overview, including the List of issues (including the new Intelligence and Security Services Act, possible reintroduction of a telecom retention obligation, camera system @MIGO-BORAS and medical privacy at health insurers). The Committee's final conclusions ('Concluding Observations') are likely to follow in a few weeks. Privacy First views a critical opinion with confidence.

Update 26 July 2019

Yesterday afternoon, the Committee issued its opinion ("Concluding Observations") on the Dutch human rights situation published, including the following critical opinions regarding two Dutch privacy issues that had been raised with the Committee, partly by Privacy First:

The Intelligence and Security Services Act

The Committee is concerned about the Intelligence and Security Act 2017, which provides intelligence and security services with broad surveillance and interception powers, including bulk data collection. It is particularly concerned that the Act does not seem to provide for a clear definition of bulk data collection for investigation-related purpose; clear grounds for extending retention periods for information collected; and effective independent safeguards against bulk data hacking. It is also concerned by the limited practical possibilities for complaining, in the absence of a comprehensive notification regime to the Dutch Oversight Board for the Intelligence and Security Services (CTIVD) (art. 17).
The State party should review the Act with a view to bringing its definitions and the powers and limits on their exercise in line with the Covenant and strengthen the independence and effectiveness of CTIVD and Toetsingscommissie Inzetings Bevoegdheden (TIB) that has been established by the Act.

The Market Healthcare Act

The Committee is concerned that the Act to amend the Market Regulation (Healthcare) Act allows health insurance company medical consultants access to individual records in the electronic patient registration without obtaining a prior, informed and specific consent of the insured and that such practice has been carried out by health insurance companies for many years (art. 17).
The State party should require insurance companies to refrain from consulting individual medical records without a consent of the insured and ensure that the Bill requires health insurance companies to obtain a prior and informed consent of the insured to consult their records in the electronic patient registration and provide for an opt-out option for patients that oppose access to their records.

The Committee expresses its concerns about the new Intelligence and Security Services Act (Wiv or 'Sleep Act') and argues that it needs to be revised. The Committee is particularly concerned about the new possibilities for large-scale interception and hacking, the extension of retention periods and the lack of possibilities to file complaints. Also, the independence and effectiveness of the Intelligence and Security Services Regulatory Commission (CTIVD) and the new Toetsingscommissie Inzet Bevoegdheden (TIB) should be strengthened.

With regard to the (formally already withdrawn, but in practice continued) Bill on access to medical records by health insurers judges that such access is only allowed after the patient's consent. The legislation should also provide for an opt-out for patients who do not want such inspection. The current practice of inspection of medical records by insurers should therefore be ended immediately.

The Geneva session also critically discussed the Dutch abolition of the referendum and the @MIGO-BORAS camera system. Privacy First regrets that the Committee left these (as well as several other topical) issues unmentioned in its final assessment. Nevertheless, the Committee's report today shows that the issue of privacy is increasingly higher and more critical on the agenda at the United Nations as well. Privacy First welcomes this development and will continue to push for it in the coming years. Privacy First will also ensure that the Netherlands will implement the Committee's various recommendations.

The full Dutch session at the UN Committee is online at UN Web TV (1 July and 2 July). See also the extensive UN reports, part 1 and part 2 (pdf).