Machine translations by Deepl

Privacy First warns House of Representatives about telecoms emergency bill

This week, the House of Representatives is debating a "temporary" Corona emergency law that will henceforth allow "anonymous" mapping of the movements of everyone in the Netherlands.

Earlier, Privacy First criticised this plan in a broadcast of Newsweek. As a follow-up, Privacy First today sent a letter to the House of Representatives.

Privacy First advises the House of Representatives to adopt the "temporary" RIVM disclosure bill in connection with COVID-19 to be rejected due to fundamental objections and risks.

Contrary to fundamental governance and privacy principles

  • There is no social need for this bill. After all, the Corona virus is currently ebbing away from Dutch society. Other forms of monitoring have already proved sufficiently effective. The need for this bill has not been demonstrated, nor are there any examples from abroad where application of similar techniques made a substantial contribution.
  • The bill is completely disproportionate as it covers all telecom location data throughout the Netherlands. There is no differentiation of any kind. The same applies to data minimisation: a sample could suffice.
  • The bill operates retroactively from 1 January 2020. This violates legal certainty and the principle of legality, especially since this date is well before the Dutch 'start' of the pandemic (11 March).
  • The system of further directions by the minister chosen in the bill is downright undemocratic. It further erodes the democratic rule of law and oversight by the people's parliament.
  • The bill makes no mention of privacy-by-design or how it will be applied, when that is exactly what this bill should be about.

Alternatives are less invasive: subsidiarity

  • Privacy-friendly alternatives have not been sufficiently explored by the secretary of state. Is she interested in these?
  • Data at telecom providers are pseudonymised with a unique ID number and delivered as such to CBS. Massive numbers of sensitive personal data become hugely vulnerable as a result. Anonymisation by CBS only happens at a later stage.
  • When used, the data are filtered by geographical origin. This creates a risk of prohibited discrimination by nationality.
  • It is unclear whether people will want to "enrich" the data used at CBS or RIVM with other data, with function creep (goal shifting) and possible data misuse as a result.

Transparency and independent oversight lacking

  • For now, the Privacy Impact Assessment (PIA) accompanying the bill is not publicly available.
  • Independent monitoring of measures and effects (by a judge or independent commission) is lacking.
  • The AVG may only partially apply to the bill, as anonymous data and statistics are exempted from its operation. This creates new risks of data misuse, poor security, data breaches, etc. General privacy principles should therefore be declared applicable in any case.

Structural changes and chilling effect

  • This bill now seems formally temporary, but the history surrounding such legislation shows that it will most likely become permanent.
  • Regardless of the "anonymity" of e.g., this bill will make many people feel monitored and behave unnaturally. The risk of a social chilling effect is huge.

Flawed method with high impact

  • The effectiveness of the bill is unknown. Thus, the bill essentially constitutes a mass experiment. However, Dutch society is not meant to be a living laboratory.
  • Anonymous data may still prove traceable through linking. Even at the chosen threshold of at least 15 units per data point, the risk of unique singling out and identification is probably still too high.
  • The bill leads to false signals and blind spots by people with multiple phones, vulnerable groups without phones etc.
  • There is a high risk of function creep (target shifting), covert use and misuse of data by other government departments (including AIVD), future governments, international exchange, etc.
  • Apart from the right to privacy, other human rights are also put under pressure by this bill, including freedom of movement and the right to demonstrate. This bill could easily lead to structural crowd control which has no place in a democratic society.

Specific prior consent

Besides the above objections and risks, Privacy First doubts whether the use of telecom data as envisaged by this bill for telecom providers is lawful at all. In Privacy First's view, this would require at least explicit, specific consent in advance (opt-in) by the customer in question, or the possibility of an opt-out afterwards and the individual right to delete all data.

It is up to the House of Representatives to save our society from this bill. Failing that, Privacy First reserves the right to take legal action on this bill.