Recommendations for cabinet formation

Yesterday afternoon, the Civil Rights Protection Platform a letter with recommendations to informateurs Wouter Bos and Henk Kamp on 1) privacy, 2) democracy & rule of law and 3) new technologies. The letter was co-authored and signed by Privacy First Foundation. Privacy First's key points in the letter are the mandatory implementation of Privacy Impact Assessments, strict review of legislation and policies against national and European privacy laws, the development of privacy by design and privacy enhancing technologies, the establishment of a Constitutional Court and removal of the ban on constitutional review, active open government, voluntary rather than mandatory use of biometrics and a ban on the introduction of mobile finger scanners in the police. Below is the full text of the letter:

Lower House of the States General
Attn: Informers
Mr W.J. Bos and Mr H.G.J. Kamp
PO Box 20018
2500 EA The Hague

Remittance to: parliamentary group chairs

Amsterdam, 20 September 2012
Subject: Civil Rights Protection Platform recommendations for cabinet formation

Dear Sirs,

As the Civil Rights Protection Platform, we would like to present you with a number of recommendations covering three areas, namely 1) privacy-protecting legislation and measures, 2) issues concerning the democratic rule of law and affecting all of us personal freedom and civil rights, and 3) new technologies and related privacy risks.

In recent years there has been a trend in the Netherlands where every social problem seems to be approached with a standard prescription, namely more digital registration, more linking of files and centralisation of systems and databases that become accessible to more and more officials and third parties, curtailment of professional autonomy, preventive control and profiling.

It seems like people, especially in politics, fuelled by media and the vox populi insofar as again influenced by the media, sees in these instruments a control of society that should lead to more order and peace and security.

In our view, the opposite is now increasingly the case.

Indeed, digitisation means that the amount of data stored about each citizen is becoming increasingly large, confusing and unmanageable. This is all the more true for data that has been entered incorrectly, linked incorrectly or is out of date.

With the exponential increase in digital registrations, the risks of data breaches increase correspondingly and new forms of identity fraud and theft emerge. Thus, the insecurity of digital systems becomes an insecurity that directly threatens citizens. In addition, there is a risk of citizens becoming their digital 'doubles' through digital profiling. This seriously jeopardises the autonomy of free and participating citizens that is so important in a democratic constitutional state.

However, returning to a society without internet or digital files is something we do not advocate at all and is substantively impossible.

However, judicious use of technical means, including data storage and biometrics and other technical achievements, will be necessary if we want to uphold our democratic rule of law and its fundamental rights.

Especially in these times of unforeseen technical possibilities, we must once again realise the importance of the basic principles of our society. Each time, we will have to weigh up where the limits of what is permissible lie and how possible alternatives in the human sphere, such as more personal checks but also help and services, are desirable or necessary.

To this end, we have made the following recommendations:

PRIVACY

1. The principles of necessity, proportionality and subsidiarity should play a defining role in the drafting of all legislation and policies that infringe on privacy.
2. In all legislation and policies that may affect personal privacy, an independent Privacy Impact Assessment (PIA) to be carried out.
3. Privacy by design should be the starting point for all ICT projects involving the processing of personal data and, by extension, the privacy of citizens. The development of privacy enhancing technologies (PET) is given high priority.
4. The Personal Data Protection Act (PDPA) and relevant provisions of the European Convention on Human Rights as well as the Charter of Fundamental Rights of the European Union should be more rigorously enforced.
5. There should be a universal opt-out possibility when processing and linking personal data and biometrics, subject to necessary exceptions.[1]
6. The Data Protection Board (CBP) should be given more resources and powers, including a power to impose fines. Citizens should be given a right to complain to the CBP.
7. The DDJGZ (Digitaal Dossier Jeugdgezondheidszorg, formerly EKD) remains exclusively a medical record with the associated privacy requirements.

DEMOCRACY & RULE OF LAW

8. There should be a Constitutional Court. Also, the ban on constitutional review and the ban on direct appeals against generally binding regulations (Art. 8:2 Awb) should be abolished.
9. There should be a public debate on the need to limit fundamental rights.[2]
10. The government should reaffirm four general human rights duties, namely, the Observance, Protection, Achievement and Promotion of all human rights, including civil rights.
11. The primacy of the formal legislature should be restored. Great care must be taken to avoid hollow framework legislation to be fleshed out by means of AMvBs and ministerial regulations, in which privacy may be at stake in the practice of implementation.[3]
12. In all legislation and policies, the presumption of innocence and the prohibition of self-incrimination should be (nemo tenetur) again as a starting point.
13. An enquiry or parliamentary inquiry into the cost of the surveillance state is being launched. As a result of that enquiry, costs should be reduced proportionately.[4]
14. The Human Rights Board should be given more financial resources and full litigation powers.
15. The government should become more transparent by modernising and strengthening the Public Access Act (Wob). The Wob will be based on active open government instead of the current passive open government.
16. There should be more transparency in European Union Council groups and working groups.
17. There should be a public record of each MP's voting record throughout his/her political career.
18. More attention should be paid to human rights education, including education on the risks of handing over your personal data to third parties.

NEW TECHNOLOGIES

19. Not everything that is technically possible should be applied. Clear limits should be set on the deployment of new control technologies. Technology should serve free people and free society rather than the other way around.
20. Biometric enrolment should be voluntary only.
21. Public camera surveillance with facial recognition, audio recording at call level and automatic behavioural profiling should be banned.
22. No mobile finger scanners will be introduced in the police.

We hope to be of service to you with these recommendations and are happy to elaborate further.

On behalf of the Civil Rights Protection Platform, I stay,
Sincerely,

Vincent Böhre
chairman Platform for the Protection of Civil Rights

On behalf of the following Platform participants:
Humanist Alliance
KDVP Foundation
Stichting Meldpunt Misbruik ID-plicht
Parents Online
Privacy First Foundation
Civil rights association Vrijbit
Jacques Barth (from Brain & Heart Foundation i.o.)
Joyce Hes (advisor Platform for Civil Rights Protection)
Kaspar Mengelberg (from DeVrijePsych)

[1] Opt-out possibilities should be possible in, among others: a) DBC system in the mental health sector, b) all forms of central registration and c) all forms of use of biometrics. As a note here, we would like to state that our first priority is to be cautious about record linkage and the use of biometrics and central registries at all, where alternatives should be considered.
[2] At present, the encroachment on fundamental rights is carried out almost as a matter of course in the context of, for example, combating fraud (social security) or cost reduction (mental health care) where professional autonomy and the principle of trust between practitioner and patient are encroached upon, or in "ordinary" bureaucratic control (education, police etc.). In our opinion, it is time to have a public debate on this in which bureaucratic centralism combined with so-called market forces and instrumentalism are juxtaposed with a type of approach in which professional autonomy and fundamental rights are again central.
[3] Now, more than once we see "avoidance" of formal legislation. The Lower and Upper Houses have to settle for vague promises from a minister "that it will all be fine" or even sometimes demonstrable inaccuracies. This particularly avenges itself in the area of privacy. After all, if in the practice of implementation a tension arises with the PDPA, the legislator cannot easily and certainly not retroactively intervene. Also in this context, a Privacy Impact Assessment useful.
[4] Bart de Koning gives an estimate of these costs in 2008 of €3.5 billion in his book Everything under control. However, if we were also to calculate the intangible costs of all (front-line) professionals forced to spend a large part of their time on administrative and inefficient control requirements, the arithmetic becomes much larger.