Why it hurts: More powers, less safeguards

Secret services in the Netherlands will soon be allowed to intercept communications from large groups of people without the need for prior criminal suspicion, to compel innocent people to decrypt their data or face serious criminal sanctions and to hack into personal computers and install malware. All of this without proper control on such far-reaching powers.

These powers constitute serious infringements on the rights of civilians. Unfortunately, we are not talking about a book of George Orwell, but about the new bill for the Intelligence and Security Services Act (Wiv), that has recently been accepted by at the Senate.

What makes privacy so important?

Privacy is a vague concept and can mean a lot of different things to different people, which possibly takes away from its importance. Privacy is essential for peoples’ development as it permits them to be themselves in all the different roles they have in life. They can choose which information they want to share with others. This is important as people behave differently in different roles, for example, towards one’s parents or one’s friends. People, for the most part, do not want all their information to be common knowledge and may want to hide their grocery habits from health insurance companies or weekend plans from their employers.

In the same vein, the state should not be able to gather all kinds of information without this serving a legitimate purpose. The gathering of information on such a large scale can have a ‘chilling effect’. People who do not dare to demonstrate anymore, or search for a certain topic online. It also breaches certain rights and safeguards which are vital for a well-functioning democracy and rule of law, like the protection of professional secrecy, such as journalistic sources and lawyer-client information.

You can also ask the question; Do we trust the state with all this information? The fact that they gather information that seems irrelevant presently does not guarantee that this will not change. After every election, a new administration is implemented that can consider information in different ways. Somebody who is homosexual can now openly communicate about this, but with a new administration this might suddenly be a reason for suspicion. Something which is not criminalized today, can become so in the future. And the state has then already gathered all the information.

Apart from that it is not clear whether the state can guarantee safe storage of the data. When the security of the storage of the data is not guaranteed, this increases the possibility of hacking by unwanted parties and the use of information for nefarious purposes.

The bill has been accepted by the Senate

The bill for the Intelligence and Security Services Act is set to replace the Intelligence and Security Services Act of 2002 and was published on 2th July 2015 for internet consultation. This amount of reactions to a draft bill from a wide array of groups does not happen often. This is a clear representation of the widespread concern surrounding the proposed changes. As a result, several amendments were put forward during parliamentary discussions. However, only three of these were accepted.

Unfortunately the Senate has now also accepted the bill. The new bill is expected to come into force in May 2018.

Special powers of the Wiv infringe heavily on privacy

Once the bill comes into force, the secret services of the Netherlands will experience new far-reaching powers of mass surveillance. Along with the expansion of such powers comes the removal of judicial preview and the restriction of safeguard measures to non-binding means.

One of the more contentious issues that received a lot of mediate an public attention under the draft bill concerns the bulk interception of communication. The Minister of National Affairs, Ronald Plasterk, refers to the practice as ‘research-assignment focused interception’, as the interception occurs in the context of a theme. However, the bill stretches these powers of bulk interception. As an example, Minister Plasterk states that the services will be able to intercept all communications between the Netherlands and Syria, in the context of a ‘research’. It is only once the data is intercepted that it will be analysed and divided into what is relevant and what is not. This method is known as ‘the dragnet’. In enabling the interception of large amounts of data, the dragnet has the potential to violate the right to privacy of large groups of people. As previously mentioned, it also creates issues for persons subject to professional secrecy such as doctors, lawyers, journalistic sources and NGOs.

In addition to these interception powers, the bill would also grant secret services far-reaching research capabilities. It would allow them to secretly hack into personal computers in order to analyse non-public documents and install malware (software used to disturb computer systems, gather information or unlawfully access systems). In other words, it would permit the authorities to use such intrusive measures on innocent people under the justification of gathering information on suspects. Particularly, the application of such powers on third parties is not foreseeable despite the far-reaching effects on their privacy and the justification for their use has yet to be proven.

The services may also order persons to decrypt their communications to any person reasonable suspected of possessing a key. Where the person concerned is a suspect such an order would breach their right not to incriminate themselves, whilst where the person concerned is a third party, such an order would breach their right to remain silent.

Lastly the services are empowered to create DNA-profiles on the basis of DNA-research based on cell material. However, this particular provision has yet to be clarified and requires further specification in a ruling as designed by the government. These DNA-profiles would be saved in a database for 5 years, with no safeguards to guarantee protected storage of sensitive and personal information.

So many powers; what about control and safeguards?

Despite the expansion of these powers, and with that the infringements of the right to privacy of large groups of persons, the safeguards and control mechanisms in the bill have been left behind. The obligation to notify persons who are subjected to such measures is lacking. As a result, people do not have an effective legal remedy against the misuse of such powers. They are therefore dependent on judicial review, which is limited only to special cases in the bill. The Netherlands Institute for Human Rights judges the draft bill to be insufficient, especially in light of the lack of an independent body issuing permission for these special powers. Apart from the Review Committee on the Intelligence and Security Services (CTIVD) who may issue judgments, the controlling organs under the bill are non-binding. This gap fails to meet the standards developed under the European case law, namely the need for independent review and approval of the application of special powers and the need for an independent body that controls the development of such operations. The European Court for Human Rights (ECHR) stresses the importance of such independent institutions in bringing an end to special measures where these are unlawful. The CTIVD itself speaks of the lack of supervision under the draft bill.

A lack of control and safeguards also exist where national services cooperate with foreign services. Data can be delivered to them without judicial preview. The former requirement that data could only be delivered to countries with a strong record of respect for human rights has been removed under the new act. Furthermore, the bill lacks clarity with respect to preventing and managing data unlawfully gathered by foreign services.

What is the PILP doing?

The Dutch Section of the International Commission of Jurists (NJCM), involved in lobbying against these measures, has made recommendations for a review of the draft bill on the Internet consultation facility. They demand stronger provisions for shorter and safer storage of data and the implementation of an independent and impartial body to consider complaints. Furthermore, they criticise the failure of the expansion of powers to meet a test of proportionality, necessity or efficacy. They argue that the infringement on rights caused by these measures must be proportionate to the purpose which these measure seeks to achieve. This infringement may not be more severe than absolutely necessary to achieve this aim. Lastly, the NJCM states that the delivery of data to foreign services has to be done with sufficient safeguards in place.

At this moment the PILP is, in coalition with other actors, researching the judicial possibilities in opposing the Wiv. The coalition will only start litigating after the Wiv comes into force on, as it now stands, 1 May 2018. This allows the PILP and the coalition to incorporate in their legal arguments the outcome of the referendum on the Wiv and the government’s response thereto.

Litigation to postpone Wiv

On the April 18th, 2018, a coalition of journalists, lawyers, NGO’s and IT- and tech-companies have asked the government to again postpone the entry into force of the Wiv.

The Wiv is not in compliance with human rights, and the Senate and the House of Representatives still have to discuss the amendments on important matters.

The government has responded that it will not postpone the Wiv. Therefore, the coalition has started an urgency procedure in order to postpone important issues of the Wiv 2017; the ‘hacking competence’, the collection of big data (the ‘dragnet’) and the exchange of this (unevaluated) data with foreign agencies, until these matters are discussed in the House of Representatives and the Senate.

The plaintiffs in this urgency procedure are the organisations NJCM, Bits of Freedom, the NVSA, Free Press Unlimited, Greenpeace International, De Waag Society, Privacy First and the Platform Bescherming Burgerrechten and the companies BIT, Speakup, VOYS and Mijndomein. The Public Interest Litigation Project (PILP) of the NJCM coordinates the coalition. Until January 2019 the case lawyers were Otto Volgenant, Fulco Blokhuis and Ron Lamme of law firm Boekx. Currently the PILP and Pro Bono Connect look after the case.

On June 26th, 2018, a judge of the district court of The Hague decided to decline the claims  in the summary proceedings by the coalition against the state regarding the new Bill for the Intelligence and Security Services Act (Wiv). The coalition is disappointed that the judge decided to decline their claims. The coalition will discuss possible legal follow-ups soon.

Read the summons here (in Dutch).