Statewatch article: RefNo# 29437
Netherlands: Biometric passport data linked to criminal databases by John van Someren (Vrijbit) and Katrin McGauran (Statewatch)
Statewatch Bulletin; vol 19 no 3 July-September 2009
The worldwide attack on civil liberties is reflected in the Dutch state, which has become known for its far-reaching control mechanisms and corporatist structures.

In 2005 the Christian Democrats (CDA) introduced a law on compulsory identification, the violation of which is punishable by a fine. 'Preventive stop and search operations' in which police ask passers-by to empty their pockets to detect weapons, were first introduced as local 'crime control' operations, but are now the rule rather than the exception. In 2008 it was revealed that the Netherlands intercepts more telephone conversations than the USA. Plans for the public transport 'OV-chipcard’, which track an individual's travel on any form of public transport have become reality, as has the biometric passport.

The authorities have also utilised the European regulation on 'passport security' to create a national biometric database of citizens. They issued limited public information about their plans which resulted in few protests. Similar proposals have been rejected by parliaments in the UK, Germany and France. [1] However, resistance to these increasingly technologically sophisticated attacks on privacy and civic freedoms is growing. An annual Freedom Not Fear protest was launched in 2008 operating across Europe. There are critical voices in the Netherlands as well. A 'Platform for the Protection of Civil Rights' (Platform Bescherming Burgerrechten) was established in May 2009 with the aim of bringing together privacy organisations, promoting common projects such as a privacy yearbook, and creating a fund for test cases. This article traces some of the civil liberties concerns and the civil society response.

The National fingerprint database

On 9 June, the Upper House of the Dutch parliament (Eerste Kamer) passed a law introducing biometric passports that contained an RFID-microchip holding digital information on its owner. [2] The European regulation [3] stipulates that a digital facial image and fingerprints of the passport owner should be stored on the microchip for identification purposes and in order to prevent the passport’s fraudulent misuse. The Netherlands, however, has gone much further and will store the biometric data in a central database for criminal investigation purposes (including counter-terrorism), accessible twenty-four hours a day. The Dutch secret service (Algemene Inlichtingen-en Veiligheidsdienst, AIVD) will have unlimited access to the database in situations they deem a 'threat to national security'. Under specified conditions biometric data and/or other personal details will be supplied to the public prosecutor for identification purposes. This will happen as follows: a suspect is arrested and brought to the police station. If they are not willing to give a name as required by the law on compulsory identification, fingerprints and photographs will be taken for comparison with the database, although the public prosecutor has no access to the database. If the suspect is willing, the information on their identity document will be compared with that on the database and the public prosecutor will receive confirmation that the document is registered in the passport index. While the public prosecutor has no direct access, biometric data is being used for identification purposes in the course of criminal prosecutions.

The response of the political parties

The bill to amend the Passport Act, which was presented to the Lower House of Representatives in April 2009, was passed a month later without a vote in the Senate (which scrutinises bills passed by the Lower House). The Socialist Party (SP), the Green Left (GroenLinks) and the Liberal party (D66) noted objections to the procedure. The EU Regulation does not lay down that passport biometric data should be stored in a database or used for the detection of suspects and the investigation of acts that threaten state security. MPs were therefore critical, observing that the national implementation went unnecessarily further than the EU law and warned that the Dutch law lacks definition and will therefore be broadly interpreted. At a public symposium [4] organised by the newly formed Dutch Civil Liberties Platform, former Green Member of the European Parliament, Kathelijne Buitenweg, said:

I think it's scandalous that the government is using European legislation this way and not telling you that fingerprints are used for criminal investigation purposes. In effect this is whitewashing legislation by pretending this is European law. These provisions were added and to be honest the majority of members of the Lower House of Parliament [Tweede Kamer] did not even know what they were voting on.

During the Upper House debate on the law, the Socialists noted that inadequately defined laws were an increasing problem because parliament effectively had no say about their content. The Green Party criticised the fact that in 2004 the European Council, under the Dutch presidency, did not allow the European Parliament to co-decide the matter. The storage and usage of fingerprints, they argued, should not be decided by ministers. As well as the SP and GroenLinks, D66 and the SGP (Staatkundig Gereformeerde Partij, an ultra-conservative Christian party) also voiced concerns. The discussion in the Upper House revolved around the question of whether a central passport index should be an instrument for detection and whether this violated the European Human Rights Convention. A 2008 decision by the European Court of Human Rights (S. and Marper v The United Kingdom) ruled that the British government was not allowed to retain fingerprints of innocent citizens indefinitely simply because it was useful for the police and prosecution.

The Social Democrats (PvdA), the Christian Democrats (CDA) and the right-wing liberal party (VVD) supported the new law on the grounds of fighting identity fraud. Deputy minister, Ank Bijleveld Schouten (CDA), denied the obvious crime fighting elements of the law arguing that the database was not an instrument for detection because the public prosecutor has no access to the passport index itself and only receives information on request. He contended that the law does not ask people whether they have a criminal record but whether or not they own a travel document - the purpose of the database is therefore to ascertain identity. According to the CDA's reasoning, there are no civil liberties issues and the European Court’s Marper case was not relevant.

Reception by civil society

The uncritical reception of the law by the main governing parties was not shared by political activists, the majority of civil liberties groups and the Dutch Data Protection Office (College Bescherming Persoonsgegevens, CBP). In March 2007 the CBP argued that the new passport index was intended for the detection of criminal acts and that by recording the private data of non-suspects it constituted a serious infringement of the personal life of citizens. In a shadow report [5] on the fourth periodic report by the Netherlands on the International Covenant on Civil and Political Rights (ICCPR), a group of Dutch NGOs severely criticised the database plans. This led the UN Human Rights Council to ask questions of Minister Hirsch Ballin. [6] The report, written by Art. 1 (the Dutch National Association Against Discrimination), Netwerk VN-Vrouwenverdrag (Dutch CEDAW Network), and Vluchtelingenwerk Nederland (Dutch Council for Refugees) and submitted on behalf of five human rights groups, refugee and gay rights organisations [7], states:

This ‘national fingerprint database’ will [...] come to include the fingerprints of every Dutch citizen, regardless of any criminal activity, hence turning people’s [sic] travel documents for personal use into security documents for use by the State. Citizens will hardly have any control over the biometric information stored about them. Many experts have also warned that data breaches and identity theft are inevitable. Both the Dutch Data Protection Authority and other experts have consequently found this new law on biometric passports to be in serious violation of the right to privacy.[8] The Dutch NGOs accordingly urge the Human Rights Committee to address this grave breach of Article 17 ICCPR in its upcoming session.

Although the UN Human Rights Committee failed to address the privacy infringements of the new law in its written questions to the government, it did voice criticisms at its hearing in Geneva on 15 July, which brought the database to the attention of the Dutch media. [9]

Increased danger of identity theft

In addition to the database’s infringement of privacy rights, several experts have also warned that it increases opportunities for identity theft and fraud. Specialist lawyers in technology and hackers have argued that the technology is vulnerable to attack and tests with fingerprint biometrics carried out for the authorities showed an error rate of 3 per cent. A documentary [10] by the Dutch news programme Netwerk (26 June) provided a convincing and foreboding picture of the dangers of such a centralised database, based on interviews with a professor in computer security, a biometrics expert and the European Data Protection Supervisor, Peter Hustinx. Hustinx said:

Once such a system is hacked, then the strongest weapon for fighting identity fraud becomes our biggest threat. [...] At the end of the whole exercise you have to ask yourself, what have we won and what have we lost?

Most people interviewed on the streets about the new law, thought that the national database was unproblematic, having adopted the authorities' argument that: "if you have nothing to hide you have nothing to fear". This led some commentators to conclude that the Dutch public, although anti-authoritarian in some respects, has a naive trust of the state, believing the authorities can do no wrong. Nevertheless, up until the day of the Senate debate letters of complaint continued to arrive from both individuals and organisations. They viewed a central database with photos and fingerprints as a serious infringement of their privacy. The privacy organisation Vrijbit, which was set up by activists to resist the government's plans to create a fingerprint database and organised the letter writing campaign, is in the process of filing a complaint [11] with the European Court of Human Rights on the grounds of a violation of Article 8 (right to privacy) of the European Convention on Human Rights.

Vrijbit argues that storing biometric data from 21 September in travel document databases, first at the local level and in future in a central database, will cause irreparable damage to privacy. Citizens, Vrijbit argued, will involuntarily be connected to the judicial sphere of criminal law by providing personal data for a totally different reason than was intended (i.e. the verification of travel documents). It comments that "there is no pressing social need in our democratic society for this disproportionate and threatening infringement of our private life."

The organisation points out that in recent years, laws have systematically been passed that compel citizens to identify themselves using a valid travel document or driving license, (the Netherlands does not have a special ID card like Germany or France). People who want to protect their personal data will not be able to renew their travel documents and face restrictions on their journeys and criminalisation within the country.

The Ministry of Interior said in its public information brochure that no legal objection can be made against the storage of fingerprints or photographs in the travel document register. In Dutch law there is indeed no provision to challenge this infringement of privacy unlike, for example, in Germany, where a Constitutional Court safeguards citizen's inalienable rights vis a vis the state. Vrijbit therefore wants the European Court in Strasbourg to challenge the Dutch legislation.

The critique of privacy invasion is finding resonance in broader civil society, with a national Civil Liberties Platform being set up in May this year, initiated by the Humanist Association (Humanistisch Verbond) and now comprising Bits of Freedom, Vrijbit and an umbrella organisation for privacy and the right to professional secrecy in psycho-therapeutic care (Koepel van DBC-vrije Praktijken). The Platform is creating a website with detailed background information on different privacy and civil liberties issues to provide information for lawyers and individuals and will arrange public debates.

"Every step you take, every move you make: we'll be watching you"

While resistance is growing, privacy-invading measures continue to be introduced. The latest is the public transport payment card system, the so-called OV-chip card. The Public Transport Law permits the minister to define regulations regarding travel tickets and in 2000, the minister made it mandatory for every traveller to swipe the chip card at the beginning and end of his/her journey - even those with a monthly pass. Ignoring this regulation can lead to a fine of 35 EUR.[12] Although there is an anonymous card, similar to the Oyster card in the UK, it is more expensive and cameras register the moment a person 'checks in'.

In a similar fashion to the passport law, the authorities are abusing a system set up for a single purpose (in this case, the central registration of travel movements for the purpose of payments among different travel companies) to adopt other functions that were not included in the original proposal or in law. Regarding monthly ticket-holders, the purpose of registration becomes superfluous and, under privacy regulations, it is unnecessary and therefore illegal. The systems law enforcement function became apparent in June 2007, when the public prosecution service demanded that the travel company, Trans Link Systems, disclose data, including passport pictures, of all travellers whose chip card recorded that they used the Rotterdam underground stations of Maashaven and Heemraadlaan on 6 May 2007, between 10 pm and midnight.[13] Trans Link Systems refused to disclose the pictures (although not the names) and went to court. In June this year, Rotterdam court ruled [14] in favour of Trans Link Systems, which cited EU and national privacy laws stipulating that pictures that disclosed information about a person's race (and sometimes religion) rendered the data sensitive and that a judicial order was required for its disclosure. Therefore, the company had adhered to its privacy regulations. The public prosecution has appealed against this decision.

Unfortunately, the Dutch Data Protection Office agrees with the OV-chip card travel registration system, arguing that checking in is "part of the system". [15]

Footnotes

[1] Elke Nederlander is verdachte door nieuwe paspoortwet [Every Dutch citizen is suspect due to new passport law], 21.7.09, http://www.ezpress.eu/news/11731/Elke_Nederlander_is_verdachte_door_nieuwe_paspoortwet

[2] Wijziging van de Paspoortwet in verband met het herinrichten van de reisdocumentenadministratie, adopted by the Dutch Senate on 9 June 2009. For the text of the law (in Dutch), see Parliamentary Documents I, 2008/09, 31 324 (R1844) A, 20 January 2009. This law is scheduled to enter into force (fully) on 21 September 2009

[3] Council Regulation (EC) No. 2252/2004 of 13 December 2004 on standards for security features and biometrics in passports and travel documents issued by Member States, arts. 1(2) and 4(3).

[4] The symposium website: http://www.degescandemens.nl/, video fragments of the debate from a film made by Vrijbit: http://www.youtube.com/watch?v=YJnkujy-1wo

[5] Addendum to the Commentary on the 4th periodic report of the Netherlands on the International Covenant on Civil and Political Rights (ICCPR), 25.6.09, http://www.njcm.nl/site/english/show/20.

[6] The UN Human Rights Committee is a body of independent experts that monitors implementation of the International Covenant on Civil and Political Rights (ICCPR) by its States parties on grounds of a report which States must submit every four years, often accompanied by a shadow report by civil society groups. The Committee examines each report and addresses its concerns and recommendations to the State party in the form of ‘concluding observations’. See http://www.netherlandsmission.org/ for background documents on the Dutch hearings and reports.

[7] Aim for Human Rights (former Humanist Committee on Human Rights), CG-Raad (Dutch Council for the Chronically Ill and the Disabled), COC Nederland (Dutch Association for Integration of Homosexuality), the Johannes Wier Foundation for Health and Human
Rights and Justitia et Pax Nederland.

[8] [footnote in original] See e.g. Data Protection Authority (‘College Bescherming Persoonsgegevens’), Advies betreffende wijziging Paspoortwet i.v.m de herinrichting van de reisdocumentenadministratie, 30 March 2007, available at http://www.cbpweb.nl/downloads_adv/z2007-00010.pdf; Tilburg University, Tilburg Institute for Law, Technology and Society (TILT), Open Letter to Parliament, 8 June 2009, available (in Dutch) at http://vortex.uvt.nl/TILTblog/?p=69#more-69; IKON Radio, 7 June 2009, Nederland: rechtsstaat of snuffelstaat?, available at www.ikonrtv.nl/daw/uitzending.asp?lIntItem=1&lIntEntityId=185. Cf. S. and Marper v. United Kingdom, ECtHR 4 December 2008, Appl. Nos. 30562/04 and 30566/04.

[9]
http://zaplog.nl/zaplog/article/de_vn_heeft_vorige_week_in_geneve_minister_hirsch_ballin_justitie_cda_onder<>/a

[10]
http://www.netwerk.tv/uitzending/2009-06-26/nieuw-paspoort-met-vingerafdrukken-onveilig

[11] http://www.vrijbit.nl/dossiers/dossier-vingerafdrukken/item/674-vrijbit-dient-klacht-in-tegen-nederlandse-staat

[12] GVB en RET bekeuren abonnees met chipkaart [GVB and RET fine subscribers with chipcard], 25.8.09, http://www.nu.nl/economie/2068153/gvb-en-ret-bekeuren-abonnees-met-chipkaart.html

[13] Justitie wilde pasfoto's van ov-chipreizigers [Ministry of Justice wanted passport photos of OV-chipcard travellers], 31.9.09, http://www.nu.nl/algemeen/2072224/justitie-wilde-pasfotos-van-ov-chipreizigers.html

[14] http://www.bigwobber.nl/wp-content/uploads/2009/08/BeschikkingTLS_001.pdf

[15] Justitie wilde pasfoto's van ov-chipreizigers, ibid.

© Statewatch ISSN 1756-851X. Personal usage as private individuals/"fair dealing" is allowed. We also welcome links to material on our site. Usage by those working for organisations is allowed only if the organisation holds an appropriate licence from the relevant reprographic rights organisation (eg: Copyright Licensing Agency in the UK) with such usage being subject to the terms and conditions oof that licence and to local copyright law. Statewatch is not responsible for the content of external websites and inclusion of a link does not constitute an endorsement.