By: Wido Potters
It has been ten years since BIT collaborated with Bits of Freedom, amongst others, started to fight the law on Data Retention for Telecommunication with bezwaarplicht.nl. This protest has not been able to prevent the introduction of the law. The day before yesterday we have made a new attempt to have the law removed. Together with the Privacy First Foundation, the Dutch Lawyers Committee for Human Rights, the Dutch Association for Criminal Defense Lawyers, the Dutch Association for Journalists and telecom operators SpeakUp and Voys Telecom, BIT has started a preliminary injunction, executed by Boekx Advocaten.
Despite the urging of many clients on stopdebewaarplicht.nu, the larger ISPs and telecom providers have not supported this preliminary injunction. It is a shame that the smaller parties are left to pull the chestnuts out of the fire.
In this blog, we identify a number of high profile cases we came across during the hearing. Since this is a legal battle, a little background information will provide a better understanding. The EU Data Retention Directive, drawn up in 2006, has imposed the Dutch government to develop legislation that ensures the recording of the following:
• name and address of the user of a telephone number, IP address and email address;
• to which phone numbers en email addresses has been called or texted, or emailed, at what times;
• the location of mobile devices for mobile phone numbers and several more.
In April 2014, the European Court concluded that the Data Retention Directive goes against the European Convention on Human Rights (ECHR). This meant that the directive was removed, effective immediately. As the Dutch law was a direct result of that directive, the expectation was that it too would be removed soon after. Additionally, the State Council, the First Chamber and many others have pointed out to the government that the law in its current form cannot continue to exist. To the surprise of all, Ivo Opstelten announced that the government would not be removing the law. We, and many that share our opinion, including the CBP, believe that the Dutch government contravenes the ECHR by keeping the law.
There are various reasons for us to get the Data Retention removed. First, there is the unpleasant position we have been placed in. On the one hand, the government forces us to retain data, but on the other hand we are running the risk of being held liable by our clients because the law that forces us to do so, has been declared illegitimate. Secondly, we have costs that our (foreign) competitors do not need to make, and all that for a measure even the ministry cannot even assess the effectiveness of. The last, but definitely not least, reason is that we are principally against cooperating in a situation where every citizen is treated as a suspect in advance.
The argument of the plaintiffs, including BIT, can be viewed here. Next to the legal aspects and consequences of the judgement of the European Court, the plaintiffs argue the negative effects of 'mass surveillance' for the citizens, with highlighted dangers for journalists, lawyers and providers.
The plea by the Dutch State can be viewed here. We think it’s remarkable that the State can only work with a very limited number of examples where the retention law has actually contributed to the investigation of suspects. Note that that number is not only limited, but nowhere does it even discuss the effect in preventing (major) crimes. One of the State's conclusions was that the plaintiffs seemed to be against solving crimes. An accusation that is not only unjustified, but has no class whatsoever.
Furthermore the State argues that they cannot demonstrate the effectiveness of the legislation because (part of) the data is available to providers for support and billing anyway. Of course the logical question would be whether a measure that has not proven to be effective, justifies the invasion of every citizen's privacy. According to the government, there is no alternative for investigations that use data from the retention law. Among others, the Dutch Hosting Provider Association has stated that there are several alternatives for that, but that the government refuses to enter into constructive dialogue with the providers.
Lastly, we noted that the State attorney argued that the current law is not in contradiction with the European legislation. The amendment that minister Opstelten proposed, which would not solve the problems according to the plaintiffs by the way, would be implemented to make sure the law would contradict the ECHR even less.
Voys and Webwereld have kept a more detailed report of the hearing and the subjects discussed. Various other media, including Tweakers, have published articles on the lawsuit as well.
The judge will offer his verdict on March 11. There is a possibility that the court decides this matter to be too complex for a preliminary injunction and needs to be sorted out by standard proceedings. So give your provider a little push to take action if that happens and make sure you are heard on stopdebewaarplicht.nu and/or support Bits of Freedom and/or support Privacy First, which both incessantly defend your online privacy.