Dutch Government Wants Carte Blanche to Link Data without Restrictions

A legislative proposal from the Dutch government would enable public authorities to link all available data of citizens for any purpose, partly suspending the Personal Data Protection Act. An inquiry into the need for such a law stays out.

Like his predecessor Ivo Opstelten before him, the Dutch minister of security and justice, Ard van der Steur, argues that fraud is a growing problem in the Netherlands and that it’s therefore necessary to link all available data of citizens. The more data are available, the more detailed the behavior of citizens can be mapped. Deviant behavior is suspicious, because it might indicate fraud.

Moreover, the data should be compiled to "monitor the compliance of legal requirements and the enforcement of the public order and safety […], as well as the prevention, detection and prosecution of criminal offenses." It concerns both data that are in the possession of public authorities as well data from private companies and institutions. The provision of data becomes mandatory.

At the same time, with the proposed new law, the minister wants to enable the deployment of more "modern data analysis techniques." He finds "that there are no fundamental reasons to deny the government the use of profiling techniques, only because it violates the right to the protection of privacy".

The minister wants the above to become a valid general principle for all sectors and areas of activity in the Netherlands. Once the law is in force, the minister himself can decide which data from any area of activity are to be linked and he can expand the linkage if he deems it necessary. He will not have to request permission for this from the House of Representatives.

Erosion of the Personal Data Protection Act

This legislative proposal erodes the Personal Data Protection Act. The core of this act determines that the data are only exchanged and registered if this is necessary, proportional and when there’s no alternative approach that is less privacy intrusive. So data may only be collected and exchanged if certain criteria are met. This changes with the arrival of the envisaged new rules. "No, unless (there are good reasons to proceed with the provision of data)" will turn into "yes, unless (there are good reasons to keep the data secret)." This renders the core of the Personal Data Protection Act inoperative.

Within the new model, data are no longer provided merely to the requesting party, but directly to all parties that cooperate in the area of activity. In this respect, it is not important whether or not those parties actually need the data.

Justification of the necessity

As was the case with the debate about the data retention obligation, the minister sees no reason to come up with a justification of the necessity for this legislation. In his eyes, giving two abstract examples whereby the exchange of data would have been particularly useful is sufficient motivation to cancel existing privacy protection. Strikingly, the minister points out that fighting fraudsters has indeed already been possible. This emerges from a December 2014 report about detected fraud. However, according to the minister it’s a "slow and inefficient" process. To him, privacy is not a right but an "obstacle." He is fine with this right being jeopardized for the sake of efficiency in a number of fraud cases.

The minister doesn’t substantiate his proposal whatsoever. He doesn’t provide any figures of the magnitude of the fraud or evidence for the claim that fraud is really on the rise. In fact, the minister doesn’t mention any type of fraud at all, not even those types for which the proposal could serve a solution. The need for and the effect on maintaining the public order or the fight against criminality are not indicated. Nowhere in his proposal does the minister prove that this erosion of privacy is necessary, proportional and that there is no other method that is possibly just as effective.

European judge declared less intrusive data retention directive invalid

Last year, the European Court of Justice declared the Data Retention Directive invalid. An important argument of the judge was that public officials had too easy access to the behavior data of unsuspected citizens without them being able to indicate the necessity for this. The proposal for this framework act goes one step further.

Fundamental rights jeopardized for 0.2 percent of budget

The System Risk Indication (SyRI) act – which enables municipalities and public authorities to more effectively search for people who misuse benefits and supplements – serves as the model for this framework act. Since last year, SyRI enables the government to link data from 17 different fields of interest and in so doing to create detailed profiles of citizens. Anyone with a profile that doesn’t fit the behavior that the government desires is highlighted and will have inspectors at their door. In his explanatory memorandum, the minister of social affairs and employment, Lodewijk Asscher, writes that in 2011, the fraud amounted to 153 million euros. Last December, the former minister of security and justice, Ivo Opstelten, reported that fraud had not increased for two years. In 2013, fraud amounted to 155 million euros. While this is still a substantial amount of money, it’s only 0.2 percent of the 80 billion social security budget. Research in 2010 by the National Ombudsman pointed out that fraud at the Social Insurance Bank amounted to 0.0001 percent. In 2013, Privacy Barometer (an independent privacy watchdog) discovered that in an Amsterdam precursor of the SyRI project, fraud was detected in 0.1 percent of cases.

Whilst focusing so much on 0.2 percent of the budget, not once did the minister wonder whether this is actually time and effort effectively spent. Figures of the SyRI project are still unknown, but both the National Ombudsman as well as the Privacy Barometer already determined that the costs of the project barely, if at all, outweigh the benefits.

Government approach creates mistrust

The cabinet finds that profiling citizens is necessary because there can only be confidence in public authorities when fraud is vigorously fought. However, by introducing SyRI, minister Asscher actually revoked his confidence in citizens. Citizens are in principle suspected. According to him, only detailed insight into the behavior of citizens can still save the social security system. The national ombudsman opposed the enormous mistrust that public authorities have in citizens: "Ninety-eight percent of the citizens are good. Things are going very well. Crime rates are going down." Crime rates in the Netherlands have been declining for years, but with the proposed framework act, citizens are definitively considered as potential criminals. Mistrust in public authorities may well be more destabilizing for Dutch society than 0.2 percent of fraud.

House of Representatives relinquishes control

Both the Senate and the House of Representatives have adopted SyRI without any debate. SyRI, too, is a sort of framework act whereby the minister decided upon its precise elaboration once it was already adopted. Once that happened, members of the House of Representatives were scared stiff. Afterwards the very debate was held that could have been of some significance beforehand. During the debates on the act, members of the Senate and the House of Representatives didn’t realize what they voted for and which powers they relinquished.

This proposal for a framework act whereby it is very handy to already take away all "obstacles" (that is to say: the rights of citizens) for all sectors and future situations, is the SyRI Act in the superlative degree. If members of the House of Representatives give the proposal the thumbs up, they not only render the principle of the Personal Data Protection Act inoperative, they also give carte blanche to the government to start collecting and using all available data of citizens in almost every situation.

There is an alternative

The only reason for the minister to now come up with a framework act is because it would be convenient to arrange things in one single effort. But the rights of citizens and the still valid Personal Data Protection Act require prudence whereby the need, proportionality and subsidiarity have to be proven. Therefore, MPs should vote against this comprehensive act. The minister is well capable of drafting legislative proposals for each situation or cooperation. With a properly carried out Privacy Impact Assessment, he can then demonstrate that it is indeed necessary to exchange additional data. In this way, MPs are able to guard important rights of citizens and carefully verify changing rules. This would truly be to the benefit of the confidence in society.

Contributor: Privacy Barometer

The proposal of the minister was discussed in the House of Representatives on April 8.