Tech & Rights

The Hague Judge Puts a Stop to Dutch Data Retention Act

In a break-through verdict the district court of The Hague has rendered the Dutch Data Retention Act inoperative. The judge did so at the request of the Netherlands Committee of Jurists for Human Rights and six other civil society organizations.

by Nederlands Juristen Comité voor de Mensenrechten

The preliminary injunction judge in The Hague rendered the Dutch Data Retention Act inoperative on March 11, 2015. This ruling puts an immediate stop to the obligation of telephony and Internet service providers to retain the traffic and location data of clients for 12 months and 6 months, respectively, for criminal investigation purposes. The act breaches the right to respect for private life and the protection of personal data.

Broad coalition

The claimant organizations were the Public Interest Litigation Project of the Netherlands Committee of Jurists for Human Rights (PILP-NJCM), the Privacy First Foundation, the Dutch Association of Defence Counsel (NVSA), the Dutch Association of Journalists (NVJ), Internet provider BIT and telecommunications providers VOYS and SpeakUp. Boekx Attorneys in Amsterdam took care of the proceedings.

PILP-NJCM was one of the claimant parties in the case against the Dutch state because the Data Retention Act has profound consequences for the human rights of everyone who uses electronic means of communication, including citizens who are not at all suspected of criminal behavior. Experts of PILP-NJCM contributed to the human rights arguments of the claimant parties.

Furthermore, the Dutch state has paid little heed to the ruling of the European Court of Justice that made short shrift of the EU Data Retention Directive, which the Dutch act is based upon. The decision to maintain a serious violation of human rights without safeguards was equally unacceptable to PILP-NJCM.

Retention obligation is unlawful

The 2009 Data Retention Act was based on the 2006 EU Data Retention Directive. This directive was introduced in response to the terror attacks in Madrid and London in 2004 and 2005, respectively, and it was aimed at guaranteeing the availability of certain data in the fight against serious crime. In April 2014, the Court of Justice of the European Union declared the directive entirely and retroactively unlawful. However, the Dutch state continued to apply the Data Retention Act just the same.

In his ruling, the preliminary injunction judge declares that, in its current form, the Data Retention Act constitutes a breach of the respect for private life and family life, home and communications as well as the right to protection of personal data (articles 7 and 8 of the Charter of Fundamental Rights of the European Union), as it is not limited to that which is ‘strictly necessary’ for the fight against (only) serious crime.

To justify the interference with these fundamental rights, the legislation should contain objective criteria that limit the access and subsequent use of data by competent national authorities. According to the judge, there are no such criteria in the Data Retention Act. This would limit the use of data for the detection and prosecution of terrorist crimes and criminal offenses for which people may be placed in pre-trial detention. This latter category, however, also includes criminal offenses – such as bike theft – that are not sufficiently serious to justify interference with the privacy of the perpetrator.

Moreover, the act doesn’t contain safeguards to really restrict the level of access to personal data to that which is "strictly necessary." This is all the more cogent, according to the judge, as currently the access to retained data isn’t subject to prior checks by a judicial or independent administrative authority. The Public Prosecution Service cannot be considered as such an independent administrative authority, the judge concluded.