Flickr/zanten.net. Some rights reserved.
As in many countries, the Snowden revelations were front page news in the Netherlands. The PowerPoint slides showing the intensity of (inter)national surveillance received considerable attention in the political arena. Special debates were scheduled, and dozens of questions were asked by members of parliament. What made things special in the Netherlands was the fact that the revelations coincided with a review of the Dutch Intelligence and Security Act (WiV, Wet op de inlichtingen en veiligheidsdiensten), a process that was then already underway.
The review committee delivered its report in early December 2013. In the meantime, the newspaper NRC reported on Dutch Snowden revelations. The documents given by ‘intermediary’ Greenwald to the NRC revealed that the Netherlands had been an NSA target between 1946 and 1968. The information that the Dutch counterpart of the NSA, the AIVD, was hacking into websites added to the impact. A third ‘Snowden’ issue was the stats showing that the NSA had access to 1.8 million telecommunications metadata. This chart had already been published some time ago but had escaped attention.
As mentioned above, dozens of questions were asked in parliament. The answers by the government showed systematic denial. Question: Has our Prime Minister been tapped (after the revelation of the tapping of government leaders, such as German Chancellor Merkel)? Answer: We have no indication that this happened – which means that network effects were ignored (as Merkel’s calls were listened to, conversations with the Dutch Prime Minister must also have been recorded, unless the Dutch prime minister did not have any conversations with Merkel, which might be even more worrying). Question: What are the antennas on top of the US embassy (which is within a stone’s throw from the Dutch parliament buildings and has an almost direct line of sight into the office of the Dutch prime minister) used for? Answer: We will ask the US ambassador. In the context of the 1.8 million metadata: Did the Netherlands provide these data? Answer: No, we did not.
This last answer, given by the minister of the interior who is responsible for the AIVD, almost led to his resignation, as it turned out that he had misinformed parliament. It was the AIVD or its military counterpart, the MIVD, which delivered these data to the NSA. We found out about this incident because the Dutch State was forced to mention its involvement in handing over data to the NSA in a court case. This case was initiated by a private/NGO initiative that wants the court to prevent the Dutch State from releasing data to foreign intelligence agencies. The initiative is called ‘The Dutch against Plasterk’ - Plasterk being the name of the minister of the interior, who oversees Dutch national security.
Giving data to the NSA is in itself not considered forbidden by the national legislation, as the secret parliamentary oversight committee quickly pointed out. Interestingly, the report of the review committee (the Dessens Committee) did suggest some improvements of the oversight procedures, but it did not go so far as to introduce ex-ante oversight. It advised that the present model should be kept intact - the minister retains full control, with some oversight measures. According to the committee, the model would meet the standards of the European Court of Human Rights if some marginal improvements (such as quicker ex-post evaluation) were implemented.
Discussions have started on what to do with the recommendations of the committee and how to modify the Intelligence and Security Act. In addition to its recommendations on governance issues, the committee recommended the introduction of mass surveillance of wired communications (the present act only allows for mass surveillance of wireless communications). This is one of the most criticized elements of the report, and even the government has said that it needs further evaluation.
Whatever the outcome, the recent decision of the European Court of Justice on data retention might turn out to be the real deal breaker. By declaring the European Data Retention Directive invalid, the Court confirmed that privacy and personal data protection also apply to metadata. On the basis of this directive, data was to be collected even in the absence of concrete suspicions against the user, and this information was to be kept for several years. The Court effectively challenged this approach. It recognized that collecting communication data can contribute to fighting terrorism and serious crime, but that it should be done in a proportionate manner. In the view of the Court, the directive did not meet the proportionality requirement.
Judging from their reactions to the ruling, it is clear that the European Commission and the Dutch government trivialize the underlying issues, in a manner consistent with the systematic denial mentioned earlier. They think that some small modifications will solve the problem. However, there is no easy fix. The ruling of the Court of Justice is in line with a turn in thinking about the exact limits to collecting metadata at random (‘mass surveillance’). In my view, based on the evidence and on the framework of fundamental rights as reconfirmed by the European Courts, three changes are necessary to make the Netherlands more compliant:
a) Current powers and powers yet to be introduced in the field of collecting communication data at random on a large scale should be subject to fully fledged critical analysis. The available research seems to suggest that the yield is low and therefore that the use of mass surveillance methods can only be allowed under special circumstances. In the United States, low effectiveness was a reason to restrict mass surveillance. In the Netherlands, the government systematically refuses to present a cost/benefit analysis. The use of mass surveillance should only be possible in special cases and under strict conditions.
b) Where powers are in place, an effective account needs to be given. Although in many countries aggregated data on collecting practices is published, the Dutch government advises against doing this, since investigative activities would suffer as a result – an unproven proposition. Here, too, there is a strange discrepancy with the United States, where ‘transparency reporting’ is applauded.
c) Collecting and consulting metadata at random on a large scale needs to be subject to ex-ante oversight. In the Netherlands, it is mainly the minister of the interior who decides about what is allowed and what is not. Only ex-post is a committee allowed to render advice on the legitimacy of a decision. Prior review by an independent court (or an equivalent offering similar guarantees) would be preferable to the current situation. There also should be a mechanism to voice counter-arguments.
Power, accountability and oversight should be in balance with each other. Freedom of communication, privacy, and protection of personal data are too precious to be left unprotected. The Netherlands needs to live up to its reputation as a front runner when it comes to safeguarding these freedoms.
Read more from our 'Joining the dots on state surveillance' series here.