Use of online publicly accessible resources by the NCTV
May 20 2022 / in News / by Paul Dam
Gepubliceerd in Sdu Opmaat Privacyrecht d.d. May 11th 2022
On March 31, 2022, during a roundtable discussion in the House of Representatives of the Netherlands, many parties seized the opportunity to criticize the bill regulating the processing of personal data by the NCTV. A year ago, reports appeared in NRC about the lack of a legal basis for the activities of the NCTV. The NCTV uses publicly accessible sources to identify, analyze and interpret trends and phenomena in the area of national security. All parties agree that this practice needs a solid legal basis. Amnesty International, Bits of Freedom, the Human Rights Board, the Personal Data Authority (AP), and the Intelligence and Security Services Regulatory Commission (ISSRC) have criticized, in particular, the vague and broad formulation of the NCTV’s objectives, tasks, and powers, as well as the safeguards and oversight of the NCTV’s performance of these tasks. This article addresses that criticism. First, the reason for the bill is briefly outlined. It then discusses the contents of the bill and the criticism expressed of the bill. This article is also relevant in the context of the monitoring of social media by municipalities and other authorities (see the Parliamentary Letter of April 29, 2022).
NRC: ‘NCTV covertly follows citizens on social media’
In April 2021, NRC published several reports about the National Coordinator for Counterterrorism and Security (NCTV). The NCTV allegedly collected and disseminated privacy-sensitive information about citizens for years without a legal basis, and employees of the NCTV used pseudonymous accounts to follow “political campaign leaders, religious leaders, and left-wing and right-wing activists. The NCTV has ceased carrying out these activities in key areas pending decision-making on the bill.
Content of the bill
The bill aims to provide a specific legal basis, partly by further specifying and delineating the tasks and related powers. The NCTV performs these activities on behalf of the Minister of JenV. As a result, the bill does not mention the NCTV, but attributes the objectives, tasks and powers to the Minister.
Objectives and task
The bill (Kamerstukken II 2021/22, 35958, 1-3) regulates the processing of personal data with the objective of “increasing resilience in the face of terrorism and protecting national security, by strengthening society’s resilience, preventing social
disruption and protecting the vital interests of society’. The processing takes place in the context of the task of the NCTV to coordinate the coherence and effectiveness of the policies and measures of the government agencies involved in combating terrorism and protecting national security. Various government agencies may be involved in a particular case; this is not limited. According to the Explanatory Memorandum, these are in any case the police, Royal Netherlands Marechaussee, Netherlands Public Prosecution Service, General Intelligence and Security Service, Dutch Military Intelligence and Security Service, the mayors and the probation institutions (Parliamentary Documents II 2021/22, 35958, 3, p. 7-9).
Authority: obtaining personal data from publicly accessible sources
One of the parts of the bill concerns the authority to obtain data from online publicly accessible sources for ‘identifying, analyzing and interpreting trends and phenomena’. Research directed at individuals is not permitted. If necessary for reasons of substantial public interest, this may include personal data of a criminal nature and special personal data revealing racial or ethnic origin, political, religious or philosophical beliefs and data concerning health. According to the further report, it is not conceivable that genetic and biometric data could be relevant to the performance of the tasks of the NCTV (Parliamentary Papers II 2021/22, 35958, 4, p. 15). The processing of such data is therefore completely excluded in the bill in advance.
In addition, when using online sources, no use may be made of ‘technical tools that collect, analyze and combine personal data on the basis of profiling’. The Explanatory Memorandum shows that, in short, this means that the use of web crawlers and composite search queries on search engines is not permitted (Parliamentary Papers II 2021/22, 35958, 3, p. 20).
Authority: providing analyses and interpretations with personal data
The NCTV may, based on Section 7 of the bill, provide an analysis or interpretation prepared using the data collected – including from publicly available sources – to:
- A mayor in connection with the maintenance of public order,
- The police and the Royal Netherlands Marechaussee in connection with police duties,
- The Dutch Public Prosecution Service in connection with the criminal enforcement of the legal order and its other statutory tasks,
- The General Intelligence and Security Service and Dutch Military Intelligence and Security Service in connection with their tasks under the Intelligence and Security Services Act 2017 (Wiv 2017),
- The probation institutions in connection with their statutory tasks,
- If necessary, a (different) minister in relation to their statutory duties.
In the event of such a disclosure, the personal data must be pseudonymized, unless this is not possible due to the purposes. If an analysis or interpretation is made public by the NCTV, the data must be made anonymous, unless this is not possible because of the purposes.
Data from online publicly accessible sources must, pursuant to Article 4, paragraph 7 of the bill, be destroyed no later than 5 years after the first processing, unless the Minister of justice and security agrees to an extension of 5 years, if this is necessary for the purpose of the processing.
Rights of data subjects
The rights of data subjects may be restricted by the Minister of justice and security pursuant to Article 9 of the bill and as referred to in Article 23 of the AVG, if this is necessary to safeguard national security, public safety, the prevention, investigation, detection and prosecution of criminal offences or the execution of punishments or the protection of the data subject or the rights and freedoms of others. The Minister must inform the person concerned in writing with a supporting substantiation, unless this is detrimental to the purpose of the restriction.
Pursuant to Article 4, paragraph 5 of the bill, an Order in Council (not yet published) will set rules regarding the technical, personnel and organizational measures in the processing of the data, including rules on segregation of duties and authorizations. Pursuant to Article 5 of the bill, the periodic performance of a data protection audit, to be further regulated by Order in Council, is mandatory.
Roundtable discussion: criticism of the bill
All parties recognize the importance of national security. It is also undisputed that personal and other data must be processed for this purpose and all parties indicate that this requires a solid legal basis.
During the round table discussion in the Dutch House of Representatives, Amnesty International, Bits of Freedom, the College for Human Rights, the CTIVD, the AP, Prof. Zuiderveen Borgesius, the police, the General Intelligence and Security Service, the municipality of The Hague and the NCTV, among others, were given the opportunity to clarify their positions. Almost all parties, except the NCTV, have concerns about the bill on the following points (Kamerstukken II 2021/22, 35958, 6; see also the position papers of the parties participating in the roundtable):
- The objectives, tasks and powers of the NCTV are too vague and broad
Article 10 of the Constitution and Article 8 of the ECHR require a specific statutory basis for any restriction of the right to respect for personal privacy. In that context, a balancing of interests must take place, at least in the main lines, at the level of the law. This is related to the requirements of necessity and proportionality arising from Article 8 of the ECHR. This balancing of interests is hardly evident from the bill and the explanatory memorandum (see also the CTIVD position paper, p. 2).
It is also questionable whether the bill complies with the AVG, which requires that the purpose of data processing be ‘well-defined’ and ‘explicitly described’. If the purpose is lawful at all, this leads to the NCTV being given a great deal of leeway to collect personal data, for purposes that are now not easily predictable. The scope of the proposal is thus insufficiently limited. This leads to privacy risks (see the position paper by Prof. mr. Zuiderveen Borgesius, p. 2).
It is also important that the scope of the objectives and tasks of the NCTV be defined sufficiently clearly (Kamerstukken II 2021/22, 35 958, nr. 4, especially pp. 8-9; AP Opinion of 30 June 2021, especially pp. 3-4 and 5-6; see also the position paper by Prof. mr. Zuiderveen Borgesius, p. 2 and the position paper by the AP, p. 3). From that perspective, it is not sufficiently clear how the NCTV relates to the General Intelligence and Security Service (AIVD).
- Safeguards and oversight are insufficient
The AVG applies to the processing of personal data by the NCTV on behalf of the Minister. This means that supervision lies with the Personal Data Authority (AP). Some parties argue that the NCTV’s analysis task might be better suited under the Wiv 2017 (see the CTIVD position paper, p. 2, and the position paper by Prof. Zuiderveen Borgesius, p. 2). The CTIVD notes that the bill differs substantially from how the balance between national security and fundamental rights (such as privacy) is ensured in the Wiv 2017. If the Wiv 2017 is applicable, then the Supervisory Committee is the supervisor of the Intelligence and Security Service and the strict safeguards of the Wiv 2017 apply. The CTIVD has built up in-depth knowledge of the national security domain and has far-reaching investigative powers. The AVG may not apply then. The AP is only a supervisor of the processing of personal data, not of the entire performance of the NCTV’s duties.
Personal note author
The criticisms seem justified to me. However, with respect to the power to obtain personal data from publicly accessible sources, the concrete differences and similarities with similar powers of the police, AIVD and MIVD remain underexposed. In my view, this could teach us how to limit the powers of the NCTV in concrete terms and how to give concrete shape to supervision and guarantees.
Under Article 38 of the Wiv 2017, the AIVD and MIVD are authorized to systematically acquire personal data from publicly accessible sources. Following the introduction of Article 2.8.8 of the new Code of Criminal Procedure, the police will also be authorized to do so. The police are already authorized to perform such acts under the more comprehensive Article 126j Sv (systematic collection). In the case of both the General Intelligence and Security Service, the Dutch Military Intelligence and Security Service and the police, the exercise of this power is covered by guarantees.
The shortcomings in the bill are all the more serious as the bill also makes a mistake with respect to the doctrine of systematicity. Systematicity exists if “a more or less complete picture is obtained of certain aspects of a person’s life” (Kamerstukken II 1996/97, 25403, 3, p. 26-27). For the question of whether there is systematicity, a number of elements are important: the duration, the place, the intensity or frequency and whether or not a technical aid is used that offers more than just amplification of the senses’. Individually, but especially in combination, these elements determine whether a more or less complete picture of certain aspects of a person’s life is obtained. The longer the observation takes place, the more intimate the place where the person to be observed is, the greater the intensity or frequency with which the observation is made, or the greater the possibilities offered by a technical aid device that is used, the greater the chance that such an image will be obtained.
The decisive factor is that transactions can result in systematicity. The test for systematicity therefore takes place beforehand, although it may turn out afterwards that more than a minor infringement of the right to respect for private life has taken place.
The bill aims to enable the collection of personal data from publicly accessible sources and excludes research aimed at individuals. This does not alter the fact that research into trends and phenomena can – in terms of the Code of Criminal Procedure and the Wiv 2017 – lead to systematicity. For this purpose, it is not necessary that the research is not focused on persons. After all, according to the explanatory memorandum to the bill, “some persons […] are inextricably linked to certain trends and phenomena, as a result of which precisely their utterances are relevant to an analysis of the phenomenon and, when investigating the phenomenon, precisely their utterances continue to come to the fore” (Kamerstukken II 2021/22, 35958, 3, p. 10). Systematicity may lie in the purpose of the investigation, but whether there is no more than a minor infringement is above all a consequence and can only be ruled out if the investigation method was not suitable for obtaining a more or less complete picture of certain aspects of a person’s life (see also HR 19 January 2021, ECLI:NL:HR:2021:80, r.o. 2.5.2 and HR 6 November 2018, ECLI:NL:HR:2018:2050, r.o. 2.4). The bill fails to recognize this. Precisely such an invasion of privacy requires a formal legal basis that meets the requirements of Article 10 of the Constitution, Article 8(2) of the ECHR and Article 17 of the ICCPR. Good examples of this can be found in Article 2.8.8 of the new Code of Criminal Procedure and in Article 38 of the Wiv 2017.