After facing enormous pressure from the media, civil society and several MPs, the Dutch Ministry of Security and Justice announced that it will not develop a national database or search engine containing bank data of all Dutch citizens. The Dutch digital rights organization Bits of Freedom discovered plans to this end in one of 27 internal documents that were made public after a Freedom of Information Act request by independent researcher Rejo Zenger. As the response of the Government followed only one day after these plans hit the news, the campaign illustrates the crucial role civil society can and must play to protect digital civil rights.
The ambitions are part of the much larger ‘Project verkeerstoren’ (Traffic Tower), which seeks to centralize the retention of and access to several categories of personal data, in order to ease the procedure for data requests by law enforcement agencies (LEAs). As telecommunications subscriber data are already stored in the national database CIOT (Centraal Informatiepunt Onderzoek Telecommunicatie) – accessed approx. 3 million times a year by Dutch LEAs – the Government had been investigating, in ‘Project dataretentie’, the extension of the CIOT model to historical telecommunications subscriber data and traffic and location data following the enactment of the Data Retention Directive. In one document, however, the Government discusses the Traffic Tower project and writes that bank data could follow after the successful implementation of the Data retention project. After the Ministry confirmed these ambitions to several journalists, the plans received considerable media attention and criticism from MPs. Two days later, the Ministry cancelled the national database on bank data.
The implications of the CIOT database function creep were put in context by a second finding: at least 78.000 requests for traffic and location data by Dutch LEAs in the last year. Until now, the Ministry had kept this information secret from the general public. Consequently, the news that Dutch LEAs are a European frontrunner when it comes to requests for telecommunications data – subscriber, traffic and location data – was mentioned alongside the plans for the centralization of bank data. These revelations follow a Bits of Freedom analysis from last summer, which concluded that the LEAs have been neglecting the data protection rules surrounding the database for at least three years in a row, even though internal audit reports had strongly called upon the LEAs to respect privacy and data protection rights, since the errors were ‘undermining the legitimacy of the Law Enforcement effort’. Bits of Freedom’s disclosures that authorized police officers had been giving their PIN codes away to their colleagues, and that the entire request procedure had not been subject to either independent oversight or a prior check of legitimate access, were two of the more striking examples that reached the headlines in mainstream media back then. If that weren’t enough, ISP and telecoms incumbent KPN stated in a letter – among the 27 released documents – that the operator would rather keep the data itself than hand it over to the CIOT database.
Hence, the cancellation of the database on bank data is of important symbolic value. It casts light on the Traffic Tower project and the impact of mandatory centralized personal data storage, and shows that civil society can stop such ambitions as it has the facts on its side. It also shows that civil society will be needed in the future: the Ministry is still working out the centralization of telecommunications traffic and location data of all Dutch citizens, to the effect that every single communication and movement of all Dutch citizens can be requested with one mouse click. Bits of Freedom will continue to put any ambitions to this end under close scrutiny.