A power struggle rages for your data
- 03 februari 2023
- Deepmind on Unsplash
The Cyber Act has not yet been debated in Parliament and there is already a new proposed amendment. This proposal mainly changes how the secret services have to deal with so-called bulk data: Huge mountains of data, most of which is about people the services do not investigate. Your data, in other words.
Once again, abuse of power threatens to be rewarded with extension of power
Last year, we filed a formal complaint because the secret services kept data on millions of citizens longer than they were legally allowed to. We were vindicated and thus freed this data from the clutches of the secret services.This is how we freed your data from the clutches of the secret services After the services got the lid on it like this, there is now a proposal to amend the rules on how the secret services handle bulk data, including this term for data retention. And it does not look good for our privacy and data protection. Once again, abuse of power threatens to be rewarded with expansion of power.
A potentially never-ending deadline
Under the current law, the secret services have to assess the huge mountains of data they collect for relevance as soon as possible. They have a maximum of a year and a half to do so, and data that is not relevant must be destroyed immediately.
This proposal removes that maximum time limit. Services will then be able to ask the minister for an annual extension, without a maximum. This means that your data may remain on the secret services' servers indefinitely. The Council of State already wrote that this arrangement was inadequate and advised for a cap on this period. But that advice was ignored.It is shocking how little has been done with the opinion of the Council of State (in Dutch)
Moreover, the requirement to assess data for relevance as soon as possible is also removed. This effectively changes the character of this so-called assessment period into a retention period. With a major risk that the sifting, whereby parts of data sets that are not relevant are immediately destroyed, will no longer take place.
This binding supervision does not compensate
As a counter-measure, the amendment gives the oversight committee binding powers in reviewing the annual renewal. We welcome binding oversight. It is just unfortunate that the proposal does set the bar for reviewing the extension of the retention period very low, and the oversight committee will review based on that bar.
In the proposal, the test seems to be limited to necessity only. This means that the infringement on your rights and freedoms that takes place with the retention of your data, and whether it is proportionate to the purpose, is not considered at all in the question of whether the data may be retained longer.
In addition, the necessity criteria is based on the number of times the secret services have queried the data set. That usage says nothing about the value of a set for the secret services' investigation is evident from our complaint procedure, among others. Indeed, it gives a perverse incentive to process data more often so that it does not have to be destroyed. Whether that processing contributes to anything or not. Then your data is not only kept longer, but also viewed more often.
Bits of Freedom finds the large-scale collection of data, most of which is about citizens who are not of interest to the services, problematic. The collection and processing of this data infringes on the fundamental rights and freedoms of large groups of citizens. It is therefore of extra high importance that when the use of these data sets is regulated, strong safeguards are included. Therefore, at a minimum, the following points should be met:
- Enforce the requirement to assess data for relevance as soon as possible and destroy irrelevant data.
- Let the assessment take place at the most granular level possible.
- Have the oversight committee conduct a full, binding review of any extension of time, including proportionality. In doing so, look not at use, but at value of the data to the investigation.
- Introduce a maximum, and as small as possible, number of deadline extensions.
- Data that is not yet assessed for relevance should not be shared with foreign services.
- When there will be one single bulk data regime, it should apply to all bulk data, including bulk data collected with the informant capability or obtained through foreign services.
The proposal and our response
Want to read more about this proposal and our response to it? You can do so here (in Dutch):