With the new data law, the government is digging even deeper into private life

© Sophie Smeets

JUNE 10 ·

11 MIN

With the new data law, the government is digging even deeper into private life

JAN-HEIN NOOSE DAVID DAVIDSON NEVALINE SHOT

105 CONTRIBUTIONS

Governments are eagerly awaiting a new data law that will allow them to share and analyze privacy-sensitive data almost limitlessly. They say they need them to combat social problems such as domestic violence and crime. Opponents warn against a repeat of the benefits affair. “This is the legalization of arbitrariness.”

THIS PIECE IN 1 MINUTE

On Tuesday, June 11, the Senate will have the last word on the Data Processing Partnerships Act (WGS). If that law passes, the government will have extensive freedom to collect, analyze and share data from citizens.
The government wants more leeway in tackling crime and maintaining public order. When it comes to signs of money laundering, for example, the tax authorities like to review the data that other government services already have about the suspected money launderer. This mutual browsing through data files is done in so-called collaborations. But that practice is at odds with the constitution, which gives citizens the right to “respect for their privacy”.
On paper, the new law aims to solve that tension: more space for (sharing) “automated data analyses”, and less space to expose citizens to its risks, such as stigmatization or discrimination.
In reality, the law falls short on that second front, says, among others, the Data Protection Authority: it erodes citizens' rights.
Rumors (or something like prominent features in a database) can be the starting gun for a data collection that captures information that the ignorant citizen cannot verify — and against which they cannot defend themselves. According to privacy experts, the latter is the biggest problem. The Data Protection Act puts citizens empty-handed against the omnipotence of the government.
The Groenlinks-PvdA Senate Group is against the law; those of the VVD, PVV and the CDA are in favour. The key lies tomorrow with the sixteen votes that the BBB has to cast.

What a RIEC is, a Regional Information and Expertise Center, no one should have asked Gabriel Malki a few years ago. That is different now. 'I'm afraid to open a letter anymore. Every time, it's the tax authorities with an assessment or a bank that wants to stop my accounts. “In 2020, employees of the municipality of Enschede suspected that Malki was abusing health care funds. The municipality then shared that suspicion with the police, the Employee Insurance Implementation Institute (UWV) and the tax authorities. This happened via the RIEC, a partnership in which government organizations share information to combat organized crime. And then what the entrepreneur himself calls “a witch hunt” began. The UWV did not even fail to secretly observe his children and their mother, who do not live with him. The woman was a supervisor in the healthcare company, and one of the suspicions was that she and Malki ran the company together, even though this was not so written on paper.

“If it's not possible one way, we'll try to switch you off in another way”

Meanwhile, the original accusation of misusing health care money has been dismissed since 2022, after a settlement with Malki. As part of this, he had to refrain from legal action and withdraw a complaint about his treatment. But the UWV and the tax authorities have continued to investigate Malki and his healthcare company in recent years. Did his employees have real employment and therefore entitled to benefits? Were the tax payments correct? Malki's banks are also asking compelling questions on a regular basis. He must always explain expenses in detail. He suspects because they got wind of the suspicions against him. One bank closed its accounts.

'I'm not a criminal'

Malki sees it as the essence of partnerships such as the RIEC: “If it can't be done one way, an attempt will be made to shut you down in another way.” He believes that — even if he has made mistakes — he has unfairly ended up in the approach of the collaborating governments: “I am not a criminal. My family, colleagues and healthcare company are not a criminal organization. “The closets at his home are now full of file folders with suspicions and his defenses against them. He suspected that there was a connection between the investigations of the various authorities, but he could not determine it for a long time. It took him longer than two years to find out that the Regional Information and Expertise Center played a central role in his case. Only after 2022 RTL News reported about Malki's problems, he was given clarity about it. Since then, he has been trying to get file documents. What decisions were made about him? On what criteria did he become a so-called “RIEC case”? With whom has all the information about him been shared? And was that information correct?

From the cabinet to the wall

Follow the Money has been following his quest for a year and a half now: no matter where Malki knocks, he won't get documents and he's sent from cabinet to wall.What happens to him shows that a citizen has few rights and control options when a government partnership targets him.Had Malki been a suspect in a criminal case, he would know what assumptions he is being treated as a criminal on the basis of, and he would make those assumptions have been able to discuss. In short, there would have been legal protection. Now Malki has nothing to rely on. The RIEC denies this problem.

DOSSIER

THE RULE OF LAW

The rule of law has come under fire: lack of transparency, laws that do not comply with international law, and profiling citizens is no longer the exception.

VIEW ARTICLES

The ten RIECs have been around since 2008 and deal with around 1,300 cases annually. This treatment involves the exchange of information between the municipality and various government services. But there is no clear legal basis for this to date. The exchange of information infringes the constitutional right to protect privacy (article 10). That is why a law with guarantees is needed so that citizens are not at the mercy of arbitrariness, discrimination and stigmatization. And so that citizens can defend themselves against the government. That law is nearing completion.

Broad objective

On 11 June, the Senate will discuss the proposal for the Data Processing by Partnerships Act (WGS). The objective is very broad: “Preventing tax and social fraud, monitoring compliance with legal regulations, maintaining public order and safety and preventing and detecting criminal offences.” The new law applies to — for now — four government partnerships that are fairly unknown: the Care and Safety Homes (for data exchange about people and families with “complex problems”); the Financial Expertise Center (FEC), for data exchange on the “integrity of the financial sector”) and the Criminal and Inexplicable Property Infobox (ICoV, for data exchange aimed at combating money laundering and tax evasion) .One thing these partnerships have in common: highly privacy-sensitive information is shared and analysed. Under the bill, there are now almost no restrictions: financial and criminal information, data from municipal systems and even data on sexual behavior. In addition, this type of data may also be shared from people all around those involved. Also remarkable: private parties such as banks can also receive and provide data.

Algorithms

The law also provides for the use of algorithms: With “automated data analyses”, for example, streets or neighborhoods can be searched for people with what is called an “increased risk”. Follow the Money previously showed that this can be harmful, especially for groups of already vulnerable citizens. The VVD, PVV and the CDA are in favour of the new Data Processing Act. Whether it is adopted on June 11 depends on the BBB, which has sixteen seats, and whose senators do not respond to questions about their position. Of the four largest parties, Groenlinks-PvdA will be the only one to vote against with certainty. The Senate Group speaks of a law “that has all the elements that went wrong in the benefits scandal”. Because, says the party, the government can take drastic measures based on vague suspicions, “without supervision and guarantees to protect citizens against the government”.

THE HOUSE OF REPRESENTATIVES AGREED, DESPITE WARNINGS

The House of Representatives (including VVD, PVV, CDA and PvdA) approved the bill on December 17, 2020, after important advisory bodies warned that citizens' fundamental rights would be seriously compromised. That was on the day that the parliamentary committee of inquiry investigated the benefits affair in its final report. Unprecedented injustice had determined that fundamental principles of the rule of law had been violated. Member of Parliament Kees Verhoeven (D66) spoke of a “dangerous law” and warned as one of the few: “To eliminate fraud and undermining, people decisively choose the wrong tool: hasty use of data without grip. Now it's dead quiet, but if things go wrong again, people will scream murder. '

The Association of Dutch Municipalities (VNG), the Public Prosecutor's Office and the police are watching ''eagerly' looking forward to the new law. Although they now work without an explicit legal basis, “legal barriers” still stand in the way of an “effective” data exchange, the chairmen wrote in a joint letter to the Senate in May. Many others are very concerned.

“This is very drastic”

“We will have a law that states that the government can take action if there is a first suspicion of unlawful activity,” says historian Bob de Graaff, professor emeritus and expert in the field of intelligence services. “People act on signals, rumors and clues that seem to come from figures. Such a first suspicion can immediately lead to a very extensive data collection. This is very drastic. 'The Data Protection Authority (AP) speaks of “substantial risks of eroding the rule of law safeguards” — that someone is innocent until proven otherwise — and states that the government should not collect more data from citizens than is strictly necessary.

“Open door to unlimited surveillance by an unlimited number of parties”

According to the Authority, the law also goes against the principle of transparent government. Because in practice, citizens who are suspected - just as is the case today - will not be informed about this.AP chairman Aleid Wolfsen made an urgent request as early as 2021 profession in the Senate to prevent “Kafkaesque conditions for large numbers of people”: “The bill opens the door wide for unlimited surveillance by an unlimited number of parties, public and private. [..] This can have far-reaching consequences. We therefore urge the Senate not to adopt this bill. 'The Council of State, the government's main advisory body, warned in April 2020 that the bill is in violation of the Constitution. Changes have been made and, according to the Council of State and the Data Protection Authority, the bill has thus become clearer and better. But according to the latter, it still contains insufficient guarantees.

“InFRINGEMENT OF THE LAW”

That is why the supervisor stated pre to have the sharing of data reviewed by a judge beforehand. According to the AP, this is necessary because people who come into the picture are often not suspects, even though their data may be widely shared: “In terms of impact, this is not inferior to heavy investigative tools such as searches and phone taps."But outgoing Minister of Justice Dilan Yeşilgöz (VVD) sees nothing in advance a judicial test. The Regional Information and Expertise Centers have around 1,300 cases under them annually, and around 16,000 times. investigative officers from, among others, the police and the tax authorities, request reports to the info box Criminal and Unexplained Assets (ICoV).

Citizens' rights are already adequately protected, says Minister Yeşilgöz

The minister therefore expects such a test to “take an enormous toll on the personnel capacity of the judiciary”. This would also affect the “intended improvement in effectiveness”. According to Yeşilgöz, everyone in the government must comply with the General Data Protection Regulation (GDPR) and that in itself is a protection. There are also already “lawfulness advisory committees”, which must assess whether data processing is allowed and whether there is no discrimination. 'The safeguards in place will suffice,” says the minister. However, these committees consist of representatives of the parties in the partnership and are therefore not independent, said the AP. Moreover, their advice is not binding. This inspires little confidence among experts now that, after numerous affairs, the government is known as a notorious violator of the privacy law.

'Black-box bureaucracy'

The GDPR and the bill therefore do not solve the lack of legal protection, says Tijmen Wisman, chairman of the Civil Rights Platform and assistant professor of privacy and data protection law at the Vrije Universiteit Amsterdam. “We see here the legalization of arbitrariness and a black box-bureaucracy. As a government, you can do whatever you want from now on. “He also points out that citizens will not always know that data is being shared about them. “So if you are not informed, there is no legal protection either.”

'The government firmly believes that all kinds of abuses can be detected with big data'

Wisman was previously involved in the lawsuit against the controversial “fraud trawl” System Risk Indication (SyRI), a tool with which the government wanted to combat the abuse of benefits, surcharges and taxes. The Hague District Court struck a line in 2020 because SyRI was in violation of the European Convention on Human Rights. “If SyRI is not allowed, then this is certainly not allowed,” says Wisman. The organizations that previously filed the case against SyRI — in addition to Platform Civil Rights, including the trade union FNV and Privacy First — sent a letter to the Senate on 14 May. In it, they once again highlighted the major risks of the Data Processing Act: “Through uncontrolled data sharing, citizens and companies can contact numerous organizations without the possibility of defending themselves. stand as a criminal, fraud or rogue” [..] “Such a method legitimises the practices that preceded the benefits affair and the FSV scandal.”

DOSSIER

DIGITAL BUSINESS

What happens to the data that governments, companies and institutions store about us? What if they are hacked or taken hostage? How secure are our systems and data?

VIEW ARTICLES

Why is the government so hungry for data that the new law must be implemented despite all the risks? That hunger comes from a desire to avoid risks, says intelligence expert Bob de Graaff. The government prefers to tackle social problems such as undermining preventively. “In doing so, she is increasingly seeking or even exceeding the limits of the rule of law. “A mistrust of citizens, which has grown over the years, also plays a role. “That is linked to a holy faith that, with the use of big data all kinds of abuses can be detected. “At the same time, the government is not prepared to handle that data carefully. “For example, we see that in many cases the educational level of the people responsible for this is not sufficient.” De Graaff is concerned. “With the help of data, the government is increasingly trying to get a grip on citizens and look behind the front door, but the longer the government's arm becomes, the further people retreat to stay out of that arm's reach.” Years of uncertainty and endless procedures await citizens who do find themselves in the grip of collaborating governments, such as Malki.

THERE ARE ALSO MAJOR INTERNAL DOUBTS ABOUT THE CURRENT WAY OF WORKING

The partnerships have been making data analyses of citizens who were not suspected of anything at that time. This is evident from documents released after Follow the Money requested documents from municipalities using the Woo. The analyses were aimed at finding people and addresses that might be wrong. In Rotterdam, for example, the Regional Information and Expertise Center made scans and analyses of real estate and transactions. Partly based on this, the RIEC drew up an overview of “suspected malicious” companies and individuals: “This list will be screened so that the chosen entities can then be further consulted in the systems of all partners,” says a document provided by the municipality. The Criminal and Unexplained Property (ICoV) info box — the partnership against money laundering and tax evasion — also screened neighborhoods: “Two streets and a residential tower on As a pilot, Rotterdam-Zuid will be further analyzed for signs of money laundering on the basis of risk indicators on ownership, mortgage financing and real estate transactions,” says one of the documents from Rotterdam.

The RIECs have been operating for years without the required review prior to processing personal data

The documents do not clarify exactly what powers the partnerships do this on the basis of. The RIECs throughout the Netherlands have been operating for years without the obligations required for partnerships data protection impact assessments. These are intended to identify in advance the risks of processing personal data. An internal supervisor must then advise on this. The Public Prosecutor's Office says that the RIEC partners are still working on the data protection impact assessments. It is not known when they will be ready and approved. The municipality of Rotterdam says in a response “it guarantees fundamental rights at all times and an infringement can only occur if this is in accordance with the law”. Since its inception in 2013, there have been doubts about the other partnership, the ICOV, whether the method complies with the AVG Privacy Act and the European Convention on Human Rights. Those doubts are contained in internal documents whose contents are known to Follow the Money. The ICOV brings together a lot of privacy-sensitive information about citizens' finances and assets. At the end of 2021, area scans, such as those in Rotterdam, were stopped because the working method was not legally substantiated. But the proposal for the Data Processing by Partnerships Act does offer the space for it again. According to a spokesperson, the Public Prosecution Service has no doubts about the ICOV. “Advice has been followed or is being involved in the long-term development of the ICOV”. This means that the uncertainty about the legality certainly remains partly.

This article was created with support from Journalismfund Europe