The Complaints Department of the Review Committee on the Intelligence and Security Services (CTIVD), the Dutch supervisor of the secret services, ruled that we are right! After we filed a complaint about the secret services unlawfully storing data of millions of citizens, the Complaints Department ruled that the data of millions of citizens unlawfully in the possession of the secret services must be deleted immediately.
The data hunger of the secret services must be limited
The complaint we filed is about the so-called 'relevance assessmentThis is what goes wrong with the relevance assessment'. This is an important safeguard in the Intelligence and Security Services Act 2017, which stipulates that, when collecting huge amounts of data (bulk data), the secret services must delete the data of citizens they are not investigating as quickly as possible - but within eighteen months at the latest. The services have been collecting more and more data, but they are not as enthusiastic about removing them. And thus they are breaking the law.
This is how the Dutch secret services store your data illegally
We believe that limits must be set to the greediness of the secret services. Therefore, we filed a complaint about the unlawful retention of the data. In the complaint, we asked the Complaints Department to have this data deleted. After a thorough investigation lasting months, talks with the Dutch secret services AIVD and MIVD and an inspection of their systems, the Complaints Department ruled that there had been improper conduct and that the data the secret services were storing unlawfully had to be deleted.
There is talk of improper conduct
The Dutch Minister of Interior Affairs and the Dutch secret services refused to remove the data before, because it is "not necessarily irrelevant." But this reason can substantially legitimise the storage of every piece of information, as one day it may be relevant. The law doesn't provide that much room to keep data at all. The Complaints Department now states that the Minister's view is incorrect, and endorses the opinion that the Oversight Department gave already since 2019: the retention of these data is unlawful, and therefore now also improper and has to be deleted immediately.
To make straight what is crooked, the Minister had drawn up a Temporary regulation for the further processing of bulk datasets in November 2020. This gave the secret services more leeway than the law provides for. The investigation by the Complaints Department now shows that the secret services exceeded even these extra-wide boundaries. For example, the MIVD only began to examine whether the data were still relevant after we had submitted the complaint. And the guarantee that only a limited number of employees of the secret services would have access to the data was not fulfilled.
Moreover, the longer deadlines in that Temporary regulation are contrary to a higher law, and therefore not valid at all.
Even when the Complaints Department asked the secret services to explain exactly what they needed this data for, they were unable to do so. They didn't get much further than the number of times they had queried the datasets. But that, of course, says nothing about what that yields in concrete terms.
This is why the Dutch oversight system is unable to effectively protect us
What does this mean?
The decision of the Complaints Department shows two things:
The secret services do not respect regulations. They collect more data than they can handle and keep that data longer than permitted. Even the Temporary regulation that the Minister drew up to give them more leeway was not enough for the services, as they also broke the rules in that Regulation.
The oversight system is not capable to intervene by itself when the secret services are breaking the law. The Oversight Department, which previously ruled that this practice was unlawful, has no binding powers. The Complaints Department does have binding powers, but can only use them if someone files a complaint. And that really needs to change.