Criticism piling onto Dutch mass surveillance plans, GDPR lows and highs, and a vigilant Parliament speaks out against client-side device scanning: a quick read through the most interesting developments at the intersection of human rights and technology from the Netherlands. This is the fifth in a series.

Parliament prohibits government from agreeing with client-side scanning

Last year Parliament instructed the cabinet not to support any European legislative proposal that would restrict the use of encryption. A clear instruction, but the Minister of Justice and Security opted for a play on words. She argued that because client-side device scanning happens before end-to-end encryption is applied, client-side device scanning does not impact encryption. We don't agree.

And neither did Parliament. This month she adopted a motion instructing government not to support any legislative proposals that would allow client-side device scanning. The minister advised against it, claiming it would isolate the Netherlands in the European discussion and de facto exclude it from negotiations. (Something we know not to be true.) We're impressed by Parliament's vigilance and hope rumors about the minister ignoring Parliament turn out not to be true.

Council of State and Court of Audit issue damning reports on proposed changes to mass surveillance powers

Parliament is currently discussing the temporary Cyber Act, an addition to the Intelligence and Security Services Act from 2017. Even before the bill was shared with Parliament, the responsible ministries announced it would be amended.

This month, the Council of State issued an opinion on the proposed amendments. The text received a so-called "heavy dictum" from the Council. This firm slap on the wrist means the proposal must be discussed again in the Council of Ministers before it can be shared with Parliament. It is not often that the Council of State issues such a critical opinion, and we hope the ministries take the criticism to heart.

In the meantime, the temporary Cyber Act itself has also fallen under criticism, namely from the Dutch Court of Audit. Unfortunately many of our concerns are confirmed in the Court of Audit's report. The temporary Cyber Act is supposed to alleviate so-called implementation problems in the current law. The Court of Audit, however, finds it highly questionable whether the Cyber Act itself is actionable and enforceable. The Court also confirms that the urgency the ministries invoked when introducing the bill has lead to bad-quality law making, and an insufficiently informed Parliament.

All in all not a great month for the rule of law in the Netherlands.

Municipalities continue to fail their citizens, and an ecosystem perspective on the GDPR in practice

Last year we found that 9 of the 10 biggest municipalities weren't complying with the most basic GDPR requirements. A year on, and after promises made by the Minister of Digitization that improvements would be made, we were curious how they are doing now. Well... The DPO in Amsterdam was made to oversee his own work, Rotterdam has been making use of a discriminatory algorithm, Eindhoven is under increased inspection by the DPA, and at least 5 municipalities are still using a controversial anti-fraud algorithmic system. We'd say there's still a little bit of work to be done!

Taking a step back, this month we also organized a panel at CPDP with the Dutch DPA, the Minister of the Interior, and civil society. Reflecting on the intersection of our work, we asked them: why is it that people aren't getting the protection they need, despite each one of us acting with the best intentions? And looking forward, how can we do better?

And finally...

We celebrated the incredible Ai Act victory in the European Parliament and the hard work we put into it with colleagues across Europe. To close, a little heads-up that this update will next appear in August, after a lovely long summer break. See you then!

Receive this update in your inbox

Want to receive a heads-up when another monthly update is published? Leave your e-mail address behind and we’ll drop you a line whenever a new update becomes available. We'll not use your e-mail address for any other purposes.