The annual report of the Dutch Data Protection Authority  (DPA) signals that the Dutch government increasingly breaks its own privacy laws. The contempt for data protection may influence EU privacy legislation currently in the making.

The Dutch government is collecting and linking an increasing amount personal data. By doing so it undermines two cornerstones of the data protection law: purpose limitation and transparency, the DPA warns in its report.

Purpose limitation ‘protects  data  subjects  by  setting  limits  to  the  collection   and further  processing  of  their  data’. Citizens are often required by law to provide certain data to governmental agencies. It is therefore important they can trust the agency not to use the data for any other purpose than for which it was given. But in the name of efficiency and customer service agencies responsible for tasks like child services, social security and elderly care link their databases.

The worst transgression of the right to privacy, the DPA notes, is that of the tax authority providing information on the taxable income of tenants to private housing corporations. It is the result of a new law compelling occupants of social housing earning more than €43.000 a year to pay an extra 5% rent. To enforce the law the Dutch parliament mandated the tax office to use the data collected for tax declaration for an unrelated purpose. An obvious breach of purpose limitation, the DPA states. Moreover, it messes with the transparency principle which states that people are entitled to know what happens with their data. While government agencies have official channels enabling citizens to claim that right no such checks and balances are in place when it comes to private companies.

Jacob Kohnstamm, chairman of the DPA, warns that the Dutch frivolous attitude towards data protection might find its way into the new legal framework on privacy currently meandering its way through the EU legislative process. Although the DPA endorses the aim of the European Commission to ‘strengthen, improve and simplify’ data protection, certain proposals being discussed by the Council of Ministers (CM) -endorsed by the Netherlands- merit concern.

The CM is considering a plan to grant greater flexibility to the public sector with respect to data protection provisions than the private sector. Kohnstamm gives three reasons why this is an ill-conceived idea.

For one, governments are the greatest collectors of personal data and in many cases citizens are required by law to provide it. Therefore they ‘should adhere to the requirements and conditions that are essential for the protection of personal data’, Kohnstamm writes.

Secondly, the temptation of linking databases for greater efficiency and control might easily lead to hollowing out the principle of purpose limitation.

And lastly, the right to privacy is set down in the European Convention on Human Rights, article 8. Kohnstamm: ‘Fundamental rights primarily govern the relationship between government and citizens – certainly from a historical perspective. Allowing greater flexibility for the public sector in the application of the provisions of the Regulation could lead to the strange situation that the fundamental right of the protection of personal data only fully applies to the private sector and not in relation to the public sector.’

Annual DPA report Dutch version. The English version (abbreviated) is linked above.

Image: Thevintage.in