Regulator has major concerns about implementation of Big Data law

The AIVD building in Zoetermeer
The AIVD building in ZoetermeerPhoto: S.J. de Waard / Wikimedia Commons

According to CTIVD, the regulator for the Dutch intelligence services AIVD and MIVD, there are major risks that the two services will act in violation of the new Intelligence and Security Law because guarantees that they will do so are lacking or not properly regulated. As a result the AIVD and MIVD themselves don't know themselves whether they're acting in line with the law, NOS reports.

The Intelligence and Security Act, also called the Big Data- and data mining law by opponents, was implemented on May 1st. It gives the Netherlands' two intelligence and security services more power. The biggest change is that the AIVD and MIVD are now able to tap telephone and internet traffic on a large scale. The services are allowed to perform hacks more often, and on a larger range - where the services could previously only hack a specific suspect, the new law allows them to reach the suspect by hacking the computer of a housemate, for example. The new law also gives the services the capability of storing DNA material for investigations. The expansion of powers is balanced with more supervision on the services.

"Because these safeguards are now lacking, you run the risk that you collect too much and that you destroy too little of what you collected", Harm Brouwer, chairman of the CTIVD, said "This means that you unnecessarily violate the privacy protection of the citizen and that you therefore act unlawfully when exercising your authority." The CTIVD called on the AIVD and MIVD to take "concrete steps" in the short term to make sure they comply with the new law.

According to the CTIVD, the AIVD and MIVD have little policy in place to make sure that irrelevant data is disposed of. The MIVD, for example, does not have an ICT system in place that disposes of irrelevant data automatically - this is done largely by hand and is therefore not good enough. The CTIVD wants the service to arrange this in the "shortest possible time", but the MIVD seems to be planning to spread out the implementation "over several years". 

Once the intelligence services destroy data, that data must really be gone, and not retrievable in any way. That too is not well set up at the MIVD. There is no internal control on the removal of data and therefore the CTIVD can not accurately judge whether information was actually discarded. 

The Intelligence and Security Act was subject to a lot of criticism, even before its implementation. In a referendum on the law, the majority of Dutch voters voted against it. The intelligence services' new power to tap data on a larger scale in particular led to dissatisfaction. In order to address these concerns, the government decreed that the new data tapping powers must be deployed "as targeted as possible", to prevent data from innocent civilians ending up in the intelligence services' databases. 

But according to the CTIVD, the AIVD and MIVD have not yet made work on intercepting data "as targeted as possible". The new power to intercept internet traffic on a larger scale has not yet been actually used, but the stricter precautionary measures now also apply to the large-scale interception of radio and satellite traffic, and that is not yet properly regulated. 

The CTIVD also stated that the intelligence services have not built in proper precautions to protect citizens' data at the services. For example, there are no rules about which employees may access the data. In December last year the government promised that these precautionary measures would be in place. According to the CTIVD, it is "essential" that this happens as soon as possible.