Dutch intelligence services AIVD and MIVD now able to investigate cyberattacks faster

The Dutch civilian intelligence service, AIVD, and its military counterpart, the MIVD, can now react more quickly to a cyberattack after the Dutch Senate passed a bill about this on Tuesday. The services can now begin an investigation immediately if countries including Russia and China carry out a digital attack. However, they are no longer under a strict obligation to destroy data within 18 months if the relevance of that data has not been determined.

Previously, a supervisor had to grant permission before starting the investigation. The supervisor will still assess whether the intelligence services are sticking to the rules and are not taking any unnecessary risks, but it will now do that during the operations themselves.

This change is expected to save crucial time, according to the AIVD and the MIVD. Some operations were canceled in the past because the intelligence services needed to wait too long before being granted permission.

The new law also states that bulk datasets containing large amounts of personal data can be kept for a longer period of time. The previous requirement mandated that data must be examined for relevance after a year and a half, and be deleted if deemed irrelevant.

Under the new law, the services can ask the minister involved to grant an extension. The minister can give permission to keep the data for an additional year.

The Eerste Kamer, the formal name for the Dutch Senate, debated the bill last week. Most of the senators believed that the geopolitical situation made it necessary to give the intelligence services more power. Parties like GroenLinks-PvdA, Volt, and Partij voor de Dieren expressed concerns about civilian privacy.

The temporary bill that the Eerste Kamer adopted is meant to address the shortcomings identified by the outgoing Cabinet in the Law of the Intelligence and Security Services (Wiv) for four years. The idea is to permanently adopt the Wiv after this point.