Dutch intelligence agencies accused of privacy breaches in large-scale data processing
The AIVD and MIVD do not always comply with the law when processing large databases containing sensitive personal data, the oversight body CTIVD says. More and more departments within the intelligence agencies are working with these extensive data collections, but there is no central oversight to ensure compliance. The watchdog also found that some employees were given access to sensitive data despite lacking the required authorisation.
These so-called “bulk datasets” can include millions of individual entries, such as names, telephone numbers, and location information. They may originate from other public authorities, be acquired from private companies, or be illegally obtained by hackers and then sold or shared online.
Intelligence agencies may use this type of information to investigate threats such as terrorism and espionage, but strict rules apply. Data cannot be retained indefinitely; access must be restricted to a small group of authorised staff, and any information that is not relevant must be deleted.
It is important that the AIVD and MIVD comply with the rules when processing such data, argues Hugo Hillenaar, chair of the Commission for the Oversight of Intelligence and Security Services (CTIVD). “The processing of data from bulk datasets constitutes an invasion of privacy for the individuals included in them.” Meanwhile, most people appearing in these datasets “have nothing to do with espionage or terrorism.”
The Ministry of Defense recognises that the use of bulk data has a significant impact on privacy, but argues that it is “essential” for the work of the intelligence services. The responsible ministers, Defense Minister Dilan Yeşilgöz and Pieter Heerma, the Minister of Interior Affairs, say they are broadly following the CTIVD’s recommendations, with several improvements already underway.
Digital rights group Bits of Freedom says security services have a history of collecting excessive amounts of citizens’ data and were forced to delete it several years ago. However, the digital rights group argues that “they apparently have not learned from it.”
The privacy organisation fears that intelligence services are training their own artificial intelligence systems using citizens’ data. “They even appear to be purchasing data that comes from data leaks,” Bits of Freedom claims.
Evelyn Austin, director of Bits of Freedom, argues that intelligence and security services are steadily expanding their ambitions for greater powers, “while repeatedly showing that they are unable to handle the power we have already given them. They do not get their data management in order and do not allow themselves to be constrained by the law.” Austin calls this “particularly concerning” because such services are designed to operate in secret. “Oversight of these services must absolutely not be weakened.”
Reporting by ANP
