In the new Code of Criminal Procedure, the government wants to greatly expand the ability of police and the judiciary to collect large amounts of personal data. However, the law fails to adequately protect important rights and freedoms. Among other things, this leads to risks for people who are not suspects, but who end up as 'bycatch' in the police systems when collecting digital evidence.
This is evidenced by a review by the Personal Data Authority (AP) of a bill that is part of the modernization of the Code of Criminal Procedure. The Code of Criminal Procedure includes rules for the investigation and prosecution of criminal offenses. The bill still falls short on a number of important points: data that are not relevant to the investigation are kept for too long, the possible reuse of collected data for another purpose is not regulated clearly enough, and rules for analyzing and investigating large databases are lacking. Moreover, the proposal does not take insufficient account of European law and rulings of the EU Court of Justice. The minister must therefore amend the proposal.
AP Chairman Aleid Wolfsen: 'Of course, in this digital age, police and justice must have modern powers to track crime. But the cabinet now seems to forget to build the necessary guardrails. For example, a judge should be in between more often, for example before the police are allowed to look into a confiscated smartphone.'
'If you collect large amounts of personal data, there is a good chance that among them is data from people who have nothing to do with crime. How do you prevent data of those innocent people from ending up in the police systems for no good reason and remaining there? This proposal doesn't have a good answer to that.
Because the risks can be great, says Wolfsen: "Where there's smoke, there's fire, people often think. So if your name turns up in the police systems even though you haven't done anything wrong, you can still get into trouble. For example, if the police do not properly record that you are not a suspect at all, the idea may still arise that you have something to do with crime. Or if your information is shared with the tax authorities or municipalities, who then suddenly check whether you are not fraudulent with benefits or allowances. Or if you were to end up in foreign police systems without good reason, which would prevent you from entering certain countries. We must not let that happen.
One way to avoid problems is to immediately destroy data collected that is not relevant to the investigation. But the cabinet wants only a limited destruction obligation, only for data that the police have obtained by hacking. And thus not, for example, for data from smartphones and laptops that the police confiscate. Wolfsen: "The police collect tons of data, also from people with whom the suspect has emailed, telephoned or telephoned, but who have nothing to do with crime. Then you also have to have a good plan what you do with the data you don't need.'
There must also be more safeguards for personal data that the police have collected and want to reuse for another purpose. Wolfsen: 'We must prevent data that has been collected, for example, with sweeping powers in a murder investigation, from subsequently being used simply to keep an eye on certain demonstrators.' The AP therefore recommends including in the law that a judge must check whether the reuse of that data is allowed or not.
Finally, there should be rules for analyzing large databases of personal data. These are not in the law now. Wolfsen: "Such analyses have proved useful, for example, in cases where the police cracked the encryption of very large amounts of criminals' crypto communications. But rules on this kind of analysis are currently lacking. Clear rules should, for example, prevent "fishing expeditions," in which people dig around in that data without a clear purpose in search of interesting information. The examining magistrate can play an important monitoring role here.
The AP recommends that the cabinet properly regulate safeguards for careful processing of personal data collected for tracking purposes. Preferably in a separate law. That was initially the Cabinet's plan: there was to be a separate data processing law. That was called off because it would cost too much money. While this is about fundamental rights.' Recently, the Minister of Justice and Security announced to establish a committee to advise on data processing in criminal procedure. 'That inspires hope,' says Wolfsen. 'The AP therefore trusts that the minister will take our test to heart and come up with additional legislation. Do it right the first time, we would say. Regulate at once both the powers and the safeguards.'
