Bulk datasets contain sensitive data from individuals and organizations that have the attention of the intelligence and security services. However, they also contain confidential information of persons and organizations that the services are not investigating. Therefore, it is good to put a limit on this and establish a retention period by law.
That opinion brings the Raad van State on the 'Temporary Act on Specific Provisions for AIVD and MIVD Investigations'. Previously, this law was known as the "Temporary Act on Investigations by the AIVD and MIVD into Countries with Offensive Cyber Programs.
The General and Military Intelligence and Security Services (AIVD and MIVD) have far-reaching powers to guard the national security of the Netherlands. The best-known of these are the hacking powers and research-led interception (OOG-I), also known as cable interception. The latter means the services may temporarily tap Dutch Internet cables to gather as much relevant information as possible.
Interest group Bits of Freedom (BoF) has expressed its objection to cable interception more than once in the past. Essentially, it comes down to the fact that the security services collect too much non-relevant information and keep it longer than necessary.
"The amounts of data that the secret services have started collecting about us are so big that the services themselves can't handle it anymore. They assess that data too late, and as a whole mountain. As a result, they are funneling gigantic amounts of data from you and me into their systems, without that data being relevant to an investigation," BoF policy advisor Lotte Houweling told me on the matter.
The Intelligence and Security Services Regulatory Commission (CTIVD) ruled last year that the practices of the AIVD and MIVD were unlawful. Bits of Freedom then decided to file a complaint with the regulator. The latter ruled in favor of the interest group and ordered the intelligence and security services to remove and destroy non-relevant data from five bulk datasets.
In December 2022, the government sent the Temporary Act to the House of Representatives. A few weeks later, the Cabinet wanted to amend the bill in two ways. First, there should be a binding test before intelligence agencies are allowed to collect real-time traffic and location data. In addition, intelligence agencies would be allowed to retain bulk data sets for longer, subject to the CTIVD's approval.
The Raad van State criticizes the latter bill. It thinks that the Cabinet should legally limit the retention period of bulk datasets. On this she writes the following:
"The retention and destruction of bulk datasets must be properly safeguarded. The bill of amendment focuses on binding independent oversight of the annual extension of the retention period. However, the regulation itself has few concrete boundaries.
The advice is to lay down in law the criteria against which an extension request must be assessed. It should also be clear that the invasion of the citizen's privacy is finite. Therefore, the advice is to include in the proposal a statutory final deadline for the retention of bulk data sets, with a clear delineation to be able to deviate from this in case of exception."
The Raad van State advises the government not to send the bill of amendment to the House of Representatives until it has made these adjustments.
