September 26, 2014

Article 17 Wiv2002: the AIVD’s legal basis for asking third parties for voluntary provisioning of information

English: View on tier 1 and 2 ISP interconnections
English: View on tier 1 and 2 ISP interconnections (Photo credit: Wikipedia)

Posted on

NOTE: this page is also available in Dutch.
UPDATE 2014-09-19: added a few lines concerning Article 13 Wiv2002, that designates the persons about whom data can be requested using Article 17 Wiv2002, and what sort of data can be processed (health, race, religion, sex life). Data about political opinions obviously can be processed; data about religion, health, race and sexual life cannot, unless it is not only necessary but also “inevitable”.

The Dutch Intelligence & Security Act of 2002, from hereon “Wiv2002″, contains three articles that provide the Dutch General Intelligence & Security Service (AIVD) a legal basis for requesting information from third parties. (For clarity of exposition I disregard the Dutch Military Intelligence & Security Service (MIVD) here.)
First, Article 29 Wiv2002 provides the legal basis for the AIVD to request subscriber data from “providers of public electronic telecommunication networks and telecommunication services” as defined by the Dutch Telecommunications Act (“who’s name and address is this phone number, IP address, etc. registered to”). Note that “public electronic telecommunication networks and telecommunication services” is a complex and restricted group under Dutch law; it applies to many ISP’s (but not the SURFnet NREN, as it is not “public”: it is restricted to educational users) and providers of mobile and landline voice telephony. Google, Twitter, Skype etc. are not “telecommunication services” under Dutch law. Here is the Dutch govt’s list of all providers of public electronic telecommunications networks and here is the list of providers of electronic telecommunication services.

Second, Article 28 Wiv2002 (Decision ex Art.28; Explanatory Memorandum) provides the legal basis for the AIVD to request traffic data from those providers (e.g., for telephony: when did the user call, with whom, at what date and time, for how long, from what location, etc.; for internet: when did the user(‘s modem) log in to their ISP to access the internet, etc.).
Third, Article 17 Wiv2002 provides the legal basis for the AIVD to request information from any government office (police registers, citizen records, land registers, etc.), any civil servant, any party responsible for processing of personal data (in accordance with the Dutch Data Protection Act) and “furthermore anyone who is supposed to be able to provide the required data” — including Google, health insurers, banks, web shops, the grocery store and your neighbors, insofar necessary for the AIVD’s legal tasks, proportional and subsidiary:
  1. The services are authorized in the course of carrying out their tasks, or in support of good exercise of tasks, to collect data by addressing:
    1. government offices, civil servants and furthermore anyone who is supposed to be able to provide the required data;
    2. the party responsible for the processing of personal data. [in the sense of the Dutch Data Protection Act]
  2. In the case, meant in the first member, preamble and under b, the tasked civil servant is required to show proof of identity to the party responsible for processing of personal data using a proof of identity provided by the relevant head of a service.
  3. Legal requirements to the party responsible for the processing of personal data do not apply in the course of a request as meant in the first member, preamble and under b.
Article 17 Wiv2002 can used to acquire data related to the persons designated by Article 13 Wiv2002:
  1. The collection of personal data by the AIVD can only be related to persons:
    1. who give rise to serious suspicion that they are a threat to democratic rule of law, or for the security or other heavy interests of the state;
    2. who consented for the purpose of a security clearance screening;
    3. about whom such collection is necessary for the purpose of investigations concerning other countries; [=foreign intelligence]
    4. whom another intelligence or security service acquired data of;
    5. whose data are necessary in support of carrying out the tasks of the service; [service=AIVD or MIVD]
    6. who or have been employed by the a service;
    7. about whom such collection is necessary for the purpose of establishing threat and risk analyses, as meant in Article 6, second member,under e.
Articles 28 and 29 can only be used for the a-task (national security) and d-task (foreign intelligence). Article 17 can be used for all tasks, i.e., also including the b-task (security screenings), the c-task (promoting security measures) and e-task (performing threat and risk analyses). Articles 28 and 29 are “special powers” and have additional safeguards, such as mandatory reporting and mandatory approval. Article 17 is not a special power and does not have such safeguards. For some time I had been wondering:
  1. Does Article 17 Wiv2002 only provide the authority to ask for information, or also to demand it?
  2. Can Article 17 Wiv2002 be used to acquire, without having to get prior approval from the Dutch minister, private communications from Facebook etc.?
The answer to both questions is “no”. This follows from paragraphs in the new report (.pdf, 2014, in Dutch) by the Dutch Review Committee on the Intelligence and Security Services (CTIVD) on the activities of the AIVD related to social media and webfora (I blogged about that report here and here). Page 8 states (emphasis is mine)
Article 17 provides the AIVD the authority to, in carrying out its tasks or in support of that, address governmental officies, persons and institutions that process data (informants). This also includes companies that process data related to social media. The AIVD may ask such a company from which IP address a certain user logged on from. The company is not obligated to provide the information; the provisioning is voluntary. The AIVD can only ask for information insofar that is necessary for a specific purpose and fulfillment of the legal tasks. Furthermore, the CTIVD is of the opinion that the AIVD can only use an informant insofar accessing the required data or providing it to third parties belongs to the normal tasks of the informant. If it is more than that, the human source needs to be qualified as an agent.
Hence: Article 17 Wiv2002 does not provide the authority to demand information. The answer to my second question is found in the next paragraph::
The generic authority of Article 17 does, in the opinion of the CTIVD, provide insufficient legal basis to make further infringement on privacy, such as in acquiring the content of private communications, such a s restricted-access messages on social media. In the latter case, such a privacy infringement is made, that it is only permissible if additional safeguards apply. This includes mandatory approval, the motivation, mandatory reporting, and the use of the acquired data. The law bounds these safeguards to special powers. Now that such safeguards don’t apply to Article 17, the Article 17 authority does not allow acquiring the contents of restricted messages.
Hence: Article 17 Wiv2002 can not be used to ask for voluntary provisioning of the content of private communication. Requesting the voluntary provisioning of other data is possible: traffic data from Twitter, your purchasing history at a web shop, etc.; is simply a question of what data is available, and where. Article 17 Wiv2002 does not distinguish between the type of data. (Of course, the AIVD is only permitted to ask for data insofar that data is necessary for its tasks, proportional and subsidiary.)
Can financial data be requested from banks? Yes, because bank secrecy is overruled by the third member. That’s apparent from the following paragraph from  CTIVD report 20 (.pdf, 2009, in Dutch) on financial-economic investigations by the AIVD in the context of the Financial Expert Centrum (FEC) that the AIVD participates in:
From the third member of Article 17 Wiv2002, possible legal requirements concerning the provision of data to the AIVD do not apply. The bank secret, that is important in the financial world, hence can be put aside in the context of data provisioning to the AIVD.
The FEC carries out investigations in the context of the European “freeze lists” conform EC/2580/2001 (.pdf) of funds belonging to persons or organizations that are suspected of involvement in terrorist activities.
Can medical data be requested? The third member of Article 13 Wiv2002 establishes a prohibition:
The processing of personal data concerning someone’s religion, race, health and sexual life does not take place.
“Health” and “sexual life” mean: sexuality, intimate conduct, medical or psychological conditions (see Article 8 of the European Data Protection Directive 95/46/EC).  Of course, data about political opinions can be processed. The fourth member of Article 13 Wiv2002 establishes an exemption to the prohibition of processing data about religion, race, health and sexual life:
The processing of data concerning the aspects meant in the third member only takes place in addition to the processing of other data and only insofar it is inevitable for the purposes of the data processing.
So: the AIVD cannot process medical data (or data about religion, race of sex life) on and by itself, but can do so if it is an addition to existing data processing — if doing so is not only necessary but also “inevitable”. Here are some thoughts. Due to legally mandated medical confidentiality, care providers (physicians, psychologists, etc.) may not disclose patient information. Exemptions to this exist: see the KNMG Handreiking beroepsgeheim en politie/justitie. But care providers are not the only ones in possession on medical data.
Health insurers process declarations for drugs and healthcare, and are not subject to medical confidentiality. That information about drug use can be very privacy sensitive, is clear: the use of SSRI’s is associated with anxiety and depression, the use of quetiapine with psychosis, methylphenidate with ADHD, etc. That information about the provided care can be very privacy-sensitive is also clear. During the introduction of the so-called “DBC system”, and secondary care became required to record DBCs: somatic care, surgery, but also mental healthcare. Care providers must on care declarations provide a “performance code”, and that code includes diagnostic information. The performance code has the format AAA BBB CCC DDD, where AAA = care type, BBB = diagnosis, CCC = stay (e.g. in hospital), DDD = treatment. The code lists for DBCs in mental care are available here. The diagnostic main groups as they become known to the health insurers are as follows:
001 = Other disorders in childhood
002 = Pervasive developmental
003 = Attention deficit disorders and behavioral disorders
004 = Group Rest diagnoses
005 = Adjustment disorders
006 = Other Conditions that may be a cause for concern
007 = Delirium, dementia and amnestic and other cognitive disorders
008 = Alcohol-related disorder
009 = Other disorders related to an agent
010 = Schizophrenia and other psychotic disorders
011 = Depressive disorders
012 = Bipolar and other mood disorders
013 = Anxiety Disorders
014 = Personality disorders
015 = Somatoform disorders
016 = Eating Disorder

Health insurers thus possess diagnostic information. Thanks to the very elaborate efforts of Dutch psychiatrist Kaspar Mengelberg (@DeVrijPsych) an opt-out exemption exists for (only) mental care providers. The diagnostic code can be replaced with “000″. However, Mengelberg states that institutional mental care providers (as opposed to self-employed ones) do not use this opt-out arrangement much. And that health insurers bully patients if the care declaration has a masked diagnostic code.
Moreover, there is the Dutch national DBC Information System (DIS). All care providers, including the mental care providers, are required to provide detailed diagnostic information in pseudonimized format to this system. Here (.pdf, 2012, in Dutch) is a visualization of the information flows. Consider the following (.pdf, 2012, in Dutch) concerning that pseudonimization:
As result of the applied pseudonimization, no persons can be identified in the DBC Information System (DIS). For the purposes of the Central Bureau for Statistics (CBS) a situation is created through which the CBS can link DIS-data to Municipal Citizen Registry. (…)
Hence, the CBS can, technically, link DIS-data to individual persons. That is not to say that this will ever happen at the request of the AIVD (one can imagine the scandal that would be). But it is clear to information about health, especially mental health, is relevant to the a- and d-task (who can we influence a target?) and to the b-task (security clearances; some 30-40k happen each year, of which some 1500 at the highest clearance).
Information about health can be acquired through observation and asking around in the social environment of someone, but less risky is having someone read it from a database. Homosexuality used to be an aggravating circumstance in screenings; fortunately we’ve moved past that. But health, mental health in particular, is and remains a relevant topic in security screenings, where it’s all about someone’s reliability and vulnerability to blackmail etc..
In conclusion: in order to obtain medical data, it is not necessary to infringe on medical confidentiality. The question then is: would the CTIVD be of the opinion that Article 17 Wiv2002 permits requesting medical data? Fact is that it is apparent that the banking secret does not apply to requests based on Article 17 Wiv2002.
A little sidestep to the US. The DoD defines (.pdf, 2014) “medical intelligence” as follows:
(…) the product of collection, evaluation, and all-source analysis of worldwide health threats and issues, including foreign medical capabilities, infectious disease, environmental health risks, developments in biotechnology and biomedical subjects of national and military importance, and support to force protection
The National Geospational Agency (NGA) and the NSA provide “support for medical intelligence and medical intelligence-related requirements”. Perhaps that involves the PATRIOT ACT. Plausibly, data about individual persons will occasionally be processed. Even in filling out an ESTA declaration a medical question is asked: “Do you have a communicable disease; physical or mental disorder; or are you a drug abuser or addict?” That same form asks for your name, address and passport information.
Back to the Netherlands, and the main topic of this post. The Dutch government has in 2006 proposed the power to demand data as part of the post-Madrid bill to change the Wiv2002. That bill explicitly also involved provisioning of financial data to the AIVD (Article 29a-1-a). Back then, it was one of the controversial items in the bill, that was eventually revoked. It remains to be seen whether elements of that proposal will re-appear in the bill that the Dutch cabinet is expected to propose later this year. The Dessens Committee, that last year reviewed the Wiv2002, has made no recommendations concerning Article 17 Wiv2002 or Article 29a in the revoked bill.
Related posts:
EOF
read more: