The Netherlands: Intelligence agencies must remove large bin of data of Dutch citizens

A Google data center in Belgium – GOOGLE

Dutch intelligence agencies AIVD and MIVD are violating the law by storing data of citizens that are not the subject of investigation for a long time. That is the conclusion of the watchdog for the intelligence agencies, the Commission of Supervision of the Intelligence and Security Services (CTIVD). The data must be deleted.

This is not about what critics call the ‘sleepnet’ (or ‘dragnet’ in English), which is used by the intelligence agencies to retrieve data from many people at the same time via untargeted internet taps. Instead, it concerns large amounts of private data that the agencies have received via, for example, a hack. The privacy impact of such a ‘bulk dataset’ can be comparable or even greater than an internet tap.

For example, an intelligence agency could hack a telecom provider to get the bills of all customers, and then retrieve the call history of possible terrorists. A mail provider could also be hacked. It is not known what kind of data is involved; it can concern both Dutch citizens and foreigners.

“The law states that these data may be kept for a year and a half, but they have kept them much longer,” said Addie Stehouwer from CTIVD. “That includes data they know will never be relevant.”


The verdict comes after a complaint from action group Bits of Freedom. It is not the first time that the regulator has warned about this, but now the judgment is binding. “We are very happy with the ruling, which says that these data must now be destroyed,” said Lotte Houwing of Bits of Freedom.

“We filed our complaint because the agencies broke the law, but the government did nothing about it,” says Houwing. “It’s problematic that this is happening and that our surveillance system is incapable of solving it on its own.”

The CTIVD is not warning for the first time that the law does not allow this at all. As early as 2019, the CTIVD wrote that the way in which the gigantic data sets are treated is wrong. In 2020, the agencies were warned again, and the CTIVD ruled that several datasets had to be destroyed. That didn’t happen.

The AIVD did not want to comment; the MIVD could not be reached for comment.