On 2 October 2020, the second Letter of Amendment was sent to the House of Representatives on the draft amendment of the Telecommunications Act in connection with the provision of information to the RIVM. The concept looks at the importance of the rivm’s task in the fight against epidemics. The proposal to amend the Telecommunications Act has been branded controversial because of the government’s resigning status.
Nevertheless, it is good to continue to monitor the progress of this legislative process. Indeed, an exception is made to the principle of the confidentiality of electronic communications by requesting information based on traffic and/or location data from the telecom operators. The concept is assessed according to the requirements of Article 15 e-Privacy Directive.
The intermediate position
The Dutch Data Protection Authority (AP) has indicated at an earlier stage that it is not convinced of the soundness of the legislative product. She recommended that the concept be supplemented in a number of respects in order to provide sufficient safeguards. From the point of view of the protection of personal data, it is important how large the areas in which information is provided are. The concept does not contain a minimum interval, so almost permanent monitoring could be in line with the text.
From the point of view of foreseeability for the data subject, it is difficult that only provisions are included in the draft concerning the end of the period for which data may be processed. There are no provisions on its onset, which may involve data still available from the period before the designation came into force. The law should limit this period to what is strictly necessary.
The concept also shows that there is no fixed, maximum retention period for this data. The period in which the data can be stored depends on the assessment of the necessity by the RIVM itself.
What has been done with the AP’s recommendations?
The proposal for a law has been amended in the second memorandum of information. The system has been changed in the sense that an attempt has been made to preserve the privacy of the data subjects. To this end, the use of the ‘actual’ positions of the phones has been abandoned, but a statistical approach is used.
For the purposes of the counts, the traffic data is used to calculate the chances that an aircraft was located in a municipality at the start of an active connection. The result of these calculations are the only ‘new data’ that arise. The new seventh paragraph also clarifies that this data must be destroyed after 30 days as soon as they have been used as input for determining the derived origin for the counts on the 30th day. It is also important that this information (the result of the calculation of the probability that an aircraft was located in a municipality) is a less precise derivative of the traffic data that the investigation and security services can already request as a result of the operation prescribed in the new third paragraph. Although the results of these calculations make the counts statistically more relevant, these results give a less faithful picture of the actual location where the device was located than the source data. This means that this ‘additional data’ cannot contribute to the investigation services and security services. In addition to limiting the traffic data already retained by the provider of active connections, the total number of statistical figures in paragraph 3 (new) is also regulated that the provider performs an operation for the purpose of obtaining the total numbers per municipality that makes the counts statistically more relevant and also adds ‘statistical noise’. This method contributes to the fact that the total numbers to be finally provided to CBS cannot be traced back to identifiable individuals. This method would be prescribed to the providers in the instructions under paragraph 10 (new). With this new third paragraph, this anonymising method is laid down in the bill. For a total number below 15, no information is provided to prevent a sports team from potentially being traced back to the same bus or train.
No opinion yet from the Dutch Data Protection Authority
It is not yet known what the Dutch Data Protection Authority thinks of these changes. However, another objection, namely the legal basis which appears to be contrary to Article 15 of the e-Privacy Directive, is not met. In particular, there is still some judicial review that the ministerial appointing authority has to pass.
Want to know more?
Click here to learn more about our Amsterdam, The Netherlands member firm Fruytier Lawyers in Business.