Recently, the Court of Appeal of The Hague held that the storage of Dutch citizens’ personal data in a central register is an unjustified violation of the right to privacy.

In light of, amongst other things, the implementation of the European regulation on standards for security features and biometrics in passports and travel documents, and to comply with this regulation, the Dutch Passport Act was amended in 2009. This new Passport Act states that future passports would have to contain a chip with a digital facial image and two fingerprints of each applicant. The Dutch government therefore planned to create a central register to hold the facial image files and four fingerprints of each applicant (two of which are included in the passport for identity verification). This new register would also serve other purposes: it would help passport fraud control, and it would allow applicants to renew their passport in any municipality in the Netherlands. The national government acknowledged that the request and saving of these personal data would form a violation of the right to privacy of Dutch citizens, but the government stated that the data storage was proportionate and justified, considering the intended purposes.

The interest group Privacy First disagreed with the government. This group, which seeks to publicly promote the enhancement and preservation of the right to privacy, believed that the creation of this central register violates this fundamental right enshrined in several international laws and regulations. The group launched legal proceedings against the Dutch government. The district court of The Hague ruled that Privacy First did not have a cause of action. Privacy First then appealed against this verdict.

Remarkably, the government meanwhile reviewed their amendments to the new Passport Act. The government concluded that the storage of these personal data in a central register did not achieve its purpose, namely passport fraud control via one’s identity verification.  Therefore, the Act’s provisions that related to the storage of personal data in a central register would be suspended. Furthermore, the number of fingerprints to be taken for the filing would be reduced from four to two in accordance with European regulation.

On appeal, the Court of Appeal ruled that since Privacy First and the government now share the same views about the central register, Privacy First would have lost its standing in their cause of actions, so it dismissed the interest group’s claims. However, the Court of Appeal found that the district court had erred when it held that Privacy First did not have a cause of action at the time. Since Privacy First is an interest group advocating the protection of the general interest of Dutch nationals’ right to privacy, it should have been able to bring proceedings before the civil court according to Article 3:305 of the Dutch Civil Code (Burgerlijk Wetboek). This would only have been different if the interest group had represented the combined interest of individuals.  The Court of Appeal further ruled that Privacy First incurred a financial risk.

The Court of Appeal also ruled that in view of all the circumstances of the case at first instance, the district court should have ruled in favour of Privacy First concerning their arguments against the setting up of a central register. This central register’s storage of Dutch citizens’ personal data is an unjustified violation of one’s right to privacy enshrined in Article 8 ECHR because it did not fulfill its purpose. The Court of Appeal understands that this was a violation from the start, but this had only become evident after the first ruling.

[Source: Court of Appeal The Hague, 18 February 2014, ECLI:NLGHDHA:2014:412]