In 2017, the Dutch Parliament controversially approved the Dutch Intelligence and Security Services Act (ISS Act) 2017, which started applying in May 2018. The Act aimed to reflect both new security threats and technological developments. Many groups and individuals took issue with the law’s provisions allowing for mass, indiscriminate surveillance by authorities and their bulk collection of personal data. The draft law inspired a citizen-initiated referendum and multiple court cases aimed at changing the law to better protect individual privacy, all of which were largely unsuccessful. An Explanatory Memorandum submitted with the original bill and many scholars have assessed the law’s (in)compatibility with the Council of Europe legal framework. Little attention, however, has been given to how the law adheres to EU data protection standards. Whilst EU law does not extend to national security and intelligence, EU data protection law can provide guidance on how authorities should collect and process individuals’ personal data. Furthermore, the Court of Justice of the EU has increasingly made pronouncements on Member State law that covers security issues. Using EU data protection law as a guide, this chapter assesses certain provisions of the ISS Act. It determines that the Act does not adhere to the cornerstone principles of purpose limitation, data minimisation and limited data retention.
Mistale Taylor is Assistant Professor, Utrecht University. Thank-you very much to Yulan Weeres for her invaluable help. Thank-you, too, to Ilina Georgieva for her feedback on an earlier draft. All mistakes remain the author’s own.
This is a preview of subscription content, log in via an institution to check access.
