Recognizing this, we now offer a choice of email hosting in the Netherlands or the USA, and are working to bring online email servers in other countries soon.

You are currently viewing the US site. If you would like to switch to the Netherlands site, click here.

Electronic Privacy in the Netherlands

According to the EPIC / Privacy International survey of Privacy & Human Rights (2003), the right to privacy is guaranteed by the constitution of the Netherlands:

The Constitution grants citizens an explicit right to privacy.^[1896] Article 10 states: "(1) Everyone shall have the right to respect for his privacy, without prejudice to restrictions laid down by, or pursuant to, Act of Parliament. (2) Rules to protect privacy shall be laid down by Act of Parliament in connection with the recording and dissemination of personal data. (3) Rules concerning the rights of persons to be informed of data recorded concerning them, of the use that is made thereof, and to have such data corrected shall be laid down by Act of Parliament." Article 12 states: "(1) Entry into a home against the will of the occupant shall be permitted only in the cases laid down by, or pursuant to, Act of Parliament, by those designated for this purpose by, or pursuant to, Act of Parliament. (2) Prior identification and notice of purpose shall be required in order to enter a home under the preceding paragraph, subject to the exceptions prescribed by Act of Parliament. A written report of the entry shall be issued to the occupant." Article 13 states, "(1) The privacy of correspondence shall not be violated, except in the cases laid down by Act of Parliament or by order of the courts. (2) The privacy of the telephone and telegraph shall not be violated, except in the cases laid down by Act of Parliament, by or with the authorization of those designated for this purpose by Act of Parliament."

In May 2000, the government-appointed Commission for Constitutional Rights in the Digital Age presented proposals for changes to the Dutch Constitution. The commission was set up after confusion about the legal status of e-mail under the constitutionally protected right to secrecy of correspondence. The commission's task was to investigate if existing constitutional rights should be made more technology-independent and if new rights should be introduced. According to this proposal, Article 10 will be expanded to the right of persons to be informed about the origin of data recorded about them and the right to correct that data. Article 13 would be made technology-neutral and would give the right to confidential communications. Only a judge or minister could authorize intrusions upon this right. Until now, no proposal for changes of the Constitution based on the commission's proposal has been brought before Parliament.

The Dutch data protection authority (College Bescherming Persoonsgegevens, or CBP) exercises supervision of the operation of personal data files in accordance with the Act.^[1898]

In its 2002 annual report^[1899] the CBP expresses its concern about the way various prominent Dutch administrators and politicians have characterized privacy in the public and political debate on security: "Privacy protection was portrayed as an impediment to public safety". The CBP criticizes this approach by arguing that "privacy protection is one of the success factors for effective government;" notices that the general political climate has hardened since "9/11" and there is a general shift in the public opinion towards supporting measures to ensure public safety and national security, and greater police powers, and that a simplistic introduction of greater police powers could seriously undermine the rights and interests of ordinary citizens.^[1900]

Interception of communications is regulated by the Criminal Code and requires a court order.^[1915] The Intelligence services do not need a court order for interception, but obtain their authorization from the Minister of Interior. The Special Investigation Powers Act which came into effect in February 2000 streamlines criminal investigatory methods.^[1916] A new Telecommunications Act was approved in December 1998, requiring all ISPs to have the capability to intercept all traffic with a court order.^[1917] The bill was enacted after ISP XS4ALL, refused to conduct a broad wiretap of electronic communications of one of its subscribers^[1918].

Of-course, it's important to remember that while specific laws are always subject to change, an overall culture of respect for individual privacy is the final guardian of these rights.

The Kingdom of the Netherlands has successfully pioneered civilized policies in contrast to the rest of the world in diverse areas, including victimless crimes, censorship, encryption and data protection.

The Netherlands is also home to a large number of free speech and civil liberties activists and organizations, who have succeeded in focussing attention on privacy issues and scoring significant wins against privacy invasions. As the report notes:

In February 2002, the privacy and civil liberties organization, Bits of Freedom, organized the first Dutch Big Brother Awards.^[1933] The awards were granted to: the Health Institute RIVM for archiving over one million blood samples of children, without any legal basis or permission from the children; the Mevis Committee for its 2001 report (above); the Organization for Applied Scientific Research (TNO) for the development of the Automatic Aggression Detection video processing software; and to the State Secretary of Transport, Public Works and Water Management, Monique de Vries, for re-introducing proposals for data retention.^[1934]

Electronic Privacy in the USA

According to the same EPIC / PI report:

There is no explicit right to privacy in the United States Constitution. The Supreme Court has ruled that there is a limited constitutional right of privacy based on several provisions in the Bill of Rights. This includes a right to privacy from government surveillance into an area where a person has a "reasonable expectation of privacy"^[2809] and also in matters relating to marriage, procreation, contraception, family relationships, child rearing and education.^[2810] Some states within the country have incorporated explicit privacy protections into their state constitutions.^[2811]

However, the United States has taken a sectoral approach to privacy regulation so that records held by third parties, such as consumer marketing profiles or telephone calling records, are generally not protected unless a legislature has enacted a specific law.^[2812] The Court has also recognized a right of anonymity^[2813] and the right of political groups to prevent disclosure of their members' names to government agencies.^[2814]

The US has passed comprehensive medical privacy legislation:

In April 2003, the first federal regulation protecting individually identifiable health information became effective for enforcement. The Standards for Privacy of Individually Identifiable Health Information, commonly known as the "HIPAA Privacy Rule," provide basic protections for individually identifiable health information and give individuals rights with respect to the information about them.

The report notes that many large US companies don't take customer privacy seriously (and often actively violate it):

Internet privacy has remained the hottest issue of the past few years. Several profitable companies, including eBay.com, Amazon.com, drkoop.com, and Yahoo.com have either changed users' privacy settings or have changed privacy policies to the detriment of users.^[2872] A series of companies, including Intel and Microsoft, were discovered to have released products that secretly track the activities of Internet users.^[2873] Users have filed several lawsuits under the wiretap and computer crime laws. In several cases, TRUSTe, an industry-sponsored self-regulation watchdog group ruled that the practices did not violate its privacy seal program.

The report also notes that in recent years, privacy protections in the USA have been significantly weakened:

In December 2001, the FBI confirmed the existence of a technique called "Magic Lantern."^[2887] This device would reportedly allow the agency to plant a Trojan horse keystroke logger on a target's computer by sending a computer virus over the Internet.

In July 2000, it was revealed that the FBI had developed a system called "Carnivore" that is placed at an ISP's offices and can monitor all traffic about a user including e-mail and browsing.^[2891] Earthlink, a major ISP, announced that it refused to install the system in its network.^[2892] After the system was discovered, Attorney General Reno promised to conduct a review of its privacy protections.^[2893] In the fall of 2000, the Justice Department commissioned a team of experts at the Illinois Institute of Technology Research Institute (IITRI) and the Illinois Institute of Technology Chicago-Kent College of Law to undertake an independent review of the carnivore system. The IITRI group issued its final report on Carnivore in December 2000 and made several recommendations for changes to the system.^[2894] These recommendations have not yet been implemented by the Justice Department and the system remains in use today. In May 2002, EPIC obtained Freedom of Information Act (FOIA) documents on Carnivore that indicated that the program may have hindered the government's anti-terrorism investigation by overcollecting data in violation of wiretapping laws.^[2895]

The USA PATRIOT Act, which passed in the wake of the September 11, 2001 attacks, significantly weakened privacy protections in federal wiretapping statutes.^[2896] The Act extended the "pen register" portions of federal wiretapping law, allowing Carnivore to be used to collect traffic data based on a mere certification of a prosecutor that it would collect information relevant to an ongoing investigation.^[2897] The bill made computer crimes and terrorism predicate offenses for initiation of a federal wiretap.^[2898] The bill authorizes national application of a wiretap order, that is, a court in one jurisdiction can issue a warrant that could apply anywhere in the country.^[2899] Courts can issue roving wiretaps, giving law enforcement the ability to monitor many different devices that a suspect may use.^[2900] Although supporters of the USA PATRIOT Act claimed that a sunset provision in the bill would limit police power, only some of the new surveillance authority will expire. Also, several states followed suit by passing state legislation that loosens protections against wiretaps.^[2901]

Following the USA PATRIOT Act, Congress further weakened privacy protections against wiretapping in passing the Cyber Security Enhancement Act (CSEA).^[2902] The CSEA allows communications providers to voluntarily provide government agents with access to the contents of customer communications without consent based on a "good faith" belief that an emergency justifies the release.