Dutch spy agency slammed for almost unlawfully bad handling of citizens’ private data
Dutch intelligence agencies are failing to properly safeguard vast collections of citizens’ personal data, according to a watchdog report that warns of repeated privacy violations in large-scale data processing. The review body says AIVD and MIVD staff have accessed and retained sensitive datasets in ways that breach legal safeguards.

Via Shutterstock
Dutch intelligence agencies are failing to properly safeguard vast collections of citizens’ personal data, according to a watchdog report that warns of repeated privacy violations in large-scale data processing. The review body says AIVD and MIVD staff have accessed and retained sensitive datasets in ways that breach legal safeguards.
- Dutch intelligence agencies AIVD and MIVD mishandled bulk sensitive citizen data, violating privacy safeguards, a watchdog found.
- CTIVD says staff had unlawful access and stored personal data too long in large-scale datasets.
- The agencies collect and use bulk data for security work, including terrorism and cyber threat investigations.
- The watchdog warns of privacy risks for millions and urges stronger controls, while ministers accept findings and promise improvements.
Key Takeaways by nexos.ai, reviewed by Cybernews staff.
As part of their statutory duties, the Dutch intelligence agencies are allowed to collect personal information of millions of people. These bulk datasets sometimes contain sensitive information, including names, phone numbers, email addresses, location data, social media data, and content-related communication data.
The datasets originate from various government bodies, as well as from online public sources and from commercially available or stolen datasets offered by hackers on the dark web.
The intelligence agencies are permitted to use these bulk datasets to launch investigations into terrorism, espionage, and digital threats from countries with a so-called “offensive cyber program.”
However, certain conditions apply. For example, the data may only be collected and stored for a limited time. All data that’s considered irrelevant must be removed immediately. Lastly, only a handful of workers are allowed access to this information.
This is where things go wrong.
Stay updated with our latest stories and follow us on social media
Be the first to discover new stories, ideas, and updates from our team.
According to the Review Committee on the Intelligence and Security Services (CTIVD), several safeguards to protect citizens’ privacy are being violated, increasing the risks of unlawful practices and negligence.
The Review Committee found that groups of AIVD and MIVD employees had unlawful access to personal data. In some cases, large quantities of personal data were retained for too long.
“The processing of data from bulk datasets constitutes a privacy violation for the individuals included in them. Furthermore, the vast majority of people included in these datasets have nothing to do with espionage or terrorism. The safeguards regarding data processing must simply be in place,” Hugo Hillenaar, Chairman of the CTIVD, said in a statement.
The Review Committee concludes that these issues are due to technical shortcomings and procedural errors. The supervisor has formulated 13 recommendations for improvement.
In response to the report, Pieter Heerma, Minister of the Interior and Kingdom Relations, and Dilan Yeşilgoz-Zegerius, Minister of Defense, say they agree with the conclusions of the Review Committee. According to the ministers, improving the management of bulk datasets to improve the privacy of Dutch citizens is a high priority for the intelligence agencies.
Unlock more exclusive Cybernews content on YouTube.