Netherlands surveillance

CTIVD Finds Dutch Spy Agencies Broke Their Own Bulk-Data Rules, Again

Oversight body report 84 found AIVD and MIVD gave too many staff access to bulk datasets and kept data past legal limits — the second such finding since 2020.

Dutch Bulk Data Oversight, By the Numbers People of Internet Research · Netherlands 13 CTIVD recommendations issued Fixes ordered after unlawful bulk-… Millions Records in bulk datasets AIVD/MIVD bulk datasets can hold m… 2020 Prior unlawful retention finding Second time in six years the agenc… 18 months Old retention deadline abolished 2024 law scrapped the evaluate-or-… peopleofinternet.com
Dutch Bulk Data Oversight, By the Numb… People of Internet Research · Netherlands 13 CTIVD recommendations … Millions Records in bulk datasets 2020 Prior unlawful retention finding 18 months Old retention deadline abolish… peopleofinternet.com

Key Takeaways

What CTIVD found

On July 1, 2026, the Dutch intelligence oversight body CTIVD (Commissie van Toezicht op de Inlichtingen- en Veiligheidsdiensten) sent parliament Toezichtrapport 84, its review of how the AIVD (general intelligence service) and MIVD (military intelligence service) handle so-called bulk datasets — bulk collections of personal records, sometimes running to millions of entries, drawn from other government bodies, commercial data brokers, and in some cases stolen datasets circulating after breaches. The finding is blunt: several statutory safeguards "are not in order," and as a result data has been processed unlawfully. Specifically, CTIVD found that groups of employees had access to bulk data beyond what their roles required, and that datasets were retained well past the periods the law permits (CTIVD, June 24, 2026).

CTIVD's own framing is worth quoting directly: "De verwerking van gegevens uit bulkdatasets vormt een privacy inbreuk voor de personen die er in voorkomen" — processing data from bulk datasets constitutes a privacy violation for the people in them — and, more pointedly, "verreweg het merendeel van de mensen die in deze datasets voorkomen, niks te maken hebben met spionage of terrorisme" — the vast majority of people in these datasets have nothing to do with espionage or terrorism. The committee issued 13 recommendations and attributed the failures to technical shortcomings in the agencies' systems and inadequate internal procedures for enforcing existing policy, rather than to any single rogue decision.

Not a first offense

This is not a new problem for the AIVD and MIVD. As the digital rights group Bits of Freedom notes in its response to the report, in 2020 the same agencies were found to have unlawfully retained bulk data on millions of citizens for too long — data that had to be destroyed only after Bits of Freedom filed a formal complaint (Bits of Freedom, June 2026). Six years and one legislative overhaul later, CTIVD is describing the same category of failure — excess access, excess retention — plus a newer complaint: that the services appear to be using bulk datasets, including breach-sourced material, to train their own AI systems, with no clear statutory basis and no opt-out for the citizens involved.

The legislative backdrop matters

The timing sharpens the story. Under the 2024 Tijdelijke wet onderzoeken AIVD en MIVD (temporary law 36.263), parliament already relaxed the retention regime the agencies are now shown to be violating: the original Wiv 2017 requirement that bulk datasets be evaluated for relevance within 18 months and destroyed otherwise was abolished, replaced with a system where ministers can annually extend storage on the services' request, subject to CTIVD review (Eerste Kamer, wetsvoorstel 36.263). In other words, lawmakers loosened the retention ceiling in 2024, and by 2026 the oversight body has found the agencies breaching even the loosened rules. The relevant ministers have said the report's findings will feed into a broader revision of the Wiv 2017, expected to go to public consultation in August 2026 (Tweede Kamer, kamerstuk 2026D34125).

The case for the agencies, fairly stated

Before concluding this is simply bad faith, it is worth stating the strongest version of the intelligence services' position. Bulk collection is not, in itself, indefensible: modern counterterrorism and counter-espionage work genuinely requires sifting large, noisy datasets to find the small number of records that matter, and legislators built the 2024 amendment precisely because rigid 18-month destruction deadlines were forcing services to discard data before its intelligence value could be assessed. Compliance failures at large bureaucracies handling millions of records are also not unique to intelligence agencies, and CTIVD itself attributes the problems substantially to technical and procedural gaps rather than deliberate abuse.

Why that defense runs out

But a genuine operational need for bulk analysis does not require unrestricted internal access or open-ended retention, and CTIVD's report shows the agencies failed at exactly the safeguards meant to reconcile the two — access controls and retention limits, not the existence of bulk collection itself. That distinction matters for the Wiv 2017 revision now heading toward consultation. The 2024 reform already traded a hard destruction deadline for a system of ministerial extensions reviewed by CTIVD; if that oversight layer cannot catch unlawful access and over-retention even under the looser regime, the answer is not necessarily to re-impose blunt deadlines that discard useful data, but to make CTIVD's technical audit capacity and access-logging requirements enforceable rather than advisory. A proportionate regime lets services keep bulk data long enough to be useful while making unauthorized access technically difficult, not merely against policy on paper — and gives the oversight body teeth to require fixes on a timeline, not just a promise that findings will be "taken into account" in the next bill.

The alternative — treating each CTIVD report as background noise until the next one repeats the same findings — is what produced this exact pattern from 2020 to 2026. Dutch legislators have a real opportunity in the August consultation to write access and audit requirements into the statute with the same specificity they gave retention extensions in 2024. That is a more durable answer than either unchecked bulk collection or a reflexive rollback of the tools services say they need.

Sources & Citations

  1. CTIVD news release on Toezichtrapport 84
  2. CTIVD Toezichtrapport 84 document page
  3. Tweede Kamer kamerstuk 2026D34125
  4. Eerste Kamer, wetsvoorstel 36.263 (Tijdelijke wet onderzoeken AIVD en MIVD)
  5. Bits of Freedom reaction to CTIVD report 84