Summary:
A July 2026 report by the Dutch intelligence oversight body, the Review Committee on the Intelligence and Security Services (CTIVD), found that the country’s two main spy agencies — the General Intelligence and Security Service (AIVD) and the Military Intelligence and Security Service (MIVD) — repeatedly violated legal requirements when handling large collections of citizens’ personal data. The committee documented unlawful staff access and excessive retention of personal information affecting millions of people with no connection to espionage or terrorism. While the CTIVD did not confirm that retained data was used to train artificial intelligence systems, the digital rights group Bits of Freedom interpreted the findings as suggesting the agencies may be using such data for AI development. The Dutch government accepted the oversight findings and pledged reforms. The case revives questions first raised in 2020, when the same agencies were ordered to delete millions of unlawfully held records.
Detailed Report
1. Oversight Findings and Confirmed Violations
The Dutch intelligence oversight body, the CTIVD, concluded in its July 2026 Report 84 that the AIVD and MIVD failed to meet legal requirements when processing bulk datasets — large collections of personal data that can include millions of records. The committee identified two main violations: groups of staff had unlawful access to restricted data, and large volumes of personal information were retained longer than permitted. Most people in these datasets had no connection to espionage or terrorism. The CTIVD described the problems as systemic, caused by technical shortcomings and weak internal controls, and issued thirteen recommendations for improvement.
2. The Intelligence and Security Services Act 2017 (Wiv 2017) Legal Framework
The Intelligence and Security Services Act 2017 (Wet op de inlichtingen- en veiligheidsdiensten, Wiv 2017), as amended in 2023, governs the activities of the AIVD and MIVD. The law permits the collection and processing of bulk datasets only when strictly necessary for national security tasks such as counter-terrorism and counter-espionage. Wiv 2017 requires that any intrusion into privacy be justified by necessity and proportionality, with strict limits on data retention and access. Oversight is provided by the CTIVD and the Review Board for the Use of Powers (Toetsingscommissie Inzet Bevoegdheden, TIB).
3. AI Training Concerns: Bits of Freedom’s Interpretation
While the CTIVD did not confirm that unlawfully retained data was used to train AI models, the digital rights group Bits of Freedom interpreted the findings as suggesting the agencies may be using such data for AI development. BoF pointed to the agencies’ growing use of automated analysis, the presence of unlawfully retained and commercially purchased data (including from breach sources), and weak internal controls as supporting factors. The group called for stronger oversight and greater public input into the upcoming revision of Wiv 2017. BoF’s claims remain an interpretation and are not confirmed by the CTIVD.
4. Historical Pattern of Data Governance Failures
The July 2026 findings are part of a recurring pattern. In 2020, following a complaint by Bits of Freedom, the CTIVD ordered the destruction of millions of unlawfully retained citizen records. The oversight body’s latest report references similar violations in previous years, highlighting persistent weaknesses in the agencies’ ability to comply with legal requirements for data handling. Despite prior interventions, the agencies have struggled to implement effective safeguards.
5. Dutch Government and Regulatory Responses
The Dutch government, through Ministers Pieter Heerma (Interior) and Dilan Yeşilgöz (Defence), formally acknowledged the CTIVD’s findings and accepted the need for significant reforms. The government emphasized the necessity of bulk data for national security but committed to implementing stricter safeguards, technical upgrades, and enhanced oversight. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) has repeatedly warned about the risks of large-scale, opaque data processing by government agencies, especially when automated decision-making is involved. Legislative reforms to Wiv 2017 are underway, with public consultation scheduled for August 2026, aiming to address the shortcomings identified by the CTIVD.
6. International Context
The Dutch controversy reflects broader international concerns. In the United States, The Intercept has reported that the National Security Agency (NSA) purchases and analyzes vast amounts of sensitive personal data with AI tools, raising privacy and oversight concerns. The United Kingdom’s Government Communications Headquarters (GCHQ) has faced repeated legal challenges and was found by the European Court of Human Rights in 2021 to have violated privacy rights through untargeted bulk data collection. Germany’s Federal Intelligence Service (Bundesnachrichtendienst, BND) has been scrutinized in parliamentary inquiries for its retention and analysis of bulk metadata, though no confirmed cases of AI training on unlawfully retained data have emerged. European courts, including the European Court of Human Rights and the Court of Justice of the European Union, have consistently ruled that indiscriminate data retention is incompatible with fundamental rights unless accompanied by robust, independent oversight and strict legal safeguards.
Conclusion
The July 2026 CTIVD report has exposed systemic legal violations by the AIVD and MIVD in their handling of bulk citizen data. While claims that unlawfully retained data was used to train AI models remain unconfirmed by the oversight body, the episode underscores the urgent need for robust oversight, transparent safeguards, and clearer rules as intelligence agencies increasingly adopt advanced technologies.