I'm struggling to see the point of this policy. At first, I assumed it was a way of proving an account isn't a sockpuppet (each sends a copy of their passport, thus proving there are two real people involved - not particularly conclusive proof, given how easy it is to get hold of a scan of someone else's passport, though).
Now, it seems it's just supposed to be an arbitrary hoop to jump through to weed out people that are just in it for a laugh and don't care enough to go to the trouble of sending a letter. I really don't think it is appropriate to request such sensitive personal information for such a reason.
If this policy is going to continue, then the Dutch community need to work with the WMF to ensure it is done in keeping with the privacy policy. I don't think the current wording of the policy makes it clear that it is outside the privacy policy and I also don't think an individual project should be allowed to unilaterally decide that the privacy policy doesn't apply, even if the affected people consent to it (especially if they are required to consent to it in order to edit the project).