AP (The Netherlands) - 11.03.2021
AP (The Netherlands) - Gemeente Enschede | |
---|---|
Authority: | AP (The Netherlands) |
Jurisdiction: | Netherlands |
Relevant Law: | Article 4 GDPR, Article 6(1)(c) GDPR, Article 6(1)(e) GDPR, Article 6(1)(f) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 11.03.2021 |
Published: | 29.04.2021 |
Fine: | 600000 EUR |
Parties: | Municipality of Enschede |
National Case Number/Name: | Gemeente Enschede |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | Dutch |
Original Source: | Autoriteit Persoonsgegevens (in NL) |
Initial Contributor: | n/a |
The Dutch DPA fined the municipality of Enschede €600,000 for processing the personal data of 1.8 million unique mobile device owners between 25 May 2018 and 30 April 2020 without a legal basis.
English Summary
Facts
On 6 September 2017 the municipality of Enschede decided to start 24/7 WiFi tracking in the centre of the city. Its purpose was to measure the effectiveness of municipal investments, in view of the responsible use of public funds. The contract to execute this task was given to City Traffic B.V., now Bureau RMC. Bureau RMC then contracted an unnamed party to do the installation and maintenance of the sensors and to collect and validate the data gathered by the sensors. Information collected included hashed MAC-addresses, date and timestamp of exposure, signal strength and sensor ID. It was stored for a period between 6 and 7 months. Starting from 1 January 2019 the hashed MAC-addresses were also truncated. On 30 April 2020 the municipality gave an assignment to Bureau RMC to switch the tracking sensors off.
Dispute
According to the municipality, the data was sufficiently anonymized in such a way that no personal data was processed. The municipality also did not agree with the AP that it was a personal data controller in this case. Finally, the municipality argued that this processing could be based on Article 6(1)(c) GDPR, “compliance with a legal obligation”, or Article 6(1)(e) GDPR, “the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”.
Holding
The AP concludes that the chosen anonymization method of truncating a small part of the hashed MAC address does not sufficiently exclude the risks of singling out, linking or deducing a person’s identity based on a pseudonymous identifier combined with a timestamp and location information (available via the sensor ID). Because of that, the data processed by the municipality constitutes personal data. Because the data was stored for a long time and the truncated/hashed MAC addresses were not rotated, clear life and location patterns could be deduced from the data set. These patterns could reveal, for example, someone's home or place of work, but also more sensitive data such as visits to medical institutions. Although it was not the municipality’s intention to track people’s life patterns and there is no evidence that this actually happened, the AP considered these facts irrelevant for this case.
According to the AP, the municipality was the controller because it decided on the means and purposes of the personal data processing; it had even issued orders to Bureau RMC about the specifics of this processing on at least one occasion.
Furthermore, the AP considered that there was no law that obliged the municipality to do WiFi tracking in the city centre. Nor could this processing follow from a broadly formulated duty of care or a statutory obligation. Moreover, the municipality did not respect the conditions of necessity and proportionality, as there were less privacy-intrusive ways to count the number of visitors to a city centre, such as infrared counters. In view of Recital 47 GDPR, the AP considered that legitimate interest also could not be a valid legal basis in this case because, according to its own arguments, the municipality had acted in the exercise of its official authority.
The AP did not see any reason to reduce the fine; it considered the amount of €600,000 to be proportionate.
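The AP's reasoning about truncated, non-rotated hashes can be checked numerically. The sketch below is an added illustration, not part of the decision or of any code used by the municipality or its contractors; it measures how many pseudonyms still map to exactly one device and how many (day, sensor) points one pseudonym ties together. The hash function (SHA-256), the truncation length (8 of 64 hex characters removed) and the daily-salt rotation scheme are assumptions, since the page does not specify them, and all sightings are constructed.

```python
import hashlib
import random
from collections import defaultdict

KEEP_HEX = 56  # assumption: 8 of 64 hex chars cut off ("a small part")

def pseudonym(mac, salt=""):
    """Hash a MAC (optionally salted) and truncate the digest."""
    return hashlib.sha256((salt + mac).encode()).hexdigest()[:KEEP_HEX]

def make_sightings(n_devices=2000, n_days=30, seed=1):
    """Constructed data: (mac, day, sensor_id) tuples for random devices."""
    rng = random.Random(seed)
    macs = ["%012x" % rng.getrandbits(48) for _ in range(n_devices)]
    return [(mac, day, rng.randrange(10))
            for mac in macs for day in range(n_days) if rng.random() < 0.3]

def _salt(day, rotate_daily):
    # Hypothetical rotation scheme: a different salt for every day.
    return "day-%d" % day if rotate_daily else ""

def singled_out_share(sightings, rotate_daily):
    """Share of pseudonyms that belong to exactly one device."""
    devices = defaultdict(set)
    for mac, day, _ in sightings:
        devices[pseudonym(mac, _salt(day, rotate_daily))].add(mac)
    return sum(len(d) == 1 for d in devices.values()) / len(devices)

def max_points_linked(sightings, rotate_daily):
    """Largest number of (day, sensor) points tied to one pseudonym."""
    points = defaultdict(set)
    for mac, day, sensor in sightings:
        points[pseudonym(mac, _salt(day, rotate_daily))].add((day, sensor))
    return max(len(p) for p in points.values())

if __name__ == "__main__":
    data = make_sightings()
    for rotate in (False, True):
        print("rotate_daily=%s singled_out=%.2f max_points_linked=%d" % (
            rotate, singled_out_share(data, rotate),
            max_points_linked(data, rotate)))
```

Under these assumptions truncation creates no anonymity set at all: every pseudonym still corresponds to one device. Rotation shortens the movement profile a single pseudonym can carry, but each rotated pseudonym still singles out one device within its day.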
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.