Rb. Overijssel - ZWO 22/775
Rb. Overijssel - ZWO 22/775 | |
---|---|
Court: | Rb. Overijssel (Netherlands) |
Jurisdiction: | Netherlands |
Relevant Law: | Article 4(1) GDPR; Article 6(1) GDPR |
Decided: | 02.02.2024 |
Published: | 02.02.2024 |
Parties: | Enschede municipality; AP (The Netherlands) |
National Case Number/Name: | ZWO 22/775 |
European Case Law Identifier: | ECLI:NL:RBOVE:2024:594 |
Appeal from: | AP (The Netherlands) [1] |
Appeal to: | Pending appeal |
Original Language(s): | Dutch |
Original Source: | Rechtspraak (in Dutch) |
Initial Contributor: | Droogstoppel |
A court ruled that the Dutch DPA did not prove that the MAC addresses constituted personal data (cf Article 4(1) GDPR), because it did not sufficiently prove that the controller would be able to identify persons connected to the MAC addresses.
English Summary
Facts
On 6 September 2017 the municipality of Enschede decided to start 24/7 WiFi tracking in the centre of the city. Its purpose was to measure the effectiveness of municipal investments, in view of the responsible use of public funds. The contract to execute this task was given to City Traffic B.V., now Bureau RMC. Bureau RMC then contracted an unnamed party to do the installation and maintenance of the sensors and to collect and validate the data gathered by the sensors. Information collected included hashed MAC-addresses, date and timestamp of exposure, signal strength and sensor ID. It was stored for a period between 6 and 7 months. Starting from 1 January 2019 the hashed MAC-addresses were also truncated. On 30 April 2020 the municipality gave an assignment to Bureau RMC to switch the tracking sensors off.
The Dutch DPA concluded that the chosen anonymization method of truncating a small part of the hashed MAC address does not sufficiently exclude the risks of singling out, linking or deducing a person's identity based on a pseudonymous identifier, timestamp and location information (available via the sensor ID). According to the Dutch DPA, employees of the controller could identify people in three ways: (a) When someone walks past a sensor, their MAC address is registered, and an employee in the vicinity of the sensor could see who is walking by and link the MAC address to the person walking by at that moment. (b) The moment a device enters the range of a sensor and the moment it leaves that range were stored. If someone enters the range of a sensor and does not leave it for a longer time, an employee could find out who is within range of the sensor during the corresponding time span and connect the MAC address to that person. (c) An employee could determine a movement pattern based on the readings of multiple sensors, and use this information to link the MAC address to a specific person.
Because of these reasons the Dutch DPA held that the data processed by the controller constituted personal data. The Dutch DPA considered that the controller did not have an adequate legal basis for processing the personal data, and imposed a fine of €600,000.
Holding
The main question the court answered in the case was whether the Dutch DPA had proven that MAC addresses constitute personal data under Article 4(1) GDPR.
The court held that the Dutch DPA had insufficiently substantiated its claim that employees of the company would be able to identify the natural person connected to a MAC address. The court noted that the Dutch DPA relied on too many assumptions in its argumentation. (For example, the controller held that the range of the WiFi sensors was large, and the DPA assumed, without proof, that this claim by the controller was wrong.) Because of these unproven assumptions, the court concluded that the Dutch DPA had not proven that the MAC addresses constitute personal data, and therefore had not proven that the controller had infringed the GDPR. The court overturned the DPA's previous decision and annulled the fine that the Dutch DPA had imposed on the municipality.
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
This statement has been anonymized according to the anonymization guidelines.

ECLI:NL:RBOVE:2024:594
Authority: Overijssel District Court
Judgment date: 02-02-2024
Date of publication: 02-02-2024
Case number: ZWO 22/775
Jurisdictions: Administrative law
Special characteristics: First instance - multiple
Content indication: The court declares the appeal of the municipality of Enschede well-founded. The municipality appealed against an administrative fine of 600,000 euros imposed by the Dutch Data Protection Authority.
Locations: Rechtspraak.nl; Sdu News Privacy Law 2024/105; Sdu News Privacy Law 2024/20

OVERIJSSEL COURT
Location Zwolle
Administrative law
case number: ZWO 22/775

ruling of the multiple chamber in the case between
the mayor and aldermen of Enschede, plaintiff, authorized representative: Mr. M.H. Elferink,
and
Dutch Data Protection Authority, hereinafter: AP, authorized representative: Mr. J.M.A. Koster.

Introduction

In this ruling, the court assesses the plaintiff's appeal against the administrative fine of €600,000 imposed on him by the AP. With the contested decision of April 6, 2022 on the plaintiff's objection to the fine decision of March 11, 2021, the AP has stood by that decision.

The court heard the appeal on November 29, 2023. The plaintiff was represented by K.B.H. Ligthart-Kaalverink, assisted by the authorized representative and M.M. Shorter. The AP was represented by its representative, assisted by W. van Steenbergen and V. Klos. Furthermore, [name], hereinafter [name], was heard.

Establishment of the decision

1.1 On September 5, 2017, the plaintiff decided to start 24/7 footfall counts via sensors in the city center of Enschede from September 6, 2017 to gain insight into visitor numbers. The contract for this has been awarded to [company 1] B.V., now [company 1]. This agency has engaged [company 2] B.V. for the technology.

1.2 On July 16, 2018, the AP received a complaint from [name] requesting enforcement action against the municipality of Enschede due to WiFi tracking that infringes the privacy of Enschede residents and visitors.

1.3 The AP received two more complaints about WiFi tracking by the plaintiff on December 2, 2018 and January 4, 2019.

1.4 The AP subsequently launched an investigation. In this context, information has been requested from the plaintiff, [company 1] and [company 2] B.V. On May 29, 2019, AP supervisors conducted a local investigation at a number of retailers in the city center of Enschede where a sensor was located.

1.5 On April 21, 2020, the AP released an investigation report, which concluded in summary that the processing of personal data of owners/users of mobile devices with Wi-Fi enabled in the city center of Enschede is unlawful. The defendant concludes that the plaintiff, as controller, has acted in violation of the General Data Protection Regulation (GDPR) from May 25, 2018 until the date of the report.

1.6 Following this report, the AP announced its intention on May 8, 2020 to impose a sanction on the claimant, namely an administrative fine and/or a penalty payment.

1.7 The plaintiff has submitted an opinion against this intention.

1.8 By decision of March 11, 2021, the AP imposed an administrative fine on the plaintiff of €600,000 because the plaintiff (from May 25, 2018 to April 30, 2020) processed, without any basis, personal data of owners/users of mobile devices with Wi-Fi enabled in the city center of Enschede. The plaintiff has thus violated Article 5, first paragraph, under a, in conjunction with Article 6(1) of the GDPR.

1.9 The plaintiff has appealed against this decision. A hearing took place on September 16, 2021.

1.10 In the decision of April 6, 2022, which was contested on appeal, the AP declared the objection unfounded.

Assessment by the court

Can [name] be regarded as a third party?

2.1 The court has designated [name] as a third party at the request of the AP. The plaintiff has taken the position that [name] cannot be regarded as such.

2.2 [name] has submitted a request for enforcement. Such a request is only an application within the meaning of Article 1:3, third paragraph, of the General Administrative Law Act (GALA), if this request has been made by an interested party. The response to such a request submitted by an interested party is then a decision as referred to in Article 1:3, first paragraph, of the General Administrative Law Act, against which legal remedies can be used. In accordance with Article 1:2, first paragraph, of the General Administrative Law Act, an interested party is defined as: the person whose interest is directly involved in a decision. Only those who have a sufficiently objective and current personal interest that is directly involved in the enforcement decision are in principle an interested party in that decision. The question is whether [name] has such an interest.

2.3 At the hearing, [name] stated uncontested that he – a resident of Enschede – passed the sensors in the city center with WiFi enabled on his mobile phone and must have been spotted. He believes this is the processing of personal data and considers this a violation of his privacy.

2.4 In the opinion of the court, this passing of the sensors does not distinguish [name] from other people visiting the city center of Enschede, but he can be regarded as an interested party, provided it is established that the plaintiff has processed personal data in violation of the GDPR. The reason for this is that the protection of privacy under European law requires this. The answer to the question of whether [name] can be regarded as a third party in this case depends on the court's opinion in this ruling as to whether the plaintiff has processed personal data. The court finds support for this method of assessment in the ruling of the Administrative Jurisdiction Division of the Council of State dated 18 February 2018 (ECLI:NL:RVS:2018:590).

Assessment framework

3.1 Pursuant to Article 4(1) of the GDPR, personal data means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.

3.2 Recital 26 of the GDPR states that the principles of data protection should apply to any information relating to an identified or identifiable natural person. Pseudonymized personal data that can be linked to a natural person through the use of additional data should be regarded as data relating to an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all means that could reasonably be expected to be used by the controller or by another person to directly or indirectly identify the natural person, for example selection techniques. In order to determine whether means can reasonably be expected to be used to identify the natural person, all objective factors, such as the cost and time required for identification, should be taken into account, taking into account the technology available at the time of processing and technological developments. The data protection principles should therefore not apply to anonymous data, namely data that does not relate to an identified or identifiable natural person or to personal data that has been anonymized in such a way that the data subject is not or no longer identifiable. This Regulation therefore does not concern the processing of such anonymous data, including for statistical or research purposes.

3.3 Article 5(1)(a) of the GDPR stipulates that personal data must be processed in a manner that is lawful, fair and transparent in relation to the data subject (“lawfulness, fairness and transparency”).

3.4 Pursuant to Article 6(1) of the GDPR, processing is only lawful if and to the extent that at least one of the following conditions is met:
a) the data subject has given permission for the processing of his personal data for one or more specific purposes;
b) the processing is necessary for the execution of an agreement to which the data subject is a party, or to take measures at the request of the data subject before the conclusion of an agreement;
c) the processing is necessary for compliance with a legal obligation resting on the controller;
d) the processing is necessary to protect the vital interests of the data subject or of another natural person;
e) the processing is necessary for the performance of a task carried out in the public interest or of a task in the context of the exercise of public authority vested in the controller;
f) the processing is necessary for the pursuit of the legitimate interests of the controller or of a third party, except where the interests or fundamental rights and freedoms of the data subject which are intended to protect personal data outweigh those interests, especially when the person concerned is a child.
Point (f) of the first paragraph shall not apply to processing by public authorities in the exercise of their duties.

3.5 Pursuant to Article 18, paragraph 1, of the GDPR Implementation Act, the AP may impose an administrative fine of up to the amounts mentioned in these paragraphs.

3.6 Article 83(5)(a) of the GDPR provides that breaches of the basic principles of processing, including the conditions for consent, in accordance with Articles 5, 6, 7 and 9 are subject to administrative fines of up to €20,000,000.

Is there a violation? Is there (processing of) personal data involved?

4. The court points out that according to settled case law, if the imposition of an administrative fine by an administrative body concerns a discretionary power, the burden of proof of the violation lies with the administrative body, whereby high requirements are imposed on the evidence. The court will assess whether the AP has provided sufficient evidence for the claim that the plaintiff has processed personal data in violation of Article 5, first paragraph, under a, in conjunction with Article 6(1) of the GDPR.

5. The documents submitted by the plaintiff and the AP show that in the context of the intended passer-by count in the city center of Enschede in the period from May 25, 2018 to April 30, 2020, the MAC addresses of owners/users of mobile devices with Wi-Fi enabled were collected with ten sensors. The MAC addresses were temporarily stored in the sensor's working memory and then hashed (pseudonymized), after which the hashed MAC address was immediately forwarded to the PFM server. On the server, the last three characters of the hashed MAC address (since January 1, 2019) were cut off.

6. The AP takes the position that the identity of the natural person does not follow directly from the MAC address or the pseudonymised MAC address and the location data of the sensors, but that the natural person is identifiable on the basis of these identifiers.

7. The AP has mentioned three different ways to do this, namely:

a. identification of persons based on the data stored on the sensor: PFM knows the exact location of the sensors and has access to the working memory and the software running on each sensor. At the same time as a new detection of a mobile device by a sensor, it is possible for someone from PFM to observe on site which person is walking within the range of the sensor. Especially at quiet times in the city center, this immediately leads to the identification of natural persons. For verification purposes, the person may be asked for his/her MAC address.

b. identification of persons using the data in the short-term table (until January 1, 2019): PFM is responsible for collecting and validating the data. The short-term table on the server is owned by PFM. From mobile devices that enter the range of a sensor, data with an associated 'status 1' is included in the short-term table and if the same mobile device leaves the range of the sensor a little later, data with 'status 2' is sent to the short-term table. However, if a mobile device remains within range of a certain sensor, for example because that person lives or works within it, then the short-term table will only contain a status 1 record containing the pseudonymised MAC address, date and time. If a status 2 record is missing for a longer period of time, PFM is aware that the person in question (possibly a resident or store employee) is still within range of the sensor. Someone from PFM can then determine on the spot which person is involved and identify the person.

c. identification of persons based on the data in the long-term table: For PFM it is also possible to identify natural persons based on the historical data included in the long-term table on the server. Defendant has established that living and movement patterns can be recognized in the long-term table from after January 1, 2019, i.e. after the introduction of cutting off three characters from the hashed MAC address. This will also be the case in the long-term table from before January 1, 2019, when it still contained unique pseudonymised MAC addresses, because six months of data were always stored at that time. Using a pattern, it is possible for PFM to predict when the natural person in question is located somewhere, for example the person who moves between sensors in the city center of Enschede every night between 4:00 AM and 5:00 AM. At night there are hardly any other people on the street and it is possible for PFM to identify this person on the spot.

8. According to the AP, these three ways of identifying natural persons do not require excessive effort from PFM, given the required time, costs and manpower. The fact that PFM employees do not use these resources in practice to identify people in the city center of Enschede does not alter the fact that they could reasonably do so. The identification can also be done by employees of [company 1] because they have access to all data that PFM collects based on the service level agreement with PFM. The claimant can also make the identification because he also has access to all data based on the processor agreement with [company 1].

9. The AP concludes that the combination of MAC address and location data and the combination of pseudonymised MAC address and location data on the sensor from May 25, 2018 to April 30, 2020 and in the short- and long-term table until January 1, 2019 qualify as personal data within the meaning of the GDPR.

10. The court notes that when refuting the plaintiff's objections, the AP repeatedly bases itself on the implausibility of circumstances and equivalent wording instead of basing itself on research into facts. Reference is made to the following marginal numbers in the contested decision of April 6, 2022.
No. 22: “The AP considers it implausible that the sensors actually receive signals 70 meters around the sensor.”
No. 30: “The AP does not consider it plausible that this questioning would never, under any circumstances, lead to someone giving out their MAC address. In any case, it cannot be ruled out…”
No. 37: “Although the AP has not established that remote login is possible (…) Although the AP has not investigated and established (…)”
No. 39: “(…) which makes it unlikely that it would be impossible for PFM to access the information stored in the cache memory.”
No. 42: “The AP finds it plausible that PFM has the knowledge and programming skills to be able to distill living patterns from the long-term table.”

11. Furthermore, the court understands that the AP dropped the observation of natural persons with a camera mentioned in the fine decision of March 11, 2021 as a possibly illegal means in the contested decision of April 6, 2022.

12. The court notes that the AP has essentially based its decisions on the ability of the plaintiff to identify natural persons on site on the basis of hashed, pseudonymised and clipped MAC addresses. In the aforementioned ways, the AP assumes the possibility that an employee of the agencies engaged by the claimant or an employee of the claimant itself could be on site at some time in the early morning, when there are few people on the street, to determine that a specific, unique mobile device user is within range of a sensor and could potentially identify that person.

13. The court is of the opinion that the AP has not sufficiently investigated whether the methods it mentions indeed make it possible, in the given situation, to determine the identity of a user of a mobile device with the naked eye. The AP's mere assertion that the employees in question could reasonably do this does not convince the court. In view of recital 26 of the GDPR, the AP should have investigated whether it could reasonably be expected that the said means would be used to directly or indirectly identify the natural person, whereby the costs and time required for identification, the technology available at the time of processing and technological developments should have been taken into account.

14. On this basis, the court is of the opinion that the AP, especially in view of the heavy burden of proof resting on the defendant in the event of the imposition of an administrative fine, has not proven that, with the method he used, the plaintiff processed personal data of owners/users of mobile devices with Wi-Fi enabled in the city center of Enschede. It follows that the AP has not proven that the plaintiff committed the violation he is accused of.

15. It then follows that [name] cannot be regarded as a third party.

Conclusion

16. The AP has imposed an administrative fine on the plaintiff on incorrect grounds, so that this decision cannot be upheld. The claimant's appeal is well-founded. The court will annul the contested decision of April 6, 2022 and revoke the fine decision of March 11, 2021.

17. The court sees reason to order the AP to pay the plaintiff's legal costs. These costs have been calculated on the basis of the Administrative Law Costs Decree (Bpb) at € 2,998 (1 point for the notice of objection + 1 point for the hearing at € 624 per point + 1 point for the notice of appeal + 1 point for appearing at the hearing x weighting factor 1 x € 875 per point).

18.1 The claimant has requested reimbursement of the travel costs and lost-time costs of the representative K.B.H. Ligthart-Kaalverink, who appeared on her behalf. An amount of € 148.90 has been declared for travel costs and an amount of € 356 for lost time costs for two hours for attending the hearing.

18.2 The court is of the opinion that the travel costs are eligible for reimbursement. Travel costs will be reimbursed on the basis of public transport, second class. The court therefore sets the travel costs eligible for reimbursement at € 29.78.

18.3 There is no reason for reimbursement of the lost time costs in accordance with Article 2, first paragraph, opening words and under e, of the Bpb since, in the opinion of the court, Mrs Ligthart-Kaalverink is employed by the claimant and it has not emerged that she had to take unpaid leave to attend the hearing. In addition, these costs have not been substantiated in any way.

19. There is also reason to order the AP to reimburse the court fee of € 365 paid by the plaintiff.

Decision

The court
- declares the appeal well-founded;
- annuls the contested decision;
- revokes the decision of March 11, 2021;
- orders the AP to pay the legal costs, estimated to date at € 3,027.78;
- orders that the AP reimburse the plaintiff for the court fee of € 365 paid by her.

This statement was made by Mr. J.W.M. Bunt, chairman, and Mr. A. Oosterveld and Mr. W.J.B. Cornelissen, members, in the presence of Y. van Arnhem, clerk. The verdict was pronounced in public on

clerk
chair

A copy of this ruling has been sent to the parties on:

Information about appeal

A party that does not agree with this ruling can send an appeal to the Administrative Jurisdiction Division of the Council of State explaining why this party does not agree with this ruling. The appeal must be submitted within six weeks of the day on which this decision was sent. If the petitioner cannot await the hearing of the appeal because the case is urgent, the petitioner can ask the preliminary relief judge of the Administrative Jurisdiction Division of the Council of State to take a provisional measure (a temporary measure).