Rb. Den Haag - C/09/550982/HA ZA 18/388
|Rb. Den Haag - C/09/550982/HA ZA 18/388|
|Court:||Rb. Den Haag (Netherlands)|
|Relevant Law:||Article 5(1) (b) GDPR|
|Decided:||5. 2. 2020|
|Published:||5. 2. 2020|
|Parties:||The Netherlands Vs. Anonymous|
|National Case Number:||C/09/550982/HA ZA 18/388|
|European Case Law Identifier:||ECLI:NL:RBDHA:2020:865|
|Original Source:||de Rechtspraak (in NL)|
The District Court of Hague ruled that the digital tool SyRI violated the right to respect a private life (Article 8 ECHR). This digital tool is used by public authorities to combat fraud in the areas of tax and social security. The Court assessed the lawfulness of the interference with the right to privacy under the ECHR in the lights of the Charter of fundamental rights and the EU data protection law principles, namely the principles of purpose limitation and data minimisation.
English Summary[edit | edit source]
Facts[edit | edit source]
The digital tool called System Risk Indication (SyRI) is used by central and local Dutch authorities to prevent and combat fraud in the areas of tax and social security. It carries out different processing operations on personal data. SyRI gathers large-scale data and generates risk notification about people likely to commit fraud, which is called “risk report”. These risk reports have significant consequences on citizens' life; they indicate s that a specific person is worthy of investigation related to fraud.
A number of civil society organisations and citizens sued the State claiming that SyRI violates fundamental rights. The Sate argued that SyRI provides sufficient guarantees for protecting the human right to privacy.
The litigation raised numerous issues related to International and European Law, mainly the violation of Article 8(2) ECHR which allows interferences with the exercise of the right to respect for private and family life by a public authority under three conditions: it must be provided by law, be necessary in a democratic society and pursue interests such as the prevention of disorder or the economic well-being of the country. Nevertheless, this summary will focus on the protection of personal data and the interplay between the new technologies and the ECHR.
Dispute[edit | edit source]
The Court had to pronounce itself on whether the processing of personal data by the digital tool SyRI falls within the scope of Article 8(2) ECHR. It assessed whether SyRI was prescribed by law and under which conditions to know if it was necessary for the pursue of the prevention of fraud within a democratic society. Thus, it addressed importantly the interplay between Article 8 ECHR and EU law, including the Charter and the GDPR for the purpose of the assessment of the interference in private life under the ECHR.
Focusing on data protection, the Court focused on the processing operations in the context of the deployment of the SyRI and the technical safeguards contained in the tool. It referred to several further processing operations, namely: the mutual exchange of personal data by administrative bodies, the provision of personal data to the Minister, the profiling, the provision of personal data to the Minister, the making of risk notifications and/or the inclusion of (information about) notifications in the Register of Notifications. Mainly, It had to assess whether Article 8 of the Charter; Articles 5, 6, 22 and 35 GDPR have been violated.
Holding[edit | edit source]
The Court decided to assess the compliance with Article 8 ECHR in the lights of the Charter and the EU law data protection principles. Indeed, the Court recalled that the ECHR provides for a minimum protection of the fundamental right to privacy. It pointed out that the content and scope of EU fundamental rights in the Charter and the ECHR are alike insofar they are corresponding to each other’s. It also reminded, that the Charter provides for a least the same minimum level of protection and that rights guaranteed by the ECHR are part of the general principles of EU law under Article 6(3) TEU. Finally, as the Court considered that the Charter and the GDPR go beyond the ECHR in some respect, the ECHR have to be interpreted in the lights of the general principles of the Charter and the GDPR.
Regarding the concrete assessment of the interference in the lights of the EU data protection principles, the Court considered that the risk model, the indicators and the data that are actually processed are neither public nor known to those involved and it has a significant effect on the private life of the person to whom the report relates.
More precisely, with regard to the condition of “provided by law”, the Court acknowledged the SyRI legislation. Nevertheless, it left open the question on whether the legislation is sufficiently accessible and foreseeable to constitute an adequate legal basis and, thus, to justify the restriction of the right to privacy.
Concerning the condition of “necessary in a democratic society”, the Court assessed the risk model and the processing operations on personal data and concluded that the SyRI legislation does not take sufficiently into account the purpose of limitation principle (Article 5(1)(b) GDPR) and data minimization (Article 5(1)(c) GDPR). For example, the Court noticed that the data protection impact assessment had been carried out prior the entry in force of the GDPR and could not meet the requirements under the national data protection act and Article 35 GDPR.
Comment[edit | edit source]
As Amicus Curiae, the United Nations Special Rapporteur, professor Philip Aston submitted his brief to the District Court of The Hague focusing on whether the emphasis on the poor and marginalized groups in Dutch society was justified and thus, does not lead to discriminations based on prohibited grounds.
Further Resources[edit | edit source]
Share others blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the original. Please refer to the Dutch original for more details.
judgment COURT HEDGE Trade team Case number / reel number: C/09/550982 / HA ZA 18-388 Judgment of 5 February 2020 in the matter of 1 DUTCH HUMAN RIGHTS COMMITTEE in Leiden, 2. FOUNDATION PLATFORM FOR THE PROTECTION OF CIVIL RIGHTS in Amsterdam, 3. STICHTING PRIVACY FIRST in Amsterdam, 4. FOUNDING KOEPEL OF DBC-FREE PRACTICES in Amsterdam, 5. COUNTRY CLIENT'S COUNTRY in The Hague, 6. plaintiff sub 6] at [place 1] , 7. plaintiff sub 7] at [place 2] , plaintiffs, attorney mr. A.H. Ekker in Amsterdam, and FEDERATION NETHERLANDS VAKBEWEGING in Utrecht, intervener on the plaintiffs' side, attorney mr. A.H. Ekker in Amsterdam, by STATE OF THE NETHERLANDS domiciled in The Hague, defendant, attorney mr. C.M. Bitter in The Hague. Plaintiffs will hereinafter jointly also be referred to as NJCM c.s. and separately respectively as NJCM, the Platform for the Protection of Civil Rights, Privacy First, the DBC Free Practices umbrella organisation, the National Clients Council, [plaintiff sub 6] , [plaintiff sub 7] . Intervener is called FNV. Defendant is called the State. The classification of this judgment is as follows: 1 The course of the proceedings 1.1-1.3 2 NJCM c.s. and FNV 2.1-2.5 3 The facts 3.1-3.10 4 The SyRI legislation 4.1-4.3 General 4.4-4.7 Provision of data for a joint venture 4.8-4.10 Legal basis SyRI 4.11-4.16 Risk notifications, retention obligation, removal from SyRI and privacy 4.17 Data that may be processed in SyRI 4.18 Flowchart deployment SyRI 4.19-4.26 The request for deployment SyRI, advice LSI and expensive SyRI project 4.27-4.31 Data processing 4.32 Feedback on results of risk notifications 4.33 Supervision 5 The dispute 5.1-5.4 6 The assessment 6.1 Introductory 6.9-6.18 Admissibility 6.19 General assessment framework 6.20-6.26 Human rights protection 6.27-6.36 EU legal protection 6.37-6.41 Mutual relationship between the ECHR and EU law and party debate 6.42-6.44 The alleged infringement of Article 8 ECHR 6.45-6.54 Degree and severity of interference; what is SyRI? Undirected trawling, data mining, 'deep learning', 'big data'. 6.55-6.60 Degree and severity of interference; profiling and automated individual decision-making? 6.61-6.65 Summary 6.66-6.72 Provided by law 6.73-6.79 Necessary in a democratic society; general 6.80-6.107 Necessary in a democratic society; proportionality subsidiarity 6,108-6,117 The receivables 6,118 Litigation costs 7 The decision 1 The process sequence 1.1. The course of the procedure is evidenced by - the indictment of 27 March 2018 with productions, - the conclusion of reply with productions, - the verdict in the incident insertion of 26 September 2018 with the documents referred to therein, - the deed of 14 November 2018 issued on behalf of the FNV, - the Deed of Reply on the State's side of 14 November 2018, - the judgment of 2 January 2019 ordering a meeting of the parties, - the minutes of the meeting of the parties, drawn up in the absence of the parties. 29 October 2019 and the deed submitted at the session containing productions on the part of NJCM c.s. with productions. 1.2. The parties were given the opportunity to make factual comments on the minutes. The State made use of this opportunity in a letter dated 29 November 2019 and NJCM et al. in a letter dated 3 December 2019. The Court will read the official report with due observance of the comments of the parties. 1.3. Finally, a date has been set for judgment. 2 NJCM c.s. and FNV 2.1. NJCM c.s. is a coalition of civil society organisations and two natural persons. 2.2. The NJCM is an organisation concerned with protecting and strengthening fundamental human rights and freedoms. The Platform for the Protection of Civil Rights focuses on the protection of classical civil rights. Privacy First is committed to the preservation and promotion of the right to privacy. The dome of DBC-free practices is committed to protecting the privacy of psychotherapists' clients. 2.3. The National Clients Council has been established pursuant to the Act on Structure of Executive Organisation and Income (hereinafter referred to as the SUWI Act or the Act). It is a body consisting of representatives of national client organisations, municipal client participation organisations and the central client councils of the Employee Insurance Administration Institute (UWV) and the Social Insurance Bank (SVB). It is the duty of the National Client Council to consult periodically with the UWV, the SVB, the municipalities and the Minister of Social Affairs and Employment (hereinafter referred to as 'the Minister') on the design and implementation of client participation in the relevant bodies and with the Minister on proposals made by the National Client Council regarding policy issues in the area of work and income.1 According to its internal regulations, the National Client Council aims to play an important role in relation to client input in the areas of work and income, among others. 2.4. Claimant sub 6] is a philosopher, lawyer, writer and columnist. Claimant sub 7] is an author, columnist and presenter. 2.5. The FNV is a trade union. It defends the interests of its members. In doing so, it is also guided by the fundamental values of equality of all people, freedom, justice and solidarity. 3 The facts 3.1. The Risk Indication System (hereinafter referred to as: SyRI) is a statutory instrument used by the government to prevent and combat fraud in the field of social security and income-related schemes, tax and social security contributions and labour laws. According to the legislator, it involves technical infrastructure and associated procedures that allow data to be linked and analysed anonymously in a secure environment so that risk reports can be generated.2 3.2. A risk report means that a legal or natural person is considered to be worth investigating in relation to possible fraud, unlawful use and non-compliance with legislation. 3.3. The instrument is deployed by the Minister at the request of certain government bodies or other bodies with a public task. These are currently the colleges of mayor and aldermen (hereinafter referred to as: the municipalities), the UWV, the SVB, the National Tax and Customs Administration (hereinafter referred to as: the Tax and Customs Administration), the Immigration and Naturalisation Service (hereinafter referred to as: the IND) and supervisors, such as the Inspectorate for Social Affairs and Employment (Inspectie SZW). These bodies may enter into a partnership in which they exchange information. With the deployment of SyRI, files at the disposal of these (government) agencies will be linked in a structured manner in order to be able to identify related abuses in the aforementioned areas and to increase the chance of being caught. 3.4. According to the legislator, this method of working leads to efficient and effective use of the recording equipment. 3.5. The technique used in the deployment of SyRI is based on a practice that existed before there was a legal basis for the deployment of SyRI. With a view to the joint approach to tax and contribution fraud, benefit fraud, illegal employment and related abuses, a nationwide structure of intervention teams has been set up. 3.6. In 2003 the authorities involved in this structure concluded a Cooperation Agreement for Intervention Teams. Provision was made for a two-level structure: a National Intervention Team Steering Group (LSI) and projects carried out at regional level by Regional Anti-Fraud Platforms. The Cooperation Agreement for Intervention Teams was updated in 2017.3 3.7. The LSI is chaired by a representative of the Ministry of Social Affairs and Employment and consists of representatives of the Inspectorate for Social Affairs and Employment, the Tax and Customs Administration, the UWV, the police, the municipalities (represented by the Association of Netherlands Municipalities), the SVB, the Public Prosecution Service (OM), and the IND. 3.8. Since 2004, the Work and Social Assistance Act (Wet werk en bijstand, hereinafter referred to as: WWB) has provided for a statutory regulation for file linking.4 Article 64 WWB (since 1 January 2015 Participation Act) obliges certain bodies to provide the UWV with declarations and information that are necessary for the implementation of that Act. In 2005, the then State Secretary for Social Affairs and Employment adopted a framework for accessing data sources for file linking. A project called Waterproof was started in 2005. This project involved a file link in which, in sixty-five municipalities, the housing situation of recipients of benefits under the WWB was checked on the basis of consumption figures of water companies and the housing data and pollution units of the water boards. In response to criticism from the Dutch Data Protection Authority (College voor bescherming van persoonsgegevens, hereafter: Cpb) on the file coupling in this project, the former Social Intelligence and Investigation Service (SIOD, now the Inspectorate for Social Affairs and Employment (Inspectie SZW, afdeling opsporing)) set up an environment that was referred to as the 'black box'. In it, the SIOD carried out file links for and on behalf of the regional intervention teams and developed risk profiles using these file links. The 'black box' project ended in 2010. 3.9. Between 2008 and 2014, one hundred and sixty intervention team projects were carried out under the direction of the LSI. Twenty-two of these projects made use of SyRI or its predecessors. Nineteen of the twenty-one completed intervention team projects followed a so-called neighbourhood-oriented approach. The Minister explained this approach as follows: "This means that a number of addresses in a certain district in a municipality were investigated by the intervention team for benefit fraud, benefit fraud or tax fraud. The aim of these projects is to contribute to the improvement of the living climate in such a district. For this reason, these projects also explicitly focus on providing care and support to people who show caring behaviour. "5 3.10. Since 2015, after the introduction of SyRI in legislation, the following SyRI projects have started: 'G.A.L.O.P. II', 'Address fraud Afrikaanderwijk in Rotterdam', 'WGA Vulnerable neighbourhoods Capelle aan den IJssel', 'WGA Rotterdam Bloemhof & Hillesluis' and 'WGA Haarlem Schalkwijk'.6 4 The SyRI legislation General 4.1. The SUWI Act has been amended with effect from 1 January 2014 to provide a legal basis for the deployment of SyRI.7 The conditions for such deployment are further specified in the SUWI Decree.8SyRI now has a legal basis in Section 65 of the SUWI Act in conjunction with Section 64 of the SUWI Act and Chapter 5a of the SUWI Decree. The then amended SUWI Act and the SUWI Decree are hereinafter jointly referred to as the SyRI legislation. The District Court will explain the SyRI legislation in more detail below. 4.2. Article 1(2) of the SUWI Act defines the term 'data'. The term 'data' includes personal data within the meaning of the General Data Protection Regulation (hereinafter referred to as 'the AVG').9 Until the AVG comes into force on 25 May 2018, reference was made to the Personal Data Protection Act (hereinafter referred to as 'the Wbp Act'). 4.3. Article 1(2) of the SUWI also ties in with the AVG (Article 4(2), (7) and (8)) for the terms 'processing', 'controller' and 'processor' and was the Wbp prior to 25 May 2018. Provision of data on behalf of a partnership 4.4. Article 64 paragraph 1 of the SUWI Act provides for the cooperation of a number of administrative bodies and persons designated for this purpose by or pursuant to the Act. The term 'persons' does not refer to natural persons, but to those charged with supervising compliance with or implementation of regulations that fall under the responsibility of the Minister. These administrative bodies and persons are expressly referred to in Section 64(1) of the SUWI Act or may be designated by ministerial regulation (hereinafter: the designated government authorities). At present, the bodies previously referred to in 3.3 have been designated (hereinafter: governmental and other bodies). According to the legislative text, the purpose of the cooperation lies in: "'integrated government action to prevent and combat the wrongful use of government funds and provisions in the field of social security and income-related schemes, to prevent and combat tax and contribution fraud and non-compliance with labour laws'. 4.5. Two or more of the designated (government) bodies may enter into a partnership in which data are processed that are necessary for the aforementioned purpose for that partnership (Article 64 paragraph 2 of the SUWI Act). 4.6. The basic principle is that the designated (government) bodies participating in a joint venture are obliged to provide each other with the necessary data. They are then jointly responsible for processing within the meaning of Section 26 of the AVG (Section 64(3) of the SUWI Act). 4.7. In the event of a partnership in which the participating (government) bodies wish to deploy SyRI, they will submit a request to this effect to the Minister. Contrary to the above principle, the necessary information must then be provided to the Minister. In that case, the Minister is responsible for processing within the meaning of the AVG (Section 64, subsection 4 of the SUWI Act in conjunction with Section 65, subsection 1 of the SUWI Act). Legal basis SyRI 4.8. Section 65 of the SUWI Act then provides the statutory basis for the processing of the aforementioned necessary data in SyRI by the Minister for the performance of risk analyses. This Section also contains provisions on making a risk report, confidentiality, retention of the fact that a risk report has been made, use of a risk report, feedback and removal. Finally, it stipulates which further rules are in any event laid down by order in council. The latter has been implemented by the SUWI Decree, in particular Chapter 5a of that Decree. 4.9. A request to the Minister to process data in SyRI can only be made by a joint venture of designated (government) bodies with the intention of deploying SyRI. Each of the cooperating authorities must also be a party to the Cooperation Agreement for Intervention Teams (Article 65 paragraph 1 of the SUWI Act in conjunction with Article 1.1 bb and Article 5.a.1 paragraph 1 of the SUWI Decree). 4.10. The Public Prosecutor's Office and the police are parties to the Cooperation Agreement for Intervention Teams and are represented in the LSI. However, they are not a designated (government) authority within the meaning of Article 64 of the SUWI Act. They cannot therefore enter into a cooperation agreement within the meaning of Article 64 of the SUWI Act and the SUWI Decree. Nor can they request the deployment of SyRI or provide the Minister with information for that purpose pursuant to Sections 65(1) and 64(4) of the SUWI Act. They may, however, receive risk notifications at their request insofar as this is necessary for the performance of their statutory task (see Section 65 subsection 3 of the SUWI Act and below 4.13). Risk notifications, obligation to retain, removal from SyRI and confidentiality 4.11. If the Minister processes data in SyRI, these data can only be used to make a risk notification about a natural or legal person for the purpose referred to in Section 64, subsection 1 of the SUWI Act (Section 65, subsection 1 of the SUWI Act). 4.12. Article 65 paragraph 2 SUWI Act means a risk report: "the provision in name from the system risk indication which contains an observation of an increased risk of wrongful use of government funds or government facilities in the field of social security and income-related schemes, tax and contribution fraud or non-compliance with labour laws by a natural or legal person and of which the risk analysis, which consists of data from the system risk indication presented in conjunction, is part. 4.13. In individual cases, the Minister will make risk notifications to the designated (government) bodies that have requested the deployment of SyRI and to the extent that this is necessary for the proper performance of their statutory task. The Minister may also submit risk reports to the Public Prosecutor's Office and the police at their request and to the extent that this is necessary for the performance of their statutory duties (Article 65, paragraph 3 of the SUWI Act). 4.14. There is a register of risk notifications for the purpose of providing this information to the participating (government) agencies and the Public Prosecution Service and the police and to inform the person to whom a risk notification relates on application. Those concerned are not informed separately about the risk reports processed in the register after an investigation has been completed (Article 5a.5 SUWI Decree). 4.15. A risk report will be kept by the Minister for no longer than is deemed necessary for the purpose of processing risk reports and for a maximum period of two years. The designated (government) authority receiving the risk report may make use of the risk report for a period of two years and must feed back the results of the risk report to the Minister. This feedback must take place within twenty months of the start of the SyRI project. Apart from this, the data processed in SyRI will in any case be removed from it no later than two years after its inclusion in SyRI (Sections 65(5), (6) and (7) of the SUWI Act and Sections 5a.3 and 5.a.5 of the SUWI Decree). 4.16. The Act also provides for a duty of confidentiality for anyone who, pursuant to Article 65 of the SUWI Act, becomes aware of data relating to a natural or legal person which has been laid down in a risk report. This with corresponding application of the duty of confidentiality applicable to the data (Article 65, paragraphs 3 to 7 of the SUWI Act and Articles 5a.5 to 5a.7 of the SUWI Decree). Data that may be processed in SyRI 4.17. One or more of the following categories of data are eligible for processing in SyRI (Article 5a.1 paragraph 3 of the SUWI Decree): employment data, i.e. data with which a work performed by a person can be determined; data concerning administrative measures and sanctions, i.e. data showing that a natural or legal person has been imposed an administrative fine or that another administrative measure has been taken; tax information, i.e. information enabling the identification of tax obligations of a natural or legal person; information on movable and immovable property, that is to say, information enabling a natural or legal person to identify the ownership and use of certain property; information concerning grounds for exclusion from assistance or benefits, that is to say, information showing that a person is not eligible for a benefit; trade information, which is information making it possible to identify the nature and activities of a legal person; accommodation data, i.e. data making it possible to determine the (actual) place of residence or place of business of a natural or legal person; identification data, i.e. for a natural person: name, address, postal address, date of birth, sex and administrative characteristics and for a legal person: name, address, postal address, legal form, location and administrative characteristics; integration data, i.e. data which make it possible to determine whether a person is subject to integration obligations; compliance data, i.e. data that make it possible to record the compliance history of a natural or legal person with legislation and regulations; educational data, i.e. data with which the financial support for the funding of education can be determined; pension data, i.e. data enabling pension entitlements to be determined; reintegration data, i.e. only data with which it can be determined whether reintegration obligations have been imposed on a person and whether these obligations are complied with; indebtedness data, i.e. data making it possible to determine the debts, if any, of a natural or legal person; benefits, allowances and grants data, i.e. data making it possible to establish the financial support of a natural or legal person; permits and exemptions, which are data making it possible to identify the activities for which a natural or legal person has requested or obtained consent; health insurance data, i.e. only the data with which it can be determined whether a person is insured under the Health Insurance Act (Zorgverzekeringswet). Flowchart deployment of SyRI 4.18. The procedural steps in deploying SyRI are set out in the Explanatory Memorandum to the SUWI Decision in a flow chart with references to the relevant provisions of SyRI legislation. This flow chart is shown below: The request for SyRI deployment, LSI advice and duration of the SyRI project 4.19. The Minister shall process the data referred to in Section 64, subsection 2, of the SUWI Act if (i) the request from the partnership within the meaning of the SUWI Decree satisfies the conditions set out in the SUWI Decree and (ii) the prioritisation shows that sufficient capacity is available to link the files in SyRI and analyse the results thereof (Section 5a.1, subsection 1 in connection with Sections 5a.2 and 5a.3 of the SUWI Decree). 4.20. A request to deploy SyRI must meet the following conditions. The request must in any case show which designated (government) bodies are cooperating for the purpose of a specific project (the SyRI project), what the specific objective of the cooperation is, and how the cooperation is organised and given shape. The request must also state the intended start date and the duration of the SyRI project (Article 5a.1 paragraph 2 sub a of the SUWI Decree). 4.21. According to the SUWI Decree, a SyRI project is a project that collects information for the objective of that project using SyRI and fits within the objective referred to in Section 64, subsection 1 of the SUWI Act (Section 1.1 subsection dd of the SUWI Decree). 4.22. In addition, the request must determine what specific data will be provided by the participating (government) agencies, the intended manner of feedback of the risk notifications by the Minister and the indicators and risk model to which the request relates (Section 5a.1 paragraph 2 sub b-d SUWI Decree). 4.23. According to the Explanatory Memorandum to the SUWI Decree, the indicators and the risk model to be used should be clearly stated and, without this provision, linking the databases could lead to a "fishing expedition" and even to arbitrariness. According to the Minister, in this way justice is done to the 'select before you collect' principle. According to the SUWI Decree, an indicator is a fact that makes the presence of a certain circumstance plausible. By risk model is meant a model that consists of predetermined indicators and indicates whether there is an increased risk of wrongful use of government funds and provisions in the area of social security and income-related schemes, tax and contribution fraud or non-compliance with labour laws (Section 1.1. sub y and Section 1.1. sub aa, respectively, of the SUWI Decree). 4.24. To date, the Inspectorate SZW has one risk model that it has validated, the Neighbourhood Approach Model (WGA).10 At the hearing, the State explained that work is underway on the development of a risk model for certain companies and an address-related risk model. In time, according to the Explanatory Memorandum to the SUWI Decree, the intention is to create the possibility of using a risk model specifically tailored to a SyRI project. 4.25. The (government) bodies participating in the partnership will each assess whether there is a need for data provision. To this end, the participants in the partnership must demonstrate that approval has been obtained within their own organisation to participate in the SyRI project. Insofar as a participant in the joint venture has the necessary data at his disposal, as referred to in Section 64, subsection 2, of the SUWI Act, it must also be demonstrated that the data necessary for the risk analyses in relation to the specific objective of the SyRI Project has been tested beforehand. Furthermore, these participants must have separately substantiated that a possible impairment of the interests of the natural or legal persons to whom the processing of data relates is not disproportionate and in proportion to the purpose intended by the deployment of SyRI. Only such data may be provided as is necessary for the performance of the risk analyses, whereby no less intrusive means may reasonably be used to achieve the objective of deploying SyRI. All this must also be evident from the request (Article 5a.1 paragraph 4 of the SUWI Decree). 4.26. The Minister will be advised by the LSI on the application of SyRI in the SyRI project in question. He will determine the starting date of the SyRI project if the request meets the conditions. He shall announce this in the Netherlands Government Gazette (Article 5a.4, paragraph 1 of the SUWI Decree). A model information letter has been drawn up which municipalities can use to inform residents in a neighbourhood in advance. According to this model, residents are informed which authorities are cooperating in the investigation and that only these authorities will see the data of residents. The model also contains the statement that the team compares data that are already known to various agencies. Furthermore, it is stated how the monitoring is carried out with the application of SyRI and what happens with a risk report. The SyRI project ends as soon as the feedback from the (government) agencies participating in the partnership has been submitted or when the Minister decides to terminate the project (Article 5a.4 of the SUWI Decree). Data processing 4.27. After the Minister has determined that the request for deployment of SyRI satisfies the conditions and before the start of the SyRI project, a so-called kick-off meeting will take place with the partnership and the processor. During this meeting, the partnership will receive information and instructions on, among other things, the way in which the files must be delivered and the security level to be applied. 4.28. The Stichting Inlichtingenbureau (hereafter referred to as: the IB) has been appointed as the processor and processor for linking files in SyRI (Article 5a.2 SUWI Decree in conjunction with Article 5.24 SUWI Decree). Pursuant to Section 63 of the SUWI Act, the IB has been designated as the body for the coordination and provision of services to municipalities for the exchange of data between the UWV, CWI and municipalities and the use, installation and maintenance of the electronic infrastructure required for this purpose (Suwinet).11 As processor, the IS is responsible for, among other things, bringing together, pseudonymising (i.e. the encryption of the data in a dataset in such a way that the data can no longer be directly traced back to a person), testing the encrypted files against the risk model and decrypting them after testing. 4.29. Data processing consists of two phases: processing (phase 1) and analysis (phase 2). In the first phase, the IS brings the files together and pseudonymises them. Among other things, personal and company names, citizen service numbers and addresses are replaced by a code (a pseudonym). After this, the processor applies the first step in risk selection to these encrypted data: the source file is automatically tested against the risk model with all indicators. This generates potential hits. A potential hit is a hit that indicates an increased risk of fraud. In addition, the IB creates a key file that indicates which personal or company name, citizen service number or address belongs to a certain pseudonym. If certain natural or legal persons or addresses are identified as high-risk on the basis of the risk model, these are decrypted again on the basis of the key file. All data associated with these increased risks (with the exception of the key file) are then forwarded to the Minister for the second phase of the risk analysis by the analysis unit of the Inspectorate SZW. The IB destroys the files of the SyRI project that are still in its possession within four weeks after they have been forwarded. The destruction is recorded in an official report. 4.30. In the second phase, the decrypted data are further analysed by the SZW Inspectorate's analysis unit. These are assessed for investigative value. This results in a final risk selection. The Minister makes the risk reports on the basis of the final risk selection. 4.31. If a natural person or legal entity with an increased risk is not the subject of a risk report, his or her data will be destroyed within four weeks of completion of the analysis. The Minister will destroy any remaining data after feedback from the participants in the partnership no later than two years after the start of the SyRI project. The destruction will be recorded in an official report. This destruction order does not extend to the data in the risk notifications register. A retention period of two years after the registration of the risk report applies (Article 65 paragraph 5 of the SUWI Act). Feedback on the results of risk reports 4.32. The use of the risk notifications should be reported back to the Minister. This is intended to increase the effectiveness of the risk model. Feedback should in any case consist of the results of the risk reports, a substantiation if risk reports have not been followed up and feedback on the usefulness of the risk reports. Pursuant to Article 5a.6 of the SUWI Decree, the Minister is obliged to evaluate the risk model on the basis of the feedback received. On the basis of the feedback, the risk model applied to the file link and the analysis phase thereafter can, if necessary, be adjusted by the analysis unit of the Inspectorate SZW. Supervision 4.33. The Personal Data Authority (hereinafter: AP, formerly the Cbp) has been designated as the supervisory authority in the Netherlands within the meaning of the AVG and, as the external privacy supervisor, supervises compliance with the SyRI legislation.12 5 The dispute 5.1. NJCM c.s. requests a judgment to be declared provisionally enforceable as far as possible: I. Declare that the application of Sections 64 and 65 of the SUWI Act and Chapter 5a of the SUWI Decision is incompatible with higher-ranking law, in particular with Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR), Articles 7 and 8 of the Charter of Fundamental Rights of the European Union (hereinafter referred to as 'the Charter'): Charter) and/or Article 17 of the International Covenant on Civil and Political Rights (hereinafter: ICCPR); and/or Article 6 and/or Article 13 of the ECHR; and/or Articles 5, 6, 13, 14, 22 and/or 28 of the AVG, or at least the corresponding articles of the Wbp, II. declare that the application of the following sections of the SUWI Act and the SUWI Decree is incompatible with higher-ranking law, in particular with Article 8 of the ECHR, Articles 7 and 8 of the Charter and/or Article 17 of the ICCPR; and/or Article 6 and/or Article 13 of the ECHR; and/or Articles 5, 6, 13, 14, 22 and/or 28 of the AVG, or at least with the corresponding articles of the Wbp: a. a) the target description as included in Section 64 subsection 1 of the SUWI Act; and/or (b) the formulation of powers to process data and to deploy it to SyRl as included in Sections 64(3) and 64(4) of the SUWI Act; and/or (c) the enumeration of categories of personal data as included in Article 5a.1. paragraph 3 of the SUWI Decree; and/or (d) the practice of confidentiality of risk models used when deploying SyRI; and/or (e) the arrangement in respect of the register of risk reports as set out in Section 5a.5 of the SUWI Decree; and/or (f) the substantiation by the State of the necessity of SyRI; and/or (g) the arrangement whereby the individual administrative bodies are instructed to substantiate that the provision of data in the context of a SyRI project is proportional and proportionate, as set out in Article 5a.1(4) of the SUWI Decree, and thus fails to ensure that an adequate, overarching review of those requirements takes place; and/or h) the arrangement whereby data subjects will only be informed about the processing of their personal data in SyRI if they are the subject of a risk notification and then only upon request, as included in Article 5a.5 of the SUWI Decree; and/or (i) The regulation of the supervision of SyRI deployment, in particular the fact that the Minister is the only Party to supervise the deployment of SyRI; III. to declare that the processing of personal data that takes place in the context of, by means of and/or for the benefit of the deployment of SyRI, in particular the mutual exchange of personal data by administrative bodies (including the Tax and Customs Administration), the provision of personal data to the Minister (including by the Tax and Customs Administration), the provision of personal data to the ITI, the processing of personal data by the ITI, including profiling, the provision of personal data by the ITI to the Minister, the making of risk notifications and/or the inclusion of (information about) notifications in the Register of Notifications, is unlawful due to violation of Article 8 of the ECHR, Articles 7 and 8 of the Charter and/or Article 17 of the ICCPR; and/or Article 6 and/or Article 13 of the ECHR; and/or Article 5, 6, 13, 14, 22 and/or 28 of the AVG and/or the local AVG corresponding articles from the Wbp; IV. to set aside Sections 64 and 65 of the SUWI Act and Chapter 5a of the SUWI Decree, or at any rate to declare them ineffective, or at any rate to stipulate that they must be left inapplicable, possibly subject to the imposition of a condition, at least the parts thereof as deemed incompatible with higher law by the District Court on the grounds of claim I and/or II, or at any rate the parts thereof as deemed incompatible with higher law by the District Court in good court; V. rule that the State is in breach of the obligations of confidentiality incumbent on the Tax and Customs Administration because the Tax and Customs Administration provides personal data to other parties in joint ventures pursuant to Section 64 of the SUWI Act and to the Minister in the context of SyRI; VI. order the State to publish the risk models and indicators used in the G.A.LO.P. II and Capelle projects; VII. declare that the processing of personal data by the IB is unlawful due to the absence of a processing agreement as referred to in article 28 paragraph 3 of the AVG and/or article 14 paragraph 2 of the Wbp; VIII. prohibit the State from processing personal data, or at least personal data of [plaintiff sub 6] and [plaintiff sub 7], in the context of, by means of and/or for the benefit of the deployment of SyRI; IX. order the State to irreversibly destroy all personal data collected in the context of, by means of and/or for the benefit of the deployment of SyRI and to provide evidence of such destruction to NJCM c.s.; order the State to pay the costs of these proceedings, plus statutory interest thereon as from fourteen days after the date of the judgment. 5.2. NJCM c.s. bases its claims on unlawful conduct on the part of the State. Articles 64 and 65 of the SUWI Act and Chapter 5a of the SUWI Decree, or at least the application thereof, are, in its opinion, contrary to provisions of international treaties that are binding on everyone. In addition, the State (the Tax and Customs Administration) is acting in violation of its statutory confidentiality obligations under national law by providing personal data under SyRI legislation to the third parties referred to by NJCM c.s. and in violation of the GCG by processing data in SyRI without a processing agreement. 5.3. The State will put forward a defence. 5.4. In so far as relevant, the parties' statements will be discussed in more detail below. 6 The Assessment Introductory 6.1. With this procedure NJCM c.s. aims to 'stop' the use of SyRI. It believes that SyRI violates human rights. NJCM c.s. explained at the hearing that its main intention is to declare SyRI legislation non-binding. According to NJCM c.s., SyRI legislation constitutes an unlawful invasion of privacy, in particular the right to respect for private life. The NJCM c.s. is of the opinion that the SyRI legislation does not contain sufficient guarantees. The State disputes this. It argues that the SyRI legislation is based on objective criteria and contains procedural and material guarantees. According to the State, this prevents abuse and limits the intrusion of SyRI's private life to what is strictly necessary. 6.2. The court must assess whether the SyRI legislation is contrary to any binding provisions of international and European law. In this respect, NJCM c.s. has invoked in the first place a violation of Article 8 ECHR, Articles 7 and 8 of the Charter and Article 17 ICCPR and also a violation of Articles 5, 6, 13, 14, 22 and/or 28 of the AVG. 6.3. The starting point is that social security is one of the pillars of Dutch society and contributes significantly to prosperity in the Netherlands. NJCM c.s. also endorses this. The social security system can only function if citizens in the Netherlands who are not entitled to benefits do not make use of them either. The system is financed with public money and fraud undermines the solidarity underlying the system. The fight against fraud is therefore crucial in order to maintain public support for the system, as argued by the State and the objective of the SyRI legislation. 6.4. New technologies - including digital possibilities to link files and analyse data using algorithms - offer (more) possibilities for the public authorities to exchange data with each other as part of their legal duty to prevent and combat fraud. The District Court shares the State's view that these new technological possibilities should be used to prevent and combat fraud. It is of the opinion that the SyRI legislation is in the interest of economic welfare and therefore serves a legitimate purpose. After all, adequate control of the correctness and completeness of data on the basis of which claims are granted to citizens is of great importance. 6.5. However, the development of new technologies also means that the right to the protection of personal data is becoming increasingly important. The existence of adequate legal protection of privacy in the exchange of personal data by (public) bodies contributes to public confidence in government, as does preventing and combating fraud. As NJCM et al. rightly states, it is plausible that in the absence of adequate and transparent protection of the right to respect for private life, a 'chilling effect' will occur. Without confidence in sufficient privacy protection, citizens will be less willing to provide data or there will be less support for this. 6.6. Under Article 8 ECHR, the Netherlands, as a Member State in the application of new technologies, has a particular responsibility to strike the right balance between, on the one hand, the benefits associated with the use of these technologies in preventing and combating fraud and, on the other hand, the interference that this may cause in the exercise of the right to respect for private life. The legislation must provide a sufficiently effective framework for the protection of the right to privacy, which includes the right to the protection of personal data, to enable all the interests at stake to be weighed up in a transparent and verifiable manner. The legislation should allow any person to have a reasonable expectation that his or her private life will be sufficiently respected in the case of SyRI deployment. In the District Court's opinion, SyRI legislation does not meet this requirement. 6.7. SyRI legislation does not meet the requirement laid down in Article 8(2) of the ECHR that interference in the exercise of the right to respect for private life is necessary in a democratic society, i.e. necessary, proportionate and subsidiary in relation to the intended purpose. The court will compare the content of the SyRI legislation with the intrusion into private life that the SyRI legislation makes in the light of the objectives it serves. It is of the opinion that the legislation does not meet the 'fair balance' (the reasonable relationship) that must exist under the ECHR between the social interest that the legislation serves and the intrusion into private life that the legislation represents in order to be able to speak of a sufficiently justified intrusion into private life. In doing so, the court takes into account the fundamental principles underlying data protection under EU law (the Charter and the AVG), in particular the principles of transparency, purpose limitation and data minimisation. It considers that the legislation is not sufficiently clear and verifiable as regards the use of SyRI. It is for this reason that the court will declare Article 65 of the SUWI Act and Chapter 5a of the SUWI Decree ineffective in this judgment on the grounds of conflict with Article 8(2) of the ECHR. 6.8. The District Court sets out below the grounds on which it has reached its verdict. Admissibility and procedural position of the FNV 6.9. First, the court must assess ex officio whether each of the plaintiffs can be received in his or her claims. The State has taken the view that the DBC Free Practices, [plaintiff sub 6] and [plaintiff sub 7] are inadmissible. 6.10. It is not in dispute that the NJCM, the Platform for the Protection of Civil Rights, Privacy First and the Koepel van DBC-Vrije Praktijken are collective interest organizations within the meaning of Section 3:305a of the Dutch Civil Code. According to their articles of association, these litigating parties are authorised to represent the interests of their supporters in court. In the case of the NJCM, these supporters consist of persons or groups whose fundamental human rights have been violated. In the case of the Platform for the Protection of Citizens' Rights, the supporters consist of a network of organisations, groups and individuals who come together in, among other things, the pursuit of a better guarantee and strengthening of civil rights in the Netherlands, in particular the right to privacy and, in the case of Privacy First, of all citizens in the Netherlands. The supporters of the Koepel van DBC-free practices consist of the psychotherapists and psychiatrists of DBC-free practices and their patients/clients. These plaintiffs also actually represent the interests of these supporters. 6.11. The court is also of the opinion that the legal actions in these proceedings are aimed at protecting the interests of the supporters of these four plaintiffs. All interest groups mentioned defend, among other things, the protection of fundamental human rights in general, or the right to privacy in particular. 6.12. Now that NJCM, the Platform for the Protection of Civil Rights and Privacy First, is standing up for the public interest, the court deems these organisations admissible in their claims. 6.13. De Koepel van DBC-Vrije Praktijken stands up for a group of persons whose interests can be individualized, namely the interests of patients/clients of psychotherapists, psychiatrists and psychologists. The Court rejects the State's defence that the Dome of DBC Free Practices is inadmissible in its claims. It considers the concrete importance of the DBC Free Practices Dome in its claims to be sufficiently factually explained. The data that may be part of processing in SyRI, such as, for example, reintegration data with a view to establishing a claim, may relate to the group of patients/clients for which she is claiming. In the context of admissibility, the District Court did not consider it of decisive importance, as the State argued, that no health data may be processed in SyRI. Such a concrete interest is not required for admissibility in this case. Therefore, the DBC Free Practices Umbrella Association can also be received in its claims. 6.14. The State has not put forward any defence against the admissibility of the National Clients Council. The District Court acknowledges that the National Client Council, in view of the interests it represents according to the SUWI Act and its by-laws, definitely has an interest in the outcome of these proceedings. However, the National Client Council is a consultative body. It has no legal personality. Nor are any natural persons acting on its behalf who are authorised to do so in these proceedings. Nor does it appear that there is any other legal basis on which the National Client Council has been granted powers of attorney. It is not apparent from the SUWI Act or regulations based thereon that he has a legal status comparable to that of an employee participation body such as a works council under the Works Councils Act or a healthcare institutions clients' council under the Health Care Institutions (Participation) Act. These are bodies that have the power to institute legal proceedings on specific statutory grounds, given their duties. This is also not apparent from the internal regulations. Contrary to what NJCM et al. advocates, the court therefore sees no basis for analogous application of this legislation. In view of this, the court will declare the National Client Council inadmissible in its claims. 6.15. Also [plaintiff sub 6] and [plaintiff sub 7] the District Court considers their claims inadmissible. NJCM c.s. has not explained in fact that, in the case of these claimants, there are concrete leads from which it can follow that data relating to them are part of the processing in SyRI. plaintiffs sub 6] and [plaintiff sub 7] are among others writers and columnists and citizens in the Netherlands. They are seriously concerned about the use of SyRI by the government. In these proceedings, they have not stated any facts that demonstrate or are likely to demonstrate a possible concrete connection between their own private lives, including their professional activities, and data processing in SyRI. The mere possibility of an abstract assessment as to whether the SyRI legislation constitutes a violation of Article 8 of the ECHR and the circumstance that, on the basis of the SyRI legislation, the personal data of 'any person' insofar as they belong to one of the categories referred to in Article 5a.1 paragraph 3 of the SUWI Decree may possibly form part of a SyRI project, is considered by the District Court insufficient for a sufficiently concrete and personal interest within the meaning of Article 3:303 of the Dutch Civil Code. 6.16. The above means that the National Client Council, [plaintiff sub 6] and [plaintiff sub 7] will be declared inadmissible in their claims. The other plaintiffs, the NJCM, the Platform for the Protection of Civil Rights, Privacy First and the DBC Free Practices umbrella organisation are admissible in their claims. 6.17. With regard to the procedural position of the FNV, the Court notes that the FNV has joined forces with the plaintiffs. It has not independently brought an action against the State. Therefore, the court's decisions in the operative part do not concern any claim of the FNV. 6.18. In so far as the court refers to NJCM et al. below, in view of the above, it only refers to the four admissible plaintiffs and the FNV. General assessment framework 6.19. The issue at stake is whether SyRI legislation constitutes an unauthorised breach of the right that protects privacy. In this context, the court first discusses the general assessment framework it uses. It looks successively at the protection of human rights under the ECHR, the protection under Union law of, inter alia, the Charter and the AVG, and finally at the relationship between the ECHR and Union law and the party debate. Human rights protection 6.20. The right to privacy is a fundamental human right protected by international law in Articles 8 ECHR and 17 ICCPR. These are binding provisions to be applied by the courts under Articles 93 and 94 of the Constitution. 6.21. Article 8(1) ECHR states that everyone has the right to respect for his private and family life, home and correspondence. According to Article 8(2) of the ECHR, intervention by public authorities in the exercise of this right shall be permitted only to the extent provided for by law and in a democratic society, in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals or for the protection of the rights and freedoms of others. Article 17 ICCPR, which offers the same protection of private life as Article 8 ECHR, has no independent meaning in this case, so the court will not go into this further. 6.22. Because the Netherlands is also bound by the ECHR to the jurisdiction of the European Court of Human Rights (hereafter: ECHR; see Article 32 ECHR), the court must base its interpretation of Article 8 ECHR on the interpretation given by the ECHR, or interpret this provision itself, applying the interpretation criteria of the ECHR. 6.23. In the course of time the ECtHR has brought several interests under the notion of private life and thus under the protection of article 8 ECHR. The right to respect for private life also protects a right to personal autonomy, to personal development and self-fulfilment and the right to enter into relationships with others and the outside world. According to the ECtHR, the principles of human dignity and human freedom belong to 'the very essence of the Convention'.13 Together with the notion of personal autonomy, they play an important role in determining the scope of the right to respect for private life. 6.24. The right to personal identity and the right to personal development have also been identified by the ECtHR as part of the right to respect for private life. Moreover, the right to personal identity is closely linked to the right to the protection of personal data. Finally, the right to respect for private life in the case of data processing also touches upon the right to equal treatment in equal cases and the right to protection against discrimination, stereotyping and stigmatisation. 6.25. The right to protection of personal data is not enshrined as an independent right in the ECHR. However, according to ECtHR jurisprudence, the right to protection of personal data in a general sense is fundamental to the right to respect for privacy14. 6.26. Like the parties, the District Court hereafter takes as a starting point that the SyRI legislation affects privacy and therefore falls under the scope of protection of Article 8 ECHR. The legislator, too, takes as a starting point that the provision of data for the purpose of a cooperation arrangement and the deployment of SyRI as provided for in Sections 64 and 65 of the SUWI Act constitutes an interference with the exercise of the right to respect for private life. The legislator explicitly tested the bill against the requirements of Article 8 ECHR, Article 10 of the Constitution and the Wbp, which was still in force at the time, and did not consider it to be in conflict with these requirements. Union law protection 6.27. Under Union law, the right to the protection of personal data as a separate right is primarily protected by the Charter and the Treaty on the Functioning of the European Union (TFEU). Under Article 7 of the Charter, everyone has the right to respect for his private and family life, his home and his communications. Articles 8 Charter and 16 TFEU provide that everyone has the right to the protection of personal data concerning him or her. Article 8 Charter also elaborates on this right, namely that personal data shall be processed fairly for specified purposes and with the data subject's consent or on any other legitimate basis provided for by law. Furthermore, it provides that everyone has the right of access to data which has been collected concerning him or her and the right to have it rectified and that compliance with these rules is monitored by an independent authority. 6.28. Before 25 May 2018, data protection in European secondary legislation was regulated in a general sense by Directive 95/4615 , which had been implemented at national level in the Wbp. With effect from 25 May 2018, after the writ of summons has been issued, the AVG applies. As an EU regulation, the AVG is binding in its entirety and directly applicable. The European legislator has not laid down any transitional law in the AVG. The court must assess the claims of NJCM c.s. according to current law. In view of the nature of the AVG (as an EU Regulation with priority and direct effect) and the assessment to be carried out by the court, this cannot detract from the fact that the Dutch legislator has stipulated in Article 48 paragraph 10 of the AVG Implementation Act (hereinafter: UAVG) that the law applicable to claims that are already pending before the court at the time when the UAVG comes into force will be the law that applied prior to the entry into force of that Act. This provision should not apply in this case. 6.29. With the choice of the legal instrument of the Regulation, the European legislator has underlined the importance attached at the European level to the careful handling of (personal) data. In principle, the AVG thus regulates data protection in the Netherlands exhaustively. At the same time, the AVG leaves room for national legislation in certain areas. Insofar as this is the case, the UAVG applies. The AVG strengthens the existing rights of the person whose data are processed (hereinafter also referred to as: the data subject), such as the requirements for the data subject's consent as a basis for processing (Articles 6, 7 and 8 of the AVG). New rights are laid down by law, such as the right to be forgotten, the right to transfer data and the right not to be subject to profiling (Articles 17, 20 and 22 AVG). In addition, unlike Directive 95/45, the AVG contains the obligation for the controller to take into account, when processing data, the likelihood and seriousness of risks to the rights and freedoms of natural persons (Article 24 AVG). A data protection impact assessment must demonstrate compliance with the Regulation by putting in place measures, safeguards and mechanisms to mitigate that risk (Article 35 GSC). 6.30. The AVG lays down a number of principles on the processing of personal data (see recitals in conjunction with Article 5 AVG). These include the principle of transparency, the purpose limitation principle, the principle of data minimisation, the principle of accuracy and the principle of integrity and confidentiality and finally, as a consequence of the previous principles, the principle of accountability. These principles are further elaborated in the other provisions of the AVG. 6.31. The principle of transparency requires accessible and comprehensible information, communication and simple language, and information to data subjects on the identity of the controller and the purposes of the processing. Independently of this principle, further information should actively be provided to ensure proper and transparent processing of data and individuals should be made aware of the risks, rules, safeguards and rights relating to the processing of personal data and how to exercise their rights in relation to the processing. 6.32. The purpose limitation principle implies that personal data must be collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. 6.33. The principle of minimum data processing requires that personal data are adequate, relevant and limited to what is necessary for the purposes for which they are processed. No more data may be processed than is necessary for the purposes for which they are processed, as also follows from the principle of storage limitation which is also laid down in the AVG. 6.34. Based on the principle of accuracy, the controller must take all reasonable steps to ensure that personal data which are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without undue delay. The principle of integrity and confidentiality implies that personal data are processed by appropriate technical or organisational measures in such a way as to ensure appropriate security. Finally, the AVG obliges the data controller to comply with the above principles, also known as the accountability principle. 6.35. The AVG also contains provisions relating to profiling and a ban on automated individual decision-making, including profiling. Article 4(4) of the AVG defines profiling as any form of automated processing of personal data that uses personal data to evaluate certain personal aspects of a natural person, in particular with a view to analysing or predicting his or her professional performance, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. Pursuant to Article 22 of the General Data Protection Act, there is a general prohibition on fully automated individual decision-making, including profiling, which has legal or otherwise significant consequences for the data subject. Exceptions are possible. Where one of these exceptions applies, measures must be taken to safeguard the rights and freedoms and the legitimate interest of the data subject. 6.36. The guidelines of the Article 29 Data Protection Working Party16 state that the threshold for 'significant degree' should be comparable to the degree to which the data subject is affected by a decision to which a legal effect is attached. According to the guidelines, data processing affects a person significantly when the effects of the processing are large or significant enough to merit attention. The decision must have the potential to significantly affect the circumstances, behaviour or choices of the persons concerned; have a lasting or lasting effect on the data subject; or, in the extreme case, lead to exclusion or discrimination of persons. Mutual relationship between the ECHR and Union law and the party debate 6.37. The ECHR provides for minimum protection of the fundamental right to privacy. The content and scope of EU fundamental rights in the Charter are the same as those of ECHR rights in so far as the Charter contains rights corresponding to the ECHR (Article 52(3) Charter). The rights guaranteed by the ECHR also form part of EU law as general principles (Article 6(3) TEU). Union law therefore provides for at least the same minimum level of protection as the ECHR. However, EU law may provide a broader protection (Article 52(3) Charter). According to the Charter and the AVG, the protection of the EU citizen's right to the protection of personal data is more detailed and goes beyond the ECHR in some respects. 6.38. NJCM et al. focus on the alleged violation of Article 8 ECHR, as confirmed by NJCM et al. at the hearing and understood by the State. The debate between the parties therefore focused on the questions whether the SyRI legislation meets the conditions that Article 8 paragraph 2 ECHR sets for the restriction of the right to respect for privacy. 6.39. NJCM c.s., according to its statements, and the State in its defense, takes the view that Articles 7 and 8 of the Charter offer the same minimum protection in terms of content and scope as Article 8 ECHR. 6.40. NJCM et al. and the State's defences also state, conversely, that the minimum protection provided by Article 8 ECHR also implies that SyRI legislation must comply with the aforementioned general principles of data protection enshrined in EU law in the Charter and the AVG, such as the transparency principle, the purpose limitation principle and the data minimisation principle. The State did not take the view - rightly so in the opinion of the court - that the court is only entitled to review SyRI legislation against those principles if and in so far as that legislation meets the conditions laid down in the ECHR for limitation of the right to privacy. 6.41. The Court will take into account the general principles of data protection set out in the Charter and the AVG when assessing whether the SyRI legislation complies with Article 8 ECHR. In other words, the court will also interpret Article 8(2) ECHR in the light of those principles. There is no evidence that the minimum protection of the right to respect for private life, which includes the protection of personal data, under the ECHR is less far-reaching than the data protection provided by the Charter and the AVG on the basis of the general principles laid down therein. The alleged breach of Article 8 ECHR 6.42. As stated above, it is not disputed that cooperation for the exchange of information and the use of SyRI as provided for in SyRI legislation regularly constitutes an interference with the exercise of the right to respect for private life. In view of the debate between the parties, the court should assess whether the SyRI legislation meets the requirements of Article 8(2) ECHR to justify such interference. 6.43. For the purposes of this test, the court notes in advance that it does not have the task to determine at its own discretion the value or social weight to be attached to the interests involved. Moreover, in view of the nature of the legislative function and the position of the court, it must also exercise restraint in this assessment.17 However, this does not mean that the SyRI legislation should be assessed marginally. As NCJM et al. also argued, the court will not assess the amended legislation marginally, but in accordance with Article 8(2) of the ECHR. 6.44. The District Court will first discuss the extent and seriousness of the interference in the exercise of the right to respect for private life that is, or may be, involved in the event that SyRI is deployed. This interference will be coloured by the answer to the question what exactly SyRI is. The positions of the parties on this matter vary widely. There is also a dispute between the parties as to how the making of a risk statement should be legally defined, namely whether it concerns profiling and automated individual decision-making within the meaning of the AVG. The answer to this question also partly determines the extent and seriousness of the interference in private life in the event that SyRI is used. In summary, the court arrives at a number of starting points for its further assessment. The court then discusses whether the SyRI legislation meets the requirement that interference must be provided for 'by law' and must be necessary in a democratic society in the light of the objectives that the legislation serves. Degree and seriousness of interference; what is SyRI? Undirected trawling, data mining, 'deep learning', 'big data'? 6.45. According to NJCM et al., the deployment of SyRI involves untargeted trawling actions in which personal data is collected for investigative purposes. It argues that this is a digital investigation system on the basis of which citizens are classified in a risk profile and in which the State makes use of 'deep learning' and data mining. According to NJCM et al., there is large-scale, unstructured and random automated linking of files of large groups of citizens, the secret processing of personal data and SyRI works proactively. NJCM c.s. further argues that the use of SyRI falls under what is called 'big data' in (legal) literature and practice. 6.46. In support of its position, NJCM et al. invoked, among other things, an 'unsolicited advice on the effects of digitisation on relations under the rule of law' that the Advisory Division of the Council of State (hereinafter: the Advisory Division) issued to the Cabinet.18 In this advisory report, the Advisory Division notes that in practice 'big data' is generally understood to mean large quantities of data collections that are so large or complex that they can no longer be processed by conventional database systems and that they come from different sources at the same time. In its advisory report, the Advisory Division cited SyRI as an illustration and noted the following: "Profiling as an example The potential dangers of using large collections of data can be well illustrated when profiling to identify persons at increased risk. After all, this can lead to general characteristics being attributed to the individual. (…) In 2014, the Department advised on the implementation of the Risk Indication System. This system gave the Ministry of Social Affairs the opportunity to run various types of files containing citizens' data against each other for the purpose of detecting fraud in taxes or social benefits. This is in keeping with the use of deep learning and self-learning systems, which are after all designed to investigate as many connections as possible without prior assumptions. The downside is that, in a number of cases, data covered by these systems can have a profound impact on a person's privacy. The enumeration of data is so broad that there is hardly any personal data that is not covered by it. The enumeration does not seem to be intended to limit, but to have as much room for manoeuvre as possible". And... and..: "Deep learning - self-learning systems The Tax and Customs Administration is at the forefront when it comes to working with deep learning techniques: it possesses an enormous amount of data about people in the Netherlands and plays a pivotal role in many collaborative ventures, such as the Risk Indication System. In addition, some municipalities also use algorithms to select possible cases of social assistance fraud. The algorithm looks at all kinds of data, such as dates of birth, family composition, benefit history and data from the Tax and Customs Administration, the land register and the Road Traffic Department. (…) The term "self-learning" is confusing and misleading: an algorithm does not know and understand reality. There are prediction algorithms that are now reasonably accurate in predicting the outcome of a lawsuit. However, they do not do so based on the merits of the case. Therefore, they cannot substantiate their predictions in a legally sound way, whereas this is required for every legal case. (…) The reverse is also true: the human user of such a self-learning system does not understand why the system concludes that there is a connection. An administrative body that (partly) bases its actions on such a system cannot properly justify its actions and cannot properly motivate its decisions". 6.47. On the other hand, the State argues that when deploying SyRI, (only) data from existing datasets of designated (government) agencies are compared in order to discover discrepancies with a view to checking claims by the party concerned. With reference to statements made by the Minister19 , according to the State this is a comparison of files with existing factual data. These factual data are compared with each other using a simple decision tree. 6.48. Following NJCM's appeal to the aforementioned unsolicited advice of the Advisory Division, the State referred to the Cabinet's response to this advice. The State Secretary of the Interior and Kingdom Relations mentions in this response: "The Division also describes the risks associated with the digital linking of data in different contexts. An example where data are linked is SyRI (System Risk Indication). Contrary to what the Department assumes, SyRI is neither an application of deep learning nor a self-learning system. SyRI is emphatically not a tool for predicting whether an individual could commit an offence. SyRI is used to compare files containing existing, factual data from the parties referred to in Section 64 of the Work and Income (Implementation) Organisation Structure Act (SUWI), such as the UWV, SVB, B&W colleges, the Tax and Customs Administration and the SZW Inspectorate, and to assess whether there are any discrepancies between these data. If a discrepancy has emerged from the comparison after testing against the risk model, this discrepancy must first be investigated by one or more of the parties mentioned before a decision may be taken that may have legal consequences for the party concerned "20. 6.49. The District Court finds that it cannot verify the correctness of the State's position on what exactly SyRI is. After all, the State has not disclosed the risk model and the indicators that the risk model consists of or may consist of. Also in these proceedings it has not provided objectively verifiable information to the District Court to enable it to assess the State's view on what SyRI is. The reason given by the State is that citizens could adjust their behavior accordingly. This is a conscious choice of the State. This choice is also in line with the principle of the legislator regarding the provision of information about SyRI. SyRI legislation does not show how the decision model of SyRI works or what the indicators are or could be that are used in a SyRI project (see for the concepts of decision model and indicators in 4.23), i.e. what factual data make the presence of a certain circumstance plausible. 6.50. In addition, the District Court established that the SyRI legislation - contrary to what NJCM et al. states - does not provide room for unstructured ('ad random') data collection with the use of SyRI. The number of categories of data that can be used is broad, but still exhaustive. On the other hand, the number of data that can be used when applying SyRI is very large. A total of seventeen categories of data of different nature are covered. Each category, considered in isolation, may also contain a large amount of data. Therefore, depending on the specific SyRI project, there may be large amounts of structured data sets coming from different sources. 6.51. There is also no doubt that the use of SyRI looks for links between data. Indeed, (existing) files are compared with each other with a view to potential hits that indicate an increased risk. SyRI legislation also leaves open the possibility of using predictive analysis, deep learning and data mining when using SyRI. The definition of the risk model in the SUWI Decree does not stand in the way of this. Moreover, SyRI legislation expressly provides for the possibility of adapting a risk model on the basis of an evaluation and, in addition, new risk models with new indicators can be developed (see also 4.24 above). The District Court is therefore (together with the Advisory Division, see above in 6.46) of the opinion that the use of SyRI "fits" with "deep learning" and self-learning systems. To that extent, the District Court follows NJCM et al. This does not affect the fact that, in view of the statements made by the ministers to the House of Representatives, the District Court assumes, as a matter of fact, that no use is currently being made of 'deep learning' and data mining when deploying SyRI, as argued by NJCM et al. 6.52. The District Court will also follow NJCM et al. insofar as the deployment of SyRI involves 'big data' in the sense referred to by the Advisory Division. However, there is no definite definition of this term. Whether the processing of data in SyRI must be qualified as a form of 'big data' is of no importance to the District Court for its further assessment. 6.53. With regard to the use of risk profiles, a distinction must be made between the development of risk profiles on the one hand and their use on the other hand. The District Court assumes that risk profiles based on file links are not currently being developed in SyRI when implementing SyRI legislation. This is as argued by the State in response to the references made by NJCM et al. to the aforementioned Waterproof and Black Box projects. The District Court cannot determine whether risk profiles are actually being developed using file links (see above in 6.49). However, given the purposes for which data are processed in SyRI and in view of the definitions of the concepts of risk model and risk indicator, the District Court considers that risk profiles based on existing factual data are an inherent part of the SyRI instrument. 6.54. Finally, SyRI legislation does not provide for an information obligation on data subjects whose data are processed in SyRI so that those data subjects can reasonably be expected to know that their data are or have been used for such processing. Nor does the SyRI legislation provide for an obligation to inform data subjects individually, where appropriate, of the fact that a risk notification has been made. There is only a legal obligation to publish the start of a SyRI project in advance by publication in the Staatscourant (Government Gazette) and to have access to the register of risk notifications on request afterwards. The model letter that can be used in practice - as was the case in the Rotterdam Bloemhof & Hillesluis project - is not based on a legal obligation to inform those involved 'house-to-house', while the court cannot determine, on the basis of the information available, whether municipalities have a fixed practice in implementing the law. Nor are those concerned automatically informed afterwards. This only happens if there is a check and investigation in response to a risk notification. This is not done automatically. Degree and seriousness of the interference; profiling and automated individual decision-making? 6.55. In that case, in view of the debate between the parties about the extent to which the submission of a risk report affects private life, the District Court will have to assess whether the deployment of SyRI involves profiling and automated individual decision-making. 6.56. It is not disputed that the file link used in a SyRI project meets the definition of profiling within the meaning of Article 4 clause 4 of the AVG. This does not mean, however, that automated individual decision-making as referred to in the AVG is involved. 6.57. NJCM c.s. states, emphatically endorsed by the FNV, that the submission of a risk report by the Inspectorate SZW can be regarded as a decision with legal effect, or at least a decision that affects the parties involved to a considerable extent in any other way, and that this decision is taken on the basis of automated individual decision-making as referred to in Article 22 of the AVG, which is prohibited. According to NJCM c.s., prior to making a risk notification there is no question of significant human intervention; the mere removal of 'false positives' is not to be regarded as such, nor is the assessment by the participating parties after receipt of a risk notification. 6.58. The State disputes the existence of automated individual decision-making and argues that in any event there is no question of a prohibited form of such decision-making. According to the State, all exceptions to the prohibition stipulated in the AVG are met and the amended legislation is surrounded by sufficient safeguards to protect privacy. 6.59. Although in the opinion of the District Court the deployment of SyRI, contrary to what was argued by NJCM et al., as such is not aimed at legal consequences - neither civil nor administrative or criminal - a risk notification does have a significant effect on the private life of the person to whom the notification relates. The District Court derives this conclusion partly from the guidelines of the Article 29 Data Protection Working Party (see 6.36 above). A risk report may be stored for a period of two years and may be used for a maximum of twenty months by the participants in the SyRI project in question. The risk report may also be communicated to the Public Prosecutor's Office and the police on request. The fact that a risk report does not always have to lead to further investigation, or to a sanction (under administrative law or criminal law), nor may it be used as the sole basis for an enforcement decision, does not detract from the significant effect on a person's private life. 6.60. The court leaves open whether the precise definition in the AVG of automated individual decision-making and, if so, one or more of the grounds for exemption from its prohibition in the AVG are met. This is also irrelevant in the context of the court's assessment of whether the SyRI legislation complies with Article 8 ECHR. However, the District Court does consider the aforementioned significant effect of making a risk report and inclusion in the register of risk reports on the private life of the person concerned to be a significant factor in its assessment of whether the SyRI legislation complies with Article 8(2) of the ECHR. This effect will also determine the extent to which the SyRI legislation interferes with the right to respect for private life. It takes into account that part of the right to protection of personal data is the right of everyone to be able to follow their personal data to a reasonable extent and to be informed about the processing of their data. Although the start of a SyRI project is published in the Government Gazette, a risk notification may subsequently be included in the register for a period of two years without this being known to the person concerned. Summary 6.61. In summary, the District Court takes the following principles into account in its further assessment. These principles are important for the extent and seriousness of the interference in the private lives of those involved in the SyRI legislation and will therefore be taken into account in the District Court's assessment of whether such interference is permissible pursuant to Article 8(2) of the ECHR. 6.62. The linking of files in the case of the deployment of SyRI relates to the processing of categories of data listed exhaustively in the SUWI Decree. These data are contained in files containing factual data (personal data or other data) that are at the disposal of the (government) bodies designated by law on the basis of their statutory task. It concerns structured data processing on the basis of existing available files. Depending on the SyRI project, large amounts of data may be collected from many different sources. The data processing uses a risk model that consists of predetermined risk indicators and indicates whether there is an increased risk of unlawful use of government funds and provisions in the field of social security and income-related schemes, tax and contribution fraud, or failure to comply with labour laws. 6.63. There are no indications that the implementation of the SyRI legislation currently involves 'deep learning' and data mining or that risk profiles are being developed. However, the SyRI legislation does offer scope for the development and application of a risk model that involves 'deep learning', data mining and the development of risk profiles. 6.64. Whether the processing of data in SyRI involves 'big data', as argued by NJCM et al. and disputed by the State, is of no further importance for the District Court's assessment. The term has no definite definition. In any case, a very large amount of data qualifies for processing in SyRI. 6.65. Moreover, the risk model currently being used and the risk indicators of which this model consists are 'secret'. This also applies to the data used in a concrete SyRI project (which data have been processed in SyRI). The risk model, the indicators and the data that are actually processed are neither public nor known to those involved. SyRI legislation does not provide for an obligation to inform those whose data are processed in SyRI. There is also no legal obligation to inform data subjects individually about the fact that a risk notification has been made. The District Court furthermore assumes that a risk report has a significant effect on the private life of the person to whom the report relates. Provided by law 6.66. Interference in private life in the application of SyRI must be provided for by law. According to the case-law of the ECtHR, this does not have to be a law in a formal sense, but can be fulfilled by any generally binding rule or even court law. "Some basis in domestic law" is sufficient.21 However, the legal basis for the interference must be sufficiently accessible and foreseeable. This means that the legal basis must be sufficiently clear to allow an individual to adjust his behaviour accordingly.22 6.67. In support of its assertion that SyRI legislation is unlawful, NJCM c.s. relies in particular on the case law of the ECtHR in cases concerning indiscriminate bulk interception (mass surveillance) or targeted interception of data in a criminal or national security context.23 As follows from the above, this is not the case in the case of the deployment of SyRI. As follows from the above, this is not the case in the case of the deployment of SyRI. Therefore, this case law cannot be considered one-to-one as a guideline for the court's judgment. 6.68. The S. and Marper v. the UK case concerned the legality of the UK Data Protection Act (1998), which implemented Directive 95/45 and guidelines based thereon for the use of the Police National Computer in relation to the storage of fingerprints, cellular material and DNA profiles. Although the factual context of this case, too, is not comparable to the present one, the ECtHR judgment contains considerations of a more general nature on data protection. This makes this judgment relevant for the assessment of the (in)legality of the SyRI legislation. 6.69. It follows from the ECtHR judgment in that case that, in order to meet the requirements of accessibility and foreseeability, national law must provide sufficient protection against arbitrariness and define with sufficient clarity the discretion granted to the competent authorities and the manner in which they may be used. According to the ECtHR, the degree of precision required by national law depends to a large extent on it: "the content of the instrument in question, the field it is designed to cover and the number and status of those to whom it is addressed "24 : "It reiterates that it is as essential, in this context, as in telephone tapping, secret surveillance and covert intelligence-gathering, to have clear, detailed rules governing the scope and application of measures, as well as minimum safeguards concerning, inter alia, duration, storage, usage, access of third parties, procedures for preserving the integrity and confidentiality of data and procedures for its destruction, thus providing sufficient guarantees against the risk of abuse and arbitrariness.'25 6.70. According to the ECtHR, the extent to which the legal guarantees are adequate therefore depends on the concrete circumstances and amounts to a weighting of the set of legal guarantees. The extent to which, and the level of detail with which, guarantees must be laid down in law depends on the extent of the interference. 6.71. 6.71. This judgment also shows that the assessment of whether interference is provided for by law may be closely linked to whether it is necessary in a democratic society. The safeguards must be laid down by law, but at the same time they must be sufficient to prevent abuse and therefore proportionate to the objective to be achieved. For this reason, the ECtHR, in the light of its considerations on the latter assessment, did not consider it necessary to assess whether the quality of the law met the requirements of Article 8(2) ECHR. It is considering this issue: "The Court notes, however, that these questions are in this case closely related to the broader issue of whether the interference was necessary in a democratic society. In view of its analysis in paragraphs 105-126 below, the Court does not find it necessary to decide whether the wording of section 64 meets the 'quality of law' requirements within the meaning of Article 8 § 2 of the Convention26. 6.72. The Court - like the ECtHR in that case - leaves open its assessment as to whether the SyRI legislation is sufficiently accessible and foreseeable and thus provides a sufficient legal basis as Article 8(2) ECHR requires for a justified restriction of the right to privacy. In any event, the court finds that the SyRI legislation does not contain sufficient safeguards for the conclusion that it is necessary in a democratic society in the light of the purposes that the legislation serves, as Article 8(2) ECHR also requires. As such, that legislation in its current form does not stand the test of Article 8(2) ECHR and is therefore unlawful. The Court considers the following reasoning to be valid. Necessary in a democratic society; general 6.73. It is necessary to assess whether there is interference necessary in a democratic society in the interests, in this case, of the country's economic well-being. The court states first of all that, in principle, the ECtHR leaves the national authorities of a Member State a margin of appreciation in determining whether a measure is necessary in a democratic society in the interest of one of the purposes of Article 8(2) ECHR. As far as the scope of that margin of appreciation is concerned, the court here refers to a 'certain' margin of appreciation. This margin of discretion necessitates (also, see above in 6.43) restraint on the part of the District Court in its assessment of whether the SyRI legislation is contrary to Article 8(2) ECHR, as the State rightly argues. 6.74. It is not disputed that the SyRI legislation serves a legitimate purpose (see above in 6.4). The provision of data for the purpose of a cooperation and the deployment of SyRI as provided for in the SyRI legislation therefore meets the so-called 'public interest' test, namely that it is in the interest of one of the purposes referred to in Article 8 (2) ECHR. 6.75. The parties dispute whether there is a 'pressing social need', i.e. whether the interference meets an imperative social need. NJCM c.s. states that this is not the case, for which it considers it important that there is very serious interference in the private lives of citizens. In addition, according to NJCM et al., the State has not demonstrated that it is necessary to use such a heavy instrument as SyRI to maintain the social security system. It points out that the broader social views on SyRI are negative, or at least reticent, and that the SyRI projects are therefore not an effective means of combating fraud. 6.76. The District Court rejects this assertion of NJCM et al. The SyRI legislation in itself pursues a sufficiently weighty objective to justify interference in private life. In doing so, the District Court will take into account the principles stated above regarding what SyRI is and the effect on private life in the event that the data processing in SyRI leads to a risk notification, which determines the degree and seriousness of the interference (see above 6.44 - 6.60). Fraud in the field of social security and assistance is extensive: the State has reported amounts of 153 million euros in social security fraud, half to one billion euros a year in assistance fraud, and 135 million euros in social damage as a result of social security fraud.27 Fraud also has indirect effects, including on the integrity of the economic system and confidence in financial institutions.28 Partly in view of the national authorities' margin of discretion, the direct and indirect damage involved in fraud in this area justifies the legislator's conclusion that there is an imperative social need to take measures provided for in the SyRI legislation in the interests of the economic welfare of the Netherlands. 6.77. NJCM c.s. points in this connection to what it calls the real problem, i.e. access at the gate. As far as it is concerned, this problem can only be remedied by imposing stricter requirements on the obligation to demonstrate applications in order to prevent subsequent detection. Apart from the usefulness and necessity of improving the control of applications, NJCM et al. has, in the opinion of the District Court, not provided sufficient facts from which it can be concluded that this control will overcome the objective pursued by the SyRI legislation in such a way that it cannot be said that there is a 'pressing social need' for the SyRI legislation and that it is therefore already non-binding legislation. Nor does the case law of the ECtHR show that the actual effectiveness of the SyRI instrument in the interest of the economic welfare of the Netherlands must, according to the criteria of Article 8 (2) of the ECHR, be established in advance in order to meet the requirement of a 'pressing social need', contrary to what NJCM et al. suggests. There is no question of an unsuitable or a priori disproportionate instrument in the light of the objectives it serves. 6.78. In the opinion of the District Court, the legislator's choice to create a legal basis for data processing for the purpose of a collaboration with a view to the purposes as expressed in Article 64 of the SUWI Act and the legislator's choice for data processing in an instrument such as SyRI therefore meet the general necessity requirement of Article 8(2) ECHR in view of the above. The latter concerns the choice of a technical infrastructure to (be able to) link files with data in a secure environment in order to make analyses, so that risk notifications can be generated. 6.79. However, this does not mean that (the functioning of) the chosen instrument, i.e. SyRI, and the associated procedures and safeguards that the legislator has included in SyRI legislation for its use sufficiently respect privacy in the light of Article 8(2) ECHR. This concrete test does not stand up to the SyRI legislation, as explained by the court below. Necessary in a democratic society; proportionality and subsidiarity 6.80. The court assesses whether the SyRI legislation meets the requirements of necessity, proportionality and subsidiarity under Article 8(2) ECHR in the light of the objectives it serves. There must be a 'fair balance' between the aims of the SyRI legislation and the intrusion into private life that the legislation represents. 6.81. This assessment is based on the content of the SyRI legislation (see Chapter 4 of this judgment). This shows, as the State argues, that the SyRI legislation limits the circle of designated (government) authorities, lists the number of categories of data eligible for processing exhaustively, and obliges the participating designated (government) authorities to assess the necessity of a SyRI project and the data to be processed. In addition, the IS is designated as the processor, which pseudonymises data and the analysis is carried out by the separate analysis unit of the Inspectorate for Social Affairs and Employment (Inspectie SZW). The SyRI legislation also contains retention periods and restrictions with regard to the inspection and use of risk notifications and confidentiality and evaluation obligations. 6.82. For this assessment, the District Court also takes into account the starting points as set out in 6.61-6.65 in summary. These principles are important for the degree and seriousness of the interference of the SyRI legislation in the private lives of those involved. A very large amount of data qualifies for processing in SyRI. The risk model and the indicators that make up the model and the data used in a concrete SyRI project are neither public nor known to data subjects. Furthermore, there is legal scope to adjust the risk model on the basis of feedback results. Finally, there is the fact that the person involved is unfamiliar with the fact that a risk report is made, while making a risk report has a significant effect on the person involved. 6.83. The District Court will compare the content of the SyRI legislation in the light of the objectives that the SyRI legislation serves with the intrusion into private life that the SyRI legislation represents. It will take the view that the SyRI legislation, insofar as it relates to the use of SyRI, does not satisfy the 'fair balance' required for the conclusion that there is justified interference within the meaning of Article 8(2) of the ECHR. It points out the following. 6.84. In the above-mentioned ECtHR judgment on S. and Marper v. the United Kingdom Kingdom, the Court considered: "The Court considers that any State claiming a pioneering role in the development of new technologies bears special responsibility for striking the right balance in this regard".29 The Dutch legislator does not claim to be a pioneer in this respect with respect to the use of the SyRI instrument, whereas in that case, moreover, the storage of DNA profiles for an unlimited period of time was involved. Both the intrusiveness of the intrusion into private life and the safeguards for the protection of privacy in the British legislation tested in that case differ from those in this case. Nevertheless, the court is of the opinion that the State also bears a special responsibility in this matter, as expressed by the ECHR. 6.85. The development of new technologies gives the State, inter alia, digital possibilities to link files and analyse data using algorithms in order to carry out more effective monitoring. The right to data protection is becoming increasingly important in this development, partly because of its speed. The collection and analysis of data using these new technologies can have a profound impact on the private lives of the data subjects. The legislator therefore has a particular responsibility also in the case of the deployment of an instrument such as SyRI: it is difficult for a data subject to assess the exact impact of the instrument on his or her private life and the ECHR requires that the legislation providing a basis for it contains sufficient safeguards to prevent abuse and arbitrariness. 6.86. The legislator has taken account of Article 8 ECHR and the right to respect for private life protected by the ECHR when drafting SyRI legislation. Contrary to the State, the court is of the opinion that the safeguards provided in the legislation for the protection of the private life of the person whose data can be processed in SyRI are insufficient. Taking into account the principles of transparency, purpose limitation and data minimisation, fundamental principles of data protection, the court considers the SyRI legislation to be insufficiently transparent and verifiable for it to be concluded that the interference that the use of SyRI may entail in the right to respect for private life is necessary, proportionate and proportionate in relation to the purposes served by the legislation. It considers the following circumstances, viewed in conjunction, to be relevant in this respect. 6.87. The principle of transparency is the main guiding principle of data protection underpinning and enshrined in the Charter and the AVG (see above on data protection principles 6.27 to 6.34). This principle has, in the opinion of the court, not been sufficiently respected in SyRI legislation in the light of Article 8(2) ECHR. The District Court finds that the SyRI legislation does not in any way provide for information about the factual data that could make the presence of a certain circumstance plausible, i.e. what objective factual data could justify the conclusion that there is an increased risk. In the history of the legislation, only a few examples have been given of indicators that may indicate an increased risk and a potential hit: "For example, there may be cohabitation fraud if, according to the GBA, persons with a benefit and/or supplement are registered at different addresses while they actually reside at a single address. In the case of concealed assets, one should think, for example, of someone whose bank balance increases explosively in a year. Other examples are a person who has several garage boxes in another district and has several vehicles in his name in a short period of time, or a WWB person who has given the Tax and Customs Administration an account number with assets, but who is unknown to the Municipal Social Service. "30 6.88. The State has given a number of other examples which may indicate discrepancies (including the examples that someone who receives benefits as a single person receives a care allowance for married people and several occupants of the same address receive a rent allowance for a different address, while only one occupant can receive rent allowance for an address). He did not explain on what objectively verifiable information these examples are based. 6.89. Furthermore, the SyRI legislation does not provide any information relating to the operation of the risk model, for example on the type of algorithms used in the risk model, nor on the method of risk analysis used by the Inspectorate SZW. The State explained in more detail in this procedure that the risk model consists of (i) risk indicators, (ii) links and (iii) a so-called cut-off point. Depending on the purpose of the investigation, points are awarded for each risk indicator. The level of the score depends, among other things, on the probability of the risk indicator occurring. The more unlikely it is that the specific risk indication occurs, the higher the number of points. The cut-off point, which is determined in advance, implies a threshold. Cases with fewer points than the threshold value will not lead to a potential hit. According to the State, risk models validated by the Inspectorate SZW are used, using verified risk indicators which in practice have been found to indicate an increased risk of abuse or fraud. However, the SyRI legislation does not provide insight into the validation of the risk model and the verification of the risk indicators, nor does the court have such insight in this procedure. 6.90. As a result of the above, it is not possible to verify how the simple decision tree, which the State is talking about, comes about and what steps it consists of. Thus it is difficult to see how a person involved can defend himself against the fact that a risk report has been made in respect of him or her. Likewise, it is difficult to see how a data subject whose data have been processed in SyRI, but who did not result in a risk report, can be aware that his or her data have been processed on correct grounds. The fact that in the latter situation the data did not lead to a risk notification and, moreover, must have been destroyed no later than four weeks after analysis, does not detract from the required transparency with regard to that processing. The right to respect for private life also implies that a data subject must be given a reasonable opportunity to follow his or her data. 6.91. The importance of transparency, with a view to accountability, is also important because the use of the risk model and the analysis carried out in that context carries the risk of (unintended) discriminatory effects. In its advice referred to above in 6.46, the Advisory Division points out that analysing large collections of data, with or without deep learning/self-learning systems, is undeniably useful, but can also have undesirable results, including unjustified exclusion or discrimination. In his letter of 8 October 2019 to the House of Representatives on Information and Communication Technology (ICT)31 , the Minister of Legal Protection recognises that, because of the risk of discriminatory effects, data analyses based on profiling, for example, are wrongly assigned a certain characteristic (false positive) or, vice versa, are wrongly not assigned a characteristic (false negative). 6.92. NJCM c.s., supported by the FNV and the United Nations Special Rapporteur on extreme poverty and human rights, has explained in detail in this procedure that, in its opinion, the use of SyRI has a discriminatory and stigmatising effect. She points out that SyRI is used to investigate neighbourhoods that are already known as problem neighbourhoods. As a result, the chances of irregularities being found are higher than in other neighbourhoods, which in turn confirms the image of a problem neighbourhood, encourages stereotyping and reinforces a negative image of the residents living in the neighbourhood, even though no risk report has been made in respect of them. 6.93. It is true that SyRI has so far only been used in so-called 'problem neighbourhoods', as confirmed by the State at the hearing. This in itself does not necessarily imply that such deployment is disproportionate or otherwise contrary to Article 8(2) of the ECHR in all cases. However, given the large amounts of data that qualify for processing in SyRI, including special personal data, and the circumstance that risk profiles are used, there is a risk that inadvertent links are made with the deployment of SyRI on the basis of bias, such as a lower socio-economic status or an immigration background, as argued by NJCM et al. 6.94. On the basis of SyRI legislation, it cannot be assessed whether this risk has been sufficiently mitigated, due to a lack of verifiable insight into the risk indicators and the (functioning of the) risk model, including the method of analysis used by the Inspectorate for Social Affairs and Employment. The circumstance that the data processing process consists of two phases and that the analysis unit of the Inspectorate SZW checks the decrypted data for investigative value after the IB has linked the files, which provides for human control of false positives and false negatives, is considered insufficient by the District Court for this purpose. After all, the manner in which the final risk selection is arrived at is not public. Nor are the parties involved informed about the manner in which the final risk selection was arrived at and the associated conclusion as to whether or not a risk report was made, whereas the SyRI legislation only provides for general retrospective supervision by the AP. 6.95. In view of the above, the District Court is of the opinion that the SyRI legislation does not provide sufficient safeguards to protect the right to respect for private life in relation to the risk indicators and the risk model that can be used in a concrete SyRI project. Without an understanding of the risk indicators and the risk model, or at least without further legal safeguards to compensate for this lack of understanding, SyRI legislation does not provide sufficient guidance for the conclusion that the use of SyRI always makes interference in private life proportionate and therefore necessary in the light of the abuse and fraud that is intended to be combated, as required by Article 8(2) of the ECHR. 6.96. The District Court is also of the opinion that the SyRI legislation, tested against Article 8 (2) ECHR, does not take sufficient account of the purpose limitation principle and the principle of data minimization. First and foremost, the District Court holds that the definition of objectives in Article 64 paragraphs 1 and 2 of the SUWI Act is sufficiently defined in itself. It is clear in advance which purposes data must be provided for the purpose of a collaboration. The choice of the legislator for a large number of areas in which cooperation can take place and in which data must be provided can also be regarded as justified, in the sense of necessary, proportionate and subsidiary. In doing so, the court also takes into account the importance of the fight against abuse and fraud and the discretion of the State as national authority. The Court rejected NJCM c.s.'s argument and followed the State's defence on this point. In so far as the SyRI legislation does not violate the purpose limitation principle, the District Court considers it to be in breach. 6.97. This will be different if and insofar as those purposes are viewed in conjunction with the large amount of data which, pursuant to Section 65 of the SUWI Act and the SUWI Decree, qualify for processing in SyRI, the circumstance that the necessity test as required by the designated (government) authorities will be carried out separately and there is no question of an integral preliminary test by an independent third party. The necessity test to be carried out by the designated (government) authorities affects both the purpose limitation principle and the data minimisation principle. 6.98. The statutory limitation of the data set lies in the (ultimately) exhaustive enumeration of the categories of data that qualify for processing and the necessity of the data for the purposes served by the specific SyRI project (Section 64 (2) of the SUWI Act seen in conjunction with Section 5a.1 of the SUWI Decree). However, even if the exhaustive list of categories of data is taken as a starting point, as the Advisory Division noted earlier, it is hardly conceivable that personal data will not qualify for processing in SyRI. 6.99. Furthermore, the necessity of the test of whether the provision of data is necessary for a certain project has been left to each of the designated (government) bodies participating in the partnership. This necessity test can and should only be carried out in respect of the data sets available to the relevant (government) authority. SyRI legislation does not provide for an integral prior assessment or an assessment by an independent third party. In other words, a test prior to data processing in SyRI by the Minister at the request of a collaborative venture and with the aim of assessing whether the interference in private life due to all the files linked in that project is necessary, proportionate and subsidiary in view of the specific objective of that project. 6.100. Contrary to what has been argued by the State, the sum of the tests carried out by the participants involved in the SyRI project cannot simply be regarded as an integral preliminary test. In this respect, too, the District Court considers it important that the SyRI legislation does not provide insight into the functioning and validation of the risk indicators and the risk model. After all, the risk model and the risk indicators are also important for the assessment of whether and to what extent the provision of data is necessary and therefore also for the overall effect on private life of the comparison of the various datasets that take place in SyRI. Also against this background, in the opinion of the District Court, a data subject has insufficient certainty that his privacy is safeguarded when using SyRI. 6.101. Moreover, the LSI is only an advisory body. The advice is not binding and has no explicit legal basis. In addition, the LSI consists of representatives of bodies that themselves have an interest in combating and preventing abuse and fraud in the areas referred to in Section 64 (1) of the SUWI Act. Moreover, the Inspectorate of SZW is not only represented in the LSI, but can also be a participant in a partnership for a SyRI project and is charged with the analysis of data for the final risk selection on the basis of which a risk report is made. The District Court cannot assess whether and to what extent the internal functional separation between the various departments of the Inspectorate for Social Affairs and Employment (Investigation Department, Analysis Unit and any other departments involved) is sufficiently guaranteed. The State did not explain this further in response to the defence of NJCM et al. 6.102. The State pointed out, with reference to case law of the Central Appeals Tribunal, that file linking with a view to the selection of control cases has been accepted in case law.32 The case law to which the State refers does not lead the District Court to a different conclusion. As can be seen from the above, the District Court does not consider the use of risk profiles in connection with the exercise of their supervisory task in itself to be contrary to Article 8(2) of the ECHR. The judgments invoked by the State do not concern the use of SyRI, but always concern the exchange of a limited set of data using risk profiles justified by objective criteria. As far as the use of SyRI is concerned, the SyRI legislation does not offer sufficient privacy safeguards because of the large amount of data - of a diverse nature and originating from a large number of different sources - that can be processed. Moreover, there is no insight into the (objective criteria underlying the validity of the) risk indicators and the risk model. In this respect, the cases that led to the case law referred to by the State differ substantially from the legislation to be assessed here. 6.103. The State has also argued that a data protection impact assessment (Privacy Impact Assessment, PIA) has taken place within the framework of the Act and that for this reason a data protection impact assessment per SyRI project does not and does not have to take place. 6.104. The Court considers that Article 35(1) of the AVG requires a data protection impact assessment to be carried out where, having regard to its nature, scope, context and purposes, a type of processing is likely to present a high risk to the rights and freedoms of natural persons. This provision does not apply pursuant to Article 35(10) of the AVG, as the State has rightly pointed out, in the case, in a nutshell, where the specific processing operation or set of processing operations in question is regulated by law and a data protection impact assessment has already been carried out in that context, unless Member States consider it necessary to carry out such an assessment prior to the processing operations. The State pointed out that since the entry into force of the SyRI legislation, a new data protection model of the State administration is in place, tailored to the privacy rules of the AVG. 6.105. Without further explanation, which is lacking, the Court cannot follow the State's defence as to why a data protection impact assessment is not carried out per SyRI project. Indeed, the data protection impact assessment carried out took place before the entry into force of the AVG. On the basis of the information available, the Court cannot assess whether this assessment meets the requirements of the AVG. Nor did the State explain why, in view of the extent and seriousness of the intrusion into private life caused by the processing of data in SyRI, such an assessment does not take place on a project-by-project basis. In this respect it should be noted that, as far as the District Court is aware, since the entry into force of the SyRI legislation there has been a limited number of SyRI projects (five). 6.106. In view of the large quantity of data that may qualify for processing in SyRI and the circumstance that in a specific SyRI project the necessity test is carried out by the individual participants in the project, therefore without an integral and, moreover, no independent test prior to approval by the Minister, the SyRI legislation therefore contains insufficient safeguards for the conclusion that, in view of the principles of purpose limitation and data minimisation, Article 8(2) ECHR has been complied with. 6.107. In view of all of the above, the District Court will not be entitled to assess whether the SyRI legislation is in conflict with one or more specific provisions of the AVG invoked by NJCM et al. and whether the SyRI legislation is in conflict with Articles 6 and/or 13 of the ECHR. The other assertions and defences of the parties will therefore not be discussed by the District Court. The claims of NJCM c.s. 6.108. The question remains what the above means for the claims of NJCM c.s. 6.109. As considered above, the National Client Council, [plaintiff sub 6] and [plaintiff sub 7] will be declared inadmissible in their claims. The assessment of claim VIII, which only concerns [plaintiff sub 6] and [plaintiff sub 7], is not up to the court. 6.110. With regard to the claims of the Platform for the Protection of Civil Rights, Privacy First and the Foundation for DBC Free Practices (Stichting Koepel voor DBC-Vrije Praktijken), the court considers as follows. The District Court considers the SyRI legislation to be contrary to Article 8(2) ECHR insofar as that legislation relates to the deployment of SyRI. Only Section 65 of the SUWI Act and Chapter 5a of the SUWI Decree specifically relate to (the deployment of) SyRI. Section 64 of the SUWI Act regulates the exchange of information for the purpose of a partnership with a view to preventing and combating wrongful use of social security provisions, income-related schemes, tax and contribution fraud and non-compliance with labour laws in general. It follows from the above that the court does not consider Section 64 of the SUWI Act, viewed in isolation, to be contrary to Section 8(2) of the ECHR. 6.111. Furthermore, on fundamental grounds the District Court comes to the opinion that the SyRI legislation, insofar as it concerns (the deployment of) SyRI, is in conflict with Article 8 paragraph 2 ECHR. These grounds relate to both Section 65 of the SUWI Act and Chapter 5a of the SUWI Decree. The combination of the legal anchoring of SyRI in Section 65 of the SUWI Act and the further elaboration in Chapter 5a of the SUWI Decree contains, in view of the legislation as a whole, insufficient guarantees to be able to speak of a sufficiently justified interference in private life in the case of the deployment of SyRI. This does not detract from the fact that the court deems certain choices and principles of the legislator expressed in Section 65 of the SUWI Act and Chapter 5a of the SUWI Decree to be compatible with Article 8 of the ECHR. 6.112. In view of the above, the District Court will rule that Section 65 of the SUWI Act and Chapter 5a of the SUWI Decree are non-binding with respect to NJCM, the Platform for Civil Rights, Privacy First and the DBC Free Practices and those whose interests these parties are defending because they are in conflict with Section 8(2) of the ECHR. To that extent claim IV is granted. For the rest, this claim is dismissed. 6.113. The court will dismiss the remaining claims. With regard to the legal statements claimed in claims I-III, these plaintiffs do not have an independent interest in these claims, in view of the partial granting of claim IV. 6.114. Insofar as claim V relates to the provision of data by the Tax and Customs Administration to other joint ventures on the basis of Section 64 of the SUWI, they have insufficiently explained their claims. Insofar as this claim relates to the provision of data to the Minister in connection with the deployment of SyRI pursuant to Section 65 of the SUWI Act in conjunction with Section 64 of the SUWI Act, they have no independent interest in this claim. 6.115. With regard to the order claimed in claim VI to disclose the risk models used in the specific SyRI project, a procedure for administrative law proceedings with sufficient safeguards will be available. It does not follow from the District Court's judgment regarding the unlawfulness of the SyRI legislation, insofar as it relates to the use of SyRI, that the State is obliged to disclose that model to plaintiffs. 6.116. Claim VII also comes up against the lack of a sufficient independent interest in that claim and has, for that matter, been insufficiently explained in order to be capable of being awarded, irrespective of the deployment of SyRI. 6.117. Finally, the District Court considers claim IX to be formulated in too general a manner to be allowable. The non-binding nature of Section 65 of the SUWI Act and Chapter 5a of the SUWI Decree cannot automatically be linked to the conclusion that the State is obliged vis-à-vis the admissible collective interest groups in these proceedings to destroy all personal data collected in the context of, by means of or for the benefit of the deployment of SyRI and to provide them with evidence of such destruction. Nor does the claim in question lend itself to assessment in the context of a collective action, in view of its close connection with the individual circumstances of the supporters of the collective interest organizations. Legal costs 6.118. The State will be ordered to pay the costs of the proceedings on the part of NJCM, the Platform for Civil Rights, Privacy First and the Umbrella Association of DBC Free Practices and the FNV. The costs on the part of these parties have been estimated to date: - subpoena € 98,01 - court fee € 1.252,00 - lawyer's salary € 1,900.50 (3.5 points x rate II of € 543) Total € 3,250.51 6.119. The claimed statutory interest on the costs of the proceedings is irrefutable. 7 The decision The court 7.1. the National Client Council, [plaintiff sub 6] and [plaintiff sub 7] declare their claims inadmissible, 7.2. declares that Section 65 of the SUWI Act and Chapter 5a of the SUWI Decree are non-binding with respect to NJCM, the Platform for Civil Rights, Privacy First and the DBC Free Practices and those whose interests these parties are defending, on the grounds of violation of Article 8(2) of the ECHR, 7.3. Condemns the State to pay the costs of the proceedings, on the side of the NJCM, the Platform for Civil Rights, Privacy First and the DBC Free Practices and the FNV to date budgeted at € 3,250.51 plus the statutory interest thereon from fourteen days after today until the day of full payment, 7.4. declares this judgment provisionally enforceable, 7.5. rejects it more or otherwise advanced. This judgment was delivered by M.C. Ritsema van Eck-van Drempt, J.S. Honée and H.J. van Harten and pronounced publicly on 5 February 2020. 1 Article 8 of the SUWI Act. Chambers II 2012/13, 33579, 3. 3 Government Gazette 2017, 20624. 4 Act of 9 October 2003, enacting a law on support for employment and the provision of assistance by municipalities (Work and Assistance Act), Bulletin of Acts and Decrees 2003, 375. 5 Chamber documents II 2014/15, 17050, 508. 6 Respectively: Government Gazette 2015, 34927 and Government Gazette 2015, 34927 (https://zoek.officielebekendmakingen.nl/stcrt-2015-34927.html) (corrigendum); Government Gazette 2016, 3826; Government Gazette 2016, 19457; Government Gazette 2018, 12083; Government Gazette 2018, 12088. WGA stands for District Oriented Approach, see also below in 4.24. 7 Act of 9 October 2013 amending the Work and Income (Administrative Organisation) Structure (Structure) Act (Wet structuur uitvoeringsorganisatie werk en inkomen) and any other acts relating to the approach to fraud through the exchange of data and the effective use of data known within the government, Bulletin of Acts and Decrees 2013, 405. 8 Decree of 1 September 2014 amending the SUWI Decree in connection with rules for fraud prevention through the exchange of data and the effective use of data known within the government using SyRI, Bulletin of Acts and Decrees 2014, 320. 9 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation, OJ L 119/1, p. 1. 10 Conclusion of the reply Supports 5.8 with reference to footnote 20. According to the Explanatory Memorandum to the SUWI Decision, there are two standard risk models. 11 Decree of 13 December 2001, laying down further rules on the coordination and provision of services by the Intelligence Office for the benefit of municipalities in the provision of data under both the SUWI Act and the Abw, the IOAW and the IOAZ, and on the financing of the Intelligence Office (Municipalities Intelligence Office Decree), Bulletin of Acts and Decrees 2001, 686. 12 Article 6 Data Protection Implementation Act (Uitvoeringswet Algemene verordening gegevensbescherming). 13 See ECHR 27 October 1995, No 20190/92 (C.R. v. United Kingdom), paragraph 42 and ECHR 29 April 2002, No 2346/02 (Pretty v. United Kingdom), paragraph 65. 14 See inter alia ECHR 4 December 2008, Nos 30562/04 and 30566/04 (S. and Marper v the United Kingdom), paragraph 66. 15 Directive of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ 1995 L 281, p. 31. 16 Production 22 claimants, Guidelines on Automatic individual decision making and Profiling for the purposes of Regulation 2016/679, 3 October 2017; last amended on 6 February 2018. 17 Cf. HR 16 May 1986, NJ 1987/251 (Agricultural pilots), point 6.1. 18 Chamber documents II 2017/18, 26643, 557. 19Chamber documents II 2018/19, Appendix to the acts, 1037. 20Camber pieces II 2018/19, 26643, 578. 21 ECHR 2 August 1984, No 8691/79 (Malone v. United Kingdom). 22 ECHR 26 April 1979, No 6538/74 (Sunday Times v. United Kingdom), paragraph 48. 23 See inter alia ECHR 29 June 2006, No 54934/00 (Weber and Saravia v Germany) and the case law cited there and ECHR 12 January 2016, No 31718/14 (Szabó and Vissy v Hungary). 24 ECHR 4 December 2008, Nos 30562/04 and 30566/04 (S. and Marper v the United Kingdom), paragraph 96. 25 ECHR 4 December 2008, Nos 30562/04 and 30566/04 (S. and Marper v. the United Kingdom), paragraph 99. 26 ECHR 4 December 2008, Nos 30562/04 and 30566/04 (S. and Marper v the United Kingdom), paragraph 112. 27 See conclusion of answer 5.63, with reference to the explanatory memorandum to the bill to amend the SUWI Act, P. Olsthoorn, 'Big data for combating fraud', WRR working paper number 21 and a report by PWC, "Naar een fraudebeeld, Nederland Amsterdam, 19 December 2013. 28 For these indirect effects, see, for example, Parliamentary Papers II 2013/14, 17050, 450 and Parliamentary Papers II 2013/14, 17050, 439, to which the State refers (conclusion of reply, 6.51). 29 ECHR 4 December 2008, Nos 30562/04 and 30566/04 (S. and Marper v the United Kingdom), paragraph 112. 30 Chamber documents II 2012/13, 33579, 3, p. 5. 31Chambers II, 2019/20, 26643, 641. 32 See, inter alia, CRvB 15 December 2009, ECLI:NL:CRVB:2009:BK8311 and CRvB 27 April 2010, ECLI:NL:CRVB:2010:BM:3881.