The Dutch information watchdog, the Autoriteit Persoonsgegevens (AP), has fined the city of Enschede € 600,000 for tracking its citizens’ movements without permission. It is the first time that a Dutch government body has been fined by the AP. The investigation was set in motion after the AP received a complaint about tracking.
The Autoriteit Persoonsgegevens is the Dutch supervisor that has been commissioned to keep an eye on how companies and governments process Personally Identifiable Information (PII) in the Netherlands. In other words, it guards privacy-sensitive information, and how it is handled.
What did Enschede do wrong?
The city of Enschede hired a company to keep track of how crowded its city center was. The company it hired used Wi-Fi-tracking to measure how many people were present at one time. The Wi-Fi-tracking system assigned a unique ID to each passing phone that had Wi-Fi enabled (based on each phone’s unique MAC-address), so it could count the number of these phones, which gave them a pretty accurate idea of the number of people.
However, because this method of measurement was used over a period of years (2017-2020) that overlapped with the period in which the EU’s General Data Protection Regulation (GDPR) came into effect, the AP ruled that the method, which was intended for counting, had turned into something that could be used for tracking.
The AP mentioned in its ruling that since a MAC-address is a unique identifier for a device, and since mobile devices like phones and tablets are mostly personal items, they can be used to identify a person. The system in Enschede used pseudonymization for the MAC addresses, but the AP ruled that was not enough to make the data truly anonymous, as they could still be combined with other data.
The AP ruled that the privacy of regular visitors and inhabitants of the city was compromised because they could be tracked without a real necessity. This was never the intention, but the fact that Wi-Fi-tracking over a prolonged period made this possible was reason enough for the steep fine.
In its ruling, the AP was adamant about the distinction between counting and tracking and emphasized how important it is that citizens should not be followed around, intentionally or not.
Tracking data can be turned into PII
If you find the same phone often enough, data intended for counting can be turned into data suitable for tracking. And if you put in enough effort and have enough data points you can establish patterns that can be used to identify a person (when this approach is used deliberately and legitimately, it’s called “Big Data”, for good reason). For example, if the same phone checks in at a certain point at 9 AM and leaves around 5 PM, you can make the assumption that the owner of that phone probably works in or near that location.
And even if none of the companies collecting or accessing that data intend to use it for that purpose, they, or anyone buying or stealing the data, could.
The AP has strict rules about using Wi-Fi and Bluetooth-tracking and makes it clear that it is forbidden in most cases. It describes the large numbers of data points that can be collected by such tracking as “indirectly identifiable data” because while it is pseudonymous, it can be used to track people, and can be combined with other data to unmask individuals and render PII. For example, combining Wi-Fi-tracking with CCTV footage or payment data.
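The counting versus tracking distinction, as an added example that is not taken from the AP ruling or from the system used in Enschede: the same constructed sightings are pseudonymized once with a single long-lived key and once with a per-day key that is discarded afterwards, assuming HMAC-SHA256 as the pseudonymization scheme. The daily counts come out identical, but only the long-lived key leaves pseudonyms that can be linked across days.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample sightings (day, MAC address); not real data.
SIGHTINGS = [
    ("2020-01-06", "aa:bb:cc:00:00:01"),
    ("2020-01-06", "aa:bb:cc:00:00:01"),  # same phone seen twice that day
    ("2020-01-06", "aa:bb:cc:00:00:02"),
    ("2020-01-07", "aa:bb:cc:00:00:01"),
    ("2020-01-07", "aa:bb:cc:00:00:03"),
    ("2020-01-08", "aa:bb:cc:00:00:01"),
    ("2020-01-08", "aa:bb:cc:00:00:02"),
]

def pseudonym(key: bytes, mac: str) -> str:
    """Keyed hash of a MAC address (assumed scheme: HMAC-SHA256, truncated)."""
    return hmac.new(key, mac.encode(), hashlib.sha256).hexdigest()[:16]

def pseudonymize(sightings, key_for_day):
    """Replace each MAC with a pseudonym, using the key chosen for that day."""
    return [(day, pseudonym(key_for_day(day), mac)) for day, mac in sightings]

def daily_counts(records):
    """Unique pseudonyms per day: the crowd-counting result."""
    per_day = defaultdict(set)
    for day, pid in records:
        per_day[day].add(pid)
    return {day: len(ids) for day, ids in sorted(per_day.items())}

def linkable_across_days(records):
    """Pseudonyms seen on more than one day, i.e. devices that can be followed."""
    days_seen = defaultdict(set)
    for day, pid in records:
        days_seen[pid].add(day)
    return {pid: sorted(d) for pid, d in days_seen.items() if len(d) > 1}

def static_key_records(sightings=SIGHTINGS):
    """One long-lived key: the same phone gets the same pseudonym every day."""
    key = secrets.token_bytes(32)
    return pseudonymize(sightings, lambda day: key)

def daily_key_records(sightings=SIGHTINGS):
    """A fresh random key per day, never stored: pseudonyms differ between days."""
    keys = defaultdict(lambda: secrets.token_bytes(32))
    return pseudonymize(sightings, lambda day: keys[day])
```

Within a single day the per-day pseudonyms are still tied to one device, so the rotation period bounds how long a device can be followed.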
Who had access to the data?
The city and two companies that were involved in the measurements had access to the raw data. One of the companies carried out the order from the city and the other maintained the hardware and processed the data. The AP held the city responsible since it was the commissioning party. The city has filed an appeal against the ruling because they do not consider the data to be PII and their sole objective was counting, not tracking.
100 other cities
The company that operated the sensors in Enschede has 100 other cities and townships among its customers. But, when asked, it stated that the data gathered with Wi-Fi-tracking was no longer saved for more than 24 hours, which, given the original goal for gathering the data, makes perfect sense.