The municipality of Enschede will challenge the GDPR fine it received from the Dutch Data Protection Authority in court. The municipality says that it did not collect any personal data and that the AP committed ‘improper administration’.
In April last year, the municipality of Enschede was fined 600,000 euros by the Dutch Data Protection Authority. The municipality called in an external company to use WiFi tracking in the city center to measure visitor flows. Enschede never agreed with that fine. The municipality now says she’s going to court. Enschede denies having collected personal data with the WiFi tracking. MAC addresses were collected during the WiFi tracking. According to the municipality of Enschede, these were ‘encrypted and cut off’, but the AP concluded during the investigation that the data was only pseudonymised. Moreover, the pseudonymization method worked the same on every WiFi counter and would never have changed in the two years that the measurements were running. Clipping of the mac addresses happened according to the fine also only since January 1, 2019, while the study looked at the period from May 2018 to April 2020.
The criticism of the municipality of Enschede mainly lies with that part of the fine. In this specific case, the collected data cannot be traced back to individuals. The Dutch Data Protection Authority disagrees. This states that patterns can be extracted from the mac addresses that can be attributed to specific mobile devices. “The lifestyle patterns can reveal, for example, a person’s place of residence or place of work, as well as more sensitive data, such as visits to medical facilities,” the AP wrote. In 2020, the regulator already took the position that location data cannot be anonymous by definition, because patterns can be extracted from it about someone’s home address.
The municipality of Enschede says that ‘the AP has in no way demonstrated how identifying people was possible in practice in the passerby counts’. That is exactly what the privacy supervisor did in the fining decision. In fact, the AP cited three specific examples where a citizen could be identified based on different types of data collected, both long and short-term. The municipality further says that ‘actual identification never took place’.
Enschede also calls it ‘very bad’ that the AP ‘created the suggestion’ that visitors were identified or followed. “We didn’t want that. We couldn’t do that either,” says alderman Jurgen van Houd, although the AP named three clear identification options.
Van Houd further says: “The municipal council of Enschede remains of the opinion that the AP’s decision does not comply with several principles of good governance, such as proportionality, due care and equality.” He means by this that various Dutch municipalities carried out WiFi tracking and that Enschede received the fine without prior warning and consultation. That’s right; the AP did request information from the municipality and the company first, but sent an ‘intention to enforce’ in May 2020. However, municipalities already received a general warning in 2016 that WiFi tracking was not permitted under the Personal Data Protection Act. That was the predecessor of the GDPR.
The municipality of Enschede has always fiercely opposed the fine. She has already lodged an objection with the AP itself. He declared the complaint unfounded. The fine is one of the highest GDPR fines in the Netherlands to date. It was also the first fine issued by a government agency. Tweakers wrote a background article last year about what happens when the government gives itself a fine.