The Dutch Data Protection Authority has imposed a fine of 600,000 euros on the municipality of Enschede for Wi-Fi tracking. According to the regulator, the privacy of citizens was not properly guaranteed. It is the first time that a government has been fined by the AP.
Enschede began measuring the traffic in the city center using sensors in 2017. For this, a company was hired that used WiFi signals. Each telephone was registered separately with a unique code; by counting how many phones there are, you then know how busy it is.
The fine covers the period from May 2018 (when the AVG came into effect) up to and including May 2020. Since then, the municipality has stopped.
‘You could follow people’
When it is monitored over a longer period of time which telephone passes a measuring box, this counting changes into tracking people, the watchdog finds. The Dutch Data Protection Authority calls the practice very bad.
Vice-chairman Monique Verdier: “With that data you could follow people through the city center of Enschede. At a quiet moment you can see exactly who belongs to which code.” It also shows patterns, says Verdier. Anyone who leaves somewhere at eight in the morning and leaves at five in the afternoon probably works there.
No evidence of data abuse
The watchdog has no indications that the data has been misused. Nevertheless, it is referred to as a “serious offense”. The fine is for the municipality and not for the company that carries out the assignment, because Enschede is ultimately responsible in this case.
In a response, Mayor Onno van Veldhuizen of Enschede says: “We feel wrongly punished for something that we did not intend and which actually did not happen”. Enschede is of the opinion that “identification of individuals on the basis of the processed data from the anonymous WiFi measurement is not possible.” The church says, “We don’t follow, we just count.” Enschede therefore objects to the decision of the AP.
The company behind the sensors says that it is active outside of Enschede in about 100 Dutch municipalities with measurements via WiFi signals. The company does not want to say whether they worked there in the same way. It does let us know that the method has now been adjusted, so that data, among other things, is not stored for longer than 24 hours.
The Dutch Data Protection Authority has investigated Enschede after a complaint from a citizen. The AP makes no statements about possible other investigations into other municipalities. “But I can still hope that municipalities, now that they hear this, will very soon review their system,” says Verdier.