Dutch city hit with €600,000 GDPR fine over Wi-Fi counters

The Dutch Data Protection Authority (DPA) has fined the City of Enschede €600,000 (US$730,000) for its use of Wi-Fi sensors to measure the number of people in the city centre.

It is understood to be the first time the regulator has imposed a fine on a government body under the General Data Protection Regulation (GDPR) but the case could have implications for cities well beyond the Netherlands.

The DPA accepted that it was not the city’s intention to track people and found no evidence to suggest that this actually took place.

However, it said: “Using Wi-Fi tracking that makes it possible is in itself a serious violation of the privacy law: the GDPR.”

The municipality of Enschede is appealing the decision and said the accounts are anonymous and that no personal data has been processed.

“We do not follow, we only count,” a spokesperson told Cities Today.

Individual movements

In 2017, Enschede engaged a contractor and began using sensors to detect the Wi-Fi signals from mobile phones of passers-by in the city centre. Each phone was registered separately and given a unique code, according to the DPA.

Although the purpose was counting, the DPA said: “If, however, you monitor over a longer period of time which phone passes close to which sensor, that ‘counting’ becomes tracking.”

The DPA asserts that it was possible for the data to be linked with individuals and for movements to be tracked over time.

“When it’s relatively quiet, you can see exactly which person belongs with which code. Or you can look at patterns: if a person arrives at the same location every day at 08.00, and leaves again at 17.00, that means they work there,” DPA deputy chair Monique Verdier explained.

She added: “Nobody should be able to track what shops, doctors, churches or mosques we visit. That is private, and it should stay private. So that people can be themselves, without feeling inhibited by possible registration.”

A statement from the City of Enschede said: “The municipality is of the opinion that identification of individuals on the basis of the processed data from the anonymous Wi-Fi measurement is not possible.”

The city maintains that the 2017 deployment met the privacy laws and regulations applicable at that time, and when GDPR was introduced a year later, it took active steps to comply.

Enschede stopped using the Wi-Fi sensing on 1 May 2020.

“We feel punished”

Enschede Mayor Onno van Veldhuizen said: “We feel punished for something that we did not intend and which actually did not happen. Guaranteeing the privacy of our inner-city visitors has been a condition from the start. Visitor counts are necessary to measure the effect of investments and policy on the attractiveness, liveability and safety of our city. The past year, during the corona pandemic, has shown that being able to monitor the hustle and bustle in our city is more topical than ever.”

The city said a ban on anonymous measurements would be a “step back in time”.

Wider implications

The case is likely to rattle nerves in European cities and beyond. Many have deployed technology to measure footfall during the pandemic, if not before. These technologies are also regularly used at airports and events and in route navigation systems.

Andre Walter, Head of Data Law Solutions (Netherlands) at law firm Pinsent Masons, told Cities Today that more action of this type may be on the horizon, particularly given the pandemic-induced rise in crowd monitoring solutions as well as contact-tracing apps and emerging digital ‘vaccine passports’.

“Be very careful with pseudonymous personal data – it has to be treated as ‘personal data’ under the GDPR and other regulations,” he commented. “Select appropriate data privacy and security measures carefully.”

“Frequently changing the pseudonymisation key is important,” he said, adding that measurements of low numbers of people should be excluded. Otherwise, for example, if one person is registered in the middle of the night, they might be identified by video footage.

Walter said techniques such as Wi-Fi counting can be deployed in a privacy-compliant way.

Communication and transparency on the implementation are key with regards to the data subject and other stakeholders, he noted.

Image: Irstone | Dreamstime.com