Dutch DPA fines municipality for Wi-Fi tracking
The Dutch Data Protection Authority (DPA) has fined the municipality of Enschede €600,000 for using Wi-Fi tracking in the city centre in a way that is prohibited. The Wi-Fi tracking made it possible to track shoppers and people who live or work in the city centre.
Update March 2024
On February 2, 2024, the District Court of Overijssel ruled that the DPA has not proven that the municipality of Enschede has processed personal data and that the DPA has wrongly imposed a fine. The DPA has appealed against this ruling.
Wi-Fi tracking in Enschede
In 2017 the mnicipality of Enschede decided to measure how crowded the city centre was, using sensors. It contracted a company that specialises in conducting people counts.
Sensor equipment was placed in the shopping streets that detected the Wi-Fi signals from the mobile phones of passers-by. Each phone was registered separately and given a unique code.
This makes it possible to measure how crowded the street is by counting how many phones are near a sensor at a particular time. If, however, you monitor over a longer period of time which phone passes close to which sensor, that ‘counting’ becomes tracking.
A DPA investigation of the municipality of Enschede revealed that this was indeed the case. People’s privacy was therefore not properly protected, as they could be tracked without this being necessary.
It was not the municipality’s intention to track people, and the DPA found no evidence to suggest that this actually took place. But using Wi-Fi tracking that makes it possible is in itself a serious violation of the privacy law: the General Data Protection Regulation (GDPR).
‘People’s privacy must come first’
‘If people can be tracked via their phones that is a bad state of affairs,’ said DPA deputy chair Monique Verdier. ‘Everyone has the right to go about their business outside freely and without being spied on. Without the government or any other party being able to watch you or keep track of what you’re doing. That is part of our free and open society.’
‘Nobody should be able to track what shops, doctors, churches or mosques we visit. That is private, and it should stay private. So that people can be themselves, without feeling inhibited by possible registration.’
‘Municipalities should put this fundamental right of their citizens first. Any system for measuring crowds in the city centre should count people. Not track them.’
Tracking people
The municipalities and two companies had access to the data. ‘That data could be used to track people in the city centre of Enschede,’ Ms Verdier explained. ‘When it’s relatively quiet, you can see exactly which person belongs with which code. Or you can look at patterns: if a person arrives at the same location every day at 08.00, and leaves again at 17.00, that means they work there.’
The violation started in May 2018. Following the intervention by the DPA, the municipality stopped using Wi-Fi tracking on 1 May 2020.
Wi-Fi tracking prohibited in most cases
The use of Wi-Fi tracking is subject to strict conditions, and in most cases it is prohibited. ‘Because this technology can affect people’s daily lives so profoundly, it must be used only in exceptional cases,’ said Ms Verdier.
‘In some situations municipalities are allowed to process personal data using Wi-Fi tracking, for instance if this is necessary in order for them to carry out their statutory duties. But if the DPA establishes that a municipality or business is using Wi-Fi tracking unlawfully, they run the risk of a hefty fine,’ she added.
Businesses and municipalities can obtain more information about the use of Wi-Fi tracking from the DPA website. The DPA advises municipalities to scrutinise any proposed or ongoing projects that involve Wi-Fi tracking.
The municipality of Enschede lodged an objection against the decision.