Fine for failing to conduct a risk analysis before using camera cars in Rotterdam
An investigation by the DPA also shows that too many images were collected unnecessarily. The DPA, however, cannot impose a fine for this violation.
Monitoring the public
In the context of the COVID-19 pandemic, over a period of five weeks in 2020 the municipality of Rotterdam and the police used two cars equipped with 360-degree cameras to monitor whether people were keeping a distance of 1.5 metres from each other.
Even when travelling at 50 kilometres an hour the cameras can take pictures sharp enough and with enough detail that the people in the images can still be identified. Recognisable images were taken of people well beyond the camera cars’ immediate vicinity.
The images collected were viewed in a control centre, saved and could be forwarded to other police locations. From a legal point of view, these images are considered police data and the police are therefore responsible for them.
‘People in the Netherlands want to be able to walk around freely without cars driving around recording them in detail for the government,’ explains DPA board member Katja Mur. ‘Or images of them being viewed in a control centre somewhere so that the government can identify them and, if it wants, take action against them. And in the event that the government does have to use such advanced surveillance techniques on the public, it should first assess the risks this might entail so that it can consider in a timely manner how to carefully deal with these risks.’
In May 2020, the DPA requested an explanation regarding the use of the camera cars, after which the use of the vehicles was halted. Following indications that the camera cars were nevertheless being used again, the DPA initiated an investigation.
The DPA has now concluded that the use of camera cars violated the law in two ways. The DPA also established that there were differing views regarding the legal grounds for the use of camera cars.
Failure to assess risks beforehand
Before taking any images with the cameras, the police failed to carry out an analysis of the possible risks this could entail in terms of privacy. This kind of analysis is known as a data protection impact assessment (DPIA).
The police could have known that using camera cars would pose a significant privacy risk, so a DPIA should have been conducted. By using these cameras the police were using new technology.
What’s more, the police were going to collect personal data in public spaces from large groups of people who would not likely be aware that images of them were being collected or how those images would be used.
This violates the Police Data Act (Wpg), in which the main privacy rules for the police are laid down. The police have acknowledged this violation, for which the DPA has imposed a fine of €50,000.
Disproportionate and unnecessary
Even when no violation of coronavirus measures such as the ban on gathering in groups was identified, on numerous days the camera cars nonetheless still took recognisable images of people.
What’s more, this also occurred in places other than designated hotspots, while en route from one location to another.
Too many images were collected and saved that were not necessary for the police to carry out their work. The police acknowledged this violation of the WPG as well. Although the DPA monitors compliance with the WPG, it cannot impose a fine for this violation.
The camera cars were used on the basis of section 3 of the Police Act. The DPA has established that there are various views as to whether the use of camera cars over a longer period of time is justifiable on the grounds of this legislation. The DPA is therefore working on an explanation of standards concerning this provision.
What happens next?
The police can lodge an objection to the fine imposed by the DPA.