Wi-Fi tracking fine highlights pseudonymisation risks

Out-Law News | 30 Apr 2021 | 2:40 pm | 1 min. read

A fine imposed on a local municipality in the Netherlands highlights the substantial financial penalties organisations face if they fail to manage the risk of re-identification when processing pseudonymised data, Amsterdam-based specialists in data protection law have said.

Andre Walter and Nienke Kingma of Pinsent Masons, the law firm behind Out-Law, were commenting after the municipality of Enschede was fined €600,000 in relation to Wi-Fi tracking. The Enschede municipality has lodged an appeal against the decision.

“This is the first fine the Autoriteit Persoonsgegevens (AP), the Dutch data protection authority, has imposed on a government body under the General Data Protection Regulation (GDPR),” Nienke Kingma said.

According to the AP, the municipality of Enschede engaged contractors to measure how crowded the city centre was. Sensors were used to count the number of people in the city’s shopping streets. The sensors gathered information on the number of people passing close by using Wi-Fi signals omitted from mobile phones. Each phone was registered separately and assigned a unique code.

The AP said that it was possible for the data collected to be used to track individuals’ movements over time, as well as for individuals to be matched to a specific phone code at quiet times. While the AP said that it was not the Enschede municipality’s intention to enable this form of tracking and that it found no evidence such tracking took place, it considered the fact tracking was possible to be a serious breach of the General Data Protection Regulation (GDPR). It said the potential for tracking was not necessary for the municipality to achieve its purpose of crowd-measuring.

Andre Walter of Pinsent Masons said: “This decision is a reminder to organisations in both the public and private sectors that pseudonymised personal data are subject to the GDPR and that the potential re-identification of individuals will sometimes be possible even in scenarios where that might seem unlikely on the face of it. In this case, the Dutch data protection authority argued that individuals could be singled out by enriching the data collected with video footage from surveillance cameras in situations where only very limited number of people were on the streets, such as in the middle of the night.”

Deputy chair of the AP, Monique Verdier, said: “Nobody should be able to track what shops, doctors, churches or mosques we visit. That is private, and it should stay private. So that people can be themselves, without feeling inhibited by possible registration. Municipalities should put this fundamental right of their citizens first. Any system for measuring crowds in the city centre should count people. Not track them.”