The Dutch Burgernet initiative was set up as a means of efficiently resolving criminal activity. Users of the app are automatically notified of crimes having been committed in their residential area. A recent study by the Privacy First Foundation, however, suggests potential issues with safeguarding the privacy of users of the Burgernet app.
“Burgernet” (Citizens’ Network) is the result of a joint initiative by the Dutch national police force, Dutch municipalities and citizens, aimed at the efficient resolution of criminal activity. Persons using the Burgernet app automatically receive notifications of burglaries, robberies and other cases of petty crime in their residential environments. So far, so good. Not so good are the results of a recent investigation into Burgernet’s privacy protection by the Privacy First Foundation, which brought to light several issues.
In a reaction to these results, Dutch MP Michiel van Nispen has put forward a number of parliamentary questions addressed to the Minister of Legal Protection, asking for clarification.
One of the issues reported by Privacy First has to do with the concept of data minimisation, the problem being that, apart from asking users to provide their live location, which information is necessary for the system to achieve its purpose, the Burgernet app also collects other user data, such as their zip codes and house numbers.
So, the question we will try to answer in this week’s blog is: Does Burgernet comply with the requirement of data minimisation? In order to answer this question, we will first take a look at the principle of data minimisation itself and explain what it means.
Data minimisation implies that no more personal data are being processed than is necessary for the purpose of processing. What this requirement is intended to achieve is to prevent processing of excessive volumes of partially unnecessary data. The concept is mentioned, sometimes in different wording, both in the GDPR and in jurisprudence of the European Court of Human Rights (ECHR), the latter, for instance, having decreed in the Santander arrest that compliance with the principle of data minimisation is required even when for the processing itself consent has been obtained. Consent, in other words, cannot be seen as a license for storage and processing of disproportionate amounts of data.
In the current European privacy legislation, the principle of data minimisation is mentioned multiple times, for instance in Article 5,1,c of the GDPR which stipulates that processing of personal data must be ‘adequate, relevant and limited to what is necessary in relation to the purposes’ (of processing). Here, as in other places, data minimisation is the actual term used in the GDPR. Organisations processing more data than is necessary to achieve the purpose or processing, are acting in violation of Articles 5 and 6 of the GDPR.
In an article published on the RTL Nieuws site, a spokesperson of the Dutch police force states that Burgernet does comply with the principle of data minimisation and that the data are being stored in a secure police environment. In a reaction to one of the questions raised by Privacy First – as to why the Burgernet app asks users to provide their private address – the spokesperson explains that users can also participate in neighbourhood surveys as part of a separate feature of the app for email notification of burglaries in the user’s residential area. For users of this feature to be able to take part in neighbourhood surveys, their home address is part of the necessary data.
This does, however, contradict Burgernet’s own privacy statement, which mentions that zip code, house number, telephone number and email address are being stored as soon as people register for Burgernet. It specifically does not say that these data will only be stored if a person chooses to use the extra functionality for digital neighbourhood surveys.
Seen in this light, the conclusion drawn by Privacy First, to the effect that Burgernet fundamentally does not comply with the principle of data minimisation, has to be qualified as correct. If Burgernet would not store address data of users indicating that they will not be using the digital survey feature of the app, this would be a completely different story. In that case, Burgernet would check the box of meeting the requirement of data minimisation. If this interpretation is correct, then it is up to Burgernet to change its privacy statement so that it will clearly specify the exact purpose of data processing and to explain which data are used for which service. These changes should be made as soon as possible.