The government wants to create a central database with data on all cab journeys. So also data on where people get in and out. Someone with access to that database could discover sensitive private matters of passengers. The Autoriteit Persoonsgegevens (AP) points out to the cabinet that it needs to better protect passenger privacy.
The purpose of the central database is to make it easier for the Environmental and Transport Inspectorate (ILT) to check whether cab drivers are complying with the law. Now, data on cab rides are only stored on the cabs' on-board computers. ILT inspectors must read the data in the cab. In the proposal, the GPS coordinates of the starting and ending points of each ride are sent to the ILT. This thus creates a database of all cab journeys in the Netherlands.
'We understand that the government wants to make monitoring easier,' says AP board member Katja Mur. 'But by storing so precisely in one database the coordinates of the departure and arrival points of each cab ride, you unnecessarily expose people taking the cab to privacy risks. Passengers deserve better protection.'
GPS coordinates can often be used to find out which home someone was picked up from, and what their destination was. Mur: "Do you live on a street with few immediate neighbors and use a cab? Then someone with access to that database could find out quite easily where you all go. So even if you take the cab to your therapist every Friday. Or that time you get dropped off at a plastic surgery clinic. Things you have to be able to trust to remain private.
And once such a central database exists, there is also the risk of things going wrong, says Mur: "A data breach is often in a small corner. Through a mistake, a malicious employee or a hacker. We've seen this go wrong often enough, including at government agencies.'
There is also the risk of 'function creep' with this type of database: that the data will eventually be used for things for which it was not originally intended. Mur: "Maybe the police want access. Or the tax authorities and municipalities might find it useful, to check whether people are cheating on benefits or allowances. By linking that data to other data, the government can follow people closely. We shouldn't want that.
The AP reminds the cabinet that it should eliminate major risks in a new version of the proposal. For example, the ILT may only collect location data if the cabinet can give good reasons why it must necessarily do so. The cabinet does not give those reasons now.
But even if the administration can give those reasons, the administration should make it more difficult, where necessary, to trace location data to specific passengers. For example, by making location less accurate with simple adjustments.
Moreover, the proposal does not specify when the ILT deletes the data. Mur: 'There should be a clear boundary there: as soon as the data is no longer needed, it should be destroyed. Because: data you don't have, can't leak.'
