The Personal Data Authority (AP) is fining the police 50,000 euros. During corona, camera cars were deployed in Rotterdam, without first identifying the privacy risks of this. With the cars driving around, detailed images of people were collected and stored.
The AP's investigation also shows that too many images were taken that were not necessary. For that violation, however, the AP cannot impose a fine.
For five weeks in corona year 2020, the municipality of Rotterdam and the police deployed two cars equipped with 360-degree cameras. With these, the municipality and police wanted to check whether people were keeping 1.5 meters distance from each other.
Even at speeds of 50 kilometers per hour, the cameras can capture sharp images with enough detail to identify people. Far beyond the camera cars, people are identified in images.
The images collected were viewed in a control room, stored and could be forwarded to other police locations. The police are legally responsible for the images because they are considered police data.
Katja Mur, AP board member: 'You want to be able to walk the streets freely in the Netherlands. Without having to expect the government to make sharp recordings of you from moving cars. And that these go to an incident room, so that the government can identify you and, if necessary, take action against you. And even if the government should use such advanced techniques for surveillance, the risks must be mapped out in advance. So that the government can consider in time how to deal with those risks in a careful manner.
The AP requested clarification on the deployment of the camera cars in May 2020, after which they were shut down. After signals that the camera cars were driving around again anyway, the AP launched an investigation.
The AP now concludes that the law was violated in two ways. In addition, the AP notes that there are different views on the basis for the deployment of camera cars.
Prior to taking the camera footage, the police did not conduct an analysis of potential privacy risks. Such an analysis is called a data protection impact assessment (DPIA).
A DPIA was required, however, because the police could have known that deploying the camera cars was likely to pose a high privacy risk. This is because the police were using new technology in deploying these cameras.
In addition, police in public spaces would collect personal data from large groups of people, who are unlikely to know that images are being collected or how they are being used.
This is a violation of the Police Data Protection Act (Wpg), which contains the main privacy rules for the police. The police have acknowledged this violation. The AP is imposing a fine of 50,000 euros for this.
Even at times when no violations of corona measures such as group formation were observed, the camera cars took recognizable images of people on different days. Moreover, this also occurred outside the designated "hot spots," en route from one location to another.
Too many images were thus collected and stored that were not necessary for the performance of police work. The police also acknowledged this violation of the Wpg. While the AP monitors compliance with the Wpg, it cannot impose a fine for this violation.
The camera cars were deployed under Article 3 of the Police Act. The AP notes that there are different views on whether deployment of camera cars for an extended period can be based on this. The AP is therefore working on standards explanations on this article of the law.
Police can still appeal the AP's fine.
