European transport companies believe they have "legitimate interest" in mass surveillance of all train passengers in the EU.
A view from Dutch Railways (NS) in October 2025 reveals that European railroad companies have jointly set up a surveillance system they call Electronic Ticket Control Database (ETCD). This system stores the personal travel data (name, sometimes date of birth, travel date and time, travel route, ticket specifications, customer history) of all train passengers who purchase so-called "e-tickets," for example by booking train journeys via the Internet or at a station counter. In the Netherlands, only e-tickets are now available for the vast majority of international travel routes in the EU. Transport companies such as Deutsche Bahn and French SNCF have phased out the sale of other tickets in the Netherlands.
The ETCD system seems to have been quietly built up in recent years by railroad companies united in the industry association UIC(Union Internationale des Chemins de Fer / International Railway Union). The existence and scope of the system was recently revealed by a view expressed by NS in a legal suit filed since 2018 by privacy activist Michiel Jonker. He twice requested enforcement from the Dutch Autoriteit Persoonsgegevens (AP).
In August 2024, the AP made a second decision not to investigate the case. To this, Jonker filed an objection. Initially, NS did not want to provide input into the objection process, while the AP said it did not want to prioritize it. After several interventions by Jonker, followed by a plea from the AP, NS still sent a view in October 2025 providing more information.
Jonker: "I am shocked by this information. This means that the intention of these companies is to have the location data of everyone who travels around the EU on public transport continuously available to themselves and any interested government agencies. After all, for air travel within the EU, this is already currently being done via an extension of Passenger Name Records (PNR) presented as "temporary," and of course they will want to extend this to tracking people taking the bus as well. Travelers will not be given a choice as to whether they want their trip recorded or not. This ETCD is reminiscent of EHDS, the European Health Data Space, in which the EU wants to store the personal medical data of everyone who receives or needs medical care in the EU. At least that still required European legislation. But this ETCD is happening - in name only - completely outside the government, without any democratic control, not even indirectly. And now NS is saying to the AP, "Don't interfere. We are allowed to do this because we are private transportation companies.' Baffling. This is a huge scandal. We also know by now how risky it is to store sensitive personal data - location data of identifiable individuals - in such huge systems."
For the first time, NS now also argues a so-called "legitimate interest" (Article 6.1(f) AVG) for this data processing. Jonker. "This is a new argument that NS brings in at the very last minute, only after the hearing in the objection procedure. Until now, NS always said that claiming this personal data was allowed on the basis of a contract that passengers enter into with NS, namely the general terms and conditions that NS has unilaterally drawn up and imposes on customers (Article 6.1 under b AVG). In addition, NS believed it had a legitimate interest because of its desire to inform travelers about delays always and everywhere - regardless of whether citizens want this. I myself, for example, do not want to be informed unsolicited at home, I prefer to look it up myself on the NS website, or on the signs in the stations. But now NS says they need passengers' names and other personal data for fraud prevention, whereas with traditional tickets that was not necessary at all. Those privacy-friendly tickets, however, the railroad companies want to phase out. In the Netherlands, this has already been done for almost all train tickets to foreign countries."
Another worrisome development is NS' desire for ticket sellers to have a new role as independent data controllers who are allowed to set their own purposes for data processing. This would circumvent the "purpose limitation" requirement set forth in the AVG. Jonker: "NS thinks of itself as an independent data controller for train tickets from Deutsche Bahn, SNCF or other transport companies that they have NS sell in the Netherlands, so NS is allowed to set its own purposes for that processing. I obviously disagree with that. For those tickets, NS is only a processor, not the processing controller. After all, NS only gets access to that data because Deutsche Bahn or SNCF issue an order to NS to sell those tickets."
NS also seems to want to create an entirely new role for itself as a "publisher" of tickets, a kind of intermediary between a transportation company and a ticket seller. Jonker: "NS is steering toward a kind of miraculous multiplication of data controllers who are all allowed to set their own goals. The only thing that such a "publisher" of train tickets would add to transportation and ticket sales is the gobbling up of travelers' personal data. That would be the goal. NS started doing that in the Netherlands years ago with the creation of subsidiary Trans Link Systems (TLS), which processes OV-chipcard data of travelers. Apparently NS and foreign transport companies such as Deutsche Bahn and SNCF want to roll out a similar technical system for mass surveillance EU-wide, without any democratic legitimization."
Jonker hopes that after the objection he filed, the Autoriteit Persoonsgegevens (AP) will still be willing to take enforcement action against Deutsche Bahn, SNCF and other relevant transport companies. Jonker: "The AP has so far refused to investigate, but legally it really can't avoid it anymore. Especially not now that the French Raad van State (the Conseil d'État) in a similar case has obliged the French regulator to take enforcement action against SNCF's unlawful claiming of certain passenger data. The AP, along with other regulators, has the authority and resources to enforce. There is no legitimate reason for the AP to refuse to investigate any longer."
The AP has indicated it first wants to wait for a ruling from the Dutch Administrative Law Division of the Raad van State in another case, also conducted by Jonker. Jonker: "That is about the acceptance of cash payment in a cinema, for cinema tickets. There, too, the AP refuses to investigate. This violates not only the AVG, but also Article 8 ECHR. The AP wants to wait to hear what the Raad van State will say about the relevance of Article 8 ECHR. In itself I can understand that, but it should not become yet another excuse to delay decision-making. Both with those cinema tickets and train tickets I have been dealing with since 2018, and still the AP refuses to even seriously investigate both cases. Such behavior is unworthy of a regulator. After all, we are talking about millions of people who want to be able to participate culturally and socially and travel with privacy."
Litigation documents filed by Jonker can be viewed HERE (timeline of proceedings from 2020 to the present).
