For some years, the key card system for underground waste containers used by the municipality of Arnhem in the Netherlands has been causing privacy concerns. On 30 June 2021, the Administrative Jurisdiction Division of the Dutch Council of State rejected an enforcement request related to the latest version of this system.
From this judgment we can learn that it is important for government agencies to carefully determine the purposes of the data processing prior to starting the processing. If the determined purposes are, in all reasonableness, in line with the general interest they service, there appears to be a relatively large scope for legitimate processing.
Background
In June 2016, an Arnhem resident submitted an enforcement request to the Dutch Data Protection Authority (‘Dutch DPA’) because household waste could no longer be put out anonymously. Following that request, the Dutch DPA started an investigation which resulted in 2017 in an order subject to a penalty for non-compliance. At the time, the Dutch DPA concluded that the municipality did have grounds for the processing of personal data for creating and managing the key card and opening underground waste containers, but that the grounds for storing personal data on the waste system's controller were absent. The Dutch DPA added that, as soon as Arnhem were to implement the pay-as-you-throw (PAYT) principle, then this would constitute sufficient grounds to justify the data processing.
The municipality stopped the unlawful processing by leaving the underground containers open, and then changed the key card system. After implementing these changes, the system works as follows: residents present their key card to the card reader, which compares the internal chip code to the list of authorised key cards stored on the card reader to check if the card provides access to the underground container. If the key card is authorised, the container opens and the waste can be deposited in it. The key card's internal chip code is then immediately converted into a generic 9999 number. That anonymised number is stored on the card reader, stating the time at which the container opened and a number of technical aspects related to the container.
At the municipal executive's request the Dutch DPA lifted the order that it had imposed. The person who submitted the original enforcement request, however, objected to this decision, arguing that unlawful processing is still continuing after the changes had been implemented. In the end, the appeal proceedings before the Gelderland court have resulted in the present judgment rendered by the Administrative Jurisdiction Division.
Objections against the processing
Relevant security risks
The appellant claims that there are still security risks related to the new set-up where identifiable data are processed for a short time. The Administrative Jurisdiction Division considers that the risks related to abuse of the system are related to the system's security and that this is not relevant to determining the lawfulness of the processing.
Act of parliament?
With respect to lawfulness, the key question is whether processing is necessary for the performance of a task carried out in the public interest (Article 6 (1) (e) of the GDPR). The appellant argued that the necessity must arise from an act of parliament. However, the Administrative Judicial Division concluded that such an obligation does not ensue from the GDPR, the Charter or the Constitution, and that legislation that serves as a basis for various processing is sufficient. That legislation must be clear and accurate and its application must be predictable for those to whom it applies.
The municipality's responsibility is to ensure that the collection of household waste is characterised as a task carried out in the public interest. This task ensues from Article 10.21 of the Dutch Environmental Protection Act, which not only orders municipalities to collect waste, but also to take into account the applicable waste management plan and the order of preference included in it. The prevention of residual waste and the separate collection of household waste also falls within the scope of the municipality's task carried out in the public interest. The municipal authorities have certain discretion to further specify that task.
The municipal executive has determined the following specific purposes that are ‘well-defined and clearly outlined’, according to the Administrative Judicial Division:
- Preventing that the containers are used by companies and by non-residents;
- Determining which waste collection routes are followed; and
- Determining which local areas require more guidance about waste separation.
Assessment framework necessity: thoroughness of the assessment
To answer the question concerning the necessity of the processing, it must be assessed whether the violation of privacy is limited to what is strictly necessary for accomplishing the purpose. The assessment should particularly focus on whether the purpose for which the personal data is processed cannot be realised in another manner that is less detrimental to the data subjects.
The Administrative Judicial Division further specifies the assessment's intensity, which is partly determined by the specificity of the alternatives presented. In other words: the more detailed a description the party involved gives of the alternative, the more thorough the investigation by the Dutch DPA should be.
The municipality has some discretion. The fact that the data processing must be necessary within the meaning of Article 6 (1), opening words and under (e) of the GDPR does not mean that processing is only lawful if the task carried out in the public interest cannot be fulfilled without data being processed. This is only the case if there are other ways of fulfilling the task carried out in the public interest that achieve the same purpose, or if the processing is disproportional.
When assessing proportionality, the Administrative Judicial Division considers it important that in this case data is only processed for a very short time. This reasoning is not contrary to the principle of minimum data processing, the Division argues, as the GDPR's starting point is not to prohibit the processing of ordinary personal data, such as an address. The GDPR is aimed at regulating the processing of this data. There is also no constitutional right to not having this type of data processed. The processing is limited to what is strictly necessary for determining the purposes. Therefore the Dutch DPA is allowed to adopt the view that the violation is proportional to the purpose of the processing.
The Administrative Judicial Division considers it likely that, if the containers were to be opened again, it cannot be prevented that non-residents and companies would dump their waste in the containers. The use of a key card not linked to an address and used to open the waste containers means that the purpose of preventing abuse cannot be realised. A reasonable case has been made that the introduction of surcharged bin liners will not lead to accomplishing the goals of the 2012-2020 municipal waste plan because waste will not be separated as carefully and it would cause more nuisance in the public space.
Given the above, the Administrative Judicial Division agrees with the court that the purpose of the processing of personal data cannot in all reasonableness be achieved in a manner that causes less detriment to the person involved. The Division therefore concludes that the court rightly ruled that the Dutch DPA was justified in adopting the position that the municipal executive is no longer in violation of the GDPR if the imposed order is lifted.
For some years, the key card system for underground waste containers used by the municipality of Arnhem in the Netherlands has been causing privacy concerns. On 30 June 2021, the Administrative Jurisdiction Division of the Dutch Council of State rejected an enforcement request related to the latest version of this system.
From this judgment we can learn that it is important for government agencies to carefully determine the purposes of the data processing prior to starting the processing. If the determined purposes are, in all reasonableness, in line with the general interest they service, there appears to be a relatively large scope for legitimate processing.
Background
In June 2016, an Arnhem resident submitted an enforcement request to the Dutch Data Protection Authority (‘Dutch DPA’) because household waste could no longer be put out anonymously. Following that request, the Dutch DPA started an investigation which resulted in 2017 in an order subject to a penalty for non-compliance. At the time, the Dutch DPA concluded that the municipality did have grounds for the processing of personal data for creating and managing the key card and opening underground waste containers, but that the grounds for storing personal data on the waste system's controller were absent. The Dutch DPA added that, as soon as Arnhem were to implement the pay-as-you-throw (PAYT) principle, then this would constitute sufficient grounds to justify the data processing.
The municipality stopped the unlawful processing by leaving the underground containers open, and then changed the key card system. After implementing these changes, the system works as follows: residents present their key card to the card reader, which compares the internal chip code to the list of authorised key cards stored on the card reader to check if the card provides access to the underground container. If the key card is authorised, the container opens and the waste can be deposited in it. The key card's internal chip code is then immediately converted into a generic 9999 number. That anonymised number is stored on the card reader, stating the time at which the container opened and a number of technical aspects related to the container.
At the municipal executive's request the Dutch DPA lifted the order that it had imposed. The person who submitted the original enforcement request, however, objected to this decision, arguing that unlawful processing is still continuing after the changes had been implemented. In the end, the appeal proceedings before the Gelderland court have resulted in the present judgment rendered by the Administrative Jurisdiction Division.
Objections against the processing
Relevant security risks
The appellant claims that there are still security risks related to the new set-up where identifiable data are processed for a short time. The Administrative Jurisdiction Division considers that the risks related to abuse of the system are related to the system's security and that this is not relevant to determining the lawfulness of the processing.
Act of parliament?
With respect to lawfulness, the key question is whether processing is necessary for the performance of a task carried out in the public interest (Article 6 (1) (e) of the GDPR). The appellant argued that the necessity must arise from an act of parliament. However, the Administrative Judicial Division concluded that such an obligation does not ensue from the GDPR, the Charter or the Constitution, and that legislation that serves as a basis for various processing is sufficient. That legislation must be clear and accurate and its application must be predictable for those to whom it applies.
The municipality's responsibility is to ensure that the collection of household waste is characterised as a task carried out in the public interest. This task ensues from Article 10.21 of the Dutch Environmental Protection Act, which not only orders municipalities to collect waste, but also to take into account the applicable waste management plan and the order of preference included in it. The prevention of residual waste and the separate collection of household waste also falls within the scope of the municipality's task carried out in the public interest. The municipal authorities have certain discretion to further specify that task.
The municipal executive has determined the following specific purposes that are ‘well-defined and clearly outlined’, according to the Administrative Judicial Division:
- Preventing that the containers are used by companies and by non-residents;
- Determining which waste collection routes are followed; and
- Determining which local areas require more guidance about waste separation.
Assessment framework necessity: thoroughness of the assessment
To answer the question concerning the necessity of the processing, it must be assessed whether the violation of privacy is limited to what is strictly necessary for accomplishing the purpose. The assessment should particularly focus on whether the purpose for which the personal data is processed cannot be realised in another manner that is less detrimental to the data subjects.
The Administrative Judicial Division further specifies the assessment's intensity, which is partly determined by the specificity of the alternatives presented. In other words: the more detailed a description the party involved gives of the alternative, the more thorough the investigation by the Dutch DPA should be.
The municipality has some discretion. The fact that the data processing must be necessary within the meaning of Article 6 (1), opening words and under (e) of the GDPR does not mean that processing is only lawful if the task carried out in the public interest cannot be fulfilled without data being processed. This is only the case if there are other ways of fulfilling the task carried out in the public interest that achieve the same purpose, or if the processing is disproportional.
When assessing proportionality, the Administrative Judicial Division considers it important that in this case data is only processed for a very short time. This reasoning is not contrary to the principle of minimum data processing, the Division argues, as the GDPR's starting point is not to prohibit the processing of ordinary personal data, such as an address. The GDPR is aimed at regulating the processing of this data. There is also no constitutional right to not having this type of data processed. The processing is limited to what is strictly necessary for determining the purposes. Therefore the Dutch DPA is allowed to adopt the view that the violation is proportional to the purpose of the processing.
The Administrative Judicial Division considers it likely that, if the containers were to be opened again, it cannot be prevented that non-residents and companies would dump their waste in the containers. The use of a key card not linked to an address and used to open the waste containers means that the purpose of preventing abuse cannot be realised. A reasonable case has been made that the introduction of surcharged bin liners will not lead to accomplishing the goals of the 2012-2020 municipal waste plan because waste will not be separated as carefully and it would cause more nuisance in the public space.
Given the above, the Administrative Judicial Division agrees with the court that the purpose of the processing of personal data cannot in all reasonableness be achieved in a manner that causes less detriment to the person involved. The Division therefore concludes that the court rightly ruled that the Dutch DPA was justified in adopting the position that the municipal executive is no longer in violation of the GDPR if the imposed order is lifted.