For years now, Dutch privacy activist Michiel Jonker has been litigating against the city of Arnhem’s use of the citizen’s waste disposal card, going as far as appealing to the Council of State, the highest general administrative court in The Netherlands. In the end, the essence of the court’s ruling was that at heart, what the GDPR has been set up to do is regulating the processing of personal data, not prohibiting it. But what about protecting citizens and their personal data? What about protection mechanisms specified in the GDPR itself, like the minimisation of processed data?
Ever since 2017, legal procedures have been initiated by Dutch privacy activist Michiel Jonker against the city of Arnhem and, specifically, its use, dating back to 2015, of waste disposal cards controlling the deposition of residual waste. The system is primarily intended to prevent waste containers being used by non-residents and businesses. By issuing the cards, the city also hopes to encourage and improve waste separation.
In 2017, the Dutch Data Protection Authority imposed a burden under penalty compelling the city to stop collecting personal data by means of card readers linked to underground waste containers. Rightfully so, because at the time, the cards that were being used allowed detailed registration of the depositor’s identity and the time of deposition.
Then, in 2019, the city re-introduced the waste disposal cards, with several changes to the control system intended to make it less intrusive and, as a result, legitimate.
The new card was now linked only to the holder’s home address, ensuring that the containers would only be accessible to actual citizens residing in Arnhem and could not be used by, for instance, stores or businesses. When citizens use their cards to open a container, the system checks their permission to do so by scanning a chip code, which is then immediately converted to a set of generic digits which is no longer traceable to an individual citizen or household. Because of these changes, the DPA agreed to resumption of the card system, effectively lifting the earlier cease and desist order.
In spite of the modifications to the system, Jonker still feels that the use of waste disposal cards represents an infringement of the data subjects’ right to privacy and has appealed his case to the Council of State.
In dealing with the matter, the Council is ruling on a number of interesting points of law related to the concept of ‘public interest’. In this blog, we will take a closer look at some of the key issues of the case, first of all addressing the question of whether or not a task carried out in the public interest needs to be dictated by formal law and, by extension, what exactly is a task carried out in the public interest? Finally, we will discuss one additional consideration and try to determine whether the processing of personal data is necessary for the performance of what, in this case, may or may not be a task in the public interest.
Article 6 of the GDPR lists several grounds for the lawfulness of personal data processing, one of them, specified in 6(1)(e), being its necessity for the performance of a task carried out in the public interest. Which task, furthermore, must be dictated by Union law or member state law. In this case, Jonker argued that the processing is unlawful because its necessity cannot be derived from a formal law.
This argument, however, was dismissed by the Council because Recital 45 to the GDPR merely states that the law on which the processing is based must be clear and accurate. Apart from this, application of the law has to be predictable for the person(s) to which it applies. Also, it does not follow from Article 8 of the European Convention on Human Rights or from the Charter of Fundamental Rights of the European Union that there has to be a law in the formal sense of the word. Lower-level regulations may also be sufficient for the processing of personal data to qualify as lawful.
Task carried out in the public interest
Next, the Council of State addresses the question of whether the case involves a task carried out in the public interest. Here, the Council states that the city’s responsibility in facilitating the collection of domestic waste is indeed a task in the public interest, dictated by the Laws on Environmental Conservation. According to these laws, the city not only has the obligation to collect household waste, but it also, in doing so, has to take into account the guidelines of the municipal waste management plan, which means that the city, among other things, has to pursue the objectives of residual waste minimisation and separate disposal of reusable materials. It is largely up to the city itself to decide how best to accomplish these goals.
Necessity of the personal data processing
Finally, the Council addresses the question of whether or not the processing of personal data is necessary and it does so by balancing the pros and cons of alternative options and different interests. Also, the Council emphasises that the fact alone that there may be other ways to collect household waste – without the use of cards, specifically – is not enough reason to claim that the processing of personal data is unlawful or unnecessary. To support this, the Council explains that in its view the intention of the GDPR is to regulate the processing of personal data, not to prohibit it.
The Council concludes that none of the alternatives suggested by the claimant would allow for the goal of waste reduction to be achieved, while judging the infringement to be of minor severity and the scope of processing limited to what is necessary, seeing as how the data are being processed for only a very short period of time, in the container’s temporary memory and for the sole purpose of providing access, after which they are immediately anonymised.
Furthermore, in the Council’s opinion, the city of Arnhem has sufficiently demonstrated that the goal of preventing misuse could not have been reached if the system, cards linked to home address included, had not been implemented. Studies show that, in the period during which the system was disabled, 7% more waste ended up in the containers.
What makes this case special, is that the Council quite specifically states that, in balancing conflicting interests in relation to privacy and personal data, it is essential to always remember the purpose, the intention of the GDPR, which is to regulate, not to prohibit the processing of personal data. As true as this may be, which it is to some extent, it is also rather simplistic. One other equally essential purpose of the GDPR is the mitigation of risks for the data subjects. The Council’s reasoning would have been much more convincing if the case had been approached from the basic idea that the GDPR exists to protect citizens and not just for the purpose of regulating the processing of their personal data. That would have contributed more to the further development of privacy legislation, apart from possibly having produced a different result in terms of the final verdict.
On the site of the Stichting Privacy First, the Privacy First foundation, Jonker is very explicit in his disagreement with the ruling, announcing his intention to appeal to the European Court of Human Rights. It may be years before we know how that will eventually play out, but hopefully the ECHR, if it comes to that, will present a more compelling and legally more productive case.