ECLI:NL:RBDHA:2020:1878
see: ECLI:NL:RBDHA:2020:865 (Dutch version)
SyRI legislation in breach of European Convention on Human Rights
The Hague District Court has delivered a judgment today in a case about the Systeem Risico Indicatie, or SyRI. SyRI is a legal instrument used by the Dutch government to detect various forms of fraud, including social benefits, allowances, and taxes fraud. The court has ruled that the legislation regulating the use of SyRI violates higher law. The court has decided that this legislation does not comply with Article 8 of the European Convention on Human Rights (ECHR), which protects the right to respect for private and family life, home and correspondence.
Review
The court reviewed whether the SyRI legislation is in breach of provisions of international or European law binding on all persons. The court assessed whether the SyRI legislation complies with Article 8 paragraph 2 ECHR. This particular provision requires striking a fair balance between the interests of the community as a whole, which the legislation serves, and the right of the individuals affected by the legislation to respect for their private life and home.
Special responsibility with introduction of new technologies
According to Article 8 ECHR the Netherlands – as a party to the ECHR – has a special responsibility when applying new technologies. It must strike the right balance between the benefits such technologies bring and the violation of the right to a private life through the use of new technologies. This also applies to the use of SyRI.
Use of SyRI insufficiently transparent and verifiable
After a review of the objects of the SyRI legislation, namely preventing and combating fraud in the interest of economic welfare, in relation to the violation of private life by the legislation, the court has drawn the conclusion that in its current form the SyRI legislation fails to comply with Article 8 paragraph 2 ECHR. The court has decided that the legislation does not strike a fair balance, as required under the ECHR, which would warrant a sufficiently justified violation of private life. In that respect, the application of SyRI is insufficiently transparent and verifiable. As such, the SyRI legislation is unlawful, because it violates higher law and, as a result, has been declared as having no binding effect.
Background
Several civil society interest groups, including the Dutch Section of the International Commission of Jurists (NJCM) and two private individuals, instituted these proceedings against the State of the Netherlands. The Netherlands Trade Union Confederation (FNV) joined as a party in the claimants’ proceedings. Claimants want to call ‘a halt’ to the use of SyRI. They believe that by applying SyRI, the Netherlands government unlawfully violates human rights. The State disagrees and argues that the SyRI legislation contains sufficient safeguards to protect the privacy rights of all.
vonnis
THE HAGUE DISTRICT COURT
Commerce Team
Case number / cause list number: C/09/550982 / HA ZA 18-388
Judgment of 5 February 2020
in the matter of
1 NEDERLANDS JURISTEN COMITÉ VOOR DE MENSENRECHTEN
established in Leiden,
2. STICHTING PLATFORM BESCHERMING BURGERRECHTEN
established in Amsterdam,
3. STICHTING PRIVACY FIRST established in Amsterdam,
4. STICHTING KOEPEL VAN DBC-VRIJE PRAKTIJKEN established in Amsterdam,
5. LANDELIJKE CLIËNTENRAAD established in The Hague,
6. [claimant sub 6] of [residence 1] ,
7. [claimant sub 7] of [residence 2] ,
eisers,
attorney mr. A.H. Ekker of Amsterdam,
and
FEDERATIE NEDERLANDSE VAKBEWEGING established in Utrecht,
intervening third party, joining the claimants,
attorney mr. A.H. Ekker of Amsterdam,
versus
THE STATE OF THE NETHERLANDS seated in The Hague,
defendant,
attorney mr. C.M. Bitter of The Hague.
General assessment framework
The subject under discussion is whether the SyRI legislation unlawfully violates the right that protects privacy. In this context the court will first discuss the general assessment framework it uses, followed by the protection of human rights under the ECHR, the Union law protection offered by, among other things, the Charter and the GDPR, and finally the interrelationship of the ECHR and Union law and the arguments between the parties to these proceedings.
Protection of human rights
The right to respect for privacy is a fundamental human right protected in international law in Article 8 ECHR and Article 17 ICCPR. These are provisions that are binding on all persons and which the court must apply pursuant to Articles 93 and 94 of the Constitution.
Article 8 paragraph 1 ECHR stipulates that everyone has the right to respect for his private and family life, his home and his correspondence. Interference of the government with the exercise of this right is only permitted, according to Article 8 paragraph 2 ECHR, in accordance with the law and when necessary in a democratic society in the interests of national security, public safety or the economic wellbeing of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others. Seeing as Article 17 ICCPR, which offers the same protection of private life as Article 8 ECHR, has no independent significance in this case, the court will not discuss it further.
Considering that the Netherlands, as a party to the ECHR, is also bound to the jurisdiction of the European Court of Human Rights (hereinafter: ECtHR; see Article 32 ECHR), the court must proceed from the ECtHR’s interpretation of Article 8 ECHR, or independently interpret this provision with the application of the interpretation criteria of the ECtHR.
Over time the ECtHR has brought various interests under the umbrella of private life, thereby bringing them under the protection of Article 8 ECHR. The right to respect for private life also protects the right to personal autonomy, personal development and self-determination and the right to establish relations with other human beings and the outside world. According to the ECtHR the principles of human dignity and human freedom constitute ‘the very essence of the Convention’.13 Together with the notion of personal autonomy, they play an important role in determining the scope of the right to respect for private life.
The right to a personal identity and the right to personal development have also been identified by the ECtHR as aspects of the right to respect for private life. Furthermore the right to a personal identity is closely related to the right of protection of personal data. Finally, the right to respect for private life in the context of data processing concerns the right to equal treatment in equal cases, and the right to protection against discrimination, stereotyping and stigmatisation.
The right to protection of personal data has not been laid down as a distinct right in the ECHR. According to the case law of the ECtHR the right to protection of personal data does in general terms have fundamental significance for the right to respect for private life.14
The court follows the parties to these proceedings in taking as a starting point that the SyRI legislation impacts private life and consequently falls within the scope of the protection of Article 8 ECHR. The legislator also takes as a starting point that data supply for the benefit of a collaborative alliance and the application of SyRI as stipulated in Sections 64 and 65 SUWI Act constitute an interference with the exercise of the right to respect for private life. The legislator expressly reviewed the legislative proposal against the requirements of Article 8 ECHR, Article 10 of the Constitution and the then applicable Wbp Act, and did not regard it as violating them.
Protection under Union law
Under Union law the right to protection of personal data as a distinct right is primarily laid down in the Charter and in the Treaty on the Functioning of the European Union (TFEU). Under Article 7 Charter everyone has the right to respect for his or her private and family life, home and communications. Article 8 Charter and Article 16 TFEU stipulate that everyone has the right to protection of personal data. Article 8 Charter also contains a further explanation of this right, namely that such data must be processed fairly, for specified purposes and on the basis of the consent of the data subject or some other legitimate basis laid down by law. It also specifies that everyone has the right of access to collected data concerning them, and the right to rectification and that an independent authority monitors compliance with these rules.
Before 25 May 2018 the protection of data was generally laid down in European secondary legislation in Directive 95/4615, which at the national level was implemented in the Wbp Act. The GDPR applies as of 25 May 2018, after the summons was issued. As an EU regulation, the GDPR is binding in its entirety and directly applicable. The European legislator did not provide for transitory provisions in the GDPR. The court must assess the claims of NJCM et al. under the law as it currently stands. Considering the nature of the GDPR – as an EU regulation with precedence and direct effect – and the review the court must carry out, this is not altered by the fact that in Section 48 subsection 10 General Data Protection Regulation (Implementation) Act (hereinafter: UAVG) the Dutch legislator has stipulated that claims submitted to the court at the time the UAVG entered into force are subject to the law in force before said act entered into force. This provision must not be applied in this case.
By using a Regulation as the legal instrument of choice, the European legislator underlined the relevance that at the European level importance is attached to a careful handling of personal and other data. The protection of data in the Netherlands under the GDPR is therefore in principle exhaustive. At the same time the GDPR leaves room in parts for national legislation. Insofar as that is the case, the UAVG applies. The GDPR has strengthened existing rights of individuals whose data are processed (hereinafter also: the data subject), such as the requirement of consent of the data subject as a basis for processing data (Articles 6, 7 and 8 GDPR). New rights have been laid down in law, such as the right to be forgotten, the right to data portability and the right not to be subject to profiling (Articles 17, 20 and 22 GDPR). Unlike Directive 95/45, the GDPR also contains the obligation for the controller to take account of the risks of varying likelihood and severity for the rights and freedoms of natural persons when processing data (Article 24 GDPR). Using a data protection impact assessment it must be demonstrated that the regulation’s requirements have been met by implementing measures, safeguards and mechanisms to limit that risk (Article 35 GDPR).
The GDPR has established several principles as regards the processing of personal data (see the recitals in conjunction with Article 5 GDPR). These are the principle of transparency, the principle of purpose limitation, the principle of data minimisation, the principle of accuracy and the principle of integrity and confidentiality and finally, as a corollary of these principles, the principle of accountability. These principles are explained in more detail in the other provisions of the GDPR.
The principle of transparency requires easily accessible and easy to understand information, communication and clear and plain language, and the provision of information to the data subject about the identity of the controller and the purposes of the data processing. Aside from this, under this principle, further information must actively be provided to ensure a sound and transparent data processing, and natural persons must be made aware of the risks, rules, safeguards and rights in relation to the processing of personal data and also of how they may exercise their rights with respect to the processing.
The principle of purpose limitation means that personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
The principle of data minimisation requires personal data to be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed. As also follows from the principle of storage limitation laid down in the GDPR, not more personal data may be kept for longer than is necessary for the purpose for which the personal data are processed.
Pursuant to the principle of accuracy, the controller must take every reasonable step to ensure that personal data that are inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay. The principle of integrity and confidentiality means that personal data are processed in a manner that ensures appropriate security of the personal data by using appropriate technical or organisational measures. Finally, the GDPR obliges the controller is responsible to comply with the above principles. This principle is known as the principle of accountability.
The GDPR also contains provisions on profiling and a ban on automated individual decision-making, including profiling. Article 4 point 4 GDPR defines profiling as any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. Pursuant to Article 22 GDPR there is a general ban on fully automated individual decision-making, including profiling, which produces legal effects concerning the data subject or similarly significantly affects him or her. Exceptions may apply and if one of them does apply, measures must be taken to safeguard the rights and freedoms and legitimate interests of the data subject.
The guidelines of the Article 29 Data Protection Working Party16 state that the threshold for “significance” must be similar to that of a decision producing a legal effect for the data subject. According to the guidelines, for data processing to significantly affect someone the effects of the processing must be sufficiently great or important to be worthy of attention. The decision must have the potential to significantly affect the circumstances, behaviour or choices of the data subjects; have a prolonged or permanent impact on the data subject; or at its most extreme, lead to the exclusion or discrimination of individuals.
Interrelationship ECHR and Union law and the arguments between the parties
The ECHR provides for a minimum level of protection of the fundamental right to respect for private life. The substance and scope of the EU fundamental rights in the Charter are the same as those of the ECHR rights, insofar as the Charter contains rights that correspond with the ECHR (Article 52 paragraph 3 Charter). The rights safeguarded by the ECHR also form part of Union law as general principles (Article 6 paragraph 3 TFEU). Therefore, as regards Union law, there is at least the same minimum level of protection as in the ECHR. However, Union law may provide more extensive protection (Article 52 paragraph 3 Charter). Under the Charter and the GDPR, the protection of EU citizens’ right to protection of personal data is specified in more detail and in some instances extends beyond the protection under the ECHR.
The focal point of the arguments of NJCM et al. is the alleged violation of Article 8 ECHR, as confirmed by NJCM et al. at the hearing and as understood by the State. The debate between the parties therefore focuses on the questions whether the SyRI legislation meets the conditions Article 8 paragraph 2 ECHR lays down for restrictions of the right to respect for private life.
As follows from its arguments NJCM et al., and from the defence of the State, that Articles 7 and 8 Charter provide the same minimum protection as Article 8 ECHR in terms of their substance and scope.
The arguments of NJCM et al. and the defence of the State also imply, conversely, that the minimum protection of Article 8 ECHR also entails that the SyRI legislation must meet the aforementioned general principles of data protection, as laid down in Union law in the Charter and the GDPR, such as the principle of transparency, the principle of purpose limitation and the principle of data minimisation. The State has not taken the position – and in the opinion of the court correctly so – that the court is only able to review the SyRI legislation against these principles if and insofar as this legislation meets the conditions the ECHR lays down for restrictions of the right to respect for private life.
The court will take into account the aforementioned general principles of data protection from the Charter and the GDPR in its review of whether the SyRI legislation meets the requirements of Article 8 ECHR. In other words: the court will also interpret Article 8 paragraph 2 ECHR on the basis of these principles. There are no indications to assume that the minimum level of protection of the right to respect for private life, including the protection of personal data under the ECHR, is less extensive than the data protection offered by the Charter and the GDPR under the general principles laid down in these instruments.
The alleged violation of Article 8 ECHR
As has been stated before, it is not in dispute that collaboration for the benefit of data exchange and the application of SyRI, as laid down in the SyRI legislation, constitute an interference with the exercise of the right to respect for private life. The court must review, considering the debate between the parties, whether or not the SyRI legislation meets the requirements of Article 8 paragraph 2 ECHR to justify that interference.
Before commencing its assessment, the court would like to note that its duty is not to establish as it sees fit the value or social significance that should be attached to the interests in question. Moreover, considering the nature of the legislative function and the position of the court, the court must show restraint during the assessment.17 However, this does not mean that the SyRI legislation must be assessed marginally. As has also been argued by NJCM et al., the court will not assess the amended legislation marginally, but fully against Article 8 paragraph 2 ECHR.
The court will first discuss the extent and seriousness of the interference with the right to respect for private life, which occurs or may occur when SyRI is applied. This interference is coloured by the answer to the question what precisely SyRI is. The positions of the parties on this point are widely divergent. It is also in dispute between the parties how to legally interpret the submission of a risk report, namely whether this constitutes profiling and automated individual decision-making within the meaning of the GDPR. The answer to this question also determines the extent and seriousness of the interference with private life when SyRI is applied. In summary, the court has arrived at a number of starting points for its further assessment. The court subsequently discusses whether or not SyRI legislation meets the requirement that interference must be ‘in accordance with the law’ and necessary in a democratic society in relation to the intended aims of the legislation.
Extent and seriousness of the interference: what is SyRI? Dragnet, untargeted approach, data mining, ‘deep learning’, ‘big data’?
According to NJCM et al. the application of SyRI constitutes a dragnet, untargeted approach in which personal data are collected for investigation purposes. It argues that SyRI is a digital tracking system with which citizens are categorised in risk profiles and in the context of which the State uses ‘deep learning’ and data mining. According to NJCM et al., SyRI is a proactive system with a large-scale, unstructured and random automated linking of files of large groups of citizens and secret processing of personal data. NJCM et al. also argues that the application of SyRI falls under what is referred to in literature, legal literature and in practice as ‘big data’.
To substantiate its position, NJCM et al. has relied on, inter alia, an “Independent advisory opinion on the effects of digitisation on constitutional relations”, as submitted by the Advisory Division of the Council of State (hereinafter: the Advisory Division) to the cabinet.18 In the advisory opinion, the Advisory Division notes that in actual practice ‘big data’ generally refers to large amounts of data sets that are so large or complex that they cannot be processed by customary systems, and at the same time are derived from various sources. The Advisory Division noted the following in its opinion on SyRI by way of example:
“Profiling as example
The
potential hazards in using large data sets are best illustrated with
profiling to identify persons posing an increased risk. After all, this
could lead to the situation where general characteristics are attributed
to an individual.
(…)
In 2014 the Division issued an advisory opinion on the introduction of the Systeem Risico Indicatie [SyRI]. That system enabled the Ministry of Social Affairs to run different types of files containing data of citizens against each other in order to detect taxes or social benefits fraud. This is in line with the use of deep learning and self-learning systems, which after all are focused on investigating as many links as possible without preconceived notions. The downside is that such data may constitute a serious interference with a person’s privacy. The enumeration of data is so wide that it is difficult to think of personal data that would not fall under it. The list appears not to seek limitation, but rather to create the widest possible reach.”
And:
“Deep learning – self-learning systems
The
Tax and Customs Administration is at the forefront of the application
of deep learning techniques: it has huge amounts of data on persons in
the Netherlands and plays a pivotal role in many collaborative
alliances, such as those of the Systeem Risico Indicatie [SyRI].
In addition, some municipalities use algorithms to select possible
cases of social assistance benefit fraud. The algorithm reads all sorts
of data, such as dates of birth, family composition, benefit history and
data of the Tax and Customs Administration, the Land Registry and the
National Vehicle and Driving Licence Registration Authority. (…)
The term “self-learning” is confusing and misleading: an algorithm does not know and understand reality. There are predictive algorithms which are fairly accurate in predicting the outcome of a court case. However, they do not do so on the basis of the substantive merits of the case. They can therefore not substantiate their predictions in a legally sound manner, while that is required for all legal proceedings for each individual case. (…)
The reverse also applies: the human user of such a self-learning system does not understand why the system concludes that there is a link. An administrative organ that partially bases its actions on such a system is unable to properly justify its actions and to properly substantiate its decisions.”
In its defence, the State has argued that when using SyRI, only data from existing data sets of designated government or other bodies are compared in order to identify discrepancies with a view to checking the entitlements of the data subject. With reference to statements made by the Minister19 the State argues that files of existing, factual data are compared. The factual data are compared to each other with the aid of a simple decision tree.
Responding to reliance of NJCM et al. on the aforementioned independent advisory opinion of the Advisory Division, the State has referred to the reaction of the cabinet to this opinion. The State Secretary for the Interior and Kingdom Relations stated the following in that reaction:
“The Division has also described risks regarding the digital linking of data in various contexts. One example of data linking is SyRI (Systeem Risico Indicatie). Contrary to what the Division assumes SyRI is not a deep learning application nor is it a self-learning system. SyRI is emphatically not a tool to predict whether or not an individual could commit an offence. SyRI compares files containing existing, factual data of the parties designated under Section 64 of the Work and Income (Implementation Organisation Structure) Act (SUWI), such as the UWV, the SVB, the Municipal Executives, the Tax and Customs Administration and the Social Affairs and Employment Inspectorate in order to assess whether there are discrepancies in the data. If the mutual comparison following assessment against the risk model shows a discrepancy, this discrepancy must be examined by one or more of said parties before a decision may be taken that may have legal consequences for the data subject.”20
The court finds that it is unable to assess the correctness of the position of the State of the precise nature of SyRI because the State has not disclosed the risk model and the indicators of which the risk model is composed or may be composed. In these proceedings the State has also not provided the court with objectively verifiable information to enable the court to assess the viewpoint of the State on the nature of SyRI. The reason the State gives for this is that citizens could then adjust their conduct accordingly. This is a deliberate choice of the State. That choice also coincides with the starting point of the legislator regarding the provision of information on SyRI. The SyRI legislation does not show how the decision model of SyRI functions and which indicators are or can be used in a SyRI project (see 4.23 above for the terms decision model and indicators), i.e. which factual data make or can make the presence of a certain situation plausible.
The court also finds that, unlike NJCM et al. argues, the SyRI legislation does not provide room for unstructured (‘ad random’) data collection with the use of SyRI. The number of data categories that can be used is extensive, but still enumerated exhaustively. On the other hand, the amount of data that can be used in the application of SyRI is substantial. A total of 17 data categories of various types qualify. Each separate category can be deemed to encompass a large amount of data. Depending on the specific SyRI project, there may be large amounts of structured data sets from various sources.
It is also found that in the application of SyRI links between data are established. This is because existing and new files are compared to each other with a view to producing potential hits, which are indicative of an increased risk. The SyRI legislation furthermore leaves the option open that in the application of SyRI use is made of predictive analyses, ‘deep learning’ and data mining. The definition of risk model in the SUWI Decree does not preclude this. The SyRI legislation furthermore expressly provides for the option to adjust a risk model based on an evaluation, while new risk models with new indicators can also be developed (see also 4.24). Therefore the court is of the opinion (concurring with the Advisory Division, see above in 6.46) that the application of SyRI “is in line” with ‘deep learning’ and self-learning systems. To this extent the court endorses NJCM et al. This does not alter the fact that the court, considering the communications of the government members to the House of Representatives, accepts as a factual assumption that in the implementation of the SyRI legislation no use is made at this point in time of ‘deep learning’ and data mining in the application of SyRI, as argued by NJCM et al.
The court also concurs with NJCM et al. to the extent that when SyRI is applied, use is made of ‘big data’ within the meaning of the opinion of the Advisory Division. However, there is no clear-cut definition of that term. The court deems it irrelevant to its further assessment whether or not the processing of data in SyRI should be qualified as a form of ‘big data’.
As regards the use of risk profiles, a distinction must be made between the development of risk profiles on the one hand, and their use on the other. The court assumes that in the implementation of the SyRI legislation no risk profiles based on file linkages are currently being developed. This, as put forward by the State, in response to the references of NJCM et al. to the aforementioned Waterproof and ‘black box’ projects. The court is unable to find whether risk profiles are truly not being developed with the aid of file linkage (see, for comparison, 6.49). However, the court deems it to be inherent in SyRI as an instrument, considering the purposes for which data are processed in SyRI and in light of the definitions of the terms risk model and risk indicator, that use is made of risk profiles based on existing factual data when SyRI is used.
Finally, there is the situation that the SyRI legislation does not provide for a duty of disclosure to those whose data are processed in SyRI so that these data subjects can be reasonably assumed to know that their data are or have been used for that processing. The SyRI legislation also does not provide for an obligation to notify the data subjects individually, as appropriate, that a risk report has been submitted. There is only a statutory obligation to announce the start of a SyRI project beforehand by way of publication in the Government Gazette and after the processing access to the register of risk reports upon request. The model letter which can be used in practice – as was the case in the Rotterdam Bloemhof & Hillesluis project – is not founded on a statutory obligation to inform the data subjects ‘door-to-door’, while the court is unable to find based on the available information whether municipalities have a standard practice in the implementation of the act. Data subjects are also not informed automatically afterwards. This only occurs if there is a control and investigation in response to a risk report. This does not happen as a matter of course.
Extent and seriousness of the interference: profiling and automated individual decision-making?
Now the court arrives at the assessment, in view of the debate between the parties on the extent to which submitting a risk report affects private life, whether or not profiling and automated individual decision-making occur when SyRI is applied.
It is not in dispute that the file linkage used in a SyRI project meets the definition of profiling within the meaning of Article 4 paragraph 4 GDPR. However, this does not mean that automated individual decision-making within the meaning of the GDPR occurs.
NJCM et al. argues, and FNV emphatically endorses, that the submission of a risk report by the Social Affairs and Employment Inspectorate can be considered a decision with legal effect, or at least a decision that affects the data subjects significantly in another way, and that this decision is taken on the basis of automated individual decision-making within the meaning of Article 22 GDPR, which is prohibited. According to NJCM et al. there is no meaningful human intervention prior to the submission of a risk report; the mere removal of ‘false positives’ cannot qualify as such nor can the assessment of the participating parties after receipt of a risk report.
The State contests that automated individual decision-making occurs and puts forward that in any event no prohibited form of it occurs. The State argues that all exceptions to the prohibition stipulated in the GDPR are met and that the amended legislation contains sufficient safeguards to protect privacy.
Although the court holds that, contrary to what NJCM et al. argues, the use of SyRI in and of itself is not aimed at having legal effect – whether in private law, administrative or criminal law – a risk report does have a similarly significant effect on the private life of the person to whom the risk report pertains. The court derives that conclusion partially from the guidelines of the Article 29 Data Protection Working Party (see 6.36). A risk report can be stored for two years and can be used by the participants in the SyRI project in question for a maximum of 20 months. In addition, the Public Prosecution Service and the police may be notified of the risk report upon request. The fact that a risk report does not necessarily always lead to further investigation, or to an administrative or criminal-law sanction, and may also not be used as the sole basis for an enforcement decision does not alter the significant effect on the private life of the data subject.
The court does not give an opinion on whether the exact definition of automated individual decision-making in the GDPR and, insofar as this is the case, one or more of the exceptions to the prohibition in the GDPR have been met. That is irrelevant in the context of the review by the court whether the SyRI legislation meets the requirements of Article 8 ECHR. However, the court does consider the aforementioned significant effect of the submission of a risk report and its inclusion in the risk reports register on the private life of the data subject a significant factor in its assessment whether the SyRI legislation meets the requirements of Article 8 paragraph 2 ECHR. This effect, too, determines in part the extent to which the SyRI legislation interferes with the right to respect for private life. The court takes into account that part of the right to protection of personal data is the right of everyone to be reasonably able to follow up on their personal data and be informed about the processing of their data. Although the start of a SyRI project is published in the Government Gazette, a risk report may be retained in the register for two years, without this being known to the data subject.
Abstract
In summary, the court will take the following starting points into consideration in its further assessment. These starting points are relevant to the extent and seriousness of the interference with the private life of the data subjects by the SyRI legislation and are therefore included in the court’s review whether this interference is permissible under Article 8 paragraph 2 ECHR.
The linking of files when SyRI is applied relates to the processing of the data categories as exhaustively listed in the SUWI Decree. The data can be found in files with factual data (personal or other data) which are available to the statutorily designated government or other bodies on the basis of their statutory duty. It involves structured data processing based on existing, available files. Depending on the SyRI project, there may be a set of a large amount of data derived from various sources. During the data processing a risk model is used, which consists of predetermined risk indicators and which gives an indication of whether there is an increased risk of unlawful use of government funds and government schemes in the area of social security and income-dependent schemes, taxes and social security fraud or non-compliance with labour laws.
There currently are no indications of ‘deep learning’ or data mining or the development of risk profiles in the implementation of the SyRI legislation. However, the SyRI legislation does provide scope for the development and application of a risk model using ‘deep learning’ and data mining, and for the development of risk profiles.
The court does not deem it relevant for its further assessment whether ‘big data’ plays a role in the processing of data in SyRI, as NJCM et al. argues and the State contests. This term has no clear-cut definition. In any event, a substantial amount of data qualifies for processing in SyRI.
Moreover, the risk model that is currently being used and the risk indicators constituting this risk model are ‘secret’. This also applies to the data used in a concrete SyRI project (which data have been processed in SyRI). The risk model, the indicators and the data that have been concretely processed are not public nor are they known to the data subjects. The SyRI legislation does not provide for an obligation to inform the persons that their data have been processed in SyRI. Nor is there a legal obligation to inform the data subjects individually, as appropriate, that a risk report has been submitted. The court furthermore assumes that a risk report has a significant effect on the private life of the person to whom the report pertains.
In accordance with the law
The interference with private life in the application of SyRI must be in accordance with the law. According to the case law of the ECtHR this does not need to be an Act of Parliament: this requirement can also be met with any generally binding regulation or even judge-made law. “Some basis in domestic law” is sufficient.21 The legal basis on which the interference is predicated must, however, be sufficiently accessible and foreseeable. This means that the legal basis must be sufficiently clear so as to enable an individual to regulate their conduct accordingly.22
In support of its argument that the SyRI legislation is unlawful, NJCM et al. mainly relies on the case law of the ECtHR in matters pertaining to untargeted bulk interception (mass surveillance) or targeted interception of data in a criminal-law or national security context.23 As follows from the foregoing, this is not the case with the application of SyRI. Therefore, this case law cannot be considered as a one-to-one guidance for the court’s assessment.
The case of S. and Marper versus the United Kingdom revolved around the lawfulness of the British Data Protection Act (1998), implementing Directive 95/45 and the guidelines for the use of the Police National Computer on the basis of said act in connection with the retention of fingerprints, cellular samples and DNA profiles. Although the factual context of this case, too, is not comparable with the current proceedings, the judgment contains considerations of the ECtHR on data protection of a more general nature. That makes this judgment relevant to the assessment of the lawfulness or unlawfulness of the SyRI legislation.
The judgment of the ECtHR in that case proves that domestic law must afford adequate protection against arbitrariness and indicate with sufficient clarity the scope of discretion conferred on the competent authorities and the manner of its exercise in order to meet the requirements of accessibility and foreseeability. According to the ECtHR, the level of precision required of domestic legislation depends to a considerable degree on: “the content of the instrument in question, the field it is designed to cover and the number and status of those to whom it is addressed”24 The ECtHR then considers as follows:
“It reiterates that it is as essential, in this context, as in telephone tapping, secret surveillance and covert intelligence-gathering, to have clear, detailed rules governing the scope and application of measures, as well as minimum safeguards concerning, inter alia, duration, storage, usage, access of third parties, procedures for preserving the integrity and confidentiality of data and procedures for its destruction, thus providing sufficient guarantees against the risk of abuse and arbitrariness.”25
To what extent the legal safeguards are sufficient depends, according to the ECtHR, on the concrete circumstances and comes down to weighing all of the legal safeguards combined. The extent to which and the level of detail with which safeguards must be laid down in law depends on the seriousness of the interference.
This judgment also shows that the assessment whether the interference is in accordance with the law may be closely connected to the assessment whether the interference is necessary in a democratic society. The safeguards must be laid down in law but at the same time also be adequate to prevent abuse and thereby proportionate to the aims pursued. In light of its considerations regarding the latter assessment, the ECtHR therefore did not deem it necessary to review whether the quality of the act met the requirements of Article 8 paragraph 2 ECHR. In this context the court considered as follows:
“The Court notes, however, that these questions are in this case closely related to the broader issue of whether the interference was necessary in a democratic society. In view of its analysis in paragraphs 105–126 below, the Court does not find it necessary to decide whether the wording of section 64 meets the ‘quality of law’ requirements within the meaning of Article 8 § 2 of the Convention.”26
Like the ECtHR in that case, the court leaves undiscussed in its review whether the SyRI legislation is sufficiently accessible and foreseeable and as such affords an adequate legal basis as required under Article 8 paragraph 2 ECHR for a justified restriction of the right to protection of private life. The court holds that the SyRI legislation in any case contains insufficient safeguards for the conclusion that it is necessary in a democratic society in light of the purposes of the legislation, as Article 8 paragraph 2 ECHR also requires. As a result, in its current form this legislation does not pass the test of Article 8 paragraph 2 ECHR and is therefore unlawful. The court deems what follows as substantiation of its opinion.
Necessary in a democratic society: general
What must be assessed is whether there is an interference that is necessary in a democratic society in the interest of, in this case, the economic wellbeing of the country. The court states first observes that the ECtHR in principle affords the authorities of a Member State a ‘margin of appreciation’ to determine whether a measure is necessary in a democratic society in the interest of one of the purposes listed in Article 8 paragraph 2 ECHR. As regards the scope of that margin of appreciation, the court settles on ‘a certain’ margin of appreciation. This margin (see also above in 6.43) calls for restraint on the part of the court in its assessment whether the SyRI legislation violates Article 8 paragraph 2 ECHR, as the State correctly argues.
It is not in dispute that the SyRI legislation serves a legitimate purpose (see above in 6.4). The supply of data for the benefit of a collaborative alliance and the application of SyRI as provided for in the SyRI legislation thereby meet the so-named ‘general interest’ test, namely that it occurred in the interest of one of the purposes as identified in Article 8 paragraph 2 ECHR.
It is in dispute between the parties whether there is a ‘pressing social need’, or in other words, whether the interference meets a pressing social need. NJCM et al. argues that this is not the case, in support of which it considers relevant that there is a very serious interference in the private lives of citizens. NJCM et al. also argues that the State has failed to show that it is necessary to deploy an instrument as severe as SyRI to maintain the social security system. It points out that the wider social attitude towards SyRI is negative, or at least reserved and that the SyRI projects have not borne fruit and are therefore not effective as a means for combating fraud.
The court rejects this argument of NJCM et al. The SyRI legislation in itself seeks to fulfil a sufficiently compelling purpose to justify an interference with private life. In doing so, the court takes into account the starting points mentioned above on what SyRI is and the effect on private life in case data processing in SyRI results in a risk report, which determine the extent and seriousness of the interference (see above in 6.44 - 6.60). Fraud in the area of social security and welfare is significant: the State has mentioned – uncontested – sums of 153 million Euros in social security fraud and half a billion to one billion Euros in welfare fraud as well as 135 million Euros in social damage as a result of social security fraud.27 Combating fraud also has indirect effects, including on the integrity of the economic system and confidence in the financial institutions.28 Also taking into account the margin of appreciation which the national authorities have, the direct and indirect damage of fraud in this area justifies the conclusion of the legislator that there is a pressing social need to take measures provided for by the SyRI legislation in the interest of the economic wellbeing of the Netherlands.
In this respect, NJCM et al. refers to what it calls the real problem, namely ‘access at the gate’. NJCM et al. believes that this problem can only be solved by setting more stringent requirements on the obligation to provide proof for applications so as to prevent investigation afterwards. Leaving aside the usefulness and necessity of improving checks of applications, the court is of the opinion that NJCM et al. has furnished insufficient facts which can demonstrate that these checks cover the aim pursued by the SyRI legislation to such an extent that there no longer is a ‘pressing social need’ for the SyRI legislation and that for this reason alone this legislation has no binding effect. Nor does the case law of the ECtHR show that the actual effectiveness of the instrument of SyRI in the interest of the economic wellbeing of the Netherlands, in accordance with the standards of Article 8 paragraph 2 ECHR, must be determined beforehand in order to meet the requirement of a ‘pressing social need’, contrary to what is suggested by NJCM et al. In light of the purposes the legislation serves, SyRI is not an unsuitable instrument or an a priori disproportionate instrument.
In light of the foregoing, the court is of the opinion that the choice of the legislator to create a legal basis for data processing for the benefit of a collaborative alliance aimed at the purposes as formulated in Section 64 SUWI Act and the choice of the legislator for data processing in an instrument such as SyRI therefore meet the general necessity requirement of Article 8 ECHR. The latter concerns the technical infrastructure chosen to link, or have the ability to link, data files in a secured environment in order to carry out analyses, so that risk reports can be generated.
But this does not mean that the functioning of the instrument of choice, or the instrument itself, in this case SyRI, and the associated procedures and safeguards created for its application by the legislator in the SyRI legislation, sufficiently respects privacy in light of Article 8 paragraph 2 ECHR. The SyRI legislation does not pass this concrete test, as the court will explain below.
Necessary in a democratic society: proportionality and subsidiarity
The court must assess whether the SyRI legislation meets the requirements of necessity, proportionality and subsidiarity pursuant to Article 8 paragraph 2 ECHR in light of the aims it pursues. There has to be a ‘fair balance’ between the purposes of the SyRI legislation and the invasion of private life the legislation causes.
The substance of the SyRI legislation is the starting point for this assessment (see Chapter 4 of this judgment). From that substance it follows, as has been argued by the State, that the SyRI legislation restricts the circle of designated government or other bodies, exhaustively lists the number of data categories that qualifies for data processing, and obliges the participating designated government or other bodies to verify the necessity of a SyRI project and the data to be processed in that project. Moreover, the IB has been designated as processor, which pseudonymises said data, while the separate analysis unit of the Social Affairs and Employment Inspectorate carries out the analyses. The SyRI legislation also contains retention periods and limitations as regards access to and use of risk reports as well as obligations to maintain confidentiality and perform evaluations.
For this assessment, the court also takes into consideration the starting points as summed up in 6.61-6.65. These starting points are of interest to the extent and seriousness of the interference of the SyRI legislation with the private lives of the data subjects. A great amount of data qualifies for processing in SyRI. The risk model and indicators that make up the model and the data which are used in a particular SyRI project are not public nor are they known to the data subjects. Furthermore, there is room in the legal framework to adjust the risk model based on the feedback outcome. Finally, there is the fact that the data subject is unaware of the existence of a risk report, while the submission of a risk report has a significant effect on them.
The court weighs the substance of the SyRI legislation in light of the aims it pursues against the violation of private life the SyRI legislation brings about. The court is of the opinion that the SyRI legislation, insofar as it concerns the application of SyRI, does not strike the ‘fair balance’ required for the conclusion that there is a justified interference within the meaning of Article 8 paragraph 2 ECHR. The court points out the following.
In the aforementioned judgment of the ECtHR in the matter of S. and Marper versus the United Kingdom, the ECtHR considered as follows: “The Court considers that any State claiming a pioneer role in the development of new technologies bears special responsibility for striking the right balance in this regard”.29The Dutch legislator does not claim to be a pioneer in the application of the instrument of SyRI in this case, while that matter also concerned the retention of DNA profiles for an indefinite term. Both the intrusiveness of the interference with private life and the safeguards to protect privacy of the British legislation reviewed in that matter differ from those in the current proceedings. Nevertheless, the court holds that in this case, too, the State bears a special responsibility, as expressed by the ECtHR.
The development of new technologies gives the government, among other things, opportunities to link files and analyse data with the aid of algorithms in order to exercise supervision more effectively. Partly due to the speed of said development, the right to data protection is becoming increasingly important. Collecting and analysing data with the help of those new technologies can interfere extensively with the private lives of those to whom the data pertain. Therefore the legislator bears a special responsibility when applying an instrument such as SyRI: for a data subject it is difficult to gauge the effect of the instrument on their private life while the ECHR requires that the legislation that provides a basis for such an interference provides sufficient safeguards to protect against abuse and arbitrariness.
When drafting the SyRI legislation, the legislator paid heed to Article 8 ECHR and the right to respect for private life, as protected by the ECHR. Unlike the State, the court is of the opinion that the safeguards laid down in the legislation for the protection of the private life of those whose data can be processed in SyRI are insufficient. Considering the principle of transparency, the principle of purpose limitation and the principle of data minimisation – fundamental principles of data protection – the court holds that the SyRI legislation is insufficiently transparent and verifiable to conclude that the interference with the right to respect for private life which the use of SyRI may entail is necessary, proportional and proportionate in relation to the aims the legislation pursues. The court is of the opinion that the following circumstances, viewed in conjunction, are relevant.
The principle of transparency is the leading main principle of data protection that underlies and is laid down in the Charter and the GDPR (see 6.27- 6.34 for the principles of data protection). The court is of the opinion that in view of Article 8 paragraph 2 ECHR this principle is insufficiently observed in the SyRI legislation. The court finds that the SyRI legislation in no way provides information on the factual data that can demonstrate the presence of a certain circumstance, in other words which objective factual data can justifiably lead to the conclusion that there is an increased risk. The legislative history only provides a few examples of indicators that can indicate an increased risk and a potential hit:
“For instance, there may be cohabitation fraud if persons who receive a social benefit and/or an allowance and who, according to the municipal personal records database (Gemeentelijke Basisadministratie – GBA) are registered at different addresses while in fact they are living at the same address. An example of undeclared assets is someone whose bank balance has grown exponentially in one year. Other examples include a person who has several lock-up garages in a particular neighbourhood and has multiple vehicles registered in his name in a short period of time, or a recipient of social assistance under the WWB who has registered a bank account number with the Tax and Customs Administration with assets, while this is not known to the Municipal Social Services.”30
The State has provided several other examples that could indicate discrepancies, including the example of a person who receives social assistance as a single householder, healthcare allowance for married couples and where multiple occupants of the same address receive housing allowance for a different address, while only one occupant is eligible to receive housing allowance at one address. The State has failed to explain on which objectively verifiable information these examples are based.
What is more, the SyRI legislation does not provide information on the functioning of the risk model, for instance the type of algorithms used in the model, nor does it provide information on the risk analysis method as applied by the Social Affairs and Employment Inspectorate. In these proceedings, the State has explained in more detail that the risk model consists of i) risk indicators, ii) links and iii) a so-named cut-off point.
Depending on the purpose of the investigations, points are awarded per risk indicator. The score depends on, inter alia, the probability of the risk indicator occurring. The more improbable it is that the specific risk indicator occurs, the higher the score. The cut-off point, which is predetermined, constitutes a threshold value. Instances with a score below the threshold value will not result in a potential hit.
The State argues that risk models are used which have been validated by the Social Affairs and Employment Inspectorate and for which use is made of verified risk indicators which have shown in practice that they can indicate an increased risk of abuse or fraud. However, the SyRI legislation does not afford insight into the validation of the risk model and the verification of the risk indicators; the court consequently lacks such insight in these proceedings.
The foregoing results in the inability to verify how the simple decision tree, to which the State refers, is generated and of which steps it is comprised. Consequently, it is difficult to comprehend how a data subject could be able to defend themselves against the fact that a risk report has been submitted about him or her. It is just as difficult to see how a data subject whose data were processed in SyRI but which did not result in a risk report, can be aware that their data were processed on correct grounds. The fact that in the latter situation the data did not result in a risk report and furthermore must be destroyed no later than four weeks following the analysis does not alter the requirement of transparency in respect of that processing. The right to respect for private life also means that a data subject must reasonably be able to track their personal data.
The importance of transparency, in the interest of verifiability, is also compelling, because using the risk model and the analysis that is carried out in that context carries the risk that discriminatory effects – unintentional or otherwise – occur. The Advisory Division stated in its opinion – see 6.46 – that analysing large data sets, with or without deep learning/self-learning systems is undeniably useful, but may also yield undesirable results, including unjustified exclusion or discrimination. The Minister for Legal Protection acknowledged in his letter on Information and Communications (ICT)31 of 8 October 2019 to the House of Representatives that on account of the risk of discriminatory effects, at least in profiling-based data analyses, certain characteristics may be incorrectly attributed to people (false positive), or the other way around, characteristics may incorrectly not be attributed (false negative).
NJCM et al., in these proceedings also supported by FNV and the UN Special Rapporteur on extreme poverty and human rights, has explained extensively that it believes that the use of SyRI has a discriminatory and stigmatising effect. NJCM et al. notes that SyRI is used to further investigate neighbourhoods that are known as problem areas. This increases the chances of discovering irregularities in such areas as compared to other neighbourhoods, which in turn confirms the image of a neighbourhood as a problem area, contributes to stereotyping and reinforces a negative image of the occupants of such neighbourhoods, even if no risk reports have been generated about them.
It is correct that to date SyRI has only been applied to so-labelled ‘problem districts’, as confirmed by the State at the hearing. This in and of itself need not imply that such use is disproportionate or otherwise contrary to Article 8 paragraph 2 ECHR in all cases. However, given the large amounts of data that qualify for processing in SyRI, including special personal data, and the circumstance that risk profiles are used, there is in fact a risk that SyRI inadvertently creates links based on bias, such as a lower socio-economic status or an immigration background, as NJCM et al. argue.
Based on the SyRI legislation, it cannot be assessed whether this risk is sufficiently neutralised due to the absence of a verifiable insight into the risk indicators and the risk model as well as the functioning of the risk model, including the analysis method applied by the Social Affairs and Employment Inspectorate. The circumstance that the process of data processing consists of two phases and that the analysis unit of the Social Affairs and Employment Inspectorate, following a link of the files by the IB, assesses the decrypted data on their worthiness of investigation, which includes a human check for false positives and false negatives, is deemed insufficient by the court. After all, the manner in which the definitive risk selection takes place is not public. Nor are the data subjects informed about how the definitive risk selection is effectuated or about the associated conclusion whether or not a risk report is submitted, while the SyRI legislation only provides for a general monitoring by the AP afterwards.
In view of the foregoing, the court is of the opinion that the SyRI legislation contains insufficient safeguards to protect the right to respect for private life in relation to the risk indicators and the risk model which can be used in a concrete SyRI project. Without insight into the risk indicators and the risk model, or at least without further legal safeguards to compensate for this lack of insight, the SyRI legislation provides insufficient points of reference for the conclusion that by using SyRI the interference with the right to respect for private life is always proportionate and therefore necessary, as required by Article 8 paragraph 2 ECHR, in light of its purpose of combating abuse and fraud.
The court also holds that the SyRI legislation, as assessed against Article 8 paragraph 2 ECHR, pays insufficient attention to the principle of purpose limitation and the principle of data minimisation. The court emphasises that the purpose clause in Section 64 subsections 1 and 2 SUWI Act in itself is sufficiently specific. It is clear in advance in connection with which purposes data must be provided for the benefit of a collaborative alliance. The choice of the legislator for a large number of areas of potential cooperation and for which data must be provided can also be considered as being justified, in the sense of necessary, proportionate and subsidiary. Here the court has also taken into consideration the importance of fighting abuse and fraud and the margin of appreciation which the State, as the national authority, has. The court rejects the argument of NJCM et al. and accepts the defence of the State on this point. The court considers the SyRI legislation as not in violation of the principle of purpose limitation in that respect.
However, the situation changes if and insofar as those purposes are viewed in conjunction with the large amounts of data that qualify for processing in SyRI pursuant to Section 65 SUWI Act and the SUWI Decree, the circumstance that the test of necessity is carried out, as required, by the designated government or other bodies and there is no comprehensive review beforehand by an independent third party. The test of necessity which the designated government or other bodies must perform is relates to both the principle of purpose limitation and the principle of data minimisation.
The statutory restriction of the data set can be found in the eventually exhaustive enumeration of the data categories that qualify for processing, and the necessity of the data in terms of the purposes the specific SyRI project serves (Section 64 subsection 2 SUWI Act in conjunction with Article 5a.1 SUWI Decree). However, even if the exhaustive list of data categories is accepted as a given, it is hard to imagine any type of personal data that is not eligible for processing in SyRI.
Furthermore, the necessity of the test whether the data provision is needed for the benefit of a particular project has been left to each of the designated government or other bodies participating in the collaborative alliance. That test of necessity can and must only be carried out with respect to the data sets which the relevant government or other body has at its disposal. The SyRI legislation does not provide for a comprehensive review beforehand nor for a review by an independent third party, that is to say, a review prior to the data processing in SyRI by the Minister at the request of a collaborative alliance for the purpose of assessing whether or not the interference with private life is necessary, proportionate and subsidiary in light of all the files that are linked in a project considering the specific purpose of that project.
6.100. Unlike the State has argued, the sum total of the separate reviews carried out the participants involved in the SyRI project cannot be definitively considered as a comprehensive review in advance. In this respect, too, the court also considers it relevant that the SyRI legislation does not provide insight into the functioning and validation of the risk indicators and the risk model. The risk model and the risk indicators are, after all, also of importance for the assessment whether, and if so, to what extent the data provision is necessary and thereby also for the overall effect on the private life of the comparison of the various data sets in SyRI. The court holds that against this backdrop, too, a data subject has insufficient certainty that their privacy is safeguarded when SyRI is used.
6.101. Moreover, the LSI is merely an advisory organ. Its advice is non-binding and lacks an explicit legal basis. What is more, the LSI is comprised of representatives of organs which also have an interest in combating and preventing abuse and fraud in the areas specified in Section 64 subsection 1 SUWI Act. Furthermore, the Social Affairs and Employment Inspectorate is not only represented in the LSI, but can itself also be a participant in a collaborative alliance for the benefit of a SyRI project, and is charged with analysing data for the definitive risk selection based on which a risk report is submitted. The court is unable to assess if and to what extent the internal functional division between the various units of the Social Affairs and Employment Inspectorate (the investigation unit, the analysis unit and possibly other units) is sufficiently safeguarded. The State has failed to provide further explanation about this in its response to the defence of NJCM et al.
6.102. Citing judgments of the Central Appeals Tribunal, among other things, the State has pointed out that case law accepts file linkage with a view to selecting inspection cases.32 The judgments on which the State relies do not move the court to draw a different conclusion. As is apparent from the foregoing, the court deems the use of risk profiles in connection with the exercise of their regulatory duty not to be contrary to Article 8 paragraph 2 ECHR per se. The judgments on which the State relies do not pertain to the use of SyRI, but in each case to the exchange of a limited set of data, for which use was made of risk profiles justified by objective criteria. Where SyRI is applied, the SyRI legislation provides insufficient safeguards due to the large amount of data – of various types and from a large number of different sources – that can be processed. Moreover, there is no insight into the risk indicators and risk model nor into the objective criteria underlying the validity of the risk indicators and risk model. In this sense, the cases resulting in the judgments cited by the State differ fundamentally from the legislation to be assessed in these proceedings.
6.103. The State has also put forward that a data privacy impact assessment (DPIA) has been carried out in the context of the act and that therefore a DPIA neither is nor need be carried out for each SyRI project.
6.104. The court considers that pursuant to Article 35 paragraph 1 GDPR a DPIA must be carried out when a type of processing, considering its nature, the scope, the context and purposes, probably entails a high risk for the rights and freedoms of natural persons. As the State has correctly observed, this provision does not apply pursuant to Article 35 paragraph 10 GDPR if, put briefly, the specific processing or all relevant processing activities are regulated by law, and a DPIA has already been carried out in that context, unless the Member States deem it necessary to carry out such an assessment prior to the processing. The State has pointed out that since the entry into force of the SyRI legislation a new data protection model of the civil service is being used, geared towards the privacy rules of the GDPR.
6.105. Without further explanation, which is lacking, the court cannot accept the defence of the State why a DPIA is not carried out for each individual SyRI project. After all, the DPIA that has been carried out occurred before the entry into force of the GDPR. Whether this assessment meets the requirements set by the GDPR cannot be assessed by the court on the basis of the available information. The State has also failed to elucidate why, considering the extent and seriousness of the invasion of private life, occasioned by the processing of data in SyRI, such an assessment is not carried out for each individual project. In this regard it should be noted that insofar as the court is aware a limited number of SyRI projects (five) have been carried out since the entry into force of the SyRI legislation.
6.106. In view of the large amount of data that qualify for processing in SyRI and the circumstance that in a concrete SyRI project the test of necessity is carried out by the separate participants in the project, that is to say, with no comprehensive and furthermore no independent assessment prior to the approval by the Minister, the SyRI legislation therefore contains insufficient safeguards for the conclusion that, in light of the principles of purpose limitation and data minimisation, Article 8 paragraph 2 ECHR has been complied with.
6.107. In view of all of the above, the court will not assess whether the SyRI legislation is contrary to one or more specific provisions of the GDPR on which NJCM et al. relies and whether the SyRI legislation is in violation of Articles 6 and 13 ECHR. The court therefore leaves undiscussed the other arguments and defences of the parties.
