ⒾMachine translations by Deepl

International rail passengers in the EU become traceable with ETCD

Article
Surveillance
11 November, 2025

European transport companies believe they have ‘legitimate interest’ in mass surveillance of all train passengers in the EU.

A legal document from Dutch Railways (NS) in October 2025 reveals that European railway companies have jointly set up a surveillance system they call Electronic Ticket Control Database (ETCD). This system stores the personal travel data (name, sometimes date of birth, travel date and time, travel route, ticket specifications, customer history) of all rail passengers who buy so-called ‘e-tickets’, e.g. by booking train journeys over the internet or at a station counter. In the Netherlands, only e-tickets are now available for the vast majority of international travel routes in the EU. Transport companies such as Deutsche Bahn and France's SNCF have phased out the sale of other tickets in the Netherlands.

Undemocratic surveillance system

The ETCD system seems to have been quietly built up in recent years by railway companies that have united in the industry association UIC (Union Internationale des Chemins de Fer / International Railway Union). The existence and scope of the system was recently revealed by a document of NS in a legal action brought since 2018 by privacy activist Michiel Jonker. He twice requested enforcement from the Dutch Personal Data Authority (AP).

In August 2024, the AP took a second decision not to investigate the case. To this, Jonker filed an objection. Initially, NS did not want to provide input into the objection procedure, while the AP said it did not want to prioritise it. After several interventions by Jonker, followed by a plea from the AP, NS still sent a legal document in October 2025 providing more information.

Jonker: “I am shocked by this information. This means that it is the intention of these companies to have the location data of everyone travelling around the EU on public transport continuously available to themselves and any interested government agencies. After all, for air travel within the EU, this is already currently done via an extension of Passenger Name Records (PNR) presented as ’temporary’, and obviously they will want to extend this to tracking people taking the bus too. No choice will be left to passengers whether they want their journey recorded or not. This ETCD is reminiscent of EHDS, the European Health Data Space, in which the EU wants to store the personal medical data of everyone who receives or needs medical care in the EU. At least that still required European legislation. But this ETCD is happening - in name only - completely outside the government, without any democratic control, not even indirectly. And now NS is telling the AP: ‘Don't interfere. We are allowed to do this because we are private transport companies.’ Baffling. This is a huge scandal. We also know by now how risky it is to store sensitive personal data - location data of identifiable individuals - in such huge systems.”

Alleged legitimate interest

For the first time, NS now also invokes a so-called “legitimate interest” (Article 6.1(f) AVG) for this data processing. Jonker. “This is a new argument that NS brought in at the very last minute, only after the hearing in the objection procedure. Until now, NS always said that claiming that personal data was allowed on the basis of a contract that passengers enter into with NS, namely the general terms and conditions that NS has unilaterally drawn up and imposes on customers (Article 6.1(b) AVG). In addition, NS believed it had a legitimate interest because of its desire to inform travellers about delays anytime, anywhere - irrespective of whether citizens want this. I myself, for example, do not want to be informed unsolicited at home; I prefer to look it up myself on the NS website, or on the signs in the stations. But now NS says they need travellers” names and other personal data for fraud prevention, whereas with traditional tickets this was not necessary at all. However, the railway companies want to phase out those privacy-friendly tickets. In the Netherlands, this has already been done for almost all train tickets to foreign countries."

Miraculous multiplication of processors

Another worrying development is NS“ desire for ticket sellers to have a new role as independent data controllers who are allowed to set their own purposes for data processing. This would circumvent the ”purpose limitation" requirement set out in the AVG. Jonker: “NS believes of itself that it is an independent data controller for train tickets from Deutsche Bahn, SNCF or other transport companies that they allow NS to sell in the Netherlands, so NS is allowed to set its own purposes for that processing. I obviously disagree with that. For those tickets, NS is only a processor, not the processing controller. After all, NS only gets access to that data because Deutsche Bahn or SNCF issue an order to NS to sell those tickets.”

NS also seems to want to create an entirely new role for itself as a “publisher” of tickets, a kind of intermediary between a transport company and a ticket seller. Jonker: “NS is steering towards a kind of miraculous multiplication of data controllers who are all allowed to set their own goals. The only thing such a “publisher” of train tickets would add to transport and ticketing is to gobble up passengers” personal data. That would be the goal. NS started doing that in the Netherlands years ago with the creation of subsidiary Trans Link Systems (TLS), which processes travellers' OV-chipcard data. Apparently, NS and foreign transport companies such as Deutsche Bahn and SNCF want to roll out a similar technical system for mass surveillance EU-wide, without any democratic legitimisation."

Will the AP finally enforce?

Jonker hopes that after the objection he filed, the Personal Data Authority (AP) will still be willing to take enforcement action against Deutsche Bahn, SNCF and other relevant transport companies. Jonker: “The AP has so far refused to investigate, but legally it can no longer really avoid it. Especially not now that, in a similar case, the French Council of State (the Conseil d'État) has obliged the French regulator to take enforcement action against SNCF's unlawful claiming of certain passenger data. The AP, along with other regulators, is competent and has the means to enforce. There is no legitimate reason for the AP to refuse to investigate any longer.”

The AP said it first wanted to wait for a ruling from the Dutch Administrative Law Division of the Council of State in a other, also conducted by Jonker. Jonker: “That is about the acceptance of cash payment in a cinema, for cinema tickets. There too, the AP refuses to investigate. This violates not only the AVG but also Article 8 ECHR. The AP wants to wait to hear what the Council of State will say about the relevance of Article 8 ECHR. In itself, I can understand that, but it should not become yet another excuse to delay decision-making. Both with those cinema tickets and train tickets I have been dealing with since 2018, and still the AP refuses to even seriously investigate both cases. Such behaviour is unworthy of a regulator. After all, we are talking about millions of people who want to be able to participate culturally and socially and travel with privacy.”

The pleadings submitted by Jonker may HERE can be viewed (timeline of proceedings from 2020 to the present).