Burgernet: privacy at stake
Privacy First Foundation has assessed the protection of privacy in Burgernet and is deeply concerned. Privacy First calls on the Lower House to investigate whether the system of 24/7 tracking of citizens by the Police is in line with the principles of our rule of law.
Police track citizens 24/7
Burgernet is a partnership between police, municipalities and citizens with the aim of solving more and faster criminal cases. In case of burglary, robbery, or a missing person, app users in the vicinity of the incident receive a message from the police to feed back relevant information.
This way of working means that Burgernet records the location data of all participants 24/7. This obviously needs to be handled very carefully from the perspective of the AVG (the Dutch name for the GDPR) and the fundamental rights of citizens. Privacy First has looked at whether that necessary care exists within Burgernet, and notes several problems.
Who does Burgernet actually belong to?
The law requires that it must always be clear which (legal) person is processing the personal data. This is not the case with Burgernet. Among other things, Burgernet was housed in a BV, In-Pact BV, but according to the Chamber of Commerce that company has since been dissolved. Why, then, is this non-existent BV still listed as the provider of the Burgernet app in the Apple store?
The website https://www.burgernet.nl only mentions that it is a collaboration of citizens, municipalities and police. Contact details are missing, and Burgernet's privacy statement does not mention them either. Burgernet now seems to belong to the Police, as evidenced by, among other things, a recent letter (p.2) and replies from outgoing minister Grapperhaus to Parliamentary questions, but this is not mentioned anywhere within the Burgernet app or website.
No (adequate) consent for 24/7 tracking
The recording and processing of location data requires consent. Indeed, Burgernet's app requests consent to send messages relevant to the neighbourhood in which the participant is located. However, according to the AVG, consent given is only valid if it is a specific, informed and unambiguous expression of will accepting the relevant processing of personal data. Privacy First believes that anyone who signs up to Burgernet should be told that his/her location can be ascertained by the Police. Only then is there legally valid consent. However, this does not happen at present.
Risks of other uses of location data
Burgernet's privacy statement does not state what the purpose of processing personal data is, although the AVG requires it. Therefore, it is not clear whether Burgernet really collects and processes data solely for the purpose of sending alerts, or whether more is done with it. The question then arises whether the police might also use the location data for other purposes. In that context, it is noteworthy that the privacy statement refers to the Police Data Act (Wpg). This suggests that the personal data might also be used for other police tasks. The police may be tempted to use the location data of Burgernet app participants much more widely, such as in football riots. Could that well-meaning Burgernet participant who happens to be nearby then become a suspect by using the app? And if so, does a brief reference to the Wpg in the privacy statement suffice? Privacy First believes not.
Non-compliance with minimum data processing requirement
Burgernet itself states that location data is collected for the purpose of sending only relevant messages. It is incomprehensible why the app also asks for postcode and house number; for sending an alert, someone's current whereabouts are relevant, but someone's private address is not at all. In doing so, Burgernet violates the principle of data minimisation. In addition, there does not seem to be a Data Protection Officer within Burgernet to oversee this and the above-mentioned issues.
Has the impact of all this been properly assessed?
The AVG also requires that, for data processing involving new technologies that may pose a high risk to the rights and freedoms of natural persons, a proper analysis of the possible effects must always be carried out. With the Police collecting and processing sensitive personal data on a large scale via the Burgernet app with 24/7 tracking of Burgernet members, a proper risk analysis is mandatory under European law. Privacy First has been unable to find any indication that such a thorough risk analysis of this app has ever taken place. Privacy First suspects that if it had, the app would have looked very different.
Call to House of Representatives
Privacy First calls on the House of Representatives to commission an independent investigation as soon as possible into the question of who Burgernet currently belongs to, what data is collected and why. This should examine whether current legislation is being complied with. Finally, Privacy First questions whether the goals of Burgernet within a constitutional state would not be better realised by taking the personal data away from the Police.