New round in privacy battle between NS and train passenger
Enforcement request to Personal Data Authority over three new privacy breaches
Following three new attempts by Dutch Railways to violate the privacy of train passengers, NS customer Michiel Jonker filed an enforcement request with the Personal Data Authority this week. It concerns:
- Refusing to refund remaining balance on anonymous public transport chip cards if the holder does not provide NS with his name and address details;
- Denial of international train tickets by NS employees at station counters if buyers do not provide NS with their name and address details;
- Charging, since 2 July 2018, additional "service fees" when holders of anonymous OV-chip cards pay cash to top up the balance on these cards.
Since July 2014, Dutch Railways (NS) has previously attacked the privacy of Dutch train passengers in various ways. These included:
- Discriminating against holders of anonymous OV-chip cards in benefit hours;
- Demanding de-anonymisation of anonymous OV-chip cards in NS service provision (e.g. money back in case of delay);
- Applying two unique card numbers to each anonymous OV-chip card, thus compromising the anonymity of those cards.
As a traveller who wanted to maintain his privacy, Jonker repeatedly requested the Personal Data Authority (AP) to investigate these breaches and take enforcement action. Jonker won on this already several lawsuits against the AP, which initially refused to even investigate the reports.
The recently enacted General Data Protection Regulation (AVG) will play an important role in NS' assessment of the new violations. Another issue that will take centre stage is the right to pay with cash as legal tender that also protects privacy.
Jonker: "All these cases are about whether users of Dutch public transport are entitled to real, effective protection of their privacy. That question is more topical than ever when you see how people are treated in situations where privacy is not adequately protected. This does not only include China with its Social Credit Score, or the United States with its "No Fly" lists, but also European countries in which laws have been passed in recent years that allow authorities to spy on travellers who are not suspected of any criminal or risky behaviour. For example, France with its permanent state of emergency and the Netherlands with its Sleep Act."
Jonker is also supported in this new case by the Privacy First Foundation and Society For Better Public Transport.
Update 23 July 2018: After submitting the enforcement request to the AP, Jonker identified a further privacy violation in public transport, also related to discouraging cash payment for tickets. On buses in several Dutch regions, cash payment has been refused since 1 July 2018, forcing passengers on the bus to use debit cards or their credit cards there, and thus having their personal data processed. This appears to be based on a nationwide agreement between transport companies. On 21 July this year, Jonker therefore supplemented his enforcement request by asking the AP to also investigate and end this privacy violation in that context.
Jonker: "What is striking is that the industry body Royal Dutch Transport (KNV) is mute about this national agreement, and that the measure was introduced in the middle of the summer period. I cannot escape the impression that attempts are being made to silently introduce the refusal of legal tender. I have asked the AP, invoking the WOB, to inform me of any behind-the-scenes communication with or by the AP on this matter."