This article was co-authored by Merel Hendrickx and Tijmen Wisman.
Profiling is a widespread practice in government agencies. It is difficult to reject this sort of practice outright, since much depends on the duties of the agency, the activities they are carrying out, and the safeguards they have put in place. In some circumstances, these practices may even be pursuing legitimate purposes.
Nonetheless, profiling practices are becoming more concerning as both technological potential and data availability expand.
With this comes greater power, and with this concentration of power comes a greater need for clear delimitations and more accountability to protect citizens against arbitrary use of their data.
The judgment in the Dutch SyRI case is one of the first steps towards acquiring this increase in legal protection for citizens in the face of ongoing technological developments.
SyRI, or System Risk Indicator, is a risk profiling method employed by the Dutch government to detect individual risks of welfare, tax and other types of fraud. The law authorising SyRI was passed in the Parliament and Senate in 2014 without a single politician voting against it. This was despite significant objections from the Dutch Data Protection Authority and the Council of State, both of which considered that the purposes for which SyRI could be deployed, and the data that could be used in the system, were likely to expand government powers and maximise executive discretion.
SyRI thus eroded the relationship of trust between citizens and government, because almost all data given to government in a wide variety of relationships could end up in this system and it was impossible for a citizen to find out whether his or her data was actually used.
SyRI thus eroded the relationship of trust between citizens and government
The SyRI system offered immense informational power that could be deployed by the Dutch state against ordinary citizens by bringing databases of different executive bodies together and effectively building dossiers on citizens. Moreover, in practice, SyRI was primarily deployed in poor neighbourhoods. This meant that all the people in these communities were targeted for an invasive search of their personal data through digital means.
The SyRI case was taken jointly by the Platform for the Protection of Civil Rights (Platform Bescherming Burgerrechten), the Public Interest Litigation Project of the Dutch Section of the International Commission of Jurists (PILP-NJCM), and other civil society organisations with a shared interest to set a legal precedent for the protection of citizens against risk profiling and predictive policing practices. Two famous Dutch writers that were critical of SyRI were also asked to join as complainants in the procedure, and the Platform for the Protection of Civil Rights launched a publicity campaign on SyRI and the case.
Due to the publicity campaign, and the appearance of one of the complainants in a popular talk show, the largest Dutch trade union FNV became aware of the case and joined the coalition in July 2018. This created two opportunities. First, we had an extra round to strengthen our arguments in the proceedings, where our lawyers focused their efforts on the GDPR and the relevant provisions on automated decision-making in particular. Second, access to the FNV network gave us the opportunity to be in direct contact with the people who were subjected to the SyRI system and those representing them.
The SyRI system offered immense informational power that could be deployed by the Dutch state against ordinary citizens
The collaboration between the Platform, PILP-NJCM and the FNV around SyRI in Rotterdam turned out to be a great success. The FNV was new to the subject of digital rights, but the union did have a strong network of active union members and volunteers in Rotterdam. With their help (flyer campaigns, a neighbourhood meeting, information leaflets and posters), our knowledge of SyRI could be used effectively to generate critical attention in both the media and local politics.
Eventually, the Mayor of Rotterdam stopped the use of the SyRI system by the local authorities in July 2019. Looking back, the first “battle” in the fight against SyRI was won in Rotterdam, and it definitely set the tone for the future coverage of SyRI in the media.
The involvement of FNV, and the Rotterdam neighbourhood targeted by SyRI, showed how risk profiling instruments are being used against the poorest in society. Philip Alston, the United Nations Special Rapporteur on extreme poverty and human rights (UNSR) became aware of the SyRI case during DFF’s strategy meeting in February 2019. He wrote a very critical amicus curiae to the court, warning that many societies are “stumbling zombie–like into a digital welfare dystopia”. The involvement of the UNSR increased public debate on SyRI and the case. It was all over the news.
He warned that many societies are “stumbling zombie–like into a digital welfare dystopia”
This was followed by a landslide victory in court. The court held that technological advancements had meant that the right to protection of personal data had also gained in significance, echoing the adage of the European Court of Human Rights that the development of technology makes it essential to formulate clear and detailed data protection rules. The rules governing the deployment of SyRI were anything but detailed, effectively providing a great margin of appreciation to public authorities to browse through the private lives of citizens in a “black box” setting.
The court held that the secrecy of the risk models made it impossible for citizens to “defend themselves against the fact that a risk report has been submitted about him or her”. Even in cases where no risk reports are produced, the court held, citizens should be able to check whether their data were processed on correct grounds. This ability of citizens to defend themselves is one of the hallmarks of the rule of law, which is confirmed in this case and has significant implications for data management within public authorities.
Shortly after the verdict, public authorities in the Netherlands announced that they would critically revise their own fraud systems. The Dutch Employment Agency is reviewing its internal fraud systems in response to the judgment. The Dutch Tax Service ceased the operation of the fraud detection system after facing investigations of the Dutch Data Protection Authority. Furthermore, many municipal councils have started to question the legality of local systems that are comparable to SyRI.
In short, the SyRI case has set a timely precedent in which risk profiling practices are finally held to account
In short, the SyRI case has set a timely precedent in which risk profiling practices are finally held to account. The State Secretary for Social Affairs and Employment, Tamara van Ark, has indicated on the 23rd of April that she has decided not to appeal against the judgment. She did, however, state the intention to further explore the use of risk models within social security.
This underlines the need to keep in mind that these changes do not take place automatically but require continuous and concerted efforts from all of us. In that light, the work of NGOs in these turbid times is of the utmost importance and the support of DFF in funding and providing a network of professionals to cooperate with is indispensable.
In the last few months, the SyRI case has garnered widespread attention, both at national and international level. Thanks to our publicity campaign, we were able to inform the public about the importance of this case and the issues adjudicated upon. No longer is risk profiling a niche subject only raising the eyebrows of a small group of privacy lawyers and techies. In times of a pandemic where even constitutional democracies might consider risk profiling practices as one of the ways out, this broader understanding of the implications of risk profiling is much needed.
We can conclude that now there is broader public debate on risk profiling, algorithms and using systems like SyRI. Citizens are starting to understand that the way their data is governed is essential for the relationship between them and the state. We consider this one of the biggest victories of this case, because people caring about their relationship with the state is a first step towards improving it.
Tijmen Wisman is Chairman of the Platform for Civil Rights and Assistant Professor of privacy law at the Vrije Universiteit of Amsterdam.
Merel Hendrickx is an in-house human rights Lawyer with the Public Interest Litigation Project of the Dutch Section of the International Commission of Jurists (PILP-NJCM).