Dutch Court rules over risk profiling regarding Article 8 ECHR

On February 5th, 2020, the Hague Court released a decision on the adequacy between the profiling system implemented by Dutch State to improve fraud detection and Article 8 of ECHR which protects the right to privacy.

The Hague Court ruled on the SyRI (System Risk Indication) processing implemented by the Dutch State. In concrete terms, this system is a legal instrument that the government uses to prevent and combat fraud in the field of social security and income-related schemes, tax and social insurance contributions and labor laws. The algorithm processes 17 categories of personal data related, among others, work, indebtedness, health insurance, tax, administrative measures and sanctions... coming from governmental databases.

The names are collected in a register of risk alerts, and the administration can open investigations into these "at-risk" citizens, which may result in administrative or criminal sanctions. All citizens of the Netherlands are, according to SyRI, suspects. The Court states that "the risk model currently being used and the risk indicators that make up this model are 'secret' ".

Several organizations representing civil society have therefore brought an action against the state on the grounds that the processing carried out constituted an "inadmissible violation of human rights". According to the claimants, it involved non-targeted trawl actions using deep learning and data mining, resulting in a secret processing of personal data and investigations that were not supported by any concrete suspicion or evidence.

The Court therefore ruled on the compliance of this processing with Article 8 of the European Convention on Human Rights, which protects the right to privacy. The judges' analysis shows that, under Article 8, paragraph 2, of the ECHR, the balance between the public interest served by the use of a new technology and the invasion of privacy it constitutes must be verified.

In the present case, however, the text adopted by the Netherlands legislature does not offer sufficient guarantees protecting the right to privacy of citizens, in that it is not sufficiently clear and transparent as to the technology used.

This decision is remarkable in the sense that judgments censoring, based on Article 8 of the ECHR, a processing implemented by State, remain quite rare. It is therefore easy to imagine that this reasoning could be applied to other processing operations, such as those relating to facial recognition.