The state of privacy at Dutch municipalities

EDRi member Bits of Freedom has done research on General Data Protection Regulation (GDPR) compliance within the ten largest municipalities of the Netherlands. Unfortunately, most municipalities scored a failing grade, despite the fact that the GDPR has celebrated its fourth anniversary.

By Bits of Freedom (guest author) · June 8, 2022

Four candles for the privacy law

Four years ago on 25 May 2018, the GDPR came into force. It introduced more rules for organisations to ensure that they would be accountable for how they process personal data. The privacy law was also supposed to give people more say and control.

Bits of Freedom wondered how well the law works in practice. So, they decided to conduct research among municipalities. These are pre-eminently the organisations that process many different and very sensitive personal data of citizens, often without citizens having a choice in the matter. Municipalities may and must process personal data because of a legal task or obligation.

Bits of Freedom chose the ten largest municipalities in the Netherlands: Amsterdam, Rotterdam, The Hague, Utrecht, Eindhoven, Groningen, Tilburg, Almere, Breda and Nijmegen. Firstly, because these ten municipalities, added together, process the data of about 3.8 million people. Secondly, small municipalities regularly outsource work to large municipalities, so the state of affairs in large municipalities is also relevant for smaller municipalities. Thirdly, large municipalities serve as role models for smaller municipalities. Bits of Freedom submitted a request for information to the ten largest municipalities, asking them to send all the reports of the Data Protection Officers from 2017 until now, together with all the reports on information security. Bits of Freedom also asked them to share the internal responses to these reports. On the fourth anniversary of the GDPR, Bits of Freedom published their report based on these documents.

Disappointing results

Unfortunately, it appears that things are not going as well as we might have expected them to do, now four years in. Here are our key findings:

  • Municipalities do not have basic data management in good order yet. Processing registers are incomplete and not up to date so that municipalities do not know sufficiently what data they are processing, for what purpose, whether the processing is lawful and secure, and with whom they are cooperating. Without a good overview, municipalities cannot properly assess the possible risks for citizens. 
  • At the same time, municipalities show ambition in data-driven work and they’re trying out new technologies. This is unwise because data whose legitimacy and reliability have not yet been verified are being used as input for big data or algorithms. There is then a risk of unlawful or inaccurate data being used as input, which in turn can produce unlawful or inaccurate results, harming citizens.
  • Citizens who exercise their GDPR rights, for example by requesting access, often have to wait too long. Processes are not always in order and legal deadlines are wrongly extended and exceeded. The GDPR was supposed to give citizens more control and say over their personal data. But these rights are not taken seriously by every municipality. 
  • There is a capacity problem in almost all municipalities, due to insufficient resources being allocated to data protection. This creates the impression that responsible administrators and boards do not prioritise this sufficiently. Without capacity and resources, no steps can be taken to properly comply with the GDPR. 
  • On the basis of article 60 of the Dutch Municipalities Act, mayors and aldermen must account to the municipal council for the administration they have conducted. However, the majority of municipalities do not actively account to the municipal council by sharing the GDPR reports of the Data Protection Officer with them. Many municipalities report in a few sentences how they are doing in complying with the GDPR, but in doing so, very little information is shared, which does not enable municipal councils to exercise their function of control.

We also see positive developments

Although some municipalities don’t seem to be able to move ahead and year after year supervisors observe an unimproved situation in the reports, in other municipalities there is clearly an upward trend. The municipality of Rotterdam, for example, shows that advice from the DPO is well followed, which means that it is becoming increasingly compliant with the GDPR.

In the municipality of Utrecht, a project team started in time in 2016 to prepare for the GDPR. They were one of the first municipalities to publish the processing register on their website. After the regulator indicated that the access requests were not going well enough and there was not enough capacity, action was taken to improve that. The municipality of Utrecht scores the highest on the components we’ve investigated. That seems to be because the subject is taken seriously and sufficient time and resources are made available to protect the rights of citizens.

This is something other municipalities can learn from. The protection of personal data is a core task for municipalities. You do not cut back on that and you do not ignore advice on the subject.

Work to do

In the report, we also make a number of recommendations that municipalities can follow in order to comply with the GDPR. These include continuously mapping out the processes involving personal data within the municipality, stricter controls by the municipal council and calling a halt to ‘exciting’ pilots and experiments until the basis is in order.

Read the report in Dutch here.

(Contribution by Nadia Benaissa, Policy Advisor, EDRi member Bits of Freedom)