Dutch DPA: privacy risk posed by central database for taxis is too big
The government wants to create a central database with data about all taxi rides. And therefore also data about where people get into and out of a taxi. Someone with access to that database could discover sensitive privacy matters of passengers there. The Dutch Data Protection Authority (Dutch DPA) points out to the government that it has to protect the privacy of passengers better.
The purpose of the central database is to enable the Human Environment and Transport Inspectorate (ILT) to check more easily if taxi drivers observe the law. Currently, data on taxi rides are stored on the board computers of the taxis only. Inspectors of the ILT have to read out the data in the taxi. In the proposal, the GPS coordinates of the points of departure and arrival of every ride are forwarded to the ILT. This results in the creation of a database with all taxi rides in the Netherlands.
‘Passengers deserve better’
‘We understand that the government wants to make supervision easier’, Dutch DPA board member Katja Mur says. ‘But by storing the coordinates of the points of departure and arrival of each taxi ride in one database with such a high degree of precision, you needlessly expose people taking a taxi to privacy risks. Passengers deserve better protection.’
GPS coordinates can be used, often with success, to find out from which house someone was picked up, and what the destination was. Mur: ‘Do you live in a street with few immediate neighbours and do you use a taxi? Then someone who has access to that database could fairly easily find out where you are going. And therefore also if you take a taxi to go your therapist every Friday. Or that time you have yourself dropped off at a clinic for plastic surgery. Things of which you should be confident that they remain private.’
‘Data breach is just waiting to happen’
And as soon as such a central database exists, there is also a risk that things go wrong, according to Mur: ‘Often, a data breach is just waiting to happen. Due to a little mistake, a malicious employee, or a hacker. We have seen this go wrong often enough, also at government agencies.’
Besides, these kind of databases also always pose a risk of ‘function creep’: that in the end, the data will be used for matters for which they originally were not intended. Mur: ‘Maybe the police want access. Or the Tax Administration and the municipality find it useful to check if people commit fraud with allowances or benefits. By linking these data to other data, the government can follow people on their heels. We should not want that.’
Eliminating risks
The Dutch DPA points out to the government that it will have to eliminate the major risks in a new version of the proposal. For example, the ILT may only collect location details if the government can give good reasons why they actually have to do this. The government does not give those reasons now.
But even if the government can give those reasons, even then, the government should make it more difficult, where necessary, to trace the location details back to specific passengers. For example, by making the location less precise with simple adjustments.
Besides, the proposal does not say when the ILT will remove the data. Mur: ‘A clear limit must be set there: as soon as the data are no longer necessary, they must be destroyed. Because data that you do not have cannot be leaked.’
