The Dutch Data Protection Authority (DPA) concerned about smart traffic lights

In the Netherlands, the number of traffic lights contacting road users’ mobile phones is increasing. These ‘smart traffic lights’ can collect a lot of information about people. The Dutch Data Protection Authority (DPA) has concerns about the use of these traffic lights. That is why the DPA wants the Ministry of Infrastructure and Water Management to take action.

Smart traffic lights are used to measure how much traffic is passing by. Just like so-called detector loops do in the road. But these loops do not collect personal data and do not infringe on the privacy of road users. Smart traffic lights do.

Tracking people

Usually without people noticing, smart traffic lights establish contact with the apps on the mobile phones of road users. For example, these traffic lights can collect personal information from people on a large scale. For example, it is possible to map out entire journeys, including date, time and speed. Since road authorities (Rijkswaterstaat, provincial and municipal authorities) know where the traffic lights are, they can track road users. Especially when road authorities also use cameras at these traffic lights.

Not thought through

The road authorities do not appear to have properly considered the privacy risks these traffic lights pose. Nor is it always clear whom exactly the data is shared with, or who is responsible for collecting and using the data. According to the General Data Protection Regulation (GDPR), these matters must always be clear before data collection starts.

The Dutch Data Protection Authority (DPA) issued previous warnings

The DPA alerted the Ministry of Infrastructure and Water Management to the risks of these traffic lights, also known as “traffic control installations”, as early as 2021. And now the DPA is doing that again. In the new letter about the smart traffic lights, the DPA once again urges the minister to investigate whether the design and use of the traffic lights complies with the GDPR. And to enter into discussions with all road authorities who use them (or who have expressed a desire to do so), to ensure that any privacy risks are removed.