(Mar. 13, 2020) On February 5, 2020, the District Court of The Hague (Rechtbank Den Haag) held that the System Risk Indication (SyRI) algorithm system, a legal instrument that the Dutch government uses to detect fraud in areas such as benefits, allowances, and taxes, violates article 8 of the European Convention on Human Rights (ECHR) (right to respect for private and family life).
Facts of the Case
The case was brought by several civil rights organizations, including the Netherlands Committee of Jurists for Human Rights (Nederlands Juristen Comité voor de Mensenrechten, NJCM), and two natural persons against the Dutch government. The Federation of Trade Unions in the Netherlands (Federatie Nederlandse Vakbeweging, FNV) intervened on behalf of the plaintiffs. The NJCM works to protect and strengthen fundamental human rights and freedoms. The FNV is a trade union that acts in the interests of its members and “is guided in part by the fundamental values of equality of all people, of freedom, justice and solidarity.” (District Court, paras. 2.2, 2.4 & 2.5.) The UN special rapporteur on extreme poverty and human rights, Philip Alston, submitted an amicus brief.
The SyRI system is an algorithm used by the government “to prevent and combat fraud in the fields of social security and income-related schemes, tax and social insurance contributions, and labor laws.” It links and analyzes data from various government or public agencies and generates a risk report if a person is suspected of fraud. In 2003, these agencies, which include, among others, municipalities, the Employee Insurance Agency (UWV), the Social Insurance Bank (SVB), the national tax authorities, the Immigration and Naturalization Service (IND), and the Inspectorate SZW, concluded a Cooperation Agreement and formed a National Steering Committee on Intervention Teams (LSI). The Cooperation Agreement was updated in 2017. The LSI is chaired by a representative of the Ministry of Social Affairs and Employment. The SyRI is deployed by the minister of social affairs and employment (the minister) upon request of these agencies. (District Court paras. 3.1–3.7.)
In 2004, a provision was inserted into the Work and Social Assistance Act (Wet werk en bijstand, WWB) that allowed the linking of data of the agencies. One-hundred sixty projects were undertaken under the supervision of the LSI to prevent and detect fraud between 2008 and 2014. The SyRI or its predecessors were used for 22 of them. Nineteen of the 22 projects used a “neighborhood-oriented approach,” meaning they targeted specific neighborhoods in which the linked data indicated an increased risk of welfare fraud.
The plaintiffs alleged that the use of the SyRI system violates the right to respect for privacy codified in article 8 of the ECHR, article 17 of the International Covenant on Civil and Political Rights (ICCPR), and articles 7 and 8 of the EU Charter of Fundamental Rights, as well as in data protection law.
Applicable Law
The SyRI was given a legal basis in 2014 with an amendment of the SUWI Act (Wet structuur uitvoeringsorganisatie werk en inkomen, Wet SUWI). Further details are provided in the SUWI Decree (Besluit SUWI). (District Court paras. 3.8–4.1.) The terms “data,” “processor,” and “controller” are defined in accordance with the European Union (EU) General Data Protection Regulation (GDPR). Article 64, paragraph 1 of the SUWI Act provides for the cooperation of a number of designated government bodies to “prevent and combat the unlawful use of government funds and government provisions in the field of social security and income-related schemes, prevent and combat tax and premium fraud, and non-compliance with labor laws.” Article 65 authorizes the minister to process data in the SyRI for risk analysis at the request of the designated government bodies for the purposes referred to in article 64, paragraph 1. The start of a SyRI project must be published in the Government Gazette.
The data processing consists of two phases: the processing (phase 1) and the analysis (phase 2). In the first phase, the processor brings the files together and pseudonymizes them. After this, the source file is automatically checked against the risk model with all indicators, which generates potential hits, meaning an indication of an increased risk of fraud. All data associated with these increased risks is passed on to the minister for phase 2, in which it is further analyzed, and assessed. A definitive risk selection follows. The minister makes the risk reports on the basis of the definitive risk selection. The SyRI legislation contains retention periods (two years) and restrictions with regard to the inspection and use of risk reports, and confidentiality and evaluation obligations. (Paras. 4.28–4.31.)
Article 8 of the ECHR guarantees the right to respect for private and family life. Paragraph 2 requires that any interference be in accordance with the law and necessary in a democratic society in the interests of national security, public safety, or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others. The public authority must strike a fair balance between the violation of the right to private life and the social interest that the legislation serves.
Decision
The Court first stated that social security is one of the pillars of Dutch society and contributes significantly to prosperity in the Netherlands. The fight against fraud, which is the stated aim of the SyRI legislation, is therefore crucial. It agreed with the government that new technologies such as the SyRI, which offer more possibilities to prevent and combat fraud, should be utilized and generally serve a legitimate purpose. However, the Court pointed out that the development of new technologies means that the right to respect for private life, which includes the right to the protection of personal data, is increasingly important and that the absence of sufficient and transparent protection of it might have a “chilling effect” among the population. (Paras. 6.3–6.5.)
The Court reiterated that the Netherlands has an obligation under article 8 of the ECHR to strike a fair balance between the interference with the right to respect for private life and the benefits of the use of new technologies to prevent and combat fraud. It held that the SyRI legislation fails to comply with that requirement because it is “insufficiently clear and verifiable.” It therefore declared article 65 of the SUWI Act and chapter 5a of the SUWI Decree incompatible with article 8, paragraph 2 of the ECHR. (Paras. 6.6 & 6.7.)
The Court focused its remarks on article 8 of the ECHR, but took the general principles of data protection codified in the EU Charter and the GDPR into account, because they offer the same level of protection. (Para. 6.41; EU Charter art. 52, para. 3.) According to the Court, it is undisputed that the SyRI legislation interferes with the right to respect for private life and that the Court must decide whether it is justified. The Court held that it cannot determine what exactly the SyRI is because the government has neither publicized the risk model and the indicators that make up the risk model nor submitted them to the Court. (District Court para. 6.49.) It ruled that the implementation of the SyRI legislation currently does not involve deep learning, data mining, and risk profile development but that it might in the future. (Para. 6.63.) Even though there is no random data collection, a large amount of data is collected, in the opinion of the Court. (Para. 6.50.) Finally, the Court stated that people whose data is collected and included in a risk report are not automatically informed. There is only a legal requirement to announce the start of a SyRI project. (Paras. 6.54 & 6.65.)
The Court reiterated the case-law of the European Court of Human Rights that states that any interference with the right to respect for private life must be provided for by law. It explained that it does not have to be a law in the formal sense, but that “some basis in domestic law” is sufficient. The legal basis must be sufficiently accessible and foreseeable, meaning it must be so clear that it is possible for an individual to adjust his or her behavior accordingly. In the case at issue, the Court left open the question whether the SyRI legislation is sufficiently accessible and foreseeable and concentrated on whether it was necessary in a democratic society. (Paras. 6.66–6.72.)
The Court held that in light of the margin of discretion provided to national authorities under the ECHR, the damage caused by welfare fraud justified the conclusion of the legislator that there was a compelling social need to take measures in the interest of the economic well-being of the Netherlands as provided for under the SyRI legislation. However, it ruled that the way the SyRI was operated and the associated procedures and safeguards were insufficient and that the SyRI legislation did not strike a fair balance as the ECHR requires. In the view of the Court, the principle of transparency was not observed, because there is no insight into the risk indicators and the operation of the risk model. Finally, the Court stated that it cannot be ruled out that the deployment of the SyRI in “problem areas” will discriminate and stigmatize the citizens in such areas. Due to the lack of transparency, the Court cannot assess how these risks have been addressed. (Paras. 6.76, 6.79, 6.83, 6.87, 6.92–6.95.)