Nederlands Juristen Comité voor de Mensenrechten et al. v. The Netherlands, ECLI:NL:RBDHA:2020:1878
The District Court of the Hague held that an amendment to the Work and Income Implementation Organization Structure Act authorizing the use of the System Risk Indication (“SyRi”) was in violation of the European Convention on Human Rights. The European Convention on Human Rights provisions on privacy, outlined in Article 8, paragraphs 1 and 2, required the court to balance the government interests of the Netherlands against the individual invasion of privacy resulting from the use of the SyRi, and the court found that the government interests were not strong enough to justify the breach of the individual privacy right. The court ordered the government to stop using the SyRi.
Seven parties (a human rights organization, a civil rights organization, a privacy rights organization, an organization that works for the privacy rights of clients of psychotherapists, a statute-made national council of client participants in government policymaking, and two individuals) brought suit against the State of the Netherlands in March 2018, challenging the legality of the use of the System Risk Indication (SyRi), a government data legal instrument used to assess the risk that individuals receiving welfare benefits from the State have behaved fraudulently. (A trade union joined the suit as an intervening third party for the plaintiffs in September of 2018.) The plaintiffs claimed that SyRi violated provisions of the European Convention on Human Rights (ECHR), and they claimed that the Tax and Customs Administration of the Netherlands was in violation of its duties of confidentiality. They sought a decree prohibiting the government from future use of SyRi. Additionally, the plaintiffs asked that the State be ordered to disclose the risk models and indicators used by SyRi, to destroy all personal data collected for SyRi projects, and to pay the costs of the proceedings.
The Work and Income Implementation Organization Structure Act (SUWI Act), as amended on January 4, 2014, and implemented under the SUWI Decree, authorized the application of the SyRi data instrument. The SyRi data system produced risk reports for government agencies indicating whether an individual was worth investigating for fraudulent behavior in their receipt of welfare benefits. In practice, SyRi was implemented through neighborhood projects, whereby a “collaborative alliance” of government agencies identified a geographic area in which to run SyRi analyses, and then collaborated by providing data to the SyRi risk model. The risk models were designed through the compilation of a collection of risk indicators which were compared across data from any government agency participating in the collaborative alliance. Under the legislation, risk report data could be stored for up to two years following a SyRi neighborhood project.
The SUWI Decree contained an extensive list of informational categories that could be processed in SyRi, including: gender, employment history, taxes, property ownership, education, health insurance, government permitting, social assistance benefits, debt burden, pension, and administrative sanctions. Agencies could propose SyRi projects and bring them to the Minister of Social Affairs and Employment for authorization of the project. The Minister could choose to process the data if the request met the conditions of the SUWI Decree and if the request outlined that there was systemic capacity to link data records for the proposed analytical outcome.
The plaintiffs challenged the SyRi legislation (the provisions of the SUWI Act and SUWI Decree containing the SyRi provisions) under the ECHR’s Article 8, paragraph 1, which establishes privacy as a fundamental human right in “family life, home, and correspondence,” and under Article 8, paragraph 2, which states that interference with a privacy right is only allowed “in accordance with the law and when necessary in a democratic society in the interests of national security, public safety or the economic wellbeing of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedom of others.” Article 8 sets forth a balancing test to establish the legal status of the SyRi legislation. The court was required to weigh the state’s public interests in the SyRi legislation against the individual invasion of privacy that may result from the SyRi risk reports.
Furthermore, the European Union protects privacy rights through the General Data Protection Regulation Implementation Act (GDPR). The principles of the GDPR include: transparency, purpose limitation, data minimization, accuracy, integrity & confidentiality, and accountability. In 2018, the GDPR came into effect in all EU member states.
In the decision, the court addressed the relationship between the ECHR and the GDPR by identifying that, while the ECHR provides broad rules in regard to privacy and human rights, the GDPR provides specific statutory language regarding citizen rights in the protection of personal data. The ECHR rights are embedded within the European Union Charter, which governs the GDPR. Noting this framework, the court chose to use the principles identified in the GDPR to analyze and interpret the SyRi legislation under Article 8 of the ECHR.
The court held that the SyRi legislation was a violation of the European Convention on Human Rights because it did not meet the balancing test presented in Article 8, paragraph 2, and because the State did not prove that the legislation and enactment of the SyRi system were transparent and verifiable.
Regarding the balancing test, the court concluded that a risk report has a significant legal effect on the person whose information is in the report, whether that was the intention of the legislation or not. Even though a risk report cannot be used in isolation to sanction an individual, it may lead to an investigation or be used in legal decisions that have significant impacts on the individual’s life. The court found that there were insufficient protections in place to create a justified right to interfere with an individual’s privacy. For these reasons, the court found that the interference with the individual privacy right was too great to accept the government’s stated interest.
The court also analyzed the SyRi legislation and found that it was not transparent or verifiable. It found that SyRi had the potential to be utilized as a “deep learning” system because it allowed the agencies using the system to adjust the risk models throughout the process. Further, the court found that there was a potential for the system to engage in data profiling of individuals, which is banned under the GDPR. The file linkage operations used in SyRi met the definition of data profiling under the GDPR. Data subjects were not individually notified when their data was entered into the SyRi system. The risk models used and data gathered were kept secret by the government. Under the GDPR principles, these practices led the court to the conclusion that the legislation violated the ECHR.
As a remedy, the court voided the SyRi legislation, meaning that the government cannot continue to use the SyRi data system. However, the court dismissed the Tax and Customs Administration data confidentiality claim, stating that the plaintiffs had failed to support their assertion. The court also declined to order the government to disclose the SyRi risk models that had been used in specific SyRi projects, and the court did not order the destruction of the data that had already been collected through the SyRi projects. On April 23, 2020, the Netherlands announced that it did not plan to appeal the judgment rendered in the case.
With the rise of artificial intelligence (“AI”), countries across the world are beginning to implement systems that use technology to identify both individual behaviors and systemic patterns in welfare and other government benefits. The holding in this case sets a precedent that under the ECHR and European Union law, such systems can be challenged, particularly when the harms to individual beneficiaries of welfare programs significantly outweigh the gains for the country as a whole. Additionally, this case foreshadows that when the systemic calculations used to identify fraudulent behavior by welfare recipients are not transparent or available, states might have a difficult time defending their technologies.
For their contributions, special thanks to ESCR-Net member: the Program on Human Rights and the Global Economy (PHRGE) at Northeastern University.