The Human Environment and Transport Inspectorate (ILT) takes the comments of the Dutch Data Protection Authority to heart. Despite these reassurances, privacy experts remain sceptical.
The Environment and Transport Inspectorate (ILT) has responded to the concerns of the Dutch Data Protection Authority (AP) on the plan for a central taxi transport database (CDT). The ILT emphasises that the proposal has been carefully developed, with specific attention to the privacy of both passengers and taxi drivers. According to the ILT, the database is intended to improve supervision and not to collect or process passenger data.
driver data only
The ILT makes it clear that the CDT only registers journey data from taxi drivers for business journeys. “No passenger data is stored, let alone processed,” according to the inspection. This means that information such as GPS coordinates of pick-up and drop-off locations is exclusively linked to drivers and cannot be traced back to individual passengers.
Although the Human Environment and Transport Inspectorate (ILT) emphasises that the central taxi transport database (CDT) only processes data from taxi drivers, privacy experts warn that travel data can still reveal patterns. The government and the ILT claim that passenger data is not stored, but the stored GPS coordinates of journeys can still lead to indirect identification of passengers and their travel behaviour in practice.
Experts point out that even without explicit storage of passenger data, it is possible to recognize patterns that can be traced back to specific individuals. “For example, if someone takes a taxi from the same location to a workplace every morning, you can easily identify that person,” says one privacy consultant. In addition, sensitive destinations, such as a hospital or a therapist, can provide a clear picture of someone’s private life.
security
The purpose of the CDT, according to the ILT, is to ensure safety and quality in the taxi market. A central storage facility allows taxi inspectors to check more efficiently whether drivers comply with the rules, such as the legal working hours and journey registration.
The ILT states that privacy protection is a priority when introducing the database. To underline this, two extensive DPIAs (data protection impact assessments) were carried out. These analyses have mapped out possible risks for the protection of personal data and led to the implementation of various security measures.
Although the Dutch Environment and Transport Inspectorate (ILT) emphasises that the central taxi transport database (CDT) only processes data from taxi drivers, privacy experts warn that travel data can still reveal patterns.
In a response to the ICT service providers in response to the AP report, ILT writes: “The CDT is a closed system to which only authorized taxi inspectors have access.” According to ILT, the system is equipped with logging and authorizations to prevent misuse or unauthorized access. In addition, a statutory retention period of two years applies to the stored data. This period is in line with the rules in the Working Hours Act. After this period, the data is automatically destroyed.
Personal Data Authority
Despite the reassuring words from the ILT, the AP remains vigilant. According to board member Katja Mur, there are still risks exist, such as the possibility of 'function creep' or data leaks. The AP has advised the government to create further safeguards and consider alternatives that limit the collection of GPS data.
It is now up to the cabinet to find the balance between efficient supervision and privacy protection. The ILT emphasizes that all efforts are in the interest of both passengers and drivers. "A reliable and safe taxi market is ultimately what we strive for together," according to the inspection.