Fortunately, my prognosis was wrong- but only to a certain extent..
In my prognosis 'SyRI most likely violates the ECtHR criteria, but the system will be deemed lawful by the lower court', I expressed my expectation that the court would consider the application of SyRI to be lawful. I indicated that the deployment of SyRI obviously contradicts the ECtHR criteria on the right to respect for privacy (art. 8 ECHR), because the requirements of foreseeability and necessity in a democracy, as well as the requirements of proportionality, subsidiarity and data minimization, are not met. Moreover, the violation of private life cannot be compensated for in the absence of guarantees in the law on which SyRI is based (that is, the SUWI legislation).
My specific expectation was that the civil court would judge the formal requirement of a legal basis to be met by Article 65 of the SUWI Act and Chapter 5a of the SUWI Decree. It was exactly this expectation that did not come true. That seems good news, but the expectations should not be too high!
What is the concrete consequence of the Court ruling in the SyRI case?
The Court of The Hague considers the SyRI legislation '... in conflict with the right to respect for privacy as referred to in art. 8 paragraph 2 ECHR, insofar as this SyRI legislation concerns the deployment of SyRI (Court of The Hague, 5 February 2020, ECLI:NL:RBDHA:2020:865, consideration 6.111).
This somewhat over-abundant consideration means that Article 65 of the SUWI Act and Chapter 5a of the SUWI Decree are incompatible with art. 8 paragraph 2 ECHR.
The consequence is that only Article 65 of the SUWI Act and Chapter 5a of the SUWI Decree will be declared non-binding because of the conflict between these provisions and higher law (Article 8 of the ECHR).
The case law of the European Court of Human Rights concerning Article 8 ECHR is now finally taking shape in Dutch legal practice. The verdict, stating that art. 65 SUWI Act and Chapter 5a of the SUWI Decree must be considered to be non-binding, is the result of the criteria laid down by the ECHR, including in the ECHR cases 21 June 2011, 30194/09 (Shimovolos v. Russia) (paragraph 68) and ECtHR 4 December 2008, 30562/04 and 30566/04 (S. and Marper v. United Kingdom) (paragraph 95).
This is clearly reflected in the application of the fair balance test in considerations 6.7, 6.80 and 6.86 of the Court of The Hague. In the opinion of the court, the legislation on which the application of SyRI is based does not provide sufficient safeguards to protect the right to respect for private life. SyRI legislation without insight into the risk indicators and the risk model, or at least without further legal safeguards that compensate for this lack of insight, provides insufficient guidance for the conclusion that with the use of SyRI the interference in private life in the light of the abuse and the fraud that is intended to combat is always proportional and therefore necessary, as required by Article 8, paragraph 2 of the ECHR (consideration 6.95). In view of the principles of purpose limitation and data minimization, the legislation contains insufficient guarantees (see consideration 6.106)
What was not achieved with this statement?
It is good to realize that SyRI itself is not being deemed unlawful. The media deliberately rushed into their interpretation of the verdict, causing newspapers and news sites to spread incorrect headlines such as "Judge prohibits controversial fraud detection system SyRI".
Due to the extensive consideration of the proportionality and subsidiarity requirement, the necessity requirement ('pressing social need in a democratic society') and the discussion of the obligation of the State to carry out a Privacy Impact Assessment (PIA / DPIA), the court ran out of time to assess the compatibility of SyRI with specific provisions in the GDPR.
It is striking that the court makes clear that the 'black box'-character of SyRI has made it impossible for the court to test what exactly SyRI is, because the risk models have not been made public (see consideration 6.49). Insight into the validation of risk models in SyRI is not provided by the SUWI legislation and the court cannot verify these risk models (considerations 6.65, 6.89 and 6.90).
Despite the abundancy of the considerations in the SyRI case, only one claim is awarded: the declaration that Article 65 SUWI and Chapter 5a SUWI Decree are not binding. The question is what the practical significance of this statement is for those involved (every citizen covered by social security and tax benefits):
1. The State is not obliged to destroy the personal data already collected within the framework of SyRI (consideration 6.117). The claim for the destruction of the personal data must be assessed per individual case.
2. The 'black box' will not be opened. The State is not obliged to make the risk models public (consideration 6.115).
3. For disclosure of specific risk models, the person concerned must follow the administrative route (consideration 6.115).
4. No judgment is given on the topic of discrimination in the deployment of SyRI, because discrimination does not have to infringe the right to respect for private life as protected by art. 8, paragraph 2 of the ECHR (see considerations 6.93-6.94).
To be continued?
In spite of all the detailed considerations, ultimately only the judgment has direct meaning. The basis of SyRI in the SUWI legislation is invalid, but SyRI as a system cannot be put aside as non-binding. However, after the ruling on 5 February 2020, the legislator decided that SyRI can no longer be used as a means of enforcement. My expectation is that the legislator will either repair the irregularities in the SUWI Act and the SUWI Decree, or that another System Risk Indicator is under construction right now.
In my prognosis 'SyRI most likely violates the ECtHR criteria, but the system will be deemed lawful by the lower court', I expressed my expectation that the court would consider the application of SyRI to be lawful. I indicated that the deployment of SyRI obviously contradicts the ECtHR criteria on the right to respect for privacy (art. 8 ECHR), because the requirements of foreseeability and necessity in a democracy, as well as the requirements of proportionality, subsidiarity and data minimization, are not met. Moreover, the violation of private life cannot be compensated for in the absence of guarantees in the law on which SyRI is based (that is, the SUWI legislation).
My specific expectation was that the civil court would judge the formal requirement of a legal basis to be met by Article 65 of the SUWI Act and Chapter 5a of the SUWI Decree. It was exactly this expectation that did not come true. That seems good news, but the expectations should not be too high!
What is the concrete consequence of the Court ruling in the SyRI case?
The Court of The Hague considers the SyRI legislation '... in conflict with the right to respect for privacy as referred to in art. 8 paragraph 2 ECHR, insofar as this SyRI legislation concerns the deployment of SyRI (Court of The Hague, 5 February 2020, ECLI:NL:RBDHA:2020:865, consideration 6.111).
This somewhat over-abundant consideration means that Article 65 of the SUWI Act and Chapter 5a of the SUWI Decree are incompatible with art. 8 paragraph 2 ECHR.
The consequence is that only Article 65 of the SUWI Act and Chapter 5a of the SUWI Decree will be declared non-binding because of the conflict between these provisions and higher law (Article 8 of the ECHR).
The case law of the European Court of Human Rights concerning Article 8 ECHR is now finally taking shape in Dutch legal practice. The verdict, stating that art. 65 SUWI Act and Chapter 5a of the SUWI Decree must be considered to be non-binding, is the result of the criteria laid down by the ECHR, including in the ECHR cases 21 June 2011, 30194/09 (Shimovolos v. Russia) (paragraph 68) and ECtHR 4 December 2008, 30562/04 and 30566/04 (S. and Marper v. United Kingdom) (paragraph 95).
This is clearly reflected in the application of the fair balance test in considerations 6.7, 6.80 and 6.86 of the Court of The Hague. In the opinion of the court, the legislation on which the application of SyRI is based does not provide sufficient safeguards to protect the right to respect for private life. SyRI legislation without insight into the risk indicators and the risk model, or at least without further legal safeguards that compensate for this lack of insight, provides insufficient guidance for the conclusion that with the use of SyRI the interference in private life in the light of the abuse and the fraud that is intended to combat is always proportional and therefore necessary, as required by Article 8, paragraph 2 of the ECHR (consideration 6.95). In view of the principles of purpose limitation and data minimization, the legislation contains insufficient guarantees (see consideration 6.106)
What was not achieved with this statement?
It is good to realize that SyRI itself is not being deemed unlawful. The media deliberately rushed into their interpretation of the verdict, causing newspapers and news sites to spread incorrect headlines such as "Judge prohibits controversial fraud detection system SyRI".
Due to the extensive consideration of the proportionality and subsidiarity requirement, the necessity requirement ('pressing social need in a democratic society') and the discussion of the obligation of the State to carry out a Privacy Impact Assessment (PIA / DPIA), the court ran out of time to assess the compatibility of SyRI with specific provisions in the GDPR.
It is striking that the court makes clear that the 'black box'-character of SyRI has made it impossible for the court to test what exactly SyRI is, because the risk models have not been made public (see consideration 6.49). Insight into the validation of risk models in SyRI is not provided by the SUWI legislation and the court cannot verify these risk models (considerations 6.65, 6.89 and 6.90).
Despite the abundancy of the considerations in the SyRI case, only one claim is awarded: the declaration that Article 65 SUWI and Chapter 5a SUWI Decree are not binding. The question is what the practical significance of this statement is for those involved (every citizen covered by social security and tax benefits):
1. The State is not obliged to destroy the personal data already collected within the framework of SyRI (consideration 6.117). The claim for the destruction of the personal data must be assessed per individual case.
2. The 'black box' will not be opened. The State is not obliged to make the risk models public (consideration 6.115).
3. For disclosure of specific risk models, the person concerned must follow the administrative route (consideration 6.115).
4. No judgment is given on the topic of discrimination in the deployment of SyRI, because discrimination does not have to infringe the right to respect for private life as protected by art. 8, paragraph 2 of the ECHR (see considerations 6.93-6.94).
To be continued?
In spite of all the detailed considerations, ultimately only the judgment has direct meaning. The basis of SyRI in the SUWI legislation is invalid, but SyRI as a system cannot be put aside as non-binding. However, after the ruling on 5 February 2020, the legislator decided that SyRI can no longer be used as a means of enforcement. My expectation is that the legislator will either repair the irregularities in the SUWI Act and the SUWI Decree, or that another System Risk Indicator is under construction right now.
