The Netherlands’ Data Protection Authority (DPA) has levied a fine of €600,000 ($725,000) on Enschede city council for tracking pedestrians in the city centre in contravention of the General Data Protection Regulation (GDPR).
The way the council monitored how busy the centre was made it possible to follow shoppers, workers and residents in the city’s core. The council has lodged an objection against the fine.
The DPA’s vice-president Monique Verdier said: “It is not intended that anyone can track which shop, doctor, church or mosque we visit. That is private, and it must remain private, so that people can be themselves, without feeling inhibited by possible registration.
“A municipality must put this fundamental right of its residents first.”
Back in 2017, the Enschede council decided to monitor how busy the centre was and hired a company which specialises in counting passers-by.
Measuring boxes installed in shopping streets picked up wi-fi signals from passing pedestrians’ phones. Every phone was registered separately, with a unique code.
A DPA investigation subsequently found the council could effectively follow people by keeping track of which telephone passed a particular measuring box over a period.
Citizens’ privacy was therefore not properly guaranteed because they could be tracked unnecessarily, the authority said, adding that it was not the municipality’s intention to track individuals and that it found no evidence that this happened.
“But deploying wi-fi tracking that makes this possible is, in itself, a serious violation of the GDPR privacy law,” the DPA said.
Verdier added: “If you can follow people on their phone, that is very bad because everyone has the right to walk the streets freely and unobserved, without the government or another party being able to watch or record what you are doing. That suits our free and open society.
“To measure crowds in a city centre, a system must count people, not follow them.”
Following the DPA’s intervention, the wi-fi tracking stopped in May last year.
The authority also said that in most cases the practice is prohibited and municipalities are only allowed to process personal data via wi-fi tracking to, for example, carry out legal obligations.