System Risk Indication (SyRI)
‘If the information collected by the police, the tax authorities, the social security offices, the health care system and other bodies were to be brought together in one file, the freedom of the individual would be seriously compromised. The file with private information is the emblem of the totalitarian state.’- Baron Browne-Wilkinson, former vice-president of the English Supreme Court, 1991
What may have seemed unlikely in 1991, has become reality with the System Risk Indication (SyRI). Citizens provide the government with a lot of information about themselves. For example, when they apply for a permit or for an unemployment benefit, when they report their tax returns, or when they get married. SyRI enables the government to use the information, which we share with institutes such as the Institute for Employment Insurance, the tax authorities and the Social Security Bank, for purposes other than for which it was provided.
The SyRI, an instrument based on Article 64 and Article 65 of the Dutch Work and Income Act, allows governmental departments to exchange information about citizens to prevent and combat abuse of social security provisions, prevent and combat tax and premium fraud and non-compliance with labor laws.
It also authorizes the government to use big data analytics to look for patterns of possible fraudulent behaviour. Please note, that SyRI detects a risk to, rather than actual fraud.
The PILP-NJCM, the Platform Bescherming Burgerrechten, concerned about SyRI, because the system violates human rights.
Below we will discuss the most problematic aspects of SyRI.
Almost unlimited use of personal data
SyRI may process everything you have ever shared with the government about your identity, labor, personal estates and property, education, pension, business, income and assets, pension and debts. And the list does not stop there.
The Dutch Council of State and the Dutch Data Protection Authority have both strongly criticized the government’s use of the SyRI. The Council of State expressed concern in an advisory opinion, in which it spoke of a ‘far-reaching restriction of the right to respect one’s private life.’ The Council of State concluded that there is hardly any personal information that may not be processed within the SyRI. The list of data that may be analysed seems to have been written to give government agencies more room to manoeuvre. According to the Council of State, this is against the statutory duty of the government to only collect data that is strictly necessary in order to achieve a specific purpose. The Data Protection Authority is of the opinion that it is imperative to carefully select data before it is transferred to the Minister for processing within the SyRI.
In addition, this information has been shared with the government for a different reason than to detect fraud. This means that there is a violation of the purpose limitation principle.
Everyone ‘a suspect’
All data from anyone which has ever been shared with the government can be used by SyRI to detect a risk of fraud. It is not necessary that there is a suspicion of a criminal offense before all your data are investigated. As the wrote: ‘The citizen will be screened the same way as the profile of a criminal is drawn up. Writer Tommy Wieringa warned of SyRI in his lecture: “The System Risk Indicator uses software that is hostile towards citizens. Its check is permanent. The government and the terrorist have a common image: there are no innocent people.’
Risk profile and lack of information
In SyRI, by linking all these personal details, risk alerts are created of people with an increased risk of fraud. Their names are collected in a register of risk reports. The government can conduct further investigation into those people. For example by the police. There is, at this time, still no specific indication of fraudulent conduct, only a risk report based on the linking of personal data. Moreover, citizens to whom the risk profile applies, other than privacy legislation requires, are not informed of the fact that they are in that register. This is problematic, as they are unable to legally contest this.
SyRI is only used in poor districts
SyRI is currently only being used in the following cities and districts: Capelle aan den IJssel, Eindhoven, Schalkwijk in Haarlem and Hillesluis and Bloemhof in Rotterdam. These are all poor municipalities, or the poorest neighbourhoods in a municipality. In addition, there is an above-average percentage of non-Western migrants living in Schalkwijk, Hillesluis and Bloemhof. According to the PILP-NJCM, this could indicate the possible discriminatory use of SyRI with regard to people with a low income and on the grounds of ethnicity.
What does the PILP-NJCM do?
It is hard to see the accordance with the right to privacy and other human and civil rights when it comes to the use of profiling and linking all this personal data – which citizens have not specifically provided for this purpose. Together with the Platform Bescherming Burgerrechten, the FNV, Privacy First, the Landelijke Cliëntenraad and the Stichting KDVP the PILP-NJCM has decided to start proceedings against the Dutch State with the aim of having SyRI declared illegal by the court.
In addition, author Tommy Wieringa and publicist and philosopher Maxim Februari have joined the proceedings as individual co-plaintiffs.
Public campaign “Bij Voorbaat Verdacht”
Around the trial, the ‘Bij Voorbaat Verdacht’ campaign, which roughly translates as ‘suspected in advance’, is being conducted by the Civil Rights Protection Platform. By providing information, conducting research and media appearances, this campaign will focus on triggering a public debate about the use of systems such as SyRI. Visitors to the website are also kept informed of, among other things, the progress of the lawsuit and other important news in the field of profiling and the digital control society.
Photo “Shepard Fairey in London: Big Brother Is Watching YOU” by Tim Rich and Lesley Katon, CC BY-NC-ND 2.
On July 3, 2019, the only running SyRI-project, in Rotterdam, was cancelled, due to, amongst others, privacy concerns with regards to the General Data Protection Regulation.
The Netherlands Trade Union Confederation (FNV) has officially joined the legal coalition in the court case against the System Risk Indication (SyRI). The district court in The Hague decided that the trade union confederation has sufficient interest to join the coalition. Read the full news article here.
The Netherlands Trade Union Confederation (FNV) announced on July 17, 2018, that it will be joining the court case that the PILP, together with a coalition of civil society organizations, initiated against risk profiling through SyRI.
On March 27, 2018, a coalition of NGO’s (NCJM, Privacy First, KDVP, Platform Bescherming Burgerrechten and the Landelijke Cliëntenraad) and two Dutch writers (Tommy Wieringa and Maxim Februari) have started a court case against SyRI. This is a PILP-NJCM case, the case lawyers are Anton Ekker and Douwe Linders from firm Deikwijs. Read the summons (in Dutch) here.
Honours students of the University of Utrecht presented their research to the PILP in May 2016. The students examined whether the Dutch rules on the anti-fraud data-processing system comply with data protection principles protected by EU law, and compared the Dutch system with practice in the United Kingdom, Germany and the US.