Trouble for new Dutch public transport chipcard

18 March 2008

Gerrit-Jan Zwenne

The introduction of a new nationwide public transport chipcard in The Netherlands has been the subject of much debate and has even led to questions in Parliament. The chipcard is an RFID based payment system which has already been deployed on a small scale in some pilot projects. It was intended that the chipcard would be deployed nationwide in under a year but in light of the current teething problems this seems doubtful.

When German hackers demonstrated earlier this year that the chip could be tampered with, the company responsible for the introduction of the system, TransLink, claimed that this was only a minor incident and that it only concerned certain less important elements of the chipcard system. However, when less than two weeks later, students of Nijmegen University demonstrated on national television how easy it was to hack into the card, Members of Parliament asked the state secretary to take control of the project, which has already cost more than €200 million, The Dutch Data Protection Authority published a damning report about one of the chipcard project’s pilot schemes undertaken by the Amsterdam municipal transport company, GVB. According to the Authority GVB violated several provisions of the Dutch Personal Data Protection Act. In its report it concluded that too many items of personal data are recorded and used, that the data are retained for too long and that it is insufficiently safeguarded. Furthermore the Authority concluded that individuals are not sufficiently informed of what happens to the personal data collected by the transport company.

“This could lead to a situation where citizens of Amsterdam are suddenly presented with their travel behaviour over many years”, says Jacob Kohnstamm, Chairman of the Authority. All kinds of travel movements can be recorded by means of the public transport chipcard, including train, bus and underground journey and can be traced to the individual traveller. At present, travellers can still use public transport without their personal data being registered on every trip. In the opinion of the DPA, this must be the starting point.

The report includes a number of requirements which should be complied with:

  • The public transport company should only record personal data for unique authorisation and payment purposes;

  • Linking card holder data to travel data violates the privacy of the traveller and may only take place under certain strict conditions;

  • The transport company may only use travel data for marketing activities with the consent of the traveller, e.g. someone who regularly travels from A to B should not receive an unsolicited discount subscription for that journey;

  • The public transport company should take sufficient organisational and technical measures to protect the data;

  • The public transport company should provide the travellers with sufficiently clear information about what happens to their data. Travellers must always be able to know how their data are used and must also be able to object to this.

The Amsterdam public transport company has already confirmed that it will comply with all requirements stipulated by the Authority.

The Authority’s report (in Dutch) can be downloaded at its website:
www.cbpweb.nl/downloads_rapporten/rap_20080115_OVChipkaart.pdf?refer=true&theme=purple