SyRI stands for System Risk Indication. The system was introduced in 2014. It is a system that the government uses to analyze personal data of Dutch citizens in order to create risk profiles and detect people who may be cheating on social services. On October 29, 2019, a hearing was held in a lawsuit against SyRI, because it is believed that SyRI poses a threat to citizens’ freedoms in the Dutch constitutional state. The court ruled on February 5, 2020 that SyRi can no longer be used in the form described here.
What is SyRI?
Unofficially, SyRI has existed since 2008 to test its functions, but it was only officially added to the Work and Income Implementation Organization Act (Wet SUWI) in 2014. It is called a partnership to ‘prevent and combat unlawful use of government funds and government facilities in the field of social security and income-related schemes, prevent and combat tax and premium fraud, and non-compliance with labor laws (SUWI Art.64.1 ) .’ The intention is that, if fraud is suspected, certain personal data will be analyzed to create a risk profile. If, based on that profile, the conclusion is drawn that a particular person has a higher risk of misuse of government funds or facilities, the name of that person will be passed on for further investigation. So at this point in the process there is no evidence that anything is wrong, only a prediction is being made here.
Steps of the risk analysis
Step 1
Two or more parties start a ‘partnership’ in which the Ministry of Social Affairs and Employment is asked to start a risk analysis. These parties provide all personal data that the ministry requests to the Stichting Inlichtingenbureau.
The parties that can start up such a partnership are:
- Boards of mayor and aldermen
- Institute for Employee Insurance
- Social insurance bank
- Supervisors of compliance and implementation of the Ministry of Social Affairs and Employment
- tax authorities
- Persons and administrative bodies designated by the Ministers of Social Affairs and Employment and Finance
Step 2
Stichting Inlichtingenbureau processes this data into a risk analysis. The data is pseudonymised. This means that the name of the person being investigated is converted into, for example, a number. The data being examined is linked to that number instead of a name. This ensures that the person performing the analysis does not see any names.
Step 3
If the risk analysis shows that a specific person poses a higher risk of misuse of government funds, a name is again linked to the data and that name is returned to the Minister of Social Affairs and Employment. If the Foundation Intelligence Agency does not forward the analysis as a result of the analysis, they will immediately destroy the results.
Step 4
The Minister of Social Affairs and Employment leaves further investigation to the Social Affairs and Employment Inspectorate. The SZW Inspectorate will continue with the analysis and determine whether a report actually needs to be made. In the event of a report, this will be passed on to the Minister of Social Affairs and Employment. The minister passes on the risk report to the parties of the partnership, and possibly to the police or the Public Prosecution Service. The Ministry of Social Affairs and Employment stores risk reports for a maximum of 2 years, after which they must be destroyed.
Step 5
If a report has been made by the SZW Inspectorate, further investigation will be conducted to find evidence of the alleged fraud. If the fraud can be proven, sanctions can be imposed on the fraudster. If the partnership takes such actions, they must report this back to the minister. The risk report is recorded in a register. The citizen involved is not informed of this, but it is clear to him/her.
What personal data do they use?
Personal data is required to carry out a risk analysis. At the request of the minister, this data will be provided during the investigation by the following parties:
- The Employee Insurance Implementation Institute
- Boards of mayor and aldermen
- Social insurance bank
It is unclear exactly what information is requested and on the basis of which indicators it is decided that a specific person has a higher risk of fraud. The government does not want to release this because it is afraid that fraudsters will then change their behavior so that they no longer emerge as possible fraudsters via SyRI based on the known factors. There are 17 known categories of data from which personal data is extracted and analyzed:
|
|
Court case
In March 2018, the Ministry of Social Affairs was sued by a group of claimants who believe that SyRI should be decommissioned. Two reasons for this have already been mentioned: the amount of data that can be analyzed and the lack of clarity about exactly what data that data is, and the lack of clarity about the precise indicators that lead to an increased risk. In addition, people are not analyzed individually after reports, but it is used as a so-called ‘dragnet method’, in which residents of entire neighborhoods are put through the analysis at once. A point of criticism that builds on this is that in 2019, in the 5 mass analyzes that have been carried out since 2014, not a single fraudster has emerged thanks to SyRI. The system is therefore unclear in its operation, and appears to be failing in its purpose. In addition, the question is whether SyRI does not conflict with Article 10 of the Constitution: the right to privacy and the General Data Protection Regulation (GDPR). There is a belief that regular use of systems such as SyRI can lead to the normalization of privacy intrusions by the government, and the mindset that citizens are suspects without there being any evidence of wrongdoing. This could possibly lead to a police state.
The hearing of this case was in October 2019. On February 5, 2020, the court ruled that the legislation surrounding SyRi is contrary to Article 8(2) of the European Convention on Human Rights (ECHR). This means that the court has assessed that there is not a good balance between the invasion of private life and the social interest that the legislation surrounding SyRi should serve. As the plaintiffs were of the opinion, the court has now also ruled that the method used is insufficiently verifiable and transparent. This ruling means that SyRi may no longer be used in the form described here.