The article says the "municipality" is fined. So where does the money come from? From the same citizens the municipality tracked, is that correct? Is it fair to say that citizens who were tracked ended up paying the fine, indirectly of course, through taxes? How is this punishing the people who were responsible for this in the first place?
Although this is true, the municipality is democratically elected by and accountable to the European citizens who reside there. Consequently they now have to decide whether the €600,000 that could have gone to something interesting is worth changing their vote over.
I’ve always felt the same about the usefulness of fining police departments for committing offenses against the citizens who fund them in the first place.
Often however police departments have been allowed to keep money extracted through fines or property seizures. While I imagine the laws around this vary, near where I live there was an infamous speed trap that managed to rake in piles of fines that the police department was able to use in its budget. Until it attracted national news and became an embarrassment.
I do appreciate the fine and the fact that the city will stop tracking citizens but I have to play devil's advocate: is this actually a privacy risk?
I have been playing around with passive wifi tracking for a personal project and found that most devices (including iOS and recent Android) all have MAC randomization turned on. Even in mesh wifi like this, the MAC rotates when a new base station is picked up. So while annoying and against GDPR rules, I am not sure if this is a true loss of privacy.
I understand that a truncated hash of the MAC address was stored in a database of the company City Traffic and that people investigating the database were able to establish that every night (between 4AM and 5AM) one and the same device was traveling through the city center. They have not been able to identify the person who might be carrying the device. Anyway, the Dutch Data Protection Authority concluded that for the purpose of counting the number of people in the city center it is not allowed to track them according to the Dutch law implementing the GDPR. If City Traffic had just stored the number of unique MAC addresses picked up by one of the ten 'MAC address sniffers' for some time interval, they might not have violated the law.
