THE BOTTOM LINE
- Heightened Enforcement Risk: Companies in regulated industries, particularly the transport and environmental sectors, face greater scrutiny from automated sensor networks. Regulators are using “smart” technology to detect violations in real-time.
- GDPR Is Not a Silver Bullet: Relying on a third-party technology provider’s potential GDPR non-compliance is an unreliable defense. Courts recognize that law enforcement and regulatory bodies operate under a different, more permissive set of data processing rules when investigating offenses.
- Corporate Liability is Clear: The illegal actions of an employee or contractor (in this case, the ship’s captain) will be attributed to the company if the act occurred during normal business operations and served the company’s interests, such as increasing operational efficiency.
THE DETAILS
A Dutch shipping company has been fined €5,000 after its tanker was caught illegally venting, or “degassing,” flammable petroleum residue in prohibited areas near Amsterdam, including densely populated zones and under bridges. The crucial evidence came from a network of “e-noses”—advanced sensors placed along the waterways that detect changes in air composition. This system automatically correlated the chemical plume with the ship’s real-time position using its Automatic Identification System (AIS) data, triggering an alert to environmental authorities and leading to a criminal prosecution.
The company’s defense hinged on a novel data privacy argument. It claimed the evidence was inadmissible because the private technology firm that supplied the e-nose system had violated the GDPR. The defense argued that the ship’s AIS data constituted personal data, and the tech firm’s processing of it was unlawful. They contended that since the entire investigation was triggered by this allegedly “tainted” data, all evidence should be excluded, and the company should be acquitted. This strategy attempted to use a private vendor’s potential compliance failure to invalidate a public enforcement action.
The Amsterdam Court of Appeal decisively rejected this defense. While agreeing that the AIS data could be considered personal data, the court highlighted a critical distinction in data protection law. It ruled that the strict rules of the GDPR do not apply to authorities when they are investigating and prosecuting criminal offenses. Instead, their actions are governed by the more flexible EU Law Enforcement Directive, which permits data processing if it is necessary and proportionate for a legitimate law enforcement purpose. Furthermore, the court found that the authorities managed the sensor network themselves and had independent access to the data. The tech vendor’s software only automated the alerts; it was not the sole source of the evidence. Consequently, the court found the evidence was lawfully used and upheld the conviction.
SOURCE
Source: Gerechtshof Amsterdam
