Voices as personal data: Belgian DPA challenges Antwerp's noise pollution initiative
10 Apr 2025
On 18 February 2025, the Litigation Chamber of the Belgian Data Protection Authority (“DPA”) issued a decision concerning the use of sound sensors by the city of Antwerp in order to fight noise pollution in the student district. Although the claim was against the city of Antwerp, two interested parties, a supplier used by the City of Antwerp and Flanders Agency for Innovation & Entrepreneurship (VLAIO), were also part of the proceedings.
The innovation project (“innovatieproject”)
In 2022, the city of Antwerp launched an innovation project in the student district, installing 30 sound sensors to map and fight noise pollution.
The sound sensors were designed to record ambient sounds 24/7 for a period of eight months. Recordings were segmented into 10-second clips (“raw audio files”) and stored via Google Cloud. When noise levels exceeded a certain threshold (the objective trigger) or when a resident reported noise disturbances through a dedicated app (the subjective trigger), the sensors created a graphical representation of the sound as an MEL spectrogram (“voice sample”).
The raw audio files and voice samples were further processed to train an AI model which would ultimately be able to classify ambient sounds and, in case of certain classifications, create real-time “nudges” to reduce noise pollution. The city relied upon a third-party processor to finetune an existing AI model by manually listening and labelling the raw audio files into the different classifications (for example “yelling”, “crying”, “singing” and “talking”).
After a short trial period, the project was shut down due to complaints. One of the residents filed a complaint with the DPA.
Voices as personal data
The DPA investigated whether personal data was processed. To assess this, the DPA distinguished the processing of (1) raw audio files and (2) voice samples.
1. Raw audio files
Contrary to the assertion of Antwerp and its processor, the DPA decided that the raw audio files constitute personal data for the following reasons:
The European Data Protection Board (EDPB) affirmed in Guidelines 01/2022 that a person's voice qualifies as personal data.
Raw audio files may contain information about the speakers and individuals mentioned during the conversations, making them identifiable under Article 4.1 of the GDPR.
Local laws gave the city means to identify individuals for noise pollution control, including access to police data and databases.
Incidentally, the city's DPO had already confirmed that the project involves processing of personal data.
2. Voice samples
The city of Antwerp and its processor claimed that voice samples are merely sound frequency visuals and should be considered as anonymous data, thus falling outside the GDPR’s scope.
The DPA ruled that voice samples should be regarded as biometric data under article 4(14) of the GDPR. This article defines biometric data as "personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person." The DPA clarifies that a voice sample, much like a fingerprint, contains objective unique information about an individual. This creates the possibility of identifying the speaker.
3. Sensitive data
The DPA determined that both the raw audio files and voice samples may contain sensitive data as defined by article 9(1) of the GDPR. Individuals often discuss subjects such as politics and health when speaking outdoors, making the processing of sensitive data inevitable. The DPA's assertion is supported by the duration of the project, the vibrancy of the neighbourhood, and the professional quality of the recordings which enabled the processor to comprehend conversations.
The DPA emphasized that reducing the quality of the recordings until the content of the conversations becomes incomprehensible would have been sufficient to fulfill the project's purpose. By failing to lower the quality, the DPA asserts that the city of Antwerp must have processed sensitive data through the raw audio files and voice samples. Such processing is principally prohibited under Article 9(1) GDPR.
Noteworthy:
The DPA qualified the raw audio files and the voice samples as sensitive data for the reason that they could include content which falls in the scope of article 9 GDPR and not because these are biometric data. In our view, this is consistent with the GDPR, as biometric data only fall under article 9 if they are processed for a specific purpose, being the unique identification of an individual.
Nevertheless, the DPA's conclusion that the city of Antwerp unavoidably processed sensitive data due to the length and methods of the project calls for the utmost scrutiny, as there is no evidence that such processing has taken place.
Processing personal data without a legal basis
To determine the appropriate legal basis, the DPA first assesses the legal basis under article 6 and continues with the basis to process sensitive data following article 9(2) of the GDPR.
| Legal basis | Decision DPA |
Consent Article 6.1(a) GDPR
|
|
Public interest Article 6.1(e) GDPR
|
|
Substantial public interest Article 9.2(g) GDPR
|
|
As a result, the DPA ruled that the city of Antwerp violated the lawfulness of the processing activities, both under article 6 and article 9 GDPR.
Due diligence obligation regarding processors
The DPA further investigated whether the city of Antwerp fulfilled its obligations when selecting a third-party supplier in the innovation project. Article 28(1) of the GDPR requires controllers to only engage with processors that provide sufficient guarantees regarding data protection. The DPA sets forth three conditions derived from Recital 81 of the GDPR and further explained in the Guidelines 07/2022 of the EDPB on the concepts of controller and processor.
| Conditions EDPB | Decision DPA | |
| 1. | Expert knowledge of the processor |
|
| 2. | Reliability of the processor |
|
| 3. | The resources of the processor |
|
Infringements of the city of Antwerp
Once the DPA concluded that the city of Antwerp processed personal data without a legal basis, it establishes several other violations of the GDPR:
Transparency: The city of Antwerp set up information notices in public areas but failed to provide all the required information on their project to the data subjects, including the legal basis, sub-processors and ex EEA data transfers. This resulted in a breach of article 5.1(a) GDPR.
Data protection impact assessment (DPIA): A DPIA is designed to systematically identify and mitigate the data protection risks of a processing activity. A DPIA was conducted, but the city appeared to consider the DPIA as a mere formality and did not take it seriously. The DPA found serious shortcomings in all aspects of the DPIA, leading to a violation of article 35(7) of the GDPR.
Data transfers outside the European Economic Area (EEA): If data is transferred outside the EEA, adequate safeguards are necessary to ensure that the data receives the same level of protection as it does within the EEA. All recordings from the project were stored without encryption on Google Cloud, provided by Google as a US-based sub-processor. The DPA notices that the transfer took place before the Data Privacy Framework was installed and thus required the performance of a data transfer impact assessment (DTIA). Given the absence thereof, the city violated article 44 of the GDPR.
- Data protection by design and default: The project did not contain any measures regarding the design or default settings to prevent excessive data processing, even though it was possible. This resulted in a violation of article 25 of the GDPR.
Sanctions
The infringements resulted in a reprimand to the city of Antwerp and an order to delete all raw audio files and voice samples.
Our views
The DPA insists that all audio files should be treated as sensitive data under article 9(1), despite neither the claimant nor the DPA provided evidence that sensitive were actually processed. This emphasizes its extensive approach to the concept of sensitive personal data. The processing of sensitive data extends to situations where such data could reasonably be expected to be processed even though it is not actively pursued by the controller.
Timely involvement of the DPO and performance of a DPIA are key steps in innovative projects that safeguard the proportionality and necessity principles. By lowering upfront the quality of the audio files to what was necessary for obtaining the purpose, the city of Antwerp could have performed its project in compliance with the GDPR requirements.
Data protection, when applied correctly, should not preclude innovation, but rather provide tools and a framework to guide your organisation on how to take into consideration the rights and freedoms of citizens.
Third party risk management (in this case, the choice of a technology provider) becomes an increasingly important point of attention for data protection supervisory authorities, which will affect companies’ procurement activities.
Also facing challenges or uncertainties relating to innovative projects and data protection? Don't hesitate to contact our IP, IT & Data lawyers.
Contact us
