Policy & Law

Dutch anti-fraud system has to be withdrawn – government is infringing on private lives

In the Netherlands, the SyRI anti-fraud system was withdrawn after a court ruled that it infringed on private lives. The case is an important milestone in digital rights. It shows how large‑scale data aggregation can clash with fundamental privacy, and it offers lessons for anyone building online services – including tools that help people share files, transfer files and send files secure.

What was SyRI?

SyRI (System Risk Indication) was a system used by Dutch authorities to detect potential welfare and tax fraud. It worked by combining data from various government databases – such as employment records, benefits information and residency data – to generate risk profiles on individuals and neighbourhoods. Critics argued that this created a form of algorithmic surveillance without sufficient transparency or safeguards.

The court ruling and its significance

In 2020, a Dutch court ruled that SyRI violated the right to respect for private life as protected by the European Convention on Human Rights. The judges highlighted several problems: lack of transparency about how risk profiles were generated, the breadth of data sources involved and the difficulty for citizens to challenge or even know that they were being profiled.

The ruling is significant because it draws a clear line: even when fighting fraud, governments cannot simply gather and correlate any amount of data without strict justification and oversight. Automated decision‑making systems must respect proportionality and necessity, especially when they can affect access to essential services.

Lessons for everyday digital tools

Most people are not building nationwide anti‑fraud systems, but the principles from the SyRI case apply broadly. When designing any online service, you should ask: how much data do we actually need? Who can see it? How long do we keep it? Do users understand what is happening? These questions matter whether you run a messaging platform, a social network or a file transfer service.

At Free Transfer, the case reinforces our decision to avoid storing file contents on our servers and to minimise metadata. By letting users share files through private P2P channels with no file size limit, we reduce the amount of centralised data that could be misused or demanded by external parties. The less data we hold, the less there is to profile.

Why decentralisation helps protect privacy

SyRI’s power came from centralisation: many databases combined into one risk‑scoring machine. In contrast, decentralised designs – where data stays closer to the edges, on user devices – naturally limit what any single actor can see. Peer‑to‑peer private file sharing is one example of such a decentralised approach. When files move directly between users instead of via a central store, it becomes much harder for large‑scale profiling to emerge from transfer logs.

This does not mean decentralisation is a silver bullet. Metadata can still reveal patterns, and local devices must be secured. But the risk profile is different from systems that aggregate vast amounts of personal data in one place. The SyRI verdict suggests that this difference matters legally as well as ethically.