
Transport for London (TfL) is being accused of illegally obtaining EU citizens’ data to issue false ULEZ notices, in what is being called "possibly the biggest data breach in EU history." 

According to a report by the Guardian, the transport authorities of five EU countries are investigating TfL over allegedly stealing personal information including names and addresses of their citizens to dish out over 320,000 ULEZ fines since 2021.

Since Brexit was enforced in 2020, the UK has been banned from gaining automatic access to the personal data of EU residents.

But transport authorities in Germany, Belgium, Spain, and the Netherlands have warned that TfL is using EU citizen data to enforce the ultra-low-emission zone – which is banned under the Brexit agreement. 

These authorities claim that registered drivers’ details were illegally acquired by Euro Parking Collection – the contractor who enforces ULEZ overseas on behalf of TfL. Many of the penalties have been issued to drivers who visited London in Ulez-compliant vehicles and were not aware they had to be registered with TfL’s collections agent Euro Parking at least 10 days before their visit.

Failure to register does not count as a contravention, according to Ulez rules, but some drivers have nonetheless received penalties of up to five-figure sums. TfL said the fines were justified because it was unable to confirm whether foreign vehicles had contravened emissions standards if they were not registered.

But Belgian MP Michael Freilich, who has investigated the issue over several months, has accused TfL of treating European drivers as a “cash cow” by using data obtained illegally to issue unjustifiable fines across the continent. 

“This is possibly one of the largest privacy and data breaches in EU history, but so far no concrete action has been taken while responsibilities are being shunted on to drivers,” he said on Thursday. 

Is TfL illegally stealing EU data for Ulez?

Despite an absence of individual data-sharing agreements with EU countries, TfL said that “local laws” allowed authorities to share vehicle owner information with the UK for the enforcement of traffic regulations.

But the EU countries investigating the fines say national laws only allow the UK to access personal data for criminal offences, not civil ones. 

And since breaching Ulez is just a civil offence, EU authorities question whether Euro Parking is legally carrying out its contract with TfL by using EU data to issue fines for a company outside of the EU, which is illegal under the GDPR.

Ulez zone in London. EU citizens must pay to drive in this zone. Source: TfL

Responding to a Freedom of Information request asking about its foreign Ulez policy, TfL said: “We use European Parking Collections (EPC) to carry out foreign enforcement on our behalf. They are provided with details of the vehicle and then carry out some additional checks.

“If they establish that the vehicle is compliant a PCN will not be issued. If compliance cannot be established then a PCN will be issued.”

Euro Parking and EU Data

Euro Parking is a parking management company that was given a five-year contract by TfL in 2020 to recover debts from drivers outside the UK who had breached London’s low-emission and congestion rules after Brexit.

The firm is owned by the US transport tech company Verra Mobility, which is listed on the Nasdaq stock exchange and whose net revenue was $205m (£161m) in the second quarter of 2023.

It bypasses data protection rules by using EU-based agents to request driver data without disclosing that it is for UK enforcement.

In October, the Belgian government ordered a criminal investigation after a court bailiff was accused of illegally passing the details of 20,000 drivers to Euro Parking to issue fines for breaking Ulez rules.

The bailiff was subsequently suspended. TfL initially claimed that no Belgian data had been shared with Euro Parking since then. But a freedom of information request by the Guardian found that more than 17,400 fines had been issued to Belgians in the following 19 months.

TfL then claimed driver details were provided directly to Euro Parking by Belgium’s vehicle licensing agency. But the Belgian minister for transport confirmed this data cannot be shared directly – or indirectly – for enforcing Ulez rules, and last month, the Belgian data protection authority began an investigation into how the data was still being obtained.

Speaking on behalf of Euro Parking, TfL said in a statement: “Any company working on our behalf is contractually required to ensure that data is processed in line with the relevant data protection legislation.”

“We work closely with European Parking Collection to ensure all elements of the contract are being adhered to and have mechanisms in place should they not be fulfilled.”

“Euro Parking make it clear when they submit requests for keeper data in EU countries that they are acting on behalf of TfL, for enforcement of road-user charging in London, even when they route those requests through a third party. Euro Parking has not been prevented from accessing keeper data for drivers in EU countries,” TfL added.