Amsterdam violated privacy legislation when the city collected the Facebook data of thousands of loitering young people in 2015, NRC reports based on its own research.

According to the newspaper, in 2015 Amsterdam collected over 100 friends lists of young loiterers and performed a network analysis on that data. In total the lists contained the data of almost 65 thousand people. After eliminating people with fewer than six interconnections, a group of over 1,200 people remained.

Under current legislation, Amsterdam should have reported this analysis to the Dutch Data Protection Authority so that the authority could check whether the municipality dealt with the data responsibly, NRC writes.

Amsterdam should have indeed reported that analysis, a spokesperson for the Dutch Data Protection Authority said to NU.nl. Nevertheless, the authority will not reprimand the municipality. "That only happens when we investigated ourselves", spokesperson Pauline Gras said to the newspaper. "This judgment is based on NRC's research."

On May 25th new European privacy rules take effect. From then on, the duty to report the processing of personal data to the Dutch Data Protection Authority lapses. Organizations that collect individuals' data must still inform the individuals.

The Dutch Data Protection Authority doesn't think that the change of rules will affect its supervision, Gras said. "As of 25 May, governments are obliged to appoint a data protection officer who will internally monitor how the organization deals with privacy. In addition we can also start an investigation on our own initiative."