Clifford Chance

The Dutch data protection authority (DPA), Autoriteit Persoonsgegevens, has imposed a fine of 3.7 million euros on the Dutch Tax and Customs Administration (Belastingsdienst). The fine, the highest ever issued by the DPA, was imposed for years of ongoing illegal data processing by the tax authorities in the context of the Fraud Notification Facility (FSV) application. The FSV was essentially a blacklist of potential fraudsters operated by the tax authorities in order to track fraud signals. The list had severe and far-reaching consequences for many of the individuals who were wrongfully listed.

This article discusses the background of the fine and addresses the broader implications.

Background

In a statement released on April 12, the DPA outlined multiple violations of the EU General Data Protection Regulation (GDPR) starting 4 November 2013, up until 27 February 2020, when the tax authorities discontinued its use of the FSV. The FSV was used to record signals of detected fraud and signals that could indicate an increased risk of tax and benefits fraud. The persons included in the FSV were primarily persons who had committed fraud and people who were suspected of possible tax or benefits fraud. The tax authority used the FSV data to assess tax returns, benefit applications and register information requests from other authorities. The application was also used to prepare risk models and determine whether penalties should be imposed in the case of collection of tax of benefits debts. 

Violations

The 3.7 million euro fine was an accumulation of multiple fines for a total of six violations of the GDPR for data processing in the context of the FSV:

• No lawful basis - The tax authorities did not have a legal basis for the FSV-related data processing (Article 5.1(a) and Article 6.1), which in various instanced included sensitive personal data such as information relating to individuals' health. Under the GDPR, any processing of personal data is required to be based on a valid lawful basis. The GDPR sets out a limitative list of lawful bases for processing. In its decision the DPA acknowledged that whilst the tax authorities do have some statutory authority to collect data in order to monitor compliance, Dutch tax law does not provide for any legal basis which would justify the separate, structural and comprehensive collection of data as had been the case under the FSV. In addition, the processing was not considered to be necessary for the tax authority to fulfil its public duty.
• Lack of purpose limitation - The purpose of the application was not explicitly defined in advance (Article 5.1(b)). The GDPR requires organizations which process personal data to be clear about what the purpose for processing is from the outset and to record such purpose. In addition, the processing should be proportionate to the purpose to for which the controller collects said data.
• Retention of inaccurate data - The FSV contained inaccurate data that was not updated (Article 5.1(d))
• Failure to comply with the principle of data retention - The tax authorities stored and retained the data for an indefinite period of time, which constitutes a clear breach of the data retention principle under the GDPR. (Article 5.1(e) This breach and the one above constituted violations of key principles under the GDPR, namely the principles of data accuracy and data minimisation.
• Insufficient security measures - The tax authorities had not taken sufficient security measures with respect to the personal data that was stored in the context of the FSV. Article 32.1 GDPR, contains a requirement for organisations processing personal data to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk
• Failure to adequately escalate - The tax authority did not involve the internal data protection officer in a timely and adequate manner in configuring the application and the assessment of data protection risks of the FSV (Article 35.2).

The tax authorities can still appeal the decision by the DPA.

Investigation & Impact

With the FSV, the tax authorities have unlawfully processed more than 540,000 signals relating to more than 270,000 data subjects. Aleid Wolfsen, head of the DPA, has called the violations unprecedented: "with FSV, the tax authorities violated the rights of the many for over six years. (…) The tax authorities turned lives upside down with FSV." 

Registration in the FSV could lead to stigmatisation, increased supervision and negative financial consequences. For example, the FSV registration could result in income tax returns being corrected to the detriment of the citizen or rent or childcare benefits being rejected. In addition, requests for personal or amicable payment arrangements in connection with tax or benefit debts were automatically rejected due to FSV-registrations. Subjects were also unaware that they were listed in the FSV, even after requests to inspect the data, and could therefore not exercise their rights. The DPA found that in some cases individuals were labelled as fraudsters without thorough investigation; and often in investigations where no fraud had been found these findings were not noted in the FSV, leaving the suspicion of fraud.

According to the tax authority's own investigation, staff were instructed to partly base the risk of fraud on characteristics such as nationality and appearance. This meant persons with Turkish, Moroccan, or eastern European nationalities were investigated more closely without justification. Other things, such as donations to mosques or high medical costs, were also used as risk factors for fraud. 

Record fine

The imposed fine is the highest the DPA has ever issued. The fine is issued to the Dutch Minister of Finance (Sigrid Kaag), as the minister acts as the data controller (as defined in Article 4.7 of the GDPR) for the data that has been processed in the context of the FSV by the tax authorities. The amount is primarily based on the severity of the violations, the large number of affected persons and the fact that the violations continued for extended periods. 

In determining the fine, the DPA also took into consideration that the tax authorities had committed data violations before. 

• In 2018 the tax authorities were ordered by the DPA to stop the data processing of personal identification numbers (BSN) for self-employed persons.
• In 2021 the tax authorities were fined 2.75 million euros by the DPA for using a self-learning algorithm to create risk profiles in an attempt to spot childcare benefit fraud, which resulted in the unlawful and ethnical profiling of childcare applicants with dual nationalities, in the 'childcare benefits scandal.' The Dutch Cabinet resigned in January 2021 over this scandal.

In addition, the DPA has also taken into account that the persons involved are in a dependent and unequal position in relation to the tax authorities. In light of this skewed relationship, the responsibility of the tax authorities to exercise extreme care in its handling of data is even greater.

Broader Implications

The fine issued by the DPA underlines the real life harm and far-reaching consequences that a failure of complying with data protection rules can have for individuals whose personal data is being processed.

The fine continues to further support the trend of the DPA's broad spectrum of organizations which it has sought to investigate and fine – ranging from small to big, to public and private organizations, including bodies of the Dutch government.

In this particular case of the tax authorities, which formally acts under the Minister of Finance, the fine does strongly feel like "robbing Peter to pay Paul" as the fine will ultimately end up at the source which paid it.

The question therefore arises as to what the individual affected will benefit from this decision. The fine, however, does send out a strong signal, which has not gone unnoticed in Dutch politics and has already casts its shadow legally. When the fine was published, the chairman of the AP, Aleid Wolfsen, called for a generous compensation for those unjustly affected by the FSV. The cabinet has indicated that it is open to suggestion, assumably in the hope that it would pre-empt any attempts at mass claims.