Tax Administration fined for fraud blacklist
The Dutch Data Protection Authority (DPA) has imposed a €3.7 million fine on the Tax Administration for illegally processing personal data over a period of years in its ‘fraud identification facility’ (FSV). This was a blacklist which the Tax Administration used to register indications of fraud, often with major repercussions for people who had been wrongly included on the list.
Over the course of its investigation into the FSV the DPA uncovered numerous violations of the General Data Protection Regulation (GDPR). For example, the Tax Administration had no statutory basis for processing the personal data on the list. Without such a basis in the GDPR, it is prohibited to process personal data.
In many cases the personal data was not even correct, and as a result people were wrongly registered as possible tax frauds. Furthermore, the list was not properly protected, and the Tax Administration’s internal privacy supervisor was not involved at an early stage in the creation of the list.
Lives in disarray
The fine is the highest ever imposed by the DPA. This is due to the seriousness of the violations, the large number of people impacted and the fact that the violations persisted for such a long period of time.
DPA chair Aleid Wolfsen said: 'The Tax Administration violated the rights of the 270,000 people on that FSV list to an unprecedented degree. And this went on for over six years. People were often wrongly branded as tax frauds, with terrible consequences. In some cases, if your name appeared on the FSV, you weren’t offered a payment scheme or you were ineligible for debt rescheduling. By using the FSV, the Tax Administration left many lives in disarray.'
According to the Tax Administration’s own investigation staff were instructed to base their fraud risk analysis in part on factors like nationality and physical appearance.
'If you were a Turkish, Moroccan or Eastern European national, you were subjected to further investigation for no good reason, simply due to your nationality,' said Wolfsen. 'This discrimination is unacceptable. The Tax Administration also cited donations to mosques and high medicine costs incurred by people with Eastern European-sounding names as risk factors for fraud.'
Not the first such violation
In determining the amount of the fine, the DPA also considered that this was by no means the first time that the Tax Administration had violated the GDPR. In 2018, for example, the DPA determined that the Tax Administration did not adequately protect personal data.
And in 2020 the DPA prohibited the Tax Administration from processing personal data on account of the illegal use of the citizen service numbers (BSN) in the VAT identification numbers of self-employed persons. In addition in 2021 the Tax Administration was fined €2.75 million by the DPA, for its discriminatory and unlawful methods in the childcare benefits affair.
As Wolfsen noted: 'The Tax Administration has repeatedly made mistakes, even though it is a government body that bears a major responsibility towards people in the Netherlands. Those people depend on the Tax Administration. You can’t decide to apply for benefits or file your tax return somewhere else. People need to be able to trust the Tax Administration to treat their information with care. The FSV case has revealed once again that the agency was not exercising due diligence.'
Violations by the Tax Administration
The €3.7 million fine comprises multiple fines for 6 violations in total:
- The Tax Administration had no statutory basis for processing personal data in the FSV: €1 million.
- The purpose of the FSV was not specifically described in advance: €750,000.
- The FSV contained incorrect and obsolete information: €750,000.
- This particular data was stored for far too long: €250,000.
- The FSV was not adequately protected: €500,000.
- The Tax Administration waited over a year to ask its internal privacy supervisor for advice about assessing the risks of using the FSV: €450,000.
In February 2020 the Tax Administration shut down the FSV.
What happens next?
WThe Tax Administration can lodge an objection to the fine imposed by the DPA.