Dutch tax administration receives record €3.7 million fine for unlawful use of blacklists

Merel van Aar & Laurent van der Bruggen

On 7 April 2022, the Dutch Data Protection Authority (DPA) imposed a fine of €3.7 million on the Dutch tax administration for unlawfully maintaining blacklists of possible fraudsters. This is the largest fine the DPA has issued to date.

The DPA's investigation was triggered when Dutch media companies Trouw and RTL Nieuws revealed the existence of blacklists within the tax administration two years ago. Internally, these black lists were called the Fraud Detection Facility (FSV).

The tax administration collected information about citizens that were suspected of committing fraud or similar illegal behaviour. The application was used by the tax administration to assess the tax returns and for the registration of information requests from other government bodies.

Furthermore, the application was used to draft risk models and to determine whether a fine had to be imposed on citizens due to debts relating to taxes or benefits.

Between 2013 and 2020, the tax administration had processed, amended, used and combined the information regarding alleged and established fraud in the FSV and even used this information outside the FSV.

This effectively meant that personal data of approximately 270,000 people, including victims of the childcare benefits affair[1], were shared among other government bodies.

Infringement of principles relating to the processing of personal data

The DPA determined that the Tax administration acted in conflict with four of the principles relating to the processing of personal data under the GDPR.

First, to lawfully process personal data, a valid legal ground for the processing should be provided. The Tax administration incorrectly relied on a legal obligation as legal ground for the processing. According to the DPA, there was no legal obligation to process signals of (possible) fraud and requests for information. The legal ground 'the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller' did not apply either.

Second, the pre-formulated purposes of the processing of personal data in FSV were not well specified. This is not in accordance with the principle of purpose limitation.

Third, the DPA found FSV contained inaccurate and outdated personal data and that the Tax administration failed to take reasonable measures to rectify or delete these personal data. This is not in accordance with the principle of accuracy.

Finally, the data was kept longer than the retention period applicable to personal data in the FSV, violating the principle of storage limitation.

Insufficient security of processing

In addition to the infringement of the four aforementioned standards and their underlying principles, the DPA concluded the Tax administration has not implemented adequate technical and organisational measures for the access security, logging and logging audit to guarantee an appropriate level of security for the personal data in FSV.

The GDPR requires implementation of technical and organisational measures that are in line with the specific nature of data processing activities. Especially in cases where data processing activities involve special categories of personal data, the compliance threshold for technical and organisational measures is higher.

All Dutch government bodies have to use the Baseline Information security policy (previously "BIO" and recently known as "BIR") based on ISO27001 and ISO27002. This policy consists of three different levels of which only the second level is relevant in this regard: BBN2.

According to the DPA, the Tax administration violated the applicable policy as a large group of employees had access, while the policy implies that only a limited group of employees may access such information as long as is necessary to perform their tasks.

Another issue was that the FSV application enabled users to export files to Excel. It was commonly used and even unauthorised employees gained access to the personal data in the FSV application. In addition, the logging feature did not function properly. Therefore, it was unclear what data sets had been exported or altered by (unauthorized) users.

Insufficient involvement of the DPO with execution of DPIA

Lastly, the AP concluded the tax administration did not involve the Data Protection officer (DPO) in a proper and timely manner in the implementation of a Data Protection Impact Assessment (DPIA) regarding FSV.

It is important that a DPO is involved in the early stages of data processing activities. Organisations need to obtain advice from the DPO when performing a DPIA. In this regard, the DPIA performed by the tax administration showed that the FSV application was not compliant and needed to be replaced due to the potential detrimental consequences on data subjects.

To the contrary, the tax administration informed its DPO only after a year had passed and, in the meantime, management decided to develop a new application again without consulting the DPO.

Calculation of the fine

In 2019, the DPA issued its own fining policy rules, which provide an overview of possible violations of the GDPR and the Dutch Implementation Act of the GDPR with a corresponding minimum and maximum fine that can be imposed.

In order to determine the height of the fine, the DPA considered the following circumstances to be relevant: (i) the extensive duration of the violations, (ii) the negative financial impact on data subjects, (iii) the special categories of personal data involved (iv) the fact that government bodies should protect citizens and not breach the regulations that protect those citizens and (v) other fines the tax administration already received from the DPA.

Between 2018 and 2021, the DPA already fined the tax administration multiple times. All violations involved the lack of a lawful ground under the GDPR to process personal data as well as the implementation of insufficient technical and organisational measures.

Main take away

Government bodies as well as companies should ensure that there is a lawful ground for data processing activities performed as well as implementing technical and organisational measures that fit the risks caused for data subjects.

Next to the risk of receiving a fine from the DPA, since the Settling of Large-scale Losses or Damage (Class Actions) Act entered into force in 2020, more and more foundations representing data subject are starting to sue allegedly non-compliant organisations. The sum of compensation awarded to those foundations can be even higher than the fines mentioned in the GDPR. It is plausible that such a foundation will start legal proceedings against the tax administration because of the structural violations of the GDPR over the years. A recent example is the initiation of a class action against the Dutch Joint Health Service due to multiple data breaches.