Once again, the tax authorities have not taken the protection of fundamental rights seriously for years.

• Ans Duthler
• October 29, 2021
• Protecting personal data
• 6 min read

Reason

Today, the Data Protection Authority (AP) published the investigation report on the Tax Administration's Fraud Signaling Facility (FSV). The final conclusion from the report is that the tax authorities should never have processed personal data in the FSV in the way this has happened for years. The tax authorities have acted in violation of the principles of legality, specification of purpose, accuracy and storage limitation. In addition, the tax authorities have taken insufficient technical and organizational measures to properly protect the personal data in FSV. The Data Protection Officer (DPO) is also involved too late in carrying out a Data Protection Impact Assessment (DPIA). An investigation report is always the first formal step in an enforcement process.

AP findings

What is it about? In the period from 4 November 2013 to 27 February 2020, the tax authorities registered, modified, consulted, used, combined and distributed signals of alleged and detected fraud and requests for information in FSV about at least 244,273 people. This includes personal data about health, nationality and criminal personal data. The tax authorities included in FSV mainly persons who had committed fraud and persons suspected of possibly committing tax or tax fraud. Signals came from both outside and within the tax authorities, for example from Report Crime Anonymous reports, tips from citizens and companies, reports from the police and other governments such as municipalities. In addition, the results of the algorithms developed by the tax authorities aimed at detecting fraud with tax returns and payment applications were also included in FSV. The FSV application could be used to assess tax returns and applications for surcharges and was used to register requests for information from other governments. In addition, FSV was consulted as a register in other activities, for example by FIOD employees, in the process of recovering debts and in some models aimed at estimating fraud by entrepreneurs. For individuals, registering in FSV could have major consequences, such as stigmatization, being subject to more intensive supervision by the tax authorities and financial consequences. Concrete examples of this are that people were unable to obtain a mortgage or were wrongly denied benefits. Moreover, people usually did not know that they were registered in FSV — even if they received questions from the tax authorities in response to a signal.

Contrary to the principle of legality

The AP concludes that there was no basis for the processing of personal data in FSV. The tax authorities could not rely on the “legal obligation” basis because there was no obligation to process signals of (possible) fraud and information requests as counter-information. In addition, the tax authorities were unable to base the processing on the basis “necessary for the performance of a task in the public interest”. Primarily because there was no sufficiently precise legal basis that could serve as a legal basis for the processing of personal data in FSV by the tax authorities and secondly because the processing in FSV was not necessary for the performance of the tax authorities's public duty to monitor compliance with the provisions of or under tax and allowance legislation.

Acted in violation of the principle of target specification

The AP notes that from the start, the purpose of the processing in FSV was unclear. What the tax authorities wanted to achieve with FSV was not specifically described in advance, with the result that employees stored all kinds of, sometimes detailed, information about people in FSV and FSV was used differently by the various parts of the tax authorities.

Contrary to the principle of accuracy

The AP notes that FSV contained incorrect and unupdated personal data and that the tax authorities did not take reasonable measures to rectify or delete this personal data. In some cases, a person was labeled “fraudster” without a thorough investigation. And if, after an investigation, it was found that there was no fraud, this was often not noted in FSV, so that the suspicion of fraud remained in FSV.

Acted in violation of the principle of storage limitation

The tax authorities kept personal data in FSV longer than necessary. Because signals from an older application were taken over into FSV and were not deleted once registered, FSV grew over the years into an application with half a million signals from the years 2000-2020, covering at least 244,273 people.

Insufficient appropriate technical and organizational measures taken

The security of personal data in FSV did not meet the security standards that are mandatory for governments on several points. For example, more employees of the tax authorities had access to FSV than necessary for work, and unauthorized employees also had access to personal data because signals from FSV were exported in Excel. The AP also found that the tax authorities improperly reduced access to FSV in May 2019, namely by only changing the internal link to the application. Finally, it was not logged by whom which personal data was viewed, modified and exported.

The DPO involved too late in carrying out a DPIA

FSV's DPIA was carried out in the period from November 6, 2018 to January 21, 2019. The conclusion was that data processing in FSV did not comply with the GDPR and that the risks for those involved that occurred in FSV were such that FSV had to be phased out and replaced with a new application. The DPO was asked to advise on this on February 26, 2020 — in response to press inquiries — more than a year after the DPIA was carried out and even though it was decided to implement the construction of a new application. The tax authorities seriously violated the GDPR on several points. “Many of the core principles of the AVG Privacy Act were seriously violated by the tax authorities. This created a gap in legal protection. Caused by the government, of course!” , according to the chairman of the AP. The tax authorities can now respond to the investigation report, followed by the AP's decision on a possible sanction.

Is the violation of fundamental rights persistent and structural?

The fact that the research report causes a lot of outrage is obvious and understandable just a few hours after it was published. It is disconcerting to read the extent to which the tax authorities have breached the GDPR. The AP's investigation into the processing of data in the Allowance Affair also showed in July 2020 that the tax authorities did not take the protection of fundamental rights seriously for years. Today's investigation report unfortunately shows that violation of the protection of fundamental rights by the tax authorities appears to be persistent and structural.

Questions?

Do you have questions about this blog? Feel free to contact us at +31 (70) 392 22 09 or info@duthler.nl.