Tax authorities violated privacy rules with RAM database

Berry SweatsMarch 7, 2025, 2:34 PM CET

Research shows that the Risk Analysis Model (RAM) did not comply with privacy legislation between 1998 and 2018. The database included tax data on citizens and companies for 20 years.The RAM system was born in the late 90s out of a need for practical supervision support. Through this system, employees were able to access data from various sources at once. This was considered necessary at the time because there was a need for such a system that could help combat fraud. But after an investigation that started at the end of 2023, it appears that the tax authorities were violating privacy all this time. The system's growth did not take sufficient account of the applicable guarantees. The investigation shows that RAM did not meet the (legal) requirements applicable at the time in the field of privacy legislation, security regulations and the Archives Act.

Fundamental rights violated?

In a Letter to Parliament states Secretary of State Van Oostenbruggen (Taxation, Tax Administration and Customs) that, given the zeitgeist of that time, he understands how RAM came about. However: “For me, it is certain that the tax authorities should not and should not have used RAM like that. I can't change the past, so I want to focus on what we need to do in the present. This means that I want to be clear whether the use of RAM may have violated fundamental rights at the time due to the use of nationality in the selection.” Van Oostenbruggen wants clarity about these issues by June 2025 at the latest. In addition, he wants the existing laws and regulations to be properly complied with. “That is why the tax authorities are continuing their approach to complying with the GDPR and will continue to support and train employees in the field of data processing and information security.”

Improvements made

The tax authorities switched off the Risk Analysis Model in May 2018, ahead of the entry into force of the AVG, also known as the GDPR. This happened due to a violation of the legislation. Insufficient mitigation measures had been taken. Since 2018, the tax authorities have made several improvements, says Van Oostenbruggen. It is now pre-tested whether selections do not make an unwanted distinction between groups. There is also a team that deals with ethical issues surrounding algorithms, similar to how other government agencies make their algorithms public in a register.

Tags:

algorithms / tax authorities / GDPR / KPMG / Privacy