Risk Model (RAM): a serious violation of fundamental rights, according to the AP
November 2025
Unmasking the Risk Analysis Model (RAM): Legal Analysis, Political Accountability and the Systemic Challenges to Government Data Governance
This text analyses the political and legal settlement of the scandal surrounding the Risk Analysis Model (RAM) of the Dutch tax authorities in 2025. The core problem was that RAM, a fraud detection system that was operational for twenty years, structurally violated the law, including privacy legislation and the Archives Act. Secretary of State Van Oostenbrugge acknowledged this failure, which was confirmed by a KPMG report and the Data Protection Authority (AP); in particular, the discriminatory processing based on nationality is considered a serious violation of fundamental rights. The House of Representatives responded by adopting the Van Vroonhoven and Inge van Dijk motion, which required a comprehensive audit of similar risk selection systems at the tax authorities, Customs and the UWV, turning the issue from an incident into a systemic crisis in the government's data governance.
I. The Political Reason: The Letter to Parliament from Secretary of State Van Oostenbrugge (March 2025)
The political handling of the tax authorities' Risk Analysis Model (RAM) scandal culminated in 2025, with Secretary of State Tjebbe van Oostenbrugge (Taxation, Tax Administration and Customs) as the administrator responsible for accountability to the House of Representatives. [1, 2] Van Oostenbrugge, who had accepted this portfolio in November 2024 [3], was confronted with the results of an external investigation into the use of the 20-year-old fraud system.
I.A. The Context and Role of the Administrator
The core of the parliamentary discussion was the Letter to Parliament that the Secretary of State sent to the House of Representatives on March 6, 2025 (Parliamentary Paper 31066, No. 1465). [2, 4] With this document, Van Oostenbrugge shared the results of the investigation carried out by accounting firm KPMG, which was launched after NRC reported on the controversial system in 2023. [1] This external audit process was politically necessary; it illustrates that internal control mechanisms within the tax authorities had structural deficiencies, making the finding of the truth dependent on independent external parties. The delay to 2025 in the formal recognition of violations of the law highlights deep-seated problems in the Service's internal legal compliance and risk management.
The official conclusion in the letter was clear: the Secretary of State found that the use of RAM “did not meet the (legal) requirements applicable at the time in terms of privacy legislation, security regulations and the Archives Act”. [4] This was an admission of a triple failure, which violated not only the protection of personal data but also basic administrative and technical security standards. [1]
I.B. Regrets and Political Necessity
In the letter, Van Oostenbrugge acknowledged that the tax authorities “should not and should not have used RAM” and expressed regret (“I regret that”). [1, 4] This apology at the highest political level was essential to restore public trust, given the scale and length of the violations—after all, the system had been operational for 20 years, analyzing data from 69 different source systems. [1]
The political consideration behind this recognition reflects the need to recognize the constitutional damage. The recognition of violations of both the Personal Data Protection Act (Wbp) and the Archives Act establishes the tax authorities as an institution with deep-rooted, multi-dimensional compliance issues. The government needed to determine why a system that apparently already violated the Wbp (the precursor to the GDPR) was able to function undisturbed for so long, and why it was only the approach of the General Data Protection Regulation (GDPR) that led to the system being disabled. [4] This indicates a defensive response to inevitable legal review, rather than proactive compliance with the rule of law.
II. The Risk Analysis Model (RAM): Operationality and Legal Violations
The Risk Analysis Model was the central data infrastructure for fraud detection at the tax authorities for two decades. The analysis of RAM functionality and deployment reveals an institutional pattern of data processing that prioritized efficiency over lawfulness.
II.A. Origin, Duration and Objective
RAM was built in 1998 and remained in use until May 25, 2018. [1, 5] The system's primary function was to collect and analyse data from various sources to detect possible fraud. [1] The scope of data collection was enormous: a total of 69 internal and external source systems were incorporated into RAM. [1] This included a broad spectrum of information, including financial data, citizen and business assets, but also more sensitive information such as nationalities and “tax criminal data”. [1]
RAM was used “intensively”, with 20,000 “selections” of data about citizens or companies being made in the year prior to the shutdown. [1] The application was used in many dozens of fraud detection projects, but also for mapping taxpayers abroad and carrying out “tactical explorations” of entrepreneurs. [6] The extensive use of the system led to the dissemination of the analyzed data: the research later found 1170 spreadsheets in the tax authorities' systems that came from RAM. [1]
II.B. Legal Review: WPR, Wbp and the Flight from the GDPR (AVG)
The tax authorities shut down RAM in May 2018, just before the General Data Protection Regulation (GDPR) came into force. [1, 4] This was due to a violation of this legislation and insufficient mitigation measures. [4] The timing of this shutdown suggests that the Service was unable or unwilling to meet the compliance requirements of the stricter, new European privacy legislation.
The crucial legal finding, however, is that RAM not only violated the impending GDPR, but also the older legislation that applied during the operational period. The tax authorities violated the Personal Data Protection Act (Wbp, valid from 2001) and the Personal Records Act (WPR, applicable before), both of which set standards for the careful handling of personal data. [1, 5] This confirms a structural failure of rule of law compliance for years.
An important connection in this file is the fact that the KPMG report found that data from the Fraud Signaling Facility (FSV) — another system that was later shut down for violating the GDPR and that led to known systemic errors and disadvantages for citizens [7] — was also included in RAM. [1] This indicates illegal data exchange between various unlawful risk selection systems. This interplay of abusive systems, often driven by “felt social and political pressure” to combat fraud [8], confirms that the executive branch translated the desire to combat fraud into legally unsustainable solutions, structurally ignoring legal compliance. The shutdown in May 2018 was not a proactive recovery, but a defensive step to avoid an inevitable legal confrontation with the GDPR.
III. Key Legal Conclusions: Failures in Privacy, Safety and Supervision
RAM's legal audit, confirmed by both KPMG and the Data Protection Authority (AP), points to a complex and serious failure in the tax authorities' data governance. The AP concluded four main points about RAM usage until May 25, 2018. [5, 9]
III.A. The Four Main Conclusions of the AP and KPMG
1. PERSONAL DATA, SUCH AS CRIMINAL OFFENCES, PROCESSED UNLAWFULLY
The first main conclusion concerned the unlawful processing of personal data. This included not only ordinary data, but also special categories of personal data and data concerning criminal convictions and offences. [5] Processing such sensitive data is strictly prohibited under privacy laws, unless there are explicit and compelling legal exceptions.
2. AP CONCLUDES DISCRIMINATORY PROCESSING WITHOUT JUSTIFICATION
Second, the AP concluded that there was discriminatory processing. A distinction was made between persons, specifically on the basis of nationality, without the existence of objective and legally sustainable justifications. [5, 9] This is a direct violation of fundamental principles of equality.
3. RAM IS NOT SECURE ENOUGH: SENSITIVE DATA WAS USED UNLAWFULLY
The third finding concerned the insufficient security of the system. No appropriate technical and organizational (T&O) measures were taken. Data could be exported freely and insecurely from RAM, as the discovery of 1170 uncontrolled spreadsheets proved. [1, 5] This serious security flaw exposed citizens' sensitive data to unauthorized use and data breaches.
4. THE TAX AUTHORITIES WITHDREW FROM SUPERVISION BY NOT MAKING LEGALLY REQUIRED REPORTS TO THE AP
Finally, it turned out that the tax authorities had evaded supervision for years by not making the legally required notifications of data processing to the AP. [5, 9]
III.B. The Crisis in Archiving and Liability
The compliance failure was so profound that the use of RAM also violated the Archives Act. [4] This is a critical offence because it hampers the traceability and auditability of government actions. The consequences of this were immediately revealed during the investigation: because much information about RAM was no longer available, the AP was unable to conduct an additional investigation. [5, 9] This administrative failure effectively created a legal blind spot, making the degree of government liability and the extent of the damage more difficult to determine.
The long-term negligence in reporting to the AP created a legal environment in which the tax authorities could operate undisturbed. This governance failure—where the executive agency ignored supervision—underlines a structural problem in relationships within the rule of law. The combination of unsecured data export, the unfindability of information, and the violation of the Archives Act is symptomatic of a serious dysfunction in data management, which greatly complicates future recovery operations and the determination of individual liability. The Secretary of State has therefore promised the House that the tax authorities would draw up a plan to actively search all files for remaining, unidentified RAM spreadsheets, in order to secure them and make them inaccessible. [8]
IV. Discrimination and Fundamental Rights: The Political Succession to the Nationality Principle
The RAM file goes to the heart of the Dutch rule of law by establishing discriminatory processing. This aspect elevates the scandal above a mere technical or privacy-related issue.
IV.A. The Highest Legal Threshold
The most profound conclusion of the AP and the KPMG report was the observation that RAM made a distinction based on nationality and thus led to “discriminatory processing”. [5, 9] This directly affects Article 1 of the Constitution.
Due to the constitutional sensitivity of this finding, Secretary of State Van Oostenbrugge announced that further research would be carried out to clarify whether the use of nationality in the selection may have violated fundamental rights at the time. [2] The administrator promised to clarify this to the House of Representatives by June 2025 at the latest. [2] This investigation is crucial, because if fundamental rights have actually been violated, the legal basis for claims for damages and political liability is significantly greater than if they have not been. The political need to specifically investigate this, even years after the system was shut down, is a direct reflection of the House of Representatives' renewed emphasis on protecting the Constitution after previous affairs.
IV.B. The Parallels with Systemic Injustice
In the Written Consultation of the Standing Committee on Finance of May 2025, after receiving the letter to Parliament, the members of the House of Representatives explicitly made the link between the findings about RAM and the structural patterns that led to the report “Unprecedented Injustice” (the Allowance Affair). The House asked the Secretary of State whether the political system is sufficiently resistant to similar patterns of “data hunger”. [8]
This parliamentary response confirms that RAM is seen as part of a wider, systemic government failure that focused on ethnic profiling and improper risk selection. The FSV connection reinforces this image. After all, RAM absorbed data from the FSV [1], a system that itself was used unlawfully, violated privacy rules, and unlawfully led to additional controls and financial disadvantages for citizens. [7] This suggests that the tax authorities had created a structural infrastructure for risk selection on questionable grounds. Confirming fundamental rights violations through the use of nationality would definitively determine the constitutional damage and pave the way for a more extensive recovery process.
V. Parliamentary Debate: Debate, Written Consultation and Motions
After presenting the research results in March 2025, the House of Representatives intensified control over the tax authorities and forced the government to carry out a far-reaching systemic audit. The results are expected in December 2025.
V.A. The Parliamentary Discussion After the Letter to Parliament
An important aspect of political accountability was the duty of transparency. At the request of Member of Parliament Omtzigt (based on Article 68 of the Constitution), the Secretary of State provided all memos about RAM that had reached the top of the tax authorities (from scale 16) and/or the political top since 2015. [4, 10] This was intended to gain insight into the extent to which politicians and the administrative top were aware of the irregularities.
The Written Consultation that followed the Letter to Parliament (adopted on May 26, 2025) confirmed that the House shared the Secretary of State's analysis that RAM should never have been used. [8] The parliamentary groups, including GroenLinks-PvdA, focused their questions on cultural and policy causes, such as the “felt social and political pressure” that drove the Service to this “data hunger”. [8] The House asked the fundamental question whether the political order can provide sufficient guarantees that such patterns will not recur. [8]
V.B. The Passed Motion on Systemic Compliance
A crucial moment was the adoption of the Van Vroonhoven and Inge van Dijk motion (Parliamentary Paper 31066-1469) on March 27, 2025. [11] This motion transformed the RAM case from an isolated incident to a structural systemic crisis. The motion found that several systems at the tax authorities, the Department of Surcharges and Customs were similar to the unlawfully used RAM. [11]
The adopted motion required the government to carry out a far-reaching audit:
1. Investigate whether the UWV (which also has large amounts of sensitive personal data and makes drastic decisions) uses algorithms or systems that are similar to RAM. [11]
2. Assess all comparable systems at the tax authorities, surcharges, customs, and the UWV for legality by the summer at the latest. [11]
3. Record the algorithms involved in the algorithm register. [11]
This motion is a clear political signal that the legislature no longer sees failure as a technical problem at a single agency, but as a broad, interdepartmental risk in the Dutch government's data governance. The extension to the UWV proves the suspicion that the patterns of insufficient security, lack of supervision and potentially discriminatory selection occur at several vital implementing agencies. The Secretary of State has now forwarded the request for an investigation at the UWV to the Minister of Social Affairs and Employment. [8]
V.C. Consequences for the Recovery Process
A fundamental request in the motion was the obligation to inform affected citizens if their data has been processed unlawfully in the past six years, in accordance with the GDPR. [11] The Secretary of State's response to this point was revealing: he stated that informing citizens, depending on the definition of “unlawful processing,” could concern a “large proportion of taxpayers”. [8] This statement confirms the potential massiveness of the legal violations. The administrative and financial implications of this recovery obligation are significant and require a clear legal definition of wrongfulness in the context of the transition from the Wbp to the GDPR.
The table below provides an overview of the crucial moments in RAM's history and the political handling by Secretary of State Van Oostenbrugge in 2025.
Table II.A: RAM System and Political/Legal Handling Timeline (Level of Detail)

| Date | Event/Actor | Involved Party | Significance |
| --- | --- | --- | --- |
| 1998 | RAM made operational. | Tax authorities | Start of the period of unlawful use under WPR. |
| May 2018 | RAM disabled. | Tax authorities | Preventive action ahead of the entry into force of the GDPR (AVG). [4] |
| 2023 | Cabinet starts external investigation. | Cabinet (following NRC reporting) | Recognition of the need for an independent audit. [1] |
| Feb 2025 | KPMG Report completed. | KPMG Accountants N.V. | Formal finding of violation of the Wbp, Archives Act, and security regulations. [1, 4] |
| March 6, 2025 | Letter to Parliament sent (31066, No. 1465). | State Secretary Van Oostenbrugge | Official policy response, apology, and handover of Omtzigt memos. [2, 4] |
| March 27, 2025 | Van Vroonhoven/Inge van Dijk motion passed. | House of Representatives | Expansion of research obligations to RAM-like systems, including at the UWV; duty to provide citizen information. [11] |
| May 2025 | Written Consultation adopted (31066, No. 1505). | House of Representatives/Standing Committee on Finance | Political focus on structural resistance of the system to data hunger. [8] |
| June 2025 (Deadline) | Clarity about violations of fundamental rights due to nationality. | State Secretary Van Oostenbrugge | Handling the most constitutionally sensitive question. [2] |
VI. Systemic Risks and the Need for Recovery (Data Governance)
The failure of RAM is a symptom of deeper systemic problems in government IT and data governance. The political process and ongoing investigations are now focused on controlling the legacy of RAM and making up for the backlog in digital rule of law.
VI.A. The Legacy of RAM in Comparable Systems
KPMG's external investigation also included a “review of systems similar to RAM” to assess the extent to which other systems used by the tax authorities, surcharges and customs complied with the Integral Security Reference Architecture (RIB). [2, 12]
This report showed that the problem extends across the entire financial chain of the Ministry of Finance. Customs appeared to have at least one system in use that met the RAM criteria, namely a system for selecting goods declarations from entrepreneurs. [2] The House of Representatives motion now requires an accelerated and complete assessment of the legality of all these systems. [11] The extension of the audit to the UWV is an acknowledgment that the “RAM risk” is not limited to the Financial Domain, but is a broad risk for all implementing agencies that work with sensitive data.
VI.B. The Recovery Process and the GDPR Backlog
The Secretary of State acknowledged that the tax authorities were too late in complying with the GDPR in 2018 and that the Service is still making up for this backlog. [2, 8] This ongoing compliance shortage creates ongoing legal risks to the legality of current processes.
A major operational challenge is the remediation of the data landscape. The need to actively search for RAM spreadsheets that did not appear in the KPMG study [8] shows that the tax authorities are struggling with an uncontrolled shadow IT infrastructure. As long as unsecured, illegal copies of RAM data circulate in the form of spreadsheets, the tax authorities cannot guarantee that the violations have stopped. It is a serious operational security risk and a source of legal non-compliance with both the Archives Act and the GDPR. The success of the recovery depends on the effectiveness of the plan to search all data within the Service for these files. [8]
For the recovery process for citizens, the adopted motion requires determining the legal definition of “unlawful processing” over the past six years. [8, 11] The experience with FSV processing (where registrants were informed and received financial compensation if they were disadvantaged, for example in the form of additional checks [7]) serves as a guide here. However, this recovery needs to be addressed on a much larger scale, given the potential scale of the unlawful processing.
VII. Conclusions and Recommendations for Future Data Governance
The analysis of the Risk Analysis Model, as published by Secretary of State Tjebbe van Oostenbrugge in 2025, confirms a profound institutional failure that has endangered the safeguarding of rule of law principles and fundamental rights within the digital operations of the Dutch government. The RAM case is not an incident, but a mirror of the structural shortcomings previously identified in the Allowance Affair.
VII.A. Synthesis of the Structural Deficiencies
1. Prioritizing Efficiency over Legality: The fact that RAM was able to operate in violation of the law for twenty years, under the applicable WPR and Wbp, and was only discontinued due to the impending GDPR indicates an ingrained culture where combating fraud (efficiency) was systematically placed above legal compliance (lawfulness).
2. Defective Supervision Mechanism and Archival Obligation: Years of ignoring the reporting obligation to the AP and the violation of the Archives Act created a legal blind spot and made it difficult to determine the full extent of the errors. This structural failure in governance and archiving has stood in the way of government liability.
3. Violation of fundamental rights as a risk: The explicit finding that RAM led to discriminatory processing based on nationality brings the issue to the level of constitutional liability. This requires a clear political and legal approach to the possible violation of Article 1 of the Constitution.
VII.B. Recommendations for a Robust Data Governance Framework
In order to prevent the recurrence of the RAM problem and systemic risks at other implementing agencies, structural reforms in data governance are necessary, building on the political tasks of the House of Representatives:
1. Compulsory Constitutional and Legal Impact Assessment (C-IA/J-IA): All algorithms and risk and selection systems that are similar to RAM, as well as new systems, should be subject to mandatory, independent review of fundamental law principles (equality, proportionality) and full legal compliance. This review should take place prior to implementation and must be carried out by a central, legally independent entity.
2. Integration and Enhancement of Supervision by the Data Protection Authority (AP): In order to prevent a recurrence of the evasion of the reporting obligation, the AP should be involved early, structurally and on a mandatory basis in the architecture and operational design of risk selection systems. This ensures that the supervisor can no longer be circumvented by the executive branch.
3. Full and Rapid Implementation of Parliamentary Mandates: The government must implement the adopted Motion 31066-1469 in its entirety and within the specified time limits. This includes assessing the legality of all RAM-like systems at the Tax Administration, Surcharges, Customs, and the UWV. In addition, the government must present a proactive and clear plan to inform all affected citizens, whose data has been unlawfully processed in the past six years, and to set up an accessible recovery process.
4. Remediation and Anchoring of Archive and Security Protocols: Actively sanitizing and securing the remaining, uncontrolled RAM spreadsheets is an essential operational priority to prevent further data breaches and unauthorised use. This should be followed by a review of the T&O measures to permanently prohibit uncontrolled data exports (such as via spreadsheets) and to embed compliance with the Archives Act digitally and in an audit-proof manner in the IT architecture.
--------------------------------------------------------------------------------
1. Tax Administration violated privacy law with Risk Analysis Model... , https://tweakers.net/nieuws/232636/belastingdienst-schond-privacywet-met-risico-analyse-model-database.html
2. RAM investigation sent to the House of Representatives | News item | Rijksoverheid.nl, https://www.rijksoverheid.nl/actueel/nieuws/2025/03/06/onderzoek-ram-aan-tweede-kamer-verzonden
3. Tjebbe van Oostenbrugge becomes State Secretary for Finance - Dutch IT Channel, https://www.dutchitchannel.nl/news/514627/tjebbe-van-oostenbrugge-wordt-staatssecretaris-van-financi%C3%ABn
4. Government letter: External research results Risk Analysis Model (RAM) - House of Representatives, https://www.tweedekamer.nl/kamerstukken/brieven_regering/detail?id=2025Z04110&did=2025D09393
5. Letter from the Dutch Data Protection Authority - Investigation into RAM and the “systems similar to RAM”, https://zoek.officielebekendmakingen.nl/blg-1207951.pdf
6. Data Protection Authority investigates tax authorities over RAM database, https://www.security.nl/posting/816910/Autoriteit+Persoonsgegevens+onderzoekt+Belastingdienst+wegens+RAM-database
7. The Fraud Signaling Provision System (FSV) - Tax Administration, https://www.belastingdienst.nl/wps/wcm/connect/nl/contact/content/het-systeem-fraude-signalering-voorziening-fsv
8. Report of a written consultation on External Research Outcomes Risk Analysis Model (RAM) (Parliamentary Paper 31066-1465) - House of Representatives, https://www.tweedekamer.nl/kamerstukken/detail?id=2025Z10527&did=2025D24068
9. AP: Tax authorities must stop systems with privacy risks... , https://www.autoriteitpersoonsgegevens.nl/actueel/ap-belastingdienst-moet-systemen-met-privacyrisicos-stopzetten
10. Letter to Parliament: External Research Results | Risk Analysis Model | Parliamentary Paper - National Government, https://www.rijksoverheid.nl/documenten/kamerstukken/2025/03/06/kamerbrief-beleidsreactie-uitkomsten-extern-onderzoek-ram
11. Motion by members Van Vroonhoven and Inge van Dijk on research into algorithms and data systems that are similar to RAM - House of Representatives, https://www.tweedekamer.nl/kamerstukken/detail?id=2025Z05849&did=2025D13345
12. Review systems similar to RAM | Report | Rijksoverheid.nl, https://www.rijksoverheid.nl/documenten/rapporten/2025/03/06/bijlage-3-eerste-analyse-ram-achtigen