Dutch Tax Administration Hit with $3.1 Million GDPR Penalty

The Dutch Tax Administration has been hit with a €2.75 million ($3.1 million) financial penalty for violating the General Data Protection Regulation (GDPR) by unlawfully processing the data of dual nationality Dutch citizens over many years.

The fine was announced by the Dutch Data Protection Authority (DPA), Autoriteit Persoonsgegevens, on December 8, 2021, following an investigation that revealed dual nationality data were being used to make decisions about Dutch citizens when that information had no relevance to the data processing activities being performed. Those activities were being performed without the knowledge of Dutch citizens and infringed on their fundamental rights to equality and non-discrimination.

For years, the Dutch Tax Administration held dual nationality data in a system that was used to combat organized fraud. That system, the Fraud Signaling Facility, used an algorithm to identify individuals who were potentially committing fraud and one of the factors that were considered was whether the individual had dual nationality status. Individuals who applied for childcare allowance who had dual nationality were classed as non-Dutch and were added to a blacklist of potential fraudsters when dual nationality data should not have been used for that purpose. Individuals would be unaware they were on a blacklist and had no way of being removed.

According to the Autoriteit Persoonsgegevens (AP), the Dutch Tax Administration should have deleted the dual nationality data from its systems in January 2014 but failed to do so, even when the GDPR took effect on May 25, 2018. At that point, there were 1.4 million people who were registered as dual nationals in the Tax Authority’s systems, and their dual nationality data were processed as part of the efforts to combat fraud when it was not necessary to use the data for that purpose.

According to a translated post about the decision to issue the fine, the Dutch DPA said, “It is unlawful, and therefore prohibited, to use nationality data to assess applications, combat fraud and determine risk.” The Dutch DPA said the continued use of dual nationality data was discriminatory: whether a Dutch citizen has dual nationality does not matter as far as childcare benefits are concerned, because any individual who is lawfully resident in the Netherlands is entitled to claim childcare benefits if certain conditions are met.

“In a world in which digitalization is advancing rapidly, it’s becoming all the more crucial to protect individuals’ personal data in order to protect other fundamental rights, such as the rights to safety, property, and health. This case shows exactly why: unlawful processing by means of an algorithm led to a violation of the right to equality and non-discrimination,” said DPA chair Aleid Wolfsen. “Digital applications have become indispensable, and they enable us to swiftly process and conveniently combine huge volumes of information. But when it goes wrong, it really goes wrong. And other fundamental rights can be affected too. The implications for individuals can be enormous, as the Childcare Benefits affair has made painfully clear.”

The Dutch Tax Authority stopped using the dual nationality status of applicants for childcare benefits to determine risk in October 2018 and said it has not used the data to combat organized fraud since February 2019. In the summer of 2020, dual nationality data were purged from its systems. The Dutch Tax Authority has the right to object to the financial penalty, although it is currently unclear if an appeal will be filed.

Author: NetSec Editor