Minister Dekker for Legal Protection and Minister Grapperhaus of Justice and Security offer the House of Representatives a policy response to the study "Cross-sectoral data sharing between private parties to combat fraud".

During the General Consultation on financial-economic crime on October 4, 2018, we promised your House to commission research into so-called cross-sectoral (cross-industry) data sharing between private parties for the purpose of fraud prevention, into the system that the organization Cifas operates for this purpose in the United Kingdom, and into the possible added value of such a system for fraud prevention in the Dutch situation (1). The main question is how such data sharing relates to the privacy legislation that applies in the Netherlands and in the United Kingdom. Fraud prevention here refers to combating so-called horizontal fraud, i.e. fraud of which citizens and businesses fall victim. Examples include mortgage fraud, insurance fraud and bankruptcy fraud.
We hereby present to you this study, which was conducted by the Considerati firm, and discuss the researchers' findings and conclusions.
We note that the researchers conclude, based on their legal analysis, that the fraud prevention system of Cifas in the United Kingdom (UK), in which cross-sectoral (criminal) personal data are exchanged, cannot be adopted one-to-one in the Netherlands. The main reason is that the grounds for exemption for processing criminal personal data in the UK are set up differently than in the Netherlands. The researchers' analysis confirms our view that, within the Dutch legal framework of the General Data Protection Regulation (AVG) and the General Data Protection Regulation (Implementation) Act (UAVG), cross-sectoral data sharing between private parties is possible with a permit from the Autoriteit Persoonsgegevens. The Autoriteit Persoonsgegevens (AP) tests whether the permit application meets the requirements of the AVG. Only recently, with the adoption of the UAVG, which entered into force on May 25, 2018, did the Dutch legislator choose this path of review and licensing by the AP. In this way, the privacy interests of data subjects are safeguarded. However, this in no way means that a (potential) fraudster can hide behind those privacy rules: cross-sectoral data sharing between private parties is possible with a permit from the Autoriteit Persoonsgegevens. We await the experiences that private organizations gain with their intended cross-sectoral data sharing for the purpose of combating fraud within the current legal privacy framework. Depending on those experiences, new legislation may be considered if necessary.
In their study, the researchers first described the legal framework of the General Data Protection Regulation (AVG), which has been in force in all member states of the European Union since May 25, 2018. They then conducted a legal analysis of the requirements within the Dutch legal system for cross-sectoral data sharing between private parties in the context of fraud prevention, including the situation in which certain public parties would participate in such data sharing. Next, the researchers described the cross-sectoral data sharing system of the organization Cifas in the United Kingdom (UK) and determined the legal basis of this system in the UK. Finally, the researchers examined the extent to which the Cifas system is applicable in the Dutch situation and what possibilities exist in the Netherlands for cross-sectoral data sharing between private parties.
When private (and possibly public) parties share data cross-sectorally for the purpose of combating fraud, personal data are processed. In addition to 'ordinary' personal data, this often involves criminal personal data. Criminal personal data include not only convictions but also any well-founded suspicions. Even where private parties exchange data about crimes that may have been committed, criminal personal data may therefore be involved. This processing is subject to the AVG. Under the AVG, the processing of personal data is only allowed if the processing is lawful: there must be a clearly defined purpose for the processing, a legal basis as referred to in Article 6 AVG and, in the case of criminal personal data, an exception to the general ban on processing such data. If the processing is lawful, it must then meet the requirements of due care, such as taking security measures, data minimization, transparency and data quality.
The AVG and the UAVG offer legal possibilities within the Dutch legal system for cross-sectoral data sharing between private parties for the purpose of fraud prevention. Private parties wishing to share data, or possibly to set up a fraud prevention system, must first of all carefully determine and record the exact purpose of the data sharing before doing so. The legal basis can be found in Article 6(1)(f) AVG: personal data may be processed if this is necessary for the legitimate interests of the controller or of a third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. Three requirements must then be met:
1. The presence of a legitimate interest. According to the researchers, the processing of personal data that is strictly necessary to prevent fraud can be regarded as a legitimate interest, both from the point of view of a legitimate business interest and from that of the public interest.
2. The necessity requirement: the data sharing must be necessary for its intended purpose. This involves an assessment of proportionality and subsidiarity, i.e. whether the purpose of the processing is in reasonable proportion to the intrusion on the privacy of the data subjects, and whether the interest can be served in another way or by less intrusive means.
3. The interests of the controller must outweigh the interests of the (potential) fraudsters: the interests of the data subjects must be weighed against the interests of the organizations in combating fraud. From decisions of the Autoriteit Persoonsgegevens regarding blacklists, the researchers deduce that the impact of the processing on the rights and freedoms of data subjects must be carefully considered. The greater the impact, the more safeguards must be put in place. Among other things, careful thought must be given to how the burden of proof is regulated, to the consultation process (who gets access to the data and in what way) and to the scope of the data sharing, both in terms of the number of participating parties and of the cases that can be submitted.
When combating fraud, criminal personal data are processed. As stated above, such personal data may only be processed if an exception is provided for this purpose. That exception can be found in Article 10 AVG in conjunction with Article 33(4)(c) and (5) UAVG.
Article 33(4)(c) UAVG provides that such processing may only take place if the Autoriteit Persoonsgegevens (AP) has granted a license for it. Article 33(5) UAVG provides that this license may only be granted if the processing is necessary in view of a substantial interest of third parties and if safeguards are put in place in the implementation so that the privacy of the data subject is not disproportionately affected. Conditions may be attached to the license. Private parties that intend to share data cross-sectorally to combat fraud should therefore, as controllers, jointly apply to the AP for a license to that end.
Because the anti-fraud data sharing system of Cifas in the United Kingdom, discussed below, also involves a number of public parties, the researchers investigated whether in the Dutch situation it is possible for public parties to participate in private cross-sectoral data sharing for anti-fraud purposes.
The AVG and the UAVG offer possibilities for this. However, there is no general legal provision allowing public organizations to participate. It must therefore be assessed for each public party whether a task of public interest, or a task in the exercise of public authority, is laid down by law for it. It must then be assessed whether that task extends so far that the public party may provide data to all organizations participating in the cross-sectoral data sharing, or may itself receive data, whether as a participant or otherwise.
The Data Processing by Partnerships Act, currently in preparation, may in the future be able to provide a simpler legal basis for a public-private partnership for the purpose of fighting fraud.
The United Kingdom has a fraud prevention system, initiated by about seven companies and operated by the organization Cifas, which comprises the National Fraud Database and the Internal Fraud Database. About 400 private organizations and some public organizations participate in it and share data for the purpose of fraud prevention.
The legal basis for this data sharing lies in the AVG and in the Data Protection Act 2018, the UK's implementing act for the AVG. The Data Protection Act 2018 contains an exemption from the ban on processing criminal personal data on the basis of which "anti-fraud organizations", such as Cifas, are permitted to process criminal personal data for the purpose of combating fraud. The Serious Crime Act 2007 designated Cifas as such an "anti-fraud organization". Data sharing for anti-fraud purposes in the UK therefore does not require a license from the UK privacy authority.
On the basis of that Serious Crime Act, some public organizations are also participants, or provide data to Cifas without being participants. In addition, criminal personal data, namely the new fraud cases entered in the National Fraud Database, are provided to investigative agencies in an automated manner on a daily basis. This takes place on the basis of Article 6(1)(f) AVG (legitimate interest) and Article 6(1)(e) AVG (task in the public interest). This public interest task is assigned to Cifas in the Data Protection Act 2018.
The safeguards Cifas must put in place to protect the privacy of data subjects are set out by Cifas in eight principles, detailed in a participant handbook.
The researchers conclude that the fraud prevention system of Cifas in the UK cannot be adopted one-to-one in the Netherlands. The main reason is that the grounds for exception for processing criminal personal data in the UK are set up differently than in the Netherlands.
In the UK, the Data Protection Act 2018 contains a specific provision allowing an "anti-fraud organization", such as Cifas and its participants, to process criminal data for the purpose of fraud prevention.
In the Netherlands, under the UAVG and unlike the situation in the UK, organizations intending to share criminal data cross-sectorally for the purpose of combating fraud must apply for a permit from the Autoriteit Persoonsgegevens to do so. The Autoriteit Persoonsgegevens tests, prior to the processing, whether it is in line with the AVG.
As regards the participation of public organizations in the Cifas system, the UK has a legal basis in the Serious Crime Act 2007. In the Netherlands, no such general legal basis exists, and it must be assessed for each public organization whether there is a basis for participation in cross-sectoral data sharing as referred to in Article 6 AVG.
The researchers note that although there is a legal basis in the UK for the set-up of Cifas, and the UK privacy authority (the Information Commissioner's Office, ICO) does not (as yet) see any reason to take enforcement action, this does not mean that the way in which the Cifas system is set up is automatically lawful in the Dutch context as well, or would automatically lead to a permit from the Autoriteit Persoonsgegevens. Although the AVG is a regulation that is the same for all member states of the European Union, it leaves room on a number of points for member states to include specific provisions or make exceptions. For example, member states may include provisions in their national implementing laws on the processing of criminal and special categories of personal data, which may reflect their own political and social considerations.
In addition, the AVG does not contain a specific set of rules but rather principles that must be complied with when processing data. These principles are formulated as open standards and can therefore be fleshed out in different ways. It is up to the supervisory authority of a member state to determine whether these principles have been properly implemented and whether sufficient safeguards are in place to protect personal privacy. The European Data Protection Board (EDPB), in which all supervisory authorities (including the Autoriteit Persoonsgegevens) are united, does provide guidelines on interpretation, but a certain room for interpretation remains for the member states. It may therefore be that certain safeguards are considered adequate in the UK while the Dutch supervisory authority assesses them differently. Whether the Cifas system would also be lawful in the Netherlands will therefore have to be assessed independently by the Dutch supervisory authority.
The researchers conclude that the fact that the Cifas system cannot be adopted one-to-one does not mean that there are no possibilities in the Netherlands for cross-sectoral data exchange between private parties. After all, as described above, parties may jointly apply for a license from the Autoriteit Persoonsgegevens on the basis of the AVG and the UAVG. To that end, those parties must first jointly carry out a so-called DPIA (Data Protection Impact Assessment), in which the risks of the cross-sectoral data sharing for data subjects, and the measures to reduce those risks, are identified. A privacy protocol must also be drawn up jointly.
The researchers further point to the opportunities that the Data Processing by Partnerships Act may provide in the future for data sharing between public and private organizations.
Finally, the researchers point out that if it should eventually become apparent that the possibilities for cross-sectoral data exchange require legal improvement, consideration could be given to amending the UAVG in one of two ways:
either by creating, in addition to Article 33(4)(c) and (5) UAVG, a specific framework for license applications for cross-sectoral data sharing, containing preconditions and safeguards, which would give organizations wishing to apply for such a permit more guidance;
or by including an exemption ground for the processing of criminal data, so that a license from the AP would no longer be required. This would not alter the fact that the AP retains the power to supervise, independently or upon request, at any time.
Horizontal fraud is a social problem that can cause significant financial and emotional damage and undermine the economic and financial system. It is a dynamic phenomenon that has many and changing manifestations and is becoming increasingly digital and international.
In order to combat horizontal fraud effectively, it is very important to (continue to) focus strongly on its prevention and on public-private cooperation in this regard. The focus here is on increasing the resilience and awareness of citizens and businesses so that they do not become victims of fraud, and on the creation of barriers by private and public parties that make it as difficult as possible for the fraudster. Within the integrated approach to fraud, criminal law is used for those cases where it can be most effective.
Addressing horizontal fraud in this way requires data sharing: not only between public parties and between public and private parties, but also between private parties themselves. It may be necessary to share personal data on (potential) fraudsters across the boundaries of different (private) sectors, i.e. cross-sectorally, in order to prevent citizens and companies from becoming victims (again). This may involve the sharing of criminal personal data. At the same time, the right to privacy is a fundamental right within Europe and within the Netherlands. For that reason, the AVG and the UAVG impose strict rules in the Netherlands on the processing of (criminal) personal data, such as data on (potential) fraudsters.
Based on their legal analysis, the researchers conclude that the fraud prevention system of Cifas in the UK, in which cross-sectoral (criminal) personal data are exchanged, cannot be replicated one-to-one in the Netherlands. The main reason is that the grounds for exemption for the processing of criminal personal data in the UK are set up differently than in the Netherlands.
Their analysis also shows that, within the legal framework of the AVG and the UAVG that applies in the Netherlands, cross-sectoral data sharing between private parties is possible, but only with a permit from the Autoriteit Persoonsgegevens. (Private) parties intending to share data with each other must carefully map out which (criminal) personal data they wish to share and for what purpose; they must carry out a data protection impact assessment (DPIA) to properly identify the privacy risks for the data subjects involved in this data sharing and how the safeguards provided for in the AVG can be put in place. A privacy protocol must also be drawn up. The Autoriteit Persoonsgegevens then tests whether the permit application meets the requirements of the AVG.
We note that the Dutch legislator chose this path only recently - the UAVG came into force on May 25, 2018. In this way, i.e. with a reviewing role for the AP as to whether the proposed data sharing complies with the principles and standards of Dutch data protection law, the privacy interests of data subjects are safeguarded. However, this in no way means that a (potential) fraudster can hide behind these privacy rules. Cross-sectoral data sharing between private parties is possible, as the researchers have also pointed out. It is up to the private parties that intend to share data cross-sectorally to prevent fraud to obtain authorization from the AP to do so in accordance with the legal frameworks.
During the consideration of the UAVG bill, the Minister for Legal Protection promised your House that he would explore the possibilities for further modernization and improvement of data protection law immediately after the completion of that bill. In line with this commitment, he also adopted the Koopmans et al. motion, in which the government was requested to take stock of experiences with the UAVG and, if necessary, to take measures in the light of those experiences (2). One of the issues raised in the motion concerns the privacy aspects of the industry-wide creation of blacklists of fraudsters.
In his letter of April 1, 2019 (3), the Minister for Legal Protection indicated that the sharing of so-called blacklists of fraudsters between industries (referred to in this letter as cross-sectoral data sharing between private parties) is possible on the basis of the UAVG. For this, as the researchers also indicate, a permit from the AP is required.
In response to the proposal by VNO-NCW and MKB Nederland, in a letter dated September 19, 2018, to amend the UAVG so that it contains an explicit legal basis for the cross-sectoral sharing of data on fraudsters, the Minister for Legal Protection indicated that experience must first be gained with the way in which data sharing is currently regulated in the UAVG before there can be any reason to consider amending it. He also indicated that he would, together with VNO-NCW and MKB Nederland, enter into discussions with the AP about what the newly applicable application procedure means for new applications for cross-sectoral data sharing about fraudsters. This conversation took place on June 6 of this year. In it, it was confirmed that cross-sectoral exchange of criminal data is possible on the basis of a license to be granted by the AP, provided that the exchange is necessary in view of a compelling interest of certain private parties and that sufficient safeguards are in place to ensure that persons do not wrongly end up on, for example, a blacklist. In the light of the requirements of necessity, subsidiarity and proportionality, the license application must be well-founded, and the safeguards must be stronger the greater the scope of the list and the greater the impact of being placed on it. Against this background, it is conceivable that a license application meeting these requirements could be submitted for the exchange of criminal data for the purpose of tackling, for example, real estate fraud, by parties such as notaries, real estate agents, banks and property owners in addition to those already involved. Such a license application could be based on a model similar to the Financial Institutions Incident Warning System Protocol (Pifi), which is to be updated and which allows data exchange between banks and insurers to monitor the continuity and integrity of these two sectors.
In this way, the conversation clarified for both sides what a license application could serve and what requirements it must meet.
We await the experiences that private organizations gain with their intended cross-sectoral data sharing for the purpose of combating fraud, and any bottlenecks they encounter within the current legal privacy framework. Depending on those experiences, new legislation may be considered if necessary.
Horizontal fraud causes great damage, and preventing it is of great importance. Sharing data on fraudsters between private (and public) parties may be necessary for this purpose. However, this must always be done within the privacy laws applicable in the Netherlands. Whether the current legal framework, which provides the level of protection for data subjects that the legislator considers desirable with a view to combating fraud and the cross-sectoral data sharing required for that purpose, should be modified depends in part on the experiences yet to be gained by the (private) organizations involved. We await those experiences.
(1) Parliamentary Proceedings II 2018/19, no. 210, pp. 19, 20, 27
(2) Parliamentary Papers II 2017/18, 34 851, no. 19
(3) Parliamentary Papers II 2018/19, 32 761, no. 132, p. 9
