By letter of October 29, 2021, my predecessor informed your House of the investigation by the Personal Data Authority (AP) into processing of personal data in the Tax Administration's Fraud Signaling Facility (FSV) (1). Following the investigation report, the AP published the announced enforcement decision (a 'Decision to impose fines') on 12 April. I offer that enforcement decision as an appendix to your Chamber and provide an explanation below. Before addressing the content of the enforcement decision, I briefly summarize the AP's findings.
The AP's October 2021 assessment of FSV's data processing was harsh and is in line with other reports (2). The severity of the findings is reflected in the enforcement decision now announced. I respect this decision and see it as confirmation of the need to improve safeguards around the use of personal data within the Tax Administration.
In summary, the AP concludes that by processing personal data in FSV from Nov. 4, 2013 to Feb. 27, 2020, the Minister of Finance, as data controller of the Tax Administration, violated the principles of lawfulness, purpose limitation, accuracy and storage limitation applicable under the General Data Protection Regulation ("AVG").
In addition to violating the four aforementioned principles, the AP concluded that the Tax Administration did not take sufficient appropriate technical and organizational measures with respect to access security, logging and logging control to ensure an adequate level of security for the personal data in FSV. Finally, the AP concluded that the Tax Administration did not properly and timely involve the Data Protection Officer in the conduct of the Data Protection Impact Assessment (DIA) of FSV.
The AP has the power to impose administrative fines. In the enforcement decision, the AP imposed 6 administrative fines on the data controller - the Minister of Finance - for violations of Articles 5, 6, 32 and 35 of the AVG. Because FSV was an application of the Internal Revenue Service, I have policy responsibility.
Under the law, the AP has policy discretion to determine the amount of fines to be imposed. In determining the amount of the fines, the AP took into account the nature, seriousness and duration of the unlawful processing operations (breaches) (3). The AP considers the breaches particularly serious given the scope and sensitive nature of the personal data, including special personal data.
In determining the level of fines, the AP also took into account previous relevant breaches, such as breaches of Article 13 of the Wbp and Article 32 of the AVG due to logging, control of logging and access security at the Data Foundations & Analytics Department, the use of BSN in the VAT identification number and the unlawful processing of (the dual) nationality of applicants for childcare benefits. This, according to the AP, points to persistent problems of a structural nature, citing examples from the Inland Revenue's investigation (4). According to the AP, this can lead to no other conclusion than that for years the Tax Administration, the official leadership of the department and the minister have (been) guilty of widespread carelessness, negligence, the use of a discriminatory working method and thus improper conduct in the application of statutory data protection rules.
The AP set the total amount of fines imposed at €3,700,000. The AP substantiated the amount of the fine - in brief - as follows:
a fine in the amount of €1,000,000 because there was no legal basis for the processing of personal data in FSV.
a fine in the amount of €750,000, for processing personal data in FSV in violation of the principle of target specification.
a fine in the amount of €750,000 for processing personal data in FSV in violation of the principle of accuracy.
a fine in the amount of €250,000 for processing personal data in FSV in violation of the principle of storage limitation.
a fine in the amount of €500,000 because an insufficiently adequate level of security is ensured for the personal data in FSV.
a fine in the amount of €450,000 because the FG's advice was not sought during the conduct of the GEB.
The AP's judgment regarding FSV is harsh and unmistakable and demonstrates once again that fundamental improvements are needed at the Tax Administration. As my predecessors and I have stated many times before, I share the AP's judgment that FSV should never have been used in this way. I experience the fines imposed as a painful but understandable conclusion given the seriousness of the findings. I will not oppose and comply with the fines.
I view the enforcement decision as confirmation of the need to redesign the data processing in the signals process for supervision to comply with laws and regulations. The processing of personal data in the signals process must fit within the legal bases.
Moreover, the right safeguards around risk selection have not always been central. To put this in order, the Tax and Customs Administration launched various investigations and improvement projects, which were brought together in October 2020 in the Recover, Improve, Safeguard (HVB) program. Your Chamber has been informed about these on a number of occasions (5). You will soon receive the next progress report.
The signals process in which FSV was used was shut down in early 2020. As part of the HVB program, a new process was developed with a supporting temporary signals facility. A GEB has been prepared for this purpose. This has been presented to the FG and also submitted to the AP for prior consultation. Based on the AP's response, the process and GEB will be adjusted as necessary before the signals process resumes.
FSV should never have been used in the way it was. In order to determine the potential impact this had on citizens and businesses registered in FSV, my predecessor commissioned external research. On July 10, 2020, the first phase of this investigation was delivered with KPMG's report (6). For the second phase, a total of five reports by PwC were published on December 3, 2021 and on January 25 and March 29 of this year (7) (8) (9).
On December 6, 2021, your Chamber received the outline of an allowance scheme for undue consequences of FSV registration (10). Now that the impact study is complete, these outlines can be fleshed out. I will involve all findings from the various reports in shaping this. I will do so in consultation with your Chamber and with due regard for the budget rights of parliament. I expect to be able to set out my proposals in more detail in the near future.
To conclude, let me express my regret that the AP had to make this enforcement decision. Citizens have a right to expect the government to handle their data with care. The Tax Department will do everything possible to prevent violations of privacy laws in the future
(1) Parliamentary Papers II 2021/2022, 31 066, no. 911
(2) Parliamentary Papers II 2019/2020, 31 066, no. 681, 2021/2022, 31 066, no. 935, no. 957, no. 992
(3) Fine Policy Rules Personal Data Authority 2019, Stcrt. 2019,14586,14 March 2019
(4) Parliamentary Papers II 2021/22, 31 066, no. 977.
(5) Parliamentary Papers II 2020/2021, 31 066, no. 709, 802, 803, 804, 807, 816, 826, 852, 920
(6) Parliamentary Papers II 2019/2020, 31 066, no. 681
(7) Parliamentary Papers II 2021/2022, 31 066, no. 935
(8) Parliamentary Papers II 2021/2022, 31 066, no. 957
(9) Parliamentary Papers II 2021/2022, 31 066, no. 992
(10) Parliamentary Papers II 2021/2022, 31 066, no. 937
