On more than 500 occasions, the Internal Revenue Service shared information from the Fraud Alert Facility (FSV) database with third parties. A total of 851 citizens' private data were forwarded as a result. It is possible that this number is still increasing because not all of the tax authorities' mailboxes were investigated.
So writes state secretary for taxation and tax administration Marnix van Rij in a letter (1) to the House of Representatives.
The Fraud Signaling Facility, or FSV for short, functioned for many years as the black book of the Internal Revenue Service. Citizens whom the tax authorities suspected of being guilty of tax fraud entered the FSV by name. Once in the system, it was impossible to get out again. They were stamped "potential fraudster.
More than a quarter of a million Dutch people experienced firsthand what this meant. They were placed under increased supervision, for example. Or they had to pay back (tens of) thousands of euros in previously received benefits. In the worst cases, children were placed outside the home. The Tax Administration was harsh and did not look at the circumstances, no matter how distressing.
In February 2020, then-Secretary of State for Surcharges Alexandra van Huffelen and Secretary of State for Taxation Hans Vijlbrief decided to take the FSV offline. The Autoriteit Persoonsgegevens was tasked with investigating how civil servants handled the privacy (2) of citizens.
The regulator concluded that the Inland Revenue was way out of line (3). To begin with, there was no legal basis, making any processing by the system unlawful. Also, the FSV did not contain up-to-date data and the security of the system was not in order.
Finally, the privacy watchdog said data was kept too long and the Data Protection Officer (FG) of the Ministry of Finance was involved too late in the Data Protection Impact Assessment (DPIA). For all this, the regulator imposed a fine of 3.7 million euros (3).
Aleid Wolfsen, board chairman of the Autoriteit Persoonsgegevens, fiercely lashed out at the tax authorities. "With FSV, the Tax Authority violated the rights of the 270,000 people who were on that list in an unprecedented way. For more than six years. People were often unfairly labeled as fraudsters, with terrible consequences. If you were on FSV, some did not receive payment arrangements or qualify for debt settlement. The IRS turned lives upside down with FSV," Wolfsen said.
The Inland Revenue accepted the fine and did not appeal (4).
With that, the story is not over. Earlier this year, the government asked market researcher PricewaterhouseCooper (PwC) to investigate the sharing of data from FSV systems with third parties. The results of the study are in. With a letter, State Secretary Van Rij informs the House of Representatives of the findings.
The researchers indicate that in 536 cases FSV information was shared with third parties, such as municipalities, the UWV and the police. Four of these emails contained exports of parts of the FSV, sending a total of 11,211 BSN numbers. In the remaining 532 emails, information was shared with third parties. These involved a total of 851 citizens.
The number of those duped may be increasing. PwC investigated 18 mailboxes with the highest risk of FSV data disclosure. The researchers write that about 80 more mailboxes need further investigation. "If the same ratio of mailboxes from which information was shared in the PwC investigation 'data sharing with third parties' is applied to the present investigation, it concerns approximately 4,000 citizens whose information was shared with third parties," Van Rij wrote to the House of Representatives.
The Secretary of State ends his letter by stating that he intends to write to all affected citizens about the consequences of their registration in the FSV. Some 220,000 citizens are affected. It could be quite a while before this letter hits their doormat. "If I wait for the further investigation, informing the 220,000 citizens will be delayed by about 13 weeks and thus they will have to wait longer for clarity."
https://www.tweedekamer.nl/kamerstukken/brieven_regering/detail?id=2022Z16656&did=2022D34983
https://www.vpngids.nl/privacy/
https://www.vpngids.nl/nieuws/ap-legt-belastingdienst-boete-van-3-7-miljoen-euro-op/
https://www.vpngids.nl/nieuws/belastingdienst-gaat-niet-in-beroep-tegen-avg-boete/
