The Personal Data Authority's findings on the Fraud Alert Facility (FSV) are "harsh and unmistakable." They show that thorough and profound changes are needed at the Tax Administration. The tax authority will therefore not appeal the fine.
So writes state secretary for taxation and tax administration Marnix van Rij in a letter to the House of Representatives.
These violations the taxman committed with the FSV
Between November 4, 2013 and February 27, 2020, the Tax Authority unlawfully collected and processed personal data in the FSV systems. That was the main conclusion of the Personal Data Authority, which turned the FSV inside out. According to the regulator, there was no legal basis for this data processing, as required by the General Data Protection Regulation (AVG). The FSV also contained inaccurate and non-updated data. As a result, people were unfairly labeled as fraudsters.
Furthermore, FSV security was not in order, allowing thousands of Tax Administration employees to access data in the systems. Finally, data were kept too long and the Data Protection Officer (FG) of the Ministry of Finance was involved too late in the data protection impact assessment (GEB or DPIA) of the system.
The Personal Data Authority therefore handed out a fine of 3.7 million euros to the Tax Authority on Tuesday. It is the highest fine ever handed out by the regulator to date. And it was not for nothing.
Aleid Wolfsen, board chairman of the Personal Data Authority, was snarky in his assessment. "With FSV, the Tax Authority violated the rights of the 270,000 people who were on that list in an unprecedented way. For more than six years. People were often unfairly labeled as fraudsters, with terrible consequences. If you were on FSV, some did not receive payment arrangements or qualify for debt settlement. The IRS turned lives upside down with FSV," Wolfsen said.
The Inland Revenue was allowed to appeal the regulator's ruling. The tax authority will not do so, State Secretary Van Rij announced. In a letter to the Lower House, the minister writes that the opinion of the Personal Data Authority is "harsh and unmistakable." According to him, it simultaneously shows that "fundamental improvements" are needed at the Tax Authority.
"As my predecessors and I have stated many times before, I share the AP's assessment that FSV should never have been deployed in this manner. I experience the fines imposed as a painful but understandable inference given the seriousness of the findings," the state secretary said. For that reason, he does not oppose the fine and will pay it.
"I view the enforcement decision as confirmation of the need to redesign the data processing in the signals process for supervision to comply with laws and regulations. The processing of personal data in the signals process must fit within the legal bases."
The secretary of state acknowledges that risk selection has not always been central to the FSV. This allowed citizens to be discriminated against based on nationality and donation behavior. To bring this to ear, the Tax Office launched several investigations and improvement projects. Van Rij will soon send a progress report on these to the House of Representatives.
The FSV was shut down in early 2020. In the meantime, a temporary signals facility was developed. For this purpose, a GEB was prepared and presented to the Data Protection Officer of the Ministry of Finance and Personal Data Authority. Based on the regulator's response, the process and GEB will be adjusted if necessary.
Secretary of State Van Rij draws the fine line. "FSV should never have been used in the way it was," he says. He then promises improvement. "To conclude, I want to express my regret that the AP had to take this enforcement decision. Citizens have a right to expect the government to handle their data with care. The Tax Administration will do everything possible to prevent violations of privacy laws in the future," Van Rij said.
