The Inland Revenue should never have processed personal data in the Fraud Alert Facility (FSV) - a blacklist - in the way it did for years. Many of the core principles of the privacy law AVG were seriously violated by the Tax Authority. This is according to research presented today by the Autoriteit Persoonsgegevens AP).
AP Chairman Aleid Wolfsen: 'Of course the Tax Authority must tackle fraud. But our investigation shows that the Tax Administration recorded and used fraud signals in a way that is absolutely not permitted. Innocent people were duped as a result.'
The main violation is that there was no legal basis (foundation) for FSV. Without a basis, the processing of personal data is prohibited. Other serious violations include that signals of fraud were kept in FSV for far too long and that in some cases the data was inaccurate and not current.
Wolfsen: "More than a quarter of a million people were - often unjustly - on this fraud list for far too long without knowing it. As a result, they could not defend themselves and could not be removed from the list. This created a gap in legal protection. Caused by the government, no less!
For example, the Internal Revenue Service could consult FSV when reviewing tax returns and applications for benefits and when recovering debts. The list consisted of data on more than a quarter of a million people, including minors. FSV was accessible to thousands of employees from multiple parts of the Tax Administration. The Inland Revenue used the FSV blacklist from late 2013 to early 2020, when the service became discredited following publications about it. FSV's predecessor had existed since 2001.
The blacklist included all kinds of signals of (alleged or proven) fraud, ripe and green, from both inside and outside the Tax Administration. Such as reports to Report Crime Anonymously, reports from citizens and businesses ('clicks') and reports from other government organizations. But sometimes it was also registered if, for example, the municipality had requested someone's income details. This had nothing to do with possible fraud, but the person could still end up on the black list.
The consequences for those on the blacklist were severe. Because they were labeled "potential fraudsters," they faced intensive supervision from the Tax Administration. This meant, for example, that they had to wait a long time for a decision on a requested benefit. And which could have far-reaching financial consequences, such as an unjustly rejected personal payment arrangement.
Any data processing must be lawful. This means that there must be a legal basis for the processing. If there is not, then an organization may not process personal data. In the case of FSV, there was no basis for the processing. As a result, the processing through FSV was unlawful, or against the law and therefore prohibited.
That there must be a legal basis is one of the core principles of the privacy law, the General Data Protection Regulation (AVG). Not only did the Inland Revenue not have a basis for FSV, but the Inland Revenue did not comply with most other core principles of the AVG:
FSV's goal was not specifically defined in advance.
FSV contained inaccurate and non-updated data. Sometimes a person was labeled a fraudster without following thorough investigation. And did investigation reveal that the information was not current or that there was no fraud? Then this was often not noted in FSV. As a result, people remained in the system wrongfully as alleged fraudsters.
Signals were kept far too long.
The Inland Revenue informed the FG (the internal privacy regulator) of the Ministry of Finance of FSV far too late and involved it in the assessment of the privacy aspects of FSV (the so-called DPIA).
FSV security was inadequate. Among other reasons, too many employees had access to the information, signals from FSV could easily be exported to Excel, and edits to personal data in FSV by employees were not logged.
With this fact-finding, the AP has completed the first part of the investigation process. The next step is for the AP to assess whether to impose a sanction on the Tax Administration, such as a fine. But first, the Finance Minister has the right to officially respond to the investigation.
Download the research report here.
