The Dutch Data Protection Authority has imposed a €2.75 million (USD 3.1 million) financial penalty on the Dutch Tax Administration for the unlawful processing of the personal data of Dutch citizens with dual nationality, which violated the EU’s General Data Protection Regulation (GDPR).
One of the roles of the Dutch Tax Administration is to combat organized fraud, but those activities violated individuals’ fundamental rights to equality and non-discrimination. The Dutch Tax Administration used a fraud management system, the Fraud Signaling Facility, which had an algorithm that assessed risk in relation to childcare benefit applications. The system included the dual nationality data of Dutch citizens who were legal residents of the Netherlands, and that data was used to determine risk. Any individual with dual nationality status who applied for childcare benefits was marked as high risk of fraudulent claims and was essentially added to a blacklist.
Dutch citizens were not aware that their dual nationality status was used to make decisions about them, nor that they had been added to the blacklist. They also had no way of removing themselves from that list. The Dutch DPA said the use of dual nationality data was not necessary for assessing risk and should not have played any part in an assessment of a childcare benefits application, as individuals with dual nationality are eligible to make claims.
The offenses predate the introduction to the GDPR and span several years. The Dutch DPA said the Dutch Tax Administration should have deleted the dual nationality data from its systems in January 2014 yet continued to use the information to assess risk. In May 2018, when the GDPR took effect, dual nationality data was still being stored in the Dutch Tax Administration’s systems and was being unlawfully used. At the time the GDPR took effect, 1.4 million individuals were registered in its systems as dual nationals and their data was used in a discriminatory manner.
The Dutch Tax Administration stopped using dual nationality data to assess risk in October 2018, and its Fraud Signaling Facility was decommissioned in February 2019. In the summer of 2020, dual nationality data was purged from its systems.
“The government has exclusive responsibility for lots of things. Members of the public don’t have a choice; they are forced to allow the government to process their personal data,’ said DPA chair Aleid Wolfsen. “That’s why it’s crucial that everyone can have absolute confidence that this processing is done properly. That the government doesn’t keep and process unnecessary data about individuals. And that there is never any element of discrimination involved in an individual’s contact with the government.”