The Dutch Data Protection Authority (DPA) on Tuesday announced a fine of €2.75 million (U.S. $3.1 million) against the government’s Tax and Customs Administration for violations of the EU’s General Data Protection Regulation (GDPR).

The Tax and Customs Administration, part of the Ministry of Finance, for years “processed the (dual) nationality of applicants for childcare allowance in an unlawful, discriminatory, and therefore improper manner,” the Dutch DPA stated in a translated press release. The government agency should have deleted this data in January 2014 but instead kept and used it. In May 2018, the month the GDPR took effect, the tax authorities’ system still contained the dual nationality information of 1.4 million people, according to the DPA.

Additionally, the DPA stated tax authorities unnecessarily processed the nationality of applicants to combat organized fraud. In a report issued in October (in Dutch), the DPA found tax authorities processed personal data in a fraud management system called the “Fraud Signaling Facility,” which the data regulator said served as a blacklist to identify potential fraudsters. Often, however, the data was inaccurate or out of date.

“More than a quarter of a million people were—often unjustly—on this fraud list for far too long without their knowledge,” said DPA Chairman Aleid Wolfsen in a translated statement on Oct. 29. “As a result, they could not defend themselves and they could not be removed from the list.”

Further, the DPA found tax authorities also unnecessarily processed and “used the nationality of applicants as an indicator (Dutch or not Dutch) in a system that automatically designated certain applications as high-risk.”

Citizens do not have a freedom of choice regarding the processing of their data by the government, Wolfsen said. Rather, they must “blindly trust” the government is handling their data properly and fairly. In this case, tax authorities violated that trust, he said.

Discriminatory processing

The right to childcare allowance is not dependent on nationality, the DPA stated. Under the GDPR, data processing may not infringe fundamental rights.

“By unnecessarily including data about nationality in all kinds of systems, the Tax and Customs Administration acted in a discriminatory way,” the DPA stated.

In this case, the unlawful processing of data using an algorithm went “terribly wrong,” resulting in the violation of citizens’ rights, Wolfsen said. He added the DPA “will continue to warn about the serious dangers of processing personal data with algorithms and AI.”

The Tax and Customs Administration has addressed the violations, according to the DPA. The agency has completely removed the dual nationalities of Dutch people from its internal systems.

Since October 2018, tax authorities have not used the nationality of applicants in the risk system, and since February 2019 they have not used the nationality of applicants to fight fraud.

The Tax and Customs Administration can appeal the fine, which was imposed on the Minister of Finance, who is responsible for the processing of personal data at the agency. The fine notice (in Dutch) addressed to the Minister of Finance is dated Nov. 25.