Dutch DPA fines government tax authority $3.1M under GDPR

By Jaclyn Jaeger2021-12-09T17:57:00+00:00

No comments

The Dutch Data Protection Authority (DPA) on Tuesday announced a fine of €2.75 million (U.S. $3.1 million) against the government’s Tax and Customs Administration for violations of the EU’s General Data Protection Regulation (GDPR).

The Tax and Customs Administration, part of the Ministry of Finance, for years “processed the (dual) nationality of applicants for childcare allowance in an unlawful, discriminatory, and therefore improper manner,” the Dutch DPA stated in a translated press release. The government agency should have deleted this data in January 2014 but instead kept and used it. In May 2018, the month the GDPR took effect, the tax authorities’ system still contained the dual nationality information of 1.4 million people, according to the DPA.

Additionally, the DPA stated tax authorities unnecessarily processed the nationality of applicants to combat organized fraud. In a report issued in October (in Dutch), the DPA found tax authorities processed personal data in a fraud management system called the “Fraud Signaling Facility,” which the data regulator said served as a blacklist to identify potential fraudsters. Often, however, the data was inaccurate or out of date.

“More than a quarter of a million people were—often unjustly—on this fraud list for far too long without their knowledge,” said DPA Chairman Aleid Wolfsen in a translated statement on Oct. 29. “As a result, they could not defend themselves and they could not be removed from the list.”

Further, the DPA found tax authorities also unnecessarily processed and “used the nationality of applicants as an indicator (Dutch or not Dutch) in a system that automatically designated certain applications as high-risk.”

Citizens do not have a freedom of choice regarding the processing of their data by the government, Wolfsen said. Rather, they must “blindly trust” the government is handling their data properly and fairly. In this case, tax authorities violated that trust, he said.

Discriminatory processing

The right to childcare allowance is not dependent on nationality, the DPA stated. Under the GDPR, data processing may not infringe fundamental rights.

“By unnecessarily including data about nationality in all kinds of systems, the Tax and Customs Administration acted in a discriminatory way,” the DPA stated.

In this case, the unlawful processing of data using an algorithm went “terribly wrong,” resulting in the violation of citizens’ rights, Wolfsen said. He added the DPA “will continue to warn about the serious dangers of processing personal data with algorithms and AI.”

The Tax and Customs Administration has addressed the violations, according to the DPA. The agency completely removed from its internal systems the dual nationalities of Dutch people.

Since October 2018, tax authorities no longer use the nationality of applicants in the risk system, and since February 2019, no longer use the nationality of applicants to fight fraud.

The Tax and Customs Administration can appeal the fine, which was imposed on the Minister of Finance, who is responsible for the processing of personal data at the agency. The fine notice (in Dutch) addressed to the Minister of Finance is dated Nov. 25.

Jaclyn JaegerJaclyn Jaeger is a freelance contributor to Compliance Week after working for the company for 15 years. She writes on a wide variety of topics, including ethics and compliance, risk management, legal, enforcement, technology, and more.View full Profile

Topics

No comments

Interested in writing for CW?

Compliance Week accepts outside contributions from corporate chief compliance officers and other senior-level GRC practitioners. To learn more, contact Editor in Chief Kyle Brasseur.

Article
GDPR fines worth appealing? Factors to consider

2021-08-19T13:03:00Z By Neil Hodge

Experts weigh in on the results of a report from the European Data Protection Board showing which countries have seen the most GDPR fines annulled or modified following court appeal.
Article
TikTok fined $883K under GDPR for children’s privacy violations

2021-07-23T18:25:00Z By Neil Hodge

The Dutch Data Protection Authority imposed a €750,000 (U.S. $883,000) fine on TikTok for violating the privacy of young children following a wide-scale investigation launched last year.
Article
Booking.com fined $557K under GDPR for reporting data breach late

2021-04-01T20:55:00Z By Neil Hodge

Online reservation Website Booking.com has been fined €475,000 (U.S. $557,000) by the Dutch Data Protection Authority for reporting a data breach 22 days later than the 72 hours required under the GDPR.

No comments yet

You're not signed in.

Only registered users can comment on this article.

More from Regulatory Enforcement

News Brief
Maxim Group fined $800K by SEC over SARs filing lapses

2023-10-02T19:42:00Z By Kyle Brasseur

New York-based broker-dealer Maxim Group agreed to pay an $800,000 fine in settling with the Securities and Exchange Commission regarding the firm’s alleged failures to file required suspicious activity reports and properly execute certain short sales.
News Brief
Goldman, JPMorgan, Bank of America caught in CFTC swap reporting sweep

2023-10-02T17:53:00Z By Kyle Brasseur

Goldman Sachs, JPMorgan Chase, and Bank of America agreed to pay penalties totaling $53 million across settlements with the Commodity Futures Trading Commission addressing alleged swap reporting failures among their respective affiliates.
News Brief
DOJ orders Cigna to pay $172M over false claims to Medicare

2023-10-02T17:20:00Z By Jeff Dale

Multinational health insurance company Cigna agreed to pay more than $172 million as part of a settlement with the Department of Justice addressing allegations it submitted and failed to withdraw false claims to Medicare.