On 7 December 2021, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, DDPA) imposed a penalty of EUR 2.75 million on the Minister of Finance (Minister) for the processing of personal data by the Tax Administration (Belastingdienst) in violation of the General Data Protection Regulation (GDPR) and the Dutch Personal Data Protection Act (Wbp). This penalty was imposed for the unlawful processing of the (dual) nationality of applicants for childcare benefits in an unlawful, discriminatory and therefore improper manner.
The imposition of this fine was to be expected in view of the seriousness of the situation and the impact of the benefits affair on society. In addition, it is not surprising that the DDPA imposed a record fine, given the seriousness of the situation.
The DDPA investigated the Tax Administration's processing of the (dual) nationality of applicants for childcare benefits and published its investigation report dated 16 July 2020, "Tax Authority/Benefits, Processing of the Nationality of Applicants for Childcare Benefits" (Investigation Report).
The Investigation Report reveals that the DDPA concluded that three of the data processing operations were unlawful. Firstly, the Tax Administration stored the dual nationality of applicants in the 'Benefits Provision System' (Toeslagen Verstrekking Systeem, TVS) without these data being necessary for the performance of its task. Secondly, the Tax Administration used the applicants' nationality as an indicator in a risk classification model (a system that automatically selects risky applications for the allocation of staff capacity). Thirdly, the Tax Administration used the applicants' nationalities for the purposes of detecting fraud.
The DDPA not only concludes that the processing is unlawful, but in respect of two of the processing operations it also concludes that these are discriminatory and improper.
The DDPA imposes the fine because of a violation of both the GDPR and the Wbp. The Wbp was repealed when the GDPR entered into application. In this penalty decision, the DDPA still applies the Wbp, because part of the violation took place before the GDPR entered into application. On the points relevant to the present situation, the GDPR and the Wbp are not that different.
Nationality falls within the scope of the definition of personal data referred to in Article 4 opening words and under 1 of the GDPR and Article 1 opening words and under a of the Wbp. After all, this concerns information about a natural person who is identifiable for the Tax Administration. Pursuant to Article 5(1)(a) GDPR, personal data may only be processed in a manner that is lawful, fair and transparent. In addition, personal data may only be processed lawfully if one of the processing grounds specified in Article 6 GDPR justifies this. Special personal data - such as personal data about race, health and religion - are given extra protection by the GDPR (and previously by the Wbp). In principle, these personal data may not be processed, but Article 9 GDPR provides a number of exceptions to this prohibition.
Points of attention
It was to be expected that the DDPA would impose a (large) fine on the Tax Authorities. Not least because the DDPA had already announced in its 2020 annual report that 'digital government' is and will remain one of its focus areas. This is not the first time that a governmental body has been reprimanded for the processing of personal data in the context of fraud prevention. In November 2021 the DDPA ordered the Municipal Health Service (Gemeentelijke Gezondheidsdienst, GGD) to improve the protection of personal data and in May 2021 the DDPA imposed a fine on the Employee Insurance Agency (Uitvoeringsinstituut Werknemersverzekeringen, UWV). In February 2020, the Court of The Hague also ruled that a governmental body had to adjust its processing of personal data: the use of the SyRi anti-fraud system was deemed to be in violation of Article 8 ECHR (Court of The Hague 5 February 2020, ECLI:NL:RBDHA:2020:865).
It is interesting to note that in the aforementioned judgment the civil court did not (explicitly) address Article 6(1)(e) GDPR, despite the fact that the claimant did argue that this Article was in conflict with the GDPR. Now the DDPA chooses to deem a fraud prevention system that is comparable on certain points in conflict with Article 6(1)(e) GDPR.
It follows from the Investigation Report that the GDPR had previously also investigated whether the processing of nationality involved the processing of special personal data, more specifically data about racial or ethnic origin. If such personal data would have been processed without a legal basis, this would constitute a violation of Article 9 GDPR (and previously Article 16 Wbp), which, according to the Fining Policy Rules Dutch Data Protection Authority 2019 (Boetebeleidsregels Autoriteit Persoonsgegevens 2019, the Fining Policy Rules (Government Gazette March 14, 2019, no. 14586)), would have resulted in a higher penalty than the penalty for the violation that was ultimately established. With respect to the qualification of nationality as special personal data, the DDPA first noted in the Investigation Report that it follows from Dutch case law for this qualification importance is attached to other processed personal data. If nationality were to be processed in combination with other personal data, such as country of birth or place of birth, this could lead to the qualification of nationality as special personal data. In addition, the DDPA considered that in certain cases the context of the processing can lead to nationality in itself qualifying as special personal data.
This would be the case if the purpose of the processing of nationality is to make a distinction between racial or ethnic origin, or if it can be reasonably foreseen that the processing will lead to the making of such a distinction. According to the website of the DDPA, this is also the standard in certain other situations for determining whether personal data qualify as special personal data.The DDPA already came to the conclusion in the Investigation Report that nationality, as processed by the Tax Administration, does not qualify as special personal data because an indirect link between nationality and racial and ethnic origin could not be established. The decision to impose a fine therefore does not address this issue any further.
The DDPA imposes a total fine of EUR 2.75 million, consisting of: EUR 750,000 for unlawfully storing second nationality, EUR 1 mio for using nationality as an indicator for the risk classification model and EUR 1 mio for using nationality in the detection of organized fraud). In determining the amount of the fine, the DDPA applies the Fining Policy Rules. In view of the seriousness of the violations referred to, the DDPA significantly increases the basic amounts of the fines in accordance with the system set out in the Fining Policy Rules.
Following the DDPA’s investigation the Tax Administration had already initiated putting an end to the infringement. The Tax Administration had removed the (dual) nationalities from its systems in the summer of 2020 and had thus also terminated the infringement. However, the fact that the Tax Administration terminated the infringement before the DDPA imposed the penalty does not result in the imposition of a penalty. The DDPA considers the violations to be so serious that there seems to be no room for mitigation at all.
No response to the penalty has yet been received from the Minister or on his behalf. Although the response to the Investigation Report and the Minister's response to the advance notice of this penalty indicate that the Minister acknowledges that the Tax Administration committed the aforementioned offences, the possibility cannot be excluded that the Minister may still lodge an objection to the penalty, for example on account of its amount. It has not yet been disclosed whether the Minister will do so.
With thanks to David van de Velde for his help in writing this blog.