The Netherlands Update: Record fine for tax authorities for violation of GDPR – will a mass claim follow?

On 7 December, the Dutch Data Protection Authority (AP) announced that it is imposing a fine of 2.75 million euros on the Tax and Customs Administration. Of the 16 (publicly disclosed) fines that the DPA has imposed since it has the authority to do so as of 25 May 2018, this fine is by far the highest. But it is not an unexpected fine. In April 2017, the DPA received a signal about the possible processing of the dual nationality of applicants for childcare allowance by the Tax and Customs Administration. The DPA then started an investigation, of which a report was published on 16 July 2020. In this investigation report, the DPA already established that three types of processing by the Tax and Customs Administration were unlawful, and that the Minister, as controller, violated the General Data Protection Regulation (GDPR).

Investigation report of the AP

Which processing operations of the Tax Authorities were unlawful? The first unlawful processing was the processing of the dual nationality of Dutch applicants. In the investigation, the DPA ruled that this was unlawful because the processing of this data was not necessary for the performance of the task of the Tax and Customs Administration. The second unlawful processing was the use of the nationality of applicants in the so-called ‘risk classification model’. In short, this is a system that selects risky applications, after which those applications are checked by staff of the Tax and Customs Administration. The DPA ruled that the use of the data on dual nationality in this system was also not necessary, because less far-reaching form of processing was possible. The third unlawful processing was the use of the nationality of applicants for childcare allowance in the context of the detection of organised fraud. The DPA also did not consider this processing necessary in the light of the purpose of the processing. The DPA also ruled that the second and third processing operations were discriminatory and therefore improper.

The aforementioned processing operations are therefore contrary to Article 5 paragraph 1 a GDPR, which stipulates that personal data must be processed in a manner that is lawful, fair and transparent with regard to the data subject. The processing operations are also contrary to Article 6(1) gdpr, because the processing operations do not meet the condition that the weathering is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Insofar as the processing operations before the introduction of the GDPR took place on 25 May 2018, the Personal Data Protection Act (Wbp) applies, as a result of which those processing operations constitute a breach of Articles 6 and 8 introductory wording and under e Wbp.

Decision imposing a fine

In the enforcement decision, the DPA imposes the highest basic fine possible within the bandwidth of the Fine Policy Rules for all three processing, namely a fine of € 750,000. On the basis of the Fine Policy Rules, the fine can be increased ‘if the category of fine determined for the violation does not allow for appropriate punishment in the specific case’. In this case, the DPA judges that this is the case, partly due to the ‘improperness’ of the processing operations due to their discriminatory nature. It increases the fine for the second and third processing operations to an amount of € 1,000,000, taking into account the fact that this concerns ‘intentional or negligent acts by a government body’ and the ‘special responsibility’ of the Tax and Customs Administration to handle the personal data it processes with care. The DPA also ruled that the Tax and Customs Administration ‘should have limited the processing of the personal data nationality to the minimum and should have covered it with such guarantees that the risk of discriminatory processing was excluded as much as possible’. Finally, the DPA ruled that the Tax and Customs Administration did not cooperate sufficiently with the DPA to remedy the infringement and limit the consequences thereof.

A clear signal: when the person whose data is processed is dependent on the public authority that processes the data, the protection of personal data is subject to extra care and a higher fine is therefore appropriate.

AP chairman Aleid Wolfsen says the following about the fine:

“Many cases run exclusively through the government. As a citizen, you have no freedom of choice in this. As a result, you are forced to undergo data processing from the government. That is precisely why you must be able to trust blindly that this is done neatly. That the government does not unnecessarily store and process information about you. And that discrimination does not play a role in your contact with the government. That has gone terribly wrong with Surcharges, with all the consequences that entails. Of course, this fine cannot undo that. But it is an important step in a broader recovery process.”

Sorrow money?

This reminded me of another comment by Aleid Wolfsen in his privacy blog of 22 February 2021: “Smartengeld should be the rule, not the exception”.

Can the victims of the Surcharges affair also claim civil damages for immaterial damage (pain money) resulting from the unlawful processing of their personal data? As Wolfsen points out in the aforementioned blog, there is certainly room in case law for granting smart money for unlawful processing of personal data. Wolfsen refers to a ruling of the Council of State of 1 April 2020 (ECLI:NL:RVS:2020:898) in which the Minister for Legal Protection was ordered to pay €500 pain money for the unlawful processing/provision of medical data, and a judgment of the subdistrict court in which compensation of €500,- was also awarded because the municipality used the BSN, had unlawfully placed the e-mail address and telephone number of a resident on its website, and concludes:

“What makes these statements so beautiful and clear is that they confirm that violating the core of this right of freedom is in itself so serious that in the event of a violation as a result of unthinking or careless behavior, there is a right to pain money anyway. The violation itself and who is liable for it, must of course still be proven.”

The DPA has held the Minister of Finance, as controller, responsible for the unlawful processing operations, and the carelessness of the actions is also established. In principle, it would therefore be possible to claim immaterial damages in court on the basis of Article 82 of the GDPR. Such damages can be claimed both from the civil court and from the administrative court.

In cooperation with the government, the Tax and Customs Administration is working on compensating the victims of the Allowances affair. Various schemes have been used for this, including the ‘compensation scheme’, the ‘hardship scheme’ and the ‘O/GS (‘Intent or Gross Negligence’) compensation’. The compensation resulting from the compensation scheme and the hardship scheme relates, in addition to material compensation, also to the non-material damage for ‘worries and suffering’. Victims receive compensation of € 500 per half year for the immaterial damage, counting from the date on which the tax authorities first wrongly asked to reimburse childcare or to stop the childcare allowance. The O/GS compensation does not provide for immaterial damages.

This means that only a part of the people whose data has been processed and/or used unlawfully by the Tax and Customs Administration are eligible for immaterial compensation through the compensation scheme and the hardship scheme. For the other people whose dual nationality was registered in systems of the Tax And Customs Administration, the GDPR offers the possibility to get their immaterial damages compensated. It is obvious to combine the claims for immaterial damages of those people into one collective action, after which the court can then settle the claim in one go. Conducting such a collective damages action is possible since the entry into force of the Act on settlement of mass claims in collective action (the WAMCA) on 1 January 2020. Examples of collective actions that have been or are being taken against companies that have made large-scale privacy violations are the cases against TikTok, Facebook, Salesforce and Oracle and the Minister of Health, Welfare and Sport because of a large-scale data breach at the GGD. I would not be surprised if a collective action against the tax authorities is added to this list.

By Jytte Elfferich, Hocker, Netherlands, a Transatlantic Law International Affiliated Firm. 

For further information or for any assistance please contact netherlands@transatlanticlaw.com

Disclaimer: Transatlantic Law International Limited is a UK registered limited liability company providing international business and legal solutions through its own resources and the expertise of over 105 affiliated independent law firms in over 95 countries worldwide. This article is for background information only and provided in the context of the applicable law when published and does not constitute legal advice and cannot be relied on as such for any matter. Legal advice may be provided subject to the retention of Transatlantic Law International Limited’s services and its governing terms and conditions of service. Transatlantic Law International Limited, based at 42 Brook Street, London W1K 5DB, United Kingdom, is registered with Companies House, Reg Nr. 361484, with its registered address at 83 Cambridge Street, London SW1V 4PS, United Kingdom.