FSV Steering Group Discussion Document — 25 June 2020: Structural GDPR Violations by the Tax and Customs Administration

28 April 2026
John van der Velden
Independent Researcher

Document Details

| Field | Content |
| --- | --- |
| Source Document | Discussion Document FSV Steering Group, 25 June 2020 |
| Source File | 084042020-06-24-discussiedocument-stuurgroep-fsv-van-25-juni.pdf |
| Originator | Belastingdienst (Tax and Customs Administration) |
| Meeting | FSV Steering Group, Thursday 25 June 2020, 13:00–15:00 |
| Classification | Internal — not disclosed through WOO requests |

Summary

The discussion document prepared for the FSV Steering Group on 25 June 2020 reveals that the Tax and Customs Administration structurally and knowingly violated the General Data Protection Regulation (AVG/GDPR). As of the meeting date, the MKB (SME) and Toeslagen (Benefits) divisions were explicitly not GDPR-compliant. The administration accepted this as an “administratively acceptable risk.” The Particulieren (Individuals) division had taken no action on signals since 24 April 2020, with a backlog of 1.5 years. Chain partners could create LOAs (Lists of Action Items) at any time without oversight, resulting in no complete inventory of ongoing data processing activities.


Chronological Context

  • 2014: Establishment of the FSV (Fraude Signaal Voorziening / Fraud Signal Facility) as a central signalling system.
  • 2019: FSV formally shut down following the childcare benefits scandal revelations.
  • 2020 (April): Particulieren division ceases all work on signals effective 24 April.
  • 2020 (June): Steering Group convenes to discuss the ongoing GDPR compliance crisis after FSV closure.

Findings

1. Structural GDPR Violations, Even After FSV Closure

The Tax and Customs Administration continued to process personal data in ways that violated the GDPR after the formal closure of the FSV. The discussion document confirms this was not an incidental issue but a structural problem affecting the entire organisation.

The administration was aware of the violations and classified the risks as “administratively acceptable.”

2. MKB and Benefits Explicitly Not GDPR-Compliant

On 25 June 2020 — months after the formal closure of the FSV — MKB and Toeslagen still did not qualify as GDPR-compliant. The Steering Group accepted this as an “administratively acceptable risk” without instituting concrete measures for immediate compliance.

3. “Being GDPR-Compliant and Continuing to Pick Up Signals Are Not Reconcilable Wishes”

The Benefits division is quoted in the document:

“Being AVG-proof and continuing to pick up signals are not reconcilable wishes at short notice.”

This statement demonstrates that the Tax Administration made a conscious trade-off between privacy compliance and signal follow-up, choosing the latter — in direct contravention of its legal obligation to comply with the GDPR.

4. Individuals Division: No Action on Signals Since 24 April 2020

The Particulieren division had not acted on a single signal since 24 April 2020. As of the meeting date, the backlog stood at 1.5 years. This means that potential fraud signals — and, critically, unjustified signals — went entirely untreated for an extended period.

5. LOAs Unmanageable

Chain partners could create LOAs (Lists of Action Items) at any time through any employee. No central overview of all LOAs existed, which meant the Tax Administration:

  • Did not know how many LOAs were in circulation;
  • Could not verify whether LOAs were justified;
  • Had no control over the processing of personal data through LOAs.

6. KPMG Investigation Incomplete

At the time of the Steering Group meeting, the external investigation by KPMG was not yet completed. The Steering Group therefore lacked a complete picture of the scope of GDPR violations.

7. Parliamentary Letter Delayed for Political-Administrative Considerations

The drafting of a letter to Parliament regarding the GDPR compliance crisis was determined not only by substantive progress but also by political-administrative considerations. This indicates a deliberate strategy to withhold full and timely information from Parliament.

8. Sweep Actions: 23 Actions Planned Over 9 Months

The Steering Group planned so-called “sweep actions” to improve GDPR compliance:

  • Number of actions: 23
  • Duration: 9 months
  • Objective: Systematic identification and remediation of GDPR violations

The 9-month timeframe stands in stark contrast to the severity of the identified violations and the legal obligation for immediate compliance.


Institutional Analysis

A Culture of “Administratively Acceptable Risks”

The document reveals an institutional culture in which the conscious violation of privacy legislation is accepted as long as it is administratively convenient. The term “administratively acceptable risk” functions as a legitimation of unlawful conduct.

Double Standard

The Tax Administration demanded complete and timely filings from citizens while itself willfully and structurally violating privacy law. Citizens could lose their benefits based on unfounded signals; the administration itself accepted GDPR violations as an “acceptable risk.”

Absence of Accountability

There is no evidence that individual managers or employees were held to account for the structural GDPR violations. The Steering Group discusses the problem without attaching concrete consequences to the established violations.


| Legislation | Relevance |
| --- | --- |
| GDPR (EU 2016/679) | The General Data Protection Regulation that the Tax Administration structurally violated. |
| Dutch GDPR Implementation Act | National implementation of the GDPR in the Netherlands. |
| General Administrative Law Act (Awb) | The principle of legal certainty and the prohibition of arbitrary action. |
| Tax Administration Act | The framework legislation governing the Tax and Customs Administration. |

Source References

  1. Belastingdienst, Discussiedocument Stuurgroep FSV, 25 June 2020. Source file: 084042020-06-24-discussiedocument-stuurgroep-fsv-van-25-juni.pdf.
  2. General Data Protection Regulation (EU 2016/679), in particular Articles 5, 6, and 25.
  3. Autoriteit Persoonsgegevens (Dutch Data Protection Authority), reports on the FSV and GDPR compliance by the Tax Administration.

Open Questions

  1. Who made the decision to classify GDPR violations as an “administratively acceptable risk”?
  2. What was the role of political leadership in delaying the parliamentary letter?
  3. How many citizens were affected after 25 June 2020 by actions that violated the GDPR?
  4. Has the KPMG investigation ever been fully disclosed to the public?
  5. What consequences have been imposed on the employees and managers responsible for the GDPR violations?

Document prepared on the basis of archived material from the Tax and Customs Administration, obtained through a WOO (Open Government) request. All quotations are reproduced verbatim from the source document.

John van der Velden

Independent Researcher · Open Brief Network

Independent researcher focused on institutional systems, accountability, and administrative processes. Background in network architecture, infrastructure integrity, and process optimisation.

Based in Croatia · Investigative Archive · Systems & Accountability