
RAM and SME Profiling: The Tip of the Iceberg

Executive summary
The Risk Analysis Model (RAM) was the largest and most invasive surveillance instrument the Dutch Tax and Customs Administration (Belastingdienst) ever built. For twenty years, from 1998 to 2018, the system profiled virtually all taxpayers — citizens and entrepreneurs alike — by linking 69 source systems into a central data warehouse, without legal basis, without notifying data subjects, and without any right to appeal. The KPMG report of February 2025 (330 pages), released following MP Omtzigt’s Article 68 request, confirms what affected entrepreneurs have suspected for years: the childcare benefits scandal was not the incident, but the tip of the iceberg. While the benefits scandal affected approximately 26,000 families, RAM profiled 2.2 million entities over twenty years, generated more than 20,000 selections per year, and was bidirectionally linked to the FSV blacklist that registered 180,000 citizens as fraud suspects. The Tax Authority knew of the unlawfulness as early as 2013, kept the system running until one day before the GDPR took effect, and then locked the evidence in a “data vault” of 64 million files that has not been searched in any investigation. This investigation documents the damage to SME entrepreneurs, the concealed scale, and the constitutional implications of a state that secretly profiled its own citizens for two decades.
Context
The RAM system
The Risk Analysis Model (RAM) emerged around 1998 at the Roermond office as a simple Excel database for branch risk assessment. Through MS Access (2004) and Oracle on AWS (2012), it grew into a data warehouse with 250 data tables profiling virtually all taxpayers in the Netherlands. The Small and Medium-sized Enterprise (MKB/SME) directorate was owner and primary user.
RAM linked 69 source systems, including:
- Tax data: OB, LH, VPB, IH, Benefits/Toeslagen
- Population registers: BRP (including nationality), BVR, Chamber of Commerce, Land Registry
- Criminal justice: GEFIS (criminal records data)
- Vehicles/property: RDW (vehicle registrations), Land Registry
- Internet: scraped internet data (2015)
The system operated with a traffic light mechanism: red = select for supervision/fraud investigation. The top 20,000 red subjects were automatically routed to FD-approach, fraud/EOS, or thematic investigations — without substantive review.
The data vault: 64 million hidden files
In May 2019, around the introduction of the GDPR, the Tax Authority moved 64 million unsorted files from a collaboration drive (Q-drive) to a secured environment: the “data vault.” In April 2026, parliamentary letter 2026D17991 revealed its existence. The critical issue: the data vault has not been searched in any investigation — not during the Parliamentary Inquiry into Fraud and Public Service (PEFD), not during the POK investigation, not during the FSV investigation, not during the CAF investigation, and not during the RAM investigation itself.
The official position states: “There are currently no indications that the data vault was intentionally excluded from consideration.” But the facts tell a different story: systematic exclusion of HTML file types during searches, a 9-month delay in informing Parliament, and confirmed missing documents from investigations that were present in the vault.
The childcare benefits scandal in perspective
| Category | Number | Source |
|---|---|---|
| Benefits families affected | ~26,000 | Parliamentary documents |
| FSV registrations (blacklist) | ~180,000 citizens | RVS 2026-226; PwC |
| Tax returns selected on nationality (2012-2014) | 11,236 BSNs | PwC; Donner Commission |
| RAM entities (total) | 2.2 million | KPMG report |
| SME businesses in Netherlands | ~1.5 million | CBS |
| Data vault files | 64 million | Parliamentary letter 2026D17991 |
| Victims with migration background | 71% | CBS |
The ratio is revealing: for every affected benefits family, 7 to 11 citizens were on the FSV blacklist, and RAM potentially profiled millions of taxpayers over twenty years. The childcare benefits scandal was not the system — it was a symptom.
Key findings
1. SME entrepreneurs as primary victims
The SME directorate was owner and primary user of RAM. Of the 248 authorized users, 200 had unrestricted access to all data on all taxpayers. More than 2,662 Excel extracts containing RAM data were distributed via USB sticks, email, and CDs by post — outside all central control.
SME entrepreneurs were profiled without their knowledge on:
- Nationality (first and second; 112/250 tables contained nationality data)
- Postal code
- Criminal record (via GEFIS link)
- Internet data (scraped in 2015)
They were then selected for tax audits, book investigations, and fraud/EOS proceedings — without any possibility of access, correction, or objection. The only “transparency” consisted of generic information pages on the Tax Authority’s website.
2. Estimated number of affected entrepreneurs
| Metric | Number | Method |
|---|---|---|
| Selections per year (2017) | 20,000+ | KPMG |
| Operational years | 20 (1998-2018) | KPMG |
| Estimated total selections | 200,000+ (conservative) | Extrapolation |
| Unique BSNs selected on nationality | 11,236 (2012-2014 only) | PwC |
| Top red subjects per cycle | 20,000 | KPMG |
| FSV registrations without competent unit | 16,529 | PwC |
| Estimated total affected entrepreneurs | 100,000 – 300,000 | Conservative estimate based on 20,000 selections/year × 20 years, adjusted for overlap |
Estimation methodology: With at least 20,000 selections per year over 20 operational years, accounting for overlap (some entrepreneurs selected multiple times), this yields a conservative estimate of 100,000 to 300,000 unique SME entrepreneurs who were profiled and potentially harmed by RAM. The actual number may be larger because RAM successor systems (IVT, KTA, CAP) continued to use partly the same data after 2018.
3. The data vault as evidence repository
The indications that RAM data was deliberately shielded are circumstantial but cumulative:
| Indicator | Detail |
|---|---|
| Data vault not searched | No investigation has searched the 64 million-file data vault — including the RAM investigation itself |
| HTML files excluded | PEFD searches systematically excluded HTML file types → millions of files missed |
| 9-month delay | Data vault discovered July 2025; Parliament informed 15 April 2026 |
| ~9,000 dossiers destroyed | Appeal dossiers destroyed 2019-2020 under GDPR pretext while Archives Act required retention |
| Second nationality masked | May 2019: order to mask second nationality — the same year as the data vault creation |
| RAM disabled one day before GDPR | 25 May 2018 — timing suggests deliberate avoidance of GDPR compliance requirements |
| Policy response: no third-party investigation | March 2025: state secretary excludes investigation into RAM data sharing with third-party organizations |
The Inspectorate for Government Information and Heritage (2021) qualified the destruction as an “extraordinarily unfortunate coincidence” but found no intent. MP Omtzigt responded: “The tax authority finds a data vault… Now I understand why relevant documents were always untraceable…”
4. Eight mechanisms of harm
The RAM system harmed SME entrepreneurs through eight documented mechanisms:
- Selection on nationality — 14 extractions used nationality as selection criterion; 369/1,170 extractions contained nationality data
- No legal basis — a legal basis or purpose limitation analysis was never conducted; GEB Oct 2017 acknowledged non-compliance
- Unrestricted access — 200/248 users with unrestricted access to all data; 2,662 Excel files distributed without control
- Fraud/EOS engine — traffic light red = automatic selection; top 20,000 to FD-approach without review
- FSV linkage — bidirectional; RAM amplified FSV registrations and vice versa; 16,529 registrations without competent unit
- No transparency — entrepreneurs did not know RAM existed; no access, correction, or objection possible
- Continued despite warnings — internally known since 2013; DG informed 2015; system maintained as “indispensable”
- Dissemination to third parties — data shared with ministries, municipalities, inspectorates; no overview maintained; no further investigation promised
5. The constitutional crisis
RAM strikes at the heart of the rule of law:
- Art. 1 Dutch Constitution (equal treatment) — nationality as selection criterion is discrimination
- Art. 8 ECHR (private life) — uncontrolled data dissemination over 20 years
- Art. 14 ECHR (non-discrimination) — systematic profiling on origin
- Art. 6 ECHR (fair trial) — no access, no objection, no defense
- Art. 1 P1 ECHR (property protection) — undisturbed exercise of profession and business made impossible
- GDPR — never registered with AP; no processing register; no legal basis analysis
In April 2016, four years before the childcare benefits scandal, the WRR published Working Paper 021, which described the exact systems, methods, and risks. Peter Olsthoorn warned: “An enormous and rapidly growing data complex is emerging… largely unnoticed.” The warning went unheeded.
6. Remediation investigation: insufficient and incomplete
The state secretary’s remediation investigation (March 2025) is fundamentally inadequate:
| Limitation | Problem |
|---|---|
| Investigation limited to 14 spreadsheets | 112/250 tables contained nationality data; 369/1,170 extractions contained nationality |
| No SME damage calculation | No systematic estimate of fines, additional assessments, reputational damage, bankruptcies |
| No third-party investigation | No investigation into RAM data sharing with municipalities, ministries, inspectorates |
| Data vault not searched | 64 million files not examined for RAM-related evidence |
| No individual notification | Government states: “no reason to assume citizens were harmed” |
| Successors still active | KTA (~22,000 users), IHP, IFL, SMOB partially inherit the same problems |
The state secretary promised clarity by June 2025. As of December 2025, the investigation was still pending.
Damage estimate: conservative projection
| Damage category | Conservative estimate per entrepreneur | At 100,000 entrepreneurs | At 300,000 entrepreneurs |
|---|---|---|---|
| Additional tax assessments/penalties | €5,000 – €50,000 | €500M – €5B | €1.5B – €15B |
| Accountant/lawyer costs | €2,000 – €10,000 | €200M – €1B | €600M – €3B |
| Reputational damage/lost contracts | €10,000 – €100,000 | €1B – €10B | €3B – €30B |
| Lost revenue (bankruptcy/downsizing) | €20,000 – €200,000 | €2B – €20B | €6B – €60B |
| Immaterial damage (stress, health) | €5,000 – €25,000 | €500M – €2.5B | €1.5B – €7.5B |
| Total (conservative) | €42,000 – €385,000 | €4.2B – €38.5B | €12.6B – €115.5B |
This estimate is based on damage findings from the childcare benefits scandal, scaled to the broader SME population. Actual damage may be higher given the longer period (20 vs. 5 years) and broader range of consequences (tax assessments, collection, FSV registration, digital stigmatization).
Conclusion
The RAM system was not a technical error but a constitutional violation at system level. For twenty years, the Dutch state profiled its own citizens and entrepreneurs based on nationality, criminal record, and postal code, without legal basis, without oversight, and without right to appeal. The childcare benefits scandal — with 26,000 affected families and a societal shock that brought down a cabinet — was the symptom of a much larger problem. The RAM system potentially affected hundreds of thousands of entrepreneurs. The evidence is locked in a data vault the state refuses to search. The remediation investigation is limited to 14 spreadsheets. No one has been held personally liable. And the successor systems continue to run.
Krijn ten Hove (BNNVara) characterized it aptly: “A constitutional problem, not an administrative error.”
Sources
- KPMG Report RAM Investigation, Part 1 (25 February 2025) — rijksoverheid.nl
- KPMG Report RAM Investigation, Part 2 (25 February 2025) — rijksoverheid.nl
- Parliamentary letter RAM policy response (6 March 2025) — State Secretary Van Oostenbruggen
- Review of systems comparable to RAM (March 2025) — rijksoverheid.nl
- Parliamentary letter RAM January 2026 — rijksoverheid.nl
- RAM investigation documents, Part 2 (May 2025) — rijksoverheid.nl
- RAM investigation documents, Part 3 (May 2025) — rijksoverheid.nl
- Tweede Kamer — RAM Investigation Results
- Official publication KPMG report (PDF)
- Article 68 request MP Omtzigt (NSC), 21 June 2023
- Parliamentary letter 2026D17991 (data vault), 15 April 2026 (Eerenberg & Palmen-Schlangen)
- Parliamentary letter 3 December 2025 (RAM follow-up) — State Secretary Heijnen
- Inspectorate for Government Information and Heritage report, April 2021 (ISBN 978-90-773541-0-0)
- Dutch Data Protection Authority (AP), FSV fine decision July 2020 (€2.75 million)
- WRR Working Paper 021, April 2016 (ISBN 978-94-90186-30-2)
- PwC working document FSV, February 2022
- Donner Commission (“Omzien in verwondering”), March 2020
- CBS statistics childcare benefits scandal victims
- Accountancy Vanmorgen, 7 March 2025
- iBestuur, 7 March 2025
- Dutch IT Channel, 5 December 2025
- NOS, 15-16 April 2026 (data vault revelation)
