Greetings from The Netherlands,
It was a tumultuous start to 2021 here in The Netherlands privacy-wise. Last year, the Dutch Parliament conducted an investigation into an anti-fraud scheme of the Dutch tax authority. The tax authority had illegally profiled people who had applied for child benefits, based on their second nationality. This profiling resulted in thousands of families being wrongfully accused of fraud. Many families went into tens of thousands of euros in debt, resulting in evictions, stress, divorces and unemployment.
For years, the families tried to seek justice but failed. The Parliament’s report, "Unprecedented Injustice," concluded that the rule of law had failed to protect innocent families, not only because of the actions of the tax authority, but also because of the roles played by the government, parliament and the courts in this matter. As a result of this scandal, the entire Cabinet of Prime Minister Mark Rutte resigned three weeks ago.
On the basis of an automated risk classification model, the tax authority selected applications it suspected were problematic. The risk classification model, which used a few dozen indicators, including second nationality, was a self-learning model trained on examples of correct and incorrect applications. Earlier, the Dutch data protection authority (the Autoriteit Persoonsgegevens, or AP) called the model “illegal, discriminatory and unfair,” yet it also said that it didn’t have the manpower to complete its own investigation into the scandal in time to issue a fine. However, the AP said that it is still planning to issue an enforcement order later this year.
And last week, a journalist discovered that personal data, including Citizen Service Numbers (BSN), the unique number assigned to all Dutch citizens that is used to communicate with government agencies, open bank accounts and apply for health insurance, were being offered for sale on the internet.
The data appeared to have been stolen from the IT systems jointly used by the 25 Local Health Services, known as the GGD, for testing and contact tracing to combat the COVID-19 crisis. Insider thieves were able to export data from the system using its built-in export functionality. There was no automated logging on the systems, so exports left no trail. When the pandemic hit, the systems had been hastily scaled up, and the many temporary employees working in the GGD call centers had full access to all personal data of the millions of people who had undergone a COVID-19 test.
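The three failures described above (a bulk export feature reachable from every call-center account, no scoping of access to the cases an agent is actually handling, and no automated logging) map onto controls that are easy to show in code. The following Python is an added illustration for this newsletter, not code from the GGD systems or from the original text; the records, the two roles ("agent" and "export_officer"), the BSN placeholders and the alert threshold are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample records. The BSN values are synthetic placeholders, not
# real Citizen Service Numbers; nothing here comes from the GGD systems.
RECORDS = [
    {"case_id": 1, "bsn": "000000001", "name": "Person One", "result": "negative"},
    {"case_id": 2, "bsn": "000000002", "name": "Person Two", "result": "positive"},
    {"case_id": 3, "bsn": "000000003", "name": "Person Three", "result": "negative"},
]

# Assumed threshold: a single export larger than this is flagged for review.
BULK_EXPORT_ALERT_ROWS = 2


class AccessDenied(Exception):
    pass


@dataclass
class User:
    username: str
    role: str                      # assumed roles: "agent" or "export_officer"
    assigned_cases: set = field(default_factory=set)


class AuditLog:
    """Append-only record of every read and export, written by the store
    itself so that staff using the application cannot bypass it."""

    def __init__(self):
        self.entries = []

    def record(self, user, action, rows, allowed):
        self.entries.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user.username,
            "role": user.role,
            "action": action,
            "rows": rows,
            "allowed": allowed,
            "bulk_alert": allowed and rows > BULK_EXPORT_ALERT_ROWS,
        })


class RecordStore:
    def __init__(self, records, audit):
        self._records = {r["case_id"]: r for r in records}
        self.audit = audit

    def lookup(self, user, case_id):
        """Per-record read, scoped to the cases an agent is working on."""
        if user.role == "agent" and case_id not in user.assigned_cases:
            self.audit.record(user, "lookup", 0, allowed=False)
            raise AccessDenied(f"{user.username} may not read case {case_id}")
        self.audit.record(user, "lookup", 1, allowed=True)
        return self._records[case_id]

    def export(self, user):
        """Bulk export, restricted to a dedicated role and always logged."""
        if user.role != "export_officer":
            self.audit.record(user, "export", 0, allowed=False)
            raise AccessDenied(f"{user.username} may not bulk-export")
        rows = list(self._records.values())
        self.audit.record(user, "export", len(rows), allowed=True)
        return rows


def suspicious_activity(audit):
    """Detection over the audit trail: denied attempts and bulk exports,
    grouped by user. Returns {username: [actions]}."""
    flagged = {}
    for e in audit.entries:
        if not e["allowed"] or e["bulk_alert"]:
            flagged.setdefault(e["user"], []).append(e["action"])
    return flagged


def demo():
    audit = AuditLog()
    store = RecordStore(RECORDS, audit)
    agent = User("temp_agent_17", "agent", assigned_cases={1})
    officer = User("export_officer_1", "export_officer")

    store.lookup(agent, 1)                      # allowed: assigned case
    try:
        store.lookup(agent, 2)                  # denied: not assigned
    except AccessDenied:
        pass
    try:
        store.export(agent)                     # denied: wrong role
    except AccessDenied:
        pass
    exported = store.export(officer)            # allowed, logged, bulk-flagged
    return len(exported), suspicious_activity(audit)


if __name__ == "__main__":
    print(demo())
```

The point of the design is that the audit write sits inside the data store rather than in the front end, so every read and export is recorded regardless of which tool or account initiates it, and the detection in `suspicious_activity` then has something to work with. In the scenario above, the same data store with the "full access, no logging" pattern would have returned every row to the temporary agent and left no record of it.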
Despite the many warnings from employees who were surprised by their broad access rights, the GGD failed to take corrective steps. This week, Parliament spent almost an entire day grilling the Minister of Health, who leads the fight against the virus, and the Minister for Legal Protection, who is responsible for the GDPR, over what had gone wrong. The breach may not only harm the people whose data was stolen; it could also undermine people’s willingness to get tested.
Last but not least, in a hearing in Parliament earlier this week, the AP stressed the fact that it is seriously understaffed to adequately perform its tasks. Only 0.04% of complaints and 0.3% of reported data breaches are investigated. There is a five-year waiting list for binding corporate rules, and it has only 0.2 FTE staff available to find unreported data breaches.
International investigations take too long (see the Dutch Consumer Union’s suit against the AP, for example). By its own admission, the AP doesn’t have the manpower to issue fines and defend those fines in court. The good news from all this drama is that after the debate about the GGD data breach, a large majority in Parliament supported a motion to increase the AP’s budget so that it can grow, as it had requested, from 184 to 470 FTE. Like I said earlier: “The Achilles’ heel of the GDPR is the budget that the Member States are willing to allocate to their DPAs.”