Unlimited information exchange by the Dutch tax authority - GDPR-proof?

July 25, 2019 | Blog

Increased transparency between tax authorities enables private parties and companies to better comply with tax regulations. In the last ten years, the G20 countries have collected EUR 95 billion in additional government income by sharing financial and tax information (according to the OECD). Local tax authorities are increasingly dependent on assistance from foreign authorities when it comes to enforcing tax legislation. This has led the Dutch tax authority to increasingly use enforcement tools to obtain information from taxpayers, which it subsequently exchanges with foreign tax authorities.

The Dutch tax authority has been taking increasing measures to obtain information on taxpayers. This could result in an unauthorised violation of the relevant data subjects' privacy. Despite what we've heard about the tax authority becoming increasingly aware of privacy legislation, you will have to keep assessing whether the information requested may actually be disclosed. We will be able to provide advice when you analyse this question.

The Dutch tax authority and privacy
In order to perform its duties, the Dutch tax authority needs to exchange data. In that context, it is important for it to comply with privacy legislation, too. However, it remains to be seen if it actually does. After all, it already became apparent earlier this year that the tax authority would need at least another year to comply with all the requirements under the privacy legislation. The tax authority itself has stated that it works with numerous different, and at times outdated, systems, which means that many processes require adjustments. This also makes the removal of old data a time-consuming and tricky task.

What is more, the Dutch tax authority has twice been the subject of an investigation by the Dutch Data Protection Authority ("DDPA"). For instance, the DDPA prohibited the tax authority from processing the Citizen Service Number (BSN) in the VAT identification number, and it initiated an investigation into the processing of special personal data and discrimination.

Statutory basis for exchange is required
The exchange of - possibly privacy-sensitive - data on taxpayers with foreign authorities qualifies as personal data processing within the meaning of the General Data Protection Regulation ("GDPR"). A processing operation must have a valid basis. The tax authority may only pass on personal data if there is a legal basis for doing so.

The Dutch tax authority may proceed to exchange data on the basis of a number of Dutch and international statutory provisions. Double taxation treaties enable the exchange of information between tax authorities in different countries. Other bases for information exchange can be found in specific 'tax information and exchange agreements', the Convention on Mutual Administrative Assistance in Tax Matters, the European Mutual Assistance Directive, and the implementing regulations as provided in the Dutch International Assistance (Levying of Taxes) Act (the "WIB"). The latter provides a detailed description of the way in which the Dutch tax authority can collect information on its residents and exchange it with foreign authorities on the basis of its international obligations. For example, Section 8 WIB gives the Dutch tax authority the power to conduct audits in order to disclose information, pursuant to this Act, to the tax authorities of another state.

It is relatively easy for foreign tax authorities to ask the Dutch tax authority to disclose information. As long as the information is 'foreseeably relevant', the tax authority may actually disclose information to the requesting state. The Dutch courts only marginally assesses whether such 'foreseeable relevance' actually exists. The request will only be denied in cases of fishing expeditions or if one of the grounds for refusal of Sections 14 and 16 WIB applies.

The question of whether the exchange of information by the Dutch tax authority is allowed depends on the underlying statutory obligation and the assessment of the necessity of the exchange in this context. For taxpayers, it is usually difficult to assess whether an exchange is allowed.

Abolition of notification procedure
What is more, the notification procedure under the WIB was abolished as per 1 January 2014. Pursuant to this procedure, the taxpayer received a notification containing a description of the information that needed to be disclosed and the name of the requesting state, before any data was disclosed. These days, the disclosure of data can take place on request, spontaneously or automatically - i.e. without the tax authority being obliged in any way to notify the taxpayer. This means that the taxpayer may no longer assess the substance of the request and the lawfulness of the exchange of data, since the taxpayer no longer receives a notification containing a description of the information to be disclosed and the name of the requesting state. This might result in an even broader assessment of the exchange of data by the tax authority.

Moreover, there are few possibilities for taxpayers to challenge the disclosure of data by the tax authority. After all, it is no longer necessary for the taxpayer to be informed of the data exchange by means of the notification procedure. As a result, the right to object or to appeal - whereby the lawfulness of the disclosure of the data would be investigated - can no longer be exercised. Save for appealing to the civil courts, taxpayers have very few possibilities to challenge the disclosure of data.

Transparency
The GDPR may offer a solution. After all, the GDPR provides several rights for data subjects; in this case, private parties who are liable to pay tax or taxpayers' staff.

One of those rights is the right to information (Art. 13 GDPR). On the basis of the right to information, the tax authority is obliged to report which recipients (or categories of recipients) it shares personal data with. Furthermore, if recipients are established outside the EU, the tax authority must provide information on the countries in which those recipients are located and on the measures that have been taken to protect the personal data. This is to ensure that the data subject is able to verify whether and, if so, how the protection of his/her personal data is guaranteed in non-EU countries.

This obligation can only be avoided if the data subject already has that information, or if:

  1. the personal data were not obtained from the data subject; and
  2. the provision of information proves impossible or would involve a disproportionate effort, or obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject's legitimate interests, or the personal data must remain confidential subject to an obligation of professional secrecy.

It remains to be seen whether the tax authority will be able to successfully invoke these provisions. If none of the exceptions apply, the tax authority will be obliged to inform the data subjects themselves, prior to the provision of data. By means of a privacy policy, for example.

Furthermore, data subjects have a right of access to data processing operations. The tax authority is obliged to grant access to data subjects, unless such access would constitute an infringement of the rights and freedoms of third parties.

Other requirements pursuant to privacy legislation
Naturally, the tax authority must also comply with the other requirements and principles provided by the GDPR if there is to be a lawful processing of personal data. For example, only personal data that is required to achieve a certain goal may be processed (minimisation). Furthermore, personal data may only be stored for a limited period of time (storage limitation) and the tax authority must be able to prove that it is complying with the GDPR (accountability). Also, any disclosure of personal data from within the EU to a country outside the EU must meet additional requirements and is prohibited in certain circumstances.

In so far as the tax authority meets all the requirements, the provision of information is not in itself in breach of privacy legislation. However, the lawfulness of the provision of data may be difficult for data subjects to assess even if sufficient information is provided by means of a privacy policy. 

What information should you provide?
The Dutch tax authority has been taking increasing measures to obtain information on taxpayers. This could result in an unauthorised violation of the relevant data subjects' privacy. Despite what we've heard about the tax authority becoming increasingly aware of privacy legislation, you will have to keep assessing whether the information requested may actually be disclosed. We will be able to provide advice when you analyse this question. 

Sign up for our newsletters