Your bank account: the shortcut to your private life (part 1)
The Referral Portal Bank details
If you have a bank account (and who can do without one?) then many government departments, to a greater or lesser extent, have access to your private data. How does that work?
In a series of short articles, Privacy First clarifies what data agencies can already access and what more is in the pipeline. Part 1 of this series is about the Banking Data Referral Portal.
What is the Banking Data Referral Portal (VB)?
The Banking Data Referral Portal (VB) is a digital counter for fully automatic provision of certain banking data to authorised government agencies. The banks are obliged to provide this data. Currently, 10 government bodies are affiliated to the VB. Since September 2020, they can retrieve name/address/residence of account holders via the portal and check whether surcharges are paid on the account. They can also check what other products the account holder purchases from the bank, such as a safe deposit box. The bodies with access are in part investigative bodies such as the Police, FIOD, Public Prosecution Service, the Royal Military Police and the National Criminal Investigation Department, but the Tax and Customs Administration can also access the portal.
Parties that still want to join the VB are the Central Judicial Collection Agency (CJIB) and bailiffs. They too find it convenient to be able to access these data directly "to better perform their tasks".
Expansion plans
The minister made it clear in 2021 that she intends to expand the VB so that member agencies will now also have fully automated access to all balance and payment details of account holders.[1] The minister also wants these bodies to be able to access the e-mail address, mobile phone number and International Mobile Equipment Identity number (IMEI number) of the mobile phone the account holder uses to conduct his banking business.
This will greatly expand the VB: a selection of government agencies will have full automatic access to the payment details and mobile numbers of millions of account holders. A bill has already been assessed by the Council of State but has not yet been submitted to the House of Representatives. The minister recently made it clear that she will not proceed with this until it is clear that the VB is being "correctly used" by all connected bodies. That is not clear at the moment.
Why does the VB exist?
The existence of the VB is partly driven by European rules on the detection of crime ('money laundering') and terrorist financing, but this is not the whole story. The planned, substantial expansion is a national desire. Furthermore, the Dutch legislator chose to use the banking portal also for administrative control purposes, while European rules actually preclude this.[2] For example, the Inland Revenue's benefits department has access to your bank details for assessing entitlement or determining benefits. The regular department of the Inland Revenue has access to your bank details "for tax collection". The CJIB wants access to your bank details because it is "convenient" for the collection of fines.
Is access to the VB controlled?
According to the law, for the first five years after the start of the VB, the use of the portal would have to be audited every year by the Audit Department of the State. After that, monitoring was supposed to take place every two years. The law has not been complied with in this regard. Over three years after the VB came into force, there have been three one-off audits by the Police, FIOD and JustID, the body that works as a conduit between banks and member agencies."[3] So there is no visibility at all on correct use by other agencies, including, for example, the tax authorities or the public prosecutor's office.
Figures published by the minister show that the Police and the Inland Revenue are the major users of the portal. The Police accessed the system about 40,000 times in 2022; some 50,000 police officers have access. The Tax Authority made about 700,000 uses of the system.[4]
Privacy First position
Privacy First was pleased to learn that the minister is at least pausing with further expansion of the VB. Privacy First believes at the same time that fundamental(r) questions need to be asked with this portal.
Privacy First believes that the portal's vague objectives (from detection to taxation) do not legitimise the government's fully automatic access to all citizens' banking data. It is essential that the government demonstrably respects citizens' fundamental rights when using the portal and does not unnecessarily delve into private data. It is inappropriate to use bank accounts as a central element in the monitoring and investigative tasks of a host of agencies with different, not always clearly defined tasks, even without proper monitoring of duty-of-care compliance.
Citizens cannot do without bank accounts and must be able to trust that the government respects fundamental rights.
[1] Overheid.nl | Consultation Amendment decree on banking data referral portal (internetconsultation.nl)
[2] Directive (EU) 2019/1153 - Rules to facilitate the use of financial and other information for the prevention, detection, investigation or prosecution of certain criminal offences, recital 11
[3] Parliamentary paper 35238, no. 8 | Overheid.nl > Official notices (officielebekendmakingen.nl)
[4] Annual statutory reporting VB 2022 via: Annual report VB 2022 (officialreports.co.uk)