Private crime fighting must not lead to excesses

Background: financial privacy and companies with government functions

Meanwhile, it has emerged that private crime-fighting activities can lead to improper treatment of customers.

Harmful action can affect anyone, such as the Dutch ruling in the case of an ICT expert whose accounts were blocked without good reason by payment service provider bunq. Strangely, according to this ruling, bunq did not have to account for its incorrect action.

In practice, it is particularly certain groups that are affected by improper action from obliged entities, such as people from minority groups and those making cash payments.

Although the banks and the finance minister have promised that the nuisance to innocent citizens will be reduced, practice shows that obliged entities still cause nuisance. One example is a bank asking a novice entrepreneur probing questions about the business model of his sole proprietorship and asking for detailed information about customers and relations. These are questions that you would expect from a tax inspector and go much further than might be expected from a bank (e.g. because personal data of third parties are requested). Such questions are asked by banks under threat of blocking the bank account and terminating the relationship; for the customer concerned, this is terrifying. Often, another problem is that the questions are not well understood and therefore answered incorrectly.

Privacy First believes that the fundamental rights of citizens must be respected even in the privatised crime fight. Financial personal data must be handled carefully.

Automated risk profiling

Part of anti-money laundering is that large obliged entities are expected to track their customers by digital means and constantly analyse their transactions and other actions to see if the customer is criminal. Analysis systems are being developed secretly in this area. These systems are expected to be deployed jointly by the major banks, perhaps even at European level. New European anti-money laundering and financial services rules offer new opportunities for financial institutions and governments to analyse the entire payment traffic in search of criminal money (‘banking dragnet’). Privacy First considers this a dangerous development as there is no guarantee that people's financial personal data will be handled carefully.

Our activities

Our focus on financial privacy in crime fighting prompted Privacy First's activities mentioned below.

Participation in NEN consultation on preventing discrimination in risk profiling

For several years, Privacy First has been increasingly active (in several areas) with the Netherlands Standardisation Institute (NEN). On 17 April this year, Privacy First participated in the NEN consultation about the ‘Dutch Technical Agreement on profiling algorithms‘ (NTA). In the consultation, we pointed out, among other things, that the draft NTA is not suitable for risk profiling in crime fighting. We support the criticism by civil rights organisations that were part of the preparatory committee that indirect discrimination based on ‘race’, nationality and other grounds of discrimination in profile in the context of enforcement or monitoring by the government or companies performing government tasks is never allowed.

In our consultation response, Privacy First warns of the danger of users of profiling systems excessively harvesting personal data to use for the ‘good purposes’ they have in mind. Among other things, the draft NTA talks about using a large amount of personal data to analyse or predict people's job performance, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. In Privacy First's view, this is undesirable.

We made several other comments, including on ‘meaningful human intervention’, which will not be possible in a number of cases, for example in anti-money laundering. Moreover, the requirement of explainability of automated decisions is not met in anti-money laundering.

The draft NTA lacks mature arrangements for involving those affected by risk profiling, i.e. citizens and civil rights organisations. Privacy First calls for mature governance of profile systems, including adequate feedback opportunities and an independent ombudsman function.

Comments on ECRI report on the Netherlands

At the request of the Dutch Ministry of the Interior and Kingdom Relations (BZK), on 28 April we gave the following response on the report on the Netherlands released by the European Commission against Racism and Intolerance (ECRI). Privacy First recognises many elements of the report, but draws BZK's attention to the fact that some aspects receive too little attention. That concerns in particular the systemic flaws in the European anti-money laundering rules, which lead to discriminatory behaviour by government agencies and by companies that perform government tasks under those rules, including banks. Part of those rules is that anyone with a relationship with a so-called ‘high-risk’ country for crime is itself considered an increased crime risk. Relationships with neighbouring countries can also lead to extra scrutiny. In practice, this leads to discrimination and disproportionate customer scrutiny, which could only get worse under the new European anti-money laundering regulation that comes into force next year. On top of this, ECRI does not realise that algorithmic discrimination is also an issue for the companies implementing the anti-money laundering rules.

Privacy First calls on ECRI to pay more attention to the privatisation of government tasks to companies and to identify systemic flaws in anti-money laundering rules. Furthermore, legal protection should be improved and it is important that stronger safeguards are created in the case of algorithmic profiling by companies.

Participation in consultation of European anti-money laundering authority AMLA

On 6 May, Privacy First participated in the consultation from the new European anti-money laundering authority AMLA on their draft detailed rules on customer due diligence (draft RTS). In our response, we criticised, among other things, the one-size-fits-all system, AMLA's proposal to make the European Digital Identity (EUDI wallet) de facto mandatory and the financial personal data that, according to the draft RTS, should always be requested even if there is no good reason for it.

Our letters in response to the opinion of the State Commission against Discrimination and Racism

Early last May, the Dutch State Commission against Discrimination and Racism (SDR) released the advice ‘Principles of profiling. A critical perspective on the government's application of data-driven profiling‘ out. In the accompanying news release advises the SDR to stop data-driven profiling by the government for discrimination.

This opinion prompted Privacy First and the Dutch section of the International Commission of Jurists (Nederlands Juristen Comité voor de Mensenrechten, NJCM) to launch a joint letter to several committees of the Dutch House of Representatives and relevant Dutch ministers. In this letter, Privacy First and NJCM indicate that SDR's advice is also relevant to privatised crime fighting (money laundering) and that data-driven profiling should be stopped there too.

Privacy First also brought SDR's opinion to the attention of the European anti-money laundering authority AMLA, stating that the report's findings apply to data-driven profiling under European anti-money laundering rules.

In conclusion

Privacy First continues to monitor developments critically and welcomes support from professional volunteers who have knowledge of the above-mentioned topics. Tips and practical experiences that may be useful for our activities are also always welcome.