Credit registration in the Netherlands: BKR in current form should disappear
Financial personal data, such as income, expenses and debts, are confidential data that must be handled very carefully. Privacy First has chosen financial privacy as one of its focus areas and therefore participated in the legislative consultation on the future of the Bureau Kredietregistratie (BKR). Below you can read our main views.
Criticism of BKR
In the consultation 'Credit Registration System Act', the Ministry of Finance proposes to leave the position of BKR unchanged, while it is common knowledge that the current credit registration system is not functioning properly. There have been many proceedings by citizens about unjust BKR registrations and a large number of questions have been asked by members of the House of Representatives about the state of affairs at BKR. In April this year, there was a broadcast by consumer programme Radar about this [1].
Recently, BKR has lost several proceedings over BKR's application of the General Data Protection Regulation (GDPR). In 2021, for instance, the Supreme Court determined that BKR itself is a data controller. In 2023, it took a ruling by the Arnhem-Leeuwarden Court of Appeal to establish that BKR, as a data controller, must itself assess deletion and correction requests. It makes it clear that BKR did not take its responsibility when it could have known long ago that it must comply with the AVG.
On top of this, BKR is a commercial organisation that acts in the interests of lenders and other customers (especially municipalities in the context of debt relief) and pays too little attention to the interests of citizens.
Our views
Privacy First, in its consultation participation advocates that the entire system of credit registration in the Netherlands should be addressed. To start with, the current mandatory credit registration for financial institutions should be placed under an independent organisation. That organisation should be set up to safeguard the interests of citizens (debtors).
We believe that the new regulations should make a clear distinction between the parties that are allowed to provide information on the debts people have ('lenders') and other stakeholders that are allowed to access information, such as municipalities in the context of debt relief. If lenders are not licensed under the Financial Supervision Act, they will have to meet certain requirements for participation, including integrity and good internal organisation.
The BKR has consistently acted as a passive registration body. Privacy First finds this undesirable, now that practice has shown that lenders, even if they are large financial institutions, regularly fail to act with due care towards their customers. Our proposal is that when citizens complain, the new organisation will have to actively check whether lenders have acted correctly. The organisation's action may then also lead to an improvement in the lender's attitude.
Privacy First makes several other proposals, including that the new organisation keep registered citizens informed about the registration, its changes and who has had access to it. Furthermore, we propose improving legal protection for registered citizens. Finally, we believe that all forms of credit registration should become subject to licensing, including credit registration by trade information agencies and foundations that maintain blacklists of defaulters for certain industries.
Privacy First's full consultation response can be found at HERE can be accessed (pdf).
[1] Mr Frank Visser wants to tackle unjust BKR registrations, https://radar.avrotros.nl/uitzendingen/gemist/item/mr-frank-visser-wil-bkr-registraties-veranderen/