When the Local DPA Needs Nudging: HRIF.EU Challenges Dutch Authority Over Mass Financial Surveillance

May 25, 2025, Amsterdam

Across Europe, civil society organisations have proven essential in holding data protection authorities accountable when enforcement fails. That’s the lesson noyb (None of Your Business) has demonstrated at the EU level — becoming the most effective GDPR enforcer where regulators hesitate.

On Friday, HRIF.EU acted — again — where the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) remains silent. The foundation has filed a formal legal appeal against the Dutch DPA for failing to take a decision in a case involving mass unlawful transaction monitoring by Dutch banks. The goal is clear: force enforcement, prevent repetition, and protect human rights before the system resets itself in 2026.

But who is HRIF.EU: Human Rights in Finance (EU)?

In the Netherlands, Human Rights in Finance.EU (HRIF.EU) fulfils an NGO role in the financial domain — a sort of local twin of noyb, but with a unique profile.

HRIF.EU blends the human rights commitment of Amnesty, the privacy focus of digital rights NGOs, and the systemic analysis of financial justice movements. Our unique combination of risk, compliance and insider expertise allows us to operate in a sector that is too complex, opaque, and insular for most traditional NGOs to monitor effectively — yet one where human rights are increasingly at stake.

And we gain recognition for our work. Just last week, the Dutch VCO — a national network of professionals in ethics, integrity and compliance — announced that one of its members has nominated HRIF.EU for the 2024 VCO Ethics, Integrity & Compliance Award (formerly the National Compliance Award; please give us your vote), honouring our contribution to upholding rights, exposing structural failures, and restoring accountability where oversight fails: we stopped the Dutch banking dragnet where the government just stood by and tacitly approved.

Background: the Dutch DPA is ill-funded (as a political fact)

While financial regulators in the Netherlands can fully fund their supervision activities, with hundreds of millions of euros in resources, by sending their invoices to the supervised organisations (unjust, overdone and a violation of the ownership principle, but that’s a different discussion), the Dutch DPA is held on a leash and only gets a meagre 37 million euros in public funding. This is, of course, a reflection of political priorities, but it does explain why the AP has a hard time enforcing the law even against illegal mass surveillance.

This is reflected in noyb’s January 2025 enforcement report, which revealed that most European data protection authorities rarely impose fines. The Dutch AP came in last, issuing fines in just 0.03% of cases between 2018 and 2023. This is despite a €37 million budget and a 62% increase in funding since 2020.

“Authorities have all the necessary means… Instead, they frequently drag out the negotiations for years – only to decide against the complainant’s interests all too often,”
said noyb’s Max Schrems.

Whereas noyb takes on Big Tech and all kinds of sectors, HRIF.EU takes on Big Finance — exposing how surveillance, automation, and discrimination unfold inside anti-money laundering systems, devised far from the public eye, but with a day-to-day impact that hurts many account holders.

One Complaint, Millions of Citizens and Billions of Data Points at Stake

The AP’s inaction centers on a GDPR complaint filed by HRIF.EU in 2024. It concerned 407 bank transactions by its chairman — 112 of which included special category data (medical, religious, political). These were unlawfully shared through Transaction Monitoring Netherlands (TMNL) — a private data infrastructure created by five major Dutch banks (ING, ABN AMRO, Rabobank, Volksbank, Triodos) to jointly scan financial transactions for suspicious activity.

But this case represents more than one person. Based on the technical structure of TMNL, HRIF.EU estimates that the system facilitated the illegal processing of over 6 billion data points, including 1.5 billion sensitive ones, affecting millions of Dutch bank customers. And TMNL didn’t end because the AP intervened. It collapsed only after public pressure and legal escalation by HRIF.EU. In essence, HRIF explained with a legal opinion how the dragnet was also a crime under penal law. That was enough for AWS to pull the plug on the banks’ joint system.

Dutch treat: we aim to over-achieve things in the KYC-AML-corner and legality is a side issue, not a prior constraint

But in the Netherlands, we do things differently. If banks, government and financial supervisor agree, they don’t care about the GDPR or Dutch penal law. They set up systems of unusual transaction reporting where the EU only wants suspicious transaction reporting. We open up public government databases to the banks only. We do mass monitoring of sensitive personal data without having a law in place.

So we are in a groupthink tunnel where we do things on local terms, with little respect for the public and little transparency. This is a well-reported fact, and already in 2020 Dutch scientific researchers put it this way:

Collaborative platforms such as the FEC Project TF and the TF Taskforce have, so far, provided very limited public reporting. Expanding and safeguarding the legal basis of these initiatives could benefit from a public and informed discussion on their effectiveness, proportionality, and procedures.

Despite the HRIF success, no lessons appear to have been learned in the groupthink policy community of the Netherlands. On May 14, 2025, the Ministry of Finance publicly announced its intent to restart joint transaction monitoring in 2026 — without a new legal basis, without transparency, and without fundamental rights guarantees.

So there has been no apology, no accountability, and no meaningful debate. Just a quiet admission that the state intends to resume what it previously allowed to collapse under legal pressure.

This is an interesting and asymmetric display of power play by our government. On the one hand, the shift to reporting of suspicious transactions in the Netherlands is delayed ‘until we have it all clear and all rules are in place’. Yet on the other hand, the possibility of sharing transaction data between banks (possibly under limitations and rules that are partly still to be determined by the EDPB etc.) for suspicious transaction reporting is being fast-tracked to 2026.

The Dutch DPA, Autoriteit Persoonsgegevens, now needs to act to prevent the system from reloading

In response to its 2024 complaint, HRIF.EU sent the AP a formal notice of default on May 2, 2025. The legal deadline to respond has passed. Yet no decision has been issued. Not even a procedural letter. Just silence. This is not a technical delay. It is a strategic void — one that allows the financial system to quietly reorganise for TMNL 2.0, while denying citizens the right to redress.

At the same time, the banks have begun erasing their tracks. Only ABN AMRO disclosed full data to HRIF.EU. The other banks now claim they “can’t retrieve” or “no longer hold” the monitored transactions — shielding themselves from scrutiny and blocking future complaints. And while they do so, the Dutch government says, we’re gonna do it all over again.

This kind of institutional amnesia and disrespect for privacy is exactly what the GDPR was meant to prevent and correct. It is clear that the AP needs to act now, otherwise it risks becoming irrelevant in one of the most far-reaching data protection scandals in Dutch history. And it risks sending the wrong message to banks and ministries alike: you can build illegal surveillance infrastructure, and walk away without consequence.

If civil society must go to court to enforce the law — so be it. If all our calls to do the right thing fall on deaf ears, that is what HRIF.EU will do. And this time, we won’t walk away until the system is stopped before it restarts.

Why HRIF.EU Is Acting — and Why It Matters

As the only organisation in the Netherlands that successfully dismantled TMNL, HRIF.EU has now taken the next step: forcing the regulator to act, and demanding real enforcement before surveillance restarts.

HRIF.EU has legal standing based on the individual case, but also a clear mandate to act in the public interest. It represents those who may never be able to prove they were monitored — because the system was designed to hide itself.

This is about more than compliance. It is about restoring the authority of the law over a financial sector that has come to see surveillance as default — and rights as optional. It should be the other way around: human rights by default, surveillance only when strictly necessary — and always under the law.

Support HRIF.EU — While There’s Still Time to Act

Of course, this case takes energy, time and resources. Feel free to share our news and our role with friends. Vote for us in the Dutch context, so we may receive the VCO Ethics and Integrity Awards. And of course your donations to our foundation are more than welcome.