Help Us Make the Dutch Data Protection Authority Enforce the GDPR !
The Dutch Data Protection Authority (AP) last month issued four decisions on the banks’ bulk transaction-monitoring dragnet—and looked away. After 18 months, of investigation the AP now says it “needs more research,” but won’t do it. Meanwhile the harm persists in customer files.
What we proved—and stopped:
- Our legal opinion (also in English: see here) showed the dragnet was unlawful. Banks shut it down the day they received it—no court order needed – just a lot of legal pressure.
- We provided the AP with 407 unlawful transaction samples, including 112 with special-category data (religion, health, political views).
- The AP asked us to revoke the complaint, we refused and asked them to enforce
- The AP refused to move so we started a court case in order for them to decide
- The decision says ‘further investigation into the facts is necessary’, denying HRIF.EU legal standing under article 80 of AVG and suggesting to “look to the future” while past violations remain unremedied.
Why this matters to all citizens and privacy fighters in the world?
This was AI-supported financial mass surveillance—billions of payment records pooled and screened, between 2021 and 2024, by 5 banks (ING Bank, ABN AMRO, Rabobank, Triodos Bank and Volksbank). Any individual in the world that in those years sent out a payment to SMEs and charity organisations at those banks was put in the dragnet and monitored for being a money launderer and/or terrorist. For the Netherlands alone this amounts to 10 billion plus transactions. But there is more.
In the pool, in violation of article 9 GDPR, sensitive personal data was monitored, while the Dutch DPA had already issued/re-affirmed a prohibition to do so in a prior consultation advice of 2019. And right now we have internal whistle-blower information in the files that demonstrates all banks, AP and DNB knew of this violation. The AP-decision thus demonstrates that there is a classic Dutch condoning agreement in place, which is more important then the GDPR.
HRIF.EU is set up however, not to condone human rights violations but to make sure supervisors and Data Protection Authorities respect human rights, enforce the GDPR and act upon infringements. Especially the ones of the size of this banking dragnet, which spanned the world, as all incoming payments of any person in the world towards SMEs at those five banks was being monitored.
We need your support !
Your support helps set a GDPR precedent that limits data-sharing, abundant AI applications and strengthens privacy-preserving finance across Europe.
What we’ll do with your support
We’re taking the AP to court to compel enforcement against the banks. We took the case this far – until decision moment – on our own budget, assuming that the DPA would hand us the recognition of the facts.
Now that the Dutch DPA is afraid to look the facts in the eye, we will need additional funds for litigation support and further research and expert filings.
Donate now: in particular if you’re not Dutch !!
- Click the PayPal button on the above right part of our website to contribute (fast & international).
- Bank transfer: Human Rights in Finance (EU) — IBAN: NL94 TRIO 0320 7857 85.
- Netherlands-based donors: please keep individual gifts ≤ €2,500 (we follow a “many small donations” model),
- Outside the Netherlands: no cap—your generous support is welcome.
- Want extra anonymity? Use our geef.nl campaign; we don’t receive your personal data there (a small platform fee applies).
Every bit helps. Let’s make the AP enforce the law.
PS. We are – on purpose – not a registered charity to ensure your anonimity towards government and prevent the tax authority from retroactively denying us from this position (and thus being able to bankrupt us by clawing back prior donations). They are now doing this to one of the oldest charities in the Netherlands – the Concertgebouw Amsterdam.