Selling something through Vinted? There goes your privacy
A new directive requires digital platforms such as Airbnb and Vinted to start storing citizen service numbers (BSN) on a large scale. A very undesirable situation, in my opinion. Therefore, I wrote the opinion piece below that was published today in the Dutch national newspaper Trouw.
A new European directive requires hundreds of digital platforms and marketplaces to collect and exchange information about their sellers with the local tax authorities. This is a new measure to combat tax evasion. The directive, called the DAC7, applies throughout the European Union and is integrated into national legislation per country. So too in the Netherlands.
The new directive focuses on digital platforms and marketplaces that are operating in Europe and where users generate income. Among those users are also many consumers. Think, for example, of people who rent out their homes, or their cars, or who offer their services via Internet platforms or sell second-hand clothing, for example. Anyone who makes at least 2,000 euros a year in revenue will have to deal with this reporting.
Is the solution proportionate?
The idea behind the directive is clear, but is the solution proportionate? That is very much the question. The law seems to be implemented in the Netherlands in such a way that our BSN will be registered, because that is also the tax number of the consumer. So if you rent out your house through Airbnb (a company in Ireland and the U.S.) or sell your second-hand clothes with Vinted (Lithuania), those companies will record your BSN. This applies to hundreds of platforms in the Netherlands and Europe, which will have to store databases of citizen service numbers on a large scale. The question is whether this will be done properly and securely everywhere, especially in these times when cybercrime and identity fraud are rampant.
In the Netherlands, we have always attached great importance to the privacy aspects surrounding BSNs. If this legislation is introduced, this will be compromised. It is completely unclear as to why this large-scale data collection is necessary and why the principle of data minimization has not been applied. Why not just capture and verify bank accounts? Less easy for the tax authorities, but millions of times safer.
And the Data Protection Authority? They have apparently given up on protecting the BSNs as well, because it has not given any significant response to the bill. The legislation passed through the House fairly quietly and, from a European perspective, should come into effect by January 1, 2023.