On November 11, 2024, the Dutch data protection authority (AP) published a report on the Education Executive Agency's (DUO) use of algorithms in the context of education, finding the DUO in violation of the General Data Protection Regulation (GDPR) following its investigation.

Background

The AP highlighted that the DUO used an algorithm to assess risk factors when monitoring the abuse of non-resident grants by students. The algorithm assessed criteria including:

• the type of education, with secondary vocational education courses resulting in a higher risk score than a higher vocational education or university education;
• distance, with a shorter distance between the student's home address and that of their parents resulting in a higher risk score; and
• age, with the lower age of a student resulting in a higher risk score.

Findings of the AP

The AP found that the risk factors above were based on 'experience and common sense' without objective justification being used as a means of discrimination. Students subject to a higher risk score were liable to more checks and a home visit of the DUO, with approximately 21,500 students selected and checked for fraud between 2013 and 2022. Students with a non-European background were also given a higher risk factor under the algorithm used by the DUO.

Accordingly, the AP held that the DUO, in directly distinguishing between students without there being an objective justification for the risk factors and distinction, violated Article 5(1)(a) of the GDPR for the absence of a valid legal basis for the processing of personal data.

Outcomes

In light of the above violation, the AP held that the Minister of Education, Culture, and Science, as the relevant controller for the processing of personal data by the DUO, noted that the Minister acknowledged the discrimination in the monitoring process and apologized on behalf of the Dutch Government for violation of the GDPR.

You can read the press release here and the report here, both only available in Dutch.