Money Control in Belgium – your bank account speaks louder than words, and the tax authorities are listening
When looking for potential fiscal fraud cases, tax authorities have only a limited amount of data sources available to them. But what if they could proactively start looking into your bank accounts, even if you’ve done nothing wrong? A Belgian law, dubbed “Money Control” by its critics, aims to pioneer in controversial terrain.
In late 2025, a controversial Belgian legislative proposal to combat tax fraud reignited fundamental debates on privacy, algorithmic governance, and the rule of law. The proposal was pejoratively dubbed Money Control by its critics, and even led to a fairly unique filibuster in the Belgian Parliament. At its core, the draft law envisages shifting from traditional, suspicion-based fiscal inquiries to proactive scanning of financial data using algorithms, raising acute concerns under EU data protection and fundamental rights frameworks.
Context: the Money Control vision in a nutshell
Under current Belgian law, tax authorities have a multitude of sources at their disposal to identify potential tax fraud cases. One of these is the Central Contact Point (Centraal Aanspreekpunt or Point de contact central - CCP), a database maintained by the National Bank of Belgium containing financial account information such as bank account holders, account balances, and related financial contract data. Traditionally, however, the tax authorities may only access it when there are specific and clear indications of fraud.
The contested amendment, embedded in a much broader piece of reform legislation, would significantly expand this power. Among other points, it proposes the integration of CCP data into the Ministry of Finance’s data warehouse, and provides a mandate for the AI-assisted datamining of these datasets with the explicit objective of detecting anomalies and risk patterns across the entire population, absent any prior suspicion of wrongdoing. The envisioned system would continuously process financial data of all taxpayers, including bank accounts, securities and potentially crypto accounts, in order to generate risk profiles that can trigger further scrutiny.
Proponents reasonably argue that enhanced data analytics and AI integration will improve the fight against increasingly sophisticated tax evasion schemes. Opponents predictably counter that the proposal effectively treats every citizen as a potential suspect and undermines the very premise of targeted fiscal enforcement.
Data protection compliance – fundamental criticisms
The Belgian Data Protection Authority issued a critical and detailed opinion on the proposal (Advice nr. 36/2025, available in Dutch and in French) in May 2025. While the Authority supported, in principle, targeted access to the CCP when already existing indications of tax fraud justify such access, it expressed strong reservations about the planned integration of CCP data into a ministerial data warehouse for generalised datamining, matching and profiling, highlighting that this would constitute a severe interference with data protection rights. The DPA’s analysis notably highlights the following legal failings:
Necessity and proportionality: The draft law does not adequately justify why a shift from reactive, suspicion-based access to a proactive, data-first regime is strictly necessary in a democratic society. Without robust justification, the interference bears little resemblance to legitimate, proportionate processing.
Finality and purpose limitation: The proposed broad integration of CCP data into the data warehouse for profiling and datamining collides with the reactive purpose for which the CCP was originally authorised. It is a clear example of scope creep, and the DPA warns against conflicting processing purposes, undermining the finality principle that underpins sound data protection governance.
Automated individual decision-making: The use of AI to generate risk profiles with potential real-world consequences triggers certain mandatory protections under the GDPR. The Authority expressed its concern over the lack of detail regarding the scope of human oversight, the risk models, and criteria for subsequent intervention.
Duplication of authentic sources and data minimisation: The plan to replicate CCP data into a separate data warehouse raises concerns with respect to data minimisation and the once-only principle, which safeguards against unnecessary duplication and expanded use of personal data. Duplicating a sensitive database also increases the risk of incidents.
Overall, the DPA considers that the draft legislation fails to meet the stringent thresholds of necessity and proportionality under EU data protection law for the envisaged mass processing of financial data, and the linked profiling of taxpayers.
AI inspectors watching your bank accounts?
One of the pillars of the proposal is the algorithmic datamining of CCP data. Following pseudonymisation of the original (directly identifiable) CCP data and transfer to the Ministry’s data warehouse, algorithms would be used to determine risk scores and risk profiles of the pseudonymised account holders, to identify potential fraud situations (e.g. on the basis of suspicious bank transfers or offshore account holdings), and to identify priority targets for further investigation. In other words, algorithms would assist in singling out persons to be audited.
From an AI governance perspective, the proposal likely collides with evolving EU norms on trustworthy and transparent AI. Although the European AI Act is not yet fully in force for all high-risk scenarios, its principles underscore the importance of risk management, human oversight and transparency in systems that materially affect individuals’ rights and freedoms. It is not clear whether or how the Belgian law would clear that bar.
Deploying AI models on sensitive financial data without clear specification of the models, transparency of logic or explainable outputs amplifies the risk of opaque profiling and disparate impact. Historical precedents such as the Dutch childcare benefits scandal, where automated risk profiling led to wrongful allegations against thousands of families, illustrate how algorithmic systems can embed biases and produce hallucinations with grave consequences.
Moreover, without robust safeguards including documented impact assessments, human-in-the-loop mechanisms and meaningful notice to data subjects, such a system risks contravening fundamental EU values on fairness and accountability.
Further challenges ahead
Despite these doubts, the proposal was adopted in December 2025. Procedures before the Belgian Constitutional Court seem inevitable, however. In that case, the Court will undoubtedly need to take into consideration the recent Ferrieri decision of the European Court of Human Rights, which looked critically at the requirements for tax authorities to access bank account data. That precedent may not bode well for the future of Money Control.
More generally though, Belgium’s experience serves as a cautionary tale, in several ways. Firstly, it shows the dangers of scope creep, where the creation of an initially fairly well defined database with a clearly delineated mission statement also created a very easy target for abuse: once the data is there, it’s very tempting to just take the next step and use it for much, much more.
Secondly, it illustrates that technology may indeed enhance enforcement efficiently, but that it should be tethered to legal safeguards that protect individuals’ rights and maintain public trust. Without scrupulous calibration, even well-intended systems can slide toward Orwellian outcomes.
Article provided by INPLP member: Hans Graux (Time Lex, Belgium)
Dr. Tobias Höllwarth (Managing Director INPLP)
