Tax compliance and privacy rights in profiling and automated decision making

New technologies allow tax authorities to carry out faster and automated analysis of large amounts of data, minimising errors and saving time. Some of these technologies enable tax administrations to identify and cluster taxpayers based on the risk of noncompliance. Consequently, “high risk” taxpayers will be audited. The European Union General Data Protection Regulation (GDPR) has introduced new provisions on automated decision making and how individuals can be profiled; technology, such as the one implemented by tax administrations, could present difficulties in this area. Even if profiling and automated decision making in tax matters are included in the broader public interest exception, safeguards to taxpayers’ privacy rights need to be in place.


INTRODUCTION
decision making pursuant to the GDPR definition of these two key notions. The third section highlights how in the context of the GDPR, the European legislator has tried to balance tax compliance needs with individual privacy rights. Finally, section four describes the policy implications for EU member states deriving from the relation between GDPR provisions regulating profiling and automated decision making, and the instruments at tax authorities' disposal in the fight against tax evasion and fraud.

SECTION 1: ICT TOOLS USED BY TAX ADMINISTRATIONS
As recent studies conducted by the Organisation for Economic Co-operation and Development (OECD) and the Intra-European Organisation of Tax Administrations (IOTA) show, tax administrations around the world have integrated new technologies to improve their tax collection mechanisms (OECD, 2016a; OECD, 2016b; OECD, 2017; IOTA, 2018). Indeed, and more generally, revenue agencies need technologies in order to address transparency of operations, greater efficiency and responsiveness to the needs of government and taxpayers. The implementation of new technologies by tax administrations varies around the world and from developing to developed countries (Kariuki, 2014). The need for IT is also reflected in the budget of tax administrations and requires careful management (OECD, 2016a; OECD, 2016b).
In the last two decades, tax administrations have used ICT in different ways to enhance the performance of revenue administration, including: to provide readily accessible historical data; to reduce mistakes, processing times and costs; to improve and promote voluntary compliance and consequently increase revenue collections (Smith, 1969; Edwards-Dowe, 2008; Chatama, 2013; Kariuki, 2014). Some administrations will use new technologies just in order to perform their core and basic tasks such as: registration, processing, payment and accounting, audit targeting and debt collection (OECD, 2016a; OECD, 2016b; IOTA, 2018). Recent examples of ICT implementations in tax matters can be found in Slovenia, where certified electronic cash registers are connected to the tax administrations, which are informed about transactions in real time; also, in Chile or Italy, where an Electronic Invoicing System has been adopted which directly connects the taxpayers and the tax administrations (IOTA, 2018). However, more broadly, examples of possible ICT tools used by tax authorities typically include: e-filing of tax returns, e-payments, data sharing and data matching, taxpayer self-help portals, chatbots for technical enquiries (IOTA, 2018). These instruments rely on automated data matching, precedent databases, campaign management and rules-based systems. Data matching is fueled by the information that was gathered through several records and includes third party information as well. This information is typically used to assess the information which was provided by the taxpayer and a database informs the formulation of tax rulings. Finally, these systems, based on the data they are fueled with, might be enabled to decide what actions should be taken, such as sending communication to the taxpayer about their tax situation (Kariuki, 2014).
In a recent study, the OECD has highlighted the benefits of ICT used for tax and a lot of attention has been given to the role of Big Data and advanced analytics techniques for tax administrations (OECD, 2016a). Referring to the collection of Big Data from third-party sources which could be then combined with tax data, the OECD underlines how this will allow revenue bodies to develop and create tailored e-services that target the specific needs of individual and business taxpayers (OECD, 2016a). With reference to Big Data, they could improve the ways in which revenue bodies examine and understand the activities and taxpayers' behaviour through several implementations of Big Data for information storage, the analysis across multiple periods, compliance, control and risk management activities, identifying and tracking changes in taxpayer abilities and performance to enable revenue bodies to respond more effectively and in a timelier manner and for supporting whole-of-government outcomes by sharing insights and information (Ehrke-Rabel, 2019a; IOTA, 2018).
Regarding advanced analytics techniques, a 2016 OECD survey showed that advanced analytics is the principal application for audit case selection (OECD, 2016a). Moreover, 15 out of the 16 tax administrations that answered the OECD survey indicated that they were deploying advanced analytics to prioritise cases for investigation, audit or other compliance intervention (OECD, 2016a). According to the same OECD study, administrations generally create unsupervised models, that is, models seeking to identify interesting or anomalous patterns in the data, rather than trying to learn from the outcomes of specific cases. Moreover, tax administrations such as the Irish and the Dutch ones have experimented with unsupervised segmentation techniques. These techniques represent a sectorial application of the broader cluster analysis through which it is possible to identify groups of taxpayers who are similar to each other in some significant respects, and dissimilar to the other groups identified (OECD, 2016a). Ireland has also adopted an alternative approach to segmentation, which focuses on grouping taxpayers based largely on their predicted response-to-intervention. According to this model, if all taxpayers have the same response to a given intervention, then there is little practical value in segmentation, whereas if there are large and consistent differences in response-to-intervention, then segmentation is worthwhile. This approach is based on uplift modelling techniques, which are likely to create multiple segmentations; ultimately, each type of intervention would require a different segmentation of the taxpayer base (OECD, 2016a).
Two examples of unsupervised models can be found also in the Australian nearest neighbours model, which is able to identify incorrect income tax deductions, and in the Irish income-consumption model, aiming at the identification of under-declaration of income (OECD, 2016a).
The common element in both models, even though they use different statistical techniques (k in the case of Australia's nearest neighbours model and multiple regression for Ireland's income consumption model), consists of comparing a taxpayer's return to those of his or her peers. In this way, it is possible to identify outliers for further investigation, and also to identify cases which, even though they may appear unusual on initial inspection, are in fact normal once compared to other, similar cases (OECD, 2016a). Other examples of implementation of advanced analytics are the Swedish predictive model to specifically identify unreported income, as distinct from over-claiming of deductions, and the US structured income flows model, which links the analysis of related entities to uncover misreporting at the entity level and noncompliance associated with the structure of income flows (OECD, 2016a).
In the 2016 OECD survey, it also emerges how tax administrations are using both predictive and prescriptive techniques. The first ones aim at identifying taxpayers who are more likely to fail to meet their obligations, while the second ones are implemented to verify which is the most effective way to communicate to a certain group of taxpayers. Regarding predictive techniques, tax administrations from countries such as Australia, Canada, Norway and the United Kingdom have implemented programmes for risk modelling and controlled experimentation that identify which cases are likely to fail to meet payment or filing obligations, and which interventions are likely to remedy the problem. In these cases, analytic outputs are used both to prioritise cases and to determine treatment paths. For example, the United Kingdom has built models that are able to assess taxpayer risk prior to filing (e.g., determining which taxpayers are most likely to miss filing deadlines) in order to target interventions to encourage compliance (OECD, 2016a).
An example of prescriptive-analytics technique is the so-called experimental design where treatment and control groups are partitioned and observed in order to isolate the effects of specific actions, interventions, or treatments. This instrument is particularly used for direct taxpayer communications and the Norwegian administration, for example, has engaged with a behavioural economics researcher to test a variety of communications intended to improve compliance on declarations of foreign income (OECD, 2016a).
Relevant for the scope of this analysis is, in particular, the use of technology for tax auditing risk assessment. In this profiling modality, it should not be possible to single out individuals by name or identifying characteristics. However, it is quite problematic to determine where the collected information and the technological system are effectively singling out taxpayers. This could be the case when a process adds extra value to taxpayers of a certain postal code, gender, birth month (Ohm, 2010, as cited by Kroll et al., 2016). The auditing risk assessment is usually conducted by also checking the tax returns that were previously filled (Kroll et al., 2016).

SECTION 2: HOW THE GDPR NOTIONS OF PROFILING AND AUTOMATED DECISION MAKING FIT IN THE USE OF ICT TOOLS BY TAX ADMINISTRATIONS
In the context of this paper, we focus on two concepts which are relevant in the way tax agencies are using ICT tools and which are both contained in the GDPR, namely profiling and automated decision making. While in the academic discourse, the tendency is to focus on the commercial applications of these techniques to better segment markets and tailor services and products to align them with individual needs, profiling and automated decision making can and are implemented also in the public sector (e.g., in education, healthcare and transportation).
Indeed, in both the private and public sectors, profiling and automated decision-making can increase the efficiency of delivering a certain service. However, the use of these techniques may raise significant risks for individuals' rights and freedoms.
As we have seen, in the previous sections, tax authorities are implementing new technologies for different reasons (e.g., better tax assessment and collection, better communication with the taxpayers, increasing tax compliance ex ante). In many of the examples reported there is a clustering of taxpayers based on the different purpose pursued by the tax administration.
Considering the personal income tax, new technologies clustering taxpayers based on the information contained in their tax returns and received by third parties can be a very useful tool in verifying whether the income declared by that natural person is correct or not. Personal income tax, as it is generally built, relies on different income categories (e.g., business income, employment income, capital income), tax exemptions and the possibility to deduct expenses. This type of construction makes it possible to consider it as a progressive tax and to be compliant with the ability to pay principle.
Traditionally, in order to minimise the interference with taxpayers' personal autonomy, tax collection has been based on the information provided by the taxpayers through the submission of her/his tax return (Ehrke-Rabel, 2019a). The tax return is the instrument through which natural persons declare the income they have produced during the previous fiscal year.1 Depending on the threshold under which taxpayers' income will fall, taxes will be due according to a certain applicable tax rate. Once the tax return is submitted, the tax authority will proceed to the verification and assessment of the due taxes. Because of the high number of tax returns submitted to tax authorities which basically consist in a mass procedure, for a long time it has been assumed that tax authorities would not be able to thoroughly verify all returns before assessment. Consequently, initial assessments were (and still are) regularly subject to revision through tax audits (Ehrke-Rabel, 2019a; Vaillancourt et al., 2011; Russell, 2010; Jensen & Wöhlbier, 2012; EU Commission, 2006; OECD, 2006; OECD, 2017).
Moreover, maintaining a progressive system while at the same time avoiding revenue losses, created a complex system for both tax administrations and taxpayers. This has led to the introduction of pre-filled tax returns and the creation of online applications to calculate the due amount of taxes. By matching the submitted tax returns with other information which were gathered by other public administrations or third parties (e.g., employer, financial institutions, etc.), tax administrations are able to verify whether the declared income is correct or not.
Indeed, a pivotal role in the good functioning of the tax auditing system is played by data transmitted to tax authorities by third parties.2 However, matching these data through ICT tools could lead to profiling of taxpayers and consequently to automated decision making pursuant to the GDPR definitions.

PROFILING PERFORMED BY TAX AUTHORITIES
As defined by the GDPR, profiling can be described as any form of automated processing of personal data aiming at the evaluation of certain personal aspects of a natural person. Among these aspects, the European legislator lists the natural person's performance at work, economic situation, health, personal preferences, interests, behaviour, location or movements (Art. 4 (4) GDPR).
From this definition, in order to verify whether profiling can take place in the tax sphere there are three elements which need to be present in the way tax administrations use the ICT tools at their disposal and in the way these tools are built:
1. The processing must be automated;
2. It must be carried out on personal data of a natural person;
3. The processing scope is the evaluation of the personal aspects of a natural person.
As described above, the increasing number of possible deductions, the different types of income that taxpayers can produce simultaneously, and the high number of taxpayers itself makes it impossible for tax administrations to go through each tax return. The use of employees for checking each tax return would be too expensive for tax administrations (Ehrke-Rabel, 2019c; Lipniewicz, 2017) and would drive away resources which could be used for other public activities.
This has led to the adoption of automated systems which are able to go through a large amount of data and verify whether the information submitted by the taxpayers is correct or not. In this sense, the processing of the gathered taxpayers' data is automated and thus fulfills one of the GDPR requirements for the processing of data to be considered as profiling.
Another aspect which needs to be considered is whether the taxpayers' data collected and processed by the tax administrations are personal data. Indeed, the information at disposal of the tax administrations in order to verify the income of a certain taxpayer relates to an identified or identifiable natural person who (as exactly stated in the definition of personal data of the GDPR) "can be identified, directly or indirectly, by reference to identifiers such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person".
Finally, in order to establish whether the use of ICT by tax administrations in the management of the tax returns and the consequent verification of the correctness of the declared income might constitute a profiling activity, the scope of the processing must be the evaluation of personal aspects about a natural person. Among the examples of personal aspects cited in Art. 4 (4), which defines the notion of profiling, there is the economic situation of the natural person, which is at the heart of the evaluation of whether the declared income is correct or not. In order to verify this correctness, all the directly and indirectly relevant economic and non-economic elements will be taken into consideration. Indeed, among these elements, there are financial accounts, expenses such as cars or immovable properties (and in this case the exact location and structural elements which intrinsically influence the price and value) but also medical, cultural or educational expenses.
One last aspect concerning profiling which needs to be considered is the possibility to carry out group profiling. This type of profiling is based on data from existing groups, but it can also involve categorisation based on aspects shared by group members without them realising that they belong to that particular group (Mantelero, 2016). In the tax sector, risk management tools might divide taxpayers into groups with different risk levels based on different sets of data. It has been noticed that in this type of profiling, there is a significant number of false positives (deciding that a person is a member of the group when they are not) or false negatives (deciding that a person is not a member of the group when they actually are) (Kamarinou, Millard, & Singh, 2017). Moreover, the presence of false positives and false negatives can lead to decisions which produce legal or significant effects on individual people. Consequently Art. 22 GDPR might be applicable since it requires that the decision based on the profiling addresses an individual and has legal or significant effects for him/her (Kamarinou et al., 2017).

AUTOMATED DECISION MAKING IN TAX MATTERS
As will be further investigated in this section, profiling might also lead to decisions based on the processed data which can be automated and consequently, both individual profiling and group profiling might lead to the application of Art. 22 GDPR. With regard to automated decision making under the GDPR, there are two aspects, which need to be further analysed especially in connection to their implications in tax matters. First of all, it is important to understand the scope of the word "decision". Second of all, it is important to identify the cases where the decision is "solely" automated.
In tax matters, the use of software able to go through the amount of data collected by tax authorities in relation to tax returns and information provided by third parties will lead to the identification of possible mismatches between what has been declared by the taxpayer and what results from the combination of all the information available to the tax authorities.
Consequently, a tax assessment notice indicating a different amount of tax to be paid and relevant sanctions (in the case where more taxes are due than what has been paid by the taxpayer) will be sent to the taxpayer. Depending on the different procedural rules of a single member state, the taxpayer will be given a certain amount of time to challenge the tax assessment notice. This means that the tax assessment notice which is based on the results of the software which match the different information available to the tax authorities is not a final decision and neither is a court decision.
The meaning of the word "decision" in the context of automated decision making can be derived by looking at the different parts of the GDPR text. It has already been highlighted that Art. 22 GDPR does not specify whether the decision mentioned in the article has to be a final decision or just a mere interim or individual step taken during the automated processing. However, recital 71 of the GDPR expressly states that the word "decision" should include also "measure".
Thus, the word "decision" is to be understood in a broader sense. At the same time, Art. 22 of the GDPR describes the word "decision" as the one which produces legal effects or similarly significantly affects the data subject. On the one hand, with regard to the "legal" element, this requires that the decision be binding or that the decision create legal obligations for the data subject. In the case of the tax notice, where the taxpayer does not challenge it, if he/she does not comply with it, the tax assessment notice can be enforced by the relevant authorities. On the other hand, the fact that the GDPR introduces the word "similarly", absent in the previous directive, to the phrase "significantly affects" means that the threshold for significance must be similar to that of a decision producing a legal effect. Even if it can be argued that the "significant" element is rather vague, Article 29 Working Party has identified possible categories of decisions which can be considered as producing "similarly significantly" effects on the data subjects (Veale & Edwards, 2018). These decision categories include decisions affecting someone's access to health services, to education, decisions denying someone an employment opportunity or put them at a serious disadvantage and decisions affecting someone's financial circumstances. Undoubtedly, tax assessment notices affect the financial circumstances of the data subject (Art. 29 Working Party, 2017).
The second aspect that needs to be considered in order to identify a solely automated decision, is the level of human intervention. Art. 22 of the GDPR finds application only in cases where decisions are made in a "solely" automated way and the scope of the word "solely" is decisive in the determination of the practical extent of the rights granted to data subjects (Bygrave, 2001;Wachter et al., 2017;Veale & Edwards, 2018). In order to frame the scope of the notion of "solely" the attention needs to be focused on the level of human intervention in the loop. Indeed, it is difficult to find completely automated systems where the decisions are made "solely" by the algorithm (Veale & Edwards, 2018). Consequently, a literal interpretation of the word "solely" will significantly reduce the practical scope of application of Article 22 and it might even lead to a wider introduction of a nominal human intervention in the loop consisting in a mere "rubberstamping" in order to limit the application of Article 22 (Veale & Edwards, 2018). Under Art. 29 Working Party (2017), the activity leading to the decision should not be a tokenised gesture but there must be an influential activity exercised by a human. The main issue in the context of this contribution is whether the mere signature by the tax agent responsible for the assessment procedure reported on the assessment notice, completely based on the ICT system used and to be sent to the taxpayer, can be considered a sufficient indication of human intervention.
Depending on a case-by-case analysis, it might be that the tax agent had to go through further investigations before finalising and sending the assessment notice. Nevertheless, the outcome on which the assessment letter is based, resulting from the implementation of an ICT system, will hardly be questioned by the tax agent. In fact, there are studies showing that even in systems where the explicit intention is to merely support a human decision-maker, the trustworthiness of the intrinsic automated logic of the system, the lack of time and convenience reasons tend to make the system operate as wholly automated (Skitka, 2000). Thus, minimal human intervention with no real influence on the outcome of the decision cannot be sufficient to exclude the applicability of Art. 22 (1) (Malgieri & Comandé, 2017), and this might be the case of merely signing the tax assessment notice to be sent to the taxpayer.
Finally, regarding the legal effects or significant effects, it is undoubted that the decision to proceed to the assessment or to require taxpayers to pay a higher amount of taxes differently from what they had declared (or better not declared) will significantly affect the taxpayers' sphere. Consequently, taxpayers shall be recognised the right to appeal that decision or more generally, they should have access to a judicial remedy. Admitting that the requirement for Art. 22 (1) is met is fundamental because it will mean that profiling and automated decision making will still be allowed in tax matters if, according to the second paragraph, these activities are authorised by the European Union or member state laws to which the controller is subject.
Moreover, these provisions must lay down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests. Thus, laws providing for the ICT system to run activities such as profiling and automated decision-making shall then lay down the suitable safeguards. These safeguards are actually not described in the text of the Directive but only in the recitals.

SECTION 3: THE NEED TO BALANCE INDIVIDUAL PRIVACY RIGHTS WITH THE PUBLIC INTEREST EMBODIED IN TAX COMPLIANCE
fight tax evasion and consequently, revenue losses.
For this reason, in the GDPR provisions concerning data processing, profiling and automated decision making there are important exceptions to the general rules governing these procedures.
Nevertheless, these exceptions must be introduced by legislation and respect the essence of fundamental rights and freedoms (Ehrke-Rabel, 2019b). Indeed, the aim is to safeguard the public interest in which the protection of public revenues from tax evasion behaviours is and must be included.

STRIKING A BALANCE IN DATA PROCESSING
Starting with data processing, Art. 6 of the GDPR defines the cases where the processing will be considered as lawful. Relevant for the tax law sphere is letter e) which states that the processing of data is lawful if necessary for the performance of a task which is carried out in the public interest or in the exercise of official authority vested in the controller. Moreover, the allowed processing cases contained in Letter f) Art. 22 GDPR will not apply since this point will not find application if the processing is carried out by public authorities in the performance of their tasks, which is the case of tax authorities. However, for the lawfulness of the processing in the case of the performance of a task carried out in the public interest or in the exercise of official authority, such as the one carried out by the tax authorities, Art. 6 (3) establishes the need for a legal basis which shall be laid down by: (a) Union law; or (b) Member state law to which the controller is subject and which shall be proportionate to the legitimate public interest aim pursued. The same Art. 6 also contains a series of specific provisions which need to be included in the legal basis for the processing according to Art. 6 (1) lit. e) and which consequently will find application in processing for tax matters as well. Examples of these specific provisions concern the type of processed data, the identification of the data subjects, the purpose limitation, the storage period and the general conditions governing the lawfulness of processing by the controller. Nevertheless, member states can provide for more specific requirements for the processing and other measures to ensure lawful and fair processing. Thus, it might be that a tax law allowing taxpayers' data processing in one state might offer additional protection to taxpayers' privacy when compared to that of other member states.
Moreover, regarding the processing of special categories of personal data, the relevant provision in the GDPR is Article 9. Special categories of data include the data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation. The general rule established in Art. 9 (1) prohibits the processing of these data.
However, paragraph 2 states exceptions to the application of the first paragraph. Similarly to Art. 6, these exceptions include the case where processing is necessary for reasons of substantial public interest, on the basis of European Union or member state law. Indeed, one reason for substantial public interest is represented by tax compliance and the state's need to safeguard its resources from tax evasion. However, the exception enshrined in Art. 6, which is relevant also in the field of taxation, is limited by a proportionality test4 which has to take place with reference to the aim pursued. The processing also has to respect the essence of the right to data protection and the law allowing the processing must provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
From combining these two articles on processing, it is possible that for tax reasons which are part of the broader "public interest", member states will process data, including those belonging to the special categories. Nevertheless, for reasons of public interest this permission must still undergo a proportionality test, and it must provide for safeguards of the fundamental rights and interests of the data subject. However, the safeguards that need to be adopted are not listed or exemplified, therefore it remains quite vague what measures member states will adopt. Due to the territoriality and the worldwide taxation principles, information gathered for tax purposes might still include racial or ethnic origins, or information on health expenses for obtaining tax exemptions. They might even include information on religious belief such as in the case where states levy so-called "church taxes"5 or in cases where there are tax deductions for donations to religious or charitable organisations.6 Moreover, in most of the tax systems, these pieces of information will be directly provided by the taxpayer or by third parties depending on the type of information.

STRIKING A BALANCE IN PROFILING AND AUTOMATED DECISION MAKING
Regarding profiling, the relevant provision is Art. 22 which, as previously described, specifically establishes the right for the data subject not to be subject to a decision which is solely based on automated processing, including profiling, which will be able to produce legal effects on the data subject (or can similarly affect him). However, this provision also provides for limitations to this data subject's right.
According to Recital n. 73, the right to not be subjected to automated decision making and profiling together with the "rights of information, access to and rectification or erasure of personal data, the right to data portability, the right to object, decisions based on profiling, as well as the communication of a personal data breach to a data subject and certain related obligations of the controllers" can be restricted by European Union or member state law in the taxation field. Art. 23 (1) (e) expressly mentions taxation matters as general public interest of the Union. However, Art. 23 (1) establishes that any legislative measure restricting those rights (provided for in Artt. 12 to 22 and Art. 34, as well as Art. 5 in so far as its provisions correspond to the rights and obligations provided for in Artt. 12 to 22) must respect the essence of the fundamental rights and freedoms and must be a necessary and proportionate measure.
Additionally, in order to ensure respect for fundamental rights and freedoms, which also include the right to privacy, Art. 23 (2) lists the information which needs to be included in the legislative measure allowing such restrictions:
a. the purposes of the processing or categories of processing;
b. the categories of personal data;
c. the scope of the restrictions introduced;
d. the safeguards to prevent abuse or unlawful access or transfer;
e. the specification of the controller or categories of controllers;
f. the storage periods and the applicable safeguards taking into account the nature, scope and purposes of the processing or categories of processing;
g. the risks to the rights and freedoms of data subjects; and
h. the right of data subjects to be informed about the restriction, unless that may be prejudicial to the purpose of the restriction.
Nevertheless, this list can be supplemented with other information at member states' discretion.
On a different note, it might be argued that the information contained in the list of Art. 23 (2) could reveal the red flags that tax authorities rely on when assessing taxpayers, and thus deprive the authorities of an important instrument when assessing possible tax evasion or tax avoidance schemes.
Indeed, by knowing exactly how the information is treated and how the technology works, taxpayers could fill in the tax return, or more generally adopt behaviours, in ways which put to the test the predictive measures adopted by the tax revenue agencies in order to fight tax evasion and avoidance (Reeves, 2015). As already highlighted by Kroll et al. (2016), keeping the decision policy secret is useful in preventing strategic gaming of the system. Thus, limiting meaningful information about the logic involved in the ICT tool used by the tax administration shall be considered legitimate (Ehrke-Rabel, 2019a; Ehrke-Rabel, 2019b).
Nonetheless, in my opinion, the information required by Art. 23 (2) is not able to offer a concrete overview of how the system works and therefore should not be considered as endangering the public tasks to be carried out when using these instruments.

SECTION 4: POLICY IMPLICATIONS FOR EU MEMBER STATES
As emerges from the GDPR provisions, the European legislator has clearly recognised that technologies allowing processing of large amounts of data and profiling (which might also lead to automated decisions) can represent a fundamental tool for tax administrations in the fight against tax evasion and fraud. At the same time, the European legislator has attempted to strike a balance between the public interest to protect public revenue and the taxpayers' data protection rights, by requiring the presence of safeguards in the legislation allowing for the use of such technologies.
Combining these two provisions on data processing (Art. 6 and Art. 9 GDPR), it is possible that for tax reasons, which are part of the broader "public interest", member states will process data, including data belonging to the special categories. Nevertheless, this permission for reasons of public interest must still undergo a proportionality test, and the permission must provide for safeguards of the fundamental rights and interests of the data subject. Similarly, in the context of automated individual decision-making, including profiling, restrictions to the rights of the data subject must respect the essence of the fundamental rights and freedoms and must be a necessary and proportionate measure in a democratic society (Art. 23).
Firstly, from the member states' perspective, this means that they shall verify whether the use of ICT tools for carrying out tax administrations' activities involves any form of data processing, profiling and automated decision making. If so, there must be a specific legal basis in place.
Indeed, the entry into force of the GDPR has created the need for a specific legal basis for ICT instruments such as the ones used by tax administrations, through which data are processed, profiles are created, and automated decisions are taken. Secondly, whether the use of these tools already has a legal basis or member states need to adopt a new piece of legislation allowing the use of these instruments by tax administrations, these provisions must include the required safeguards as prescribed by the GDPR.
Nevertheless, because these safeguards tend to be very vague, the GDPR leaves a lot of discretion to member states on the level of protection of taxpayers' privacy. Indeed, the GDPR provides only for a minimum level of protection to be included in member states' legislation allowing the use of ICT tools for profiling and automated decision making in tax matters. Thus, member states could increase the level of protection at their discretion. However, different margins in how to extend the scope of the safeguards might lead to misalignments in the way taxpayers' privacy is protected among EU member states. Moreover, the lack of both a common auditing system in the European Union and of a common instrument ensuring taxpayers' rights, such as a European Taxpayer Code (EU Commission, 2016) or Charter (CFE, 2018), intensifies even more the possible discrepancies in the level of protection of taxpayers' data and privacy among member states.

CONCLUSIONS
In recent years, the use of ICTs by tax authorities has efficiently improved their abilities to carry out their tasks (e.g., tax monitoring, taxpayers' auditing, tax collection) for the public interest.
For this reason, investment in ICT for revenue agencies has been highlighted as a priority by many international institutions (OECD, 2016a; OECD, 2016b; Cotton & Dark, 2017). Using new technologies has simplified the ways in which tax administrations can assess taxpayers and identify those who are tax evaders. However, while tax authorities need to be provided with the most efficient instruments in order to prevent and fight tax evasion and tax avoidance, this need must be balanced with the privacy rights of the taxpayers.
More specifically, ICT tools (including and in particular risk management systems) are able to combine data provided by third parties and by the taxpayers, process them in order to categorise taxpayers on the basis of their compliance risks and finally, based on their profiles, identify the taxpayers that will be subjected to audits. The way in which these systems operate perfectly matches the definitions of data processing, profiling and automated decision making contained in the GDPR. However, from analysing the text of the GDPR, it emerges that tax authorities, because of the public interests they are fulfilling, are enabled to use ICT instruments which might facilitate, also through profiling and data matching, the carrying out of tax authorities' tasks. First of all, this means that member states will have to adopt (where not already in place) a legal basis allowing tax authorities to use ICT tools performing profiling and automated decision making. Secondly, according to Recital n. 71 of the GDPR, the legislative measures authorising decision-making based on profiling for fraud and tax-evasion monitoring shall provide the data subject the right to obtain human intervention, to express his or her point of view, to obtain an explanation of the decision reached after such assessment and to challenge the decision (De Raedt, 2018). However, the text of the regulation itself does not provide for the express indication or description of the safeguards mentioned in Art. 22. By contrast, Art. 23 (2), with regard to automated decision making, provides for a list of information which shall be contained in the legislative measure adopted for permitting the use of automated decision making by tax authorities. Nevertheless, the presence of these requirements in the law and in the ICT systems effectively used by tax administrations needs to be assessed on a case-by-case basis at the national level.
Indeed, the GDPR, by requiring the inclusion of these safeguards, only offers a minimal level of protection that might be extended at the national level. Moreover, the vagueness of these safeguards as indicated in the GDPR text, and the discretion left to member states on their implementation, may lead to an even wider gap between different levels of taxpayer protection across member states.