Feb 21, 2026
Ten Dutch Cities Fined for Secretly Spying on Muslim Communities
The Dutch Data Protection Authority fined ten municipalities a combined 250,000 euros for secretly collecting religious beliefs, family details, and mosque photos from Muslim residents without their knowledge or consent.
What Happened
Ten municipalities in the Netherlands have been fined a combined 250,000 euros by the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) for secretly investigating local Muslim communities and compiling detailed personal files on residents without their knowledge or consent.
The municipalities (Delft, Ede, Eindhoven, Gooise Meren, Haarlemmermeer, Hilversum, Huizen, Tilburg, Veenendaal, and Zoetermeer) each received a 25,000 euro penalty. The regulator found they had hired external research firms to conduct covert investigations of Islamic organizations, compiling dossiers that contained some of the most sensitive categories of personal data under GDPR: religious beliefs, political views, family relationships, and photographs of individuals.
What the Dossiers Contained
The scope of the surveillance went far beyond what any municipality could justify. Investigators mapped mosque-related "structures," identified key figures and networks within local Muslim communities, and compiled extensive personal profiles that included:
- Religious beliefs and Islamic sect affiliations
- Photographs and names of community members
- Family member information and personal relationships
- Details about tensions between religious leaders
- Commentary about internal mosque dynamics
- Political views of individuals
Some of this data was shared with the Netherlands' anti-terrorism unit (NCTV) and the social affairs ministry, further expanding the reach of the unauthorized surveillance.
How It Came to Light
The surveillance program first became public in 2021 after investigative reporting by Dutch newspaper NRC described so-called "force field analyses" that had been conducted by a private firm on behalf of multiple municipalities. The reporting triggered political scrutiny and parliamentary questions, eventually leading the Dutch DPA to investigate.
The municipalities had justified their actions as responses to the terrorism concerns of 2015 and 2016, arguing they were trying to prevent radicalization. But the DPA found that the data collection had no sufficient legal basis, the individuals were never informed they were being profiled, and the processing of special category data (religion and political beliefs) violated GDPR's strict requirements.
The Regulator's Verdict
AP Chairman Aleid Wolfsen did not mince words: "People in Muslim communities were investigated without their knowledge. The privacy of these people has been breached in the worst possible way."
Wolfsen also noted that the surveillance had damaged trust between municipalities and the communities they are supposed to serve: "The municipalities' approach has been detrimental to the relationship with the people affected." The municipalities themselves acknowledged they had exceeded their authority, with some officials describing their own behavior as acting like "private police forces."
Delft's Mayor Alexander Pechtold issued a formal apology to the Al Ansaar Mosque, and all ten municipalities accepted the fines and acknowledged their wrongdoing.
Why This Matters Beyond the Netherlands
This case is a textbook example of how government surveillance can operate outside the law, even in countries with strong data protection frameworks. The Netherlands has some of the most robust privacy protections in Europe, yet ten municipalities were able to conduct years of covert religious profiling before anyone outside their offices noticed.
The GDPR classifies religious beliefs and political views as "special category" data that requires explicit consent or a specific legal basis to process. There are no exceptions for municipal curiosity about community dynamics. Yet the municipalities processed this data without consent, without transparency, and without any of the safeguards the regulation demands.
The fines, 25,000 euros per municipality, are modest by GDPR standards. But the political and social fallout is significant. The case demonstrates that government bodies, not just tech companies, can be privacy violators, and that communities targeted by surveillance often have no idea it is happening until journalists or regulators intervene.
The Bigger Picture
Government profiling based on religion is not unique to the Netherlands. From the NYPD's surveillance of Muslim communities in the United States to China's monitoring of Uyghur populations, the pattern repeats globally: security concerns are used to justify mass data collection targeting specific religious or ethnic groups, often with minimal oversight and no transparency.
What distinguishes this case is that the enforcement came from within the system. The Dutch DPA held its own government accountable, a reminder that data protection regulators exist to check all forms of power, not just corporate power. Whether that accountability will deter future surveillance programs remains to be seen, but the precedent is now set: in Europe, secretly profiling communities based on their faith carries legal consequences.