Law Enforcement or Administrative Duty? Decoding Legal Dimensions of Fraud Profiling in Public Administration

ABSTRACT integration of data analytics and automated fraud-detection systems within welfare sectors, focusing on the evolving legal landscape in Europe. Throughout Europe, the use of advanced technologies to monitor welfare payments has intensified. However, large-scale data profiling raises significant legal challenges, exemplified by the judicial scrutiny of the Dutch SyRI system, which was found to violate the European Convention on Human Rights and the General Data Protection Regulation (GDPR). This study addresses a pivotal question: whether the use of such systems under EU law constitutes law-enforcement activities or routine administrative operations. This classification impacts the legal framework—GDPR or the Law Enforcement Directive (LED)—governing data processing practices, and influences obligations under the forthcoming EU Artificial Intelligence Act. Through an analysis of European law, including GDPR, LED, the EU Charter of Fundamental Rights, and relevant case law, this article highlights the complexities of this legal demarcation and the potential for conflicting regulatory incentives. Swedish examples are used to illustrate how different legal and institutional setups affect these issues, offering insights into the broader implications for the legality and governance of fraud detection systems.

KEYWORDS Fraud detection – Artificial Intelligence Act – GDPR – Law Enforcement Directive – Automated decisionmaking

TABLE OF CONTENTS 1. Introduction. – 2. The Legal pertinence of typical fraud-detection-system characteristics. – 3. The GDPR and the LED as two distinctive data-protection frameworks. – 3.1. It is either the GDPR or the LED – profiling practises rarely escape EU data protection. – 3.2. Legal basis. – 3.3. Special-category data. – 3.4. Profiling and automated decision-making. – 4. Definitions of “law enforcement” in the data-protection and AI context and its relation to fraud-detection systems. – 4.1. Applicability and the LED as the exception to the GDPR. – 4.2. The importance of the institutional setup. – 5. Fraud Detection, meet your new friend – the Artificial Intelligence Act. – 5.1. Applicability of AIA risk categories on fraud-detection systems. – 5.2. The impact of ‘law enforcement’ classification under the AIA. – 6. Conclusions