Following the seminal judgment in the Schrems II case by the Court of Justice of the European Union (CJEU) on 16 July 2020, serious questions have arisen in relation to the compatibility of systems of automatic exchange of information (FATCA/CRS) with non-EEA countries with the fundamental rights to data protection and privacy
Under FATCA, banks in the EEA are required to collect sensitive personal and financial information about US clients and transfer them automatically to the IRS via their local tax authorities. The Common Reporting Standard (CRS) extended such obligations to over 100 jurisdictions.
Filippo Noseda, Partner in Private, who is leading on a number of legal challenges concerning the data protection implications of FATCA, as well as the CRS, commented:
"For almost five years now we have been raising the same concerns that were at the heart of the Schrems case, notably the lack of appropriate data protection safeguards for transfers of data collected in the EU. As our correspondence shows, until now the national data protection authorities and even the European Data Protection Board (EDPB) failed to consider our concerns, prompting a UK MEP to accuse the EDPB of being "Kafkaesque".
"The Schrems II judgment is a game changer and we have already written to the UK Information Commissioner's Office and the EDPB urging them to take immediate action against the violation of basic EU data protection principles."
"Mishcon de Reya is representing a US born British citizen who is raising funds to bring a judicial review against a decision from the UK Information Commissioner's Office which went against the grain of the Schrems II judgment. She is seeking £75,000 through CrowdJustice before 29 August 2020"