Correspondence

Posted on 29 July 2020

This page collects the correspondence between Mishcon de Reya and the relevant institutions, such as the Information Commissioner’s Office, the European Parliament, the Petitions Committee (PETI), the European Data Protection Board (EDPB) and the European Commission (TAXUD).

The Mishcon de Reya Hacking and Data Breaches List includes various instances of hacking against tax authorities in the US, the UK and the rest of the EU, supporting our client's claim that FATCA unnecessarily exposes sensitive personal and financial data to the risk of hacking. 

As the first law firm in Europe to instigate legal proceedings against the excessive nature of both FATCA and the CRS, the team at Mishcon de Reya has a deep understanding of the interaction between systems of automatic information exchange as well as the wider data protection angle.

Under the European Convention on Human Rights (ECHR), the right to privacy is a fundamental right. This means that any interference with this right is subject to strict legal requirements.

The Mishcon de Reya Hacking and Data Breaches List

This list was prepared to support Jenny's claim that FATCA unnecessarily exposes sensitive personal and financial data of compliant citizens to the risk of hacking. In another case, the UK tax authorities acknowledged that the incidents reported by Mishcon de Reya were 'serious', but refused to back down from automatically exchanging information across borders. The list includes various instances of hacking against tax authorities in the US, the UK and the rest of the EU, including a hack against Bulgaria that led to the theft of the entire database of the local tax authorities (between 5 and 7 million citizens affected). More recent incidents concerning the National Supercomputer and even the European Parliament confirm the fundamental problem of data security.

Click here to view.

Letters

July 2020
31 July 2020 to the EDPB Chair

This letter discusses the ICO's continued refusal to consider the implications of the recent judgment from the Court of Justice of the European Union which declared the existing EU-US legal framework for the transfer of data collected in the EU to the US to be illegal.

Click here to view the letter.

28 July letter to CNIL re GDPR Complaint against OECD

This letter considers the implications of the recent judgment of the Court of Justice of the European Union (CJEU) in the 'Schrems II' case on our GDPR complaint against the OECD.

The CJEU decided in 'Schrems II' that transfers of personal data to non-EEA Member States without 'adequate safeguards' are illegal.

In a letter to our Firm, the OECD's Secretary-General claims that this judgment does not apply to the OECD, confirming the view that the Common Transmission System operated by the OECD represents a huge data protection black hole at the heart of the EU.

Click here to view this letter.

28 July 2020 letter to Elizabeth Denham re UK Government's statement on Schrems 2

This letter deals with the implications of Brexit on data protection. The UK Government confirmed in a written statement to Parliament that the recent CJEU decision in the Schrems II case is binding for the UK during the Brexit transitional period.

This has direct implications for Jenny's complaint.

Click here to view the letter.

26 July 2020 letter to the EDPB and the ICO re Schrems interview

This letter to the EDPB and the UK Information Commissioner discusses a recent interview in which Maximilian Schrems described the handling of GDPR complaints by national data protection authorities as 'kafkaesque'. It is noteworthy that the same term was used by a British MEP during the hearing on FATCA that took place before the European Parliament on 12 November 2019. (link to previous correspondence)

Click here to view the letter.

25 July 2020 Letter to Elizabeth Denham re Schrems FAQs

This letter considers the implications of the recent 'Frequently Asked Questions' (FAQs) published by the EDPB following the EU Judgment in the Schrems II case for Jenny's case.

The letter also refers to a data breach affecting the Florida Tax Office, which underpins the data security concerns of FATCA.

Click here to view the letter

25 July letter from Claimant to the EDPB (Austrian CRS Challenge)

Most of the correspondence in this section relates to FATCA and Jenny's legal challenge in the UK. However, the same issues arise in relation to the Common Reporting Standard (CRS), which is subject to a legal challenge in Austria. Following the publication of the EU judgment in the Schrems II case, the Claimant in that case sent a letter to the EU raising the similarities between his challenge and Jenny's case.

Click here to view the letter

23 July 2020 to ICO General Counsel re ICO's independence

Following the intervention of the ICO's General Counsel in Jenny's case (nearly eight months after the date of the original complaint), this letter is a reminder of the concerns that exist in relation to the handling of this case, in particular with reference to the ICO's independence.

Click here to view the letter

21 July to Elizabeth Denham, Andrea Jelinek, Bruno Gencarelli, Dolors Montserrat

This letter contains a direct appeal to the UK Information Commissioner and its EU counterparts to intervene in the FATCA debate following the recent EU Judgment in the Schrems II case, which held that the existing legal framework for the transfer of data to the US is illegal.

Click here to view the letter

20 July 2020 letter to Ms Elizabeth Denham re Data Protection Impact Assessment (DPIA)

Following revelations in the press that the UK Government failed to adhere to the principles of the GDPR in relation to the Covid-19 track-and-trace programme, this letter asks the UK Information Commissioner to clarify its statements about the existence of an adequate 'Data Protection Impact Assessment' (DPIA) in relation to UK FATCA.

Click here to view the letter

20 July 2020 letter to Bruno Gencarelli, (Head of Unit – International Data Flows and Protection)

This letter to the Head of the European Commission's Unit on International Data Flows and Protection, which was written shortly after the Court of Justice of the European Union declared the framework for data flows between the EU and the US ('Privacy Shield') to be illegal, asks the Commission to take immediate action and consider the individual complaint that was filed on 8 April 2020.

In the complaint, Mishcon asked the European Commission to commence infringement proceedings against EU Member States in relation to the conclusion of FATCA agreements.

Click here to view the letter.

18 July 2020 Letter to the Chairs of the EDPB and the PETI

This letter is a riposte to the statement issued by the Chair of the EDPB following the recent CJEU judgment in the Schrems 2 case.

The statement claims that the EDPB has been raising concerns over the data protection implications of the transatlantic transfer of data.

However, the EDPB's alleged commitment in this area does not extend to FATCA, which is a type of system of EU-US data transfer.

Click here to view the letter.

16 July 2020 letters to ICO, EU and OECD following Schrems 2 Judgment

The attached letters discuss the implications of the EU judgment in the Schrems 2 case (C-311/18) for the various claims.

The judgment held that the existing EU-US framework for the transfer of data (known as 'Privacy Shield') is invalid. This has direct implications for FATCA as well as CRS transfers to non-EU Member States.

Click here to view the letter to the ICO

Click here to view the letter to the EU

Click here to view the letter to the OECD

15 July 2020 to EDPB and the CNIL

This letter discusses the recent decision from the OECD's Secretary-General in response to our data protection complaint under the OECD rules.

In its decision, which is the first of this kind since the introduction of the CRS, the OECD refused to assume any responsibility in relation to the data of individual bank account holders.

Given the huge numbers and risks at stake, the letter calls on the European Data Protection Board and the French Data Protection Commissioner to intervene.

Click here to view the letter.

 

June 2020
30 June 2020 to EDPB

This letter discusses the data protection implications of the statistics released on 30 June 2020 by the OECD which confirm that last year 84 million accounts were subject to automatic information exchange under the CRS, for an aggregate value of €10 trillion.

Click here to view the letter.

25 June 2020 to EDPB

This letter discusses the GDPR report published by the European Commission entitled 'Data protection as a pillar of citizens’ empowerment' and its repercussions for the ongoing legal challenges against the excessive nature of FATCA and the CRS.

Click here to view the letter.

19 June 2020 letter to EDPB

This letter discusses the recent decision from the UK Information Commissioner's Office in Jenny's case and its implications for the European Data Protection Board.

Click here to view the letter.

16 June 2020 letter to the EDPB

This letter considers the position of the European Data Protection Board (EDPB) following yesterday's judicial appeal against a decision from the Austrian Data Protection Authority, which was led by the Chair of the EDPB.

Click here to view the letter.

3 June 2020 letter to EDPB

This letter criticises the European Data Protection Board's refusal to intervene to enforce data protection in the context of FATCA and the CRS.

The letter is in response to an email from the EDPB, which you will find on page 2 of our letter.

Click here to view the letter.

 

May 2020
28 May 2020 letter to the OECD re lack of response/accountability

The attached letter to the OECD's Pascal Saint-Amans addresses the lack of response to our previous correspondence and the OECD's lack of accountability.

Click here to view the letter.

27 May 2020 letter to Elizabeth Denham CBE (UK Information Commissioner)

This letter asks for a direct intervention by the UK Information Commissioner into Jenny's data protection complaint following concerns about the policy driven decision-making of her staff. 

Click here to view this letter.

26 May 2020 letter to the OECD

This letter considers the OECD's recent move of hiring one technician to assist reporting jurisdictions with the data security implications of sending sensitive personal and financial data across borders.

The letter shows the inadequacy of the measures, which appear to be a response to our investigation into the data protection risks of the Common Transmission System (CTS), which is the system used by 101 jurisdictions to exchange CRS data.

Click here to view the letter.

26 May 2020 letter to the ICO

This letter considers the numbers of accounts subject to FATCA and makes some comparisons with the size of the US Covid-19 stimulus package, the EU budget and the world's biggest sovereign funds. 

Click here to access the letter.

25 May 2020 letter to the ICO

On the second anniversary of the introduction of GDPR, this letter demands action in a file that has been on the desk of the UK Information Commissioner's Office (ICO) for over six months. In its previous correspondence, the ICO said that they were seeking a 'policy view' on the Complaint. As the UK's independent data protection authority, the ICO should not get itself involved with policy, nor the politics of FATCA. Similar letters have been sent to the European Commission and the European Parliament.

Click here to access the letter

21 May 2020 letter to the ICO

This letter considers the ICO's approach in the last stages of Jenny's data protection complaint.

In particular, it queries the ICO's intention to obtain 'a policy view' before issuing a decision.

Click here to access the letter.

19 May 2020 letter to the OECD

This letter considers the implications of the OECD's argument that it does not have any knowledge in relation to the data that goes through the 'Common Reporting System' (CTS), a system developed and administered by the OECD and used by tax authorities all over the world to transmit CRS data to each other.

The letter also considers the OECD's statement that the CTS is 'secure' in the light of recent hacking incidents against EasyJet, several European Supercomputers and even the European Parliament.

Click here to access the letter. 

14 May 2020 to EDPB PETI TAXUD

This letter discusses additional evidence from the European Commission showing that the European Commission was actively involved in a dialogue with the US on FATCA as far back as 2011.

The new evidence calls into question recent statements made by European Commissioners before the European Parliament, which deny the existence of any such dialogue and (indirectly) the existence of data protection concerns. This is contradicted by the evidence discussed in our earlier letters, notably the letters dated 3, 7, 9, 11 and 13 April 2020.

Separately, the letter raises fresh concerns in relation to the security of data exchanged under FATCA, following the hacking of the UK National Supercomputer on 12 May 2020.

Click here to access the letter.

8 May 2020 to EDPB PETI TAXUD

This letter brings together various instances in which the European Commission appears to have misled the European Parliament in relation to its own involvement in the negotiation of bilateral FATCA agreements between EU Member States and the US, known as 'Intra-governmental Agreements' (IGAs) – see also our letter dated 14 May 2020 for additional evidence.

This letter raises the question of the Commission's accountability to the European Parliament, which is enshrined in the EU Treaty.

Click here to access the letter.

5 May 2020 letter to the UK data protection authorities (ICO): Implications of ICO's COVID-19 statement for FATCA

This letter considers a statement made by the UK's Information Commissioner (Elizabeth Denham) before the Joint Human Rights Committee of the UK Parliament in relation to the data protection implications of COVID-19 tracing apps.

The letter claims that the same data protection principles (transparency, necessity, data security) apply to FATCA and asks the ICO to bring its investigation against the UK tax authorities to a conclusion.

Click here to access the letter.

1 May 2020 letter to the OECD

This letter, which was filed following our data protection complaint against the OECD in relation to the Common Transmission System (CTS), brings together the existing data protection concerns raised by multiple European data protection authorities, as well as the relevant case law.

Click here to access the letter.

 

April 2020
29 April 2020 correspondence with the OECD

This letter discusses the interaction between the GDPR and the OECD's own data protection rules in relation to the 'Common Transmission System' (CTS) which was developed and is managed by the OECD to enable governments to transfer CRS data to each other. 

The letter contains separate requests to the French data protection regulator, which is dealing with a GDPR Complaint against the OECD.

Click here to access the letter

26 April letter to the OECD

This letter raises data security concerns following an investigation into the IT systems designed by the IRS and the OECD to enable tax authorities to transfer FATCA and CRS data to each other.

The investigation shows that the US 'International Data Exchange System' (IDES) was designed by a company with close links to the US intelligence community.

The letter requests the OECD to provide evidence of an independent vetting of the system before it was deployed, as well as written reassurances from governments that they have not built a 'back-door' into the CTS and will not seek to access it for intelligence purposes.

Click here to access the letter.

22 April 2020 – Letter to the OECD

This letter discusses the data security risks posed by the 'Common Transmission System' (CTS) designed and operated by the OECD.  The CTS is the platform which tax authorities use to actually exchange information.  By creating a single-entry point for thousands of exchanges (4,500 bilateral exchanges concerning 47 million accounts worth €4.9tn in 2018), the OECD appears like the architect of a data protection disaster waiting to happen.

This letter ends with a GDPR Complaint before the French data protection authorities.

Click here to view.

19 April 2020 – Letter to EDPB PETI TAXUD

The attached letter discusses the latest of a long series of cyber-attacks against tax authorities, government agencies and financial institutions.

These incidents demonstrate that FATCA exposes compliant taxpayers to unnecessary and disproportionate risks for their data security.  FATCA was designed almost a decade ago.  Since then, there have been countless high-profile incidents brought together in the Mishcon de Reya Hacking and Data Breaches List.

Click here to review.

13 April 2020 - Letter to EDPB PETI TAXUD

This letter discusses additional internal documents from the EU which show how the parties involved in the development of a 'government to government' solution to FATCA were aware of negative advice from the Commission's department of Justice in relation to the lack of adequate data protection safeguards in the US.

Click here to view.

11 April 2020 - Letter to EDPB PETI TAXUD

This letter discusses additional EU documents showing that the European Commission believed that the bilateral FATCA Agreements (known as 'IGAs') were a 'quick' and 'temporary' solution ahead of a bilateral EU-US solution, which would only solve 'some' of the existing data protection concerns.

The documents call into question recent statements from the Commission about its knowledge of data protection concerns back in 2010-12.

Click here to view.

9 April 2020 - Letter to EDPB PETI TAXUD

This letter discusses additional internal documents from the EU which show that the European Commission failed to follow up on its own data protection concerns in its dialogue with the US concerning the adoption of a 'government to government' solution to extend FATCA to all EU Member States.

Whilst the European Commission raised data protection concerns, by the end of 2014 it was led by Pierre Moscovici, who signed the FATCA Agreement on behalf of France, thus making it politically difficult for the European Commission to react to additional concerns raised by data protection authorities between 2012 and 2016.

Click here to view.

7 April 2020 - Letter to EDPB PETI TAXUD

This letter discusses internal documents from the EU which call into question a recent statement from Commissioner Paolo Gentiloni, according to whom 'to date there is no evidence' that the bilateral FATCA Agreements breach EU law.

Click here to view.

3 April 2020 - Letter to EDPB PETI TAXUD

This is the first of a series of letters discussing internal documents from the EU showing the 'worrying concerns' harboured by the European Commission ahead of the adoption of bilateral FATCA Agreements with the US.

Click here to view.

 

March 2020
6 March 2020 - Letter re EDPB Guidelines

This letter, originally sent to the UK's data protection authority and later circulated to the European Parliament and data protection authorities, discusses the absence of any data protection safeguards in the bilateral FATCA Agreement signed by the UK and the US in the light of EU guidelines published in January 2020 for the transfer of data outside the EEA.

Click here to view.

 

16 Nov 2019 - Letter to PETI  EDPB following Public Hearing on FATCA

This letter expands on the presentation made by Filippo Noseda before the European Parliament during a public hearing organised to discuss the extraterritorial nature and data protection implications of FATCA following a petition by a US-born French citizen known as Jude.

Click here to view.

2016 – 2019 correspondence with the OECD

This letter brings together our emails to the OECD that raise concerns in relation to data protection. Most of them were ignored at the time and are now part of the material submitted to the OECD's Data Protection Commissioner and the French data protection regulator (CNIL) as part of our data protection complaint against the OECD.

Click here to view the correspondence.

 

 
