Correspondence

Posted on 27 May 2020

The Mishcon de Reya Hacking and Data Breaches List

This list was prepared to support Jenny's claim that FATCA unnecessarily exposes sensitive personal and financial data of compliant citizens to the risk of hacking. In another case, the UK tax authorities acknowledged that the incidents reported by Mishcon de Reya were 'serious', but refused to back down from automatically exchanging information across borders. The list includes various instances of hacking against tax authorities in the US, the UK and the rest of the EU, including a hack against Bulgaria that led to the theft of the entire database of the local tax authorities (between 5 and 7 million citizens affected). More recent incidents concerning the National Supercomputer and even the European Parliament confirm the fundamental problem of data security.

Click here to view.

Letters
 

3 June 2020 letter to EDPB

This letter criticises the European Data Protection Board's refusal to intervene to enforce data protection in the context of FATCA and the CRS.

The letter is in response to an email from the EDPB, which you will find on page 2 of our letter.

Click here to view the letter.

28 May 2020 letter to the OECD re lack of response/accountability

The attached letter to the OECD's Pascal Saint-Amans addresses the lack of response to our previous correspondence and the OECD's lack of accountability.

Click here to view the letter.

27 May 2020 letter to Elizabeth Denham CBE (UK Information Commissioner)

This letter asks for a direct intervention by the UK Information Commissioner into Jenny's data protection complaint following concerns about the policy-driven decision-making of her staff.

Click here to view this letter.

26 May 2020 letter to the OECD

This letter considers the OECD's recent move of hiring one technician to assist reporting jurisdictions with the data security implications of sending sensitive personal and financial data across borders.

The letter shows the inadequacy of the measures, which appear to be a response to our investigation into the data protection risks of the Common Transmission System (CTS), which is the system used by 101 jurisdictions to exchange CRS data.

Click here to view the letter.

26 May 2020 letter to the ICO

This letter considers the numbers of accounts subject to FATCA and makes some comparisons with the size of the US Covid-19 stimulus package, the EU budget and the world's biggest sovereign funds. 

Click here to access the letter.

25 May 2020 letter to the ICO

On the second anniversary of the introduction of GDPR, this letter demands action in a file that has been on the desk of the UK Information Commissioner's Office (ICO) for over six months. In its previous correspondence, the ICO said that they were seeking a 'policy view' on the Complaint. As the UK's independent data protection authority, the ICO should not get itself involved with policy, nor the politics of FATCA. Similar letters have been sent to the European Commission and the European Parliament.

Click here to access the letter

21 May 2020 letter to the ICO

This letter considers the ICO's approach in the last stages of Jenny's data protection complaint.

In particular, it queries the ICO's intention to obtain 'a policy view' before issuing a decision.

Click here to access the letter.

19 May 2020 letter to the OECD

This letter considers the implications of the OECD's argument that the OECD does not have any knowledge in relation to the data that goes through the 'Common Reporting System' (CTS), a system developed and administered by the OECD that tax authorities all over the world use to transmit CRS data to each other.

The letter also considers the OECD's statement that the CTS is 'secure' in the light of recent hacking incidents against EasyJet, several European Supercomputers and even the European Parliament.

Click here to access the letter. 

14 May 2020 to EDPB PETI TAXUD

This letter discusses additional evidence from the European Commission showing that the European Commission was actively involved in a dialogue with the US on FATCA as far back as 2011.

The new evidence calls into question recent statements made by European Commissioners before the European Parliament, which deny the existence of any such dialogue and (indirectly) the existence of data protection concerns. This is contradicted by the evidence discussed in our earlier letters, notably the letters dated 3, 7, 9, 11 and 13 April 2020.

Separately, the letter raises fresh concerns in relation to the security of data exchanged under FATCA, following the hacking of the UK National Supercomputer on 12 May 2020.

Click here to access the letter.

8 May 2020 to EDPB PETI TAXUD

This letter brings together various instances in which the European Commission appears to have misled the European Parliament in relation to its own involvement in the negotiation of bilateral FATCA agreements between EU Member States and the US, known as 'Intra-governmental Agreements' (IGAs) – see also our letter dated 14 May 2020 for additional evidence.

This letter raises the question of the Commission's accountability to the European Parliament, which is enshrined in the EU Treaty.

Click here to access the letter.

5 May 2020 letter to the UK data protection authorities (ICO): Implications of ICO's COVID-19 statement for FATCA

This letter considers a statement made by the UK's Information Commissioner (Elizabeth Denham) before the Joint Human Rights Committee of the UK Parliament in relation to the data protection implications of COVID-19 tracing apps.

The letter claims that the same data protection principles (transparency, necessity, data security) apply to FATCA and asks the ICO to bring its investigation against the UK tax authorities to a conclusion.

Click here to access the letter.

1 May 2020 letter to the OECD

This letter, which was filed following our data protection complaint against the OECD in relation to the Common Transmission System (CTS), brings together the existing data protection concerns raised by multiple European data protection authorities, as well as the relevant case law.

Click here to access the letter.

29 April 2020 correspondence with the OECD

This letter discusses the interaction between the GDPR and the OECD's own data protection rules in relation to the 'Common Transmission System' (CTS) which was developed and is managed by the OECD to enable governments to transfer CRS data to each other. 

The letter contains separate requests to the French data protection regulator, which is dealing with a GDPR Complaint against the OECD.

Click here to access the letter

26 April letter to the OECD

This letter raises data security concerns following an investigation into the IT systems designed by the IRS and the OECD to enable tax authorities to transfer FATCA and CRS data to each other.

The investigation shows that the US 'International Data Exchange System' (IDES) was designed by a company with close links to the US intelligence community.

The letter requests the OECD to provide evidence of an independent vetting of the system before it was deployed, as well as written reassurances from governments that they have not built a 'back-door' into the CTS and will not seek to access it for intelligence purposes.

Click here to access the letter.

22 April 2020 – Letter to the OECD

This letter discusses the data security risks posed by the 'Common Transmission System' (CTS) designed and operated by the OECD. The CTS is the platform which tax authorities use to actually exchange information. By creating a single-entry point for thousands of exchanges (4,500 bilateral exchanges concerning 47 million accounts worth €4.9tn in 2018), the OECD appears to be the architect of a data protection disaster waiting to happen.

This letter ends with a GDPR Complaint before the French data protection authorities.

Click here to view.

2016 – 2019 correspondence with the OECD

This letter brings together our emails to the OECD that raise concerns in relation to data protection. Most of them were ignored at the time and are now part of the material submitted to the OECD's Data Protection Commissioner and the French data protection regulator (CNIL) as part of our data protection complaint against the OECD.

Click here to view the correspondence.

19 April 2020 – Letter to EDPB PETI TAXUD

The attached letter discusses the latest of a long series of cyber-attacks against tax authorities, government agencies and financial institutions.

These incidents demonstrate that FATCA exposes compliant taxpayers to unnecessary and disproportionate risks for their data security. FATCA was designed almost a decade ago. Since then, there have been countless high-profile incidents brought together in the Mishcon de Reya Hacking and Data Breaches List.

Click here to review.

13 April 2020 - Letter to EDPB PETI TAXUD

This letter discusses additional internal documents from the EU which show how the parties involved in the development of a 'government to government' solution to FATCA were aware of negative advice from the Commission's department of Justice in relation to the lack of adequate data protection safeguards in the US.

Click here to view.

11 April 2020 - Letter to EDPB PETI TAXUD

This letter discusses additional EU documents showing that the European Commission believed that the bilateral FATCA Agreements (known as 'IGAs') were a 'quick' and 'temporary' solution ahead of a bilateral EU-US solution, which would only solve 'some' of the existing data protection concerns.

The documents call into question recent statements from the Commission about its knowledge of data protection concerns back in 2010-12.

Click here to view.

9 April 2020 - Letter to EDPB PETI TAXUD

This letter discusses additional internal documents from the EU which show that the European Commission failed to follow up on its own data protection concerns in its dialogue with the US concerning the adoption of a 'government to government' solution to extend FATCA to all EU Member States.

Whilst the European Commission raised data protection concerns, by the end of 2014 it was led by Pierre Moscovici, who signed the FATCA Agreement on behalf of France, thus making it politically difficult for the European Commission to react to additional concerns raised by data protection authorities between 2012 and 2016.

Click here to view.

7 April 2020 - Letter to EDPB PETI TAXUD

This letter discusses internal documents from the EU which call into question a recent statement from Commissioner Paolo Gentiloni, according to whom 'to date there is no evidence' that the bilateral FATCA Agreements breach EU law.

Click here to view.

3 April 2020 - Letter to EDPB PETI TAXUD

This is the first of a series of letters discussing internal documents from the EU showing the 'worrying concerns' harboured by the European Commission ahead of the adoption of bilateral FATCA Agreements with the US.

Click here to view.

6 March 2020 - Letter re EDPB Guidelines

This letter, originally sent to the UK's data protection authority and later circulated to the European Parliament and data protection authorities, discusses the absence of any data protection safeguards in the bilateral FATCA Agreement signed by the UK and the US in the light of EU guidelines published in January 2020 for the transfer of data outside the EEA.

Click here to view.

16 Nov 2019 - Letter to PETI EDPB following Public Hearing on FATCA

This letter expands on the presentation made by Filippo Noseda before the European Parliament during a public hearing organised to discuss the extraterritorial nature and data protection implications of FATCA following a petition by a US-born French citizen known as Jude.

Click here to view.
