Correspondence

Posted on 29 July 2020

This page collects the correspondence between Mishcon de Reya and the relevant institutions, such as the Information Commissioner’s Office, the European Parliament, the Petitions Committee (PETI), the European Data Protection Board (EDPB), the European Commission (TAXUD) and the Organisation for Economic Cooperation and Development (OECD).

The Mishcon de Reya Hacking and Data Breaches List includes various instances of hacking against tax authorities in the US, the UK and the rest of the EU, supporting our client's claim that FATCA unnecessarily exposes sensitive personal and financial data to the risk of hacking. 

As the first law firm in Europe to instigate legal proceedings against the excessive nature of both FATCA and the CRS, the team at Mishcon de Reya has a deep understanding of the interaction between systems of automatic information exchange as well as the wider data protection angle.

Under the European Convention on Human Rights (ECHR), the right to privacy is a fundamental right. This means that any interference with this right is subject to strict legal requirements.

The Mishcon de Reya Hacking and Data Breaches List

This list was prepared to support Jenny's claim that FATCA unnecessarily exposes sensitive personal and financial data of compliant citizens to the risk of hacking. In another case, the UK tax authorities acknowledged that the incidents reported by Mishcon de Reya were 'serious', but refused to back down from automatically exchanging information across borders. The list includes various instances of hacking against tax authorities in the US, the UK and the rest of the EU, including a hacking against Bulgaria that led to the theft of the entire database of the local tax authorities (between 5 and 7 million citizens affected).  More recent incidents concerning the National Supercomputer and even the European Parliament confirm the fundamental problem of data security.

Click here to view.

Letters

October 2020
22 October 2020 to PETI re holding the Commission to account

This letters brings together the evidence showing how the European Commission might have misled the European Parliament in relation to the Commission's involvement with FATCA and its own 'worrying' concerns about the data protection implications of FATCA. Accordingly, this letter calls on the European Parliament to hold the Commission to account.

Click here to view the letter

22 October 2020 to the Information Commissioner about farcical delays

This letter considers two recent notices which the Information Commissioner's Office issued against itself for failing to respect deadlines.

This poor state of affairs is indicative of the difficulties encountered by citizens seeking to defend their fundamental right to data protection. At the time of writing this letter, almost a year elapsed since the original complaint was filed on 11 November 2019.

Click here to view the letter

10 October 2020 letter to EU & ICO re Tax Information Exchange judgment (C-245/19)

This letter discusses the implications of a judgment issued on 6 October 2020 by the Court of Justice of the European Union (CJEU) in relation to the compatibility of tax information exchange on request with the EU Charter of Fundamental rights. This judgment was issued on the same day of the Privacy International judgment which is discussed in our letter dated 6 October 2020.

Both judgments have wide-ranging repercussions for FATCA as well as the Common Reporting Standard (CRS).

Click here to view the letter.

6 Oct 2020 to EU & ICO re Privacy International (C-623/17)

This letter discusses the implications of the judgment from the Court of Justice of the European Union (CJEU) in a case brought by Privacy International against the UK for Jenny's legal challenge.

This is the latest of a string of judgments from the CJEU confirming the fundamental nature of the right to data protection and privacy.

Click here to view the letter.

 

September 2020
28 Sept 2020 letter to the EDPB re 'groundless claim'

This letter discusses the recent response from the UK tax authorities ('HMRC') in Jenny's crowdfunded case. According to HMRC, a legal challenge against the excesses of FATCA based on the fundamental rights enshrined in the EU Charter of Fundamental Rights and the European Convention on Human Rights (ECHR) is 'groundless and in large part comprise an abuse of process'. HMRC also considers that 'no court would make an order which would require HMRC to act unlawfully'.

The letter calls on the European data protection authorities to finally take position in the Kafkaesque debate on the data protection implications of FATCA and other systems of automatic exchange of information.

Click here to view the letter.

17 Sept 2020 to HMRC re Council of Europe's Support

This letter discusses a message of support received by Jenny's legal team praising it for its 'relentless defence of the right to data protection' and asks HMRC to drop its hostile and obstructionist approach in a case of significant public interest.

Click here to view the letter.

10 Sept 2020 to Elizabeth Denham re Preliminary Suspension Order in 'Schrems II' case

This letter discusses the gulf that exists between the UK Information Commissioner's Office and other major national data protection authorities in enforcing fundamental data protection rights, at least in the area of FATCA.

Click here to access the letter.

10 Sept 2020 letter to Andrea Jelinek (EDPB Chair) re IRS data breach affecting Austrians

This letter discusses the latest IRS data breach affecting EU citizens and criticises the lack of action by the European Data Protection Board (EDPB). 

Click here to view the letter.

9 Sept 2020 to the EU re UK government's breach of international law

This letter discusses the UK government's recent announcement that it will introduce legislation to partially override the Brexit agreement 'in violation of international law'. The letter also shows how the UK Government brushed aside concerns raised by the EU data protection authorities to sign the first ever FATCA agreement with the US, just two months after the EU data protection authorities had raised 'worrying' concerns.

Click here to view the letter.

7 September 2020 letter to the Council of Europe re their Schrems II statement

This letter discusses today's Joint Statement by the Chair of the Council of Europe data protection committee and its Data Protection Commissioner discussing the implications of the recent European judgment in the Schrems II case for data protection.

The Council of Europe was one of the first bodies to raise data protection concerns in relation to systems of automatic exchange of information and this letter invites the Council of Europe to reiterate its existing concerns in the light of the recent Schrems II judgment.

Click here to access the letter.

4 September 2020 to EDPB following Chair's appearance before European Parliament

This letter discusses the existence of two weights and two measures. The Chair of the European Data Protection Board's words before the European Parliament in defence of data protection following the recent Schrems II judgment sound very hollow when it comes to enforcing the same rights in the context of FATCA.

Click here to access the letter.

 

August 2020
25 August 2020 letter to the EU & the ICO re MPs criticism of the ICO

This letter discusses a recent appeal from 20 MPs to the UK's Information Commissioner criticising her office for failing to enforce people's rights and holing the Government to account 'in the current COVID-19 pandemic and beyond'.

Click here to view the letter.

14 Aug 2020 letters to the EU, the ICO and the OECD re Economist and Country-by-Country List

These letters discuss a recent article that appeared in The Economist about Jenny's crowdfunded case. It also discusses a list published by the Australian Tax Authorities showing aggregate information sent to approx. 100 jurisdictions, including many countries with a poor human rights record.

Click here to view the letter to the EU and the ICO

Click here to view the letter to the OECD

7 Aug 2020 to EU and ICO re public IRS 'Name & Shame' Lists

This letter considers the European Commission's invitation to US citizens who do not wish to be subject to FATCA to expatriate.

This letter shows that the IRS issues public 'Name & Shame' list of expatriating individuals, which violates most basic data protection principles under the GDPR and the EU Charter of Fundamental Rights and exposes the European Commission's disingenuous approach to FATCA.

Click here to view the letter.

 

July 2020
31 July 2020 to the EDBP Chair

This letter discusses the ICO's continued refusal to consider the implications of the recent judgment from the Court of Justice of the European Union which declared the existing EU-US legal framework for the transfer of data collected in the EU to the US to be illegal.

Click here to view the letter.

28 July letter to CNIL re GDPR Complaint against OECD

This letter considers the implications of the recent judgment of the Court of Justice of the European Union (CJEU) in the 'Schrems II' case on our GDPR complaint against the OECD.

The CJEU decided in 'Schrems II' that transfers of personal data to non-EEA Member States without 'adequate safeguards' are illegal.

In a letter to our Firm, the OECD's Secretary-General claims that this judgment does not apply to the OECD, confirming the view that the Common Transmission System operated by the OECD represents a huge data protection black hole at the heart of the EU.

Click here to view this letter.

28 July 2020 letter to Elizabeth Denhman re UK Government's statement on Schrems 2

This letter deals with the implications of Brexit on data protection. The UK Government confirmed in a written statement to Parliament that the recent CJEU decision in the Schrems II case is binding for the UK during the Brexit transitional period.

This has direct implications for Jenny's complaint.

Click here to view the letter.

26 July 2020 letter to the EDPB and the ICO re Schrems interview

This letter to the EDPB and the UK information Commissioner discusses a recent interview in which Maximiliam Schrems described the handling of GDPR complaints by national data protection authorities as 'kafkaesque'. It is noteworthy that the same term was used by a British MEP during the hearing on FATCA that took place before the European Parliament on 12 November 2019. (link to previous correspondence)

Click here to view the letter.

25 July 2020 Letter to Elizabeth Denham re Schrems FAQs

This letter considers the implications of the recent 'Frequently Asked Questions' (FAQs) published by the EDPB following the EU Judgment in the Schrems II case for Jenny's case.

The letter also refers to a data breach affecting the Florida Tax Office, which underpins the data security concerns of FATCA.

Click here to view the letter

25 July letter from Claimant to the EDPB (Austrian CRS Challenge)

Most of the correspondence in this section relates to FATCA and Jenny's legal challenge in the UK. However, the same issues arise in relation to the Common Reporting Standard (CRS), which is subject to a legal challenge in Austria. Following the publication of the EU judgment in the Schrems II case, the Claimant in that case sent a letter to the EU raising the similarities between his challenge and Jenny's case.

Click here to view the letter

23 July 2020 to ICO General Counsel re ICO's independence

Following the intervention of the ICO's General Counsel in Jenny's case (nearly eight months after the date of the original complaint), this letter is a reminder of the concerns that exist in relation to the handling of this case, in particular with reference to the ICO's independence.

Click here to view the letter

21 July to the Elizabeth Denham, Andrea Jelinek, Bruno Gencarelli, Dolors Montserrat

This letter contains a direct appeal to the UK Information Commissioner and its EU counterparts to intervene in the FATCA debate following the recent EU Judgment in the Schrems II case, which held that the existing legal framework for the transfer of data to the US is illegal.

Click here to view the letter

20 July 2020 letter to Ms Elizabeth Denham re Data Protection Impact Assessment (DPIA)

Following revelations in the press that the UK Government failed to adhere to the principles of the GDPR in relation to the Covid-19 track-and-trace programme, this letter asks the UK Information Commissioner to clarify its statements about the existence of an adequate 'Data Protection Impact Assessment' (DPIA) in relation to UK FATCA.

Click here to view the letter

20 July 2020 letter to Bruno Gencarelli, (Head of Unit – International Data Flows and Protection)

This letter to the Head of the European Commission's Unit on International Data Flows and Protection, which was written shortly after the Court of Justice of the European Union declared the framework for data flows between the EU and the US ('Privacy Shield') to be illegal, asks the Commission to take immediate action and consider the individual complaint that was filed on 8 April 2020.

In the complaint, Mishcon asked the European Commission to commence infringement proceedings against EU Member States in relation to the conclusion of FATCA agreements.

Click here to view the letter.

18 July 2020 Letter to the Chairs of the EDPB and the PETI

This letter is a riposte to the statement issued by the Chair of the EDPB following the recent CJEU judgment in the Schrems 2 case.

The statement claims that the EDPB has been raising concerns over the data protection implications of the transatlantic transfer of data.

However, the EDPB's alleged commitment in this area does not extend to FATCA, which is a type of system of EU-US data transfer.

Click here to view the letter.

16 July 2020 letters to ICO, EU and OECD following Schrems 2 Judgment

The attached letters discuss the implications of the EU judgment in the Schrems 2 case (C-311/18) for the various claims.

The judgment held that the existing EU-US framework for the transfer of data (known as 'Privacy Shield') is invalid.  This has direct implications for FATCA as well as CRS transfers to non-EU Member States

Click here to view the letter to the ICO

Click here to view the letter to the EU

Click here to view the letter to the OECD

15 July 2020 to EDPB and the CNIL

This letter discusses the recent decision from the OECD's Secretary-General in response to our data protection complaint under the OECD rules.

In its decision, which is the first of this kind since the introduction of the CRS, the OECD refused to assume any responsibility in relation to the data of individual bank account holders.

Given the huge numbers and risks at stake, the letter calls on the European Data Protection Board and the French Data Protection Commissioner to intervene.

Click here to view the letter.

 

June 2020
30 June 2020 to EDPB

This letter discusses the data protection implications of the statistics released on 30 June 2020 by the OECD which confirm that last year 84 million accounts were subject to automatic information exchange under the CRS, for an aggregate value of €10 trillion.

Click here to view the letter.

25 June 2020 to EDPB

This letter discusses the GDPR report published by the European Commission entitled 'Data protection as a pillar of citizens’ empowerment' and its repercussions for the ongoing legal challenges against the excessive nature of FATCA and the CRS.

Click here to view the letter.

19 June 2020 letter to EDPB

This letter discusses the recent decision from the UK Information Commissioner's Office in Jenny's case and its implications for the European Data Protection Board.

Click here to view the letter.

16 June 2020 letter to the EDPB

This letter considers the position of the European Data Protection Board (EDPB) following yesterday's judicial appeal against a decision from the Austrian Data Protection Authority, which was led by the Chair of the EDPB.

Click here to view the letter.

3 June 2020 letter to EDPB

This letter criticises the European Data Protection Board's refusal to intervene to enforce data protection in the context of FATCA and the CRS.

The letter is in response to an email from the EDPB, which you will find on page 2 of our letter.

Click here to view the letter.

 

May 2020
28 May 2020 letter to the OECD re lack of response/accountability

The attached letter to the OECD's Pascal Saint-Amans addresses the lack of response to our previous correspondence and the OECD's lack of accountability.

Click here to view the letter.

27 May 2020 letter to Elizabeth Denham CBE (UK Information Commissioner)

This letter asks for a direct intervention by the UK Information Commissioner into Jenny's data protection complaint following concerns about the policy driven decision-making of her staff. 

Click here to view this letter.

26 May 2020 letter to the OECD

This letter considers the OECD's recent move of hiring one technician to assist reporting jurisdictions with the data security implications of sending sensitive personal and financial data across borders.

The letter shows the inadequacy of the measures, which appear as a response to our investigation into the data protection risks of the Common Transmission System (CTS), which is the system used by 101 jurisdiction to exchange CRS data.

Click here to view the letter.

26 May 2020 letter to the ICO

This letter considers the numbers of accounts subject to FATCA and makes some comparisons with the size of the US Covid-19 stimulus package, the EU budget and the world's biggest sovereign funds. 

Click here to access the letter.

25 May 2020 letter to the ICO

On the second anniversary of the introduction of GDPR, this letter demands action in a file that has been  on the desk of the UK Information Commissioner's Office (ICO) for over six months.  In its previous correspondence, the ICO said that they were seeking a 'policy view' on the Complaint. As the UK's independent data protection authority, the ICO should not get itself involved with policy, nor the politics of FATCA. Similar letters have been sent to the European Commission and the European Parliament.

Click here to access the letter

21 May 2020 letter to the ICO

This letter considers the ICO's approach in the last stages of Jenny's data protection complaint.

In particular, it queries the ICO's intention to obtain 'a policy view' before issuing a decision.

Click here to access the letter.

19 May 2020 letter to the OECD

This letter considers the implications OECD's argument that the OECD does not have any knowledge in relation to the data that goes through the 'Common Reporting System' (CTS), a system developed and administered by the OECD used by tax authorities all over the world use to transmit CRS-data to each other.

The letter also consider the OECD's statement that the CTS is 'secure' in the light of recent hacking incidents against EasyJet, several European Supercomputers and even the European Parliament.

Click here to access the letter. 

14 May 2020 to EDPB PETI TAXUD

This letter discusses additional evidence from the European Commission showing that the European Commission was actively involved in a dialogue with the US on FATCA as far back as 2011.

The new evidence calls into question recent statements made by European Commissioners before the European Parliament, which deny the existence of any such dialogue and (indirectly) the existence of data protection concerns. This is contradicted by the evidence discussed in our earlier letters, notably the letters dated 3, 7, 9, 11 and 13 April 2020.

Separately, the letter raises fresh concerns in relation to the security of data exchanged under FATCA, following the hacking of the UK National Supercomputer on 12 May 2020.

Click here to access the letter.

8 May 2020 to EDPB PETI TAXUD

This letters brings together various instances in which the European Commission appears to have misled the European Parliament in relation to its own involvement in the negotiation of bilateral FATCA agreements between EU Member States and the US, known as 'Intra-governmental Agreements' (IGAs) – see also our letter dated 14 May 2020 for additional evidence.

This letter raises the question of the Commission's accountability to the European Parliament, which is enshrined in the EU Treaty.

Click here to access the letter.

5 May 2020 letter to the UK data protection authorities (ICO): Implications of ICO's COVID-19 statement for FATCA

This letter considers a statement made by the UK's Information Commissioner (Elizabeth Denham) before the Joint Human Rights Committee of the UK Parliament in relation to the data protection implications of COVID-19 tracing apps.

The letter claims that the same data protection principles (transparency, necessity, data security) apply to FATCA and asks the ICO to bring its investigation against the UK tax authorities to a conclusion.

Click here to access the letter.

1 May 2020 letter to the OECD

This letter, which was filed following our data protection complaint against the OECD in relation to the Common Transmission System (CTS), brings together the existing data protection concerns raised by multiple European data protection authorities, as well as the relevant case law.

Click here to access the letter.

 

April 2020
29 April 2020 correspondence with the OECD

This letter discusses the interaction between the GDPR and the OECD's own data protection rules in relation to the 'Common Transmission System' (CTS) which was developed and is managed by the OECD to enable governments to transfer CRS data to each other. 

The letter contains separate requests to the French data protection regulator, which is dealing with a GDPR Complaint against the OECD.

Click here to access the letter

26 April letter to the OECD

This letter addresses raising data security concerns following an investigation into the IT systems designed by the IRS and the OECD to enable tax authorities to transfer FATCA and CRS data to each other.

The investigation shows that the US 'International Data ExchangeSystem' (IDES) was designed by a company with close links to the US intelligence community.

The letter requests the OECD to provide evidence of an independent vetting of the system before it was deployed, as well as written reassurances from governments that they have not built a 'back-door' into the CTS and will not seek to access it for intelligence purposes.

Click here to access the letter.

22 April 2020 – Letter to the OECD

This letter discusses the data security risks posed by the 'Common Transmission System' (CTS) designed and operated by the OECD.  The CTS is the platform which tax authorities use to actually exchange information.  By creating a single-entry point for thousands of exchanges (4,500 bilateral exchanges concerning 47 million accounts worth €4.9tn in 2018), the OECD appears like the architect of a data protection disaster waiting to happen.

This letter ends with a GDPR Complaint before the French data protection authorities.

Click here to view.

19 April 2020 – Letter to EDPB PETI TAXUD

The attached letter discusses the latest of a long series of cyber-attacks against tax authorities, government agencies and financial institutions.

These incidents demonstrate that FATCA exposes compliant taxpayers to unnecessary and disproportionate risks for their data security.  FATCA was designed almost a decade ago.  Since then, there have been countless high-profile incidents brought together in the Mishcon de Reya Hacking and Data Breaches List.

Click here to review.

13 April 2020 - Letter to EDPB PETI TAXUD

This letter discusses additional internal documents from the EU which show how the parties involved in the development of a 'government to government' solution to FATCA were aware of negative advice from the Commission's department of Justice in relation to the lack of adequate data protection safeguards in the US.

Click here to view.

11 April 2020 - Letter to EDPB PETI TAXUD

This letter discusses additional EU documents showing that the European Commission believed that the bilateral FATCA Agreements (known as 'IGAs') were a 'quick' and 'temporary' solution ahead of a bilateral EU-US solution, which would only solve 'some' of the existing data protection concerns.

The documents call into question recent statements from the Commission about its knowledge of data protection concerns back in 2010-12.

Click here to view.

9 April 2020 - Letter to EDPB PETI TAXUD

This letter discusses additional internal documents from the EU which show that the European Commission failed to follow up on its own data protection concerns in its dialogue with the US concerning the adoption of a 'government to government' solution to extend FATCA to all EU Member States.

Whilst the European Commission raised data protection concerns, by the end of 2014 it was led by Pierre Moscovici, who signed the FATCA Agreement on behalf of France, thus making it politically difficult for the European Commission to react to additional concerns raised by data protection authorities between 2012 and 2016.

Click here to view.

7 April 2020 - Letter to EDPB PETI TAXUD

This letter discusses internal documents from the EU which call into question a recent statement from the Commissioner Paolo Gentiloni according to whom 'to date there is no evidence' that the bilateral FATCA Agreements breach EU law.

Click here to view.

3 April 2020 - Letter to EDPB PETI TAXUD

This is the first of a series of letters discussing internal documents from the EU showing the 'worrying concerns' harboured by the European Commission ahead of the adoption of bilateral FATCA Agreements with the US.

Click here to view.

 

March 2020
6 March 2020 - Letter re EDPB Guidelines

This letter, originally sent to the UK's data protection authority and later circulated to the European Parliament and data protection authorities, discusses the absence of any data protection safeguards in the bilateral FATCA Agreement signed by the UK and the US in the light of EU guidelines published in January 2020 for the transfer of data outside the EEA.

Click here to view.

 

16 Nov 2019 - Letter to PETI  EDPB following Public Hearing on FATCA

This letter expands on the presentation made by Filippo Noseda before the European Parliament during a public hearing organised to discuss the extraterritorial nature and data protection implications of FATCA following a petition by a US-born French citizen known as Jude.

Click here to view.

2016 – 2019 correspondence with the OECD

This letter brings together our emails to the OECD that raise concerns in relation to the data protection. Most of them were ignored at the time and are now part of the material submitted to the OECD's Data Protection Commissioner and the French data protection regulator (CNIL) as part our data protection complaint against the OECD.

Click here to view the correspondence.

 

 

How can we help you?

How can we help you?

Subscribe: I'd like to keep in touch

If your enquiry is urgent please call +44 20 3321 7000

COVID-19 Enquiry

Please enter your first name
Please enter your last name
Please enter your enquiry
Please enter your email address
Please enter your phone number
Please select a contact method

I'm a client

Please enter your first name
Please enter your last name
Please enter your enquiry
Please enter an email address
Please enter your phone number
Please enter a value

I'm looking for advice

Please enter your first name
Please enter your last name
Please enter your enquiry
Please select a department
Please enter your email address
Please enter your phone number
Please select a contact method

Something else

Please enter your first name
Please enter your last name
Please enter your enquiry
Please enter your email address
Please enter your phone number
Please select your contact method of choice