Correspondence

Posted on 1 August 2021

This page collects the correspondence between Mishcon de Reya and the relevant institutions, such as the Information Commissioner’s Office, the European Parliament, the Petitions Committee (PETI), the European Data Protection Board (EDPB), the European Commission (TAXUD) and the Organisation for Economic Cooperation and Development (OECD).

The Mishcon de Reya Hacking and Data Breaches List includes various instances of hacking against tax authorities in the US, the UK and the rest of the EU, supporting our client's claim that FATCA unnecessarily exposes sensitive personal and financial data to the risk of hacking. 

As the first law firm in Europe to instigate legal proceedings against the excessive nature of both FATCA and the CRS, the team at Mishcon de Reya has a deep understanding of the interaction between systems of automatic information exchange as well as the wider data protection angle.

Under the European Convention on Human Rights (ECHR), the right to privacy is a fundamental right. This means that any interference with this right is subject to strict legal requirements.

The Mishcon de Reya Hacking and Data Breaches List

This list was prepared to support Jenny's claim that FATCA unnecessarily exposes sensitive personal and financial data of compliant citizens to the risk of hacking. In another case, the UK tax authorities acknowledged that the incidents reported by Mishcon de Reya were 'serious', but refused to back down from automatically exchanging information across borders. The list includes various instances of hacking against tax authorities in the US, the UK and the rest of the EU, including a hacking against Bulgaria that led to the theft of the entire database of the local tax authorities (between 5 and 7 million citizens affected).  More recent incidents concerning the National Supercomputer and even the European Parliament confirm the fundamental problem of data security.

Click here to view.

Letters

September 2021
13 Sept 2021 response to European Commission (FISMA)

This letter is a response to an email from the Head of the European Commission's financial services directorate in which he defended his recent statements before the European Parliament. The letter highlights the gap between the Commission's statements and the evidence (including internal documents from the Commission).

Click here to view the letter.

11 Sept 2021 – Letter to the EU and national DPAs – "an optical illusion"

This letter discusses the recent responses from the European Commission and national data protection authorities to our request to take action against the disproportionate nature of FATCA.

Click here to view this letter.

9 Sept 2021 reply to the European Commission

This letter discusses the European Commission's holding reply to our complaint dated 7 April 2020 under Art. 258 of the EU Treaty (infringement proceedings against EU Member States).

Click here to view the letter.

3 Sept 2021 to PETI and COM following latest FATCA Hearing (Fact-Check)

This letter fact-checks the statement made on behalf of the European Commissioners during the latest hearing on FATCA before the European Parliament's Petitions Committee.

Click here to view the letter.

 

August 2021
16 Aug 2021 letter to British MPs

This letter to concerned MPs discusses the implications, for FATCA, of the news that the UK Government is to scrap the proposed introduction of a centralised automated register of bank accounts 'following a benefits-cost analysis'.

Click here to view the letter.

10 August 2021 letters to EDPB and Commission re Art. 70 GDPR and Art. 258 TFEU

These letters discuss the implications of our recent correspondence to the data protection authorities of all EU Member States for the EDPB and the European Commission, who stated in 2012 that 'there is a strong argument that FATCA is now within the competence of the EU'.

Click here to view the letter to the European Commission.
Click here to view the letter to the EDPB.

1 August 2021 letters to national Data Protection Authorities (DPAs)

Following the 'invitation' from the European Data Protection Board to EU Member States to review the compatibility of FATCA agreements with the GDPR, these letters contain formal requests to a selected number of national DPAs to ensure that the invitation is followed up at national level.

Click here and here to view the letters to the Austrian DSB.
Click here to view the letter to the Belgian APD-GBA
Click here to view the letter to the Bulgarian CPDP
Click here and here to view the letters to the Croatian AZOP.
Click here to view the letter to the Cypriot DPC
Click here to view the letter to the Czech UOOU
Click here to view the letter to the Danish Datatilsynet
Click here and here to view the letters to the Dutch AP.
Click here to view the letter to the Estonian AKI
Click here to view the letter to the Finnish Data Protection Ombudsman
Click here and here to view the letters to the French CNIL.
Click here and here to view the letters to the German BfDI.
Click here to view the letter to the Greek DPA
Click here to view the letter to the Irish DPC
Click here and here to view the letters to the Italian GPPD.
Click here to view the letter to the Latvian DPA
Click here and here to view the letters to the Lithuanian VDAI.
Click here and here to view the letters to the Luxembourg CNPD.
Click here to view the letter to the Maltese DPC
Click here to view the letter to the Polish UODO
Click here to view the letter to the Portuguese CNPD
Click here to view the letter to the Romanian DPA
Click here to view the letter to the Slovak PD
Click here to view the letter to the Slovenian IP-RS
Click here to view the letter to the Spanish AEPD
Click here to view the letter to the Swedish IMY

 

July 2021
29 July 2021 letter to EU re Lithuanian response

This letter discusses the Lithuanian response to the need to review the FATCA agreements following recent case law from the Court of Justice of the European Union. The Lithuanian response is in direct contrast to the responses provided by the French, German and Dutch responses discussed in previous letters.

Click here to view the letter.

22 July 2021 to EDPB re reply to Dutch MEP re Statement 4/2021

This letter discusses the EDPB's formal reply to a Dutch MEP who queried the scope and effectiveness of the EDPB's invitation to EU Member States to review the compatibility of international data transfer with the GDPR in relation to FATCA.

The letter also discusses the European Parliament's latest study on the repercussions of the Schrems II judgment.

Click here to view the letter.

16 July letter to the EU re Official German statistics

This letter discusses official statistics published by the German Government on the number of accounts disclosed under FATCA, as well as the CRS.

The numbers confirm the enormous risks for the protection and safety of the data of compliant citizens.

Click here to view the letter.

14 July 2021 letter to British MPs

This letter is addressed to a group of British MPs who in the past addressed written questions to the UK government on FATCA.

Click here to view the letter.

13 July 2021 to EU re number of Petitions before PETI

This letter discusses the four FATCA-related petitions currently before the European Parliament's Petition Committee (PETI) and the implications for the lack of decisive action on the part of the European data protection authorities.

Click here to view the letter.

8 July 2021 to EDPB re Dutch response to Statement 4/2021

This letter to the European Data Protection Board discusses the recent response from the Dutch national data protection agency's invitation from the EDPB to consider the compatibility of FATCA with fundamental rights.

This letter should be read in conjunction with our riposte letters to the Chair of the French data protection authority (CNIL), the Dutch Ministry of Finance and the German data protection authority (BfDI) (19, 21 and 22 June 2021 respectively).

Click here to view the letter.

6 July 2021 to EDPB re agenda item on FATCA

This letter discusses the FATCA item on the agenda of the next plenary meeting of the European Data Protection Board (EDPB) and asks why the EDPB refuses to engage with data protection campaigners.

Click here to view this letter.

 

June 2021
23 June 2021 to EU re German MPs Motion 19/29264 on the CRS

This letter discusses the direct link between FATCA and the CRS through a motion tabled by 47 German MPs.

The letter calls on the EU and national data protection authorities to step into the debate on the compatibility of systems of automatic exchange of information (AEOI) in general with individuals' fundamental rights.

Click here to view this letter.

22 June 2021 to Chair of German BfDI

This letter to the Chair of the German data protection regulator (BfDI) is in response to a letter written by the BfDI to a German MP who had asked the BfDI to intervene on the FATCA debate following the EDPB's Statement 4/2021 on international transfers of data.

The letter criticises the Chair of the BfDI for ignoring recent case law from the CJEU, hinting to a political unwillingness to take active part in the FATCA debate.  The letter argues that this is contrary to the BfDI's duties under the GDPR.

This letter should be read in conjunction with our riposte letters to the Chair of the French data protection authority (CNIL) and the Dutch Ministry of Finance (19 and 21 June 2021 respectively).

Click here to view the letter to the Chair of the BfDI (German version)

Click here to view the letter to the Chair of the BfDI (English version)

Click here to view the letter to the EDPB

21 June 2021 to the Council of Europe (State of Play)

This letter provides the Council of Europe's consultative committee for the data protection convention n. 108 with an update of recent developments in the campaign to raise awareness on the data protection implications of FATCA and other systems of automatic exchange of information.

In its previous work, the Council of Europe raised concerns about the compatibility of automatic exchange of information with data protection rights.

Click here to view the letter

21 June 2021 to the EU – Dutch Finance Ministry

This letter discusses a recent response from the Dutch Finance Ministry in relation to the EDPB's invitation to review the compatibility of international data transfers agreements with individuals' fundamental rights.

The Dutch government considers the current system to be 'compliant with the GDPR' even before a review is carried out, suggesting the persistence of an institutional refusal to tackle the criticism levelled by the European Parliament against the European Commission and national data protection authorities.

The response from the Dutch government follows hot on the heels of a reply from the Chair of the French data protection authority (CNIL) to a French senator which conveniently forgot to mention recent legal developments.

Click here to view the letter.

19 June 2021 to Chair of French CNIL  

This letter to the Chair of the French data protection regulator (CNIL) is in response to a letter written by the CNIL to a French senator who had asked the CNIL to intervene on the FATCA debate following the EDPB's Statement 4/2021 on international transfers of data.

The letter criticises the Chair of the CNIL for omitting relevant information from her response, hinting to a political unwillingness to take active part in the FATCA debate.  The letter argues that this is contrary to the EDPB's duties under the GDPR.

Click here to view the letter to the Chair of the CNIL (French version)

Click here to view the letter to the Chair of the CNIL (English version)

Click here to view the letter to the EDPB

16 June 2021 Complaint to the EU Ombudsmam

The attached letter is a complaint against the European Commission for failure to engage with us in relation to our 3 April 2020 request: that infringement proceedings against EU Member States for signing FATCA IGAs are against the Commission's 'worrying' concerns about the data protection implications of FATCA

Click here to view the letter.

16 June 2021 to EU re Facebook judgment (C-645/19)

This letter discusses the implications of the latest data protection judgment from the Court of Justice of the European Union (CJEU) for FATCA, as well as the CRS.

The CJEU held in the Facebook judgment that the GDPR provides a direct legal basis for national data authority to bring legal proceedings for data protection violations.  This is in clear contrast with the stated position of the Austrian data protection authority led by the Chair of the European Data Protection Board in a case concerning the Common Reporting Standard and confirms the European Parliament's concerns about the 'insufficient level of enforcement of the GDPR' in relation to FATCA, 'despite the significant CJEU case law developments over the past five years'.

Click here to view the letter.

7 June 2021 letter to EU re 2012 letter from WP29 on 'highest level of protection'

This letter discusses the implications of a letter written by the EU's working party on data protection in 2012 for a recent statement issued by the European Data Protection Board on 'international transfers of data'.

The letter shows that the EDPB's predecessor was ahead of its time when it warned on the need to ensure the 'highest level of protection' for data leaving the EU (which is the core finding in the European Court of Justice judgment in the Schrems 2 case) and calls on the EU to take action now.

Click here to view the letter to the EDPB.

Click here to view the letter to the Commission.

4 June 2021 letter to European Commission re Politico interview

This letter discusses the implications of a recent interview given by Commissioner Věra Jourová to the political magazine Politico for Jenny's complaint about the excessive nature of FATCA, which has been on the Commission's desk since 7 April 2020.

Click here to view the letter.

 

May 2021
26 May 2021 to ICO re lack of inactivity (10 months)

This letter discusses recent events at international level and calls on the ICO to stop avoiding the issues raised in Jenny's complaint dated 11 November 2019.

Click here to view the letter.

20 May 2020 to EU following Parliament Resolution criticising Commission and EDPB

This letter discusses the repercussions of the latest resolution from the European Parliament which openly criticises the European Commission and the EU data protection authorities for failing to take decisive action against the excessive nature of FATCA.

Click here to view the letter to the Commission

Click here to view the letter to the EDPB

15 May 2021 letter to EU re article in 'Politico' confirming political interference

This letter discusses an article published in EU political magazine 'Politico' citing sources from EU officials who confirmed that the EDPB was forced to water down the language of its recent Statement 4/2021 on the compatibility of international agreements with data protection rights.

Click here to view this letter.

11 May  2021 letter to EDPB re State of Play, Politics and the missing WP29 letter

This letter discusses the latest development since the publication, by the European Data Protection Board, of its Statement 4/2021 by which the EDPB urged EU Member States to review the compatibility of FATCA with EU fundamental rights.

The letter also considers the curious story of a key piece of evidence that was removed from the European Commission's website.

Click here to view the letter.

7 May 2021 letter to the EDPB re national Data Protection Authorities       

This letter discusses various developments at national level following the publication of a statement by the European Data Protection Board in which the EDPB urged EU Member State to review automatic information exchange agreements with non-EU countries.

The letter calls on the EDPB to lean on national Data Protection Authorities to take decisive action.

Click here to view this letter.

 

April 2021
26 April 2020 letter to EU on forthcoming Commission statement on EDPB 4/2021

This letter discusses the ramifications of the recent statement issued by the European Data Protection Board (EDPB) on the need to review and renegotiate international data transfer agreements following a series of seminal judgments by the Court of Justice of the European Union (CJEU).

The letter urges the Commission to address the data protection issues connected with FATCA and the Common Reporting Standard.

Click here to view the letter.

14 April 2021 letter to EU on the EDPB Statement on international agreements

This letter discusses the EDPB's recent invitation to EU Member States to review international agreements involving data transfers and urges the EDPB to apply its principle to FATCA IGAs to reflect previous statements by the EU data protection body.

Click here to view the letter.

12 April 2021 letter to the EU regarding EDPS Necessity Checklist

This letter follows a long list of correspondence in which we raised the disproportionate nature of automatic exchange of information. Now, the European Data Protection Supervisor (EDPS) published a checklist on necessity and proportionality of data protection measures which applies neatly to FATCA, as well as the CRS.

Click here to view the letter.

11 April 2021 letter to EU on the Mishcon de Reya Hacking List's milestone

This letter discusses the growth of the Mishcon de Reya Hacking and Data Breaches List from 14 pages when it was first attached to our 16 November 2019 letter to the EU to over 70 pages currently. 

The amount of hacking incidents confirms that FATCA (as well as the CRS) expose millions of compliant citizens to disproportionate and unnecessary risks to their data protection and data security.

Click here to view the letter.

7 April 2020 letter to EU on the hack of European Commission

This letter discusses the coincidence of the European Commission's hack and its reply on the Solarwind hack. The letter confirms the point made in our Hacking List, that a hacking of FATCA and CRS data is a question of when, not if.

Click here to view the letter.

 

March 2021
10 March 2020 letter to the EU regarding the EDPB Statement 03/2021

This letter discusses the implications, for FATCA and the CRS, of the latest pronouncement from the European Data Protection Board on the importance of complying with the principles of proportionality and necessity when processing data.

Click here to view the letter.

9 March 2021 Letter to the EU on the EDPS Opinion 4/2021

This letter discusses the need for a fair and objective debate about the data protection implications of FATCA and the CRS, taking inspiration from an opinion issued by the European Data Protection Supervisor (EDPS) on 8 March 2021.

Click here to view the letter

3 March 2021 letter to EU regarding the Estonian case (C-746/18)

This letter discusses the latest case from the European Court of Justice confirming the illegality of generalised processing of data without judicial/independent oversight.

Click here to view the letter

 

February 2021
24 February 2021 to the EU Council's High Level Working Party on Taxation

This letter is addressed to the Council of the EU's working party on taxation ahead of its next meeting following the recent admission from the European Commission of the long-standing nature of FATCA's data protection issues.

Click here to view the letter.

19 February 2021 to the EU Commission regarding Infringement Proceedings

Three days after the Commission was forced to admit the long-standing nature of the data protection issues raised by FATCA, this letter asks the Commission to deal with our year old request that infringement proceedings be launched against EU Member States in circumstances where bilateral FATCA agreements breach the GDPR.

Click here to view this letter

18 February 2021 letter to the EU regarding EU's Human Rights' Action Plan

This letter discusses a plan published by the EU on 18 November 2020 which sets out the EU's priorities for human rights for 2020-2024, including mentioning data protection and privacy.

Click here to view the letter.

17 February 2021 letter to the EU on the Commission's acknowledgment of 'long standing' issue

This letter discusses the Commission's acknowledgment of the 'long-standing' nature of FATCA's data protection issues. This marks an important change of policy, as the Commission had previously refused to acknowledge the problem and represents a victory for data protection campaigners who have been trying to highlight inconsistencies in the European Commission's approach to FATCA.

Click here to view the letter.

16 February 2021 to the EU on the latest MEPs admonishment to the Commission

This letter discusses the latest call from Members of the European Parliament on the European Commission to 'stop turning a blind eye to the GDPR violations' under FATCA.

Click here to view this letter.

7 February: letter to the EU regarding the European Parliament Evaluation Report (PE662.603)

This letter discusses the latest official report on the effectiveness of automatic exchange of information within the EU.

A report issued by the European Parliament on 4 February 2021 confirms the concerns about the proportionality of automatic systems of information exchange, as well as the lack of evidence that they raise additional revenues, thus questioning the necessity of the measures.

Click here to view this letter.

3 February 2021 to the EU regarding concerns about data implications from 2013

This letter shows how the European Parliament was already aware of concerns about the data implications of FATCA in 2013. Five years later, the European Parliament adopted a resolution asking the European Commission to address these issues.

Click here to view this letter.

 

January 2021
29 January 2021 to the EU regarding concerns from the European Banking Federation

This letter discusses further evidence of the disproportionate nature of FATCA and other systems of automatic exchange of information, which require financial institutions and tax authorities to exchange information independently of the existence of any indicia of tax evasion.

This is in addition to the internal documents from the European Commission and the adverse expert opinions discussed in our previous correspondence.

Click here to view the letter.

22 January 2021 to the EU regarding Commission reply to E-005165/2020

This letter discusses the response from the European Commission regarding a parliamentary question on the data protection implications of FATCA against the backdrop of internal EU documents, confirming the existence of worrying data protection concerns that go as far back as 2010.

Click here to view the letter.

7 January 2020 to EU and ICO re upholding basic rights

These letters were written to remind the EU and the ICO of their individual responsibilities for upholding basic human rights in an age of political turmoil.

Click here to view the letter to the EDPB

Click here to view the letter to the European Parliament

Click here to view the letter to the European Commission

Click here to view the letter to the ICO

6 January 2021 letter to ICO and EU – Implications of end of Brexit Transition Period ('Adequacy')

This letter discusses the implications of the end of the Brexit Transition Period (31 December 2020) for UK FATCA.

Citing political developments over the past 10 years, the letter argues that the UK legal system might provide insufficient protection for data protection and human rights. In turn, this might have disastrous consequences for the UK digital economy, as the UK will need to show that its rule are 'effectively equivalent' to those in force in the EU in order to trade with the EU-bloc.

Click here to view the letter.

 

December 2020
31 December 2020 letters to the EU and the ICO re additional GDPR opinion (Belgium)

These letters discuss a recent opinion issued by the Belgian National Data Protection Authority which criticises the proposed introduction of a domestic register of bank accounts. This register is the domestic equivalent of FATCA and the CRS, which require the periodic transfer of bank data between two tax authorities (to reflect the foreign residence of account holders).

Click here to view the letter to the EDPB.

Click here to view the letter to the European Commission.

Click here to view the letter to the ICO.

22 Dec 2020 letter to EDPB re. OECD's statement about 'disproportionate data access'

This letter considers the implications, for FATCA as well as the CRS, of concerns raised by the OECD about 'unconstrained, unreasonable and disproportionate requirements by governments that compel access to personal data held by the private sector'.

The letter also refers to an article on FATCA that appeared in TIME Magazine on 22 December 2020.

Click here to view the letter.

21 Dec 2020 Letter to EU Commission re infringement proceedings

This letter follows on from our formal request to the European Commission to initiate infringement proceedings against EU Member States.

The original request was made on behalf of Jenny and is now been co-signed by J.R., the petitioner whose petition led to a European Parliament resolution calling on the Commission to enforce individuals' fundamental rights and take infringement proceedings in the context of FATCA.

Click here to view the letter.

19 Dec 2020 to EDBP re its 'Strategy 2021-2023'

This letter discusses the European Data Protection Board (EDPB)'s strategy paper for 2021-2023 insofar as it applies to FATCA as well as the Common Reporting Standard (CRS).

Click here to view the letter

18 Dec 2020 letter to EDPB and ICO re US Senate letter to the IRS following cyber-attack

The attached letters bring to the attention of the European Data Protection Board (EDPB) and the UK's Information Commissioner a letter that the US Senate sent to the IRS following the 'SolarWinds' attack against several US agencies, including the US Treasury.

Click here to view the letter to the EDPB

Click here to view the letter to the ICO

17 December 2020 to Chair of EDPB re dereliction of duty

This letter discusses the approach of the EDPB of non-intervention in relation to FATCA. The letter suggests that the EDPB is using the pretext 'we cannot comment on individual cases' to avoid the main issue. However, the ongoing campaign transcends Jenny's case, as it raises important data protection issues that affects millions of compliant individuals.

Click here to view the letter.

17 December 2020 letter to the European Parliament following EU letter to US

This letter takes issue with a recent letter sent by the European Council (which represents EU Member States' national governments) to the US Treasury asking to take action on the closure of bank accounts owned by a small number of 'Accidental Americans'.

The letter suggests that the EU is avoiding the main issue, which is the compatibility of FATCA as a whole with individuals' fundamental rights and calls on the European Parliament to bring the European Commission to account.

Click here to view the letter.

14 December letter to the EDPB regarding a huge cyber-attack against US Treasury

This letter discusses the latest revelations of a huge cyber-attack against the US Treasury and other US agency. It examines the implications that an increased risk of a hacking involving FATCA (as well as CRS) data have on the inactivity of the EU data protection authorities.

Click here to view the letter.

6 December 2020 letter to EDPB Chair following publication of EDPS report

This letter discusses the recent publication of a report by the European Data Protection Supervisor (EDPS) following the recent CJEU decision in the 'Schrems II' judgment (discussed in our separate letter dated 16 July 2020), and calls on the Chair of the European Data Protection Board (EDBP) to finally deal with our requests first raised in the letter dated 16 November 2019.

Click here to view the letter.

4 December 2020 letter to European Commission following condemnation by European Parliament

This letter urges the Commission to deal with Jenny's request to launch infringement proceedings against EU Member States following renewed criticism from the European Parliament against the Commission's passive approach to the US.

Click here to view the letter.

4 December 2020 letter to EDPB Chair following publication of critical report by European Parliament

This letter urges the Chair of the European Data Protection Board (EDPB) to reject political pressure from the European Commission following the publication of a damning report by the European Parliament criticising the European Commission.

Click here to view the letter.

2 December 2020 - Letter to the EDPB's Chair

This letter discusses data protection concerns contained in the recent report on information exchange published by the International Fiscal Association.

These concerns are in addition to the existing concerns discussed in our previous correspondence. 

They also amplify the concerns surrounding the EDPB Chair's role as head of the Austrian data protection authorities in relation to the CRS claim which is currently before the Austrian courts (discussed here).

Click here to view the letter.

 

November 2020
Letter dated 30 November to EDPB Chair regarding media scrutiny

This letter considers the growing media scrutiny over the European Data Protection Board's (EDPB) lack of action over the worrying data protection concerns raised in our correspondence with the EDPB.

This letter follows the publication of a leading article in Tax Notes International, a copy of which can be found at the end of the letter.

Click here to view the letter.

28 Nov 2020 letter to EDPB Chair

This letter, which was sent a day after filing a court claim in Germany in relation to the CRS, highlights the failings of the Chair of the European Data Protection Board (EDPB) in following up on concerns about the implications of the CRS, as well as FATCA, on individuals' fundamental rights.

Click here to view the letter.

27 Nov 2020 letter to the European Commission

This letter, which is part of an individual complaint made to the European Commission for breaches of EU Law by Member States in connection with FATCA, discusses recent attempts by the European Commission to influence the European data protection authorities and push FATCA and the CRS on its political agenda in spite of its own concerns about the impact of FATCA on individuals' fundamental rights.

Click here to view the letter.

14 November 2020 letter to the Chair of the EDPB following publications of EDPB Recommendations 1/2020 and 2/2020

This letter discusses the recent publication of recommendations by the European Data Protection Board following the seminal CJEU judgment in the Schrems II case, which declared the transatlantic framework for data transfer invalid.

The letter raises grave concerns in the light of the EDPB's consistent refusal to extend its analysis to systems of automatic exchange of information, such as FATCA, but also the Common Reporting Standard.

Click here to view the letter.

14 November 2020 letter to Elizabeth Denham (Information Commissioner) re EDPB Recommendations

This letter shows how the UK Information Commissioner's Office's decision dated 29 May 2020 was fundamentally flawed, as the ICO refused to consider the compatibility of UK FATCA with Jenny's fundamental rights, as required by the case law from the Court of Justice of the European Union and the Recommendations published by the European Data Protection Board.

Click here to view the letter.

10 November 2020 letter to the Chair of the European Parliament's PETI

This letter summarises some of the issues that were addressed during the public hearing before the European Parliament's Petition Committee (PETI) which has been conducting an investigation into the data protection implications of FATCA.

Click here to view the letter.

3 November 2020 letter to the EU re political interference

This letter discusses the implications of a working document issued by the European Council four days before the European Data Protection Board (EDPB) was due to meet to discuss exchange of information to non-EU countries.

The European Council represents national Governments and is therefore a political body. The intervention of politicians in the debate surrounding the legality and proportionality of FATCA represents an interesting development in what is essentially a legal battle.

Click here to view the letter.

 

October 2020
22 October 2020 to PETI re holding the Commission to account

This letters brings together the evidence showing how the European Commission might have misled the European Parliament in relation to the Commission's involvement with FATCA and its own 'worrying' concerns about the data protection implications of FATCA. Accordingly, this letter calls on the European Parliament to hold the Commission to account.

Click here to view the letter

22 October 2020 to the Information Commissioner about farcical delays

This letter considers two recent notices which the Information Commissioner's Office issued against itself for failing to respect deadlines.

This poor state of affairs is indicative of the difficulties encountered by citizens seeking to defend their fundamental right to data protection. At the time of writing this letter, almost a year elapsed since the original complaint was filed on 11 November 2019.

Click here to view the letter

10 October 2020 letter to EU & ICO re Tax Information Exchange judgment (C-245/19)

This letter discusses the implications of a judgment issued on 6 October 2020 by the Court of Justice of the European Union (CJEU) in relation to the compatibility of tax information exchange on request with the EU Charter of Fundamental rights. This judgment was issued on the same day of the Privacy International judgment which is discussed in our letter dated 6 October 2020.

Both judgments have wide-ranging repercussions for FATCA as well as the Common Reporting Standard (CRS).

Click here to view the letter.

6 Oct 2020 to EU & ICO re Privacy International (C-623/17)

This letter discusses the implications of the judgment from the Court of Justice of the European Union (CJEU) in a case brought by Privacy International against the UK for Jenny's legal challenge.

This is the latest of a string of judgments from the CJEU confirming the fundamental nature of the right to data protection and privacy.

Click here to view the letter.

 

September 2020
28 Sept 2020 letter to the EDPB re 'groundless claim'

This letter discusses the recent response from the UK tax authorities ('HMRC') in Jenny's crowdfunded case. According to HMRC, a legal challenge against the excesses of FATCA based on the fundamental rights enshrined in the EU Charter of Fundamental Rights and the European Convention on Human Rights (ECHR) is 'groundless and in large part comprise an abuse of process'. HMRC also considers that 'no court would make an order which would require HMRC to act unlawfully'.

The letter calls on the European data protection authorities to finally take position in the Kafkaesque debate on the data protection implications of FATCA and other systems of automatic exchange of information.

Click here to view the letter.

17 Sept 2020 to HMRC re Council of Europe's Support

This letter discusses a message of support received by Jenny's legal team praising it for its 'relentless defence of the right to data protection' and asks HMRC to drop its hostile and obstructionist approach in a case of significant public interest.

Click here to view the letter.

10 Sept 2020 to Elizabeth Denham re Preliminary Suspension Order in 'Schrems II' case

This letter discusses the gulf that exists between the UK Information Commissioner's Office and other major national data protection authorities in enforcing fundamental data protection rights, at least in the area of FATCA.

Click here to access the letter.

10 Sept 2020 letter to Andrea Jelinek (EDPB Chair) re IRS data breach affecting Austrians

This letter discusses the latest IRS data breach affecting EU citizens and criticises the lack of action by the European Data Protection Board (EDPB). 

Click here to view the letter.

9 Sept 2020 to the EU re UK government's breach of international law

This letter discusses the UK government's recent announcement that it will introduce legislation to partially override the Brexit agreement 'in violation of international law'. The letter also shows how the UK Government brushed aside concerns raised by the EU data protection authorities to sign the first ever FATCA agreement with the US, just two months after the EU data protection authorities had raised 'worrying' concerns.

Click here to view the letter.

7 September 2020 letter to the Council of Europe re their Schrems II statement

This letter discusses today's Joint Statement by the Chair of the Council of Europe data protection committee and its Data Protection Commissioner discussing the implications of the recent European judgment in the Schrems II case for data protection.

The Council of Europe was one of the first bodies to raise data protection concerns in relation to systems of automatic exchange of information and this letter invites the Council of Europe to reiterate its existing concerns in the light of the recent Schrems II judgment.

Click here to access the letter.

4 September 2020 to EDPB following Chair's appearance before European Parliament

This letter discusses the existence of two weights and two measures. The Chair of the European Data Protection Board's words before the European Parliament in defence of data protection following the recent Schrems II judgment sound very hollow when it comes to enforcing the same rights in the context of FATCA.

Click here to access the letter.

 

August 2020
25 August 2020 letter to the EU & the ICO re MPs criticism of the ICO

This letter discusses a recent appeal from 20 MPs to the UK's Information Commissioner criticising her office for failing to enforce people's rights and holing the Government to account 'in the current COVID-19 pandemic and beyond'.

Click here to view the letter.

14 Aug 2020 letters to the EU, the ICO and the OECD re Economist and Country-by-Country List

These letters discuss a recent article that appeared in The Economist about Jenny's crowdfunded case. It also discusses a list published by the Australian Tax Authorities showing aggregate information sent to approx. 100 jurisdictions, including many countries with a poor human rights record.

Click here to view the letter to the EU and the ICO

Click here to view the letter to the OECD

7 Aug 2020 to EU and ICO re public IRS 'Name & Shame' Lists

This letter considers the European Commission's invitation to US citizens who do not wish to be subject to FATCA to expatriate.

This letter shows that the IRS issues public 'Name & Shame' list of expatriating individuals, which violates most basic data protection principles under the GDPR and the EU Charter of Fundamental Rights and exposes the European Commission's disingenuous approach to FATCA.

Click here to view the letter.

 

July 2020
31 July 2020 to the EDBP Chair

This letter discusses the ICO's continued refusal to consider the implications of the recent judgment from the Court of Justice of the European Union which declared the existing EU-US legal framework for the transfer of data collected in the EU to the US to be illegal.

Click here to view the letter.

28 July letter to CNIL re GDPR Complaint against OECD

This letter considers the implications of the recent judgment of the Court of Justice of the European Union (CJEU) in the 'Schrems II' case on our GDPR complaint against the OECD.

The CJEU decided in 'Schrems II' that transfers of personal data to non-EEA Member States without 'adequate safeguards' are illegal.

In a letter to our Firm, the OECD's Secretary-General claims that this judgment does not apply to the OECD, confirming the view that the Common Transmission System operated by the OECD represents a huge data protection black hole at the heart of the EU.

Click here to view this letter.

28 July 2020 letter to Elizabeth Denhman re UK Government's statement on Schrems 2

This letter deals with the implications of Brexit on data protection. The UK Government confirmed in a written statement to Parliament that the recent CJEU decision in the Schrems II case is binding for the UK during the Brexit transitional period.

This has direct implications for Jenny's complaint.

Click here to view the letter.

26 July 2020 letter to the EDPB and the ICO re Schrems interview

This letter to the EDPB and the UK information Commissioner discusses a recent interview in which Maximiliam Schrems described the handling of GDPR complaints by national data protection authorities as 'kafkaesque'. It is noteworthy that the same term was used by a British MEP during the hearing on FATCA that took place before the European Parliament on 12 November 2019. (link to previous correspondence)

Click here to view the letter.

25 July 2020 Letter to Elizabeth Denham re Schrems FAQs

This letter considers the implications of the recent 'Frequently Asked Questions' (FAQs) published by the EDPB following the EU Judgment in the Schrems II case for Jenny's case.

The letter also refers to a data breach affecting the Florida Tax Office, which underpins the data security concerns of FATCA.

Click here to view the letter

25 July letter from Claimant to the EDPB (Austrian CRS Challenge)

Most of the correspondence in this section relates to FATCA and Jenny's legal challenge in the UK. However, the same issues arise in relation to the Common Reporting Standard (CRS), which is subject to a legal challenge in Austria. Following the publication of the EU judgment in the Schrems II case, the Claimant in that case sent a letter to the EU raising the similarities between his challenge and Jenny's case.

Click here to view the letter

23 July 2020 to ICO General Counsel re ICO's independence

Following the intervention of the ICO's General Counsel in Jenny's case (nearly eight months after the date of the original complaint), this letter is a reminder of the concerns that exist in relation to the handling of this case, in particular with reference to the ICO's independence.

Click here to view the letter

21 July to the Elizabeth Denham, Andrea Jelinek, Bruno Gencarelli, Dolors Montserrat

This letter contains a direct appeal to the UK Information Commissioner and its EU counterparts to intervene in the FATCA debate following the recent EU Judgment in the Schrems II case, which held that the existing legal framework for the transfer of data to the US is illegal.

Click here to view the letter

20 July 2020 letter to Ms Elizabeth Denham re Data Protection Impact Assessment (DPIA)

Following revelations in the press that the UK Government failed to adhere to the principles of the GDPR in relation to the Covid-19 track-and-trace programme, this letter asks the UK Information Commissioner to clarify its statements about the existence of an adequate 'Data Protection Impact Assessment' (DPIA) in relation to UK FATCA.

Click here to view the letter

20 July 2020 letter to Bruno Gencarelli, (Head of Unit – International Data Flows and Protection)

This letter to the Head of the European Commission's Unit on International Data Flows and Protection, which was written shortly after the Court of Justice of the European Union declared the framework for data flows between the EU and the US ('Privacy Shield') to be illegal, asks the Commission to take immediate action and consider the individual complaint that was filed on 8 April 2020.

In the complaint, Mishcon asked the European Commission to commence infringement proceedings against EU Member States in relation to the conclusion of FATCA agreements.

Click here to view the letter.

18 July 2020 Letter to the Chairs of the EDPB and the PETI

This letter is a riposte to the statement issued by the Chair of the EDPB following the recent CJEU judgment in the Schrems 2 case.

The statement claims that the EDPB has been raising concerns over the data protection implications of the transatlantic transfer of data.

However, the EDPB's alleged commitment in this area does not extend to FATCA, which is a type of system of EU-US data transfer.

Click here to view the letter.

17 July 2020 letters to the EU & the ICO following Luxembourg FATCA judgment

These letters discuss a recent judgment by which the Luxembourg Court of Appeal prohibited a bank from exchanging of FATCA information with the US.

This judgment was brought to the attention of the EU and the ICO one day after the Court of Justice of the European Union issued its seminal judgment in the 'Schrems II' case.

Click here and here to view the letters.

16 July 2020 letters to ICO, EU and OECD following Schrems 2 Judgment

The attached letters discuss the implications of the EU judgment in the Schrems 2 case (C-311/18) for the various claims.

The judgment held that the existing EU-US framework for the transfer of data (known as 'Privacy Shield') is invalid.  This has direct implications for FATCA as well as CRS transfers to non-EU Member States

Click here to view the letter to the ICO

Click here to view the letter to the EU

Click here to view the letter to the OECD

15 July 2020 to EDPB and the CNIL

This letter discusses the recent decision from the OECD's Secretary-General in response to our data protection complaint under the OECD rules.

In its decision, which is the first of this kind since the introduction of the CRS, the OECD refused to assume any responsibility in relation to the data of individual bank account holders.

Given the huge numbers and risks at stake, the letter calls on the European Data Protection Board and the French Data Protection Commissioner to intervene.

Click here to view the letter.

 

June 2020
30 June 2020 to EDPB

This letter discusses the data protection implications of the statistics released on 30 June 2020 by the OECD which confirm that last year 84 million accounts were subject to automatic information exchange under the CRS, for an aggregate value of €10 trillion.

Click here to view the letter.

25 June 2020 to EDPB

This letter discusses the GDPR report published by the European Commission entitled 'Data protection as a pillar of citizens’ empowerment' and its repercussions for the ongoing legal challenges against the excessive nature of FATCA and the CRS.

Click here to view the letter.

19 June 2020 letter to EDPB

This letter discusses the recent decision from the UK Information Commissioner's Office in Jenny's case and its implications for the European Data Protection Board.

Click here to view the letter.

16 June 2020 letter to the EDPB

This letter considers the position of the European Data Protection Board (EDPB) following yesterday's judicial appeal against a decision from the Austrian Data Protection Authority, which was led by the Chair of the EDPB.

Click here to view the letter.

3 June 2020 letter to EDPB

This letter criticises the European Data Protection Board's refusal to intervene to enforce data protection in the context of FATCA and the CRS.

The letter is in response to an email from the EDPB, which you will find on page 2 of our letter.

Click here to view the letter.

 

May 2020
28 May 2020 letter to the OECD re lack of response/accountability

The attached letter to the OECD's Pascal Saint-Amans addresses the lack of response to our previous correspondence and the OECD's lack of accountability.

Click here to view the letter.

27 May 2020 letter to Elizabeth Denham CBE (UK Information Commissioner)

This letter asks for a direct intervention by the UK Information Commissioner into Jenny's data protection complaint following concerns about the policy driven decision-making of her staff. 

Click here to view this letter.

26 May 2020 letter to the OECD

This letter considers the OECD's recent move of hiring one technician to assist reporting jurisdictions with the data security implications of sending sensitive personal and financial data across borders.

The letter shows the inadequacy of the measures, which appear as a response to our investigation into the data protection risks of the Common Transmission System (CTS), which is the system used by 101 jurisdiction to exchange CRS data.

Click here to view the letter.

26 May 2020 letter to the ICO

This letter considers the numbers of accounts subject to FATCA and makes some comparisons with the size of the US Covid-19 stimulus package, the EU budget and the world's biggest sovereign funds. 

Click here to access the letter.

25 May 2020 letter to the ICO

On the second anniversary of the introduction of GDPR, this letter demands action in a file that has been  on the desk of the UK Information Commissioner's Office (ICO) for over six months.  In its previous correspondence, the ICO said that they were seeking a 'policy view' on the Complaint. As the UK's independent data protection authority, the ICO should not get itself involved with policy, nor the politics of FATCA. Similar letters have been sent to the European Commission and the European Parliament.

Click here to access the letter

21 May 2020 letter to the ICO

This letter considers the ICO's approach in the last stages of Jenny's data protection complaint.

In particular, it queries the ICO's intention to obtain 'a policy view' before issuing a decision.

Click here to access the letter.

19 May 2020 letter to the OECD

This letter considers the implications OECD's argument that the OECD does not have any knowledge in relation to the data that goes through the 'Common Reporting System' (CTS), a system developed and administered by the OECD used by tax authorities all over the world use to transmit CRS-data to each other.

The letter also consider the OECD's statement that the CTS is 'secure' in the light of recent hacking incidents against EasyJet, several European Supercomputers and even the European Parliament.

Click here to access the letter. 

14 May 2020 to EDPB PETI TAXUD

This letter discusses additional evidence from the European Commission showing that the European Commission was actively involved in a dialogue with the US on FATCA as far back as 2011.

The new evidence calls into question recent statements made by European Commissioners before the European Parliament, which deny the existence of any such dialogue and (indirectly) the existence of data protection concerns. This is contradicted by the evidence discussed in our earlier letters, notably the letters dated 3, 7, 9, 11 and 13 April 2020.

Separately, the letter raises fresh concerns in relation to the security of data exchanged under FATCA, following the hacking of the UK National Supercomputer on 12 May 2020.

Click here to access the letter.

8 May 2020 to EDPB PETI TAXUD

This letters brings together various instances in which the European Commission appears to have misled the European Parliament in relation to its own involvement in the negotiation of bilateral FATCA agreements between EU Member States and the US, known as 'Intra-governmental Agreements' (IGAs) – see also our letter dated 14 May 2020 for additional evidence.

This letter raises the question of the Commission's accountability to the European Parliament, which is enshrined in the EU Treaty.

Click here to access the letter.

5 May 2020 letter to the UK data protection authorities (ICO): Implications of ICO's COVID-19 statement for FATCA

This letter considers a statement made by the UK's Information Commissioner (Elizabeth Denham) before the Joint Human Rights Committee of the UK Parliament in relation to the data protection implications of COVID-19 tracing apps.

The letter claims that the same data protection principles (transparency, necessity, data security) apply to FATCA and asks the ICO to bring its investigation against the UK tax authorities to a conclusion.

Click here to access the letter.

1 May 2020 letter to the OECD

This letter, which was filed following our data protection complaint against the OECD in relation to the Common Transmission System (CTS), brings together the existing data protection concerns raised by multiple European data protection authorities, as well as the relevant case law.

Click here to access the letter.

 

April 2020
29 April 2020 correspondence with the OECD

This letter discusses the interaction between the GDPR and the OECD's own data protection rules in relation to the 'Common Transmission System' (CTS) which was developed and is managed by the OECD to enable governments to transfer CRS data to each other. 

The letter contains separate requests to the French data protection regulator, which is dealing with a GDPR Complaint against the OECD.

Click here to access the letter

26 April letter to the OECD

This letter addresses raising data security concerns following an investigation into the IT systems designed by the IRS and the OECD to enable tax authorities to transfer FATCA and CRS data to each other.

The investigation shows that the US 'International Data ExchangeSystem' (IDES) was designed by a company with close links to the US intelligence community.

The letter requests the OECD to provide evidence of an independent vetting of the system before it was deployed, as well as written reassurances from governments that they have not built a 'back-door' into the CTS and will not seek to access it for intelligence purposes.

Click here to access the letter.

22 April 2020 – Letter to the OECD

This letter discusses the data security risks posed by the 'Common Transmission System' (CTS) designed and operated by the OECD.  The CTS is the platform which tax authorities use to actually exchange information.  By creating a single-entry point for thousands of exchanges (4,500 bilateral exchanges concerning 47 million accounts worth €4.9tn in 2018), the OECD appears like the architect of a data protection disaster waiting to happen.

This letter ends with a GDPR Complaint before the French data protection authorities.

Click here to view.

19 April 2020 – Letter to EDPB PETI TAXUD

The attached letter discusses the latest of a long series of cyber-attacks against tax authorities, government agencies and financial institutions.

These incidents demonstrate that FATCA exposes compliant taxpayers to unnecessary and disproportionate risks for their data security.  FATCA was designed almost a decade ago.  Since then, there have been countless high-profile incidents brought together in the Mishcon de Reya Hacking and Data Breaches List.

Click here to review.

13 April 2020 - Letter to EDPB PETI TAXUD

This letter discusses additional internal documents from the EU which show how the parties involved in the development of a 'government to government' solution to FATCA were aware of negative advice from the Commission's department of Justice in relation to the lack of adequate data protection safeguards in the US.

Click here to view.

11 April 2020 - Letter to EDPB PETI TAXUD

This letter discusses additional EU documents showing that the European Commission believed that the bilateral FATCA Agreements (known as 'IGAs') were a 'quick' and 'temporary' solution ahead of a bilateral EU-US solution, which would only solve 'some' of the existing data protection concerns.

The documents call into question recent statements from the Commission about its knowledge of data protection concerns back in 2010-12.

Click here to view.

9 April 2020 - Letter to EDPB PETI TAXUD

This letter discusses additional internal documents from the EU which show that the European Commission failed to follow up on its own data protection concerns in its dialogue with the US concerning the adoption of a 'government to government' solution to extend FATCA to all EU Member States.

Whilst the European Commission raised data protection concerns, by the end of 2014 it was led by Pierre Moscovici, who signed the FATCA Agreement on behalf of France, thus making it politically difficult for the European Commission to react to additional concerns raised by data protection authorities between 2012 and 2016.

Click here to view.

7 April 2020 - Letter to EDPB PETI TAXUD

This letter discusses internal documents from the EU which call into question a recent statement from the Commissioner Paolo Gentiloni according to whom 'to date there is no evidence' that the bilateral FATCA Agreements breach EU law.

Click here to view.

3 April 2020 - Letter to EDPB PETI TAXUD

This is the first of a series of letters discussing internal documents from the EU showing the 'worrying concerns' harboured by the European Commission ahead of the adoption of bilateral FATCA Agreements with the US.

Click here to view.

 

March 2020
6 March 2020 - Letter re EDPB Guidelines

This letter, originally sent to the UK's data protection authority and later circulated to the European Parliament and data protection authorities, discusses the absence of any data protection safeguards in the bilateral FATCA Agreement signed by the UK and the US in the light of EU guidelines published in January 2020 for the transfer of data outside the EEA.

Click here to view.

 

16 Nov 2019 - Letter to PETI  EDPB following Public Hearing on FATCA

This letter expands on the presentation made by Filippo Noseda before the European Parliament during a public hearing organised to discuss the extraterritorial nature and data protection implications of FATCA following a petition by a US-born French citizen known as Jude.

Click here to view.

2016 – 2019 correspondence with the OECD

This letter brings together our emails to the OECD that raise concerns in relation to the data protection. Most of them were ignored at the time and are now part of the material submitted to the OECD's Data Protection Commissioner and the French data protection regulator (CNIL) as part our data protection complaint against the OECD.

Click here to view the correspondence.

 

How can we help you?
Help

How can we help you?

Subscribe: I'd like to keep in touch

If your enquiry is urgent please call +44 20 3321 7000

Crisis Hotline

COVID-19 Enquiry

I'm a client

I'm looking for advice

Something else