Mishcon de Reya is acting for an Austrian client with a small bank account in Germany (€40) seeking to challenge the legislation relating to the Common Reporting Standard ("CRS"), which he believes breaches his fundamental rights to data protection and privacy.
Mishcon de Reya was the first firm to bring a data protection complaint against the excesses of CRS in the EU in a case that was reported in the press, including The Financial Times and The Guardian.
CRS and DAC2
Under the CRS, banks and other financial institutions based in any of the 100+ participating jurisdictions are required to send all personal and financial information of any account holder to the local tax authorities for onward transmission to the tax authorities of the country of residence of the account holder. The information exchange, which takes place on an annual basis and includes 'controlling persons' of corporate structures/trusts/foundations is independent of any actual underlying tax liability. All it takes is for an individual to have a bank account abroad/to be the 'controlling person' of a company/trust/foundation that has a bank account abroad.
In the EU, the CRS has been implemented through a directive commonly known as 'DAC2'.
Violation of the fundamental rights to privacy and data protection
Whilst the objective of preventing tax evasion is sound, the claim argues that the CRS/DAC2 are disproportionate and represent a violation of fundamental rights to privacy and data protection, as the transfer of information under the CRS/DAC2 does not require any indicia of tax evasion and operates independently of any underlying tax liability for the account holder.
However, EU law and the European Convention on Human Rights provide that limitations to the fundamental rights to privacy and data protection are only allowed to the extent that they are necessary to achieve the objective and both the European Court of Justice and the UK Supreme Court have held that the necessity test is a strict one.
Violation of GDPR principles
In addition, the claim argues that the sharing of personal and financial information is in direct breach of several GDPR principles (data minimisation and lawfulness of data processing, lack of safeguards for transfers of information to non-EEA countries).
Transfer of data to non-EEA countries
The need for strong safeguards for transfers of data to non-EEA countries was reiterated by Court of Justice of the European Union (CJEU) in a case concerning the transfer of data to the US ('Schrems 2' case). The need for appropriate safeguards for transfers of data outside the EEA was also at the heart of guidelines issued by the European Data Protection Board in January 2020, which also apply to FATCA and the CRS.
Data security risks
The OECD confirmed that in 2019, exchange under the CRS affected some 84 million accounts, covering total assets of €10 trillion. These are huge numbers (Germany's GDP in 2019 was less than US$ 4 trillion)
The CRS/DAC2 could expose compliant individuals to a potential hack throughout the data processing chain as data is passed from the bank to the local tax authorities and then on to the foreign tax authorities. Indeed, the OECD has already acknowledged that CRS data was stolen during the recent Bulgarian tax hack.
Mishcon de Reya had put together a comprehensive list of hacking and data breaches incidents affecting tax authorities, other government agencies, central banks, financial institutions and private companies that support the financial industry and the UK tax authorities have already acknowledged in a separate matter that these incidents are 'serious'.
Data protection vs political expendiency
Mishcon de Reya has seen correspondence written by the European Commission in 2011-12 expressing 'worrying' data protection concerns in relation to the rolling out of FATCA to the EU
Serious concerns were also raised by the European data protection authorities from 2012 until the end of 2016. This includes a letter from the Chair of the EU's data protection workgroup to the OECD and the European Commission reiterating its 'strong concerns' and asking for a 'joint effort to identify methods to pursue the legitimate aim of fighting tax evasion through efficient mechanisms that do not expose individuals' rights to disproportionate interference'.
Two weeks later, the CRS/DAC2 were a reality.
Our client has filed a complaint against the Austrian and German tax authorities before the data protection regulators in those countries. On 15 June 2020, an appeal was filed before the Austrian Federal Administrative Court.
This is the first GDPR complaint against the CRS to end up before the Courts in Europe.
Separately, Mishcon de Reya is acting for a client, Jenny, who has launched a crowdfunding campaign on CrowdJustice seeking to challenge the legislation relating to the Foreign Account Tax Compliance Act ("FATCA") which she believes breaches her fundamental rights to data protection and privacy.
Read more here…