Mishcon de Reya has taken legal steps against the Common Reporting Standard (CRS) and the Beneficial Ownership registers to call into question the wider repercussions for fundamental rights and the relationship between individuals and the State. The majority of UK bank account holders living in one of the 100 plus countries that have joined the CRS will be affected by this, with many of these countries having lesser standards of data protection and/or information security.
The CRS and the Beneficial Ownership registers have been introduced to fight tax evasion and money laundering. In addition, Beneficial Ownership registers should (in the eyes of their proponents) provide additional economic benefits by making information about the ownership of companies fully accessible to the public. In the UK, ultimate beneficial ownership information has been available online since 2016 and other EU Member States will have to remove the need to demonstrate a "legitimate interest" by 2020. Practically, anyone owning a substantial interest in a private company based in Europe (or with a European subsidiary) will see their details published, regardless of where they are resident, the nature of the business or the nature of their involvement in that business.
However the rights to privacy and data protection are fundamental rights. They are the cornerstone of the General Data Protection Regulation (GDPR) – which came into force in May 2018 – and emanate directly from European Convention on Human Rights and the EU's Charter of Fundamental Rights. The transformational nature of the GDPR in defining the relationship between businesses and their customers is indicative of the strength of the fundamental rights to privacy and data protection. In order to be justified, any interference with these rights needs to have a clear legal basis, pursue a legitimate public interest (such as the fight against crime); and be proportionate, i.e. limited to what is strictly necessary to achieve the objective pursued.
Our contention is that the publication of sensitive data concerning the internal governance and ownership of private companies by the Beneficial Ownership Registers is not necessary to achieve the stated objectives. Similarly, we believe that the exchange of information under the CRS is excessive, as information is exchanged indiscriminately and affects all account holders regardless of the size of the account. The information exchanged under the CRS includes sensitive personal data (such as the name, date/place of birth and tax identification number of the account holder) as well as financial data about the financial account itself such as the account number and balance. This exposes compliant account holders to risk of hacking and data loss: it could lead to identity theft on a grand scale.
The challenge, as stated by a European data protection authority (Article 29 Working Party) in a letter to the OECD and the EU dated 12 December 2016, is to "identify methods to pursue the legitimate aim of fighting tax evasion through efficient mechanisms that do not expose individuals' rights to disproportionate interference".
Multiple letters have been written to Her Majesty's Revenue and Customs (HMRC) and Companies House to ask for confirmation that they will not exchange or publish information under the CRS or the UK version of the Beneficial Ownership Registers (a.k.a. 'PSC' registers). HMRC has already formally refused to provide such confirmation.
Accordingly, a formal complaint has now been issued to the UK's Information Commissioner under the GDPR copying in the EU's data protection authorities.
Mishcon de Reya Partner Filippo Noseda, who is leading this legal action, said:
"After more than three years of assiduous campaigning on this issue and the publication of a comprehensive report by the Mishcon Academy, the time has come to take action. There is a wealth of objective evidence supporting our proposition not least the comparisons made between the CRS and the Data Retention Directive – the latter of which was effectively declared illegal by the European Court of Justice in 2016. In a democratic society, the rights to privacy and data protection are an essential safeguard to protect compliant citizens against potential abuses and must be treated with the appropriate seriousness by the authorities."
To find out more about the legal action please contact CRS@Mishcon.com.
EU national challenges HMRC over new data sharing rules - Financial Times (subscription only)