The Common Reporting Standard (CRS) requires banks and certain investment entities (trusts, companies, foundations, etc.) to collect sensitive personal and financial information concerning underlying individuals, and transfer that information to local tax authorities. Under the "automatic exchange of information" principle, those local authorities then transmit that information to the tax authorities of the jurisdiction in which the underlying individuals are resident.
The CRS became operative at the beginning of 2017. In the EU, the European Commission confirmed that as at December 2018, EU Member States have exchanged information in relation to 8.2 million financial accounts with an aggregate value of just under €3 trillion (€2,900 billion). According to data released by the OECD, in 2019, 83 million accounts were subject to information exchange, for an aggregate value of €10 trillion (more than twice Germany's GDP).
As the exchange of information takes place automatically, the CRS and its US counterpart (FATCA) raises fundamental questions concerning the compatibility with:
- the data protection principle that personal information should only be processed to the extent it is "necessary" to achieve the stated objective;
- the fundamental right to privacy; and
- security of information that is at risk to hackers.
Mishcon de Reya has instigated legal proceedings against the excessive nature of both FATCA and the CRS as representative of “Jenny”, a pseudonymous American living in Britain who crowdfunded the case. Jenny complained to Britain’s data-protection authority, challenging tax authorities' right to send her information to America (where she owes no tax). Doing so, she argued, breached her rights under GDPR. The claim was rejected, but the authority accepted that the tax authority did violate some GDPR guidelines.
On 29 August, Jenny sent a Letter Before Claim to HMRC, stating her intention to bring court proceedings under the Data Protection Act 2018. She is hoping to press on (with the continued support of Mishcon de Reya) despite being short of funds. The case could end up at the ECJ if it makes it there by 31 December, when the transition period for Britain’s exit from the EU ends.
To find out further information on the data protection work by Mishcon de Reya and to read the correspondence to data protection authorities, click here.