Eleanor Chuck
Welcome to this Mishcon Academy Digital Session. My name is Eleanor Chuck and I am Senior Business Development Manager in the Disputes Resolution Team at Mishcon de Reya. I am delighted to welcome and introduce you to our two panellists, Adam Rose, Partner in our Commercial and Data Protection Team, who has over 25 years’ experience advising corporates and individuals on data protection and freedom of information cases, and Filippo Noseda, Partner at Mishcon de Reya, Visitor Professor at King’s College and a dual qualified English solicitor and Swiss lawyer, specialising in advising clients on international tax and estate planning issues. In today’s session we will discuss the privacy lessons learnt from the recent Court cases around FATCA and CRS. Filippo and Adam will give us an overview of the case they are leading on for their client, Jenny, a US born UK resident who has become well-known for her ongoing challenge to the way the UK has allowed her personal financial data to be shared with the US Authorities under FATCA.
Filippo, shall we kick off by… do you want to tell us about FATCA and how it came to this, how we got here today?
Filippo Noseda
FATCA is an acronym, it stands for Foreign Accounts Tax Compliance Act. It was introduced in 2010 by the US Congress. It was designed as a reaction to scandals of the early 2000s, private banking scandals where the Americans realised that a lot of wealthy Americans were hiding money in secretive offshore accounts. The US said that in order for banks to invest in US assets, they would either suffer a penalty withholding tax of 30% or they could avoid such a withholding tax on making US investments on behalf of clients if they undertook to exchange information automatically about any US person owning a bank account abroad. So, effectively, it was a way of getting rid of banking secrecy. It’s a US law with extraterritorial effect and therefore what Congress didn’t realise was that in order for foreign banks to plug into the system, they had to have some kind of domestic legislation and so pronto in 2012, the US with the help of a number of countries, released a standard agreement to be entered by Governments on a bilateral basis to effectively allow FATCA to operate. So the way FATCA operates is that I’m an American, I have a bank account outside of the US, America taxes Americans by virtue of the citizenship so, I might be sitting in the UK, I might have a bank account in the UK but I’m American.
What happens next is that my bank collects my personal information and financial information, which is my name, my date of birth, my place of birth, my social security number, TIN we call it, my address, then my bank account number, how much I’ve got on the account, account balance, and how much was paid into the account throughout the year, then the bank either alone or with the help of outside service providers, send the information to the local tax authorities in the UK, that’s HMRC, which then either on its own or with the help of outside providers sends that information to the US, which then unpacks it and tries to match the information with whatever data the US citizen has put in their tax return.
Eleanor Chuck
Adam, what does this mean from a data protection perspective?
Adam Rose
The thing one’s got to remember about data protection law is it does the opposite to that. It basically is a piece of… at its greatest, it’s a piece of human rights legislation and it’s actually always worth going back, I should probably go back a bit and think the reason GDPR exists and GDPR came into force in 2018, is that Europe during the first half and indeed into the second half of the last century, was controlled by the kind of people who if you ended up on the wrong list, might kill you and knowing that that’s the philosophical background to all of this means that Europe has always taken, or has since then, taken privacy very seriously and taken the protection of data very seriously and sets out a whole bunch of rules which give individuals a number of rights over their data and puts obligations on the people who are controlling that data to take certain care in relation to data so, we’re only talking about personal data and personal data is any data that relates to living, identifiable individuals and GDPR, which is the current incarnation of data protection law but flows back, there was a 1995 directive, then we had the 2016 regulation which is GDPR and post-Brexit, we have a UK version called UK GDPR and Europe still has GDPR in its other 27 member states plus three other members of the EEA, the European Economic Area. All of those pieces of law set out some quite clear guidance as to what you have to do and in simple terms, you have to tell people what you are going to do with their data and then do that. It puts obligations on controllers, the people who decide what data they are holding, to hold that data so that they process it fairly and lawfully and in a transparent manner. It should only be collected for limited purposes and no more than is necessary and not kept any longer than is necessary. Data should be accurate, it should be kept secure.
Individuals are given rights, in a number of occasions GDPR talks about effective judicial remedy for individuals whose rights are broken and the key thing, and all of that by way of background to where it intersects with Filippo talking about FATCA, so you can’t transfer data abroad unless certain things are put in place, certain protections are in place and I’m going to sort jump ahead or jump back to jump ahead, which is there was an Austrian PhD student called Max Schrems, who a number of people will have heard about, Schrems did two cases, the second case, the European Court decided that you couldn’t just simply sign a piece of paper of standard contractual clauses that people might have come across and send data to say America, you also had to think about who am I sending it to and is it protected once it arrives there? And the problem with FATCA and the reason why GDPR and FATCA are at loggerheads here, is data just gets sent to America, where we know because the European Court has said, we know it’s not as safe as if it was sitting here.
Eleanor Chuck
Let’s turn to Jenny, the famous case at the heart of this. How does it land on your desk?
Filippo Noseda
Jenny is an American by birth, she grew up in the US, in 2000 she moved to the UK for college, she never worked in the US beforehand, she went to college, she went to Uni, she fell in love with a Brit, they married, she naturalised as a UK national and then in 2016 she got a letter from her bank, remember that FATCA applied… was designed to catch Americans living in the US, hiding money offshore, but you have Jenny living in her town and she got a letter from next door, from the bank next door, high street, to say we believe we have information to suggest that you might be evading US tax and we therefore are going to exchange this information, i.e. date of birth, name of birth and everything to the US, to which Jenny was very compliant, got really scared because she has family back in the US and she was concerned that she might be denied entry to the US. She also found out that America potentially taxes Americans on a worldwide basis, just based on citizenship so, if you are American and effectively you pay tax in the UK then you have to pay also tax in the US and then there is a system between the US and the UK, the country where you are living and the country of nationality, affected to offset tax. And because that is complicated, the US Government brought in a rule to effectively facilitate relocation of Americans abroad to further US economic interest by saying that if you earn less than today 108,000 dollars then you do not have to pay tax. Very few people earn more than 108,000 dollars, certainly not Jenny so, when she rushed to an accountant to do her tax returns because she now knew that as an American you have to file a tax return in America even though you live somewhere else, and when the accountant said to her look there’s no tax to pay because you earn that, at that point she got you know from scared and puzzled to concerned and furious. She independently tried to talk to the Treasury in the UK, they said we’re not, you know, we’re not interested.
She then sends a letter to the ICO, the presumably independent data commissioner in the UK, to ask for information about FATCA, she wanted to know if I am in this position when I do not owe any tax, how many people in my position and is it 90% and naturally HMRC turned her down and so she lodged a complaint with the ICO and surprisingly, and that’s why I say the ICO is supposedly independent, the ICO instead of looking to the GDPR in this philosophical issues that Adam was referring to earlier, sided with HMRC on the basis of a very close relationship between the US and the UK doesn’t make much sense from a data protection person. So, she came to us and we then started crowd funding and after a long and tortuous road, on October 27 I believe, we finally filed a claim before the High Court in London on her behalf with HMRC as Defendant and this is where we are at this stage.
Adam Rose
The sort of the extraterritorial effect of FATCA which again is interesting because GDPR has an extraterritorial effect…
Filippo Noseda
Absolutely.
Adam Rose
So you’ve got two laws which totally overreach what normal law does fighting each other.
Filippo Noseda
The narrative about FATCA is about these bad, rich fat cats who are stealing, hiding money and stealing tax and because that narrative is predominant and there has never been a debate outside of data protection circles about FATCA, people do not realise that in order to achieve a very noble objective, information about potentially 90% of people with bank accounts get swooped up, including Jenny, that have got no relevance whatsoever for data protection actually the reverse is true, the data of potentially 90% of people is exchanged over the internet because that’s how the data is exchanged, exposing a compliant citizen to huge risks of hacking and we know, we compiled a list which is on our Mishcon pages of now over a hundred pages listing incidents concerning the IRS, HMRC, central banks, everyone but that debate is not yet taking place and I think that we, you know, Jenny is actually putting that debate back in the, you know, in the forefront of people’s minds. In order for a state to limit legitimately a person’s right to privacy, three things need to be met. One, you have to have a legal basis and FATCA has a legal basis, B, you need to pursue a public objective and clearly FATCA does because it tries to stem out tax evasion but thirdly, it needs to be proportionate.
Adam Rose
It’s a lack of… I guess it’s a lack of proportionality in the whole approach of FATCA which is the sort of the offensive thing.
Eleanor Chuck
So, to sum up what you’ve just said, both of you, essentially it’s about proportionality and Jenny is merely holding the data protection authority, the ICO in the UK, to account because it hasn’t done what it said it would do.
Adam Rose
It’s two things, it’s the ICO and HMRC because HMRC is effectively just sort of acting as the poodle for FATCA, it’s just sort of… and possibly an unruly poodle.
Filippo Noseda
Well, it’s poodle sort of very naughty because HMRC says but we are simply implementing the law and the law is an agreement between our Government and the US Government to transfer this data so, you know, don’t look at us but the reality is that HMRC has been praising its whole leadership in achieving a global rollout of FATCA and the CRS so, I think it’s a bit naughty for a Government to say we want a law with which people do not potentially agree, then you apply that law in relation to a person, by doing so we violate someone’s rights under the GDPR and then that person cannot in a way complain because we are applying the law that we ourselves brought in. So, it’s, I think it’s important that Jenny’s fundamental right and the GDPR are ascertained, with a Court effectively declares that her rights have been violated and then from there, who knows, you know, others will have to take it from there. The European Commission is getting nervous and HMRC is getting nervous because the way they are throwing the kitchen sink at Jenny, trying to thwart her claim, is clearly a sense of weakness. If you really felt strong, you’d say, come and have a debate but they are really trying to avoid a debate in an open Court.
Eleanor Chuck
Where do you think this is going to end up?
Filippo Noseda
Well, there are other rules on transparency like public register or beneficial ownership of companies, there is a lot there but I think that the pendulum must come back and, you know, we must find a balance in the centre. If, as a bank, if your body, the British Bankers Association, if you are a European body, the European Banking Federation, writes letters to say that FATCA does not work and if your Government ignores you and introduced these laws and you know exactly that you’ve got two laws which are conflicting and you now decide because it’s good for business that you just follow this law here and you turn a blind eye to a law that you’ve been saying is not legal, people say FATCA has not yet been declared legal so you are doing fine but this law here is already in force and actually is a bit higher because GDPR is derived from the European Convention of Human Rights and for the EU, from the European Charter of Human Right, FATCA and everything else, it’s an exception to the rule so, if Jenny were to win her case, I wonder what the other Litigants might do.
Adam Rose
So the UK in trying to create its own path that’s different to the European path while somehow staying friends with Europe, it’s always sort of do we look west towards the Atlantic and towards America or do we look east towards Europe? It’s always interesting to see how that plays out. The UK Government has indicated it wants to review and revise data protection and it’s again looking in both directions at the same time, they are looking to try and give individuals more rights but also trying to reduce the amount of what they would call regulation and red tape and bureaucracy on organisations and I don’t think you can have both of those things, they again contradict each other so at the moment, whether the UK goes to become a sort of deregulated little island off the coast of Europe and we have no regulatory framework for this sort of thing at all, which obviously there are some cheerleaders for, how that would impact on the UK’s position, would the UK still feel comfortable involved in a CRS mechanism or a FATCA mechanism in those contexts, it’s very hard to tell where that will play out but meanwhile, Jenny’s case continues and you’d have thought other cases will follow, if not in this area, in other related areas as well.
Eleanor Chuck
Thank you ever so much Filippo, Adam for a fantastic session. Thank you to our audience for joining us today and to our speakers for their insight and practical advice. Thank you very much.
Filippo Noseda
Thank you.