Mishcon de Reya page structure
Site header
Main menu
Main content section

This page collects the correspondence between Mishcon de Reya and the relevant institutions, such as the Information Commissioner’s Office, the European Parliament, the Petitions Committee (PETI), the European Data Protection Board (EDPB), the European Commission (TAXUD) and the Organisation for Economic Cooperation and Development (OECD).

The Mishcon de Reya Hacking and Data Breaches List includes various instances of hacking against tax authorities in the US, the UK and the rest of the EU, supporting our client's claim that FATCA unnecessarily exposes sensitive personal and financial data to the risk of hacking. 

As the first law firm in Europe to instigate legal proceedings against the excessive nature of both FATCA and the CRS, the team at Mishcon de Reya has a deep understanding of the interaction between systems of automatic information exchange as well as the wider data protection angle.

Under the European Convention on Human Rights (ECHR), the right to privacy is a fundamental right. This means that any interference with this right is subject to strict legal requirements.

The Mishcon de Reya Hacking and Data Breaches List

We prepared a list to support Jenny's claim that FATCA unnecessarily exposes sensitive personal and financial data of compliant citizens to the risk of hacking. In another case, the UK tax authorities acknowledged that the incidents reported by Mishcon de Reya were 'serious', but refused to back down from automatically exchanging information across borders. The list includes various instances of hacking against tax authorities in the US, the UK and the rest of the EU, including a hacking against Bulgaria that led to the theft of the entire database of the local tax authorities (between 5 and 7 million citizens affected).  More recent incidents concerning the National Supercomputer and even the European Parliament confirm the fundamental problem of data security.

Letters

2024
October 2024
1 Oct 2024 letter to the EDPB following today's Assange Hearing

This letter discusses the relevance of statements made by Julian Assange before the Council of Europe in the light of previous findings by the European Parliament in relation to FATCA.

Click here to view the letter.

 

September 2024
23 Sept 2024 to OECD's Secretary General following Indonesian Personal Tax Data Breach

This letter discusses the repercussions of recent revelations of a data breach that affected millions of Indonesian taxpayers for the CRS.

Click here to view the letter.

17 Sept 2024 to the EU and the ICO following TIGTA Warehousing Data Security Report

These letters discuss a report issued by the US Treasury Inspector General for Tax Administration (TIGTA) on the security issues of the IRS's massive data warehouse containing multiple years of Federal Tax Information and Personally Identifiable Information.

Click here to view the letter to the ICO

Click here to view the letter to the EU

17 Sept 2024 List of correspondence with the OECD

This list brings together the main correspondence with the OECD's Secretary General on the data protection, data security and human rights implications of the CRS.

Click here to view the list.

17 Sept 2024 to OECD's Secretary General re tax authorities "culture of care"

This letter discusses the implications of a recent report from the US Treasury report (TIGTA) and a data sharing scandal in New Zealand for the alleged "culture of care" put by the OECD at the centre of the CRS project.

Click here to view the letter.

 

August 2024
27 Aug 2024 letter to EDPB and Dutch AP following €290m Uber fine

This letter discusses the implications of a recent decision by the Dutch data protection authority to impose a €290 million fine against Uber for transferring data collected in the EU to the US.

Click here to view the letter. 

 

July 2024
31 Jul 2024 to the ICO re UK GDPR Complaint against HMRC

The attached letter follows the ICO's decision to review its decision of 29 May 2020 in the light of the European Court of Justice's judgment in the Schrems II Case (where the CJEU held that the US did not have appropriate data protection safeguards).

The letter considers recent developments and assessments by US government agencies on the deficiencies of FATCA and the IRS's systems.

Click here to view the letter.

2 Jul 2024 reply to the EDPB in relation to the scope of their powers

This letter discusses the EDPB's comments about the "limited scope" of their powers of intervention under Art. 70 GDPR.

Click here to view the letter.

 

June 2024
24 Jun 2024 to Commission re conflicting statements re jurisdiction/competence

The attached letter considers conflicting statements from the EU Commission on whether FATCA falls within its competence. 

Click here to view the letter.

22 Jun 2024 letter to PETI Chair following EU Elections (Quantitative Analysis)

This letter discusses an article containing independent data that shows the inefficiencies of FATCA and other transparency measures.

Click here to view the letter.

 

May 2024
31 May 2024 letter to the OECD following Santander hack

This letter discusses the implications of the recent Santander hack for the CRS, as well as FATCA.

Click here to view the letter.

22 May 2024 to EU Commission re Infringement Proceedings (acknowledgment)

This letter discusses today's acknowledgment, by the European Commission, of the complaint lodged on 7 April 2020 on behalf of Jenny and later extended to other EU FATCA petitioners.

Click here to view the letter.

12 May 2024 letter to the OECD following Europol hack

This letters discusses the implications of the recent Europol hack for the CRS.

Click here to view it.

 

April 2024
22 Apr 2024 to EU on recent US article on IRS data security

This letter discusses a recent article that appeared in the US quarterly magazine "National Affairs" criticising the data security track records of US agencies, including the IRS.  According to the authors', in the US Information insecurity prevails.

Click here to view the letter.

21 Apr 2024 to the EU re US Senate Comments on FATCA

This letter to the EU discusses recent comments made by US Senators during a recent hearing on Offshore Tax Evasion on the disproportionate, ineffectual and harmful nature of FATCA.

Click here to view the letter.

19 Apr 2024 to the EU and the OECD re IMF Global Financial Stability Report

This letter to the European Commission, the EDPB and the OECD discusses the implications of a recent report issued by the International Monetary Fund for existing data security concerns in relation to the safety of AEIO data.

Click here to view the letter.

5 April 2024 – Third Letter to EU on Legitimate Interest (Compromise Text)

This letter to the European Commission, the European Council and the European Data Protection Supervisor (EDPS) contains a request of information in relation to the underlying documents connected to the Compromise Text adopted in response to the CJEU Sovim judgment (C-601/20).  It also addresses the risk of abuses.

Click here to view the letter. 

 

 

 

2023
October 2023
11 Oct 2023 letter to EDPB following response from Swedish IMY

This letter discusses the recent response from the Swedish Data Protection Authority and the implications for the European Data Protection Board under Art. 70 of the GDPR.

Click here to view the letter.

2 Oct 2023 to EDPB Chair concerning Swedish report from 2014

This letter discusses the implication of an official published in Sweden in 2014 for the EDPB's contention that FATCA is not within the sphere of competence of the EDPB.

Click here to view the letter.

 

September 2023
 28 Sept 2023 letter to EDPB Chair following response to Dutch MEP

This letter discusses a recent response given by the Chair of the European Data Protection Board to a Dutch MEP who complained about the lack of progress in relation to FATCA.

The letter discusses the scope of Art. 70 GDPR (powers of the EDPB).

Click here to view the letter.

20 Sept 2023 letter to the EDPB discussing IRS weaknesses report issued by the GAO

The attached letter discusses the latest report from the US Government Accountability Office (GAO) raising concerns about the IRS's 'critical safeguard weaknesses'.

Click here to view the letter.

 

August 2023
30 Aug 2023 Letters to EU following German intervention

These letters to the EDPB and the German data protection authority (BfDI) discuss the implications of the BfDI's response to the Association of Accidental Americans, only a few months after its Belgian counterpart ruled on the illegality of FATCA.

Click here to view the letter to the German BfDI

Click here to view the letter to the EDPB

21 Aug 2023 Letter to Swedish IMY and Swedish Bar Association re historical opinions

This letter discusses historical opinions issued by the Swedish data protection authorities and the Swedish Bar Association in relation to the compatibility of FATCA with EU data protection rules.

A copy of this letter was forwarded to the Chair of the EDPB as evidence of the lack of coordination at EU level, which ought to be the EDPB's main task.

Click here to view the letter.

15 Aug 2023 letter to the FCA re debanking

Following a recent uproar in the UK due to the closure of politicians' bank accounts and the opening of an investigation by the Financial Conduct Authority (FCA), this letter requests the FCA to include FATCA-related denials of service and account closures in its investigation.

Click here to view the letter.

11 Aug 2023 letter to the EDPB re TIGTA report - "IRS lost data of millions of individuals"

This letter discusses a report issued by the US Treasury Inspector General for Tax Administration confirming the loss of millions of taxpayer data held on microfilm.

Click here to view the letter.

10 Aug 2023 letter to OECD Secretary-General

This letter to the Secretary General of the OECD follows recent questions to Parliament and a motion from 47 German MPs concerning the human rights implications of systems of automatic exchange of information, as well as fresh concerns about data safety following the hacking of the entire UK Electoral Register.

Click here to view the letter.

10 Aug 2023 letter to British MPs

This letter to British MPs who raised parliamentary questions on the human rights implications of systems of automatic exchange of information discusses recent developments in the media.

Click here to view the letter.

 

July 2023
28 July to EU Commission re Hacking Risks to the CTS and IDES

The attached letter discusses a recent revelation that the Australian Tax Office lost more than $557 million to cyber-attacks and the risks posed by the 'Common Transmission System' (CTS) maintained by the OECD and used by tax authorities the world over to exchange CRS data, as well as the 'International Data Exchange System' (IDES) maintained by the IRS. 

Click here to view the letter.

25 Jul 2023 to EDPB re the IRS's 'bubble-gum' IT systems

This letter discusses a recent testimony given by the former IRS Chief of Criminal Investigations before the US Congress Finance Committee confirming the poor state of the IRS's IT-systems processing taxpayers' data, raising further concerns about the data protection safeguards of FATCA data transferred from the EU.

Click here to view the letter.

20 Jul 2023 letter re EU Council's refusal to disclose internal documents

This letter discusses the recent decision by the General Secretariat of the Council of the European Union to disclose internal documents that discuss the data protection implications of systems of automatic exchange of information.

Click here to view the letter.

3 July 2023 to EDPB and national DPAs discussing Stephen Real's hacking case

This letter discusses a recent story appeared in the Canadian Press and the implications of the continued lack of activity on the part of the EDPB and national Data Protection Authorities for the security of EU citizens' data processed under FATCA, as well as the CRS.

Click here to view the letter.

 

June 2023
26 June 2023 letter to British MPs

This letter discusses two recent parliamentary questions about the data security implications of exchanging information with autocratic regimes.

Click here to view the letter.

14 June 2023 letters to the EU concerning declassified US National Security report on data acquisition

These letters discuss the implications of a declassified US intelligence report on the commercial acquisition of US citizens' data for Art. 46 GDPR and FATCA.

Click here to view the letter to EU Commissioners Reynders, Gentiloni and Jourová

Click here to view the letter to the EDPB and national Data Protection Authorities

9 June 2023 letters to the EDBP/DPAs and Commissioners Reynders, Gentiloni and Jurová following Belgian decision

These letters to the EU discuss the fall-out from the recent decision by the Belgian data protection authorities.

The letter summarise the failings of the European Commission and the EDPB in handling complaints under FATCA, which the recent Belgian decision have amplified.

Click here to view the letter Commissioners Reynders, Gentiloni and Jurová

Click here to view the letter to the EDBP and national Data Protection Authorities

 

May 2023
26 May 2023 to new Chair of the EDPB following Belgian decision and Polselli judgement

This letter follows hot on the heels of the recent Belgian decision to ban transfers of FATCA data to the US. It also mentions a recent US Supreme Court judgment on the IRS constraints when accessing bank accounts in the US.

Click here to view the letter

23 May 2023 to new Head of Unit (DG JUST) at the European Commission     

Following a change of personnel within the European Commission's Department for Justice, this letter summarises the engagement with the department to date.

Click here to view the letter.

22 May 2023 to the EU following €1.2bn GDPR fine against META

These letters discuss the implications, for FATCA, of today's GDPR fine levied by the Irish Data Protection Commissioner against Facebook's parent company 'META' following a procedure that involved the European Court of Justice.

Click here to view the letter to the European Commission

Click here to view the letter to the European Data Protection Board

Click here to view the letter to the national Data Protection Authorities

14 May 2023 letter to the European Council following its refusal to disclose documents

This letter asks the Council of the European Union to review a decision to refuse access to a presentation given by the OECD to the EU on data protection.

The letter highlights a consistent pattern on the part of the executive powers of the EU to frustrate access to documents in the area of FATCA and the CRS.

Click here to view the letter.

 

April 2023
14 April 2023: Information Access Requests to the EU

These letters request access to several internal EU documents as well as minutes relating to our 180+ letters to the EU .

Click here to view the First Access Request to the COM and the European Council (EUCO)

Click here to view the Second Access Request to the COM and EUCO

Click here to view the Third Access Request to the COM and EUCO

Click here to view the First Access Request to the EDPB

5 April 2023 to the EDPB Chair following her letter to the Commission on EU AML/CFT data sharing proposal

This letter discusses the parallels between the EDPB's recent letter to the European Commission discussing the EU proposals on data sharing for Anti-Money Laundering / Counter-Terrorism Financing (AML/CFT) and the letter sent a decade ago by the WP29 on FATCA.

Click here to view the letter.

3 April 2023 to the EDPB and the EU Commission on the Bank of England cyber alarm

These letters discuss the implications of the increased cybersecurity risks highlighted by the Bank of England for FATCA as well as the CRS, which require the automatic processing of sensitive personal and financial data of millions of account holders by financial institutions and tax authorities of several countries.

Click here to view the letter to the EDPB

Click here to view the letter to the Commission

 

March 2023
31 March 2023 letter to EDPB Chair on the 'Maladministration Decisions' against EDPB

This letter discusses two recent decisions by the EU Ombudsman which concluded that the way the EDPB refused access to information relating to FATCA amounts to 'maladministration'.

Click here to view the letter.

 

 

2022
November 2022
18 November 2022 to EU re Charles Rettig's article on FATCA

This letter discusses an article published by Charles Rettig two years before he became IRS Commissioner, which confirms the lack of proportionality of FATCA and its role in driving expatriations.

Click here to view the letter.

 

September 2022
30 September 2022 to EU regarding FATCA victims

This letter discusses a recent article in Bloomberg, on how US citizens are renouncing their citizenships to be able to open bank accounts.

By breaching fundamental rights to data protection and hindering the opening of bank accounts, FATCA is adversely affecting ordinary citizens.

View the letter and read the full piece (subscription required)

22 September 2022 to the EU re PETI Update Report

This letter discusses the European Parliament's updated report on the data protection implication of FATCA under EU law. The conclusions echo the original report released in May 2018. In addition, the Updated Report singles out the 'institutional dynamics' within the EU since 2018, notably the work of activists and the ineffectual approach of EU institutions ('institutional forbearance' in the case of the Commission and 'institutional deference' in the case of the European Data Protection Board.

Click here to view the letter.

19 September 2022 to the EU re Slovak DPA report

These letters discuss a report sent by the Slovak data protection agency to the Slovak ministry of finance confirming concerns about the compatibility of FATCA with the GDPR rules on the transfer of data to non-EU Member States.

The Slovak response comes one month after we sent out letters to the national data protection authorities of all EU Member States (see 1 August 2021).

Previously, concerns were also raised by the Lithuanian data protection agency (see 29 July 2021).

Click here to view the letter to the European Commission.

Click here to view the letter to the EDPB.

 

August 2022
25 August 2022 to the EU re Washington Post and Wall Street Journal IRS investigations

These letters discuss independent investigations carried out by the Washington Post and the Wall Street Journal into the document management deficiencies and the lack of funding of the IRS. 

These media reports amplify the concerns about the lack of sufficient safeguards in relation to data transferred to the IRS from the EU, which is relevant in the context of the GDPR (see our correspondence concerning the Schrems II judgment (see 16 July 2020).

Click here to view the letter discussing the Washington Post report.

Click here to view the letter discussing the Wall Street Journal report.

 

June 2022
15 Jun 2022 to EDPB Chair following letter from Dutch MEP (one year from Statement 4/2021)

The attached letter follows hot on the heels of a request sent by Dutch MEP Sophie in 't Veld to the Chair of the European Data Protection Board to receive an update of action taken by the EDPB and Member States one year from the publication of Statement 4/2021 by which the EDPB invited Member States to review the compatibility of FATCA agreements with the GDPR.

Click here to view the letter.

21 June 2022 to EDPB Chair on the Luxembourg Finance Minister's response to MEP/MP

This letter discusses a recent parliamentary response given by Luxembourg's Finance Minister. By referring back to discussions at EU level, this letter provides another example of the ineffectual back and forth between EU institutions and national authorities first reported in our letter dated 11 September 2021.

Click here to view the letter.

 

May 2022
4 May 2022 letter to OECD Secretary-General

This letter to the Secretary General of the OECD follows Russia's exclusion from the CRS and its wider implications for other countries that share a poor human rights record.

Click here to view the letter.

 

April 2022
14 April 2022 to EU Ombudsman – 2nd Complaint against Commission

This is the second complaint against the European Commission for failing to keep us informed on developments relating to our complaint brought under Art. 258 of the EU Treaty (lodged on 7 April 2020).

Click here to view the complaint.

13 April 2022 to Commission re US Treasury FATCA Report

This letter discusses a FATCA report issued on 7 April 2022 by the US Treasury Inspector General for Tax Administration (TIGA) outlining the costs and deficiencies of the implementation of FATCA by the IRS.

Click here to view this letter.

11 April 2022 letter to the Commission – 2 years' anniversary

This letter was written on the second anniversary since lodging our complaint based on Art. 258 of the EU Treaty (infringement proceedings against Member States). It brings together recent developments on both sides of the Atlantic and urges the European Commission to provide a meaningful update in relation to our complaint.

Click here to view this letter.

 

March 2022
23 March 2022 letter to PETI Chair following IRS Commissioner's testimony before Congress

This letter discusses the implications of the recent written testimony given by the IRS Commissioner Charles Rettig before the US Congress on the handling of FATCA returns for affected EU citizens.

Click here to view the letter.

9 March 2022 letter to PETI Chair following Commission response to PETI criticism

This letter discusses the European Commission's response to the PETI criticism for the lack of progress in relation to the data protection issues of FATCA.

Click here to view the letter.  

4 Mar 2022 letter to the EDPB Chair re FATCA State of Play

Following the uncovering of an internal meeting note acknowledging the increasing pressure from campaigners, this letters asks the Chair of the EU's Data Protection Board for an update on the current state of play in addressing the data protection implications of FATCA.

Click here to view the letter.

 

February 2022
17 Feb 2022 to the EU re FL House of Representatives memorandum

This letter discusses the implications of a recent memorandum sent by the Florida House of Representatives rejecting a domestic version of FATCA for the European Commission's handling of our data protection complaint dated 7 April 2020.

Click here to view the letter.

10 Feb 2022 to Reinhard Biebel (Taxud D.2) re Commission's misleading statements

This letter is a response to a letter from the European Commission's tax services 'strongly refuting' our fact-checking exercise which suggests that Commissioners Gentiloni and Jurová appear to have misled the European Parliament and MEPs on the existence of worrying concerns about the data protection implications of FATCA.

Click here to view the letter.

2 Feb 2022 to the Chair of the EDPB re DPA responses

This letter discusses responses from national data protection authorities to our letters dated 1 August 2021 and 18 December 2021.

The letter calls on the EDPB to ensure consistency in the application of the GDPR across the EU.

Click here to view the letter.

1 Feb 2021 to Emmanuel Crabit (European Commission, Director, JUST.C)

This letter asks Mr Crabit to provide a formal answer to our complaint dated 7 April 2020, following his 'Holding Reply' dated 8 September 2021, particularly in light of recent developments including the rejection of a domestic version of FATCA by the US Congress.

Click here to view the letter.

 

January 2022
17 Jan 2022 to EU Commissioner Bruno Gentiloni

This letter asks Commissioner Gentiloni to clarify the content of written answers given to parliamentary questions raised by two MEPs on FATCA.
The letter is based on evidence provided by internal Commission documents.

Click here to view the letter

17 Jan 2022 to EU Commissioner Věra Jourová

This letter asks Commissioner Jourová to clarify a statement she gave before the European Parliament during a hearing on FATCA that led to the adoption of a formal resolution in the context of J.R.'s EU Petition 1088/2016.

The letter is based on evidence provided by internal Commission documents.

Click here to view the letter

15 Jan 2022 to MEPs re Commissioner Gentiloni's answers

This letter was sent to the authors of two parliamentary questions raised within the European Parliament on FATCA. 

The letter asks the MEPs to challenge the Commission's responses based on the factual evidence contained in internal Commission documents.

Click here for the English version.

Click here for the French version.

14 Jan 2022 to Joint EU Petitioners Statement

This statement issued by the authors of the various EU FATCA petitions asks the European Parliament to exercise its supervisory powers to bring the European Commission to account in the light of the lack of response to petitioners' concerns.

Click here to view the statement

11 Jan 2022 to EU re COM response to Parliamentary Question E-004907/2021

This letter discusses the implications of today's response from the European Commission to a parliamentary question on FATCA for the work carried out by the European Parliament.

Click here to view the letter.

11 Jan 2022 to PETI Chair re national GDPR complaints

This letter discusses the delay faced by the authors of various GDPR complaints filed with national data protection authorities (DPAs) and the implications for the work carried out by the European Parliament to hold the European Data Protection Board and national DPAs to account.

Click here to view the letter.

7 Jan 2022 to Commission (UK decision)

This letter discusses the European Commission's decision not to take infringement proceedings against the UK and its implications for other EU Member States.

Click here to view the letter. 

 

 

2021
December 2021
30 Dec 2020 to Belgian and Dutch DPAs (GDPR Complaints)

These letters provide technical support to two individual GDPR complaints filed by a former member of staff of the European Union and the author of one of the EU FATCA petitions.

Click here and here for the letter to the Belgian DPA.

Click here and here for the letter to the Dutch DPA.

27 Dec 2021 to EU Commissioner Reynders

This letter to EU Commissioner Didier Reynders builds on our September 2021 correspondence with the Commission services following their 'Holding Reply' dated 12 Sept 2021 to our complaint  pursuant to Art. 258 of the EU Treaty (infringement proceedings).

Click here to view the letter.

19 Dec 2021 to the Chairs of the PETI and the EDPB

Following the recent rejection of a domestic version of FATCA by the US, these letters ask the European Data Protection Board and the European Parliament what action they are taking to put an end to the data protection crisis caused by FATCA in the EU.

Click here to view the letter to the Chair of the EDPB.

Click here to view the letter to the Chair of the PETI.

18 December 2021 letters to national Data Protection Authorities (DPAs)

Following the recent rejection of a domestic version of FATCA by the US due to data protection concerns, these letters contain formal requests to follow-up on our complaints dated 1 August 2021.

Click here to view the letter to the Austrian DSB

Click here to view the letter to the Belgian APD-GBA

Click here to view the letter to the Bulgarian CPDP

Click here to view the letter to the Croatian AZOP

Click here to view the letter to the Cypriot DPC

Click here to view the letter to the Czech UOOU

Click here to view the letter to the Danish Datatilsynet

Click here to view the letter to the Dutch AP

Click here to view the letter to the Estonian AKI

Click here to view the letter to the Finnish Data Protection Ombudsman

Click here to view the letter to the French CNIL

Click here to view the letter to the German BfDI

Click here to view the letter to the Greek DPA

Click here to view the letter to the Irish DPC

Click here to view the letter to the Italian GPPD

Click here to view the letter to the Latvian DPA

Click here to view the letter to the Lithuanian VDAI

Click here to view the letter to the Luxembourg CNPD

Click here to view the letter to the Maltese DPC

Click here to view the letter to the Polish UODO

Click here to view the letter to the Portuguese CNPD

Click here to view the letter to the Romanian DPA

Click here to view the letter to the Slovak PD

Click here to view the letter to the Slovenian IP-RS

Click here to view the letter to the Spanish AEPD

Click here to view the letter to the Swedish IMY

14 Dec 2021 to EU re US Independent Bankers Association (ICBA)

This letter discusses the privacy and data protection concerns raised by the Independent Community Bankers Association (ICBA) ahead of the recent rejection of a domestic version of FATCA by Congress.  Privacy is a 'fundamental right'.

Click here to view the letter.

13 Dec 2021 to EU re American Bankers Association (ABA)

This letter discusses the privacy and data protection concerns raised by the American Bankers Association (ICBA) ahead of the recent rejection of a domestic version of FATCA by Congress (see 30 October).  The ABA had 'serious financial privacy concerns'.

Click here to view the letter.

12 Dec 2021 to EU re US Congress letter (domestic FATCA)

This letter discusses the privacy and data protection concerns raised by a number of US Congressmen ahead of the recent rejection of a domestic version of FATCA by Congress (see 30 October). Congressmen wrote that privacy was 'one of our primary concerns'.

Click here to view the letter.

8 Dec 2021 to EU re US Senate letter (domestic FATCA)

This letter discusses the privacy and data protection concerns raised by a number of US Congressmen ahead of the recent rejection of a domestic version of FATCA by Congress (see 30 October).  Senators had 'serious privacy concerns' for an 'unreasonably burdensome' measure.

Click here to view the letter.

1 Dec 2021 to EU re FATCA State of Play

This letter provides a summary of the previous correspondence and asks for an urgent response to our 20 months' old complaint under Art. 258 of the EU Treaty (infringement proceedings against EU Member States).

Click here to view the letter.

 

November 2021

The attached excerpt from HMRC's Annual Report for 2020 shows that the UK tax authorities' data protection efforts have been rated a ‘code red’ risk, meaning taxpayers' information is vulnerable.

Click here to view the document

October 2021
30 Oct 2021 to EU re London High Court and Congress rejection of domestic FATCA

The attached letter discusses the filing of Jenny's case against HMRC before the High Court in London as well as the rejection, by the US Congress, of a proposal to introduce reporting requirements for domestic bank accounts over privacy and data protection concerns.

Click here to view the letter.

15 Oct 2021 to EU and national DPAs following report from Council of Europe

This letter discusses the latest report issued by the Council of Europe's Consultative Data Protection Committee (T-PD) on the data protection implications of automatic exchange of information.

Click here to view the letter.

14 Oct 2021 letter to the European Commission following renewed PETI criticism

This letter discusses a recent letter from the Chair of the European Parliament's Petitions Committee (PETI) to the European Commission and asks the Commission to deal with our GDPR-258 TFEU Complaint dated 3 April 2020.

Click here to view the letter

 

September 2021
27 Sept 2021 letter to the European Commission

This letter brings together a timeline of the main events concerning FATCA in the EU and asks the European Commission to provide a substantial answer to our complaint dated 7 April 2020.

Click here to view the letter.

13 Sept 2021 response to European Commission (FISMA)

This letter is a response to an email from the Head of the European Commission's financial services directorate in which he defended his recent statements before the European Parliament. The letter highlights the gap between the Commission's statements and the evidence (including internal documents from the Commission).

Click here to view the letter.

11 Sept 2021 – Letter to the EU and national DPAs – "an optical illusion"

This letter discusses the recent responses from the European Commission and national data protection authorities to our request to take action against the disproportionate nature of FATCA.

Click here to view this letter.

9 Sept 2021 reply to the European Commission

This letter discusses the European Commission's holding reply to our complaint dated 7 April 2020 under Art. 258 of the EU Treaty (infringement proceedings against EU Member States).

Click here to view the letter.

3 Sept 2021 to PETI and COM following latest FATCA Hearing (Fact-Check)

This letter fact-checks the statement made on behalf of the European Commissioners during the latest hearing on FATCA before the European Parliament's Petitions Committee.

Click here to view the letter.

 

August 2021
16 Aug 2021 letter to British MPs

This letter to concerned MPs discusses the implications, for FATCA, of the news that the UK Government is to scrap the proposed introduction of a centralised automated register of bank accounts 'following a benefits-cost analysis'.

Click here to view the letter.

10 August 2021 letters to EDPB and Commission re Art. 70 GDPR and Art. 258 TFEU

These letters discuss the implications of our recent correspondence to the data protection authorities of all EU Member States for the EDPB and the European Commission, who stated in 2012 that 'there is a strong argument that FATCA is now within the competence of the EU'.

Click here to view the letter to the European Commission.
Click here to view the letter to the EDPB.

1 August 2021 letters to national Data Protection Authorities (DPAs)

Following the 'invitation' from the European Data Protection Board to EU Member States to review the compatibility of FATCA agreements with the GDPR, these letters contain formal requests to a selected number of national DPAs to ensure that the invitation is followed up at national level.

Click here and here to view the letters to the Austrian DSB.
Click here to view the letter to the Belgian APD-GBA
Click here to view the letter to the Bulgarian CPDP
Click here and here to view the letters to the Croatian AZOP.
Click here to view the letter to the Cypriot DPC
Click here to view the letter to the Czech UOOU
Click here to view the letter to the Danish Datatilsynet
Click here and here to view the letters to the Dutch AP.
Click here to view the letter to the Estonian AKI
Click here to view the letter to the Finnish Data Protection Ombudsman
Click here and here to view the letters to the French CNIL.
Click here and here to view the letters to the German BfDI.
Click here to view the letter to the Greek DPA
Click here to view the letter to the Irish DPC
Click here and here to view the letters to the Italian GPPD.
Click here to view the letter to the Latvian DPA
Click here and here to view the letters to the Lithuanian VDAI.
Click here and here to view the letters to the Luxembourg CNPD.
Click here to view the letter to the Maltese DPC
Click here to view the letter to the Polish UODO
Click here to view the letter to the Portuguese CNPD
Click here to view the letter to the Romanian DPA
Click here to view the letter to the Slovak PD
Click here to view the letter to the Slovenian IP-RS
Click here to view the letter to the Spanish AEPD
Click here to view the letter to the Swedish IMY

 

July 2021
29 July 2021 letter to EU re Lithuanian response

This letter discusses the Lithuanian response to the need to review the FATCA agreements following recent case law from the Court of Justice of the European Union. The Lithuanian response is in direct contrast to the responses provided by the French, German and Dutch responses discussed in previous letters.

Click here to view the letter.

22 July 2021 to EDPB re reply to Dutch MEP re Statement 4/2021

This letter discusses the EDPB's formal reply to a Dutch MEP who queried the scope and effectiveness of the EDPB's invitation to EU Member States to review the compatibility of international data transfer with the GDPR in relation to FATCA.

The letter also discusses the European Parliament's latest study on the repercussions of the Schrems II judgment.

Click here to view the letter.

16 July letter to the EU re Official German statistics

This letter discusses official statistics published by the German Government on the number of accounts disclosed under FATCA, as well as the CRS.

The numbers confirm the enormous risks for the protection and safety of the data of compliant citizens.

Click here to view the letter.

14 July 2021 letter to British MPs

This letter is addressed to a group of British MPs who in the past addressed written questions to the UK government on FATCA.

Click here to view the letter.

13 July 2021 to EU re number of Petitions before PETI

This letter discusses the four FATCA-related petitions currently before the European Parliament's Petition Committee (PETI) and the implications for the lack of decisive action on the part of the European data protection authorities.

Click here to view the letter.

8 July 2021 to EDPB re Dutch response to Statement 4/2021

This letter to the European Data Protection Board discusses the recent response from the Dutch national data protection agency's invitation from the EDPB to consider the compatibility of FATCA with fundamental rights.

This letter should be read in conjunction with our riposte letters to the Chair of the French data protection authority (CNIL), the Dutch Ministry of Finance and the German data protection authority (BfDI) (19, 21 and 22 June 2021 respectively).

Click here to view the letter.

6 July 2021 to EDPB re agenda item on FATCA

This letter discusses the FATCA item on the agenda of the next plenary meeting of the European Data Protection Board (EDPB) and asks why the EDPB refuses to engage with data protection campaigners.

Click here to view this letter.

 

June 2021
23 June 2021 to EU re German MPs Motion 19/29264 on the CRS

This letter discusses the direct link between FATCA and the CRS through a motion tabled by 47 German MPs.

The letter calls on the EU and national data protection authorities to step into the debate on the compatibility of systems of automatic exchange of information (AEOI) in general with individuals' fundamental rights.

Click here to view this letter.

22 June 2021 to Chair of German BfDI

This letter to the Chair of the German data protection regulator (BfDI) is in response to a letter written by the BfDI to a German MP who had asked the BfDI to intervene on the FATCA debate following the EDPB's Statement 4/2021 on international transfers of data.

The letter criticises the Chair of the BfDI for ignoring recent case law from the CJEU, hinting to a political unwillingness to take active part in the FATCA debate.  The letter argues that this is contrary to the BfDI's duties under the GDPR.

This letter should be read in conjunction with our riposte letters to the Chair of the French data protection authority (CNIL) and the Dutch Ministry of Finance (19 and 21 June 2021 respectively).

Click here to view the letter to the Chair of the BfDI (German version)

Click here to view the letter to the Chair of the BfDI (English version)

Click here to view the letter to the EDPB

21 June 2021 to the Council of Europe (State of Play)

This letter provides the Council of Europe's consultative committee for the data protection convention n. 108 with an update of recent developments in the campaign to raise awareness on the data protection implications of FATCA and other systems of automatic exchange of information.

In its previous work, the Council of Europe raised concerns about the compatibility of automatic exchange of information with data protection rights.

Click here to view the letter

21 June 2021 to the EU – Dutch Finance Ministry

This letter discusses a recent response from the Dutch Finance Ministry in relation to the EDPB's invitation to review the compatibility of international data transfers agreements with individuals' fundamental rights.

The Dutch government considers the current system to be 'compliant with the GDPR' even before a review is carried out, suggesting the persistence of an institutional refusal to tackle the criticism levelled by the European Parliament against the European Commission and national data protection authorities.

The response from the Dutch government follows hot on the heels of a reply from the Chair of the French data protection authority (CNIL) to a French senator which conveniently forgot to mention recent legal developments.

Click here to view the letter.

19 June 2021 to Chair of French CNIL  

This letter to the Chair of the French data protection regulator (CNIL) is in response to a letter written by the CNIL to a French senator who had asked the CNIL to intervene on the FATCA debate following the EDPB's Statement 4/2021 on international transfers of data.

The letter criticises the Chair of the CNIL for omitting relevant information from her response, hinting to a political unwillingness to take active part in the FATCA debate.  The letter argues that this is contrary to the EDPB's duties under the GDPR.

Click here to view the letter to the Chair of the CNIL (French version)

Click here to view the letter to the Chair of the CNIL (English version)

Click here to view the letter to the EDPB

16 June 2021 Complaint to the EU Ombudsmam

The attached letter is a complaint against the European Commission for failure to engage with us in relation to our 3 April 2020 request: that infringement proceedings against EU Member States for signing FATCA IGAs are against the Commission's 'worrying' concerns about the data protection implications of FATCA

Click here to view the letter.

16 June 2021 to EU re Facebook judgment (C-645/19)

This letter discusses the implications of the latest data protection judgment from the Court of Justice of the European Union (CJEU) for FATCA, as well as the CRS.

The CJEU held in the Facebook judgment that the GDPR provides a direct legal basis for national data authority to bring legal proceedings for data protection violations.  This is in clear contrast with the stated position of the Austrian data protection authority led by the Chair of the European Data Protection Board in a case concerning the Common Reporting Standard and confirms the European Parliament's concerns about the 'insufficient level of enforcement of the GDPR' in relation to FATCA, 'despite the significant CJEU case law developments over the past five years'.

Click here to view the letter.

7 June 2021 letter to EU re 2012 letter from WP29 on 'highest level of protection'

This letter discusses the implications of a letter written by the EU's working party on data protection in 2012 for a recent statement issued by the European Data Protection Board on 'international transfers of data'.

The letter shows that the EDPB's predecessor was ahead of its time when it warned on the need to ensure the 'highest level of protection' for data leaving the EU (which is the core finding in the European Court of Justice judgment in the Schrems 2 case) and calls on the EU to take action now.

Click here to view the letter to the EDPB.

Click here to view the letter to the Commission.

4 June 2021 letter to European Commission re Politico interview

This letter discusses the implications of a recent interview given by Commissioner Věra Jourová to the political magazine Politico for Jenny's complaint about the excessive nature of FATCA, which has been on the Commission's desk since 7 April 2020.

Click here to view the letter.

 

May 2021
26 May 2021 to ICO re lack of inactivity (10 months)

This letter discusses recent events at international level and calls on the ICO to stop avoiding the issues raised in Jenny's complaint dated 11 November 2019.

Click here to view the letter.

20 May 2020 to EU following Parliament Resolution criticising Commission and EDPB

This letter discusses the repercussions of the latest resolution from the European Parliament which openly criticises the European Commission and the EU data protection authorities for failing to take decisive action against the excessive nature of FATCA.

Click here to view the letter to the Commission

Click here to view the letter to the EDPB

15 May 2021 letter to EU re article in 'Politico' confirming political interference

This letter discusses an article published in EU political magazine 'Politico' citing sources from EU officials who confirmed that the EDPB was forced to water down the language of its recent Statement 4/2021 on the compatibility of international agreements with data protection rights.

Click here to view this letter.

11 May  2021 letter to EDPB re State of Play, Politics and the missing WP29 letter

This letter discusses the latest development since the publication, by the European Data Protection Board, of its Statement 4/2021 by which the EDPB urged EU Member States to review the compatibility of FATCA with EU fundamental rights.

The letter also considers the curious story of a key piece of evidence that was removed from the European Commission's website.

Click here to view the letter.

7 May 2021 letter to the EDPB re national Data Protection Authorities       

This letter discusses various developments at national level following the publication of a statement by the European Data Protection Board in which the EDPB urged EU Member State to review automatic information exchange agreements with non-EU countries.

The letter calls on the EDPB to lean on national Data Protection Authorities to take decisive action.

Click here to view this letter.

 

April 2021
26 April 2020 letter to EU on forthcoming Commission statement on EDPB 4/2021

This letter discusses the ramifications of the recent statement issued by the European Data Protection Board (EDPB) on the need to review and renegotiate international data transfer agreements following a series of seminal judgments by the Court of Justice of the European Union (CJEU).

The letter urges the Commission to address the data protection issues connected with FATCA and the Common Reporting Standard.

Click here to view the letter.

14 April 2021 letter to EU on the EDPB Statement on international agreements

This letter discusses the EDPB's recent invitation to EU Member States to review international agreements involving data transfers and urges the EDPB to apply its principle to FATCA IGAs to reflect previous statements by the EU data protection body.

Click here to view the letter.

12 April 2021 letter to the EU regarding EDPS Necessity Checklist

This letter follows a long list of correspondence in which we raised the disproportionate nature of automatic exchange of information. Now, the European Data Protection Supervisor (EDPS) published a checklist on necessity and proportionality of data protection measures which applies neatly to FATCA, as well as the CRS.

Click here to view the letter.

11 April 2021 letter to EU on the Mishcon de Reya Hacking List's milestone

This letter discusses the growth of the Mishcon de Reya Hacking and Data Breaches List from 14 pages when it was first attached to our 16 November 2019 letter to the EU to over 70 pages currently. 

The amount of hacking incidents confirms that FATCA (as well as the CRS) expose millions of compliant citizens to disproportionate and unnecessary risks to their data protection and data security.

Click here to view the letter.

7 April 2020 letter to EU on the hack of European Commission

This letter discusses the coincidence of the European Commission's hack and its reply on the Solarwind hack. The letter confirms the point made in our Hacking List, that a hacking of FATCA and CRS data is a question of when, not if.

Click here to view the letter.

 

March 2021
10 March 2020 letter to the EU regarding the EDPB Statement 03/2021

This letter discusses the implications, for FATCA and the CRS, of the latest pronouncement from the European Data Protection Board on the importance of complying with the principles of proportionality and necessity when processing data.

Click here to view the letter.

9 March 2021 Letter to the EU on the EDPS Opinion 4/2021

This letter discusses the need for a fair and objective debate about the data protection implications of FATCA and the CRS, taking inspiration from an opinion issued by the European Data Protection Supervisor (EDPS) on 8 March 2021.

Click here to view the letter

3 March 2021 letter to EU regarding the Estonian case (C-746/18)

This letter discusses the latest case from the European Court of Justice confirming the illegality of generalised processing of data without judicial/independent oversight.

Click here to view the letter

 

February 2021
24 February 2021 to the EU Council's High Level Working Party on Taxation

This letter is addressed to the Council of the EU's working party on taxation ahead of its next meeting following the recent admission from the European Commission of the long-standing nature of FATCA's data protection issues.

Click here to view the letter.

19 February 2021 to the EU Commission regarding Infringement Proceedings

Three days after the Commission was forced to admit the long-standing nature of the data protection issues raised by FATCA, this letter asks the Commission to deal with our year old request that infringement proceedings be launched against EU Member States in circumstances where bilateral FATCA agreements breach the GDPR.

Click here to view this letter

18 February 2021 letter to the EU regarding EU's Human Rights' Action Plan

This letter discusses a plan published by the EU on 18 November 2020 which sets out the EU's priorities for human rights for 2020-2024, including mentioning data protection and privacy.

Click here to view the letter.

17 February 2021 letter to the EU on the Commission's acknowledgment of 'long standing' issue

This letter discusses the Commission's acknowledgment of the 'long-standing' nature of FATCA's data protection issues. This marks an important change of policy, as the Commission had previously refused to acknowledge the problem and represents a victory for data protection campaigners who have been trying to highlight inconsistencies in the European Commission's approach to FATCA.

Click here to view the letter.

16 February 2021 to the EU on the latest MEPs admonishment to the Commission

This letter discusses the latest call from Members of the European Parliament on the European Commission to 'stop turning a blind eye to the GDPR violations' under FATCA.

Click here to view this letter.

7 February: letter to the EU regarding the European Parliament Evaluation Report (PE662.603)

This letter discusses the latest official report on the effectiveness of automatic exchange of information within the EU.

A report issued by the European Parliament on 4 February 2021 confirms the concerns about the proportionality of automatic systems of information exchange, as well as the lack of evidence that they raise additional revenues, thus questioning the necessity of the measures.

Click here to view this letter.

3 February 2021 to the EU regarding concerns about data implications from 2013

This letter shows how the European Parliament was already aware of concerns about the data implications of FATCA in 2013. Five years later, the European Parliament adopted a resolution asking the European Commission to address these issues.

Click here to view this letter.

 

January 2021
29 January 2021 to the EU regarding concerns from the European Banking Federation

This letter discusses further evidence of the disproportionate nature of FATCA and other systems of automatic exchange of information, which require financial institutions and tax authorities to exchange information independently of the existence of any indicia of tax evasion.

This is in addition to the internal documents from the European Commission and the adverse expert opinions discussed in our previous correspondence.

Click here to view the letter.

22 January 2021 to the EU regarding Commission reply to E-005165/2020

This letter discusses the response from the European Commission regarding a parliamentary question on the data protection implications of FATCA against the backdrop of internal EU documents, confirming the existence of worrying data protection concerns that go as far back as 2010.

Click here to view the letter.

7 January 2020 to EU and ICO re upholding basic rights

These letters were written to remind the EU and the ICO of their individual responsibilities for upholding basic human rights in an age of political turmoil.

Click here to view the letter to the EDPB

Click here to view the letter to the European Parliament

Click here to view the letter to the European Commission

Click here to view the letter to the ICO

6 January 2021 letter to ICO and EU – Implications of end of Brexit Transition Period ('Adequacy')

This letter discusses the implications of the end of the Brexit Transition Period (31 December 2020) for UK FATCA.

Citing political developments over the past 10 years, the letter argues that the UK legal system might provide insufficient protection for data protection and human rights. In turn, this might have disastrous consequences for the UK digital economy, as the UK will need to show that its rule are 'effectively equivalent' to those in force in the EU in order to trade with the EU-bloc.

Click here to view the letter.

 

 

2020
December 2020
31 December 2020 letters to the EU and the ICO re additional GDPR opinion (Belgium)

These letters discuss a recent opinion issued by the Belgian National Data Protection Authority which criticises the proposed introduction of a domestic register of bank accounts. This register is the domestic equivalent of FATCA and the CRS, which require the periodic transfer of bank data between two tax authorities (to reflect the foreign residence of account holders).

Click here to view the letter to the EDPB.

Click here to view the letter to the European Commission.

Click here to view the letter to the ICO.

22 Dec 2020 letter to EDPB re. OECD's statement about 'disproportionate data access'

This letter considers the implications, for FATCA as well as the CRS, of concerns raised by the OECD about 'unconstrained, unreasonable and disproportionate requirements by governments that compel access to personal data held by the private sector'.

The letter also refers to an article on FATCA that appeared in TIME Magazine on 22 December 2020.

Click here to view the letter.

21 Dec 2020 Letter to EU Commission re infringement proceedings

This letter follows on from our formal request to the European Commission to initiate infringement proceedings against EU Member States.

The original request was made on behalf of Jenny and is now been co-signed by J.R., the petitioner whose petition led to a European Parliament resolution calling on the Commission to enforce individuals' fundamental rights and take infringement proceedings in the context of FATCA.

Click here to view the letter.

19 Dec 2020 to EDBP re its 'Strategy 2021-2023'

This letter discusses the European Data Protection Board (EDPB)'s strategy paper for 2021-2023 insofar as it applies to FATCA as well as the Common Reporting Standard (CRS).

Click here to view the letter

18 Dec 2020 letter to EDPB and ICO re US Senate letter to the IRS following cyber-attack

The attached letters bring to the attention of the European Data Protection Board (EDPB) and the UK's Information Commissioner a letter that the US Senate sent to the IRS following the 'SolarWinds' attack against several US agencies, including the US Treasury.

Click here to view the letter to the EDPB

Click here to view the letter to the ICO

17 December 2020 to Chair of EDPB re dereliction of duty

This letter discusses the approach of the EDPB of non-intervention in relation to FATCA. The letter suggests that the EDPB is using the pretext 'we cannot comment on individual cases' to avoid the main issue. However, the ongoing campaign transcends Jenny's case, as it raises important data protection issues that affects millions of compliant individuals.

Click here to view the letter.

17 December 2020 letter to the European Parliament following EU letter to US

This letter takes issue with a recent letter sent by the European Council (which represents EU Member States' national governments) to the US Treasury asking to take action on the closure of bank accounts owned by a small number of 'Accidental Americans'.

The letter suggests that the EU is avoiding the main issue, which is the compatibility of FATCA as a whole with individuals' fundamental rights and calls on the European Parliament to bring the European Commission to account.

Click here to view the letter.

14 December letter to the EDPB regarding a huge cyber-attack against US Treasury

This letter discusses the latest revelations of a huge cyber-attack against the US Treasury and other US agency. It examines the implications that an increased risk of a hacking involving FATCA (as well as CRS) data have on the inactivity of the EU data protection authorities.

Click here to view the letter.

6 December 2020 letter to EDPB Chair following publication of EDPS report

This letter discusses the recent publication of a report by the European Data Protection Supervisor (EDPS) following the recent CJEU decision in the 'Schrems II' judgment (discussed in our separate letter dated 16 July 2020), and calls on the Chair of the European Data Protection Board (EDBP) to finally deal with our requests first raised in the letter dated 16 November 2019.

Click here to view the letter.

4 December 2020 letter to European Commission following condemnation by European Parliament

This letter urges the Commission to deal with Jenny's request to launch infringement proceedings against EU Member States following renewed criticism from the European Parliament against the Commission's passive approach to the US.

Click here to view the letter.

4 December 2020 letter to EDPB Chair following publication of critical report by European Parliament

This letter urges the Chair of the European Data Protection Board (EDPB) to reject political pressure from the European Commission following the publication of a damning report by the European Parliament criticising the European Commission.

Click here to view the letter.

2 December 2020 - Letter to the EDPB's Chair

This letter discusses data protection concerns contained in the recent report on information exchange published by the International Fiscal Association.

These concerns are in addition to the existing concerns discussed in our previous correspondence. 

They also amplify the concerns surrounding the EDPB Chair's role as head of the Austrian data protection authorities in relation to the CRS claim which is currently before the Austrian courts (discussed here).

Click here to view the letter.

 

November 2020
Letter dated 30 November to EDPB Chair regarding media scrutiny

This letter considers the growing media scrutiny over the European Data Protection Board's (EDPB) lack of action over the worrying data protection concerns raised in our correspondence with the EDPB.

This letter follows the publication of a leading article in Tax Notes International, a copy of which can be found at the end of the letter.

Click here to view the letter.

28 Nov 2020 letter to EDPB Chair

This letter, which was sent a day after filing a court claim in Germany in relation to the CRS, highlights the failings of the Chair of the European Data Protection Board (EDPB) in following up on concerns about the implications of the CRS, as well as FATCA, on individuals' fundamental rights.

Click here to view the letter.

27 Nov 2020 letter to the European Commission

This letter, which is part of an individual complaint made to the European Commission for breaches of EU Law by Member States in connection with FATCA, discusses recent attempts by the European Commission to influence the European data protection authorities and push FATCA and the CRS on its political agenda in spite of its own concerns about the impact of FATCA on individuals' fundamental rights.

Click here to view the letter.

14 November 2020 letter to the Chair of the EDPB following publications of EDPB Recommendations 1/2020 and 2/2020

This letter discusses the recent publication of recommendations by the European Data Protection Board following the seminal CJEU judgment in the Schrems II case, which declared the transatlantic framework for data transfer invalid.

The letter raises grave concerns in the light of the EDPB's consistent refusal to extend its analysis to systems of automatic exchange of information, such as FATCA, but also the Common Reporting Standard.

Click here to view the letter.

14 November 2020 letter to Elizabeth Denham (Information Commissioner) re EDPB Recommendations

This letter shows how the UK Information Commissioner's Office's decision dated 29 May 2020 was fundamentally flawed, as the ICO refused to consider the compatibility of UK FATCA with Jenny's fundamental rights, as required by the case law from the Court of Justice of the European Union and the Recommendations published by the European Data Protection Board.

Click here to view the letter.

10 November 2020 letter to the Chair of the European Parliament's PETI

This letter summarises some of the issues that were addressed during the public hearing before the European Parliament's Petition Committee (PETI) which has been conducting an investigation into the data protection implications of FATCA.

Click here to view the letter.

3 November 2020 letter to the EU re political interference

This letter discusses the implications of a working document issued by the European Council four days before the European Data Protection Board (EDPB) was due to meet to discuss exchange of information to non-EU countries.

The European Council represents national Governments and is therefore a political body. The intervention of politicians in the debate surrounding the legality and proportionality of FATCA represents an interesting development in what is essentially a legal battle.

Click here to view the letter.

 

October 2020
22 October 2020 to PETI re holding the Commission to account

This letters brings together the evidence showing how the European Commission might have misled the European Parliament in relation to the Commission's involvement with FATCA and its own 'worrying' concerns about the data protection implications of FATCA. Accordingly, this letter calls on the European Parliament to hold the Commission to account.

Click here to view the letter

22 October 2020 to the Information Commissioner about farcical delays

This letter considers two recent notices which the Information Commissioner's Office issued against itself for failing to respect deadlines.

This poor state of affairs is indicative of the difficulties encountered by citizens seeking to defend their fundamental right to data protection. At the time of writing this letter, almost a year elapsed since the original complaint was filed on 11 November 2019.

Click here to view the letter

10 October 2020 letter to EU & ICO re Tax Information Exchange judgment (C-245/19)

This letter discusses the implications of a judgment issued on 6 October 2020 by the Court of Justice of the European Union (CJEU) in relation to the compatibility of tax information exchange on request with the EU Charter of Fundamental rights. This judgment was issued on the same day of the Privacy International judgment which is discussed in our letter dated 6 October 2020.

Both judgments have wide-ranging repercussions for FATCA as well as the Common Reporting Standard (CRS).

Click here to view the letter.

6 Oct 2020 to EU & ICO re Privacy International (C-623/17)

This letter discusses the implications of the judgment from the Court of Justice of the European Union (CJEU) in a case brought by Privacy International against the UK for Jenny's legal challenge.

This is the latest of a string of judgments from the CJEU confirming the fundamental nature of the right to data protection and privacy.

Click here to view the letter.

 

September 2020
28 Sept 2020 letter to the EDPB re 'groundless claim'

This letter discusses the recent response from the UK tax authorities ('HMRC') in Jenny's crowdfunded case. According to HMRC, a legal challenge against the excesses of FATCA based on the fundamental rights enshrined in the EU Charter of Fundamental Rights and the European Convention on Human Rights (ECHR) is 'groundless and in large part comprise an abuse of process'. HMRC also considers that 'no court would make an order which would require HMRC to act unlawfully'.

The letter calls on the European data protection authorities to finally take position in the Kafkaesque debate on the data protection implications of FATCA and other systems of automatic exchange of information.

Click here to view the letter.

17 Sept 2020 to HMRC re Council of Europe's Support

This letter discusses a message of support received by Jenny's legal team praising it for its 'relentless defence of the right to data protection' and asks HMRC to drop its hostile and obstructionist approach in a case of significant public interest.

Click here to view the letter.

10 Sept 2020 to Elizabeth Denham re Preliminary Suspension Order in 'Schrems II' case

This letter discusses the gulf that exists between the UK Information Commissioner's Office and other major national data protection authorities in enforcing fundamental data protection rights, at least in the area of FATCA.

Click here to access the letter.

10 Sept 2020 letter to Andrea Jelinek (EDPB Chair) re IRS data breach affecting Austrians

This letter discusses the latest IRS data breach affecting EU citizens and criticises the lack of action by the European Data Protection Board (EDPB). 

Click here to view the letter.

9 Sept 2020 to the EU re UK government's breach of international law

This letter discusses the UK government's recent announcement that it will introduce legislation to partially override the Brexit agreement 'in violation of international law'. The letter also shows how the UK Government brushed aside concerns raised by the EU data protection authorities to sign the first ever FATCA agreement with the US, just two months after the EU data protection authorities had raised 'worrying' concerns.

Click here to view the letter.

7 September 2020 letter to the Council of Europe re their Schrems II statement

This letter discusses today's Joint Statement by the Chair of the Council of Europe data protection committee and its Data Protection Commissioner discussing the implications of the recent European judgment in the Schrems II case for data protection.

The Council of Europe was one of the first bodies to raise data protection concerns in relation to systems of automatic exchange of information and this letter invites the Council of Europe to reiterate its existing concerns in the light of the recent Schrems II judgment.

Click here to access the letter.

4 September 2020 to EDPB following Chair's appearance before European Parliament

This letter discusses the existence of two weights and two measures. The Chair of the European Data Protection Board's words before the European Parliament in defence of data protection following the recent Schrems II judgment sound very hollow when it comes to enforcing the same rights in the context of FATCA.

Click here to access the letter.

 

August 2020
25 August 2020 letter to the EU & the ICO re MPs criticism of the ICO

This letter discusses a recent appeal from 20 MPs to the UK's Information Commissioner criticising her office for failing to enforce people's rights and holing the Government to account 'in the current COVID-19 pandemic and beyond'.

Click here to view the letter.

14 Aug 2020 letters to the EU, the ICO and the OECD re Economist and Country-by-Country List

These letters discuss a recent article that appeared in The Economist about Jenny's crowdfunded case. It also discusses a list published by the Australian Tax Authorities showing aggregate information sent to approx. 100 jurisdictions, including many countries with a poor human rights record.

Click here to view the letter to the EU and the ICO

Click here to view the letter to the OECD

7 Aug 2020 to EU and ICO re public IRS 'Name & Shame' Lists

This letter considers the European Commission's invitation to US citizens who do not wish to be subject to FATCA to expatriate.

This letter shows that the IRS issues public 'Name & Shame' list of expatriating individuals, which violates most basic data protection principles under the GDPR and the EU Charter of Fundamental Rights and exposes the European Commission's disingenuous approach to FATCA.

Click here to view the letter.

 

July 2020
31 July 2020 to the EDBP Chair

This letter discusses the ICO's continued refusal to consider the implications of the recent judgment from the Court of Justice of the European Union which declared the existing EU-US legal framework for the transfer of data collected in the EU to the US to be illegal.

Click here to view the letter.

28 July letter to CNIL re GDPR Complaint against OECD

This letter considers the implications of the recent judgment of the Court of Justice of the European Union (CJEU) in the 'Schrems II' case on our GDPR complaint against the OECD.

The CJEU decided in 'Schrems II' that transfers of personal data to non-EEA Member States without 'adequate safeguards' are illegal.

In a letter to our Firm, the OECD's Secretary-General claims that this judgment does not apply to the OECD, confirming the view that the Common Transmission System operated by the OECD represents a huge data protection black hole at the heart of the EU.

Click here to view this letter.

28 July 2020 letter to Elizabeth Denhman re UK Government's statement on Schrems 2

This letter deals with the implications of Brexit on data protection. The UK Government confirmed in a written statement to Parliament that the recent CJEU decision in the Schrems II case is binding for the UK during the Brexit transitional period.

This has direct implications for Jenny's complaint.

Click here to view the letter.

26 July 2020 letter to the EDPB and the ICO re Schrems interview

This letter to the EDPB and the UK information Commissioner discusses a recent interview in which Maximiliam Schrems described the handling of GDPR complaints by national data protection authorities as 'kafkaesque'. It is noteworthy that the same term was used by a British MEP during the hearing on FATCA that took place before the European Parliament on 12 November 2019. (link to previous correspondence)

Click here to view the letter.

25 July 2020 Letter to Elizabeth Denham re Schrems FAQs

This letter considers the implications of the recent 'Frequently Asked Questions' (FAQs) published by the EDPB following the EU Judgment in the Schrems II case for Jenny's case.

The letter also refers to a data breach affecting the Florida Tax Office, which underpins the data security concerns of FATCA.

Click here to view the letter

25 July letter from Claimant to the EDPB (Austrian CRS Challenge)

Most of the correspondence in this section relates to FATCA and Jenny's legal challenge in the UK. However, the same issues arise in relation to the Common Reporting Standard (CRS), which is subject to a legal challenge in Austria. Following the publication of the EU judgment in the Schrems II case, the Claimant in that case sent a letter to the EU raising the similarities between his challenge and Jenny's case.

Click here to view the letter

23 July 2020 to ICO General Counsel re ICO's independence

Following the intervention of the ICO's General Counsel in Jenny's case (nearly eight months after the date of the original complaint), this letter is a reminder of the concerns that exist in relation to the handling of this case, in particular with reference to the ICO's independence.

Click here to view the letter

21 July to the Elizabeth Denham, Andrea Jelinek, Bruno Gencarelli, Dolors Montserrat

This letter contains a direct appeal to the UK Information Commissioner and its EU counterparts to intervene in the FATCA debate following the recent EU Judgment in the Schrems II case, which held that the existing legal framework for the transfer of data to the US is illegal.

Click here to view the letter

20 July 2020 letter to Ms Elizabeth Denham re Data Protection Impact Assessment (DPIA)

Following revelations in the press that the UK Government failed to adhere to the principles of the GDPR in relation to the Covid-19 track-and-trace programme, this letter asks the UK Information Commissioner to clarify its statements about the existence of an adequate 'Data Protection Impact Assessment' (DPIA) in relation to UK FATCA.

Click here to view the letter

20 July 2020 letter to Bruno Gencarelli, (Head of Unit – International Data Flows and Protection)

This letter to the Head of the European Commission's Unit on International Data Flows and Protection, which was written shortly after the Court of Justice of the European Union declared the framework for data flows between the EU and the US ('Privacy Shield') to be illegal, asks the Commission to take immediate action and consider the individual complaint that was filed on 8 April 2020.

In the complaint, Mishcon asked the European Commission to commence infringement proceedings against EU Member States in relation to the conclusion of FATCA agreements.

Click here to view the letter.

18 July 2020 Letter to the Chairs of the EDPB and the PETI

This letter is a riposte to the statement issued by the Chair of the EDPB following the recent CJEU judgment in the Schrems 2 case.

The statement claims that the EDPB has been raising concerns over the data protection implications of the transatlantic transfer of data.

However, the EDPB's alleged commitment in this area does not extend to FATCA, which is a type of system of EU-US data transfer.

Click here to view the letter.

17 July 2020 letters to the EU & the ICO following Luxembourg FATCA judgment

These letters discuss a recent judgment by which the Luxembourg Court of Appeal prohibited a bank from exchanging of FATCA information with the US.

This judgment was brought to the attention of the EU and the ICO one day after the Court of Justice of the European Union issued its seminal judgment in the 'Schrems II' case.

Click here and here to view the letters.

16 July 2020 letters to ICO, EU and OECD following Schrems 2 Judgment

The attached letters discuss the implications of the EU judgment in the Schrems 2 case (C-311/18) for the various claims.

The judgment held that the existing EU-US framework for the transfer of data (known as 'Privacy Shield') is invalid.  This has direct implications for FATCA as well as CRS transfers to non-EU Member States

Click here to view the letter to the ICO

Click here to view the letter to the EU

Click here to view the letter to the OECD

15 July 2020 to EDPB and the CNIL

This letter discusses the recent decision from the OECD's Secretary-General in response to our data protection complaint under the OECD rules.

In its decision, which is the first of this kind since the introduction of the CRS, the OECD refused to assume any responsibility in relation to the data of individual bank account holders.

Given the huge numbers and risks at stake, the letter calls on the European Data Protection Board and the French Data Protection Commissioner to intervene.

Click here to view the letter.

 

June 2020
30 June 2020 to EDPB

This letter discusses the data protection implications of the statistics released on 30 June 2020 by the OECD which confirm that last year 84 million accounts were subject to automatic information exchange under the CRS, for an aggregate value of €10 trillion.

Click here to view the letter.

25 June 2020 to EDPB

This letter discusses the GDPR report published by the European Commission entitled 'Data protection as a pillar of citizens’ empowerment' and its repercussions for the ongoing legal challenges against the excessive nature of FATCA and the CRS.

Click here to view the letter.

19 June 2020 letter to EDPB

This letter discusses the recent decision from the UK Information Commissioner's Office in Jenny's case and its implications for the European Data Protection Board.

Click here to view the letter.

16 June 2020 letter to the EDPB

This letter considers the position of the European Data Protection Board (EDPB) following yesterday's judicial appeal against a decision from the Austrian Data Protection Authority, which was led by the Chair of the EDPB.

Click here to view the letter.

3 June 2020 letter to EDPB

This letter criticises the European Data Protection Board's refusal to intervene to enforce data protection in the context of FATCA and the CRS.

The letter is in response to an email from the EDPB, which you will find on page 2 of our letter.

Click here to view the letter.

 

May 2020
28 May 2020 letter to the OECD re lack of response/accountability

The attached letter to the OECD's Pascal Saint-Amans addresses the lack of response to our previous correspondence and the OECD's lack of accountability.

Click here to view the letter.

27 May 2020 letter to Elizabeth Denham CBE (UK Information Commissioner)

This letter asks for a direct intervention by the UK Information Commissioner into Jenny's data protection complaint following concerns about the policy driven decision-making of her staff. 

Click here to view this letter.

26 May 2020 letter to the OECD

This letter considers the OECD's recent move of hiring one technician to assist reporting jurisdictions with the data security implications of sending sensitive personal and financial data across borders.

The letter shows the inadequacy of the measures, which appear as a response to our investigation into the data protection risks of the Common Transmission System (CTS), which is the system used by 101 jurisdiction to exchange CRS data.

Click here to view the letter.

26 May 2020 letter to the ICO

This letter considers the numbers of accounts subject to FATCA and makes some comparisons with the size of the US Covid-19 stimulus package, the EU budget and the world's biggest sovereign funds. 

Click here to access the letter.

25 May 2020 letter to the ICO

On the second anniversary of the introduction of GDPR, this letter demands action in a file that has been  on the desk of the UK Information Commissioner's Office (ICO) for over six months.  In its previous correspondence, the ICO said that they were seeking a 'policy view' on the Complaint. As the UK's independent data protection authority, the ICO should not get itself involved with policy, nor the politics of FATCA. Similar letters have been sent to the European Commission and the European Parliament.

Click here to access the letter

21 May 2020 letter to the ICO

This letter considers the ICO's approach in the last stages of Jenny's data protection complaint.

In particular, it queries the ICO's intention to obtain 'a policy view' before issuing a decision.

Click here to access the letter.

19 May 2020 letter to the OECD

This letter considers the implications OECD's argument that the OECD does not have any knowledge in relation to the data that goes through the 'Common Reporting System' (CTS), a system developed and administered by the OECD used by tax authorities all over the world use to transmit CRS-data to each other.

The letter also consider the OECD's statement that the CTS is 'secure' in the light of recent hacking incidents against EasyJet, several European Supercomputers and even the European Parliament.

Click here to access the letter. 

14 May 2020 to EDPB PETI TAXUD

This letter discusses additional evidence from the European Commission showing that the European Commission was actively involved in a dialogue with the US on FATCA as far back as 2011.

The new evidence calls into question recent statements made by European Commissioners before the European Parliament, which deny the existence of any such dialogue and (indirectly) the existence of data protection concerns. This is contradicted by the evidence discussed in our earlier letters, notably the letters dated 3, 7, 9, 11 and 13 April 2020.

Separately, the letter raises fresh concerns in relation to the security of data exchanged under FATCA, following the hacking of the UK National Supercomputer on 12 May 2020.

Click here to access the letter.

8 May 2020 to EDPB PETI TAXUD

This letters brings together various instances in which the European Commission appears to have misled the European Parliament in relation to its own involvement in the negotiation of bilateral FATCA agreements between EU Member States and the US, known as 'Intra-governmental Agreements' (IGAs) – see also our letter dated 14 May 2020 for additional evidence.

This letter raises the question of the Commission's accountability to the European Parliament, which is enshrined in the EU Treaty.

Click here to access the letter.

5 May 2020 letter to the UK data protection authorities (ICO): Implications of ICO's COVID-19 statement for FATCA

This letter considers a statement made by the UK's Information Commissioner (Elizabeth Denham) before the Joint Human Rights Committee of the UK Parliament in relation to the data protection implications of COVID-19 tracing apps.

The letter claims that the same data protection principles (transparency, necessity, data security) apply to FATCA and asks the ICO to bring its investigation against the UK tax authorities to a conclusion.

Click here to access the letter.

1 May 2020 letter to the OECD

This letter, which was filed following our data protection complaint against the OECD in relation to the Common Transmission System (CTS), brings together the existing data protection concerns raised by multiple European data protection authorities, as well as the relevant case law.

Click here to access the letter.

 

April 2020
29 April 2020 correspondence with the OECD

This letter discusses the interaction between the GDPR and the OECD's own data protection rules in relation to the 'Common Transmission System' (CTS) which was developed and is managed by the OECD to enable governments to transfer CRS data to each other. 

The letter contains separate requests to the French data protection regulator, which is dealing with a GDPR Complaint against the OECD.

Click here to access the letter

26 April letter to the OECD

This letter addresses raising data security concerns following an investigation into the IT systems designed by the IRS and the OECD to enable tax authorities to transfer FATCA and CRS data to each other.

The investigation shows that the US 'International Data ExchangeSystem' (IDES) was designed by a company with close links to the US intelligence community.

The letter requests the OECD to provide evidence of an independent vetting of the system before it was deployed, as well as written reassurances from governments that they have not built a 'back-door' into the CTS and will not seek to access it for intelligence purposes.

Click here to access the letter.

22 April 2020 – Letter to the OECD

This letter discusses the data security risks posed by the 'Common Transmission System' (CTS) designed and operated by the OECD.  The CTS is the platform which tax authorities use to actually exchange information.  By creating a single-entry point for thousands of exchanges (4,500 bilateral exchanges concerning 47 million accounts worth €4.9tn in 2018), the OECD appears like the architect of a data protection disaster waiting to happen.

This letter ends with a GDPR Complaint before the French data protection authorities.

Click here to view.

19 April 2020 – Letter to EDPB PETI TAXUD

The attached letter discusses the latest of a long series of cyber-attacks against tax authorities, government agencies and financial institutions.

These incidents demonstrate that FATCA exposes compliant taxpayers to unnecessary and disproportionate risks for their data security.  FATCA was designed almost a decade ago.  Since then, there have been countless high-profile incidents brought together in the Mishcon de Reya Hacking and Data Breaches List.

Click here to review.

13 April 2020 - Letter to EDPB PETI TAXUD

This letter discusses additional internal documents from the EU which show how the parties involved in the development of a 'government to government' solution to FATCA were aware of negative advice from the Commission's department of Justice in relation to the lack of adequate data protection safeguards in the US.

Click here to view.

11 April 2020 - Letter to EDPB PETI TAXUD

This letter discusses additional EU documents showing that the European Commission believed that the bilateral FATCA Agreements (known as 'IGAs') were a 'quick' and 'temporary' solution ahead of a bilateral EU-US solution, which would only solve 'some' of the existing data protection concerns.

The documents call into question recent statements from the Commission about its knowledge of data protection concerns back in 2010-12.

Click here to view.

9 April 2020 - Letter to EDPB PETI TAXUD

This letter discusses additional internal documents from the EU which show that the European Commission failed to follow up on its own data protection concerns in its dialogue with the US concerning the adoption of a 'government to government' solution to extend FATCA to all EU Member States.

Whilst the European Commission raised data protection concerns, by the end of 2014 it was led by Pierre Moscovici, who signed the FATCA Agreement on behalf of France, thus making it politically difficult for the European Commission to react to additional concerns raised by data protection authorities between 2012 and 2016.

Click here to view.

7 April 2020 - Letter to EDPB PETI TAXUD

This letter discusses internal documents from the EU which call into question a recent statement from the Commissioner Paolo Gentiloni according to whom 'to date there is no evidence' that the bilateral FATCA Agreements breach EU law.

Click here to view.

3 April 2020 - Letter to EDPB PETI TAXUD

This is the first of a series of letters discussing internal documents from the EU showing the 'worrying concerns' harboured by the European Commission ahead of the adoption of bilateral FATCA Agreements with the US.

Click here to view.

 

March 2020
6 March 2020 - Letter re EDPB Guidelines

This letter, originally sent to the UK's data protection authority and later circulated to the European Parliament and data protection authorities, discusses the absence of any data protection safeguards in the bilateral FATCA Agreement signed by the UK and the US in the light of EU guidelines published in January 2020 for the transfer of data outside the EEA.

Click here to view.

 

 

2019
16 Nov 2019 - Letter to PETI  EDPB following Public Hearing on FATCA

This letter expands on the presentation made by Filippo Noseda before the European Parliament during a public hearing organised to discuss the extraterritorial nature and data protection implications of FATCA following a petition by a US-born French citizen known as Jude.

Click here to view.

 

2016 – 2019 correspondence with the OECD

This letter brings together our emails to the OECD that raise concerns in relation to the data protection. Most of them were ignored at the time and are now part of the material submitted to the OECD's Data Protection Commissioner and the French data protection regulator (CNIL) as part our data protection complaint against the OECD.

Click here to view the correspondence.

 

How can we help you?
Help

How can we help you?

Subscribe: I'd like to keep in touch

If your enquiry is urgent please call +44 20 3321 7000

Crisis Hotline

I'm a client

I'm looking for advice

Something else