Do FATCA And The CRS Conflict With Europe’s GDPR Regulation? – A Europe Centric Basis For Attacking The Automatic Information Exchange Mechanisms Of The 21st Century
Legal attacks on the FATCA IGAs have attracted the attention of individuals and law firms in both Canada and the United States. The FATCA Canada lawsuit began in 2014. Jenny’s FATCA UK attack was organized in 2019. Jenny’s UK-based challenge rests largely on the claim that individuals in Europe (courtesy of the GDPR) have rights to their personal information and that automatic information exchange violates those rights. (Europe takes privacy rights more seriously than America. Still, it has been difficult for Jenny to raise money for her lawsuit.) The ADCS FATCA Canada lawsuit is based on different legal principles. Regrettably, Canada does not have a GDPR. As a result, the ADCS plaintiffs must argue that the FATCA IGA violates the general provisions of Canada’s Charter of Rights and Freedoms. On the other hand, the UK does not have a written and entrenched Charter of Rights and Freedoms. Therefore, Jenny’s lawsuit is contemplated to proceed on the basis of a breach of the GDPR. (The GDPR is new legislation and its impact is a live and evolving story.)
Additionally, it’s worth noting that the two lawsuits are based on philosophically different assumptions:
- the FATCA Canada lawsuit seeks to strike down the IGA and enabling provisions of Canada’s Income Tax Act in their entirety; and
- the proposed FATCA UK lawsuit does not assume that automatic bank information sharing provisions are bad per se, but that FATCA and CRS are excessive and go beyond what is necessary (proportionate) to achieve their goals.
This does NOT mean that the Canadian and UK attacks on FATCA are not relevant to each other. For example, a conclusion that the FATCA IGA violates Europe’s GDPR would support an argument that the FATCA IGA violates various provisions of Canada’s Charter of Rights. Similarly, a ruling in Canada that the IGA conflicts with Canada’s Charter of Rights would provide support for the “lack of proportionality” that is required by the GDPR.
Both the Canadian FATCA lawsuit and the UK FATCA lawsuit should be supported by all people (a diminishing number) who believe that individuals should and do have rights. A recent post at Brock described the “Pincer Attack” on Americans abroad, led by Chip Harter on behalf of US Treasury and former Prime Minister Of Italy – Paolo Gentiloni – on behalf of the EU. The “Gentiloni Doctrine” officially introduced the world to the principle that:
1. The United States can claim any European as a US citizen; and
2. Once claimed to be a US citizen, that individual is subject to US worldwide taxation.
The “Gentiloni Doctrine” suggests strong European support for FATCA and the FATCA IGAs.
The purpose of this post is two-fold. First, (A) to discuss the claim that FATCA and the CRS conflict with Europe’s GDPR. Second (B), to consider the extent to which Europe has been complicit in FATCA and for how long.
Part A – FATCA And The CRS Meet Europe’s GDPR
First: – Attacking The CRS: The CRS Takes Effect in May 2018. On August 1, 2018, a UK Law Firm Launched An Attack On The CRS:
In general the argument is that the automatic information exchange provisions of the CRS violate Europe’s GDPR (General Data Protection Regulation). In other words: The GDPR affords individuals rights with respect to their private information. The CRS (and presumably FATCA) violate those rights.
The comments to the Financial Times article are interesting. As usual, they seem to reflect the populist mindset that governments should have an unlimited right of access to information.
According to lawyer Filippo Noseda, a partner at law firm Mishcon de Reya who is acting for the EU national:
‘In a democratic society, the rights to privacy and data protection are an essential safeguard to protect compliant citizens against potential abuses’, says Mishcon de Reya. ‘They must be treated with the appropriate seriousness by the authorities.’
Additional media coverage on the case is here:
Attacking FATCA: 2019 – Jenny’s Similar Attack On FATCA
In 2019, “Jenny”, a UK National with “US taint”, organized (and is continuing to Crowd Fund) a similar case against FATCA. Details on Jenny’s attack on FATCA are here. Jenny authors a blog on the progress of her case. A recent post links to an interview with her lawyer – Filippo Noseda – in which he discusses the reasons why both the CRS and FATCA breach the rights guaranteed to individuals in the GDPR. You will find the interview here and here. The discussion of CRS starts at 14:30 and the segment about my FATCA legal challenge begins at 21:20.
Part B – How Complicit Was The EU In The Creation And Enforcement Of FATCA On European Citizens?
When it comes to #FATCA, the questions are: What did the EU know and when did they know it?
The FATCA/AEOI Papers: Mishcon publishes research trove, unearthed as part of crowd-funded UK #FATCA case being brought by "Jenny" https://t.co/62goELHDIR @CrossBriton @TAPInternation @SophieintVeld @ExpatriationLaw @RepDonBeyer @DemsAbroad @ACAVoice pic.twitter.com/ow2M0yw4Nk
— Helen Burggraf (@helenburggraf) May 7, 2020
Ms. Burggraf’s article – supported by the release of correspondence from Mr. Noseda – suggests that Europe has prioritized its desire to please the United States over the protection of European citizens. For example:
The ‘FATCA/AEOI Papers’
The trove of documents that comprise Mishcon de Reya’s “FATCA/AEOI Papers” is posted online in three parts, and Noseda says the plan is to continue to add to it as additional documents emerge.
The first part is called “Correspondence” and consists of around a dozen mostly letters and sets of correspondence dating back to last November (although linked-to documents go back much further), to and from such EU entities as the European Parliament’s Petitions Committee, European Data Protection Board, European Commission, the UK’s Information Commissioner’s Office and the OECD.
Among the most recent and important of the featured correspondences are a series of letters apparently conveyed via email, last month, between Noseda and OECD Data Protection Commissioner Billy Hawkes, which were copied to various other EU officials.
The Correspondence section ends with a link to a 15-page “Mishcon de Reya Hacking and Data Breaches List” that is explained as having been prepared “to support Jenny’s claim that FATCA unnecessarily exposes sensitive personal and financial data of compliant citizens to the risk of hacking”.
The second part of the Mishcon FATCA/AEOI Papers is a “Background and further information” section that basically spells out the case being brought on Jenny’s behalf by Mishcon de Reya. This is also where Mishcon’s decision to publish its letters to the European Parliament is explained, as having been taken in the wake of a key, two-and-a-half-hour European Parliament hearing last November into the “extra-territorial aspects” of FATCA because they are said to “show that the European Commission had ‘worrying’ concerns about the data protection implications of FATCA”.
The third part of the Mishcon “FATCA/AEOI Papers” references a 91-page-long report by Noseda that addresses the privacy and data protection issues of the Common Reporting Standard, as well as of new beneficial ownership registers in a growing number of countries.
You can read (highly recommended) Helen Burggraf’s complete article here.