In recent years, there have been several high-profile prosecutions for the crime of tax evasion (for example the actor, Wesley Snipes, and the footballer, Lionel Messi). Governments around the world have been making a concerted effort in an attempt to tackle this problem. Their objective is for their respective tax administrations to work together so that taxpayers pay the correct amount of tax in the correct jurisdiction.
Although most people would probably agree that tackling tax evasion and ensuring that we all pay our fair share of tax are admirable goals, the automatic exchange of personal data for tax purposes raises data protection issues.
The Automatic Exchange of Personal Data by Financial Institutions
The bank account information of citizens is now routinely exchanged amongst jurisdictions under a new automatic global information exchange program known as the Common Reporting Standard.
Most countries in the world – with the notable exception of the U.S. – have signed up to it since 2017.
It requires countries to obtain information from their financial institutions and automatically exchange that information with other jurisdictions on an annual basis. It sets out the financial account information to be exchanged, the financial institutions required to report, the different types of accounts and taxpayers covered, as well as common due diligence procedures to be followed by financial institutions.
U.S. Foreign Account Tax Compliance Act 2010
The United States is almost unique in that it taxes individuals on the basis of citizenship rather than their residence. This is unlike nearly every other country in the world - with the possible exception of Eritrea.
In 2010, President Barack Obama signed the Foreign Account Tax Compliance Act into law. The aim is to improve the ability of the U.S. Internal Revenue Service to prevent tax evasion by U.S. citizens who use foreign financial institutions to shield their identities and U.S. tax status from the U.S. government.
Amongst other things, it requires foreign financial institutions, which operate in the U.S, to report information about U.S. taxpayers to the U.S. Internal Revenue Service or face large fines ("non-compliant" banks face a 30% withholding tax on all of their financial flows coming in to them from the U.S.)
It has similar reporting requirements to the Common Reporting Standard.
Legal Challenges to FATCA
Since the Foreign Account Tax Compliance Act was brought into force, cases have been brought in several jurisdictions challenging its provisions. These cases have been brought both by American's living abroad and self-styled 'Accidental Americans' - those born in America but who left as children and often discovered their citizenship by accident.
France's top administrative court recently rejected the argument, that the way the procedure under the Foreign Account Tax Compliance Act is implemented violated the 'Accidental Americans' privacy.
French banks, in particular, are faced with a particularly difficult situation. Failure to comply with the U.S. legislation will leave them subject to fines. The only way to avoid this is to provide the information or to close the accounts. However, under French law, French banks are obliged to provide French citizens with an account (including dual-nationals).
In Canada, a Federal Court recently decided that a challenge to the Foreign Account Tax Compliance Act "failed to establish that the Impugned Provisions violate either section 8 or section 15 of the Canadian Charter of Rights and Freedoms." The case was, therefore, dismissed.
In Israel, a challenge that the legislation implementing the Foreign Account Tax Compliance Act was unconstitutional was also rejected.
Challenging HMRC's use of personal data
In the United Kingdom, an American citizen is crowdfunding to raise funds to bring a case against HMRC challenging the automatic exchange of her personal data with the U.S. Internal Revenue Service. She has been living and working in the U.K. since 2000. Interestingly, even though she says that her earnings are under the threshold to pay tax in the U.S., she still wishes to bring the case on data protection and privacy grounds.
She argues that her bank is breaching U.K. data protection laws and the GDPR by sending her personal data to the U.S. Internal Revenue Service without her permission. Additionally, she also argues that, in her particular case, the sending of the information is disproportionate to the aim of fighting tax evasion (because she says that she is not due to pay any U.S. taxes) and so cannot be justified on that basis.
Although the Foreign Account Tax Compliance Act focuses on U.S. citizens, it imposes obligations upon European Union established financial institutions to collect personal data about U.S. citizens residing in those countries. These European Union established financial institutions are also subject to the GDPR and national legislation implementing it. Therefore, the GDPR is applicable to the processing of the personal data by a controller established in the European Union.
Basis for processing and the lawfulness of the processing
HMRC and other financial institutions based in the UK are obliged to provide the relevant information to the U.S. in terms of an intergovernmental agreement signed by both countries. Therefore, HMRC can rely upon the basis for processing contained in Article 6(1)(c), of the GDPR - "processing is necessary for compliance with a legal obligation to which the controller is subject" - as their lawful basis for processing.
Article 46 of the GDPR makes clear that appropriate safeguards must be put into place when transferring personal data to third countries. (See for example, the judgment in the 'Safe Harbour' case under the predecessor to the GDPR.)
In 2016, the European Union's expert group on data protection ('Article 29 Working Party') provided guidelines for Member States on the criteria to ensure compliance with data protection requirements in the context of the automatic exchange of personal data for tax purposes. These are examples of best practice and effective mechanisms to safeguard the fundamental rights and freedoms of individuals and to provide an adequate level of data protection.
Therefore, unless the individual can show that HMRC are failing to implement these, she is unlikely to show that her data has not been adequately safeguarded.
It is clear that the the processing of the personal data is in pursuit of a legitimate aim - to combat tax avoidance - and that the processing is rationally connected to the legitimate aim.
The question is whether a less intrusive measure could be used without compromising the objective and whether a fair balance has been struck between the individual's rights and the interests of the wider community?
The information which is provided is personal data but it is not all of the individual's financial information. What is provided is clearly specified and is designed to be limited to that which is recognised as truly necessary for the purpose of meeting the requirements and the objectives of the legislation.
It is possible that a court may decide that a less intrusive measure would be a declaration by a third party (i.e. an accountant, solicitor etc.) that the individual does not meet the threshold to pay tax. However, this would rely upon the individuals to provide this declaration (or authorise their accountant, solicitor etc. to do so). The legislation was introduced because this was apparently not happening and so such an approach would seem to compromise the objective of the legislation.
Tax avoidance is not a problem limited to the U.S. There is a clear public interest in tackling tax avoidance and prosecuting financial crime. The international community has taken the view that the sharing of citizens' personal data is necessary to combat this crime and has introduced the Common Reporting Standard to share information automatically. At first glance, the automatic nature of the transfer of the data is one issue that points towards a possible lack of proportionality.
However, this automatic sharing is balanced by the fact that the sharing is subject to detailed guidelines. Moreover, there are numerous other examples of legislation that introduce measures which infringe upon private rights but assist in the detection and prevention of crime (for example, relating to DNA and CCTV evidence).
Although there is a clear public interest in the prevention and detection of crime, all UK financial institutions (including HMRC) must comply with data protection law when complying with their obligations under both the Common Reporting Standard and the legislation that implements the Foreign Account Tax Compliance Act.
The personal data that is shared is limited, is for a specified purpose and there are safeguards in place. Whether the public interest is outweighed by an individual's rights is a difficult question and is ultimately, a decision for the courts. Although challenges to the lawfulness of equivalent legislation has failed in several other jurisdictions, that is only indicative of what the courts in the UK would do, if the case is indeed raised.
However, in the author's opinion, a fair balance has been struck between the public interest and the individual's rights. Therefore, it is unlikely that any action brought against HMRC by the individual concerned will be successful.
For more information about your rights regarding personal data and the consequences of a personal data breach, contact our team.