America’s ongoing assault on firms from China, spurred by worries about its citizens’ personal data being passed to the Chinese government, will have put wry smiles on some faces—not least those of activists who for years have used similar arguments to try to stop their governments passing individuals’ financial data to America and other countries. Their legal challenges against transfers of tax-related data have had little success so far. But a recent ruling by the European Court of Justice (ecj), the eu’s top court, could change that.
War on tax evasion was officially declared in 2010, when America passed the Foreign Account Tax Compliance Act (fatca) in response to scandals involving rich Americans stashing undeclared money offshore. The law requires foreign banks and other financial firms to send data on American account-holders to the Internal Revenue Service. fatca spawned a global version. Under the Common Reporting Standard (crs), overseen by the oecd, more than 100 territories swap data on their financial firms’ foreign clients.
Who, apart from tax-dodgers, could complain about this? Quite a few people, it turns out. Critics say the sweeping arrangements favour transparency over privacy and data-protection rights. The transfers, they note, do not depend on there being any indication of tax evasion; all account-holders are treated with equal suspicion.
Europe takes privacy seriously; the eu’s General Data Protection Regulation (gdpr) is one of the bloc’s most treasured legal texts. But national governments have put up little resistance to fatca, despite qualms. Some of them worried about the poor optics of appearing to defend the tax-shy. Others simply had no stomach for a fight with the financial superpower.
Legal challenges to the data-swapping provisions of fatca and the crs have been launched in Britain, Canada, France and elsewhere. Most have failed. One that lives on was brought by “Jenny”, a pseudonymous American living in Britain who crowdfunded the case. She complained to Britain’s data-protection authority, challenging the taxman’s right to send her information to America (where she owes no tax). Doing so, she argued, breached her rights under gdpr.
The data tsar rejected her claim, even though it accepted that the tax authority did violate some gdpr guidelines. It is not the only European data-protection body to duck the matter. “It’s perceived as a political issue. They don’t want to rock the boat,” says Filippo Noseda of Mishcon de Reya, the law firm that represents Jenny. The European Commission has also pulled punches. After first raising concerns about the data implications of fatca, it then distanced itself from the issue, even claiming it had not been party to the original negotiations with the Americans, despite a document unearthed by an mep, and seen by The Economist, suggesting that it was.
Jenny has until August 29th to seek judicial review of her case. She is likely to press on despite being short of funds. The case could end up at the ecj—if it makes it there by December 31st, when the transition period for Britain’s exit from the eu ends.
The ecj has already sided with data privacy activists in two cases involving an Austrian who complained about Facebook sending his data to America. In the second ruling, in July, the court went beyond social media, punching a hole in the “Privacy Shield” deal which governs transatlantic data transfers. That arrangement, it ruled, was invalid because it did not sufficiently guard against data falling into the hands of, say, America’s National Security Agency. The judgment could be a “game changer” for fatca too, reckons Mr Noseda.
In the meantime, privacy is not the only worry. Security is one too. Tax authorities in Canada, Germany and elsewhere have had data stolen in cyber-attacks. In 2019 countries swapped data on 84m accounts, covering €10trn ($11.7trn)—nearly three times Germany’s gdp. A bane for tax-dodgers, then, but a boon for hackers. ■