On the 16th July 2020 the Court of Justice of the European Union (CJEU) delivered its long- awaited judgement in the Schrems 2 case.

The Court declared that the transfer of personal data from the EU to the US is illegal, because the US does not offer the same level of data protection as the EU.

This is the third time the European Commission has lost before the CJEU on data retention and data transfer to the US – but still it goes on – with serious GDPR consequences and ‘worrying’ concerns about hacking along the chain of transfer from bank to HMRC and across to the IRS.

This newsletter is taken from the pioneering work done in this area by Filippo Noseda, partner in Mischcon de Reya.

The CJEU case related to the transfer of data in the commercial sector. The claimant (a Facebook user) argued successfully that once his data was in the US, it could be accessed by the NSA. This was a commercial case, but exactly the same issues apply to the transfer of personal information to the US under the rules of FATCA and CRS.

In 2010 the US introduced FATCA which requires all foreign banks to report on any US citizen with monies in a bank account outside the US or face stringent withholding taxes. Under these rules, foreign banks are required to send all personal and financial information of any US citizen to US authorities on an annual basis whether or not there is any suspicion of tax avoidance or evasion.

Of course, tax evasion is wrong and should be stamped out, but collating and exchanging personal and financial information regardless of any suspicion of tax irregularity is not ‘necessary’ to stamp out tax evasion and is considered a violation of a person’s fundamental rights to privacy and data protection.

But it is not just that the exchange and sharing of financial information, which is against every person’s fundamental right to privacy, but also the transfer of information exposes the individual to the greater concern of hacking which is in direct violation of the GDPR principles.

Data needs to have strong safeguards, which is what GDPR sets out. Wherever personal data is held and especially if it is to be transferred it needs to be kept safe. The transfer of personal financial data from the bank to HMRC and out to the US IRS does not have the strong safeguards considered appropriate for this sort of information when transferred along the chain to the US.  

Although the Shrems 2 case involves the transfer of information to the US under the FATCA rules there is also extensive exchange of financial information now in place between all OECD countries including all financial centres from the Bahamas to Guernsey, and Mauritius to Zurich, the same concerns arise; – disproportionate intrusion of privacy to stamp out tax evasion and aggressive tax avoidance, and exposure of sensitive personal financial information to hacking and abuse

Filippo Noseda, partner with Mishcon de Reya is passionate about this misuse of power and violation of privacy, and protection of personal financial information. However, Filippo is not just cross about it, he is prepared to do something about it – but needs our help.

With the consent and blessing of his firm, Filippo has started a complaint against the UK tax authorities on behalf of ‘Jenny’ a US born, British citizen who due to her low level of her income could not possibly be avoiding or evading US tax.

This case cannot therefore be viewed as the rich protecting their interests – but at the same time Jenny cannot afford to make a complaint against FATCA without assistance. Mishcon de Reya has therefore launched a crowdfunding page to cover the legal fees.

Funds of £88,000 have already been raised from interested parties but a further £75,000 is needed to launch an appeal before the UK Court by 29th August 2020, at the latest. This is an appeal to anyone who is concerned about abuse of power and the invasion of privacy to contribute to this fund support Jenny who says on her crowdfunding page

 ‘A legal challenge of this type requires an enormous amount of work. It is complicated and untested which means it is hard to predict how it will develop. I have instructed Mishcon de Reya who are leaders in data protection and privacy issues. Dealing with HMRC, without going to Court, is costing several hundred thousand pounds’

I ask you to support Jenny – but we don’t have much time.

For background and further information, click here