THE TRANSATLANTIC MAGAZINE
A legal expert at the heart of a case against FATCA in Europe has warned that the procedure is a "Data privacy disaster waiting to happen".
Filippo Noseda, a partner at law firm Mishcon de Reya, has been representing the case of a US born UK citizen against FATCA regulations on the basis of privacy concerns. FATCA, the Foreign Account Tax Compliance Act, was introduced in 2010, and requires banks and financial institutions outside the US to report details on American clients and their finances back to the IRS. The cost and potential liability involved in this reporting have been cited as the reason why some banks and financial bodies refuse to accept US citizens as clients. However, Noseda's case and correspondence reveal further concerns over the possibility that data shared via FATCA could itself be vulnerable to cyber attacks.
In a letter dated July 15, Mr Noseda wrote to European bodies saying that there is "a GDPR black-hole in the heart of the EU." GDPR, or the General Data Protection Regulation, is an EU law introduced in 2018 aimed at developing stronger safeguards for data processed by EU countries. Noseda points to a recent decision by the OECD, the Organisation for Economic Co-operation and Development, as a particular concern. The OECD's Common Transmission System (CTS) is a mechanism for sharing data between tax administrations. Noseda notes that the OECD recently made a decision that it is "not accountable for the personal data of individual taxpayers transmitted through the CTS and thus not obliged to comply with the rules in relation to such data".
Noseda argues that this decision means that "In practice, EU Member States who exchange information using the OECD's Common Transmission System (in the case of the Common Reporting Standard, or CRS) or the US's International Data Exchange System (in the case of FATCA) are putting the data of millions of compliant citizens at serious risk of theft which, in the absense of any indicia of tax evasion, raises serious concerns about the proportionality of the rules."
Noseda also refers to the OECD's own analysis that "no known system of electronic transmission and storage of data can be represented as fully secure" to point out the risk of such large amounts of data being shared.
Although FATCA itself has been a source of concern for overseas Americans since its introduction in 2010, this new avenue of legal questioning is offering a different approach to challenging the regulation and its application in Europe. Noseda argues that the decision by the OECD, coupled with recent decisions by organizations including the UK's Information Commissioner's Office, amounts to 'passing the buck', and represents "a concerted effort to avoid any serious debate on the implications of systems of automatic exchange of information for individual's rights and, ultimately, deflect responsibility for future data breaches".
The full details of Mr Noseda's correspondence with the EU and other bodies on FATCA can be found at www.mishcon.com/news/correspondence