THE TRANSATLANTIC MAGAZINE
Filippo Noseda, a Partner at law firm Mishcon de Reya, has raised 'Serious' questions over the Information Commissioner's Office (ICO) decision that FATCA does not breach European data privacy rules. The ICO's decision came after a notable legal campaign against HMRC was spearheaded by a US-born British citizen named Jenny.
The campaign focused on the issue of FATCA's compatability with EU Data Protection laws such as GDPR. FATCA, the Foreign Account Tax Compliance Act, requires banks and financial institutions to report information on their US-connected clients (including US Citizens and Accidental Americans) back to the USA. As well as concerns over data protection, FATCA more generally has cited as a reason for increasingly limited access to banking and financial services for overseas Americans since it was introduced in 2010.
Noseda, whose firm Mishcon de Reya brought the legal case against HMRC on behalf of Jenny, outlined in a June 19 letter to the European Data Protection Board (EDPB) his views on the ICO ruling, and the implications for the EDPB. Addressing the ICO's response, Noseda argues that "the ICO has not spent a single word on the various decisions from the European Court of Justice (CJEU) and the European General Court (EGU) in the area of data protection, the transfer of data to the US and the principles of necessity and proportionality."
In the June 19 letter, Noseda goes on to argue that the ICO have also not referred to other recent opinions published by European bodies on issues surrounding data protection, and criticizes the ICO for 'escamotage' - a sleight of hand - to avoid connecting the case with other recent rulings on UK to US data sharing.
Although the legal case at present is of a highly technical nature, Noseda offers a simple warning at the conclusion of his letter which addresses one of the key concerns of FATCA - which is that data shared is prone to hacking, and this could lead to huge problems for overseas Americans whose data are shared with the US via the FATCA regulations. Noseda's last point to the EDPB says "in the absense of any action, the responsibility for another hacking involving CRS or FATCA data would lie squarely with the EDPB."
The full correspondence from the Mishcon de Reya case can be found on their website, at www.mishcon.com/news/correspondence