EU citizen alleges CRS account data sharing is unlawful
An Italian-domiciled woman has lodged an official complaint with the UK’s Information Commissioner, alleging that the disclosure of her personal and financial information to other countries under the OECD’s Common Reporting Standard (CRS) infringes the European Union’s General Data Protection Regulation.
The unidentified woman is being represented by Filippo Noseda TEP, a partner at law firm Mishcon de Reya. Noseda has been challenging the CRS since 2015, on the grounds that it has serious repercussions for fundamental rights such as privacy, and for the relationship between individuals and the state.
The recent EU initiative to introduce central registers of beneficial ownership of companies has the same drawback, he says. ‘Practically, anyone owning a substantial interest in a private company based in Europe, or with a European subsidiary, will see their details published, regardless of where they are resident, the nature of the business or the nature of their involvement in that business.’
Noseda contends that the publication of sensitive data concerning the internal governance and ownership of private companies by the beneficial ownership registers is not necessary to achieve the authorities’ stated objectives. ‘Similarly, we believe that the exchange of information under the CRS is excessive, as information is exchanged indiscriminately and affects all account holders regardless of the size of the account.’
The information exchanged under the CRS includes personal data such as the name, date/place of birth and tax identification number of the account holder, as well as financial data about the financial account itself such as the account number and balance.
‘This exposes compliant account holders to risk of hacking and data loss’, warns Noseda. ‘It could lead to identity theft on a grand scale.’
According to Mishcon, any interference with these rights can only be justified if it has a clear legal basis; pursues a legitimate public interest such as the fight against crime; and is proportionate, i.e. limited to what is strictly necessary to achieve the objective pursued. The firm has written to HMRC asking for assurances that they will not exchange or publish information under the CRS or the UK’s beneficial ownership registers (also called Persons with Significant Control or PSC registers). Not surprisingly, HMRC has refused to do so.
Mishcon has now decided to take formal action via its Italian-domiciled client. The client has an international background, having been UK tax resident for several years, and still has a UK bank account with a modest balance. It is this account that will be reported via HMRC to foreign tax authorities, along with her name, date of birth, and UK tax identification number. She has told the UK’s Office of the Information Commissioner – the data protection regulator – that these disclosures amount to a disproportionate risk of data loss and potential hacking.
‘In a democratic society, the rights to privacy and data protection are an essential safeguard to protect compliant citizens against potential abuses’, says Mishcon de Reya. ‘They must be treated with the appropriate seriousness by the authorities.’