A group of European Union legislators have called on the EU policymaking machine and member states to tackle data leaks which put individuals’ financial privacy at risk. Law firm Mishcon de Reya also claims that privacy is being threatened by cross-border data exchanges with jurisdictions including the US, breaching rules such as Europe’s GDPR regime. 

This week, Socialists & Democrats in the European Parliament issued a statement calling on the European Commission and EU governments to grapple with problems raised by the US Foreign Account Taxation Act and the data protection implications of shuffling information between the EU and US. Because the US taxes its citizens regardless of where they live, data exchange issues weigh particularly heavily on Americans living abroad.

The controversy highlights the friction between the drive for more transparency that governments have led in recent years, and legitimate financial privacy. The various “leaks” of data from Panama, the Bahamas and other offshore centers have stoked debate about where the line must be drawn.

US-born citizens living outside their place of birth, sometimes known as “Accidental Americans,” can be hit by demands for tax details from the US. The FATCA legislation, enacted by the Obama administration in 2010, which is designed to ensure that expats don’t dodge US tax, has been blamed for making it hard for Americans to access foreign financial services. 

Intra-governmental agreements to share data to weed out tax evaders have also been criticized in light of cybersecurity and acts by campaigning journalists to expose offshore companies.

Mishcon de Reya partner Filippo Noseda has campaigned for tighter data protection  in the case of FATCA and Common Reporting Standard. Noseda said the move by European Parliament figures is a major victory for the privacy case.

Noseda, in a letter shown to this publication, urges the European Data Protection Board, the EU body responsible for this area, to “intervene in the debate concerning the compatibility of FATCA and other systems of automatic exchange of information on individuals' fundamental rights to data protection, data security and data privacy.”

In its letter to the European Commission, meanwhile, the S&D group of MEPs said: “In 2018 the European Parliament denounced the discrimination and injustice that face a number of EU citizens known as ‘Accidental Americans.’ Three years on, we still have serious concerns that some member states continue to indulge the overreach of US tax authorities and that they are violating basic data protection rights in the process. GDPR rules are a gold standard in terms of protecting private information and these rules were hard-fought rights to be enjoyed by all EU citizens. It beggars belief that we are willing to cast these rules aside when faced with an authority outside the EU.   

“When EU Finance Ministers meet today , they will discuss the unfair consequences facing thousands of EU citizens known as ‘Accidental Americans.’ The S&D Group in the European Parliament is calling for the European Commission and EU governments to stop turning a blind eye to data protection violations under the US Foreign Tax Compliance Act ."

S&D Group spokesperson for the Parliament’s petitions committee, Alex Agius Saliba, said: “Through the petition's committee, the ‘Accidental Americans’ have always had a voice and a platform to explain the injustices they face. Today’s discussion among EU Finance Ministers is an opportunity to further the cause, but EU governments need to open discussions with the US and take action to do right by our citizens. In its role as guardian of the treaties, the European Commission has so far failed to fully protect citizens’ rights, but it should now investigate all possible breaches of GDPR rules under FATCA. There can be no more data protection breaches, no more fundamental rights violations, no more bilateral side-deals with the US and no more disproportionate fees for these ‘Accidental Americans’ to give up their citizenship.”

Asked about the MEPs’ letter, vice-president of the Commission, Valdis Dombrovskis, told a press conference yesterday: "FATCA has been addressed informally with the US authorities by members of the Commission and Commission services on several occasions. This is a long-standing issue touching many areas, including data protection."

Luxembourg breaches
Noseda said a recent assault on privacy involving Le Monde, the French newspaper, meant that policymakers must consider if data exchanges could breach GDPR legislation.

Le Monde, Noseda said, used software tools to comb through Luxembourg’s public register of beneficial ownership to build a record listing beneficiaries of 124,000 companies, and 3.3 million administrative acts and reports. 

“These are documents that have recently been made public, but are only available on the Luxembourg trade register website. Le Monde was able to extract them in their entirety for analysis, in partnership with the Suddeutsche Zeitung in Germany, Le Soir in Belgium, McClatchy in the United States, Woxx in Luxembourg, IrpiMedia in Italy, and the OCCRP Consortium of investigative journalists,” Noseda said.

“It is difficult to see how this indiscriminate processing and voyeuristic disclosure of the personal data of thousands of compliant citizens might be compatible with their fundamental rights to data protection and privacy,” Noseda said, citing a number of laws. He said the Luxembourg case meant that it was even more important for authorities to consider the GDPR implications of such conduct.

Noseda said the European Commission and authorities in Washington DC have known since at least late November 2011 that US data protection rules aren’t as tough as those in Europe, creating a potential collision.