Exchange of information vs data protection: A brave new world of transparency

Exchange of information vs data protection: A brave new world of transparency

Automatic exchange of information (“AEoI”) was developed a decade ago as the new cure-all in the fight against tax fraud for developed countries’ tax administrations. In our new context of global transparency, the set-up of these instruments seems to be an unstoppable trend.

However, while the purpose of AEoI is legitimate and reversing the situation is not an option, the AEoI raises, in its current form, genuine difficulties as regards fundamental principles in European law.

Let’s quickly take a look at the origins of AEoI and explain why it has developed so rapidly. Afterwards, we’ll discuss why the AEoI standards are in conflict with fundamental taxpayers’ rights. Finally, we’ll give you our thoughts about how to increase compatibility between the AEoI and the right to privacy.


AEOI, how it all began

Exchange of information (“EoI”) is almost older than the main staple of international tax law, double tax treaties (“DTT”): the first references to information exchange appear in the 1843 tax agreement between France and Belgium[1]. The OECD model convention has included an “exchange of information clause” from the very beginning[2].

EoI has three components: spontaneous exchange, exchange on request and automatic exchange. We can also identify a fourth type of exchange, the extraterritorial tax audit, which has emerged from the Directive on Administrative Cooperation (“DAC”). Until the 2000s, automatic exchange of information was still in its infancy and EoI on request was the only tool used by tax authorities.

The only real automatic exchange of information that had existed previously was the QI[3] protocol between the United States IRS[4] and foreign banks which guaranteed easier access to tax treaties signed between the country of residence of the foreign bank and the US. This heightened ease of access was based on the transfer of information concerning US taxpayers who had financial assets in these foreign banks to the IRS.

The implementation of (“FATCA”)[5] completely changed the paradigm and made exchange of information the go-to weapon in the fight against tax fraud by individuals. In 2010, FATCA imposed a bilateral data transfer between US citizens who are either clients of non-US banks or investors in non-US financial institutions, and the IRS.

This data transfer includes personal information about investors as well as information related to the investor’s bank accounts, amount of financial assets, and yearly revenues. Thanks to the IGA[6], the IRS has been able to integrate these rules into the local law of the States adopting FATCA norms. In this way, for the countries which opt for IGA model 1, the model most frequently adopted by third countries, an information transfer of the US investor’s data occurs firstly from the financial institution or bank to his tax administration and secondly, from the tax administration to IRS.

In 2013, it appeared that the OECD tax commission decided to take some inspiration from FATCA and apply its principles to a multilateral approach. The Common Reporting Standard (“CRS”) was born. Approved by the OECD counsel on 15 July 2013, this new multilateral approach to AEoI was subsequently validated by the European Counsel when CRS was added to the DAC in October 2014. Even if real practical and theoretical differences exist between these three standards (FATCA/CRS/DAC), they do share common objectives and similarities in how they are implemented.

The speed at which world has gone from bilateral exchange on request to a multilateral AEoI has been breakneck, and even more so if we consider that this development has also brought an end to banking secrecy. The rapid pace of change demonstrates tax administrations’ ultimate goal to put a stop to perceived international tax fraud. The purpose as stated seems legitimate but the instruments used to accomplish this purpose raise questions as to rights to privacy as well as other taxpayer rights.


Issues created by the AEoI

AEoI has created difficulties with regard to data protection and the right to privacy of taxpayers involved in the automatic information exchange. The exchange involves a (i) transfer of information collected by the financial institution to the reference tax administration; this tax administration then (ii) transmits data to a third party tax administration which retains in fine (iii) the information and uses it for their tax auditing purposes. With each of these steps, comes a risk of a data breach. This risk has been known from the beginning, to the point where CRS allows for the possibility to exchange information only between jurisdictions with comparable levels of IT security. However, in the rush to reach political consensus with this topic, taxpayer rights might not have been given sufficient consideration when assessing issues created by the AEoI prior to its implementation.

But what rights are we talking about? Provisions relating to privacy rights are clearly set out in Article 8 of the European Convention on Human Rights. Article 8 states that everyone has the right to privacy in their personal and family life, their home and their communications. The authorities must not breach this right except within specific circumstances related to national security or the economic interests of a country. Equivalent rules are set out in Article 7 of Charter of Fundamental Rights of the European Union. And Article 8 of the same Charter establishes the main principles governing the protection of personal data. The EU General Data Protection Regulation[7] (“GDPR”) is in line with this thinking by requiring organisations to take into account the protection of the personal data that they handle, process and store and therefore, to maintain a secure information system.

The DAC has been amended in direct reference to the Directive 2014/107/EU. Following these amendments, reporting organisations have been labeled as “data protection officers”. Therefore, exchange of information is directly targeted by data protection regulations and thus by the GDPR. In the context of the multilateralisation and automatisation of the exchange of information, the question is not to know if breaches will happen, but when breaches will happen. Failed systems of a tax administration could misplace information; data might be lost, stolen or poorly managed, all these acts would constitute a breach according to the right to privacy.

These potential breaches are as numerous as the exchange of information systems themselves:

  1. Three standards now coexist, leading to difficulties in controlling these norms and therefore generating operational risks;
  2. These standards were designed to be multilateral and involve as many jurisdictions as possible;
  3. These standards multiply the volume of data and the volume of data transmitted.

Furthermore, the tax administrations in their efforts to make the exchange as exhaustive and efficient as possible, have only rarely reviewed other jurisdictions’ ability to receive the data while ensuring optimal IT security or even ensure a fair reciprocal exchange of information. It could be noted that the US do not seem willing to systematically provide to foreign administrations their fair share of reciprocal exchange of information. It could also be noted that most countries seem to have not paid close attention to the state of democracy in the countries with which they exchange. A real risk exists that the data exchanged will be used by authoritarian states or democratic-dictatorships, in clear opposition of the principles laid down in Charter of Fundamental Rights of the European Union. In this case, there is little doubt that information obtained through AEoI mechanisms might be at risk of being exploited by a foreign government for political reasons.

We are not alone in our finding of inconsistency between the AEoI and data protection regulation. Some taxpayers[8] have even brought legal action against the various exchange of information standards. Undoubtedly, some of these cases will be won by the taxpayer and will help create a system which is more sensitive to and respectful of the taxpayer’s fundamental rights.

Another disputable topic seems the respect of the rights to a fair trial for the taxpayer. As the taxpayer is not systematically informed of the exchange of information he is submitted to, these rights seems to be widely ignored by EoI, automatic and on demand.

All this raises an essential question: do the ends justify the means? Once exchange of information has grown out of its infancy and tax administrations have drawn their first conclusions, it will be critical to reevaluate the coherence of all the standards and weigh the risks posed by their artificial coexistence. The AEoI has become an integral component of the international tax landscape and nothing will change this. However, there is ample room for improvement through a series of actions that we describe below.


The AEoI has a bright future… and will continue for a long time…

In order address some of the current issues as well as to limit the risk of data breaches in the future, the OECD should turn their attention to improving the system in the following areas:

  1. Harmonisation of automatic exchange with the switch from the three standards in favor of a single one;
  2. The adherence to this single standard by the US, therefore replacing and ending FATCA and achieving reciprocity;
  3. A simplification of the information transmitted. For example, declaring only foreign accounts without indicating an amount. Tax administrations would then be responsible for collecting missing information through specific information requests;
  4. The development of a common IT infrastructure in order to provide the highest guarantee of IT security in all jurisdictions;
  5. Set limits to the duration of data retention;
  6. Effective consideration to the taxpayers’ rights (e.g.: more systematic information to the taxpayers who are subject to the EoI) and the risks of misuse of the exchanged information.

There are many technical but above all political obstacles to the implementation of this exchange. As things stand, such obstacles seem quite difficult to overcome. As a consequence, we believe that if the system is not able to reform itself, the risk of increasing criticism and legal actions is not minor. We cannot exclude that in the future, such criticism even could call into question the very principle of EoI in and with some jurisdictions; it will be interesting to observe future developments in this discussion.


[1] « Convention pour régler les relations des administrations de l’enregistrement de France et de Belgique » dated 08/12/1843

[2] OECD Model tax convention dated 1963

[3] IRC par. 1441, qualified intermediary regulation.

[4] Internal Revenue Service

[5] Foreign Account tax compliance act was passed as part of the HIRE Act in 2010.

[6] Intergovernmental Agreement

[7] European regulation n°2016/679 / GDPR Directive adopted by the European Parliament on April 2016.

[8] Cf. Financial Times August, 1st 2018: « EU national challenges HMRC over new data sharing rules ».

 Antoine Dupuis
Antoine Dupuis, Partner - International & Corporate Tax

Posted on 28/09/2018