EU data protection regulator asks Member States to re-assess information exchange privacy
The EDPB statement is a result of several cases brought by taxpayers and law firms across the EU, arguing that certain transparency requirements, including the OECD Common Reporting Standard (CRS) and the US Foreign Account Compliance Act (FATCA), are incompatible with GDPR.
Article 96 of the GDPR, together with Article 61 of the Law Enforcement Directive (LED), assert that all international agreements involving the transfer of personal data to third countries or international organisations which were concluded by the EU Member States prior to 24 May 2016 or 6 May 2016 respectively and which comply with EU law as applicable before that date, shall remain in force until amended, replaced or revoked.
However, the EDPR has now acknowledged campaigners' concerns that the protection of natural persons guaranteed by the GDPR and the LED could be undermined when personal data is transferred outside the EU. Its statement asks EU Member States to check whether their tax information exchange agreement (TIEA) data transfers satisfy this criterion and to consider bringing them in line with the GDPR and LED requirements where this is not yet the case. It points Member States' governments to the guidelines the EDPR issued in 2020 and has also included some specific guidance on the safeguards to be included in these agreements in its work programme for 2021-2022.
'For almost five years, the European Commission and EU Member States, as well as the UK, have been ignoring calls from campaigners to address the breach of fundamental rights caused by automatic exchange of information' commented Mishcon de Reya Partner Filippo Noseda TEP. 'Now, after incessant lobbying, the European Data Protection Board acknowledged the problem…an invitation by the EU's data protection watchdog to review automatic exchange of information agreements with third countries, including the US, cannot be ignored'.
Complaints against the ‘nature’ of the CRS, beneficial ownership registers and FATCA have now been made in Austria, France, Luxembourg and the UK.
'It remains to be seen how this will impact the automatic exchange of information, including under FATCA', commented Sam Epstein, Solicitor at law firm Macfarlanes. 'Enforcing tax obligations is a legitimate reason for transferring data, but the review by Member States could result in appropriate safeguards being introduced to ensure that the right to privacy under GDPR is taken into consideration when information is being exchanged with third countries.'
The content displayed here is subject to our disclaimer. Read more
Connect with us