Does the right to privacy conflict with exchange of information?

07 May 2021

Transparency has been a major global focus in recent years, leading to the introduction of measures such as the Common Reporting Standard, which involves the automatic exchange of information between countries in relation to assets, income and taxation. Similar regimes exist for the transfer of other data between countries, perhaps the most well-known of which is FATCA, which requires the transfer of data to the US in respect of US citizens and taxpayers.

However, taxpayers across the EU have begun to fight back against the move towards transparency, with recent cases being brought in the courts of several EU jurisdictions arguing that certain transparency requirements are incompatible with the General Data Protection Regulation (GDPR) and the taxpayers’ right to privacy.

Similar objections have been raised in respect of the transfer of data to the US tax authorities under FATCA, resulting in a review by the European Data Protection Board (EDPB). The EDPB has released a statement confirming that, whilst all international agreements involving the transfer of personal data to third countries or international organisations which were concluded by the EU Member States remain in force, Member States should assess whether those agreements comply with the GDPR and the right to privacy. If they do not comply, thought should be given as to what is required to bring them in line with the GDPR.

It remains to be seen how this will impact the automatic exchange of information, including under FATCA. Enforcing tax obligations is a legitimate reason for transferring data, but the review by Member States could result in appropriate safeguards being introduced to ensure that the right to privacy under GDPR is taken into consideration when information is being exchanged with third countries.

The EDPB deems that, in order to ensure that the level of protection of natural persons guaranteed by the GDPR and the Law Enforcement Directive is not undermined when personal data is transferred outside the Union, consideration should be given to the aim of bringing these agreements in line with the GDPR and LED requirements for data transfers where this is not yet the case.