Though there were many major tax information data leaks, there is no discussion on the data protection aspects of international exchange of of tax information between governments, based on the Common Reporting Standard (‘CRS’). An example is the large Bulgarian leak of taxpayer information: BBC article, OECD reaction. In July this year the Australian tax office was hacked. There was a major breach in Canada. Etcetera.

Another questionable aspect of tax data sharing, is that it is also provided to dubious regimes

The only one who seems to pay attention to the risks of international exchange of tax information, seems to be the English attorney Filippo Noseda, who represents a victim of FATCA, the American law that harms people with the American nationality that do not live in the US. He publishes his correspondence with relevant institutions, such as the Information Commissioner’s Office (UK), the European Parliament, the Petitions Committee (PETI), the European Data Protection Board (EDPB), the European Commission (TAXUD) and the Organisation for Economic Cooperation and Development (OECD).

On 10 August he wrote a letter to English members of parliament, expressing concerns about providing financial data to dubious regimes:

Yesterday, a presidential candidate who had alleged links between organised crime and government officials in Ecuador was shot dead at a rally (see BBC news below).

Now, Ecuador appears on HMRC’s list of jurisdictions to whom it sends information about citizens with bank accounts in the UK (reproduced below for ease of reference). This exchange takes place automatically and without any indicia of tax evasion something that had been heavily criticised by data protection authorities before the UK adopted the CRS.

MPs on both sides of the political divide who care about Human Rights should take a closer look at HMRC’s list and ask themselves whether it is right that the UK government exchanges information almost mindlessly to regimes which could use the information to persecute its citizens, including jurisdictions that feature prominently on corruption indexes, such as the one published by Transparency International.

Some of his other recent letters on data protection matters are:

• Letter of 10 Aug 2023 to the OECD Secretary-General:

This letter to the Secretary General of the OECD follows recent questions to Parliament and a motion from 47 German MPs concerning the human rights implications of systems of automatic exchange of information, as well as fresh concerns about data safety following the hacking of the entire UK Electoral Register.

• Letter of 28 July to EU Commission re hacking risks to the CTS and IDES:

The attached letter discusses a recent revelation that the Australian Tax Office lost more than $557 million to cyber-attacks and the risks posed by the ‘Common Transmission System’ (CTS) maintained by the OECD and used by tax authorities the world over to exchange CRS data, as well as the ‘International Data Exchange System’ (IDES) maintained by the IRS.

• Letter of 25 Jul 2023 to EDPB re the IRS’s ‘bubble-gum’ IT systems:

This letter discusses a recent testimony given by the former IRS Chief of Criminal Investigations before the US Congress Finance Committee confirming the poor state of the IRS’s IT-systems processing taxpayers’ data, raising further concerns about the data protection safeguards of FATCA data transferred from the EU.

On 4 May 2020 Noseda sent a letter to OECD with an overview of his emails to OECD that raise concerns in relation to the data protection.

Noseda’s information on FATCA and cybersecurity of the exchange of tax information:
FATCA page, background information on FATCA and data protection, correspondence. Noseda has prepared a Hacking and Data Breaches List that includes various instances of hacking against tax authorities in the US, the UK and the rest of the EU.