The predecessor of the European Data Protection Board (EDPB), WP29 {1}, wrote a letter to the OECD {2} on 12 December 2016 that is still very relevant.
In this letter, WP29 emphasises that data protection principles must also be complied with in the international exchange of personal financial data under the OECD Common Reporting Standard (CRS). This includes ongoing monitoring of compliance by the non-EU country with fundamental rights and data protection rules.
The text of the letter follows; please note that the URLs no longer work and now redirect to the WP29 archive page:
As you know, the Article 29 Working Party has been dealing with the data protection implications of automatic exchange of information mechanisms for tax purposes, including the OECD Common Reporting Standard (CRS), for the last few years.
By letter of 18 September 2014 [1] to the OECD, the WP29 expressed concerns regarding the impact of CRS on the right to the protection of personal data and highlighted the data protection principles to be respected so that the legitimate aim of combating fraud and tax evasion would be achieved while ensuring full compliance with fundamental rights as set forth by both European and international legal tools.
After your reply of 22 October 2014, the WP29 adopted a statement on 4 February 2015 [2], primarily addressed to national governments and EU institutions (which in the meanwhile had engaged in the preparation of EU legislation largely modelled after the CRS [3]), to draw their attention to the need that such exchanges should meet data protection requirements with particular regard to the principles of necessity and proportionality, and taking due account of the effects of the European Court of Justice’s judgment of 8 April 2014. Such judgment was indeed particularly relevant as it declared Directive 2006/24/EC (‘Data retention Directive’) invalid on the ground that EU legislators had exceeded the limits of proportionality in forging such Directive.
The statement was followed by the Guidelines [4] adopted by the WP29 on 16 December 2015, addressed to Member States, on the criteria to ensure compliance with data protection requirements in the context of automatic data exchange between competent authorities of different countries. On that occasion, the WP29 highlighted that: a) in respect of data exchange between an EU Member State and a third country not covered by an adequacy decision under Article 25.6 of Directive 95/46, it was crucial to ensure that the receiving country provided adequate protection to personal data through the adoption of an ad hoc agreement with binding safeguards; b) given the comprehensive and systematic nature of the data transfer concerned, the exceptions provided for in Article 26 (1,d) of the Directive 95/46/EC could not be applied.
Since then, the EU data protection framework has been evolving, in particular with the adoption of Regulation 2016/679 (‘GDPR’) and Directive 2016/680 [5] which have strengthened data protection rights and introduced more stringent criteria for the assessment of data transfers. In parallel, at international level, the modernisation of the Convention for the Protection of Individuals with regard to the Automatic Processing of Personal Data (Convention 108/1981) – aimed at reinforcing data protection safeguards, including specific rules on cross-border data flows with third countries – has largely progressed.
Significant and more recent case law from the European Court of Justice has made it even more urgent to ensure that transfers of data from EU to third countries are accompanied by appropriate data protection safeguards and emphasized the role of data protection authorities in the supervision of such data transfers [6].
Against this background, the WP29 wishes to reiterate its strong concerns regarding the repercussions on fundamental rights of mechanisms entailing major data processing and exchange operations such as those envisaged by the CRS.
Additional concerns in relation to the security of massive automatic data processing have been raised by recent reports in the media of high-profile cyber-attacks.
The WP29, while acknowledging confidentiality of data as an important element of data security, recalls that the entire range of data protection principles – as recognized by European and international instruments, including CoE’s Convention 108 and OECD Privacy Guidelines – requires full compliance. Compliance with data protection principles is moreover important to reduce the risk of negative court decisions which may jeopardize the anti-evasion instruments at stake.
In particular the WP29 recommends that the OECD, by also involving the appropriate OECD bodies competent for data protection, assess the different interests at issue appropriately so as to ensure that tax evasion is countered and prosecuted without hampering individuals’ rights, as also recognized within the same OECD.
The WP29 would be grateful to be kept informed about any possible new elements in the OECD CRS process that may have repercussions on data protection. It wishes to open an active dialogue with the competent OECD bodies and proposes to hold a high-level meeting between the WP29 and the OECD to foster a real cooperation, in a joint effort to identify methods to pursue the legitimate aim of fighting tax evasion through efficient mechanisms that do not expose individuals’ rights to disproportionate interference.
Yours sincerely,
On behalf of the Article 29 Working Party (…)

[1] http://ec.europa.eu/justice/data-protection/article-29/documentation/other-document/files/2014/20140918_letter_on_oecd_common_reporting_standard.pdf.pdf
Annex to the letter containing specific issues identified in respect of CRS: http://ec.europa.eu/justice/data-protection/article-29/documentation/other-document/files/2014/20140918_annex_oecd_common_reporting_standard.pdf.pdf
[3] Directive 2014/107/EU of 9 December 2014 amending Directive 2011/16/EU as regards mandatory automatic exchange of information in the field of taxation.
[5] On 4 May 2016, the official texts of the Regulation and the Directive were published in the EU Official Journal in all the official languages. While the Regulation came into force on 24 May 2016, it will apply from 25 May 2018. The Directive entered into force on 5 May 2016 and EU Member States have to transpose it into their national law by 6 May 2018.
[6] In particular, ECJ’s decision of 6 October 2015 (Case C-362/14, so called Schrems case) has stated that it is for the national data protection authorities to supervise and, where necessary, intervene by opening an investigation, if they have grounds to consider that the data protection safeguards implemented by the third country to which the data are transferred are not or no longer adequate – even in the presence of an adequacy decision by the Commission.
According to the said judgment, any adequacy decision must fully respect the criteria provided for in Article 25 of Directive 95/46/EC. The Court underlined that even a sectorial decision (such as the Safe Harbor decision) requires an in-depth, continuous analysis of the third country’s domestic laws and international commitments. The principles of law elaborated by the Court in this case also apply, mutatis mutandis, to the international exchange of personal financial information. In this context, a new framework for the transfer of personal data to the USA was adopted on 15 August 2016 – the so-called Privacy Shield.
Notes:
{1} The Article 29 Data Protection Working Party.
{2} This letter is published (pdf) on the site of the European Commission. The recipients were:
- the Director of Centre for Tax Policy and Administration of the OECD,
- the Head of International Cooperation and Tax Administration Unit (Centre for Tax Policy and Administration OECD),
- the Head of Digital Economy Policy Division (Directorate for Science, Technology and Innovation OECD),
- the Director General of the EU Commission, DG TAXUD (European Commission),
- the European Council,
- the European Parliament.