When Fiscal Data Travel Between the EU and the US
IN THE LIGHT OF GDPR COMING INTO FORCE, IT IS NECESSARY TO ESTABLISH FULL RECIPROCITY AND PROTECTION OF PRIVACY IN THE TAX INFORMATION THAT THE EUROPEAN UNION EXCHANGES WITH THE UNITED STATESby Carlo Garbarino, Dept. of Legal Studies, Bocconi
Translated by Alex Foti
GDPR, the European Union’s General Regulation on Data Protection, which applies to any kind of online data, has been in force since May 25. It also applies to the automatic exchange of information on taxpayers between fiscal administrations, which information technology has made a lot easier to implement. This innovation was introduced following the proliferation of bilateral tax agreements that included fiscal information exchange, and the introduction of the multilateral framework called the Common Reporting Standard.
In 2010, the United States introduced legislation on the taxation of assets held abroad with the Foreign Account Tax Compliance Act (FATCA) which has an extra-territorial reach: foreign financial intermediaries, including European ones, must report to the IRS information regarding the accounts of US clients, under the threat of economic sanctions that are directly enforceable in the US. The information transmitted by EU financial institutions to US tax authorities presents critical issues regarding the protection of the data of EU clients; moreover, due to the high compliance costs associated with FATCA, certain European financial intermediaries are denying services to EU citizens, thus raising problems of disparity of treatment and respect for privacy, which are fundamental rights. This is particularly true of the so-called Accidental Americans, persons who are EU citizens and/or residents, but have automatically acquired US citizenship at birth, although they have no business in the United States.
These developments indicate that in the last decade the power of tax administrations has increased through the automatic exchange of information and FATCA, but the level of protection of personal data subject to such process has not evolved at the same pace, also with respect to intra-EU data transfers that are regulated by specific directives on administrative cooperation. GDPR now remedies this lack of protection by establishing the fundamental right to data protection and providing a legal framework for connected rights. The new regulation also balances the right of citizens to see their data protected against the pre-eminent interest of states to warrant fiscal revenues.
Another important aspect is that based on the combined operation of EU and FATCA regulations, the EU is transmitting important personal to a third party, i.e. the United States. GDPR also regulates these aspects by providing that personal data can be transferred only to third states that guarantee a level of security equivalent to that ensured by GDPR in the EU. The automatic exchange of fiscal data and FATCA were originally introduced as multilateral measures towards achieving a global system of tax information sharing between states with the view of implementing common strategies against transnational tax avoidance; FATCA, in particular, was presented as facilitating this cooperative process through bilateral administrative agreements between the EU and the US. In that context, multilateralism was understood as emerging from the sum of bilateral agreements based on full reciprocity. Unfortunately, administrative agreements between the states of the EU and the US do not function on the basis of reciprocity, since the United States does not transmit equivalent data to the European Union, so that the multilateral system originally envisaged by the EU and the US is now descending into crisis.
These critical issues were the subject of petitions to the European Parliament, calling for a revival of multilateralism in automatic exchange based on an EU-US accord. Reciprocity must be re-established by renegotiating tax agreements with America, so that there is full symmetry in the transfer of information between the United States and the European Union. Renegotiation of agreements is needed anyway to comply with the level of protection established by GDPR. If progress is not made, the EU could even contemplate drafting blocking legislation according to which tax data would no longer be transmitted until full reciprocity and GDPR protection are not implemented by the US.
