updated 2:57 PM CEST, Sep 21, 2023

The FATCA/AEOI Papers: Mishcon publishes research trove, unearthed as part of crowd-funded UK FATCA case

Filippo Noseda Filippo Noseda

Correspondence and other documents having to do with the way the U.S. tax evasion-prevention law known as FATCA was agreed upon, and is now enforced by EU governments – along with similar materials having to do with the OECD’s more recent automatic exchange of information (AEOI) regime known as the Common Reporting Standard – have been published by a campaigning lawyer with London’s Mishcon de Reya law firm.

The lawyer, Mishcon de Reya partner Filippo Noseda, pictured above, during a two-and-a-half-hour hearing on the "extra-territorial effects" of FATCA on EU citizens held by the European Parliament last year, has been compiling the materials over the last few years, he told the American Expat Financial News Journal this week.

Noseda says the documents reveal “a consistent pattern of unwillingness on the part of top European Union institutions to accept or address fundamental data privacy and legal issues” associated with the two AEOI regimes, as well as what he regards as a “puzzling lack of proportionality between the fight against tax evasion and the rights of individuals to a certain minimal degree of data confidentiality”.

This is particularly evident, he adds, when it involves the provision of data to the U.S., evidently reflecting an unwillingness on the part of EU institutions to risk provoking a negative reaction from Washington.

Noseda says he’s posting the trove of documents to help others who are interested in the issues to more easily see what has been said and written in the lead-up to now – and in some cases, to better spot the contradictions he says exist between what some people at certain EU institutions have said and went on to do, or say, later.

As reported, Noseda is overseeing a Mishcon team that’s bringing a crowd-funded legal complaint against the way the UK has handled the personal financial data of a U.S.-born British citizen who is known publicly only as “Jenny”, as part of its compliance with FATCA.

The case has got to the point where the UK’s Information Commissioner’s Office – the country’s data protection agency – has received a response from HM Revenue & Customs to questions it submitted to the government's tax agency last year. (The response has intentionally not been shared with the Mishcon team, Noseda said.)

The ICO’s next step will be to draft its own official response to Jenny’s challenge, which will then either see the matter brought to an end, or else continue to a formal court trial.

Challenger of AEOI regimes

Prior to taking on Jenny’s case last year, Noseda had already made a name for himself in recent years as a challenger of the fundamental legality of FATCA and the CRS.

In 2018 he represented another un-named litigant in a case almost identical to Jenny’s, except that the client was a woman now living in Italy but who had previously been resident in the UK, and her case concerned the way her data was being shared by the UK with Italy, under the Common Reporting Standard.

That case is also still ongoing.

“The need to file multiple complaints to get these concerns aired shows the Kafkaesque position in which compliant citizens find themselves,” says Noseda, of his dedication to the issues of data protection and personal data privacy concerns.

But he privately admits to frustration, alongside astonishment, that Europe’s top institutions, including the European Commission, have thus far failed to intervene over what he sees as a “grave and scandalous breach of European citizens’ fundamental rights” in connection with the way their personal data is being shared across international borders.

At the same time, he doesn’t understand why more people “outside the data protection community” haven’t taken the time to understand the issues and call for action themselves.

Noseda says this failure to take action, or even show much interest at all, is all the more surprising “now, in the wake of several significant data security breaches”, including what he notes was the widely-reported 2019 hacking “of the tax data of the entire population of an EU member state: Bulgaria”.

He regards that case as particularly important because he says the OECD admitted at the time it had involved data being transferred between tax authorities “under a system derived from FATCA”.

Jenny: U.S. has 'no intention
of acknowledging FATCA harms'

Noseda’s views are echoed by Jenny, his client and the crowd-funded FATCA-data transfer litigant. As previously reported, she has been described as married and working with deaf students at a university in the north of England, where she is a research associate.

In an email to her CrowdJustice.com supporters last month, Jenny said she saw a much-commented-on March 12 letter, in which a top U.S. Treasury official, Lafayette G. “Chip” Harter, effectively dismissed the EU’s Council’s concerns about FATCA, as evidence that “FATCA’s disproportionality is baked into the law itself”.

The U.S. government’s aim, she added in her CrowdJustice.com comment, “is to compile data on its citizens regardless of their tax liability, i.e., in flagrant violation of the principles of necessity and limitation of purpose.”

She added: “[Harter’s] letter demonstrates that the U.S. has no intention of fixing, or even acknowledging, the harms caused by FATCA.”

As for her and Mishcon de Reya’s compilation of recent hacks and leaks of personal data – which they say fills a 21-page document – Jenny told the American Expat Financial News Journal: “These data breaches are happening on a daily basis, and remote working due to the coronavirus pandemic has increased the risk and size of breaches to unprecedented levels.

“What my legal team’s documents show is that FATCA, and the wider automatic exchange of information (AEOI) regime now being rolled out by the Organization for Economic Co-operation and Development, provide hackers with a single entry point into a data treasure trove, of a size and value that the world has never seen before.”

Thus far, none of the organizations the American Expat Financial News Journal has contacted for a response to Noseda and Jenny’s claims, including European Union officials, has replied.

The 'FATCA/AEOI Papers'

The trove of documents that comprise Mishcon de Reya’s “FATCA/AEOI Papers” is posted online in three parts, and Noseda says the plan is to continue to add to it as additional documents emerge.

The first part is called “Correspondence”  and consists of around a dozen mostly letters and sets of correspondence dating back to last November (although linked-to documents go back much further), to and from such EU entities as the European Parliament’s Petitions Committee, European Data Protection Board, European Commission, the UK’s Information Commissioner's Office and the OECD.

Among the most recent and important of the featured correspondences are a series of letters apparently conveyed via email, last month, between Noseda and OECD Data Protection Commissioner Billy Hawkes, which were copied to various other EU officials.

The Correspondence section ends with a link to a 15-page “Mishcon de Reya Hacking and Data Breaches List” that is explained as having been prepared “to support Jenny's claim that FATCA unnecessarily exposes sensitive personal and financial data of compliant citizens to the risk of hacking”.

The second part of the Mishcon FATCA/AEOI Papers is a "Background and further information"  section that basically spells out the case being brought on Jenny's behalf by Mishcon de Reya. This is also where Mishcon's decision to publish its letters to the European Parliament is explained, as having been taken in the wake of a key, two-and-a-half-hour European Parliament hearing last November into the "extra-territorial aspects" of FATCA because they are said to "show that the European Commission had 'worrying' concerns about the data protection implications of FATCA".

The third part of the Mishcon “FATCA/AEOI Papers” references a 91-page-long report by Noseda that addresses the privacy and data protection issues of the Common Reporting Standard, as well as of new beneficial ownership registers in a growing number of countries.

“Disparities and inconsistencies” cited

One point Noseda stresses is the difference between what EU officials say they have done, and mean to do, and have publicly stated that they believe with respect to securing European citizens’ personal data, and what they actually have done, and said in private correspondence. “These disparities and inconsistencies are all the more worthy of examination, given the amount of data that is now being exchanged globally under automatic exchange of information agreements,” Noseda says.

“According to the OECD, data on 47 million financial accounts was exchanged in 2018, with a total value of around €4.9trn. To give an idea of the scale of this number, the recently announced U.S. stimulus package known as the CARES Act, said to be the largest such bailout in history US$2trn, is less than half this amount.”

Below, a table compiled by FATCA complainant "Jenny" that shows some of the discrepancies between what Noseda’s research has shown the European Commission to have said publicly on five aspects of FATCA, and what he says his correspondence has actually revealed.

EC claims vrs Mishcon correspondence
































Source: “Jenny”, anti-FATCA data misuse complainant