The United Kingdom's Information Commissioner’s Office (ICO) has decided not to uphold a closely-watched, crowd-funded complaint over data protection violations that a U.S.-born, UK-resident complainant alleges have resulted from the way HMRC has forwarded her personal information to the U.S., in compliance with that country’s FATCA legislation.
The decision, which finally was handed down on May 29, more than six months after the complaint was filed, will have been met with disappointment by Jenny's hundreds of supporters, many of whom contributed generously to her crowd-funding pot.
As of this week, the 452 pledges Jenny has received totaled £81,698, which Jenny told her CrowdJustice.co.uk supporters on Tuesday was "68% of our stretch target of £120,000".
As reported here last month, lawyers for “Jenny” – as the complainant in the case is known, to her supporters and the press – had been preparing themselves, and their client, for an unsatisfactory outcome, citing suspicions that the ICO would allow “policy concerns”, alongside such political considerations as the importance to the UK of maintaining good relations with the U.S., to be taken into account when it issued its decision in the politically-sensitive matter.
In her complaint, Jenny, who came to the UK around 20 years ago, and who has been a British citizen since 2010, argued that by providing her personal financial information to the U.S. tax authorities in compliance with the U.S. tax evasion law known as FATCA, HM Revenue & Customs had violated her fundamental rights to data protection and privacy, as set out by the EU’s General Data Protection Regulation (GDPR).
The case was said at the time it was filed, last September, to represent the first legal challenge to FATCA to be brought in Europe since the GDPR came into force in 2018.
In a statement today, Jenny said that while she and her legal team believe that there are very strong legal arguments to justify appealing the decision, this would require significant further funding that might not be easy to obtain.
In practice, therefore, whether Jenny's case will go to court will depend on the existence of significant ongoing public support.
In the meantime, Jenny said the decision represented "a very sad day for data protection and Accidental Americans" . ('Accidental Americans' are individuals who are citizens of other countries and who identify as such, but who, usually due to the fact they were born in the U.S., are deemed by the U.S. to be American citizens.)
Jenny added: “We now have less than three months in which to appeal the decision.
“As I said in my crowdfunding page, a case of this complexity is likely to cost several hundred thousand pounds to see through, and while the early response to it was overwhelming, the funds are insufficient as they stand right now to enable me to bring an appeal.
"I would therefore urge any interested party to consider making a contribution to my CrowdJustice page.”
HMRC ‘not obliged
to consider lawfulness’
The ICO doesn’t make copies of its decisions involving individual complainants available to the public, and thus far, Mishcon de Reya hasn’t published the decision in Jenny’s case either.
However, a spokesperson for the law firm did say note that, in relation to the compatibility of FATCA itself with the European Convention on Human Rights (ECHR) or the Charter of Fundamental Rights of the European Union (the charter), the ICO in its decision had said that “HMRC is not obliged to consider the lawfulness of the FATCA Legal Framework itself, and so that particular issue falls outside the scope of the ICO’s consideration of the complaint”.
The spokesperson added that with respect to the GDPR compatibility of HMRC’s practice of sharing Jenny’s personal data with U.S. officials, the ICO had referred to a French decision from 2019 in a case brought by the Accidental Americans Association.
In that 2019 case, the ICO had noted, the French Conseil d’Etat had found that appropriate safeguards were in place. (Accidentels' reel but vow to fight on, as France's Conseil d'Etat rules in support of current FATCA regime.)
Thus, in making its decision with respect to Jenny's complaint, the ICO noted that “while the FATCA legal framework does not rise to the gold standard set out in the EDPB guidelines, we are of the opinion that it does fall on the spectrum of compliance provided for by those guidelines.”
The Mishcon de Reya spokesperson said the ICO then went on to say that “When the US-UK IGA [Intergovernmental Agreement, which sets out the way HMRC complies with FATCA] is next reviewed, we recommend that the parties take into account at an early stage [any] applicable guidelines”.
The spokesperson said the ICO then concluded by noting that “Although HMRC may not have complied with all of its data protection obligations, having taken into account the circumstances of this case, we do not consider that it is necessary and proportionate to take any further regulatory action.”
‘A cause of grave concern’
Filippo Noseda, the Mishcon de Reya partner who has overseen Jenny’s ICO complaint, said in a statement today that the fact that the ICO had “refused to consider the compatibility of FATCA with the European Convention on Human Rights, and the EU Charter, is a cause of grave concern”.
Noseda, pictured left, who is an expert on data protection and privacy law, added: “In the past, several European data protection authorities, including the EU watchdog [European Data Protection Board, formerly the Working Party Article 29] have brought together representatives of all EU national authorities – thus, including the ICO – and raised serious concerns about the risks to individuals’ fundamental rights that were then increasingly emerging as a result of new systems of automatic information exchange."
Next stop Austria…
In a related development, Mishcon de Reya this week filed an administrative appeal against Austria’s data protection authorities in relation to the Common Reporting Standard (CRS), a global system of automatic exchange of information that began to be introduced around 2014 by the Organisation for Economic Cooperation and Development.
The CRS is well known for having been modeled on the U.S.’s FATCA, and like it, was conceived in the wake of the 2008 global financial crisis and a number of high-profile tax evasion cases that followed the leak of bank account details in such jurisdictions as Switzerland.
The Austrian case involves an Austrian citizen who happens to have a small bank account in Germany (€40). According to Mishcon de Reya, the claimant in this case believes that the way Austria processes and transfers his most sensitive personal and financial data across borders, in complying with the CRS, exposes him to unnecessary and disproportionate data protection and data security risks – the same argument advanced by Jenny, in her complaint against HMRC.
Although more than 100 countries have now signed up to participate in the CRS, which began coming into force in 2017, one of the few that have not is the U.S., which has said it doesn't need to because it already has FATCA.
- Questions being asked of EU officials about continued silence over FATCA's GDPR compatibility concerns
- Dutch news website picks up on anti-FATCA feeling in Europe
- Dems Abroad TTF in move to open door to discussions on FATCA's future
- ACA: 'TIGTA report on FATCA is further proof that Congressional hearings are needed now'
- U.S. TIGTA report finds 'actions needed' to fix FATCA compliance