updated 2:28 PM CEST, May 24, 2023

Switzerland suspends automatic exchange of info with Bulgaria in wake of data leak

Switzerland's Federal Council has announced that it has "decided to immediately suspend the automatic exchange of financial account information (AEOI) with Bulgaria" due to what it called "a problem with the country's data security" – a reference to the revelation earlier this year that the personal data of some 5 million Bulgarian and foreign taxpayers had been hacked from the Bulgarian National Revenue Agency.

The announcement, which was made last month in a statement but which came to the attention of the American Expat Financial News Journal only now, will be seen as significant to those who are concerned that the Common Reporting Standard and its American predecessor program (which is still in force and affects Americans with non-U.S. financial accounts), the Foreign Account Tax Compliance Act, represent a major security risk for those individuals whose information is gathered and disseminated globally as a function of both schemes.

In a statement on its website dated Sept. 20, Switzerland's Federal Council said that, in accordance with the Federal Act on the International Automatic Exchange of Information on Tax Matters (AEIA), it had had to "formally approve the suspension of the exchange of data with Bulgaria."

It added: "The Federal Tax Administration will therefore not provide the Bulgarian tax authorities with 2018 financial account data supplied to it by the Swiss financial institutions at the end of September 2019.

"Bulgaria will only receive information from its AEOI partners again once the data security problem has been resolved and the corrective measures taken have been validated by the Global Forum on Transparency and Exchange of Information for Tax Purposes."

As reported by The New York Times and other media organizations in July, Bulgaria’s national tax agency was the subject of a major “hack” that saw the names, addresses, incomes and social security information of as many as 5 million Bulgarians and foreign residents stolen – even though the country only has around 7 million people.

The incident was seen, the NYT report noted, as a measure of “the vulnerability of vast troves of digitized information” that now exists.

"Regardless of who perpetrated the hack, experts said the breach highlighted the ever-growing danger faced by both governments and their citizens in an increasingly digitized world,” the NYT report added.

It said the breach had been the largest theft of personal data ever reported in the Balkans, but that it was nevertheless “just the latest in a series of attacks that have exposed how much data remains insecure online despite a series of recent high-profile thefts.”

A 20-year-old computer programmer was reportedly arrested. 

Relevance to planned FATCA lawsuits in UK

The Swiss Federal Council's decision is likely to be seen as relevant in particular to a planned legal challenge to FATCA in the UK. 

In September, Mishcon de Reya partner Filippo Noseda specifically mentioned "the recent hacking of the tax data of the entire population of an EU member state [Bulgaria]" in discussing the approach his firm intended to take in challenging FATCA in the UK, "on the basis that [the UK's] implementation [of FATCA]" breached the EU General Data Protection Regulation as well as "individuals' fundamental rights enshrined in EU and UK legislation."

The case, as reported, is being brought by an American named "Jenny" who came to the UK 19 years ago, and who is in the process of raising the money she'll need to pursue her claim by means of a crowdfunding website. 

Jenny plans to will allege that by forwarding her data to the IRS, the UK's HM Revenue & Customs is breaching her data protection and privacy rights.

"The implementation of FATCA in the UK was rushed through against the advice of the European data protection authorities and even concerns raised by the European Commission," Noseda, a privacy and data-protection law specialist, said in a statement, when news of the proposed FATCA challenge was announced.

Noseda added that the "reverberations beyond the EU's borders" of the Bulgaria data-hacking case, "and the OECD's admission that the data stolen included data transferred between tax authorities under a system derived from FATCA [the Common Reporting Standard]" both showed "the importance of raising these issues."