Back to top

Transparency & Data Protection: Is the Pendulum About to Swing Back?

Transparency & Data Protection: Is the Pendulum About to Swing Back?

Find here the full transcript for Filippo Noseda's presentation during #TLTaxCon19 in Barcelona. Definitely worth a look if you're in favor of stringent data protection. Enjoy.

I'm supposed to talk to you about and it's a delight to talk to you about transparency. We all have got experience and knowledge and advise clients on the CRS (CRS) and on FATCA. And now if you are in the European Union, we're looking forward to what? CRS, that we've got but something new, exciting, and not exciting at all, even more. DAC6 and also the beneficial ownership registers. Yeah, it's all this wonderful transparency. Do we love transparency? No.

So, what is important, and leading actually to legal challenges against CRS and FATCA, and about to start one against the registers, which we are planning in Luxembourg because it's the first country that is going to bring in registers. But before we can say, you know, let's fight against it, we need to understand a few things. For example, what is the fuss all about? How did we get here? What are the concerns? And once we laid out the concerns, how do we deal with them? Because we can all complain. I've been at so many conferences and, you know, we will complain and complain and complain but then my wife says, “Filippo, you complain but what are you going to do about it?” and I said, “Well, usually nothing, but this time I decided that enough is enough and we are doing something now here.”

Okay, we all know that under CRS and FATCA, a lot of very sensitive personal information, as well as financial information, are already exchanged between tax authorities. So, in terms of personal information, you have your name, you have your address, you have your date of birth, you have your place of birth. And if you stop there, just for a second, if that data gets stolen over the Internet, what happens? You’ve got identity theft.

And it's really key because on the 27th of July 2019, the whole of the tax system of Bulgaria, a European member state, got hacked and data of 5 million people got stolen. And I had to do a bit of research, because of the claim that I'm leading, and we found out that even data of Canadians were affected by the hacking, because, of course, you have Canadians with bank accounts in Bulgaria or Bulgarians with bank accounts in Canada and the data of all of them has been stolen. I wrote to the European Commission and to the OECD to ask that the CRS be suspended while an investigation was undergoing as to what happened, and the European Commission replied very politically saying, “We are following very carefully the developments and we are talking to our friends in Bulgaria,” i.e. we're not doing anything. In addition to that very personal information under CRS, the account number, the name of the bank, the balance that you've got on your bank accounts, and also how much money went in and went out of the bank accounts in a year in aggregate is also going to be exchanged.

My mind goes to, for example, Hong Kong. By the way, what kind of taxation system does Hong Kong have for individuals? Territorial. So if I have a bank account in, say, the UK, it doesn't matter. But imagine that I am a leader of the Hong Kong protest. And, for some reason, as a student, I lived in the UK for a few years and I have a small bank account that I left there with Barclays, and I have 2000 pounds on it because it's what, you know, I kept at that point. And now, people from all over the world, asked me if they could contribute to the campaign. And I say, well, I'm not going to ask them to send the money to Hong Kong, because otherwise it's going to be too tricky for me, but I've got a bank account in London and why don't you send money there. So the Hong Kong tax authorities in one year's time are going to get all of my details and they know that as a student or as a professor I earn, I don't know, $50-60,000 and, all of a sudden, they realize that I have a bank account in London with 200,000 pounds and 400,000 pounds that came in a year and 400,000 pounds that went out in the year. What happens to me in Hong Kong? Well, I'm, you know, called in for questions so it's very personal information.

Now, the current status, as we know, we got the 5th AML Directive. That is not about the CRS, it’s about the beneficial ownership registers. By the 10th of January 2020, all European member states have to have beneficial ownership registers which are public and which will recall the information of anyone owning directly or indirectly more than 25% of any European company. And it gets tricky when on top of your structure you have a trust or a foundation because then everyone and that trust or foundation owns more than 25% of a company, because then any participant in that trust or foundation is going to be seen as a owner of 25% of the company, so very extensive information and that information is going to be fully public. Luxembourg, what is one of the first countries to introduce a fully public register, the UK already has it. The Netherlands already has it, but Luxembourg is a big holding company platform and, therefore, the implication there is going to be big.

We also having the Crown Dependencies, i.e. Jersey, Guernsey and the Isle of Man that decided to follow suit in a couple of years. And on Thursday Bermuda announced that they're also going to have beneficial ownership register because they want to be at the forefront of the international community and so there is this cancer in my view that is spreading very widely. And if Bermuda and the Channel Islands are going to introduce registers, the likelihood is that the pressure is then going to be on other jurisdictions outside the EU to introduce registers; it’s going to become the new gold standards.

And in terms of CRS and FATCA, well, FATCA has been around since 2010 implemented in most countries in 2015 or 16, and the CRS has been in place now for a number of years. Last year, the European Union published a report, which confirms that in the first year of automatic exchange within the EU, there was an exchange in relation to 8.2 million accounts, those were all high value accounts, i.e. accounts with a balance of $1 million of equivalent or over for an amount of 2.9 trillion Euros. Now I'm a poor lawyer, I don't quite understand what a trillion is, I understand it’s a lot so I try to find some comparables. Does anyone know how much 3 trillion Euros is? Well, it’s the combined market capitalization of Microsoft, Apple and Amazon.

How big is the Norwegian sovereign fund? Big but not as big in terms of value of the information that was exchanged in the EU. The Norwegian sovereign fund, which Thomas very proudly will tell us is the biggest sovereign fund in the world, is worth $1 trillion. The biggest private bank in the world, which is Bank of America Merrill Lynch, has got under management $2.7 trillion. UBS, the biggest Swiss private bank, has got $2.3 trillion. So, effectively, what the EU did last year took effectively the whole database of UBS, put it on emails and sent it to 27 other countries. You can imagine the kind of information that we've got and the kind of risks that we have, and we're going to talk about the risks later, but this is where we are at the moment and nobody actually said anything. You know we complain about so many things nowadays, about hacking and whatnot but when the European Union said that effectively the whole database of UBS was put on emails and swapped between tax authorities, including the tax authorities in Bulgaria whose tax database was hacked, nobody said anything. We've been so beaten by the CRS and FATCA into submission; we simply accept it is part of life.

But how did we get here? I think it's quite fascinating to see how we got here. Well, we know how many countries are on CRS. But let's have a quick look at how we got here and this is sort of my mental scheme of how we got here, so let's go through it in the next five to six minutes.

Do you remember that under the article 26 of the OECD model countries used to exchange such information that was as foreseeably relevant for tax liability or for the implementation of a double tax treaty? It was not just about double tax treaties; countries could exchange information upon request or on demand or even spontaneously provided the information was foreseeably relevant for taxes. So, for example, if the tax authorities in the UK where I live found out that I had a bank account in Belgium, and that there was some income there that didn't appear in my bank account in the UK, then Belgium and the UK could exchange information. Now, if the UK tax authorities said, “Did Filippo buy his wonderful green shoes using his bank account in Belgium?” I would say that's not relevant and therefore I could go to Belgium and in effect have a bit of a court fight and stop that information and, what I could do, I could stop fishing expeditions.

So, in a way, Article 26 of the OECD model was consistent with the European rights of privacy because article 8 of the European Convention on Human Rights, and also article 5 of GDPR, says that anyone has got a fundamental right to privacy, however, that right is not absolute. The authorities can, of course, limit my right. For example, if I go to the airport with you know a hand in my jacket like that. A policeman can stop me and if I say sorry, it's my private life. What is it going to say? The policeman is going to say, “Sorry I'm allowed to look under your jacket.” Because I need three things. There is a law and you might have regulations in the airports. It's in pursuance of a public objective. Yes. What public objective would the police officer be pursuing if he or she wants to look under my jacket? Security, prevention of crime. Absolutely. Those are public objectives recognized under the European Convention of Human Rights. But also the request must be proportionate. It must be necessary to achieve the objective. So if he says can you take the hand out of your pocket? That's proportionate. If they say can I put a finger up your…maybe that's not proportionate. Okay, so it's all about proportionality and article 26 of the OECD model was proportionate, because if the information was not foreseeably relevant, then it will be disproportionate for a state to ask for information.

The problem with article 26 of the OECD model is that it didn't work. Why didn’t it work? Because big countries, private banking countries such as my country of origin, Switzerland, but also Austria and Luxembourg and Hong Kong and Singapore said information exchange on article 26 cannot trump banking secrecy and therefore effectively article 26 was dead in the water. But at least it was proportionate. And also that article 5 for the GDPR data can be processed to the extent that is necessary for the purpose for which the data is exchanged.

Now, what's happening on the 9th of September? Sorry. One thing. In 1998, the OECD was tasked to publish the first report on tax havens. You remember harmful tax competition? There was a report in 1998, there was a definition of what a tax haven is. The problem was that the American government didn't like the idea of the OECD report because it actually criticized tax competition, and the Americans said we actually love tax competition. In May 2001, then Secretary of the Treasury in the US, Paul O'Neill, said, we actually disown the OECD report because the US believes in tax competition.

But then something big happened, which was 9/11. And with 9/11, with the attacks, there was a shift of focus on the fight against terrorism. And what happened is that the US and European committee went back to the OECD. This time not to talk about tax competition but went to… Have you ever been to the OECD? Or do you know where the OECD is based in? Paris. Have you ever seen, can you Google up Château de la Muette? It’s so beautiful, it’s basically like a tiny Versailles and the OECD is housed there. Now, when all this stuff came out, I thought that I might need a new profession. So I said, “Well, why not join the OECD?” and I was, you know, looking around the website and, first of all, I found out that if you work for the OECD, your salary is taxed at how much? Zero. And then I thought, what about the FATF? You know if it sounds very ominous. If I go to a cinema and I say can I have the last ticket, I work for the FATF, surely enough they let me in. And I realized that the FATF, the GAFI, is actually part of the OECD and is housed in Château de la Muette. And the Secretary of the FATF is party to the OECD. So after 9/11, after the US said no to the OECD harmful tax competitions reports in May, and in September, the US went back to the OECD and said, “Let's actually fight money laundering and terrorism finance,” and the OECD said, “Yippee, we are back in business,” so for the next few years what the FATF did was to revamp the standards on money laundering and on beneficial ownership, all very relevant to what we are discussing today.

And then we had another big event that is relevant for our purposes, which are, of course, the banking scandals of the early noughties, so UBS, LGT, Credit Suisse. I don't know if you ever watched the Levin report with…? Do you remember, I forget his name, Birkenfeld, first name, the Swiss American banker who was arrested by the FBI, who then turns witness and explained how UBS would help the American clients take, for example, diamonds out of the country by stuffing them into toothpaste? Well, he got now a reward of $102 million, I believe. And as a direct result of that, the US release FATCA in 2010 because the US said we cannot trust Swiss banks or any bank to provide us with information. Therefore, we are going to require every bank who does business in the US to provide information to the US. So the focus now shifted back on taxpayers, from terrorism back to taxpayers, and the US introduced the idea of automatic exchange of information but very importantly based on US law. Effectively, we’re going to see an example later, what FATCA says, if you owe me tax, I want to know. But if you do not owe me tax, then I can't be bothered, do not send me the information and there is an example in relation to trust. But then it catches also passive companies because what the Americans found out is that Swiss bankers and others were helping Americans hide behind offshore companies trusts and foundations so what FATCA requires is to look behind so-called passive NFIs, passive non financial institutions, and you can see that that was then borrowed by the CRS, and then the onus on compliance was shifted onto the bank because the Americans said, “Look, we cannot yet invade Switzerland and Austria. We can invade Nicaragua and all the rest but you’re a bit far far away. So, if you want to do business with the US, we're going to levy a 30% withholding tax, unless you comply with these rules,” so the onus finally went from the tax authorities onto the banks.

There was another big event in 2009. Do you remember Lehman Brothers? Remember the credit crunch? It sounds like the Middle Ages but it's directly relevant to where we are today. And on the second of April 2009, the G20 assembled in London under Gordon Brown, and Gordon Brown was pilloried on TV because he went to Parliament—and I saw the clip yesterday, if you google Gordon Brown, saving the world, the clip comes out—and he said that through his economic stimulus agreed in London in 2009, he saved the world. And that's quite typical of a son of a priest, but there you go. And so one of the things that the G20 came out with was an idea that offshore finance was bad because effectively money would be kept in offshore centres and part of the liquidity crunch was down to them. So what the G20 did, they tasked the OECD to come up with a global system of information exchange, and that is in the communiqué of the London summit, it’s the first time that I see that word, so you can see where we went yet from the 1998 tax report into the GAFI or FATF and then back to a global system of information exchange.

Now if we look at the OECD CRS that was therefore developed from 2009 to effectively 2014, if you read the foreword of the commentary to the CRS, you see all the key dates. And by 2013, the CRS was effectively fully formed. And if you look at it, CRS is a mixture of FATCA, but also of the rules that the FATF developed following the terrorist attacks on the World Trade Centre. For example, all the jargon that we do not understand and we've struggled to explain to our clients, financial institution, financial accounts, all the custodial accounts, active and passive NFIs, equity interest in a trust or partnership. Those are all derived from FATCA; they’re copied. What you haven't got is an F. Because under FATCA, you had the US and everything else was foreign. So, a foreign institute, a bank was an FFI, a foreign financial institution, but if you are working in a global world, nobody's foreign anymore. So you drop the F, and you're talking about a financial institution based in country A with a taxpayer based in country B. But all the rest is FATCA.

But, also, what is borrowed from FATCA is the complexity, because Americans do not write laws very clearly. Oh, actually FATCA is very clear. You know how long FATCA is? It is five articles in the US tax code, but what makes FATCA phenomenally complex is the regulations issued by the Treasury. There are 300 pages of regulations and the CRS copies that model. So if you look at the commentary, you have 311 pages and, because the commentary is not clear, you have 121 pages of handbook, and because the handbook is not clear, and sometimes actually goes against the commentary, then you have a lot of FAQs that my son once was reading one of my conferences, “Dad, what is the FAQs?” and I said that it has nothing to do with fuck, it’s FAQ, but it's really impossible to understand. And so when you're advising clients, and you’re up against compliance officers in the bank or they do not understand what's going on, they’re just regurgitating all this stuff, and you keep on arguing.

But the CRS is not just FATCA. People say FATCA on testosterone. I call it like a Zika mosquito. It's like a mosquito; 99% of its DNA, it's a mosquito. But then you have a bit of a mutant gene that makes the mosquito deadly. And what makes the CRS deadly by comparison to FATCA is that, in relation to passive entities, i.e. to trust companies and foundations holding a bank account effectively, in order to look behind that structure, whereas FATCA says, “Tell me who is the US taxpayer,” the OECD borrowed the concept of controlling person that the FATF had for years developed or been developing for KYC for anti money laundering. Now, if you are a compliance officer, and your concern is to find Pablo Escobar and Pablo Escobar’s lawyer tells you, “Oh, yeah, Mr. Escobar is the founder of the foundation. But you know what, under Colombian law, he doesn't owe tax, and therefore you shouldn't get information about him.” Would the compliance officer care if his or her task is to fight money laundering? No, whereas FATCA and the CRS were introduced to fight tax evasion. So whether or not someone owes taxes or not should be relevant, but because the CRS borrows the very wide definition of controlling persons from the KYC AML world, now you have the Zika, which is a system that provides information for the sake information without any connection anymore with taxation.

And there is a particular interest, a particular example here that works out. I look at the CRS as if it was a tree, a tree is FATCA, and then you graft on your tree a branch from a different tree. You know when you have pear trees and you can put apples and then you know you have apples growing in a pear tree. And this is what the CRS does, it takes the FATCA tree and inserts, grafts this FATF branch and what you got, it’s quite dangerous, because if you look at the tree itself. Who's familiar with trusts? Pretty much everyone. Okay, in the US, like in the UK, if you create a trust, you create a trust as a settlor or a grantor, effectively you can never get rid of the assets for tax purposes, the assets are effectively always yours. And that's a provision of US domestic tax law. And, therefore, FATCA says, “So, if there is a trust with a Swiss bank, and the set law, the grantor is American, then we want to have information about him or her. We don't really want to have information about the beneficiaries.” So the bank, the rules, the regulations say it’s not required to treat any of its beneficiaries as substantial US owners. So you have FATCA straight on domestic tax law. If you do not owe tax, we don’t want to know.

What is the approach of the OECD in relation to trust? Well, it is the controlling person. The term controlling persons means the natural person who exercises control over an entity in accordance with the FATF recommendations, so very wide. Now, the CRS says, in the case of a trust and also in a foundation, such term means the set law, the trustee, the protector, the beneficiaries and any other natural person exercising ultimate effective control over the trust. Not terribly clear, very very wide. Then there was a discussion about what if a protector does not exercise control, what if a protector has a power of veto but not a power of interference? And so the OECD in the commentary, very helpfully says, “Well, the set law, the trustee, the protector and the beneficiaries must always be regarded as controlling persons, regardless of whether or not any of them exercises control over the trust.” It’s a bit like my wife, she's always right, even when she's not right. Yeah, but this is, you can see, the CRS is developed by a organization built on suspicion. This is AML stuff. Do not please try to be the clever lawyer with me in relation to, if you have a trust, everyone has to be a controlling person. It doesn't make sense. For me, the CRS is a mess.

So what are the data protection implications of the CRS? Well, as I was looking around for examples I found this one here on the 2nd of February of 2018, where seven Argentinian tax officers were arrested with $5 million in cash for selling data of Argentinian taxpayers to criminal gangs, and Argentina had just come out of a tax amnesty system so a lot of data was coming into the US, and all of a sudden these tax offices realize that Mr. Martinez over here is actually quite rich, so why don't I sell that data to gangs so they can do whatever they want with their children and whatnot. But also, as I started getting wound up by this, I started to talk to the industry. I talked to a professional body called STEP in the UK and elsewhere. I talked to banks, I talked to governments, especially offshore governments, and nobody wanted to do anything, “Well, Filippo, actually that's the way we have to be first in class, we have to introduce these rules.” So I looked on the Internet and actually I realized that out there were people that were really concerned about CRS and FATCA, but they we're not in our industry, they we're in the data protection world. So if you look at the European data protection supervisor, it was an Italian who unfortunately just passed away a couple of weeks ago. His opinion was required in relation to an agreement between the EU and Switzerland on effectively the extension of CRS to Switzerland between the EU and Swiss and he said, “The exchange of information on a certain number of accounts on an annual basis confirms our view that the information is independent of the detection of any actual risk of tax evasion, thus questioning the proportionality of the measure itself.” Remember, a measure is fine in terms of limiting the rights to privacy provided it is necessary to achieve the objective, and this is the top data protection guy in Europe who says, you know, there is no indicia required of tax evasion and, therefore, it is not proportionate.

There was another body called the WP29, it means Working Party Article 29. It was a working party set up by Article 29 of the old European Data Protection Directive before the GDPR came into effect. And that body, the WP 29, brought together all the heads of the National Data Protection bodies. So, for example, the UK information commissioner’s offices. The national data protection authorities, the ones who are in charge of supervising the implementation of the GDPR, they were all members of this WP29 and the task was to advise the European Union and the European Commission on data protection issues. And in relation to FATCA in 2012, they issued an opinion to say that we do not believe that the objectives of FATCA and the objectives of the then Data Protection Directive are reconcilable. And in relation to the CRS in 2016, that was in December, just before the CRS came into effect in Europe, they said, “The WP 29 wishes to reiterate its strong concerns regarding the repercussion on fundamental rights of mechanisms such as those entailed by the CRS, and we had additional concerns in relation to the security of massive automatic data processing, because of recent reports of hacking.” And since then we have more hacking and in particular the Bulgarian tax hack. And not only, but last year, the Washington Post reported that the US Comptroller of Tax, one of the heads of the IRS went before Congress, and he said that there are systems of the IT of the IRS that date back to the 1960s. And there are many areas of the IRS database with software that are two to three versions out of date, but it's clear because especially under Republicans spending goes down and therefore they do not have money. So, the European data protection authorities, they realized the big concern and they issued a big warning.

Now, it's not just the data protection authorities, the European Court of Justice started weighing in. Now, as we said, the CRS was developed between 2009 and 2013 if you look at the foreword. What happened in a hotel room in Hong Kong in April 2013? There was an interview with a guy called Snowden, yeah. On the 5th or 6th of April of 2013, Snowden came out and said, “Do you remember the attacks on the World Trade Centers, the one that effectively gave the FATF a new mandate to find out who is behind structures? Well, this is what is happening.” And there was a guy called Maximilian Schrems, a young student, I believe 23-year-old Austrian student, who was a Facebook user. And he said, “Hold on a second? When I write a post about my girlfriend on Facebook, say, I love my girlfriend, tomorrow is our second anniversary, poof, I receive a commercial of, say, flowers,” and he says the way it works is that my data is picked up by Facebook, it's sent via Ireland to the US, it’s unpacked, love boy girl, flowers, sent back, and then I get my flowers and I know he said, because of Snowden, that my data can be picked up by the NSA. So he brought a claim against Facebook in Ireland, Facebook said, “Look, we can't do anything about that,” the European government said, “Who cares about you and your girlfriend, we are after terrorists.”

But the European Court of Justice said, “It doesn't matter, privacy means privacy because if you have a system where the authority can at anytime come and spy on you effectively, you haven't got a democratic state anymore.” And this is what the European Court of Justice said in relation to Facebook. And, in particular, an agreement dating back to 2000 between the US and the EU that effectively allowed EU companies to send data back to the US. Do you remember in 2000 what browser you used? Google. Not really. Explorer, maybe. What email account might you have had in 2000? Hotmail, Yahoo. And what happened when you try to go online in 2000? Do you remember dial up? Yeah, it was that kind of crap and if you want to see a picture how long did it take you to load the picture? Two minutes and you saw the forehead. If you had a guy like me you saw a lot of skin before you saw the rest of the face. But in those days, the data technology firms were really just in the US, and data had to be transferred over to the US, you didn't have servers in Ireland and the Channel Islands for tax. Now you got all permanent establishments. So, in 2000, the EU already had a Data Protection Directive, the US hadn't, but the EU and the US struck an agreement called the Safe Harbor agreement, under which the EU said, “If US companies treat data of European citizens in the same way they would if they were in Europe by way of self-certification, then there is a system of equivalency.” And what Schrems said, “Bollocks, because I know that as soon as the information gets to the US, either the NSA steals it or I know by reading the news that people like Facebook give the data to the American authorities, or they allow some kind of backdoors for the Americans to come in and constitutional rights in the US are only enjoyed by US citizens.” So he went to the European Court of Justice, a 23-year-old guy, and the European Court of Justice said you are absolutely right. Legislation permitting the public authorities, this is the European Court of Justice, to access on a generalized basis to the content of electronic communication must be regarded as compromising the essence of the fundamental right to respect of private life. And then they say legislation that authorizes storage of all the personal data on a generalized basis, without any differentiation, limitation or exception is not limited to what is strictly necessary.

Now this has nothing to do with a CRS. But if you apply to CRS, does CRS allow for any opt out? Can you go to the bank and say, “Dear bank, I live in Malta, and I have a bank account in Lebanon. I’m concerned that the Lebanese tax authorities might not deal with my data properly, and therefore, dear bank in Lebanon, the account here at the bank in Lebanon is declared in my tax return with a signature and the print and actually a receipt.” What does the bank in Lebanon say? “I don't care, I must declare the information.” What if you come with an opinion that says I am a beneficiary and like in America I'm not taxed until and unless I receive distributions? What does the bank say? I don't care. So we wrote to the UK tax authorities and they said to us that it doesn't matter because to allow people to come with excuses would perpetuate tax evasion and also would become very costly so it's a question of cost of implementation. But this runs against the principles of data protection as they've been outlined, stressed upon and decided by the European Court of Justice and the data protection authorities. So, as a result of that, there was this huge disconnect between the tax world over here and of the finance industry over here, which actually say we must have more transparency, and, unless we have more transparency, we are not a good country. So if you look at Bermuda’s announcement on the beneficial ownership registers, they said, two days ago, “We are the forefront…” Forefront of what? Forefront of trampling upon human rights, it doesn't matter. In the finance and banking and tax world, transparency in DAC6 and BO registers is the way forward. But, over here, the courts and the data protection authorities said we have real concerns.

So, you know, there were two different worlds. So what I started doing in 2015, I started writing. So I wrote letters and wrote articles, but you know what happens to an article when you publish it, it just goes into, you know some spam box of friends. Then I started writing letters so I managed to get letters published in the Financial Times and in the Economist. I realized that I was not making much headway, there was nothing happening apart from me getting frustrated and my wife saying “Oh Christ, not another letter.” And so I actually picked up the telephone and I rang the European data protection authorities, and I said, “Look, I am someone who deals with this part of the law, you deal with this part of the law, and I've been very impressed by the way you've been dealing with this.”

Now, it's a bit like an elephant. CRS is about tax. But you're not tax experts. But when you see an elephant, even if you're not an expert, you realize a few things. What do you realize when you see an elephant? It's huge. It's an elephant. Yeah, it's heavy. And what happens when it moves? It's dangerous and it creates damage. I said, “Look, I'm a vet.” This is what I said to the chairman of the European data protection authority. “I can tell you exactly as a vet how this elephant eats the information, digests the information—passive, active, NFIs, the rest of it—and in particular how it poops the information, i.e. what information really is then exchanged with the authorities. And when you analyze the poo, I can tell you scientifically that it confirms the principles that you've been worried about,” and he said, “Oh, I like that one. Why don’t you come and testify before us?” So in 2016, I went before the Council of Europe and before the WP 29, and I came up as a tax lawyer thinking they're going to shoot at me because they were the data protection authority but they were very much sympathetic and the chair of one of the two groups told me we've been trying to talk to the OECD for years, and for years they've ignored us, and as a result of that, they wrote then the letter on the 12th of December 2016 were they said we are very concerned. But look, the reality is that what happened is that I went there and was very happy and whatnot. But what changed? Nothing.

So if nothing changes, well, I made another effort. We wrote as a firm a report, if you go to the firm, you can download the 90-page reports on what we've just been talking about in the last 43 minutes. All of that but, again, it didn't make any difference. I also wrote to the OECD and nobody really replied. So I made another effort, so another, you know, letter to the Financial Times, greatest threats to our personal data since Orwell wrote 1984. At least, it meant that the public opinion, if they published the letter, it means that they sort of get it. If they thought he was just a right wing, you know, fanatic, and you just want to go back to tax evasion and banking secrecy, they will not do that. But if you raise a proper concern it’s interesting that newspapers, you know, can publish or not, they do. And so I said as a lawyer at the end of the day, I can either talk at conferences, I can write articles or what can I do, I can bloody sue.

And so I decided that that is the way forward. So for FATCA, I'm representing Jenny. Jenny is a wonderful woman. She was born in the US. She's 42. When she was 22 years old, she moved to the UK, right after college to study at university. She married a Brit. She lives in the north of England. She is a research assistant for her local university and she earns not very much working at university. And in 2016 she got a letter from a local bank 500 meters from where she lives, saying that we believe that you might owe US tax, and we're going to send you information to the IRS. And she freaked out. She said, “Why do I owe tax to the Americans?” Well, because of your nationality. She didn't know about that. So she started Googling and she saw UBS and people going to jail and she freaked out. And so she did a voluntary disclosure, whereby she filed four tax returns, old tax returns. And at the end of that she spent 10% of her income to do that and every tax returns said that she owed how much? Nothing because under US law if you are an American but live outside of the US, you can earn up to $104,000, and not owe any US tax. That measure was actually introduced in 1981 to encourage Americans to go and live abroad because at the time the US had an economic crisis and they wanted Americans to live abroad. So Jenny said, “Hold on a second here. I do not owe any tax, I spent 10% of my income to pay for a stupid accountant to do a tax return that says zero, my information is taken from my bank 500 meters from where I live, it’s sent to HMRC where they might lose the information, it’s then sent across to the IRS where they might lose information. For what?” And she said that that is disproportionate and I said, “Yes, Jenny, absolutely right.” So we wrote a letter before action to the UK tax authorities and then we did a lot of PR because we need a lot of PR because we haven't got a lot of friends. So that's the Financial Times talking about the case. In September, the woman known only as Jenny on the crowdfunding site is raising money arguing that the process puts her at the risk of hacking. We managed to get it published by The Guardian. The Guardian is a left wing newspaper and they actually were very sympathetic. And this is about law firm Mishcon de Reya that’s taken the case for the client. Her issue is with the disproportionality of the rules and The Guardian says, yeah, you’re right. And the Economist, I look back at their library, in 2014, so before FATCA really came into effect, they wrote this leading piece saying that FATCA is heavy-handed, inequitable and hypocritical. But then nothing happened. And right now in October, they run again a nice article about our case.

So, here we are making headways. How can you help? Would you like to help? Sure, yes? Do we like CRS and FATCA? No. Can we moan about it or can we do something positive about it? Well, I've decided for the last five years to do something positive. Well, I decided that words are cheap and facts or deeds are everything; you can complain as much as you want and I got very dissatisfied also with my professional bodies, they're all going to conferences, they locked themselves behind closed doors, they have these rounds and say this is all unconstitutional. So what are we doing? Well, can I ask you if there is any connection, take out your telephones, please, can you Google for me FATCA and Crowd Justice? Now what Jenny has done, Jenny earns nothing, and to take on the government in the UK it’s going to require a lot of money. Also under UK procedural law, if you lose, you have to pay the costs of the other side. Now if we take on the UK government on behalf of Jenny on a matter that entails, you’ve seen how complex the issue is—EU law, constitutional law, privacy law, tax law, the GDPR—and we lose, which we might, because I think that technically—slam dunk, very easy—but politically it’s 50-50 chance that we're going to win. Jenny might go bankrupt. And so she has launched a campaign and in 30 days she has raised not much, but it's a lot. 57,000 pounds from 222 people and if you look at the comments, it’s beautiful, you have people who gave 10 pounds with nice comments and that is a clear signal that when the authorities are going to say Mr. Noseda you are trying to fight the fight against tax evasion we say, “No, actually, we are representing someone who has a lots of sympathy and a lot of friends.” So if you want and I would encourage you, although I believe professional conduct rules do not allow us to do a proper commercial, but if in your free time you want to donate 20 euros, 20 pounds, and I'm going actually to check tomorrow if it's still at 57,250, in other words I will come and talk to you. Please do because it is really the only case running against FATCA at the moment. We're also running the case against the CRS and it's a way of bringing the concerns to the fore.

Now you might say, “Filippo, but you know it is not going to change much and you know as the newspapers have shown the public opinion, the pendulum is now swinging back. People are agreeing with you that FATCA and CRS, and the beneficial ownership registers raise significant concerns.” I don't believe so because if you look at how the Guardian, the same newspaper that picked up the story of Jenny, now titled an article last year when we took on the CRS. Look at the title, “Mishcon de Reya, my firm, complains about anti tax evasion measures.” Now what does the headline tell you? Yeah, Mishcon de Reya is full of dodgy clients, and he's trying to come up with an excuse based on data protection to fight CRS. And the same Guardian now sort of changed the view. It might help that FATCA is about the US, and not a lot of left wing people like the US, it’s that simple, it’s that stupid. But in relation to CRS last year, I was someone who was trying to protect dodgy affairs. The Economist, who wrote a very good piece about FATCA two years ago, ran a title about the holdout, about the Bahamas—okay, the Bahamas perhaps is not the most compliant of jurisdictions—but they said, the Bahamas justifies its resistance to CRS. What Bahamas wanted to do, the Bahamas got a lot of business with Latin America, they said that instead of having a global CRS we would like to go into a bilateral agreement system, and check whether the other country has got measures for privacy, corruption and all the rest of it, and the Economist said that there were excuses. Yeah. This looks like an excuse to drag its feet, so I wrote my letter to the editor, which was published. And I said, “Look, there are actually real concerns, and that was in October, 2016.” And then in December, The Economist did sort of change its view and said, “Arguments will grow whether fighting financial crime undermines the right to privacy, there are worries that governments have allowed the pendulum to swing too much in their rush to snuff out secrecy trampling down the legitimate right to privacy.” So it requires a lot of convincing to do, and look at what the same article said in 2016, relying on open registers could make things worse. So my conclusion and I’m up to my 50 minutes, is that FATCA, CRS and the beneficial ownership registers and, of course, DAC6 as well, raise fundamental issues in relation to data privacy and data protection and data security.

The other point is that nobody out there listens, unless you bring the debate out there, and Jenny is our bridgehead for debate because we believe that if we manage to bring a claim, the debate is going to come out there. And it’s not really relevant whether we're going to win or not. I think that what we need is for the debate to happen. Has the pendulum swung too much? Yes. You bet so. Thank you very much.