HM Revenue & Customs (HMRC) is facing a claim at the high court over alleged breaches of the EU’s data protection legislation due to its cooperation with the US Foreign Account Tax Compliance Act (Fatca).
This is the second time the taxman has been legally challenged on such grounds and by the same claimant, a dual British-US citizen known as ‘Jenny’.
Her legal representatives from law firm Mishcon de Reya filed the claim on 27 October 2021.
The challenge states that the sharing of Jenny’s personal information with the US tax authorities was done without her consent – as data privacy regulations set out – and that this has caused her “personal damage and stress”.
The matter is being brought as a breach of EU rules because, when the information sharing exercise happened, the UK was still part of the European Union and, as such, subject to the bloc’s regulation, according to the law firm.
Filippo Noseda, Jenny’s representative at Mishcon de Reya, said: “Jenny’s claim is symptomatic of the steady erosion of individuals’ data-privacy rights by governments.”
Timeline
Jenny first sued HMRC in 2019 because, even though Fatca requires US citizens and their foreign financial institutions to report data to the Internal Revenue Service (IRS) for tax purposes, the General Data Protection Regulation (GDPR) of 2018 requires people to give consent on whether they want their personal information shared.
She claimed that she was never asked and that any transfer of data could put her at risk of identity fraud.
The case was then brought before the Information Commissioner’s Office (ICO) in 2020, which sided with the UK taxman saying that it “complied with its data protection obligations in transferring [Jenny’s] personal data to the IRS”.
There was, however, one exception. HMRC failed to comply with “transparency obligations”.
Despite this, the ICO ruled that it did not consider it “necessary and proportionate to take any further regulatory action”.
Changes
What does this mean for Jenny the second time around?
Since the ICO ruling, there has been a landmark case at the EU Court of Justice.
Also known as ‘Schrems II’, the European court found that the 2016 EU-US Privacy Shield arrangement – a self-certification by US firms stating that personal data received from the EU would follow GDPR rules – was not valid under EU law.
Max Schrems’ case was against Facebook in Ireland and the sharing of information with the United States, but the ruling in his favour also meant that any issues related to Fatca could be revisited in relevant courts.
Noseda said: “In that case, the Court of Justice of the European Union held that US data protection rules are not essentially equivalent to those required under EU law.
“Jenny’s claim is a reminder that individuals’ data protection rights are relevant in the context of e-commerce, as well as data processing by governments.”
Jenny told International Adviser: “Getting to this stage has been very difficult and I am deeply grateful for the support that this legal challenge has received from hundreds of people around the world.”