In 2014, the Organization for Economic Co-operation and Development (OECD) established the Common Reporting Standard (CRS), laying the groundwork for a new global network of tax reporting. The CRS calls on the tax authorities of participating countries to obtain information from their financial institutions and automatically exchange that information with other countries on an annual basis. The purpose of the CRS is to combat international tax evasion. There are now more than 1,300 bilateral relationships in place across 101 jurisdictions committed to exchanging information in 2017 and 2018.

This comprehensive cross-border transfer of sensitive financial data between jurisdictions raises important privacy and data protection concerns. However, automatic exchange is subject to a privacy model imposed by the CRS, which cultivates the extraterritorial reach of privacy laws in an increasingly global market for data.

Driving Up Global Privacy Protection

The CRS imposes privacy and data protection obligations on every tax authority that participates in automatic exchange. Tax authorities are required to safeguard financial data, limit their use of data to prescribed purposes, and disclose any breaches of confidentiality.

When a jurisdiction receives financial data through automatic exchange, the CRS generally requires that the recipient protect that information in the same manner as it would be protected under the sending jurisdiction’s own domestic privacy laws. Furthermore, a jurisdiction sending data can require that the recipient implement additional safeguards for the information. Additional safeguards might be imposed where, for example, the domestic privacy laws of the recipient jurisdiction are relatively weak in comparison to those of the sender. Jurisdictions with robust privacy and data protection regimes (such as the European Union, especially under the General Data Protection Regulation) can require jurisdictions with limited protection to raise their standards, thereby driving up global privacy protection.

Room to Expand the Use of Data Beyond Its Intended Purpose

The general rule under the CRS is that financial data received by a jurisdiction through automatic exchange can only be disclosed to, and used by, authorities concerned with the enforcement of taxes. However, information may be used for other purposes where such use is permitted by the laws of the sending jurisdiction and is authorized by the sender. What this means is that the use of financial data can potentially be expanded beyond its intended purpose of combatting tax evasion. Under certain circumstances financial data can be transferred to third parties or shared with other law enforcement agencies and judicial authorities. It is worth noting, however, that the CRS does not dispense with the fundamental requirements for knowledge and consent as they exist in the domestic privacy laws of many jurisdictions.

For Compliance Purposes, the CRS is Just a Bigger FATCA

A failure to comply with the privacy and data protection requirements of the CRS is grounds for suspending the exchange of information. But when it comes to compliance, it is worth noting that the CRS is essentially a bigger FATCA. In the words of the OECD itself, jurisdictions that have had to consider confidentiality and safeguarding data in relation to their implementation of data sharing obligations resulting from the US Foreign Account Tax Compliance Act (FATCA) will be well placed when it comes to ensuring that equivalent arrangements apply with respect to data collected and exchanged under the CRS.