The Article 29 Working Party ("WP29") has published a statement addressed to national governments and EU institutions, with the aim of examining the new trends at European and international level which are intending to introduce mechanisms for the automatic inter-state exchanges of personal data for tax purposes and their impact on privacy and data protection.
The statement points out three key messages on this issue:
- The automatic exchange of personal data for tax purposes should meet data protection requirements. In order to ensure that the legitimate aim of preventing tax evasion is carried out with due respect for fundamental rights, any system of exchange of data, especially when it is based on automatic exchange of personal data related to a large number of individuals, should meet data protection standards, in particular the principles of purpose limitation and necessity.
As stated by the ECJ decision (8 April 2014 of the Grand Chamber) on data retention, the WP29 considers that in order not to violate the proportionality principle, it is necessary to demonstrably prove the necessity of the foreseen processing and that the required data are the minimum necessary for attaining the stated purpose and, thus, avoid an indiscriminate, massive collection and transfer.
- Member States that roll out the model of automatic massive storage and then forward this data for tax purposes should be aware that they may incur increased (security) risks and liability under EU data protection laws. The WP29 declares that, in order to respond to those increased risks and responsibilities, member States may imply adequate substantive measures in its national laws and bilateral/multilateral agreements. Moreover, the WP29 recommends a dialogue with the national DPAs to minimize risks.
- The WP29 confirms its approach on providing additional guidance to increase data protection safeguards in this area. The WP29 confirms its openness to discuss with the Commission in the coming months the different techniques to obtain more consistency at EU level in order to limit the data protection liability risk of the member states tax authorities and to facilitate a more consistent approach on data protection within the EU.
For the full statement, please click here