Confidential and secure handling as pillars of the Automatic Financial Account Information Exchange (AFEI): the first judicial precedents.

  • Introduction

In the current world scenario, international tax transparency has emerged as a cardinal tool to reduce information asymmetry and thus “level the playing field”.

In this new paradigm, global standards were agreed upon, one of which is the automatic exchange of financial information (AEFI) through the “Common Reporting Standard” (CRS), developed by the OECD with the political support of the G-20.

However, the effectiveness and legitimacy of this exchange rest intrinsically on the confidentiality and secure handling of the information exchanged between jurisdictions.

Trust between participating jurisdictions and respect for taxpayers’ rights depend directly on the robustness of the confidentiality and security measures implemented. Without strong safeguards in this area, AEI could be perceived as a threat to privacy, undermining its purpose and generating resistance.

The first judicial precedents at the international level, emanating from the Swiss courts, emphasize several crucial aspects related to these issues for the correct implementation of the AEI, in line with the CRS.

 

  • The importance of confidentiality and data protection in the CRS.

Both the Model Competent Authority Agreement and the Commentaries to the CRS detail a number of essential requirements that jurisdictions must meet:

Solid legal framework: one that ensures the confidentiality of the information exchanged and limits its use to the purposes provided for in the applicable information exchange instrument, such as the Convention on Mutual Administrative Assistance in Tax Matters. The national legislation of each jurisdiction should provide for significant penalties for the disclosure or misuse of the information.

Information security management systems: tax administrations (TAs) should develop practices and procedures to ensure that the information exchanged is used exclusively for tax (or other legally mandated) purposes and that its transfer to unauthorized persons or authorities is prevented. This includes aspects such as background checks of personnel with access to the information, employment contracts that include confidentiality clauses, and security training and awareness programs. Physical security measures should also be implemented to restrict access to the facilities where the information is stored.

Controlled and encrypted access: Policies and procedures should be in place to limit system access to authorized users and to protect data during transmission, reception and storage. Security and encryption requirements should be clearly defined for the transmission and reception of confidential data.

System and information integrity: it is crucial to have procedures in place to identify, report and correct faults in the information system in a timely manner.

Risk evaluation: risk assessments should be conducted of potential unauthorized access to the information and of the damage that could be caused by its improper use or disclosure.

Specific protection of exchanged data: procedures must be implemented to ensure that exchanged files are protected and clearly labeled. Policies should also be established for the proper disposal of information.

Compliance monitoring and sanctions: It is essential to have a mechanism for monitoring compliance with confidentiality rules and effective sanctions in case of violation. The TAs must be able to ensure that the information exchanged is used strictly for the purposes stipulated in the agreement.

Notification of non-compliance: each Competent Authority must immediately notify the other of any breach of the confidentiality obligation or failure of safeguards.

 

  • Swiss jurisprudence and data protection in automatic data interchange.

The judgment of the Swiss Federal Court 2C_946/2021 of 6/06/2023 resolved an appeal related to the automatic transmission of information to the Tax Administration in Switzerland, concerning the assets of a trust and the identity of settlors residing in another country. The appellants requested the suspension of this transmission, which was rejected.

The appellants alleged the absence of the rule of law in that other country, which put their data and personal security at risk. They also referred to a “technical error” in a previous exchange of information. The prosecuting authority rejected the request, arguing that there were no concrete elements to fear unreasonable prejudice. It pointed out that this jurisdiction had been positively evaluated in terms of data protection by international organizations.

The Federal Court dismissed the appeal and confirmed that the “unreasonable prejudice” clause is interpreted as a threat to Swiss public policy. The appellants did not demonstrate in a sufficiently precise and credible manner a concrete risk of violation of such public order. The court also recalled that other legal mechanisms exist in Switzerland to protect the rights of individuals affected by the AEI, such as the right to be informed and to request rectification of inaccurate data.

The Swiss judiciary has been a pioneer in addressing the question of the compatibility of the AEI with fundamental rights, in particular the right to privacy guaranteed by Article 8 of the European Convention on Human Rights (ECHR).

The Federal Court, referring to the case law of the European Court of Human Rights on Article 8 ECHR, emphasized that this provision not only imposes on States the obligation to refrain from arbitrary interference but may also give rise to positive obligations inherent in effective respect for privacy, such as taking reasonable and appropriate measures to guarantee this right while preserving a fair balance between the general interest and the interests of the individual concerned.

In the context of the protection of personal data, the Federal Court recognizes that bank data are personal data protected by Article 8 ECHR and that their transmission, especially to a foreign authority, represents an interference with privacy. Therefore, Switzerland must take the necessary measures to ensure that the use of these data by the requesting authority will be in accordance with the guarantees of Article 8 ECHR.

In line with ECHR case law [1], it also recognizes that the protection of confidentiality may yield to administrative assistance. In addition, it gives States a certain latitude to strike a balance between the protection of public interests and that of an individual’s interests in keeping his or her data confidential. In this sense, the protection of banking data is considered less intense than that of intimate data, which gives the State a wider margin of appreciation.

Regarding the compatibility of the AEI mechanism with the ECHR, the Federal Court notes that the MCAA (Multilateral Competent Authorities Agreement) does not provide for individual exceptions, and that Switzerland made no reservations when ratifying it to grant procedural rights to the persons concerned. However, it recognizes that the persons about whom information will be transmitted have a right, derived from the principle of informational self-determination of Article 8 ECHR, to object to a transmission of data without legal basis or contrary to law [2]. This does not mean that they can object to the administrative assistance procedure itself, but they should have legal avenues to claim a violation of Article 8 ECHR, including other procedures such as those provided for in the Federal Data Protection Act.

Separately, a ruling of the Swiss Federal Administrative Court (A-88/2020) dated 09/01/2020 concerned a case in which a Swiss bank classified a Bahamian-resident entity as a “Non-Financial Passive Entity” (NFE), identified a resident of another jurisdiction (“parent”) as subject to reporting under the CRS, and sent the information to the Swiss Tax Administration for transmission to that jurisdiction.

The subject asked the Administration to correct the data, arguing that the reporting bank had misclassified the entity and that there were no data protection guarantees in his country.

The respondent Administration asserted that it did not conduct a substantive review of the classification made by the financial institutions and stated that the alleged misclassification did not constitute a transmission error remediable by it under Swiss law. It maintained that the appellant’s country of residence offered sufficient guarantees of data protection.

The court rejected the appeal and concluded that the Tax Administration is not competent to review the classification made by the bank, which must be challenged directly before the civil courts against the financial institution. It understood that the plaintiff failed to credibly demonstrate a lack of data protection guarantees in that jurisdiction that could constitute a violation of “public order” and thus prevent the exchange of information. It was considered that the level of confidentiality and data security in that country had not been questioned in the peer reviews, and that both the European Commission and Switzerland had considered its level of data protection to be compliant.

This first jurisprudence of Swiss origin demonstrates a strong support for the AEI within the framework of the CRS. At the same time, it emphasizes the importance of proper self-certification by account holders and due diligence by reporting financial institutions. The existence of mechanisms for the notification and correction of errors, as well as the protection of information confidentiality, are key elements.

 

  • Final words.

Confidentiality and security in the AEI are not mere formalisms, but sine qua non conditions for the legitimacy and effectiveness of international tax cooperation. The requirements established by the CRS provide a robust framework that nevertheless requires rigorous implementation and constant monitoring by participating jurisdictions.

Swiss jurisprudence, as is clear from these rulings, underlines the need to balance fiscal transparency with respect for the right to privacy. While the exchange of financial information is considered a legitimate tool, jurisdictions must ensure that adequate safeguards are in place to protect the confidentiality of the data and provide recourse to individuals in the event of a breach of their rights.

[1] G.S.B. v. Switzerland, 22 December 2015.

[2] M.N. and Others v. San Marino, 7 July 2015.


Disclaimer. Readers are informed that the views, thoughts, and opinions expressed in the text belong solely to the author, and not necessarily to the author's employer, organization, committee or other group the author might be associated with, nor to the Executive Secretariat of CIAT. The author is also responsible for the precision and accuracy of data and sources.
