On the day after the European Court of Justice (ECJ) ruling came down effectively terminating the EU-US Safe Harbor, I’m pondering what appear to be several ironies. I call them ironies because if I didn’t the only phrase might be ‘you surely cannot be serious!’

At a time that the ECJ effectively handed a major cost and operational headache to the corporate and financial world, there being no grace period associated with the ECJ’s judgment; these same governments are still actively engaged in setting up complex regulations to do exactly what the courts are saying corporates can’t do any more i.e. acquire private information about tax payers with foreign financial accounts and moving it around the world between themselves with no transparency about what happens to it when it gets there. The message appears to be “we want foreign financial institutions to be our local detectives and their governments to be our local ‘delivery men’. But, trust us, we’ll only use this data to catch tax evaders.”

It started with the US FATCA regulations, but we now have the OECD’s Common Reporting Standard (CRS) and Automatic Exchange of Information (AEoI) initiatives coming in the next two years, which in aggregate show a signed commitment by almost 100 governments to bilaterally force everyone else’s financial institutions to disclose customer names, addresses, tax IDs, account balances and gross payments and withdrawals. That’s nearly a hundred thousand permutations of reports every year swishing around between these partner countries’ governments.

I do not doubt that there will some tax evaders in the reported data, given that the reportable accounts are only those deemed to be at high risk of tax evasion – mainly by value. But financial institutions are already highly sensitive and risk averse. I come across many firms that, rather than take the risk, will just report all foreign account holders to their home jurisdiction, not just the ones in high-risk categories. Forget the NSA. What are all these governments going to do with all the mountains of financial and tax data they are going to be getting? Can they even cope? Will the data actually mean anything? How long will they keep it? Who else will they give it to? Where will it be stored? What security will they have in place against cyber threats? Even in the first round of reports sent to the IRS under FATCA there have been anecdotal comments about ‘garbage in – garbage out’.

In a further irony, the reason that these bilateral agreements are coming about in the first place is mainly to get round the data privacy issue caused by the EU Data Protection Directive. In this Directive, Principle number 8, paraphrased, states that it is illegal to transfer private data of a data subject outside the EU. One of the other reasons, just to be complete, was that the US was getting frustrated with the Swiss some years ago because its own framework prevented phishing for tax evaders i.e. at the time, you had to know the identity of your suspected tax evader to be able to use the international legal framework to ask for help under ‘mutual assistance’ principles.

With regard to the Directive, I have two points to make:

First, Principle number 8 is not exclusive to the US – it’s generic. So, moving private data to India, for a call centre operation for example, was and would be illegal, especially as India has very weak data protection laws. So, this is not a new thing that corporates are facing. It’s just that the US is a big player. Nor is this the first time that corporates have had to react to the US with commercially evasive (sic) tactics. When the US wanted to get into SWIFT messages to find evidence of terrorist funding activity, they claimed jurisdiction over SWIFT messages and the data they contained because much of it was pinging through servers located in the US. SWIFT’s response was to immediately set up a new server node on their network in Switzerland so that some messages would not ping into US jurisdiction. So, the judgment might seem odd, but corporates are, by design, full of really smart people and they’ll figure this out.

Second, most people, as I deliberately just did, cite the first part of that Principle without mentioning the last part, which is…‘without the explicit consent of the data subject’. Ever since I wrote my book “the New Global Regulatory Landscape”, I’ve been pointing out two things. Firstly, the Data Commissioner has already provided guidelines and even sample text (six pages) for what is considered ‘explicit consent’. Secondly, for many years now, most financial institutions have included standard text into their account opening contracts that provides for the cross border movement of their client’s data. The issue, as I pointed out at the time, is that there is a big difference between what the Data Commissioner thinks would be an acceptable demonstration of ‘explicit consent’ and what these standard clauses say and in particular the fact that they are buried in the small print.

The Safe Harbor framework has (or had) one important aspect in this regard. The ‘explicit consent’ referenced above is deemed either not to be required or is automatically granted for any firm certifying in the Safe Harbor. In other words, if you are a firm certified in Safe Harbor, you don’t need to worry about ‘explicit consent’ text, as that’s what the Safe Harbor gives you. Now that this appears to have gone, it does not mean that data transfers can’t happen. The corollary to ‘thou shalt not do this without explicit consent’ is of course ‘with explicit consent, you’re good to go’.

So, there would appear to be two directions this can go in. If nothing else happens, this will essentially force US firms to build lots of non-US based servers and force them to set up operations in many countries (and some would say that could be a good economic thing) and/or we can go get explicit consent from all our customers – or both.

As I said at the beginning, the biggest irony for me is that corporations will be forced by governments into taking extremely expensive steps to gain the specific consent of their customers. At the same time, nearly a hundred governments are setting up to acquire and then move private data between themselves with almost no oversight or transparency about what’s going to happen to all that private data in governmental hands.

I guess we should just trust them.

Image Credit: sprklg