The Common Reporting Standard (CRS) requires banks and certain investment entities (trusts, companies, foundations, etc.) to collect sensitive personal and financial information concerning underlying individuals, and transfer that information to local tax authorities. Under the "automatic exchange of information" principle, those local authorities then transmit that information to the tax authorities of the jurisdiction in which the underlying individuals are resident.
In the EU, the CRS became operative at the beginning of 2017. On 17 December 2018, the European Parliament released its report on the implementation of the CRS and the first cycle of information exchange. According to the report, EU Member States exchanged information in relation to 8.2 million financial accounts with an aggregate value of just under €3 trillion (€2,900 billion). This figure is only expected to increase, as the first exchange cycle only concerned "high value" accounts. According to the report, "when it comes to quantify the benefits … the Member States have repeatedly explained how difficult it is to define the direct monetary benefit of tax data received from abroad, which … may not lead to any additional tax revenues at all". The report therefore concludes that "the main benefits lie in the increased tax compliance and in the deterrent effect for taxpayers".
As the exchange of information takes place automatically, the CRS raises fundamental questions concerning its compatibility with the data protection principle that personal information should only be processed to the extent it is "necessary" to achieve the stated objective. As mentioned in the recent Tax Aware article, the House of Lords has warned about the steady accretion of powers in the hands of the tax authorities since 2012. There seems to be little doubt that the introduction of the GDPR in May 2018 has brought to light an inherent conflict between the CRS and individuals' fundamental rights to data protection and privacy. Whilst tax authorities must be put in a position to fight tax evasion, they must also respect individuals' fundamental rights and not expose their data to the risk of hacking. Additional concerns exist where individuals live in high risk jurisdictions.
For this reason, in July 2018 an account holder brought a formal complaint against the excessive nature of the CRS. It is believed that this is the first complaint of this kind in Europe, and possibly anywhere in the world. The complaint is currently pending before the UK's data protection agency (the Information Commissioners' Office).