The Common Reporting Standard and the Taxpayer’s Right to Privacy

In a world where many individuals voluntarily live their lives in full public view and share, albeit sometimes inadvertently, the most personal of information on various different social media platforms, one must consider the right to privacy in context.

In the UK, the right to privacy in its current guise has its origins in the 1948 Universal Declaration of Human Rights. The drafters of the European Convention on Human Rights (ECHR), which was ratified by the UK in 1951, drew heavily on the 1948 Declaration, and the ECHR became part of British domestic law via the Human Rights Act 1988 which came into force in October 2000. This was about the same time as the EU confirmed the principles enunciated in the ECHR in the EU Charter of Fundamental Rights in which Article 7 covers privacy and Article 8 covers data protection.

The term “right to privacy” is not actually defined as such in any of the ECHR, the EU Charter, or the Human Rights Act (which directly imports the wording of the ECHR). The ECHR describes such right as the “right to respect for private and family life, his home, and correspondence”1 but this right is “qualified”. The situations in which public authorities can interfere with these rights are where the authority can show that its action is (i) in accordance with the law, (ii) in pursuit of recognized legitimate aims, and (iii) necessary in a democratic society in order to:

  • Protect national security
  • Protect public safety
  • Protect the economy
  • Protect health or morals
  • Prevent disorder or crime
  • Protect the rights and freedoms of other people

So, how do these rights sit with obligations to divulge and share information under the Common Reporting Standard (CRS) and the automatic exchange of information? To answer this question, one needs to consider the origins of the CRS.

In response to the G20 request that fiscal authorities worldwide obtain information from their financial institutions and automatically exchange that information with other jurisdictions on an annual basis, the CRS developed alongside the inexorable drive on the European front towards transparency to combat money laundering, with the introduction in the past two years of beneficial ownership registers for both:

  • “Persons with significant control” of UK companies (accessible by anyone)
  • Trusts with UK tax consequences (currently only accessible by any law enforcement authority, which includes Her Majesty’s Revenue and Customs, the Financial Conduct Authority, and the National Crime Agency; the Fifth Anti-money Laundering Directive currently contemplates full public access)

The CRS incorporates progress made within the EU, as well as global anti-money laundering standards, with the intergovernmental implementation of the Foreign Account Tax Compliance Act (FATCA), having acted as a catalyst for the move toward automatic exchange of information in a multilateral context.2

As of 15 January 2018, according to OECD figures, 98 jurisdictions had signed up to exchange or commit to exchange information by September 2018. Under the CRS, essentially, banks and other “financial institutions” have to disclose information about their clients, which comprises:

  • Their name, date and place of birth, and tax identification number
  • The name of the bank, the account number, account balance, income, and withdrawals during the fiscal year


Akin to the indiscriminate nature of trawler fishing, the CRS requires the exchange of a wide range of information regardless of whether there is in fact any tax to catch


This information is being exchanged electronically between the financial institutions holding the accounts and the relevant fiscal authorities around the world.

Given the recent and well-publicized data leaks (either intentionally or through hacking), and the seeming inability of the relevant authorities to protect this very sensitive data, it is unsurprising that questions have been raised about the CRS’ compatibility with the right to privacy. This is separate from the fundamental question regarding legality of the disclosure requirements under the CRS. Remember that any action contrary to the right to privacy must be lawful, necessary, and proportionate.

While this article will not discuss data protection laws in detail, since these (and the safeguards enshrined within them) are inextricably linked with an individual’s right to privacy, it would be remiss not to allude  briefly to their effect and to issues related to them. There is an inherent tension between the right to privacy on the one hand and transparency on the other, with which both the OECD and the EU are grappling. As early as 2015, the European Data Protection Supervisor (EDPS) voiced concerns in an opinion (albeit in relation to an EU–Swiss automatic information exchange agreement) about data protection (privacy) and proportionality “with significant and unnecessary risks for the individual’s rights to privacy and data protection”. The warning and concerns of the EDPS in relation to the CRS and the lack of data protection safeguards were repeated in a further opinion in April 2017. In addition, within the past three years, the European Court of Justice has criticized such legislation permitting public authorities to have access on a generalized basis to the content of electronic communications as “compromising the essence of the fundamental right to respect for private life”.

Implementation of the CRS requires both domestic legislation to ensure that financial institutions correctly identify and report accounts held by non-residents, and an international legal framework for the automatic exchange of CRS information. The preferred route for putting the international legal framework in place is through the CRS Multilateral Competent Authority Agreement (MCAA), which defines the scope, timing, format, and conditions for the exchange of CRS information and is based on the multilateral Convention on Mutual Administrative Assistance in Tax Matters, the prime instrument for cooperation in tax matters. While the CRS MCAA is a multilateral agreement, exchange relationships for CRS information are bilateral in nature and are activated when both jurisdictions have the domestic framework for CRS exchange in place and have listed each other as intended exchange partners. In total, by December 2017 there were over 2,600 bilateral relationships for the automatic exchange of CRS information in place across the globe. The UK has 63 different arrangements with other jurisdictions. Aside from the complexity of the CRS (thanks to it having been based largely on FATCA), it  is essentially  a measure designed to combat cross-border tax evasion. Akin to the indiscriminate nature of trawler fishing, the CRS requires the exchange of a wide range of information regardless of whether there is in fact any tax to catch.

In terms of citizenship-by-investment (CBI) programs, for some of those individuals who are considering moving to a jurisdiction that offers CBI opportunities there is a concern that their personal financial information will be passed to the relevant authorities in that jurisdiction where it may not be as secure. However, where individuals are seeking CBI, they are often moving from a jurisdiction where protections and safeguards for personal information are lower than the jurisdiction to which they are seeking to relocate.


1 Article 8(1) of the ECHR; Schedule 1 of the Human Rights Act 1988

2 OECD (2017), Standard for Automatic Exchange of Financial Account Information in Tax Matters, Second Edition, OECD Publishing, Paris.


Register to receive the digital version of each edition of the Global Citizenship Review