The law firm, which has fired warnings about what it sees as cyber-security threats to data transfers under structures such as the Common Reporting Standard, is now urging Luxembourg authorities to suspend publication and processing of beneficial ownership information. This follows a recent Luxembourg court's move.
The law firm Mishcon de Reya is asking authorities in Luxembourg to suspend data transfers and publication of beneficial owners of companies registered in the jurisdiction, saying the processing of such information endangers privacy. The organisation also intends to file similar actions in other EU member states.
The firm has claimed that moves to set up public registers of beneficial ownership in the European Union threaten legitimate financial privacy unless there are safeguards. One of the firm’s partners, Filippo Noseda, has argued that a mass of cybersecurity breaches of various governments’ agencies highlight risks to data exchanges. (He has warned about data transfers arrangements for some time.)
In a statement on its website, Mishcon de Reya said it has “filed a lengthy GDPR Complaint” with the Luxembourg National Data Protection Commission. The complaint, it said, draws together the concerns raised by the European data protection community and relevant European judgments, including the 21 Oct 2016 judgment from the French Constitutional Council on the illegality of public trust registers.
The “GDPR” acronym refers to the General Data Protection Regulation regime enacted by the EU more than two years ago. The regulations are designed to improve protection over citizens’ personal information. Ironically, the framers of the GDPR regime have reignited a debate about how far governments can and should go in publishing data on people's financial situation.
Mishcon de Reya said its Luxembourg action comes after last week’s move by the Luxembourg District Court to refer the validity of laws to set up public registers and whether they are compatible with fundamental rights to the Court of Justice of the European Union.
The law firm said its complaint also mentions internal documents from the European Commission, which it said show that the Commission was opposed to the introduction of fully public registers and instead wanted to maintain the requirement of a demonstrable “legitimate interest” to access information contained on the registers.
"Unfortunately, due to the busy schedule of the CJEU [Court of Justice of the European Union], it will take several many months before the preliminary questions will be heard from the Court,” Noseda said. “In the meantime, the names of thousands of compliant citizens will continue to be disclosed publicly and other EU countries will continue on their journey to introduce public registers, unless they have already done so, thus infringing the rights of hundreds of thousands, if not millions, of compliant citizens.
“We are planning similar steps in other EU Member States to raise awareness and put the issue of public registers at the centre of the data protection debate across the continent," he added.
The issue around beneficial ownership disclosure is global. A week ago, the US Senate passed a veto-proof bill to ban the use of anonymous shell companies.
As an example of the volumes of data involved, in October 2018 Switzerland’s federal tax body said it passed over data on about two million accounts under the global automatic exchange of information (AEOI) regime. The global pacts to exchange data, known as the Common Reporting Standard, came into force and affected a first wave of countries in 2017, with a second group, including Switzerland, adopting the system this year. (About 100 jurisdictions in total are signed up to automatic information exchanges.) The CRS was introduced as a package of members of the Organisation of Economic Co-Operation and Development countries, and others, amid rising concerns about misuse of offshore centres. Switzerland, for example, has seen its bank secrecy laws, long a shield against foreign demands for data, come under assault. The country signed a pact in 2013 with the US under which scores of Swiss banks entered non-prosecution agreements and paid fines to draw a line under legal claims about illegal offshore accounts.
Ironically, the US is not a signatory to the CRS, and the US enforces tax of expats through the Foreign Account Taxation Act, aka FATCA, which was enacted initially in 2010. (This situation has prompted anger about alleged hypocrisy of the US over demands for potentially sensitive information.)
(The editors of this news service are interested in any comments other legal and data protection experts have on these issues. To comment and get in touch, email firstname.lastname@example.org)