The unnamed individual has asked the UK data regulator to rule on the legality of automatic exchange of information under CRS.
According to the Financial Times (FT), which broke the news of the case, the woman, who is now domiciled in Italy, has £4,000 ($5,253, €4,493) in a British bank account and has been tax resident in the UK.
Under CRS, both tax authorities automatically share her account number, balance, tax number and date of birth.
The FT has reported that the woman, who does not want to be named, is concerned about the security of her data and exposure to hacking because of the exchange of information.
An UK Information Commissioner’s Office (ICO) spokesperson told International Adviser: “We have received a complaint relating to HM Revenue & Customs and the common reporting standard and will be looking into the details.”
There is no set timescale for the ICO to rule on a complaint but it could bar or pause the automatic exchange of taxpayer data between governments if it breaches general data protection regulations (GDPR).
Deafening silence
Filippo Noseda, a partner with law firm Michcon de Reya, who has campaigned on the issue, argued in January that until there was test case there would be a “deafening silence surrounding the legality of CRS” in relation to an individual’s right to respect for personal information.
He observes that under CRS there is a lack of proportionality between the risk of tax evasion and the risk of the data falling into the wrong hands.
“No one outside the data protection community seems to have understood the issue and taken governments to task,” he said.
Breaches
In 2007, HMRC lost taxpayer data of 25 million people and, in February 2018, International Adviser reported on a sting in Argentina where seven tax officials were caught selling data to criminal gangs.
Argentina adopted CRS in 2017 and, globally, only the US is expected to have not adopted the Organisation for Economic Cooperation and Development rules by the end of 2018.
A spokesperson for HMRC said its handling of data was compliant with GDPR.