The United States and the world have experienced a dramatic erosion of privacy, particularly financial privacy, primarily as a result of the overreaction by the US government to the attacks on 11 September, 2001.
Because the US is a superpower and dominates many of the international organisations and informal groups that make international law and policy involving privacy rights, the international community has experienced a dramatic plummeting of privacy rights.
USA PATRIOT Act
On 11 September, 2001, the Bush Administration was poised to make anti-money laundering laws more balanced by imposing a sensible requirement that they be cost-effective. The presentation was to be made by Jimmy Gurule, Under Secretary for Enforcement, US Department of the Treasury.
Instead of balanced anti-money laundering laws, the US and the rest of the world got the “war on terrorism”. On 26 October, 2001, George W Bush signed the USA PATRIOT Act, which brought into law various laws emasculating privacy. The act allows the government to spy on US citizens and non-US citizens alike.
Previously, the law allowed law enforcement to only subject non-US citizens to clandestine surveillance. The USA PATRIOT Act then revised procedures, enabling law enforcement to tap into emails and voicemails of citizens and also permitted “roving wiretaps”.
The USA PATRIOT Act has led to the erosion of privacy rights under the Fourth Amendment. The Act permits the FBI to obtain telecommunication, financial and credit records without a court order. The Foreign Intelligence Surveillance Act’s 2008 amendment act gives US companies immunity from suit by their customers when they comply with illegal government surveillance requests.
Although Barack Obama promised to reform the PATRIOT Act and rescind the FISA Amendments during his candidacy for president in 2008, he has since changed his position.
Last year, the Electronic Frontier Foundation analysed the FBI’s use of National Security Letters from 2001 to 2008. The report concludes that the FBI might have violated the law as many as 40,000 times during that period. In numerous cases the companies involved, including phone companies, Internet service providers, financial institutions, and credit agencies, “contributed in some way to the FBI’s unauthorized receipt of personal information”.
The debate about the erosion of privacy is reflected in the debate over the Cyber Intelligence Sharing and Protection Act of 2011, which exempts companies from liability for sharing data with the government. It was one of several bills, which were introduced in Congress last year, that civil liberties groups and even the White House warn will result in additional erosion of consumer privacy.
Illegal surveillance of SWIFT
One of the examples of overreach by the “war on terrorism” was in its unlawful surveillance on transaction data from the Belgium-based Society for Worldwide Interbank Financial Telecommunication (SWIFT). On 27 September, 2006, the Belgium Privacy Commission ruled that US surveillance of transaction data from SWIFT was illegal.
The Privacy Commission reviewed the US surveillance programme at the request of the College for Intelligence and Security (Collège du renseignement et de sécurité), consulting with the EU’s Working Party 29 data protection group. The Working Party 29 group has criticised the lack of transparency in negotiations between EU officials and the US Treasury’s Office of Foreign Assets Control.
In the aftermath of 9/11, the Treasury served several subpoenas on SWIFT in the US, requesting a broad range of material on European financial transactions. According to the Privacy Commission’s report, the Treasury sought both general data retention and the ability to search retained data.
After verifying the subpoenas, SWIFT decided to comply and informed its control committee and the National Bank of Belgium.
The legal question of whether SWIFT was merely a processor of personal data – akin to a postal service – or a controller in the processing of personal data was at the heart of the legal controversy. SWIFT makes central management decisions beyond the normal decisions of a processor; in this case, agreeing to transfer data to the Treasury without informing its 7,800 clients.
According to the Privacy Commission, financial institutions are controllers because, in inter-bank traffic, they define the destination of, and the means to, carry out payment instructions.
The Privacy Commission opinion concludes that in the context of its normal processing of personal data, SWIFT should have complied with its obligations under Belgian privacy law, including notifying customers of personal data transfers to countries outside the EU. SWIFT had argued that US and European law conflicted on data transfers, noting that the Treasury had provided certain guarantees during its negotiations with the group.
Nevertheless, the opinion concludes that SWIFT “made some substantial errors of judgment in complying with American subpoenas. From the beginning, SWIFT should have been aware that the fundamental principles of European law were to be observed, apart from the enforcement of the American law, such as the principle of proportionality, the limited retention period, the principle of transparency, the requirement for independent control, and an adequate protection level.”
The opinion said that the competent authorities (the Privacy Commission, its peers and the European Commission) should have been informed from the start, so that they could have resolved the transfer of bank data to the US Treasury at the European level.
The Commission says it is available to further advise on the matter and urges the Belgian government to address the case at the European level, so that the EC can work toward a solution balancing security and privacy.
The opinion of the Privacy Commission is consistent with other recent opinions and actions in Europe, with respect to the transferring of bank information to the SWIFT in the US when the US government was monitoring such information. Since the ruling, the US and EU have concluded an agreement on the use of the SWIFT.
Airline passenger information
Another erosion of privacy has come in the use of airline passenger information.
On 30 May, 2006, the European Court of Justice (ECJ) ruled that an agreement requiring European airlines to forward personal details of passengers on trans-Atlantic flights was invalid because it violates European Union privacy laws. The court set a 30 September, 2006 deadline for the EU and the United States to find a satisfactory legal replacement for the Passenger, Name, Record (PNR) Accord.
The PNR Accord, which took 18 months to negotiate, was to run through 2007. It gave US law enforcement authorities access to 34 categories of information about passengers on all flights, from 25 EU members, as the passengers boarded in Europe.
The ECJ annulled the 17 May, 2004 Council Decision 2004/496/EC, which served as the basis to conclude the agreement to process and transfer PNR data by EU air carriers. However, it deferred the effect of the order. US legislation enacted in November 2001 required airline carriers operating flights to or from the US, or across US territory, to provide US customs authorities with electronic access to the data contained in the automated reservation and departure control systems (PNR data) within 15 minutes of takeoff. In June 2002, the European Commission informed US authorities that those provisions could conflict with Community and Member State legislation on data protection.
The US authorities postponed the entry into force of the new provisions, but ultimately refused to waive the right to impose penalties on airlines failing to comply with the legislation on electronic access to PNR data after 5 March, 2003. Eventually, the European Commission negotiated with the US, reaching an agreement on 17 May, 2004, despite reservations announced on 31 March, 2004 by the European Parliament.
After negotiations, the US agreed to accept the transfer of 34 (rather than 50) categories of information demanded by the US Department of Homeland Security. The PNR details required by airlines departing for the US include the names of all travellers and all contact details, including telephone numbers, addresses, e-mails, payment information, bank numbers and credit card data.
Originally, the US wanted to store the passenger data for 50 years.
However, the US agreed to save the information for three and a half years. The US also agreed to eliminate from the agreement meal orders and other specialised information that could identify a passenger’s religious or ethnic background.
On 19 April, 2012, the EU and US reached a new agreement. The US agreed to mask out passengers’ names and contact details after six months. The data will then be kept for up to five years, after which point it will move to a “dormant” database for 10 years more.
Inconsistent treatment of information on WikiLeaks
The treatment of WikiLeaks also exemplifies the erosion of privacy and overreaction that is part of the counter-terrorism initiative. When a former employee of Julius Baer used confidential financial information to try to extort former clients and then put the stolen private client data on WikiLeaks, the US government did not object. In fact, at least one Congressional Committee used the information to start and conduct an investigation.
However, the posting of so-called classified and national security information on WikiLeaks has led to a grand jury investigation against Julian Assange and the expenditure of significant political capital in an effort to support the United Kingdom’s efforts to extradite Assange to Sweden.
Use of informal groups and international organisations to erode privacy
This year has seen the US, pressed by severe fiscal deficits, continue to unilaterally act to capture revenue from the international sector, especially offshore undeclared bank accounts.
International organisations and informal groups have also increased their demands for more tax transparency, higher standards with respect to anti-money laundering/counter-terrorism financial compliance and enforcement, and compliance with other financial regulatory regimes.
The United States government has used international organisations and informal groups that it dominates to stifle privacy, especially financial privacy. The use of such organisations and groups that it dominates has enabled the US to categorise smaller international financial services jurisdiction as non-compliant and threaten them with countermeasures if they do not improve their laws and regulations to erode privacy.
The strengthening of tax information exchange and tax transparency as well as anti-money laundering and financial regulatory standards emanates from the G8 and G20.
After the financial crisis in 2009, the G20 had a series of meetings focused on dealing with the financial crisis. Even though most experts concluded that the financial crisis resulted from the selling internationally of synthetic financial instruments in the United States, the G20 decided to use the occasion to focus on the problems in the rest of the world, especially the so-called traditional tax havens.
This year the G20 applauded a supplementary report by the OECD shows growing adherence to automatic exchange of tax information. The OECD also announced a new initiative to tackle the misuse of corporate vehicles such as shell companies.
The Organisation of Economic Cooperation and Development
The US attack on financial privacy has come as part of one of the initiatives of the OECD now known as the “tax transparency” initiative.
The dominant player in the OECD tax transparency initiative has been the US. Initially, the OECD harmful tax practices (HTP) or competition initiative was concentrated on four key factors to identify tax havens:
- no or low effective tax rates;
- “ring fencing” of regimes;
- lack of transparency; and
- lack of effective exchange of information
On 18 July, 2001, Treasury Secretary Paul O’Neill asserted the Bush Administration’s opposition to portions of the OECD’s efforts to target tax havens. In particular, O’Neill said it was the sovereign right of every country to determine tax rates. Suddenly, the HTP initiative had two features:
- lack of transparency; and
- ineffective exchange of information.
The initiative was no longer the HTP initiative. It became and remains the tax transparency initiative.
After the OECD tried to defend the HTP against accusations that the initiative was illegitimate, in part because it was designed and implemented only by OECD members, the OECD created the Global Forum on Tax Policy and established a Peer Review evaluation to ascertain whether all the countries in the world met the standards of the initiative.
The Global Forum did a Peer Review Report of the US itself, reflecting the legal and regulatory framework as of February 2011. The PRR found that, “regarding the availability of information, the legal and regulatory framework is generally in place for all entities and arrangements to maintain ownership and identity information through the application of its federal tax provisions as well as applicable state law…”
The PRR failed to mention the lack of availability of beneficial ownership information of entities even though US Government Accountability Office reports, such as “Company Formations, Minimal Ownership Information Is Collected and Available” (Apr. 2006), which led to Sen. Carl Levin’s introduction of ITLEA in 2006, 2008, 2009 and 2011.
The purpose of the Global Forum and tax transparency is to enable other countries to have effective exchange of information from the US. At the time of the PRR of the US, the major way the US obtained information was through the Qualifying Intermediary (QI) regulations. However, foreign tax authorities have no access to such information. Yet the PRR is silent on the QI regulations and the lack of access to such information. One of the OECD standards in the exchange of information is to ensure due process.
In this regard, the US Treasury officials, in the context of trying to persuade the US private sector to support the ratification of the US joining the OECD/CoE Convention on Mutual Administrative Assistance in Tax Matters, said they would propose regulations to give notice and an opportunity to oppose any foreign requests for information under that proposed Convention and possibility for all TIEA requests.
25 years later, the US doesn’t have any laws or regulations giving notice or an opportunity to respond to foreign requests for tax information. In many cases, the Treasury uses informal measures, such as sending a letter to the record holder and requesting such person turn over information for use by the foreign country.
Moreover, the US has pioneered the provisions in Mutual Assistance in Criminal Matters Treaties (MLATs), often used for evidence gathering in transnational tax enforcement cases, which provides that the Convention is only for the use of the signatory parties (ie, governments) and do not permit defendants or third parties to use the MLAT to gather evidence or to try to exclude or delay evidence obtained under the MLAT.
Notwithstanding these gaps in due process, the PRR applauds the US for its due process and respect for the rights of individuals and privacy.
The Financial Action Task Force
The loss of privacy is also derived from the proliferation of soft laws from informal groups, such as the Financial Action Task Force (FATF). Composed of bureaucrats who are law enforcement and financial regulators, FATF officials are free to make up problems and propose solutions in the way of soft laws, with which all governments and businesses throughout the world must comply.
Non-compliant jurisdictions and financial institutions are blacklisted and subject to countermeasures. One of the soft laws is that “(c)ountries should ensure that financial institution secrecy laws do not inhibit implementation of the FATF Recommendations.”
The soft law gains significant importance with the fact that the new recommendations require signatory countries to start making tax offenses a money laundering offense.
On 16 February, 2012, the Financial Action Task Force issued revised recommendations after more than two years of efforts by member countries.
According to FATF, the revisions provide authorities with a stronger framework to act against criminals and address new threats to the international financial system. The main changes in the recommendations are:
- combating the financing of the proliferation of weapons of mass destruction through the consistent implementation of targeted financial sanctions, when these are called for by the UN Security Council;
- improved transparency to make it more difficult for criminals and terrorists to conceal their identities or hide their assets behind legal persons and arrangements;
- stronger requirements when the covered persons deal with politically exposed persons (PEPs); and
- expanding the scope of money laundering predicate offenses by including tax crimes.
A problem with the FATF recommendations is low compliance. Despite the low compliance, the large countries, such as the US, which dominate FATF, still want to extend the scope of AML to cover everything from nuclear proliferation to tax crimes, mainly because they will be used mostly against the smaller countries.
On 29 February, 2012, in response to the new FATF recommendations, the US Treasury’s Financial Crimes Enforcement Network (FinCEN) issued an advance notice of proposed rulemaking (ANPRM) to solicit public comment on a wide range of questions pertaining to the possible application of an explicit customer due diligence (CDD) obligation on financial institutions, including a requirement for financial institutions to identify beneficial ownership of their accountholders.
FinCEN explained that an express CDD program rule is an aspect of a broader US Department of the Treasury strategy to enhance financial transparency in order to strengthen efforts to combat financial crime. Other key elements of this strategy include: (i) improving the availability of beneficial ownership information of legal entities created in the United States; and (ii) facilitating global implementation of international standards (ie, new FATF recommendations) regarding CDD and beneficial ownership of legal entities.
US overreaction to counterterrorism and other national security threats has debilitated financial privacy and escalated financial regulatory controls through its unilateral imposition of new controls and its use of international organisations and informal groups to do its bidding.
As the US tries to manage its own deficit and budget challenges, the US initiatives risk diminishing its own access to capital and foreign investment and interposing barriers to globalisation at a time when the world economy is fragile.