CFR: Data privacy in financial affairs is important in large part because we worry what governments might do with access to our data. Canada has been at the forefront of privacy law, and so looking at how Canada is handling privacy in financial matters with respect to tax is helpful even for non-Canadian taxpayers.
Profs. Ainsworth & Madzharova analyse how the shift to electronic, real time collection of VAT raises important privacy issues. If you thought VAT was a problem already, wait until you read this.
Tax Secrecy and Tax Transparency – The Relevance of Confidentiality in Tax Law, Country Report: Canada, Institute for Austrian and International Tax Law (2012, Forthcoming)
Canadian National Report prepared for the Vienna University of Economics and Business, Conference on tax secrecy and transparency, Rust, Austria, July, 2012. The aim of the project is to assess how different countries regard the treatment of tax information and tax secrecy. Topics include the collection of data, the sharing of information domestically and internationally, interaction of tax rules with related regulatory rules, and access to taxpayer information by the public.
This report discusses Canada’s relatively low profile in the global market for offshore financial services. Overall, Canada’s tax regime attempts to strike a balance between protecting taxpayer rights to privacy and confidentiality, and ensuring that the government has sufficient information about taxpayers in order to enforce its own laws, as well as to cooperate with efforts by other countries to enforce their tax laws in respect of their residents who invest in Canada.
Richard Thompson Ainsworth and Boryana Madzharova
Real-Time Collection of the Value-Added Tax: Some Business and Legal Implications, Boston Univ School of Law, Law and Economics Research Paper No. 12-51
Recent estimates of the level of VAT fraud in the EU are commensurate with the EU budget. With the Green paper on the future of VAT, the European Commission stressed the urgency and necessity of comprehensive VAT reforms. This paper analyses the business and legal implications of the recently proposed split-payment mechanism, which, if implemented, would move VAT’s method of collection to real-time. The discussion is positioned in the context of two increasingly visible trends in the EU – the general shift towards greater reliance on indirect taxation and the growing popularity of electronic payment instruments.
The potential implementation of VAT withholding would be a radical reform, given its shift of the taxation system from voluntary to forced compliance. We argue that, on the one hand, real-time VAT collection would constitute a potent preventive measure against VAT fraud, which could generate synergetic effects within SEPA, and further deepen integration through the harmonisation of VAT policies. On the other hand, real-time audit/refund would require tax authorities’ access to confidential business information that may be incompatible with EU privacy rules. The trade-off between efficient tax collection and privacy concerns mirrors the general debate on data protection in a cashless economy.
CFR: Europe is on the forefront of privacy issues – whether theorising and passing Directives and Regulations or letting governments abet the theft of private entities’ data. These two recent papers discuss the “right to be forgotten” (except by tax collectors) and the larger framework for privacy issues.
Hans Graux, Jef Ausloos and Peggy Valcke
The Right to Be Forgotten in the Internet Era, ICRI Research Paper No. 11
Especially after its appearance in the European Commission’s recent proposal for a new Data Protection Regulation, the ‘right to be forgotten’ has provoked quite some criticism. Much of the opponents, however, seem uninformed on the actual scope and meaning of the proposed provision. Additionally, the concept is often confused with the much older ‘droit a l’oubli’, which finds its rationale in the protection of privacy as a fundamental human right.
This text starts by giving an overview of the more traditional droit a l’oubli and how it is applied throughout Europe. Subsequently, the more modern ‘right to be forgotten’ is analysed from a normative, market, technological and legal perspective. Finally, this text makes a thorough and critical analysis of the current proposal. Despite its laudable goal, some deficiencies should be resolved. But, in general, the right seems to restore the power balance by giving (back) effective control to individuals over their personal data.
The European Commission’s Proposed Data Protection Regulation: A Copernican Revolution in European Data Protection Law, Bloomberg BNA Privacy and Security Law Report (2012) February 6 2012, pages 1-15
In the 18th century Immanuel Kant famously initiated a “Copernican revolution” in philosophy by shifting the understanding of reality away from external objects and towards the cognitive powers of the individual. The European Commission’s recent proposal for a General Data Protection Regulation attempts a similar revolution in European data protection law by seeking to shift its focus away from paper-based, bureaucratic requirements and towards compliance in practice, harmonisation of the law and individual empowerment. Indeed, the Proposed Regulation represents the most significant potential change to European data protection law since adoption of the EU Data Protection Directive 95/46/EC in 1998.
The final success of the Proposed Regulation will perhaps depend on three key factors, namely the effectiveness of the “lead DPA” concept, the operation of the consistency mechanism and the ability of the Commission to issue delegated and implementing acts of high quality in a way that is timely and transparent and gives stakeholders an opportunity to provide input. If these three factors are realised, then it may work as designed to bring about a more harmonized level of data protection throughout the EU and the benefits could be great for data controllers, individuals, and the EU economy. But if they are weakened during the EU legislative process or if member states and DPAs undermine them, then many of the other positive changes foreseen in the text may lose much of their effect. Only time will tell if the final result is a revolution that brings about lasting improvements.
CFR: One key theme in privacy is the advent of “big data”. See Reading Privacy in this issue for a suggested primer. Three recent papers deal with different aspects of the problems raised by big data for existing legal understandings of privacy.
Omer Tene and Jules Polonetsky
Big Data for All: Privacy and User Control in the Age of Analytics, Northwestern Journal of Technology and Intellectual Property, Forthcoming
Data creates enormous value for the world economy, driving innovation, productivity, efficiency and growth. At the same time, the “data deluge” presents privacy concerns which could stir a regulatory backlash dampening the data economy and stifling innovation. In order to craft a balance between beneficial uses of data and in individual privacy, policymakers must address some of the most fundamental concepts of privacy law, including the definition of “personally identifiable information”, the role of individual control, and the principles of data minimization and purpose limitation.
This article emphasises the importance of providing individuals with access to their data in usable format. This will let individuals share the wealth created by their information and incentivize developers to offer user-side features and applications harnessing the value of big data. Where individual access to data is impracticable, data are likely to be de-identified to an extent sufficient to diminish privacy concerns. In addition, organisations should be required to disclose their decisional criteria, since in a big data world it is often not the data but rather the inferences drawn from them that give cause for concern.
Big Data: The End of Privacy or a New Beginning?, International Data Privacy Law (2013 Forthcoming)
This past January, the European Commission released a proposal to reform and replace the EU Data Protection Directive by adopting a new Regulation. The author argues that this Regulation relies too heavily on the discredited informed choice model and therefore fails to fully engage with the coming big data tsunami. His contention is that when this advancing wave arrives, it will so overwhelm the core privacy principles of informed choice and data minimisation on which the Directive rests that reform efforts alone will prove inadequate. Rather, an adequate response must combine legal reform with encouragement of new business models premised on consumer empowerment and supported by a personal data ecosystem.
This new business model is important for two reasons: first, existing business models have proven time and again that privacy regulation is no match for them. Businesses inevitably collect and use more and more personal data, and while consumers realise many benefits in exchange, there is little doubt that businesses, not consumers, control the market in personal data with their own interests in mind. Second, a new business model, which I describe in this paper, promises to stand processing of personal data on its head by shifting control over both the collection and use of data from firms to individuals.
This “control shift” – and this alone – stands a chance of making the Fair Information Practices efficacious by giving individuals the capacity to benefit from big data and hence the motivation to learn about and control how their data is collected and used, while also enabling businesses to profit from a new breed of services that are both data-intensive and imbued with privacy values.
Daniel J Solove
Privacy Self-Management and the Consent Paradox, Harvard Law Review, Vol. 126, 2013, Forthcoming
The current regulatory approach for protecting privacy involves what Solove refers to as the “privacy self-management model” – the law provides people with a set of rights to enable them to decide for themselves about how to weigh the costs and benefits of the collection, use, or disclosure of their information. People’s consent legitimises nearly any form of collection, use, and disclosure of personal data. Although the privacy self-management model is certainly a laudable and necessary component of any regulatory regime, Solove contends in this essay that it is being asked to do work beyond its capabilities.
Privacy self-management does not provide meaningful control. Empirical and social science research has undermined key assumptions about how people make decisions regarding their data, assumptions that underpin and legitimize the privacy self-management model. Moreover, even if individuals were well-informed and rational, they still cannot appropriately self-manage their privacy due to a series of problems.
For example, the problem of scale involves the fact that there are too many companies collecting and using data for a person to be able to manage privacy with everyone. The problem of aggregation involves the fact that privacy harms often consist of an aggregation of disparate pieces of data, and there is no way for people to assess whether revealing any piece of information will sometime later on, when combined with other data, reveal something sensitive or cause harm. The essay also discusses a number of other problems. In order to advance, privacy law and policy must confront a complex and confounding paradox with consent.
Consent to collection, use, and disclosure of personal data is often not meaningful, and the most apparent solution – paternalistic measures – even more directly denies people the freedom to make consensual choices about their data. No matter which direction the law takes, consent will be limited, and a way out of this dilemma remains elusive.