Can POPI and GDPR revive taxpayers’ right to privacy where the exchange of tax information is required?

Author: Ernest Marais

Service: Regulatory, and Andersen Tax


By Ernest Marais and Zinhle Novazi

The CRS imposes obligations on financial institutions to exchange tax and financial information on a global level with other countries. This cross-border transfer of sensitive financial data between jurisdictions raises data privacy and protection concerns.

The Protection of Personal Information Act (“POPI”)

POPI is South Africa’s data privacy law. It provides the regulatory framework for when and how juristic persons such as financial institutions can collect, use, store, delete and manage personal information. POPI applies to all local and foreign persons (juristic and natural) processing personal information in South Africa. Section 107 of POPI details the penalties that apply to the respective offences. For less serious offences, the maximum penalty is a fine or imprisonment for a period not exceeding 12 months, or both a fine and such imprisonment. For the more serious offences, the maximum penalty is a R10 million fine or imprisonment for a period not exceeding 10 years, or both a fine and such imprisonment.

The General Data Protection Privacy Regulation (“GDPR”)

The GDPR came into effect on the 25th of May 2018. It applies not only to organisations within the European Union (“EU”) but also to any organisation outside of the EU that offers goods or services to, or monitors the behaviour of, EU citizens. Breach of the GDPR may result in a penalty of 4% of the annual global turnover (or €20 million) for a breach, or a fine of up to 2% of turnover for not having records in order. The penalty for failing to comply with the GDPR is clearly not inconsequential, and compliance can become intricate when balancing its provisions against the provisions of the Organisation for Economic Cooperation and Development (“OECD”) Common Reporting Standard (“CRS”).

CRS Obligations

The CRS imposes obligations on financial institutions to exchange tax and financial information on a global level with other countries that have signed up for the CRS, with the aim of combating international tax evasion. The cross-border transfer of sensitive financial data between jurisdictions raises data privacy and protection concerns.

In compliance with CRS obligations, article 6(1)(a) of the GDPR and section 13 of POPI, financial institutions are obligated to collect personal information in accordance with a lawful purpose: to pursue the legitimate aim of fighting tax evasion through efficient mechanisms that do not expose individual rights to disproportionate interference. Furthermore, financial institutions have a legal basis for processing personal information in article 6(1)(c) of the GDPR, namely that processing is necessary for compliance with a legal obligation to which the institution is subject, and similarly under POPI in terms of section 4.

In terms of the CRS, financial data received through automatic exchange can only be disclosed to, and used by, authorities concerned with the enforcement of taxes, unless the Sender’s laws make provision for the information to be used beyond its intended purpose of combating tax evasion or such use is authorised by the Sender. Furthermore, in circumstances where the financial data must be transferred to third parties, other law enforcement agencies or judicial authorities, the CRS requires the Receiver to inform the Sender and obtain its consent. This is in line with article 46 of the GDPR, which provides the safeguards that must be put in place when transferring personal data to third parties, and similarly with section 72 of POPI, which provides safeguards for transferring personal information outside of South Africa.

Any organisation will be in breach of the GDPR and POPI if it exchanges or releases personal information which it is not under a legal obligation to disclose under the CRS. The obligation to report information in terms of the CRS can be complex and is continuously subject to change. By way of example, there is an obligation on a financial institution to report any controlling persons (usually <25% ownership) of a Passive NFE, but no obligation to report the controlling person of an Active NFE. A Passive NFE is defined in the negative as an entity that is not an Active NFE. An entity is an Active NFE if less than 50% of its income is passive income. The result is that the reporting obligations of a financial institution in respect of an entity may differ from year to year, depending on the financial performance of that entity during the relevant financial year. Financial institutions, such as banks, cannot take a catch-all approach and report all information, as they risk breaching the GDPR. The tax liability of a taxpayer should not depend on its tax affairs being reported or not; however, incorrect reporting may incite the wrath of the data regulator.