Exchange of Information and the Rule of Law: Confidentiality and safeguards for the automatic processing of data in a world of big data


December 1, 2020

Exchange of information and the rule of law

Developed and developing countries have committed to implement global standards developed by the OECD with the political mandate of the G20, including standards that provide for exchange of information among tax administrations. Among the reasons for this exchange are the need to provide tax administrations with the relevant information on taxpayers’ activities/assets abroad, and the need to ensure that taxpayers, including multinationals, pay their fair share of taxation. Exchange of information is the key instrument for tax administrations to prevent tax evasion, tax fraud, and aggressive tax planning.

The first standard was the Global Standard on Exchange of Information, which provides for the exchange of taxpayer information on request, spontaneously and automatically. The second set of standards results from the BEPS Project and its 15 Actions, mainly regarding the exchange of information on aggressive tax planning schemes (Action 12), multinationals’ transfer pricing documentation including country by country reporting (Action 13) and rulings, i.e. agreements between tax administration and taxpayer (Action 5).

However, in this exchange of information, it is important to take into account the taxpayer’s rights in the framework of the rule of law. Even if information is necessary, and needed for countries to raise revenue, countries should (i) introduce rules to guarantee confidentiality and (ii) introduce safeguards to protect the taxpayer against abuses which may accompany the collection and processing of personal data, including big data.

In a 2017 paper on the rule of law and the effective protection of taxpayers’ rights in developing countries, we provided a comparative study of 4 countries: Brazil, Colombia, South Africa and Uruguay. In this paper, we argued that “as part of the rule of law, taxpayers need to trust that the tax administration will protect their rights to confidentiality, privacy and the right to participate in the exchange of information”. Therefore, we recommended the update of the countries’ data protection rules, which are mainly based on the 1995 Data Protection Directive, and the exchange of best practices among countries. For instance, one best practice found in this study that could also be adopted by other countries is the training that takes place in South Africa to familiarize tax officials with tax treaties, including the exchange of information in an international environment. This training has ensured that in every local revenue office there is at least one tax official who has the expertise to gather the information necessary to comply with an information exchange request. In the following paragraphs, we discuss the challenges countries face in protecting confidentiality and introducing safeguards, and we provide some recommendations.


Access to and collection of taxpayer information is addressed in the Income Tax Law or the Tax Administration Act. Once the information has been collected by the tax administration, it can be exchanged with other tax administrations. The legal basis for exchange is an instrument that is either bilateral (art. 26 of a bilateral tax treaty, or a tax information exchange agreement, TIEA) or multilateral (the Multilateral Convention on Mutual Administrative Assistance in Tax Matters). For automatic exchange of information, two instruments are relevant: the Multilateral Competent Authority Agreement (MCAA) regarding CRS and the one regarding Country by Country Reporting.

Rules to protect the confidentiality of taxpayer information are found mainly in domestic law, either the Income Tax Law or the Tax Administration Act. Examples are rules to restrict access to tax information and to ensure that tax information exchanged is protected. In our 2017 comparative study mentioned above, we found that these rules differ among countries, in particular the restrictions on access to confidential information, on the storage of the information (including requests for information within the tax administration) and on obtaining the information required from another tax unit.

Countries are facing challenges in protecting confidentiality in exchange of information, and even more so in automatic exchange of information, where bulks of information are being exchanged. Therefore, safeguards are needed to guarantee confidentiality and to prevent situations where a leak of information may result in risky situations for the taxpayer and the family. Furthermore, since information is not only exchanged with tax officials but also for other purposes (corruption, illicit money flows), it is important that rules to protect confidentiality also extend to government officials, oversight authorities, civil servants, third parties (with contracts with the tax administration, e.g. software developers) and the public in general, with clear sanctions and remedies in case confidentiality is breached.

For instance, in our 2017 comparative study, one best practice that can be shared was found in South Africa, which extends the obligation to maintain confidentiality to persons to whom confidential information was improperly disclosed (Section 67 (3) of the Tax Administration Act 28 of 2011). This provision may have consequences or result in sanctions where, for instance, the information used is stolen or improperly disclosed. Such a provision does not appear in Brazil, Colombia and Uruguay. Another interesting case in South Africa is the introduction, on the 29th February 2016, of detailed regulations for the automatic exchange of information, including the confidentiality requirements to implement it.

Following our short analysis above, and our 2017 comparative study, we recommend that countries:

  • Introduce rules for confidentiality that provide sufficient protection to the taxpayer in case of breach of confidentiality or misuse of information exchanged, with specific sanctions and remedies.
  • Introduce rules to address personal data, genetic data and biometric data as taxpayer (sensitive) information subject to the provisions of confidentiality.
  • Introduce rules to regulate who has access to the data, and extend the same duty of confidentiality that applies to tax officials to all government officials, oversight authorities, civil servants, third parties and the public in general, including persons to whom the information has been improperly disclosed.
  • Enhance transparency and publicity of confidentiality rules, sanctions and remedies in case of breach of confidentiality or improper disclosure (use of stolen or illegally obtained information).
  • Introduce rules for training of local tax officials regarding exchange of information, confidentiality and safeguards.


In the international instruments mentioned above, the rules to safeguard the confidentiality of information exchanged, including automatic exchange, are limited. Examples of non-binding instruments are: (i) the 2006 OECD Manual on Information Exchange, (ii) the 1980 (updated in 2013) OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, (iii) the 2013 OECD Guide on the Protection of Confidentiality of Information Exchanged for Tax Purposes, (iv) the UN 1990 Guidelines on Privacy and Data Protection, and (v) the 2005 Asia-Pacific Economic Cooperation (APEC) Privacy Framework.

One binding instrument (the only one at the time of writing) is the Council of Europe (CoE) Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data 1981 and its Additional Protocol of 8 Nov. 2001 (access to third countries). This Convention has been ratified by CoE members and also non-members (Argentina, Cabo Verde, Mauritius, Morocco, Senegal, Tunisia and Uruguay). This Convention was recently updated, in October 2018, to address big data. One of the drawbacks of this Convention is that it only addresses personal data and leaves out the protection of business data (e.g. trade secrets).

In a 2017 article with Filip Debelva (Privacy and Confidentiality in Exchange of Information: Some Uncertainties, Many Issues, but Few Solutions, Intertax, 45 (5): pp. 362-381) we presented, based on the international instruments mentioned above, our own proposal for safeguards applicable to exchange of information, including automatic exchange of information. In the 2017 article (p. 380), we recommended the sending of data if the following cumulative conditions are met:

  • similar data can be received from the receiving State (reciprocity);
  • the receiving State ensures adequate protection of confidentiality and data privacy that is guaranteed by a follow up by the supplying State to guarantee the respect of such confidentiality in the receiving State (security safeguards);
  • the exchange is adequate and relevant in relation to the purpose or purposes for which they are processed (purpose specification);
  • the sending of data does not constitute an excessive burden for the tax administration that lacks the administrative capacity or technical knowledge to develop a secure electronic system to exchange data (proportionality);
  • the data controller has the duty to carry out regular checks of the quality of personal data (accuracy).

In a blogpost in GLOBTAXGOV, and in an article in 2018, we addressed the 1981 CoE Convention with its 2018 Protocol. In a nutshell, in order to protect automatic processing of personal data in a world of big data, the 2018 Protocol recommends:

  • Reinforcing the powers and independence of the data protection authorities and enhancing legal basis for international cooperation;
  • Greater transparency of data processing;
  • Stronger accountability of data controllers, including the obligation to declare data breaches;
  • Regarding privacy, the Convention recommends the “privacy by design” principle, i.e. the design of the data processing is done in such a way that it prevents (or minimizes) the risk of interference with the data subjects’ rights and fundamental freedoms;
  • Regarding decision-making in a world of big data, art. 11 introduces new rights for persons in an algorithmic decision-making context, which are particularly relevant in connection with the development of artificial intelligence. For instance, (i) in order to obtain confirmation of the processing of personal data on request, at reasonable intervals, and without excessive delay or expense, the communication of the processed data must take place in an intelligible form in order to ensure the transparency of processing, and (ii) data subjects have the right not to be subject to a decision significantly affecting them based solely on an automated processing of data without having their views taken into consideration.

Way forward

The OECD has stated in the 2019 report to the G20 the need to ensure that the exchange of information “meet the expected standards of confidentiality and data safeguards” (p. 20). In addition, the OECD is providing technical assistance to members of the Global Forum on Transparency and data safeguards. However, despite the good efforts of the OECD, there is no specific multilateral instrument that provides for safeguards to protect the confidentiality of the information exchanged.

One example that illustrates this is the breach of the Bulgarian tax agency’s security systems in July 2019, which resulted in a data leak that exposed financial account information of four million Bulgarians and foreign taxpayers. This breach led Switzerland and other countries participating in the Global Forum on Transparency to stop information exchange with Bulgaria.

In the international instruments mentioned above, the rules to safeguard the confidentiality of information exchanged, including automatic exchange, are limited. Therefore, in Latin America, countries (e.g. Brazil) have followed the OECD Manual for exchange of information, and some countries (Argentina, Uruguay) have adopted the Council of Europe Convention on the automatic processing of personal data.

In our view, exchange of information requires adequate protection, and even more so now that bulks of information are being exchanged following the BEPS Project. It is the responsibility of the tax administrations to ensure that the exchange of information has sufficient safeguards to protect the confidentiality of the information exchanged. Our recommendation for countries in Latin America (but also extended to other countries, including African countries) is to introduce rules to protect confidentiality as mentioned in section 2 above and to sign and ratify the CoE Convention on Automatic Processing of Personal Data, including the 2018 Protocol applicable to big data.