Timothy Pilgrim, Privacy Commissioner
- The Office of the Australian Information Commissioner (OAIC) welcomes this opportunity to provide comment to Treasury on the advantages and disadvantages of an intergovernmental agreement (IGA) between Australia and the United States (US) in relation to the US Foreign Account Tax Compliance Act (FATCA).
- The OAIC was established by the Australian Information Commissioner Act 2010 (the AIC Act) and commenced operation on 1 November 2010.
- The OAIC is an independent statutory agency headed by the Australian Information Commissioner. The Information Commissioner is supported by two other statutory officers: the Freedom of Information Commissioner and the Privacy Commissioner.
- The former Office of the Privacy Commissioner was integrated into the OAIC on 1 November 2010.
- The OAIC brings together the functions of information policy and independent oversight of privacy protection and freedom of information (FOI) in one agency, to advance the development of consistent workable information policy across all Australian government agencies.
- The Commissioners of the OAIC share two broad functions:
  - the FOI functions, set out in s 8 of the AIC Act – providing access to information held by the Australian Government in accordance with the Freedom of Information Act 1982, and
  - the privacy functions, set out in s 9 of the AIC Act – protecting the privacy of individuals in accordance with the Privacy Act and other legislation.
- The Information Commissioner also has the information commissioner functions, set out in s 7 of the AIC Act. Those comprise strategic functions relating to information management by the Australian Government.
- FATCA is US tax legislation passed by the US Congress. It has been described by the US Internal Revenue Service (IRS) as 'an important development in US efforts to combat tax evasion by US persons holding investments in offshore accounts.' It was signed into law in March 2010 with reporting obligations for financial institutions scheduled to commence on 1 January 2014.
- This US law applies to financial institutions worldwide. Its provisions require non-US based financial institutions to sign individual agreements with the IRS to provide the IRS with information about accounts and account holders exhibiting US indicia. Non-US based financial institutions that fail to comply with this law may have 30 per cent of their US-sourced payments withheld by a withholding agent in the US.
- The OAIC understands that many financial institutions and governments worldwide, including in Australia, raised concerns with the US Government about how the obligations imposed on financial institutions by FATCA would interact with the laws and legal restrictions in their respective jurisdictions.
- In February 2012 France, Germany, Italy, Spain and the United Kingdom issued a joint communiqué with the US outlining that they were working together on an intergovernmental approach to resolve legal issues associated with FATCA compliance.
- In July 2012 a Model IGA was released by the US Government, which was supported by France, Germany, Italy, Spain and the United Kingdom. In September 2012 the United Kingdom signed an IGA with the US under which the information required by the FATCA provisions will be exchanged.
- The Australian Government is now exploring the feasibility of entering into an IGA with the US based on the Model IGA. The IGA under consideration by the Australian Government is a reciprocal agreement that would oblige both Australia and the US to exchange information held by financial institutions in each country about account holders who exhibit certain indicia indicating they may be a citizen or resident of the other country for tax purposes.
- The Treasury states the objective of an IGA to implement FATCA would be to minimise compliance costs for Australian stakeholders and to enhance existing tax cooperation arrangements between Australia and the US. The OAIC understands that an additional aim is to address legal issues associated with FATCA compliance in Australia.
- As the privacy regulator in the Commonwealth sphere, it is not the OAIC's role to recommend which of the proposed FATCA implementation models is more advantageous. However, the OAIC appreciates this opportunity to make comments on the privacy issues associated with implementing FATCA through an IGA.
- The OAIC would appreciate the opportunity to consider and comment on any future policy documents or legislation arising from an IGA with the US in relation to FATCA.
- The advantage of the Australian Government seeking to implement FATCA activities in Australia via an IGA is that it provides an opportunity to ensure that the best possible privacy outcomes are achieved.
- In particular, there would be an opportunity to:
  - have parliamentary scrutiny of the implementation approach
  - develop consistent protections for the exchanged information
  - exclude low value accounts and therefore minimise the number of account holders whose personal information needs to be exchanged
  - leverage existing information exchange channels.
Explanation of each of these points is set out below.
- Based on the OAIC's understanding of the 'individual agreements' option, these opportunities are unlikely to be available if each financial institution negotiates its own FATCA agreement with the IRS.
- Entering into an IGA with the US would create an opportunity to bring the IGA and its information sharing obligations within the scrutiny of Parliament. This will provide Parliament with an opportunity to examine, among other issues, the privacy impacts of the implementation approach contained in the IGA and any enabling legislation.
- The OAIC suggests that, if information is to be exchanged on the basis of the proposed IGA, specific domestic legislative authority should be the basis on which an Australian Government agency is authorised to collect the personal information from domestic entities and to disclose that personal information to the US Government. Enacting the substance of the IGA into domestic legislation will ensure that the Australian Government's FATCA information sharing activities are appropriately subject to parliamentary scrutiny.
- On a related issue, specific domestic legislative authority would likely be necessary if the collection and disclosure of information under the IGA is to comply with the Privacy Act. For example, an Australian Government agency may be permitted to collect personal information from Australian financial institutions under Information Privacy Principle 1 (IPP), but the disclosure of that personal information to the US under the proposed IGA is unlikely to be permitted under IPP 11 unless an exception applies: for example, if individuals have consented to the disclosure or it is 'required or authorised by or under law'. Similarly, disclosure by financial institutions to the Australian Government may only be permitted if an exception under National Privacy Principle 2 (NPP) is met - for example, if individuals have consented to the disclosure or if it is 'required or authorised by or under law'.
- The OAIC understands from Article 3(7) of the Model IGA that it envisages that 'all information exchanged will be subject to the confidentiality and other protections provided for in the [Convention/Tax Information Exchange Agreement], including provisions limiting the use of information exchanged'.
- Assuming the Convention between the Government of Australia and the Government of the United States of America for the Avoidance of Double Taxation and the Prevention of Fiscal Evasion with respect to Taxes on Income (the Convention) will be the existing tax convention to which Article 3(7) refers, the OAIC acknowledges that the Convention provides some protection for personal information once it is disclosed to the US. The Convention provides that the information exchanged:
shall be treated as secret and shall not be disclosed to any persons other than those (including a Court or administrative body) concerned with the assessment, collection, administration or enforcement of, or with litigation with respect to, the taxes to which this Convention applies.
- While the OAIC acknowledges these existing protections, there is an opportunity for the Government to develop additional protections in relation to the handling of personal information exchanged for FATCA purposes. We expand on this point at paragraphs 47–51 of this submission.
- To assist in identifying the additional protections required, the OAIC suggests Treasury conduct a Privacy Impact Assessment (PIA) as part of its consideration of the feasibility of entering into this information sharing agreement with the US.
- A PIA allows an entity to identify and analyse privacy impacts during a project's design phase. The OAIC strongly encourages entities to undertake a PIA for any initiatives proposing changes in the way personal information is handled.
- Undertaking a PIA would assist Treasury to ensure the best privacy outcomes possible are achieved by identifying:
  - privacy impacts, issues and risks associated with the IGA
  - possible solutions to manage, minimise or eradicate those impacts.
- The OAIC has published a guide outlining the steps entities should take in conducting a PIA. A copy of the PIA Guide is available on the OAIC's website.
- The OAIC understands that the IGA process may allow for the exclusion of low-value accounts (generally those with a value of less than $50,000 as at 31 December 2013) from review, identification or reporting under the scheme, unless domestic rules provide otherwise.
- The OAIC supports excluding low-value accounts. Doing so could achieve a better privacy outcome by reducing the number of account holders whose personal information is being provided to the US, and protecting the personal information of those account holders whose information would otherwise have fallen within the scope of FATCA.
- The OAIC understands the strict exclusion of low value accounts under individual agreements is less certain. If low value accounts are not excluded then the personal information of additional account holders could be provided by Australian financial institutions to the US.
- The IGA approach is an opportunity for the Government to both leverage existing information exchange channels and limit the points from which personal information held in Australia will be exchanged with the US Government.
- There are likely to be advantages with an approach where all data to be exchanged under FATCA is disclosed from one Australian Government agency with experience in, and existing processes and safeguards for, transborder information exchange.
- Should it be decided that the Australian Tax Office (ATO) would be the Australian Government agency collecting and disclosing personal information from Australian financial institutions for the purposes of FATCA compliance, the ATO could use existing information exchange processes with the US. The OAIC acknowledges that the ATO has experience in exchanging information with the tax agencies of other countries, and notes that the exchange of information by the ATO would presumably be subject to existing review, audit and accountability mechanisms.
- The alternative under the individual agreements approach is that private sector organisations, some of whom may not have experience in securely transferring personal information to a foreign government, would individually transfer personal information to the IRS.
- The OAIC notes that private sector organisations have obligations in relation to the handling of personal information under the Privacy Act. However, there is an increased risk of a data breach or of personal information being mishandled when there are many Australian financial institutions transferring personal information to the US. This could be minimised if the transfer were conducted through an Australian Government agency.
- In addition, the internal processes of Australian Government agencies are subject to a high level of external accountability, review and audit mechanisms.
- The OAIC notes that if the IGA model is enacted into domestic legislation, then the transborder disclosure of personal information by an Australian Government agency would be based on a 'required or authorised by or under law' exception in IPP 11, whereas the transborder disclosure under the individual agreements model would likely need to be based on consent from the individual account holder, under NPP 9.
- The individual agreement model would therefore give an individual account holder more control over their personal information by allowing them to agree to have the information provided to the US, have tax withheld on payments into the account, or have the account closed. Where possible, disclosure based on consent is preferable as it provides individuals with choice as to how their personal information is handled. The Australian Government could therefore consider whether a consent model can be incorporated into the process envisaged under the IGA.
- The OAIC notes that, if the Government does proceed with the IGA approach, there are a number of additional privacy issues and concerns raised by the IGA that will need to be considered.
- Australian financial institutions and Australian Government agencies will continue to be bound by existing privacy law when undertaking FATCA compliance activities.
- For example, in the context of FATCA activities under an IGA, it will be particularly important for individuals to be made aware why personal information is being collected and to whom it may be disclosed. This includes notifying existing account holders, noting that the FATCA arrangements are likely to apply retrospectively to the personal information of existing account holders provided prior to the commencement of the provisions. Australian financial institutions will need to continue to meet their obligations under NPP 1, which requires an organisation to take reasonable steps to ensure an individual it collects personal information from is aware of certain matters including:
  - the purposes for which the information is collected
  - the organisations (or the types of organisations) to which the organisation usually discloses information of that kind
  - any law that requires the particular information to be collected
  - the main consequences (if any) for the individual if all or part of the information is not provided.
- Similarly, the relevant Australian Government agency administering the IGA must comply with the IPPs in handling personal information. This will apply both when the Australian Government agency collects personal information from Australian financial institutions and discloses it to the US, and when personal information is collected from the US government or US financial institutions.
- The Australian Government agency will also be required to treat any Australian tax file numbers (TFNs) it receives from the US in accordance with Australian law and the Tax File Number Guidelines 2011.
- The OAIC suggests that the enabling legislation or the accompanying explanatory memorandum could reiterate that Australian financial institutions coming within the remit of the IGA and the Australian Government agency administering the IGA must continue to comply with applicable privacy principles, including those outlined above.
- The OAIC is concerned about the accountability for the handling of personal information once it has been transferred from Australia to the US, and the protections that will be afforded to it.
- In particular, neither the Convention nor the IGA appears to include provisions regarding the storage, security and retention of personal information, access to information, correction of information, or the limits on the use of personal information.
- The key concern arising out of this is that if personal information transferred to the US is subsequently mishandled or in need of correction, then there are potentially no remedies available to an individual in Australia.
- The OAIC is concerned to ensure that the information sent offshore is handled appropriately and that individuals have access to remedies if their information is mishandled.
- The OAIC suggests the IGA could clarify the protections which will apply to the personal information once it has been exchanged, as well as providing remedies where information has been mishandled or is in need of correction.
- The OAIC is concerned that there is a risk of unnecessary personal information being collected and disclosed in connection with FATCA activities.
- The due diligence obligations in Annex I to the Model IGA would require Australian financial institutions to examine their records and search for any accounts exhibiting 'US indicia'.
- The OAIC understands that in general, where an Australian financial institution discovers US indicia in relation to an account with a value exceeding $50,000, they are required to report the account unless the account holder provides proof of non-US citizenship or residency for tax purposes to the financial institution.
- The threshold for exhibiting US indicia under the FATCA arrangements is very low. As any US indicia are enough to trigger the reporting obligation and place an onus on an account holder to positively prove that they are not a US citizen or resident for tax purposes, the OAIC is concerned at the scope for the disclosure of unnecessary personal information. That is, personal information of account holders who may exhibit some US indicia, but are not US citizens or residents for tax purposes, would be disclosed.
- There may be a number of reasons why an account holder with an Australian financial institution may exhibit 'US indicia'. For example, standing instructions to transfer funds to an account maintained in the US are regarded as a US indicium; however, this may include non-US citizens or residents who are sending remittances to family members in the US, perhaps to retired family members or other family members travelling or studying in the US.
- There may also be reasons why an account holder does not satisfy the Australian financial institution before the personal information is provided to the Australian Government agency or US that the individual is not a US citizen or resident for tax purposes. There is therefore a real risk that personal information not required under FATCA will be disclosed to the US.
- Article 5(1) of the Model IGA envisages that the competent US government authority would be able to directly contact an Australian financial institution in the case of minor or administrative errors.
- As noted above, the IGA does not displace Australia's existing privacy laws. The OAIC considers that an Australian financial institution responding directly to such contact in relation to minor or administrative errors may breach those privacy laws. This provision therefore raises similar problems to those the IGA is attempting to solve.
- This IGA provision could require Australian financial institutions to disclose personal information to the US government in contravention of the NPPs. NPP 2 limits the disclosure of personal information unless a relevant exception applies. Of the exceptions, the two relevant exceptions would be that 'the individual has consented to the use or disclosure' or 'the use or disclosure is required or authorised by or under law'. Therefore, unless the Australian financial institution's disclosure to the US Government was required or authorised by law, or made with the individual's consent, the disclosure would breach NPP 2.
- Even if that disclosure was required or authorised by or under law, the disclosure may not comply with NPP 9 (transborder data flows) as there is no exception to NPP 9 for disclosures which are required or authorised by law. Therefore, unless the Australian financial institution is satisfied the transborder transfer is allowed because of an exception in NPP 9 (such as consent), the personal information cannot be provided directly to the US government agency by the Australian financial institution.
- To reduce the risk of non-compliance by the private sector with privacy laws, the Government should consider making the Australian Government agency administering the IGA the sole point of contact regarding the collection and use of personal information under this scheme.
 See <www.treasury.gov.au/ConsultationsandReviews/Submissions/2012/Intergovernmental-agreement-to-implement-FATCA>
  ATS 16.
 Article 25(2) of the Convention.
 Articles II(A) and III(A) of Annex I to the Model IGA.
 NPP 2 also applies to limit the disclosure of personal information by private sector organisations – see paragraph 60 for discussion of NPP 2.