Tax inspections: the balance between banking secrecy and the protection of privacy [1]

Carlotta Armuzzi [2]

1. The right to privacy in the European Convention on Human Rights and the Charter of Fundamental Rights of European Union

The right to respect for private life and the family, and the related right to protection of personal data, also defined as the right to privacy,[3] derives from international agreements and European law. In particular, the right to privacy[4] is guaranteed by the European Convention on Human Rights of 1950 (ECHR)[5] which establishes that this right cannot be curtailed by the State, unless a number of conditions are complied with[6]. More specifically, exemptions may be allowed provided: 1) they are “prescribed by law”,[7] which is essentially the principle of legal reservation; 2) they are deemed to be necessary in a democratic society for the protection of the public interest[8] (principle of proportionality).

The right to privacy also implies the right to protection of personal data, laid down in the Charter of Fundamental Rights of the European Union of 2000[9]. After restating the right to privacy in private life,[10] the Charter expressly recognized the right to protection of personal data[11]. The Charter, like the ECHR, established that these rights may be restricted by the State[12]. In particular, any restrictive measure must: 1) be “provided for by law”; 2) give rise to a “proportionate” and “necessary” limitation to the achievement of “general interest recognized by the Union” or to the need to protect the rights and freedoms of others (the “social function” of the exception).

The right to respect for private and family life and the related right to protection of personal data, laid down in the ECHR, are considered to be general principles of the European Union[13] and, since they are safeguarded by the Charter, they have the same legal value as the Treaties[14]. This means that the application of European Union law implies the application of these principles.  

2. Italian and European regulation of the right to protection of personal data

The right to protection of personal data is regulated by a specific European Directive[15]. It requires that the treatment (e.g. collection, processing, storage)[16] of personal data should: 1) take place in a legal manner;[17] 2) include the verification of their accuracy and subsequent updating (the “principle of accuracy”)[18]; 3) be inherent to the purposes for which it is performed[19] (the principle of relevance); 4) be avoided as much as possible[20] (the principle of proportionality). Violation of these principles implies, by express provision of the national legislature, the inadmissibility in a court of law of the personal data processed[21].

In implementing the Directive, the Italian Privacy Code also provides that, before adopting a regulation affecting the right to protection of personal data, the Minister concerned must consult the Italian Data Protection Regulator (Garante) for the protection of personal data[22]. As a rule, the protection of personal data (not of a “sensitive” kind),[23] requires the prior consent of those involved, but derogations are permitted and Member States also have the option to introduce further exemptions to protect the legitimate interests of the entity processing  the data. In Italy, in particular, when it is a public entity (such as the tax authorities) collecting, processing and storing personal data, the protection relating to the processing of personal data is normally limited to “disclosure” to the person concerned. However, in the case of sensitive personal data, the information cannot be processed without consent, except in specific cases. Under certain conditions,[24] Member States are allowed to make further exemptions.

Within these limits, Italy has stated that a public entity may proceed with the processing of sensitive data if and to the extent authorized by legislative provisions identifying the existence of a purpose of “overriding public interest”[25]. It is also specified that, with regard to tax matters, this interest is established by definition,[26] though the tax authorities are required to comply with the opinion of the Italian Data Protection Regulator on the protection of personal data in relation to the types of sensitive data that can be processed (relating to health, sexuality, and so on) and to the implementation of procedures (collection, processing, storage) in compliance with the provisions of the Italian Privacy Code.

3. Banking investigation and right to privacy     

In 2013, the Italian Courts[27] and the Italian Data Protection Regulator[28] limited the systematic intrusion of the tax authorities into the privacy of taxpayers, slowing down the trend towards total transparency in relation to the bank accounts of millions of citizens.

The Belgian Constitutional Court addressed similar issues in two decisions focusing on the proportionality of the obligations of collaboration and intrusion into the private sphere[29]. The Belgian Court dealt with the issue of access to bank data, and handed down some significant rulings. In particular, it ruled on the constitutionality of the law regulating banking investigation procedures, deeming it to be compatible with the right to privacy laid down in Article 22 of the Belgian Constitution and Article 8 of the ECHR.

The two judgments establish a connection between banking secrecy and a number of issues and, in particular, whether the protection of banking information falls within the broader scope of the protection of privacy; whether and to what extent privacy should be balanced against the financial interests of the State; whether and to what extent the taxpayer can invoke the right to remain silent.

Prior to these questions is the one of whether the taxpayer can cite safeguards upheld not only by internal laws, including constitutional guarantees, but also by the European Convention on Human Rights and the case-law of the European Court of Human Rights. On this last point, the Court ruled that the Belgian tax investigations must respect the limits and principles of the Convention. The case-law of the ECHR[30] is clear in considering the power of the State to raise taxes as bound by the limits derived from fundamental human rights, such as core property rights, including the right to privacy.

4. Conclusions

In this comparative study taking account of both the Italian and the Belgian experience, it is important to highlight that in Belgium, unlike Italy,[31] the legislation allows tax inspections only if there are specific and detailed conditions; it requires prior notice by the tax administration to the taxpayer; and the taxpayer can appeal to the competent court. It is on the basis of these robust safeguards that the Belgian Court deems tax inspections to be reasonably justified.

On the other hand, the Italian legislator, in abolishing banking secrecy, has left the tax authorities as the arbiters of when to initiate this type of assessment[32]. The tax administration has stated that banking investigations are allowed only if there is “strong evidence of tax evasion”: this condition, however, is not laid down by law.

In short, the present legislative framework gives rise to a risk that banking investigations may be carried out without any effective need. As a result, it must be concluded that the Italian regulation of banking investigations is not aligned with the right to privacy as regulated by the ECHR and by the European Charter of Fundamental Rights. Considering that the legislative provisions permitting the collection and processing of certain types of information can result in an infringement of human rights, how can this type of infringement be avoided? Information should be used by the tax authorities in a proportionate manner: otherwise a law seems to be needed to strike a balance between the constitutional rights concerned.

© Copyright Seast – All rights reserved

Footnotes    (↵ returns to text)
  1. How to quote this article: C. Armuzzi, Tax inspections: the balance between banking secrecy and the protection of privacy, in European Tax Studies, 2014, No. 2, (www.seast.it/magazine), pp. 40-45.
  2. Carlotta Armuzzi, PhD candidate in European Tax Law at European School of Advanced Tax Studies – Alma Mater Studiorum, University of Bologna, Italy.
  3. In Italy, the term “privacy” refers to the legislation implementing Directive no. 95/46/EC and regulating the protection of personal data: Legislative Decree no. 196/2003, knownas the Privacy Code.
  4. The European Court of Human Rights has clarified that Article 8: “protects the moral and physical integrity of the individual, including the right to live privately, away from unwanted attention» (cf., European Court of Human Rights,Sidabras e DÅ 3/4iautas v. Lithuania, October 27, 2004, par. 43).
  5. Art. 8, par. 1 ECHR, signed in Rome on 4 November 1950 and ratified by Italy with Law no. 848/1955, lays down that: “Everyone has the right to respect for his private and family life, his home and his correspondence”.
  6. Art. 8, par. 2 ECHR, establishes that: “There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others”.
  7. It required the measure to be based on a “domestic law” (cf., European Court of Human Rights,Shimovolos v. Russia, June 21, 2011, par. 67). This law must, moreover, be “accessible to the person concerned, who must, moreover, be able to foresee its consequences for him” (cf., European Court of Human Rights,Kruslin v. France, April 24, 1990, par. 27; EuropeanCourt of Human Rights, Lambert v. France, August 24, 1998, par. 23). Regarding the requirement of “foreseeability”, the Court considered this quality is lacking in national measures which do not establish “with any reasonable certainty what elements of the powers (…) were incorporated in legal rules and what elements remained within the discretion of the executive” (cf. European Court of Human Rights,M.M. v. United Kingdom, April 29, 2013,  194).
  8. According to the European Court of Human Rights “an interference will be considered ‘necessary in a democratic society’ for a legitimate aim if it answers a ‘pressing social need’ and, in particular, if it is proportionate to the legitimate aim pursued” (cf. European Court ofHuman Rights, M.M v. United Kingdom, April 29, 2013, par. 187).
  9. The Charter, signed on 7 December 2000, was adopted on 12 December 2000. In December 2009, with the entry into force of the Lisbon Treaty, the Charter acquired the same legally binding effect as the treaties (cf. Art. 6 , par. 1, the Treaty of the European Union – TEU). For this reason, the Charter was amended and proclaimed a second time in December 2007.
  10. Cf. Art. 7, Charter of Fundamental Rights of the European Union “Respect for private and family life”.
  11. Cf. Art. 8, Charter of Fundamental Rights of the European Union “Protection of personal data”.
  12. Cf. Art. 52, par. 1, Charter of Fundamental Rights of the European Union “Essence of the rights and freedoms recognized by the Charter”.
  13. Cf. Art. 6, par. 3, TEU.
  14. Cf. Art. 6, par.1, TEU.
  15. Directive n. 95/46/EC - Privacy Directive.
  16. For the notion of treatment cf. Art.2, par. 1, let. b), Privacy Directive and, in implementation, cf. Art. 4 of the Italian Privacy Code.
  17. Cf. Art. 6, par. 1, let. c), Privacy Directive and, in implementation, cf. Art. 11, par. 1, let. a) of the Italian Privacy Code.
  18. Cf. art. 6, par. 1, let. c), Privacy Directive and, in implementation, cf. Art. 11, par. 1, let. c) of the Italian Privacy Code.
  19. Cf. art. 6, par. 1, let. c), Privacy Directive and, in implementation, cf. Art. 11, par. 1, let. d) of the Italian Privacy Code.
  20. Cf. art. 6, par. 1, let. c), Privacy Directive and, in implementation, cf. Art. 11, par. 1, let. d) of the Italian Privacy Code. According to the European Commission, to verify compliance with the principle of proportionality it is necessary to determine whether a similar result could be accomplished by processing anonymous data or personal data of a different nature – cf. European Court of Justice, May 20, 2003 in joined cases C-465/00, 138/01 and 139/01, Österreichischer Rundfunk, par. 57). The Italian transposition of the principle in question confirms this approach (cf. Art. 3 Italian Privacy Code).
  21. Cf. art. 11, par. 2, Italian Privacy Code.
  22. Cf. art. 28, par. 2, Privacy Directive and, in implementation, cf. Art. 154, par. 4, of theItalian Privacy Code. However, the Data Protection Regulator must take action whenever the processing of personal data is likely to “present specific risks to the rights and fundamental freedoms, and for the dignity of the person concerned”.
  23. According to the Community wording, “special” – cf. art. 8, par.1, Privacy Directive.
  24. The derogations must be justified by “reasons of general interest”, and, in any case, on condition that prior notification has been sent to the European Commission (cf. Art. 8, par. 4, Privacy Directive).
  25. Cf. Art. 20, par. 1 of the Italian Privacy Code. In addition, the law has to specify the types of sensitive data and the “types of operations” that are permitted (eg. collecting, processing, and so on).
  26. Cf. art. 66 of the Italian Privacy Code.
  27. Court of Naples, Pozzuoli branch, judgment of February 21, 2013 – in Dialoghi Tributari n. 1/2013, p. 16 and Regional Tax Commission of Lombardy, branch of Brescia n. 76/65/2013.
  28. www.garanteprivacy.it doc. web. n. 1886775 and n. 2099774.
  29. Belgian Constitutional Court judgment of February 14, 2013 and judgment of March 14, 2013 –  www.europeanrights.eu.
  30. Cf, ECHR, André and another v. France, July 24, 2008; ECHR,Bernh Larsen Holding As and Others v. Norway, March 14, 2013.
  31. Further evidence of the ample administrative discretion characterising Italian banking investigations, in violation of the provisions of the ECHR and the Charter intended to protect the right to privacy, is provided by the fact that: I) no authorization needs to be notified to the taxpayer; II) the issuing of this authorization cannot be challenged in an action against the tax authorities nor before the competent court; III) it is not required for the authorization to specify any motives; IV) in cases before the courts, the absence of authorization does not invalidate the tax assessment notification.
  32. Cf. Art. 32, n.7, D.P.R. n. 600/1973.