In recent years, two important legal developments have accelerated and are currently on a collision course. The first is the rapid proliferation of data-privacy laws across the globe. As explained below, these laws--such as the European Union's recently enacted General Data Protection Regulation (GDPR)--broadly prohibit unauthorized collection and transmission of data under the threat of substantial financial and other penalties. Indeed, on January 21, 2019, France's National Data Protection Commission fined Google €50 million for violating the GDPR. (1)
The second development is the Internal Revenue Service's expanding ability to seek and obtain data from taxpayers all over the world. The IRS has an increasingly diverse set of tools that generally require taxpayers to collect and transmit data to the IRS, also under the threat of substantial financial and other penalties.
What are taxpayers--who might be subject to one set of penalties if they transmit data to the IRS and another set of penalties if they do not--to do? This article examines that question and concludes with a handful of recommendations for taxpayers and one request of the IRS: that the IRS issue guidance clarifying its position on the looming collision between the proliferation of data-privacy laws and the IRS' growing assortment of information-gathering tools. In short, finding ways to provide the IRS with the information it needs without risking fines and penalties for violating data-privacy laws is a laudable goal that taxpayers and the IRS should pursue.
Rapid Proliferation of Data-Privacy Laws Across the Globe
In the past year alone, there has been a significant and rapid development of privacy laws worldwide addressing the collection, use, and disclosure of personal data. The GDPR in Europe, which took effect in 2018, has led the way. Arguably the strictest privacy law in the world, the GDPR regulates how companies may collect and use the personal data of EU residents. In the United States, data-privacy laws have tended to be industry-specific--for example, the Gramm-Leach-Bliley Act governs nonpublic personal information collected by financial institutions, (2) the Health Insurance Portability and Accountability Act (HIPAA) governs medical data, (3) the Family Educational Rights and Privacy Act (FERPA) governs privacy of student education records, (4) and the Children's Online Privacy Protection Act (COPPA) governs the online collection of information from children under age 13. (5) But now a growing number of states are proposing and passing their own data-privacy laws seeking to regulate the use of personal data of their residents outside industry-specific contexts. The introduction of these laws by state legislatures--currently at an all-time high--reflects a developing trend toward regulating personal data and protecting the privacy of residents. One example is the recent California Consumer Privacy Act (CCPA), which bears similarities to the GDPR.
This article focuses in particular on the obligations imposed on businesses and restrictions on sharing personal data under the GDPR and the CCPA. However, other data-privacy laws may apply depending on whose data a taxpayer collects and where those subjects are located.
The GDPR (2016/679), which went into effect on May 25, 2018, significantly changed how companies may collect and use the personal data of EU residents. This sweeping regulation applies to all organizations within the EU--as well as those outside the EU, if those organizations offer goods or services to, or monitor the behavior of, individuals residing in the EU. (6) The extraterritorial scope of the GDPR represents a substantial expansion of data protection obligations to cover all processing activities relating to EU-based data subjects. As a result, the GDPR affects U.S. organizations with employees, customers, clients, or investors located in the EU or that collect personal data about individuals located in the EU.
The GDPR defines "personal data" broadly as any information that relates to an identified or identifiable natural person. (7) An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to "a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person." (8) Under the GDPR, therefore, personal data can include basic information such as names, home addresses, email addresses, and work contact information.
The GDPR generally prohibits transfers of personal data to countries outside the EU if those countries have not been recognized by the European Commission as having adequate data protection. (9) The United States, for example, is considered not to have an adequate level of data protection. This means that an organization cannot lawfully transfer personal data of individuals located in the EU (that is, data protected by the GDPR) to the United States unless one of the following mechanisms is in place: 1) an agreement containing the EU Standard Contractual Clauses; 2) the organization has Binding Corporate Rules (which govern intragroup data transfers); 3) the organization has an EU-U.S. Privacy Shield certification; or 4) one of the GDPR's specific derogations applies, such as the explicit, informed consent of the data subject, a transfer that is necessary for the performance of a contract between the individual and the organization, or a transfer that is necessary for important reasons of public interest or to establish, exercise, or defend legal claims. (10) Even if a data request derives from a non-EU governmental or regulatory body (for example, the IRS), such a request is recognized or enforceable only if it is based on an international agreement such as a mutual legal assistance treaty.
Moreover, to the extent that an organization relies on service providers or others to process the personal data of EU residents--whether for its own operations or where needed to respond to an inquiry from a governmental or regulatory body--the GDPR mandates that contracts with such processors include certain key clauses. These clauses typically apply to the processor and include a restriction on processing data other than on documented instructions, a requirement that those authorized to process personal data commit to maintaining its confidentiality, and the obligation to implement all measures to ensure appropriate security. (12) To comply with these requirements, many organizations execute data processing addenda with vendors.
Violations of the GDPR carry steep fines and penalties--up to the greater of four percent of a company's total worldwide annual turnover or €20 million (nearly $23.5 million). (13) Therefore, companies needing to collect, review, and transfer documents and information deriving from sources in the EU are strongly encouraged to first consider 1) whether the data includes personal data of individuals located in the EU and, if so, 2) whether a lawful mechanism is in place to transfer the data from the EU to the United States.
"GDPR-Lite" in the United States
Less than a year after the GDPR went into force, California enacted the CCPA. The law takes effect on January 1, 2020, although enforcement by the Attorney General's Office is likely to be delayed until July 1, 2020. Although not as strict as the GDPR, the CCPA is a comprehensive consumer...