Pending between Finnish publicly listed bank and the Finnish Tax Administration since 2013
A Finnish publicly listed bank (Bank A) finally got a closure to a case having been pending since 2013 relating to its obligation to provide the Finnish Tax Administration with certain information on its clients to be used for taxation purposes.
The Tax Administration’s information request included, amongst others, detailed information on
- Bank A’s customers
- Granted loans
- Insurances for which Bank A had acted as an insurance broker
- International money transfers for certain countries
- Statistics relating to international money transfers
One of the main questions the Supreme Administrative Court had to take a stand on was weather the Tax Administration’s information request was proportionate and limited to what is necessary in relation to the purposes (taxation of customers) as set forth under the GDPR as well as under Finnish Data Protection Act.
Tax compliance surveillance vs. GDPR’s requirement of data minimization
In the case at hand the information requested by the Tax Administration was not limited but concerned all customers included in Bank A’s customer register. The Tax Administration had, amongst other things, requested Bank A to provide it with a list including details of all its customers as per end December 2012.
Under the GDPR the legal ground on which the requested data could be submitted and processed by the Tax Authority is that this is necessary for the performance of a task carried out in the public interest (in this case taxation) or in the exercise of official authority vested in the controller (in this case the Tax Authority). To the extent personal data is processed on the mentioned grounds GDPR requires that it must also have a basis in Finnish law and that such basis must meet an objective of public interest and be proportionate to the legitimate aim (in this case taxation) pursued.
The relevant Finnish tax law, providing the Tax Authority with the right to request certain information for taxation purposes, has not been amended after the entry into force of the GDPR and does, therefore, not specifically include the principle of proportionality required by the GDPR. However, this principle of proportionality is included in the Finnish Data Protection Act.
Based amongst others on the above considerations the Supreme Administrative Court ruled that the impact of the delivery of all the requested information may, even if the information request did not cover all customer records, be compared with delivering an entire customer register and can, therefore, not be regarded as proportionate for the purposes of tax supervision.
It should be noticed that even if the Tax Administration placed its information request in 2013, i.e. before the entry into force of the GDPR, the Supreme Administrative Court assessed the lawfulness of the information request in light of the GDPR since, if having been deemed lawful, the information request would have been executed now in 2020 when the GDPR applies.
Reasonable costs for providing the requested data
The above discussed case was in fact more complex than explained above, and before the final ruling of the Supreme Administrative Court the case had already once been brought before the Supreme Administrative Court who, at that time, was requested to rule on the fair amount of costs involved for Bank A for complying with the Tax Administration’s information request. The Supreme Administrative Court, however, returned the case to the administrative court for the above assessment.
While Bank A held that the costs for providing the requested information was unreasonable (between EUR 450,000 – 560,000) the Tax Administration claimed that the estimated costs were not specified enough. In 2017 the administrative court, again, ruled that Bank A had not been able to prove that the above cost estimate would be exceptional or that the work load would be exceptionally high – especially when compared with other banks who had been requested to provide the Tax Administration with the same information (and who had not claimed that the costs and workload would be unreasonable). The administrative court stated that an increased workload and costs do not constitute grounds that under the Data protection Directive (95/46/EC) or the Finnish Data Protection Act (in force before GDPR) would free Bank A from providing the requested information.
Bank A appealed to the Supreme Administrative Court who, nevertheless, did not take a stand on the amount of the costs involved for Bank A but assessed the lawfulness of the Tax Administration’s information request in light of the principle of proportionality set forth in the GDPR and discussed above.
Key outcome of the ruling
While the Supreme Administrative Court ruled that it is not its task to assess how information requests should be carried out it, nevertheless, stated that it is clear that authorities must in the future specify and limit information requests to cover only such personal data that may be regarded necessary in order for the authority in question to be able to carry out its tasks. For the Tax Authority this may, for example, entail that it must be able to specify its information requests to cover transactions of a certain size or involving specific countries or to cover certain categories of customers by their size or line of business.
As regards the impact of high costs to the obligation to comply with an authority information request it would seem like a fair approach that such costs, especially if connected to information that the controller-entity should possess (even if having outsourced this obligation to a third party provider), cannot serve as a ground that would release the controller-entity from its obligation to provide the requested information. This particularly since, and as also noted by the administrative court, entities are free to decide on how to take care of their legal obligations and may this way control at least some of the costs connected with complying with authority information requests. As said above, however, the implication of high costs to Bank A’s obligation to comply with the Tax Administration’s information request was not this time tested before the Supreme Administrative Court.