W HEN THE Foreign Account Tax Compliance Act ( FATCA ) was passed by America’s Congress in 2010, it was overshadowed by the jobs bill into which it had been shoehorned as a revenue-raising provision. But of the two, FATCA packed the stronger punch. The law, designed to stop Americans stashing money abroad to evade tax, ushered in a global revolution in financial transparency. It forced banks worldwide to start coughing up, via their tax agencies, information on clients with links to America. And it spawned the Common Reporting Standard ( CRS ), whereby over 100 countries swap data with each other to discourage cross-border tax dodging.

FATCA ’s detractors extend well beyond the tax-shy, however. Sifting clients for “ US persons” has given financial firms a compliance headache. Some have refused to serve Americans living overseas for fear of fines under FATCA ’s draconian provisions. Many of the roughly 9m Americans based abroad—including “accidental Americans” who have spent most of their lives elsewhere but face tax liabilities in America because they were born there, making them citizens—have formed groups to lobby for less brutal treatment.

Some critics go further, arguing that a principle is at stake. They maintain that FATCA and the CRS have swung too far towards transparency and away from privacy. And they see potential for redress in the European Union’s data-protection laws.

A woman known only as Jenny, represented by Mishcon de Reya, a British law firm, is trying to raise £50,000 ($62,000) on a crowdfunding site to challenge the right of HMRC , Britain’s tax authority, to pass her information on to America’s Internal Revenue Service ( IRS ). Jenny, a university researcher born in America but resident in Britain for nearly 20 years, claims the transfer breaches her rights under the EU ’s General Data Protection Regulation of 2016. She argues that her information is irrelevant to FATCA ’s objective—to catch tax evaders—because she earns less than $104,000 and thus qualifies for an income-tax exemption under American rules.

Jenny is not the first to challenge FATCA . A group called the Association of Accidental Americans brought a case in France, but it was dismissed. An anti- FATCA lawsuit in America, backed by Rand Paul, a Republican senator, was tossed out in 2017 on the ground that America’s constitution provides no expectation of privacy regarding financial records. But America’s data-protection standards are significantly lower than Europe’s, points out Filippo Noseda of Mishcon de Reya. The French case, he notes, focused on lack of reciprocity, not data privacy; America has been slow to share information on its own banks’ foreign clients. The EU ’s executive, parliament and data-protection authorities have all expressed queasiness over FATCA .

Officials in America and at the OECD , a club of 36 countries that oversees the CRS , brush off concerns that information-sharing might undermine data security. But such fears are understandable. Bulgaria’s tax agency has been hacked into, exposing the data of 5m taxpayers, including information exchanged under the CRS . America’s IRS has not suffered a comparable breach but its computer systems are rickety. State tax agencies, including South Carolina’s, have had data stolen.

Mr Noseda sees Jenny’s claim as an important test case which, if successful, could spawn others. Another client of Mishcon de Reya has complained to Britain’s data-protection regulator about HMRC ’s data-sharing under the CRS . The law firm has also been instructed by a European company to look at ways of challenging national public registers of corporate ownership. With registers “it’s the same argument but more so, since the information is shared not just with tax authorities, but everyone,” says Mr Noseda.

Anti-corruption campaigners pooh-pooh such efforts, which they view as doomed rearguard actions by a tax-averse elite. But Mr Noseda insists it is about more than minimising tax bills: “There is a big tension between transparency and privacy, and we need to find the right balance.”■