The Panama Paper leaks could see governments chase transparency as clients fight a data breach says James Castro-Edwards
Mossack Fonseca, the Panama based law firm is at the centre of a furore following what has been described as one of the largest data breaches ever reported. The leaked data allegedly includes information concerning the beneficial ownership of offshore companies and identifies a number of high profile figures using offshore schemes. The revelations have already triggered investigations by governments around the world.
Over eleven million documents are reported as having been leaked, showing how Mossack Fonseca helped its clients avoid tax, launder money and circumvent sanctions. The documents were passed to German newspaper Sueddeutsche Zeitung and the International Consortium of Investigative Journalists. The firm is based in Panama but operates globally and its services include offshore company incorporation. The use of offshore companies is legal and may be used for a variety of legitimate purposes, however, tax evaders and money launderers can benefit from the anonymity of these corporations to conceal illegal activity.
The leak comes at a time when laws governing the use of information are becoming more complex and companies increasingly face the challenge of maintaining a balance between protecting individuals’ privacy while making some types of information available to government bodies.
Data protection laws seek to protect individuals’ information by imposing obligations upon organisations. For example, the European draft General Data Protection Regulation, likely to take effect in 2018, would enable fines of up to 4 per cent worldwide annual turnover to be imposed upon organisations that fail to protect personal information adequately.
At the same time, an emerging body of case law recognises privacy as a fundamental human right and recent developments in English common law could allow individuals to sue companies where the misuse of their personal information causes distress, even where no financial loss has been suffered. Organisations that fail to adequately protect personal information risk regulatory action for breaching data protection legislation as well as civil claims by individuals for breaches of privacy. Mossack Fonseca potentially risks actions by both regulators and affected clients and ex-clients.
In direct contradiction to the protection of individuals’ privacy, many governments are increasingly seeking to adopt laws mandating the disclosure of certain types of information where doing so serves the wider public interest. For example, from June of this year, following the Small Business, Enterprise and Employment Act 2015, all UK companies must maintain a register of people exercising significant control over them (or PSC Register), in a move to make company ownership more transparent.
Other proposed legislation would require the retention of communications data to assist with the detection and prevention of criminal activity and terrorism. This trend towards transparency and government access is likely to continue as governments seek to crack down on tax avoidance. A highly likely consequence of the Mossack Fonseca data breach is that it will provide governments around the world with justification for imposing more rigorous transparency obligations.
James Castro-Edwards is Partner and Head of Data Protection at Wedlake Bell LLP