Confidentiality in a transparent age
09 April 2018
Guernsey Finance Chief Executive Dominic Wheatley was recently part of a conference discussion panel on 'Confidentiality in a transparent age'. In an article for International Adviser, he discusses this highly topical issue which has profound considerations for many aspects of modern civil society.
Confidentiality is an issue with some significant pressure points – for instance between the demands of regulations such as GDPR to protect the privacy of personal data, and the demands of many for personal data to be publicly available – and areas where clarification is needed – for instance, the distinction between legitimate public interest concerns and public curiosity.
These issues are not straightforward and lend themselves to much subjective thinking. Furthermore, as with many aspects of human behaviour, obvious responses based on shallow thinking are as dangerous as simply avoiding the issues and making things up as we go along.
In the modern world we are, in a very real sense, our data, and our data is us. It impinges on all aspects of modern lives, and the data environment in which we live can have a profound effect upon the type of society that we create.
The right to privacy
I am old enough to have studied George Orwell’s 1984 before the date itself. From the innocent age of the 1970s the world he portrayed seemed alien and extreme. It no longer does.
The fact is that normal standards of privacy that applied in the pre-internet age have been substantially eroded by increasingly intrusive technology, increasingly data-led lifestyles, and changing social and political attitudes. For all of us, the impact of this is profound, but there is certainly a lot of disagreement about whether society is better or worse as a result. Most of us view it as the curate’s egg – good in places.
Most people, I believe, would accept that there must be rights to reasonable privacy in civilised society. The issue is not whether such rights should exist in principle, but who has them, in relation to what, and how they should apply. As with all subjective matters, there is a continuum between data that all agree should be private (such as personal medical records) and where all agree it should be public (such as the personal commercial interests of politicians). In between these lies a large grey area where opinions will vary widely and matters will often be viewed on the basis of specific circumstances rather than judged against defining principles.
This raises the very substantial issue of who decides what may and may not be kept confidential.
Regulation and law
Into this morass the EU has stepped in with their heavy boots and the General Data Protection Regulations. To be fair, they have done their best to deal with the extreme complexity of the issues but in the process have produced regulations that are themselves dazzlingly complex to normal people. To date, the main outcome has seen ordinary companies frightened by threats of extreme sanctions in the event of a breach.
The reality is that prescriptive regulations to deal with all facets of data protection were always going to be very complex, suffer from the usual law of unintended consequences, and only partially address the concerns that exist. Nor do they provide any real clarity on the core issue of what is and what is not legitimate privacy.
Most law has sought to limit the rights of the individual and corporations to privacy where governments have legitimate interests in the information involved. This has led to FATCA, CRS, Registers of Beneficial Ownership and so on. No doubt there is more of the same to come.
This is to be cautiously welcomed. There is more than a marginal difference between legitimate and reasonable privacy from the prying eyes of the merely curious and the rights of legitimate public authorities charged with the collection of taxes, the protection of citizens from crime and terrorism, and the general management of the property within their governance.
It is entirely appropriate, for instance, for a leading film actress plagued by paparazzi to use an offshore ownership structure to conceal her normal residential address, provided that she does not seek to keep her ownership of the property secret from the appropriate public authorities.
It is entirely appropriate for international capital flows to channel through offshore funds where the expertise and substance exists to reconcile the often-conflicting demands of multiple interested parties located in multiple jurisdictions, provided the authorities where investors reside get all the tax that is due to them, and those where invested assets are located likewise, and the offshore activity is itself taxed in line with international standards.
The right to legitimate privacy from public gaze cannot and should not be conflated with secrecy of income and assets from legitimate authorities. This is why, in common with other reputable offshore jurisdictions, Guernsey has enthusiastically adopted and implemented such initiatives as a 'first mover' rather than a reluctant follower.
Where are we today?
Demands for public access to personal data, however, are a very different matter.
Recent events have served to remind us that the right to a private life is fundamental, indeed being enshrined in the European Convention on Human Rights. It also features in the constitutions of many countries, including France, where its trust register was deemed unconstitutional and had to be discontinued as a public register.
It is unhelpful that common law in England does not contain any general privacy protections, especially where this comes up against the prescriptive requirements of GDPR. The inherent conflict between the two brings even greater uncertainty to an already muddy situation.
Even where public access to personal data exists, there has been disquiet at the idea that individuals' personal financial data can be secretly accessed without their knowledge. The tax authorities in Norway, where tax returns can be viewed online, have addressed these concerns by emailing every individual whose return is viewed to tell them who has viewed it. Clearly transparency needs to apply as much to the snooper as to the “snoopee”. Interestingly, the number of accesses has dropped substantially after the snoopers were outed.
It is worth noting that there is little global convergence in this area.
Throughout much of the world there is little effective limit to the access of governments to data, personal or otherwise. In the USA, secrecy is actively enabled and encouraged in many circumstances at levels that are not legally possible in western Europe. In many States there are even options within "quiet" or "silent" trusts under which settlors can prevent trustees from disclosure to beneficiaries themselves.
It is interesting to note that, throughout history, the most despotic regimes have sought to accumulate and abuse data about their subjects and matched a lack of privacy among the population with a lack of transparency regarding the affairs of the state.
What advice can be offered in a private wealth context?
It is easy to view privacy in terms of what levels of legal protection exist and what parameters of disclosure and publication exist within particular jurisdictions. However, that is only part of the picture.
The reasons for wanting privacy are important in defining the best strategy to deliver it. In the event of private information coming into the public domain, the damage caused – particularly the reputational damage – will be as much determined by the motivation for keeping it confidential as by the nature of the information per se. The avoidance of tax will play badly in the media, whereas the avoidance of paparazzi may get significant public sympathy.
While legal protection and a lack of disclosure requirements may be superficially attractive, there is also the issue of data security and the sustainability of arrangements, both in the jurisdiction of private wealth structures and in the increasingly extra-territorial requirements of those interested in accessing data.
Furthermore, there is little point in taking steps to prevent others being forced to divulge information that you yourself can be ordered to provide.
Guernsey’s Register of Beneficial Ownership, launched last year, goes to great lengths to limit access. It is held in an electronic format but on a closed system, so access to the information would require access to the physical building where the server is held. It is seen as a statement for Guernsey clients worldwide that the island will not compromise on data protection and privacy.
So I offer three pieces of generic advice.
Firstly, be clear about what information needs to be kept private and why. Ensure that all legitimate official interests are met and that arrangements themselves are not secretive.
Secondly, recognise the risk of private information getting into the public domain and have contingency plans in place to manage any reputational impact it may have. Be ready to explain why information is being kept private, and that these reasons are not contrary to the public interest.
Thirdly, as well as looking at the legal privacy environment, give consideration to the data protection environment and the technical environment in which data will be held. All the legal protection in the world cannot put the genie back in the bottle once it gets out.
Where are we headed?
Recent questions arising out of the Facebook/Cambridge Analytica case have brought matters of data security and privacy to prominence. These were already in play given the alleged abuse of data by malign agencies in recent elections.
The need for regulation and control of an industry dominated by large, politically unaccountable corporations controlled by a small number of individuals is obvious and increasingly urgent given the ever-growing importance of data in our lives.
It cannot be right for these fundamentally important issues to be decided by unaccountable media, nor by the clarion calls of public sentiment expressed through social media. The rule of law is as necessary here as in all aspects of civil society.
What is needed is far better legal clarity concerning how various existing legal rights and privileges will apply in practice, and how the parameters of our data lives will be decided.
The pending UK case regarding the so-called Paradise Papers is an opportunity for the courts to define clearly the obligations of the media regarding respect for confidential information. It may also be an opportunity for them to articulate clearly the difference between the public interest and the curiosity of the public. Clarity on both issues would be a welcome start.
We are already 34 years beyond 1984 and we are still working out the complexities and issues of the data age. Let us hope we can do so quickly enough to avoid it turning into a Brave New World.
Dominic Wheatley was a panellist at the Mourant Ozannes Guernsey Trusts Forum. Other panel members, some of whose comments are included in this article, were Matthew Guthrie of Mourant Ozannes, Nicole Mann from McDermott Will & Emery, and Julian Washington of RBC Wealth Management.
An original version of this article first appeared in International Adviser, April 2018