I’ve watched tax authorities operate across Europe for years. Most follow rules. Some follow process. A few operate with powers so broad they create structural risk for everyone.
Italy just got called out for the latter.
In January 2026, the European Court of Human Rights ruled Italian tax authorities violated Article 8 of the European Convention on Human Rights. The issue: they accessed citizens’ banking data directly from financial institutions without judicial authorization and without notifying the taxpayers.
Two taxpayers challenged the system. The court agreed with them.
The ruling exposes a systemic problem: unfettered discretion dressed up as administrative efficiency.
The Mechanism Behind the Violation
Here’s how the system worked.
Tax authorities requested banking information from financial institutions during audits. No judge approved it. No independent review happened. The taxpayer found out only after the bank notified them.
In the cases triggering the ECHR ruling, taxpayers were notified by their banks in July 2019 and July 2020. They filed their applications with the court eight days and two weeks later. The speed of their response shows how immediate the privacy concern felt.
The Italian government argued existing remedies provided sufficient protection. The court disagreed.
The ECHR found none of the three remedies the government relied upon provided effective ex post judicial or independent review. One remedy depended on whether the tax authority issued an assessment notice, which happens years after the audit. Another was uncertain and inaccessible. The third lacked independence.
The court concluded Italian legislation did not contain sufficient safeguards against arbitrariness. In matters affecting fundamental rights, unfettered discretion creates structural fragility.
The ruling didn’t address two cases alone. It identified a systemic character in the shortcomings and called for general legislative reform.
Why This Pattern Keeps Appearing
Italy is not alone in granting tax authorities broad access powers.
Governments face pressure to combat tax evasion and fraud. The pressure creates demand for fast access to financial data. Administrative efficiency becomes the priority. Safeguards become obstacles.
The problem compounds when three conditions exist:
No clear legal criteria defining when access is justified.
No requirement for authorities to justify their decisions in writing.
No effective independent review after the fact.
When all three conditions exist, discretion becomes power without accountability.
The ECHR recognized this. The court noted in matters affecting fundamental rights, legal discretion expressed as unfettered power contradicts the rule of law. Authorities must justify their exercise of power.
This principle applies beyond tax audits. It applies to any system where access to private information happens without checks.
The Broader European Context
The Italian ruling follows another significant judgment. In February 2025, the ECHR ruled on Italgomme Pneumatici and Others v Italy, which concerned 13 applications by Italian companies challenging tax raids.
The court found Italian law did not place sufficient limits on the discretionary powers of tax authorities. The legislation lacked an obligation for the tax authority to justify why a raid was necessary. It did not adequately define the scope and purpose of investigations.
The pattern is consistent: broad powers, weak justification requirements, insufficient review.
Italy responded with Law No. 108/2025, which amended the Taxpayer’s Statute. The amendment requires authorizations and access reports expressly state the circumstances and conditions justifying the inspection.
The change represents progress. Tax authorities now must provide reasoned justifications rather than operating with broad discretion.
The reform remains insufficient. Italy still lacks effective ex post judicial review and detailed administrative guidelines defining the precise circumstances for access.
The Tension Between Tax Enforcement and Data Protection
Tax authorities operate under growing scrutiny across Europe.
The OECD requires countries to have laws ensuring confidentiality and safeguarding of data. Tax authorities must have information security management arrangements adhering to international good practice standards.
Taxpayers expect governments to treat their personal data with the highest standards of care.
The European Data Protection Supervisor recognizes the urgency of combating large-scale cross-border VAT fraud. The supervisor emphasizes exceptional access to administrative databases for law enforcement purposes must remain precisely what the name suggests: exceptional, clearly circumscribed, and carefully safeguarded.
Exceptional access should not become a backdoor precedent for broad or routine access.
The tension appears in other jurisdictions. A Belgian court asked the EU Court of Justice about the legality of transferring EU residents’ banking data to the United States under FATCA. The court must determine whether collecting and retaining tax data without a time limit and without evidence of tax evasion complies with GDPR.
The question tests the boundaries of tax authorities’ data access powers across Europe.
What This Means for Founders and Companies
If you operate in Europe, you face tax authorities with varying levels of discretion and oversight.
The ECHR rulings signal a shift. Courts are scrutinizing whether access powers contain adequate safeguards. Governments must justify their actions. Independent review must exist.
For companies, this creates both risk and opportunity.
Risk: Tax authorities still operate with broad powers in many jurisdictions. You face data access requests without prior notice or clear justification. Your ability to challenge those requests depends on local remedies, which are often weak or uncertain.
Opportunity: The legal framework is tightening. Courts are establishing clearer boundaries. Companies use these precedents to demand better process and stronger safeguards.
Here’s what to do:
Understand the local framework. Know what powers tax authorities have in your jurisdiction. Know what safeguards exist. Know what remedies you can access if authorities overstep.
Document everything. If tax authorities request banking data, document the request, the timing, the scope, and the justification they provide. Create a record you can use if you need to challenge the access later.
Monitor legislative changes. Governments are responding to ECHR rulings by amending laws. Track those changes. Understand how they affect your exposure.
Demand justification. If authorities access your data, ask for written justification. Ask what legal basis they rely on. Ask what scope the investigation covers. Make them state it clearly.
Prepare for audits with structure. The best defense against overreach is having nothing to hide and everything to prove. Maintain clean records. Separate duties. Install controls demonstrating compliance.
The Control Point
The ECHR ruling on Italy exposes a structural problem existing in many systems: power without accountability.
Tax authorities need tools to enforce compliance. Those tools must operate within boundaries. Clear criteria. Written justification. Independent review.
When those boundaries disappear, the system creates risk for everyone.
Italy must now establish specific rules indicating the circumstances and conditions for accessing taxpayers’ banking data. It must provide for effective judicial or independent review.
Other countries should watch closely. The precedent applies beyond Italy.
For founders and companies, the lesson is simple: privacy rights exist even in tax matters. Authorities must justify their access. You have the right to demand justification.
If you don’t have proof the access was justified, the system failed. If the system allows unjustified access, the system needs reform.
Structure protects you. Proof protects you. Knowing your rights protects you.
The court made that clear.
