French Finance Ministry Sued Over Global Surveillance Database
The bitcoin exchange Bull Bitcoin is suing the French finance ministry over its implementation of a crypto asset reporting framework that establishes a global surveillance database of cryptocurrency transactions.
"The EU has passed a law that puts the security and privacy of millions of Bitcoin users at risk," says Francis Pouliot, CEO of Bull Bitcoin, speaking from his home in Costa Rica. "We cannot in all good conscience do nothing about this. We must fight it with every legal means at our disposal."
What to the uninitiated may sound like yet another crypto-bro conspiracy theory is in practice as dangerous as it sounds. The European Union, along with over 70 other nations around the world, is building a transaction database of all cryptocurrency users – based on an unprecedented regulation, even within the commonly surveillance-excessive anti-money laundering (AML) landscape.
Under this new law, your entire transaction activity, from online purchases to transfers to self-custody, is reported to the authorities every year, without any grounds for suspicion.
So Pouliot is suing the French Finance Ministry – using a little known precedent from Belgium; and the Union's own charter on fundamental rights.
Global, Transaction-Wide Reporting
The Organization of Economic Co-Development (OECD), an international consortium that consists of 35 member countries who set standards and best practices for tax issues around the world, has been lobbying for a new tax-transparency law called CARF, or Crypto Asset Reporting Framework, that would effectively establish a massive dragnet surveillance network to track cryptocurrency transactions across countries and jurisdictions under the guise of tax compliance.
So far, 78 countries have subscribed to the CARF reporting framework, including Canada, the EU, the UK, and the United States.
CARF is an adaptation of the OECD's Common Reporting Standard, or CRS, that is tailored specifically to cryptocurrencies. Similar to CARF, CRS enables the cross-border sharing of tax-related information, wherein participating countries annually and automatically exchange account- and beneficial ownership information between each other as reported by financial institutions.
The main difference between CARF and CRS lies in the level of detail that is shared with the authorities. With CRS, this information is broadly limited to identifying information and account balances, whereas CARF captures users' transaction activity itself: annual totals, volumes, and the number of transactions for each category of activity — exchanges between cryptocurrency and fiat, crypto-to-crypto exchanges, payments, and transfers, including those to self-custodial wallets.
As the framework states, CARF reporting will enable the sharing of "relevant Transactions, which includes information on the Relevant Transactions carried out by a Crypto-Asset User that are reportable under the CARF, namely exchanges between Relevant Crypto-Assets and Fiat Currencies, exchanges between one or more forms of Relevant Crypto-Assets and Transfers (including Reportable Retail Payment Transactions and Transfers to unhosted wallets) of Relevant Crypto-Assets."
Once collected, the information is planned to be automatically shared with signatory countries for tax-obliged citizens – including those with rather questionable human rights records, like the United Arab Emirates, Uganda, Bahrain, and Azerbaijan.
But the sharing of financial information with authorities without just cause is not without precedent in Europe – a precedent Pouliot now plans to use to his advantage.
Suing the French Finance Ministry
DAC8, short for the Eighth Directive on Administrative Cooperation, encapsulates the EU's translation of the CARF framework into national regulations. And it has a lot of problems, Pouliot says, especially when it comes to the implementation currently active in France.
First, the implementing decree extends the reporting obligation to services, notably crypto staking and lending, that the French statute itself does not cover, which the petitioners argue exceeds the government's regulatory powers.
Second, and most importantly, the EU's DAC8 might violate Article 7 of the EU's own charter. It reads:
"Everyone has the right to respect for his or her private and family life, home and communications."
In 2022, in a case brought by Belgian bar associations, the EU Court of Justice struck down part of an earlier version of the same directive for breaching the Charter's privacy guarantee, confirming these directives can be invalidated when they go beyond what is strictly necessary. Bull Bitcoin's challenge argues DAC8's blanket, suspicionless reporting fails that same test.
"Most of our clients' data actually stays within our system," Pouliot told attendees of the Prague Bitcoin Conference in June, addressing the risks of DAC8 in light of the cybersecurity measures his firm employs to ensure that customer information is not leaked to third parties. "All of that is about to change."
"DAC8 turns every single crypto service provider into a data collection, aggregation, and transmission platform, sending all users' data directly to the tax authorities by integrating that data into the EU's Automatic Information Exchange program," Pouliot continued.
"Exchanges report all of these users' transaction activity to their own tax authority, along with their personal information. The national tax authorities aggregate all this information from all the crypto service providers into one big database – Not only that, the member states share their databases with each other, in effect creating a global crypto honeypot of extremely sensitive personal information."
To Pouliot, this means that cryptocurrency service providers are no longer just apps. "They are an extension of the surveillance infrastructure of the EU's tax authorities."
But the road to annulling a Directive like DAC8 is long, beginning with a referral to the European Court of Justice by French authorities.
Lives At Stake
The risks such a law subjects cryptocurrency users to is real – especially in France, a country which accounts for around 70% of all wrench attacks worldwide. By mid-April, wrench attacks in France were occurring at a rate of 2.5 cases per day, with the French interior minister announcing 77 verified cases of kidnapping, unlawful detention, extortion, or attempted extortion in the first half of 2026.
Behind the attacks reportedly lie sophisticated networks conducted by "remote organizers" recruiting petty criminals – many of them minors – over social media into hierarchical structures.
The data necessary to plan such attacks often stems from leaked personally identifiable information – such as Know Your Customer (KYC) data held at ransom by Coinbase employees at the end of last year, or customer databases from the hardware wallet provider Ledger, which were dumped for public view on darknet forums in 2020, and again hacked in 2026. Ironically, Ledger co-founder David Balland fell victim to a wrench attack in France himself last year, costing him a finger.
But France's trove of identifiable information can arguably be traced back to a single rogue tax employee, who sold information on cryptocurrency holders directly to criminals – as well as to the hacking of France's national bank account database, which exposed over 1.2 million sensitive records to the public; run by the very same tax authority now meant to keep the transactions of cryptocurrency holders safe.
In both cases, the public entrusted authorities with their personal information, and both cases have had real world consequences for cryptocurrency holders, while neither instills confidence that the French tax authority – or any authority, for that matter – should be trusted with the identifying information of individuals who are not suspected of having committed a crime.
Independent journalism does not finance itself. If you enjoyed this article, please consider making a donation. If you would like to note a correction to this article, please email corrections@therage.co