In the last decade, there have been major developments in the areas of exchange of tax information and data protection. Technological developments have facilitated the processing of personal data and have led to more efficient tax administration and tax enforcement as well as a substantial increase of the volume of personal data processing. In the area of exchange of information, automatic exchange of financial account information, tax rulings, country-by-country reports and reportable cross-border arrangements have been and are being introduced in the European Union and on a global level. In addition, public country-by-country reporting is currently being discussed. In the area of data protection, the General Data Protection Regulation was adopted on 27 April 2016 after four years of negotiations and entered into force on 25 May 2018. It replaces the Data Protection Directive and provides for further harmonization of data protection in the European Union. What is more, the ECJ has stressed the importance of data protection in some high-profile cases. In Digital Rights Ireland (Joined Cases C-293/12 and C-594/12), the ECJ declared the Data Retention Directive invalid and, in Schrems (Case C-362/14), the ECJ held that data processing on the basis of the Safe Harbour Agreement that the European Union had concluded with the United States was not in line with EU data protection safeguards. We can thus observe an expansion of both data protection and exchange of information. These two fields of law, however, are not always easy to align with each other.