Belgium prohibits FATCA transfers to the US

The decision follows a number of complaints made under the EU's General Data Protection Regulation (GDPR) that argued that the FATCA reports exposed compliant bank account holders to disproportionate and unnecessary risks to their data protection and security. Since 2014, FATCA and the associated bilateral intergovernmental agreements have required non-US banks to routinely report American clients' bank accounts to the US Internal Revenue Service, usually via their own domestic tax agencies acting as intermediaries. The reporting takes place annually without any checking for indications of tax evasion, and most financial institutions file reports regardless of the amounts held in relevant bank accounts.

This led certain expatriate Americans in Europe to challenge the intergovernmental agreements under the GDPR. Vincent Wellens, of law firm NautaDutilh, led the accidental American and the Association of Accidental Americans (AAA) of Belgium in the complaint to the Belgian DPA. Belgium is the first EU Member State to allow such challenges. The DPA’s statement said the data processing carried out under the Belgian agreement does not comply with all the principles of GDPR, including the rules on data transfers outside the EU, and instructed the Belgian Federal Public Service Finance (FPS Finance) to stop the transfers and alert the legislator of the law's shortcomings. Wellens commented,'The decision of the Belgian DPA recalls the case law of the CJEU; that schemes aimed at generalised and indiscriminate collection and further processing of personal data, especially in the field of taxation, risk to be disproportionate. Indeed, they lead to the processing of data that are simply not necessary for the purposes and the aim pursued. In this case, the US aim to fight tax evasion and tax fraud via FATCA. As FATCA requires to process data of US nationals living abroad, most of whom never have to pay taxes in the US, it is manifestly out of proportion.'

FPS Finance defended its practice by citing a 'standstill' exception in article 96 of the GDPR, under which pre-existing international agreements could remain in force if they complied with the law applicable at the time they were concluded. However, the DPA ruled that this article was too limited in scope to permit the 'generalised and undifferentiated' processing of FATCA reports.

'Ordering the cessation of data flows to the United States under the FATCA agreement may seem harsh, but once we find that they do not comply with the applicable law, we are obliged to stop these data flows', commented Hielke Hijmans, chairman of the authority's Litigation Chamber. This principle has been confirmed in the European Court of Justice rulings known as the Schrems rulings, named after two pivotal cases brought by a Dutch privacy campaigner.

The decision confirms that governments are subject to the same GDPR obligations as commercial enterprises, commented Filippo Noseda TEP of law firm Mishcon de Reya, which has been supporting another complainant, an individual with dual Belgian and American citizenship. Noseda has now written to the data protection authorities of all EU Member States asking them to follow the Belgian lead.

Sources

• Belgian DPA
• Belgian DPA (decision 61/2023, PDF, French)
• Mishcon de Reya
• Bloomberg