Search
Close this search box.

Belgium declares US FATCA in violation of EU GDPR

US FATCA in violation of EU GDPR

FATCA reporting

FATCA or the ‘Foreign Account Tax Compliance Act’ provides for the exchange of information with the IRS relating to US citizens residing abroad for the purpose of combating tax fraud.

Financial institutions in Belgium are required to forward any relevant financial data to the Belgian tax authorities, which in turn forward this to the IRS. This practice has officially been in place already since 2014, when Belgium and the US signed an Intergovernmental Agreement (IGA).

This reporting includes important financial information from both US citizens and US residents, as well certain legal entities or asset structures of which US taxpayers are beneficial owners. The emphasis with FATCA is on transparency and not, as such, on income taxation.

The cooperation between the EU and the US around FATCA has been part of a broader plan of the G20, the OECD and the EU to achieve an automatic exchange of information based on a single global standard. This standard, also known as the Common Reporting Standard (CRS) includes the minimum standard for information that is currently exchanged, at a European and global level.

Not GDPR compliant

To allow the exchange of information under FATCA, the Belgian tax authorities had to invoke an exception provided for in Article 96 GDPR (General Data Protection Regulation). This provision allows international agreements existing before the implementation of GDPR, to remain in force, provided they comply with the law applicable at the time they were concluded.

And this is apparently where the proverbial ‘shoe’ pinches…

To allow the exchange of information under FATCA, the Belgian tax authorities had to invoke an exception provided for in Article 96 GDPR (General Data Protection Regulation). This provision allows international agreements existing before the implementation of GDPR, to remain in force, provided they comply with the law applicable at the time they were concluded.

After a complaint was filed back in 2020 by a taxpayer with dual Belgian and American citizenship (represented by the ‘Accidental Americans Association of Belgium’), the Belgian Data Protection Authority (DPA) recently came to the conclusion that the exchange of information with the IRS does not comply with the principles of the GDPR and should therefore be stopped.

More precisely, the DPA stressed that the ‘stand still’ effect of Article 96 GDPR is limited in scope and must be read in a restrictive way. EU Member States should always (re)negotiate an agreement to make it GDPR compliant.

The current existing generalized and undifferentiated transfer of tax data does not respect:

  • Principle of purpose limitation: FATCA does not contain precise objectives for the transfer of data;
  • Principle of proportionality and data minimisation: only data strictly necessary for the reason FATCA was initially established – in this case fighting tax fraud – can be processed.

The Belgian DPA concluded that FATCA does not contain sufficient safeguards to ensure that exported personal data is granted a similar level of protection as data exchanged within the EU.

Unlawful data flow

The Belgian DPA declared the exchange of information under FATCA to be unlawful and decided to prohibit the transfer of personal data of Belgian ‘Accidental Americans’ by the Belgian tax authorities to the IRS (or basically to any country outside the EU).

An Accidental American is someone whom US law deems to be a US citizen, but who has only a tenuous connection with that country. The term is used to describe approx. 300,000 Europeans who, while born in the US, only lived there for a very short while or not at all. They are often unaware of the US tax and financial reporting requirements associated with their US nationality until they encounter problems when opening a non-US bank account abroad with their status as a US citizen.

The Belgian DPA has instructed the Belgian tax authorities to provide, in an accessible manner, a complete overview of all taxpayers subject to the data processing as part of the FATCA agreement and its modalities. It also instructed them to carry out a ‘DPIA’ (Data Protection Impact Assessment) which is an analysis of the risks associated with this type of data processing.

That’s not all folks!

While the recent decision from the Belgian DPA could still be appealed, this is the first time that FATCA has been officially declared unlawful. This on the grounds that it violates European and national laws on personal data protection and privacy, including the EU GDPR.

The basic problem is that EU Member States breach their own laws in order to comply with US law,” Fabien LEHAGRE, founder of the Paris-based Accidental Americans Association (AAA), said in a statement afterwards.

In June 2021, the Slovak DPA had already cast doubt on the legality of FATCA-induced data transfers, but Belgium is the first to prohibit tax authorities from processing and sending data to the IRS.

Another case is also pending before the French Conseil d’Etat, and the AAA has also launched a lawsuit in the Netherlands and in Luxembourg. The AAA has confirmed there is more to come. It also plans to file similar lawsuits in Italy, Germany, Ireland and Norway.

Share