Mishcon de Reya page structure
Site header
Menu
Main content section
Abstract glass building

Belgian data protection authority declares FATCA processing illegal

Posted on 1 May 2025

In a seminal decision in a case brought by the Association of Accidental Americans, the Belgian data protection authority confirmed its previous finding that the FATCA related processing of sensitive personal and financial data by the tax authorities under the relevant FATCA Agreement represents is illegal. 

The judgment follows a small number of claims throughout Europe, including Jenny's case before the High Court in London.  

Read our summary of the decision

Filippo Noseda, the Mishcon de Reya Partner who has been leading the firm's work on the data protection implications of the US Foreign Accounts Tax Compliance Act (FATCA), as well as the OECD's Common Reporting Standard (CRS) and beneficial ownership registers commented: “The Belgian decision represents a victory for data protection and the Rule of Law in an extremely politicised context.”  

 “Our research shows that the European Commission believed as early as 2012 that processing sensitive personal and financial information under FATCA (the US Foreign Accounts Tax Compliance Act) was disproportionate and that the US offered lower levels of data protection than Europe.  However, following the UK's signing of the first bilateral Agreement against the negative advice of EU data protection experts, the Commission went along with the idea of "temporary" agreements to be signed by EU Member States.  Once that happened, our research shows that new Commissioners started resisting calls from campaigners and data protection authorities to review the position. We published a timeline and chronology of events based on internal EU documents and have been pressing the EU for the disclosure of additional documents that show the true extent of the problem. 

 “Nobody should engage in tax evasion. However, the fight against tax evasion must be conducted respecting the fundamental rights of compliant citizens. FATCA entails the automatic processing and transfer of sensitive personal data without any indicia of tax evasion, which exposes compliant citizens to serious risks for their data and the Belgian data protection authority confirmed its previous finding that a generalised processing of personal data violates the principle of proportionality enshrined in the EU Charter of fundamental rights and the GDPR.  The Belgian data protection authority also found that the relevant FATCA Agreement violates basic data protection principles, including the principle of purpose limitation and the prohibition against excessive data retention.  What's more, the decision confirms a previous finding from the UK's Information Commissioner's Office that affected citizens are not provided with sufficient information over the existence and extent of data processing, which violates the principle of transparency of data processing." 

Filippo added: "This is the second time that the Belgian data protection authority found that FATCA is illegal.  However, a previous decision handed down in May 2023 was appealed by the Belgian State on procedural grounds.  This is reminiscent of the approach taken by HMRC in Jenny's case.  Instead of engaging with the substance of Jenny's claim, HMRC mounted a procedural battle aimed at blocking any criticism of HMRC's handling of FATCA against the better judgment of the European Commission and the EU's data protection working party that had already reached the conclusions contained in the Belgian decision before HMRC jumped the gun and signed up to FATCA, thus opening the floodgates. Jenny's case remains pending before the UK's Information Commissioner's Office. 

Today’s judgment is likely to have practical implications beyond the EU, including the UK. The UK was the first country to sign a FATCA agreement with the US.  While the UK is no longer a member of the EU, the GDPR continues to survive in the UK, albeit with a new name (UK GDPR). Also, the EU Charter of fundamental right (which no longer applies to the UK) is based on the European Convention on Human Rights, which continues to apply to the UK. 

[The European Convention on Human Rights was the brainchild of Winston Churchill and remains relevant for the UK.  Art. 8 of that Convention introduced a right to privacy aimed at giving citizens back control over their lives after the horrors perpetrated by fascist States during World War II.  While the right to privacy is not absolute, any restriction is subject to the principle of proportionality and the Belgian decision confirms that the indiscriminate and generalised processing and transfer of data is disproportionate, and thus illegal.  At a time where populism is on the rise and the Rule of Law is under attack in liberal countries, the right to privacy and data protection is a principle worth fighting for.] 

Mishcon de Reya has been at the forefront of addressing the data protection implications of systems of automatic exchange of information under FATCA and the CRS, as well as public registers of beneficial ownership.  In 2018, Mishcon Academy, the firm’s think-tank, published a report entitled The Great Debate: Privacy vs Transparency’. The firm has also published its research into internal EU documents and its correspondence with the EU, the OECD, as well as the UK Information Commissioner’s Office to ensure accountability of the work carried out by public authorities and raise awareness over the underlying data protection issues.   

The firm's work in this area has been widely reported in the media (including The Financial Times, The Economist, TIME Magazine, Forbes and Bloomberg) and specialised press (including Tax Analyst  in the US and Trusts & Trustees in Europe).  

How can we help you?
Help

How can we help you?

Subscribe: I'd like to keep in touch

If your enquiry is urgent please call +44 20 3321 7000

Crisis Hotline

I'm a client

I'm looking for advice

Something else