Following a number of GDPR complaints, including with the assistance of Mishcon de Reya, the Belgian data protection authority has held that the transfer of data to the United States under FATCA is illegal.
FATCA requires the automatic exchange of sensitive personal and financial information relating to bank accounts to the US (see our background note).
Under FATCA, information exchange takes place on an annual basis and without the requirement of any indicia of tax evasion. In addition, most financial institutions exchange information regardless of the amounts held on relevant bank accounts, exposing compliant bank account holders to disproportionate and unnecessary risks for the protection and security of their data, according to several EU data protection experts and the European Parliament.
Following a GDPR complaint brought by an affected citizen, the Belgian data protection authority confirmed that FATCA transfers are incompatible with EU law.
According to the press release accompanying the decision:
"The Belgian Data protection authority today declared unlawful, and decided to prohibit, the transfers of personal data of Belgian “Accidental Americans” by the Belgian Federal Public Service Finance (FPS Finance) to the US tax authorities under the intergovernmental FATCA agreement. According to the Belgian DPA, the data processing carried out under this agreement does not comply with all the principles of the GDPR, including the rules on data transfers outside the EU."
The decision comes following intense scrutiny by Mishcon de Reya, which took the unprecedented decision to publish 200+ letters to the EU and the OECD online to ensure an adequate level of transparency and accountability of the work carried out by EU institutions. The correspondence includes amicus briefs in support of existing GDPR complaints in Belgium and the Netherlands, as well as a detailed chronology of the concerns raised by EU institutions in the period leading to the adoption of FATCA by the UK, which opened the floodgates of bilateral agreements between all EU governments and third countries with the US.
The correspondence also shows FATCA's flaws and the rejection of a domestic version of FATCA in the US due to data protection concerns.
Partner Filippo Noseda said: "This decision marks a victory for data protection advocates. It comes after years of resistance and obfuscation by the current European Commission and the European Data Protection Board, which have been expressly criticised by the European Parliament for failing to enforce the data protection of affected EU citizens. This is notwithstanding clear warnings by the EU's own data protection experts and a string of ECJ judgments reaffirming the fundamental nature of data protection and the need for appropriate safeguards when transferring data outside the US."
The EU has been taking tough action against US tech giants for allegedly violating basic GDPR principles, including the Italian data protection authority's decision to take ChatGPT offline and the Irish data protection authority's decision to impose a €1.2bn fine against Facebook's parent company META for transferring data to the US.
Today's decision by the Belgian data protection authority confirms that governments are subject to the same GDPR obligations as commercial enterprises."
Mishcon de Reya represents a client in a legal challenge against HMRC concerning the disproportionate nature of FATCA. Her case has been covered by the Financial Times, the Economist, Bloomberg, Forbes, the Wall Street Journal and TIME Magazine. Mishcon de Reya also represents a client in a legal challenge in the EU against the disproportionate nature of the Common Reporting Standard (CRS), which is modelled on FATCA and extends automatic exchange of information between countries outside the US.