Belgian DPA prohibits the transfer of tax data of Belgian “Accidental Americans” to the USA
The Belgian Data protection authority today declared unlawful, and decided to prohibit, the transfers of personal data of Belgian “Accidental Americans” by the Belgian Federal Public Service Finance (FPS Finance) to the US tax authorities under the intergovernmental FATCA agreement. According to the Belgian DPA, the data processing carried out under this agreement does not comply with all the principles of the GDPR, including the rules on data transfers outside the EU. It also asks the FPS Finance to alert the competent legislator of the shortcomings identified by the DPA.
Generalized tax data sharing under FATCA
The intergovernmental agreement commonly called "FATCA" (“Foreign Account Tax Compliance Act”) provides for the communication of data relating to Americans residing abroad to the American tax authority (IRS) for the purpose of combating tax fraud. Domestic financial institutions are required to forward this data to the tax authority of the country of residence (in Belgium: the FPS Finance), which, under the agreement, will in turn transfer the data to the IRS.
At the end of 2020, the Belgian DPA received a complaint from a person with dual Belgian and American citizenship and from the “Accidental Americans Association of Belgium”. The complainants believe that the exchange of information with the IRS under the agreement does not comply with all the principles of the GDPR and should be stopped. The FPS Finance invokes an exception provided for in Article 96 of the GDPR, according to which international agreements existing before the implementation of the GDPR may nevertheless remain in force, provided that they complied with the law applicable at the time they were concluded.
The Litigation Chamber of the Belgian DPA notes that the generalized and undifferentiated transfer of tax data provided for in the agreement does not respect the principle of purpose limitation (the agreement does not contain exact objectives for the transfer of data); nor the principle of proportionality and data minimisation (only data strictly necessary for the purposes sought, in this case combatting tax fraud, can be processed). The Litigation Chamber also notes that the "stand still" effect of article 96 GDPR is limited in scope.
Moreover, the Litigation Chamber recalls that this article 96 has to be read in a restrictive way.
Hielke Hijmans, Chairman of the Litigation Chamber: "Tomorrow we celebrate the 5th year of application of the GDPR. Article 96 cannot be intended to allow that international agreements remain contrary to the GDPR over time. The exception provided for international agreements concluded before the implementation of the GDPR does not exempt EU member states from (re)negotiating an agreement to make it GDPR compliant."
The Litigation Chamber also finds that the FATCA agreement does not contain appropriate safeguards to ensure that exported personal data is afforded a similar level of protection as data within the EU.
Conclusions of the Litigation Chamber
The Litigation Chamber concludes that the transfers of data of Americans residing in Belgium to an authority located in a country outside the EU (which cannot offer an adequate level of data protection) are unlawful. For this reason, the Belgian DPA prohibits the FPS Finance from processing the complainants' data and asks it to alert the competent legislator of this prohibition and of the shortcomings found.
The Belgian DPA also orders the FPS Finance to inform in a complete and accessible manner the data subjects of the data processing carried out as part of the FATCA agreement and of its modalities. It also asks to carry out a “DPIA” which is an analysis of the risks associated with this data processing.
The parties can appeal this decision.
Hielke Hijmans, Chairman of the Litigation Chamber, concludes: "Ordering the cessation of data flows to the United States under the FATCA agreement may seem harsh, but once we find that they do not comply with the applicable law, we are obliged to stop these data flows. This principle has been confirmed in the rulings known as the "Schrems rulings".