EU Court of Justice to Examine GDPR Compliance of FATCA-Related Bank Data Transfers
- Ana Hadnes Bruder,
- Oliver Yaros,
- Jared B. Goldberger,
- Christopher Lalloz,
- Ellen Hepworth,
- Shannon Balnaves
The EU Court of Justice (“CJEU”) has been asked by a Belgian court about the legality of transferring EU residents’ banking data to the United States under the Foreign Account Tax Compliance Act 2010 (“FATCA”).
The Belgian court has made a request for a preliminary ruling on whether data transfers required under FATCA, and implemented via bilateral agreements between EU Member States and the United States, comply with the EU’s General Data Protection Regulation (“GDPR”). The proceedings arise from a complaint by an individual with dual Belgian and US citizenship and the Association of Accidental Americans, challenging the compatibility of FATCA-mandated transfers with core GDPR principles.
Background: FATCA and the EU / US Data Transfer Framework
FATCA requires non-US financial institutions (“FFIs”) to report information about accounts held by US persons for US tax purposes, including US citizens, to the US Internal Revenue Service (“IRS”). This reporting regime was enacted to combat US tax evasion through offshore accounts. An FFI’s non-compliance with FATCA generally results in a 30% US withholding tax imposed on payments received from investments in US securities. For purposes of FATCA, FFIs broadly include banks, custodians, broker-dealers, investment managers, investment funds, and insurance companies issuing cash-value policies.
Belgium, like many EU Member States, implemented FATCA via a bilateral agreement with the United States known as an intergovernmental agreement or IGA. Most EU Member State IGAs shift implementation and enforcement responsibilities of FATCA to the local tax authorities.
The Belgian Court's Reference to the CJEU
The Belgian government appealed a decision by the country’s data-protection authority that found that transferring US persons’ banking information from Belgium to the US for FATCA purposes violated Belgian and EU data-protection law.
The Belgian government’s position is that the FATCA Intergovernmental Agreement (“IGA”) entered into with the United States should be upheld because it was concluded before the GDPR was adopted in 2016 and entered into force in 2018.
The Belgian court has therefore referred a number of questions to the CJEU.
Compliance with Article 96 GDPR
Under the GDPR’s Article 96, international agreements that existed before the GDPR’s implementation may remain in force, provided that they comply with the law that was applicable when they were concluded.
The Belgian court seeks clarity from the CJEU as to whether EU member states should continue to apply preexisting international agreements without determining whether they comply with GDPR.
Compliance with GDPR Principles
The Association of Accidental Americans argues that FATCA results in mass, indiscriminate transfer of bank data to the US without any suspicion of wrongdoing or tax evasion, contravening GDPR principles such as data minimisation.
The Belgian court specifically asks whether collecting and retaining tax data without a time limit and without any evidence of tax evasion is compatible with GDPR.
Compliance with EU–US Data Privacy Framework
The Belgian court also asked whether the FATCA regime aligns with the EU–US Data Privacy Framework, which was agreed upon in 2023 following the annulment of two agreements by the EU Court of Justice.
Significance of the Potential Decision
The outcome may have wide consequences:
- A CJEU ruling against FATCA-style transfers could affect all EU–US automatic tax-information exchanges.
- EU Member States might need to renegotiate their FATCA IGAs; alternatively, the EU Member State IGAs may no longer have effect, resulting in FFIs resident in EU jurisdictions to be subject to the US FATCA regime rather than the IGA.
- Financial institutions may need to reassess their FATCA compliance procedures, data-retention practices, and intra-group or cross-border reporting frameworks.
This referral is clearly a test of how far the GDPR can limit governmental data transfers under international agreements.
Conclusion
The Belgian court’s reference to the CJEU marks a pivotal moment for the intersection of international tax enforcement and EU data-protection law. The questions raised go to the heart of the GDPR's extraterritorial reach, the limits of pre-GDPR agreements, and the ongoing transfer of sensitive financial data to US authorities.
While FATCA itself remains in force, the CJEU's forthcoming judgment may reshape how EU Member States and financial institutions implement those obligations. If the CJEU’s judgment results in EU Member State resident FFIs becoming subject to the US requirements of FATCA rather than the IGA, such FFIs will have to report US accounts to the IRS rather than to local tax authorities. In addition, EU Member State FFIs will be required to certify to the IRS every three years with respect to its FATCA compliance. As previously noted, FATCA non-compliance creates significant tax consequences, including a 30% withholding tax imposed on payments received from investments in US securities (regardless of whether such a payment is received for the benefit of an FFI’s customer or for the FFI itself), as well as financial penalties and reputational risks.
