“The Belgian Data protection authority today declared unlawful, and decided to prohibit, the transfers of personal data of Belgian “Accidental Americans” by the Belgian Federal Public Service Finance (FPS Finance) to the US tax authorities under the intergovernmental FATCA agreement. According to the Belgian DPA, the data processing carried out under this agreement does not comply with all the principles of the GDPR, including the rules on data transfers outside the EU. It also asks the FPS Finance to alert the competent legislator of the shortcomings identified by the DPA.
. . . .
“Hielke Hijmans, Chairman of the Litigation Chamber: ‘Tomorrow we celebrate the 5th year of application of the GDPR. Article 96 cannot be intended to allow that international agreements remain contrary to the GDPR over time. The exception provided for international agreements concluded before the implementation of the GDPR does not exempt EU member states from (re)negotiating an agreement to make it GDPR compliant.’
“The Litigation Chamber also finds that the FATCA agreement does not contain appropriate safeguards to ensure that exported personal data is afforded a similar level of protection as data within the EU.
“The Litigation Chamber concludes that the transfers of data of Americans residing in Belgium to an authority located in a country outside the EU (which cannot offer an adequate level of data protection) are unlawful. For this reason, the Belgian DPA prohibits the FPS Finance from processing the complainants’ data and asks it to alert the competent legislator of this prohibition and of the shortcomings found”.
. . . .
The DPA has given the Tax Authority three months to confirm its compliance. The TA can also appeal the ruling.
Thanks to Ron Henderson for posting news of this decision on our Media thread.
Further reading:
American Citizens Abroad statement on the recent Belgian Data Protection Authority ruling on FATCA
Belgium stops ‘unlawful’ sharing of Accidental American’s data, Isabel Gottlieb, Bloomberg Tax.
The same week a Belgian bank froze my accounts because I haven’t given them my SSN. Apparently there is some kind of deadline June 1. Now hopefully even if they transfer the data to local tax authorities it won’t be forwarded to the US (I am absolutely not holding my breath).
Looks like the EU are rapidly running out of places to kick the complaints can further down the road.
Well done to the Belgian DPA for this strong ruling in support of ordinary citizens’ fundamental data protection and privacy rights. Now the European Data Protection Board needs to stop dithering and provide a consistent application of these rights across the EU as per their duty under Article 70 GDPR. https://www.crowdjustice.com/case/fatcahmrcprivacybreach/
Yeah, let’s hope they make it apply to the whole of the EU.