After years of appearing not to take on board mounting criticism of the U.S. tax evasion prevention law known as FATCA, which mandates that non-U.S. financial institutions provide personal data about their U.S. clients to U.S. officials on an annual basis, a European agency has told EU member states to consider a "review" of their international agreements "that involve international transfers of personal data, such as those relating to taxation (e.g. to the automatic exchange of personal data for tax purposes)."
The European Data Protection Board announcement was enthusiastically welcomed by anti-FATCA campaigners today, many of whom have long called on the EDPB to take action over the way data is routinely being forwarded to the U.S., on grounds that such personal data transfers violated the EU's General Data Protection Regulation.
GDPR concerns were, in fact, the EDPB's reason for calling on EU member states to revisit the way they are enabling these "international transfers of personal data," particularly after taking into account the EDPB's announcement that it has decided to "recall the requirements" of two articles of its Law Enforcement Directive (LED).
These two articles, the EDPB statement explained, had concerned "all international agreements involving the transfer of personal data to third countries or international organizations" which had been "concluded by the EU Member States prior to 24 May 2016 or 6 May 2016 respectively, and which comply with [EU] law as applicable prior to that date," stating that these international agreements should "remain in force until amended, replaced or revoked."
Added the EDPB statement, which may be viewed by clicking here: "The EDPB deems that, in order to ensure that the level of protection of natural persons guaranteed by the GDPR and the LED is not undermined when personal data is transferred outside the [European] Union, consideration should be given to the aim of bringing these agreements in line with the GDPR and LED requirements for data transfers where this is not yet the case."
The EDPB statement doesn't mention the word FATCA, or "Foreign Account Tax Compliance Act" as it's formally known, but FATCA opponents are in little doubt that FATCA is at issue, and point to the EDPB statement's mention of "the case law of the European Court of Justice, including the Schrems II judgment of 16 July 2020."
As reported, that case struck down the main mechanism used for years by the EU to protect the personal data of EU citizens when it's transferred to the U.S. – the so-called EU-U.S. Data Protection Shield – and was declared at the time to be a potential "game changer" with respect to FATCA.
Schrems II gets its name from a privacy law case involving a 30-something Austrian national named Maximilian Schrems, which ended in a decision that came to be known as Schrems I.
'Campaigners' calls ignored'
In a statement on Sunday, Filippo Noseda (pictured left), the Mishcon de Reya law firm partner who has been overseeing a widely-publicized, crowd-funded complaint about FATCA that was filed in 2019 with the UK's Information Commissioner's Office, noted that "for almost five years" the European Commission and EU Member States, as well as the UK, had ignored calls from campaigners "to address the breach of fundamental rights caused by automatic exchange of information" that had begun to take place throughout Europe.
"Now, after incessant lobbying, the European Data Protection Board [has] acknowledged the problem," Noseda added.
"Although the latest statement is couched in diplomatic wordings and does not mention FATCA by name, an invitation by the EU's data protection watchdog to review automatic exchange of information agreements with third countries, including the US, cannot be ignored.
"This development follows years of campaigning by concerned individuals, including our clients 'Jenny' and 'Philipp,' 'J.R.' – who filed a petition before the European Parliament – as well as associations of Accidental Americans.
"We will continue to campaign to address the breach of fundamental rights caused by AEOI."
The EDPB statement was also welcomed by the Paris-based Association of Accidental Americans (AAA), one of many such organizations around Europe that lobby on behalf of so-called "accidental" Americans. Such "accidentals" are citizens of other countries whom the U.S. regards as Americans (and thus U.S. taxpapers) as well because, typically, they were born there before moving back to the country where their parents were from, and growing up and living there.
Vincent Wellens, a partner in the Luxembourg office of the international law firm Nauta Dutilh, which is representing the AAA in a number of legal matters, said the EDPB's statement of last week "clearly indicates that bilateral FATCA agreements between the individual EU member states and the U.S. should be reassessed."
Added Wellens: "This is good news, because too many EU member states now rely on Article 96 [of the] GDPR, a grandfathering rule for international agreements [that was] concluded before the adoption of the GDPR – even when this rule only applies where the international agreement is in line with Directive 95/46/EC, which is not the case for FATCA.
"So, the EDPB demands that [the] individual EU member states must make this assessment on their own, whereas the latter conclude FATCA agreements on fairly similar terms and, hence, a coordination and more in-depth guidance by the EDPB would have been more adequate.
"If neither the EDPB nor the national data protection authorities take their responsibility, the courts will decide. No doubt about that."
Possibility of EDPB action
flagged up in January
Last week's EDPB statement came less than three months after EU Justice Commissioner Didier Reynders revealed in a three-sentence statement, in response to a parliamentary question posed a few months earlier by Dutch MEP Sophie In 't Veld, a well-known campaigner on behalf of Dutch and other EU citizens who are also U.S. citizens, that the EDPB was to re-examine its data-protection regulations with respect to the way they applied to FATCA.
In his statement, Reynders said the data protection body was to "again look into" the degree to which the processing and transferring of the personal data of European citizens to the U.S. by EU countries, in compliance with the U.S. legislation, could violate the bloc's General Data Protection Regulation law.
The EDPB's statement was signed by Andrea Jelinek, chair of the organization. Prior to her appointment in 2018, Dr. Jelinek, who is from Austria, headed up that country's privacy watchdog for four years.