updated 2:57 PM CEST, Sep 21, 2023

EU Data Protection Board to revisit FATCA data protection issues: Justice Commissioner Reynders

The EU's Data Protection Board is to "again look into" the degree to which the processing and transferring of the personal data of European citizens to the U.S. by EU countries, in compliance with the U.S. tax evasion prevention law known as FATCA, could violate the bloc's General Data Protection Regulation (GDPR), an EU official has said.

The announcement, by EU Justice Commissioner Didier Reynders, was contained in a three-sentence, written response last Thursday to a parliamentary question posed last September by Dutch MEP Sophie In 't Veld, a well-known campaigner on behalf of Dutch and other EU citizens who are also U.S. citizens, typically as a result of having been born in the States. 

Such dual citizens in many cases have been adversely impacted by FATCA (Foreign Account Tax Compliance Act), particularly recently, as non-U.S. banks have begun pressuring such individuals for such data as Social Security numbers that these so-called "accidental Americans" who have lived most of their lives abroad, often lack – and threatening to close their accounts if they don't provide them. 

FATCA was signed into law by President Obama in 2010, and came into force in 2014.  The EU's GDPR was passed by the EU in 2016, but didn't come into force until May of 2018. 

The EDPB was set up to oversee and adjudicate potential issues arising from the GDPR. 

Aimed at preventing money laundering, the financing of terrorism and tax evasion, FATCA requires non U.S. (“foreign") financial institutions such as banks to report the identities of their American customers and any assets those Americans hold to the U.S. government, via "intergovernmental agreements" signed with the countries in which these FFIs are located.

Under FATCA, institutions found not to be in compliance are potentially subject to a 30% withholding tax on any of their own transactions in the U.S., which is seen as making banks extremely wary of having on their books any American clients whose Social Security numbers and other FATCA-mandated data they lack. As this and other publications have been reporting for years, even many American financial institutions decline to have American expats as clients, even though they will have non-Americans who are resident abroad, because of the potential risks of being found to be in violation of FATCA. 

Plan to revisit FATCA 'welcomed'

News that the European Data Protection Board would be revisiting the FATCA data protection issue, after having – in Reynders's words – "come to the conclusion in 2018 that there had been no occasions where they ‘had to prohibit the processing and transfer of personal data to the U.S. under the FATCA regime'" was welcomed by individuals and groups representing accidental Americans in Europe, as well as others who have been campaigning for years for changes to be made in the way FATCA is enforced. 

Some also suggested the EU Commission's change of heart wasn't a complete surprise, in the wake of certain recent court rulings and other developments, including a European Court of Justice decision last July ("Schrems II") that struck down the main mechanism currently used to protect the personal data of EU citizens when it's transferred to the U.S.

As reported, anti-FATCA lawyers and campaigners described that decision at the time as a "potential game changer" that they predicted could could force a re-examination of the way FATCA is enforced by EU countries.  

Filippo Noseda, a London-based Mishcon de Reya partner who has been among those challenging the data protection aspects of FATCA in Europe recently, cited the Schrems II judgment as well as other recent rulings by the CJEU and other courts, in a letter in a letter to EDPB Chair Andrea Jelinek and other key EU officials that he fired off on Friday. 

He also pointed out, as he has previously, that concerns about "the repercussions of FATCA" with respect to individuals' fundamental rights had been raised in Europe as long ago as 2010, and declared that Reynders's response to in't Veld's question was "disingenuous" and an example of the Commission "continu[ing] with its cover-up activity". 

Today, he told the American Expat Financial News Journal that he think the European Commission "is being economical with the truth", and using the "non-committal" phrase that the EDPB was "looking again into this" to "kick the ball into the long grass".

"What's more, by saying 'to date the Commission is not aware of any occasion where data protection authorities had to prohibit the process and transfer,' the Commission is brushing its own historical concerns about FATCA under a carpet," Noseda added.

"The EDPB has had over a year to consider the issue, and to date it has not done anything, notwithstanding the wealth of evidence of internal EU documents showing 'worrying' data protection concerns." 

Fabien Lehagre, founder and president of the France-based Association of Accidental Americans (AAA) – which, like in 't Veld, has been calling for EU lawmakers to address FATCA for years – said he believes "the main reason the European Commission doesn't want to open infringement proceedings" against individual EU member states over the way they comply with FATCA is because they fear the "potentially disastrous" financial sanctions that the U.S. would be likely to hit them with in response. 

"Rather than enter into a direct confrontation with the United States, enforce its own sovereignty and put tools in place to counter extraterritorial sanctions by the U.S., the European Commission prefers to sacrifice the fundamental rights of its European citizens," Lehagre said.

"It could defend its banks as well as the rights of its citizens, but this would mean having to stand up to the United States. So it has made its choice – not to." 

Last week, Lehagre responded to the news of Reynders's response to In 't Veld's question with his own reminder to the Commission that "more than a year" had passed since his organization had filed its own formal complaint  over what it claimed was a "violation of European Union law" on the part of France, in the way that it was accommodating the U.S. FATCA law by providing U.S. officials with French/American dual citizens' personal data.

"It is the responsibility of the European Commission to initiate infringement proceedings or to refer the matter to the Cour de justice de l'Union Européenne, and not to the national data protection supervisory authorities," Lehagre added, in his reminder to the Commission.

"I call on Commissioner Reynders to act on our complaint without further delay." 

In 't Veld: 'Is FATCA info
transfer GDPR compliant?'

Sophie in t Veld of European Parliament v cropped LR

In 't Veld, pictured left, began her three-part question to the European Commission, which was originally dated Sept. 22 and updated on Oct 9, by noting that FATCA currently obliges "accidental Americans, who are EU citizens, [to] have to transmit a [U.S.] Social Security Number  to their bank", and that they risk the "closure of their bank account" if they failed to do so.

"In order to obtain this SSN, these people have to provide very sensitive data to the Federal Benefit Unit of U.S. embassies, which are subsequently transferred to the U.S.," she added.

"Does the Commission consider this transfer of information to be in line with the General Data Protection Regulation (GDPR)? 

"Does the Commission consider that this transfer of information is a direct consequence of the intergovernmental agreements concluded by the [EU] Member States to implement FATCA?

"What actions does the Commission undertake to protect the transfer of this information to the U.S.?

"Will the Commission open infringement procedures against the Member States" [for providing their clients' personal data to the U.S., if the transfer does turn out to be in violation of the GDPR]?"

It wasn’t immediately known when the European Commission would begin its re-examination of the GDPR implications of FATCA, who would oversee it, or what form and how long it would take.

Commissioner Reynders didn't immediately reply to an emailed request for comment and further detail about the nature of the EDPB's planned revisiting of the potential GDPR issues raised by FATCA. 

Separately, the European Commission issued a press release last Tuesday in which it included "developing EU financial market infrastructures and improving their resilience, including towards the extra-territorial application of sanctions by third countries" among one of three "mutually-reinforcing pillars" of a "new strategy to stimulate the openness, strength and resilience of the EU's economic and financial system for the years to come". 

To read this press release, and further details of this "new strategy", click here.