On May 23, a decision (Decision) by the Belgian Data Protection Authority (BDPA) now prohibits the Belgian tax authorities (the defendant in this case) from transferring to the Internal Revenue Service (IRS) the personal data of Belgian “Accidental Americans” (and likely other US persons with accounts in Belgium) pursuant to the ”FATCA” Intergovernmental Agreement between the USA and Belgium (IGA). According to the BDPA Decision, the data processing carried out under the IGA does not comply with the principles of the General Data Protection Regulation (GDPR) adopted within the European Union. Generally, the guiding principles of the GDPR are lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability.
From the Decision, Point 178 makes clear the transfer of information to the IRS under the IGA is an overreach, not well circumscribed and is disproportionate given the purpose for which the IGA was negotiated (underscore mine):
“In this respect, the Contentious Chamber is of the opinion that the sole nationality of the first complainant and, more generally, of the Belgian accidental Americans defended by the second complainant, is an insufficient criterion with regard to the purpose pursued. The fact that a list of data concerning them has been drawn up does not constitute a relevant and sufficient targeting criterion. The communication of personal data relating to all Belgian accidental Americans – apart from those whose account balances are below the declarable threshold – without any other indication of tax evasion or avoidance is disproportionate, especially with regard to those who would not be subject to taxation in the United States, taking into account any exemptions authorized by American law, as pointed out by the complainants.” [Here the Decision is likely referring to exemptions generally applicable to the US person abroad, such as the foreign earned income and housing exclusions].
Is the Decision Limited to “Accidentals”?
While I cannot say with certainty, I think the Decision is not limited to “accidentals” despite the fact the language of the Decision (quoted below) focuses solely on them. If the principles of the GDPR have been violated by the IGA, then the principles should apply to all individuals who are protected by the GDPR whose information is being sent to the IRS by the Belgian tax authorities, not just the accidentals. Applying this analysis, the Decision would extend beyond accidentals to all Americans residing in Belgium and perhaps, as well, to the American who is residing in another EU country but who maintains an account with a Belgian financial institution. While I am not an expert on GDPR, I understand that the GDPR applies to natural persons regardless of their citizenship status as long as they are within the territorial boundaries of the EU.
GDPR Recital 2 states “rules on the protection of natural persons with regard to the processing of their personal data should, whatever their nationality or residence, respect their fundamental rights and freedoms, in particular their right to the protection of personal data.”
GDPR Recital 14 states that the protection afforded by the GDPR applies to “natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data.”
Likely, the Decision focuses on “accidentals” because the plaintiffs themselves were either accidentals or representing them as a group.
Should there be a carve-out for “accidentals”? Do they have greater privacy and data protection rights than others? The accidentals argued that they have been unfairly swept into the FATCA disclosure net for a country with which they have no connection. Many have no US taxpayer identification number, the US “Social Security Number” or SSN. This has resulted in denial of services by the financial institutions in their home countries as well as other bureaucratic problems. Perhaps this group is viewed by the BDPA as more “vulnerable” than a non-accidental? If so, based on the explanation below, I believe this is incorrect. Non-accidentals face the exact same hurdles!
From Point 261 “ The persons concerned can be described as “vulnerable persons” (see recital 75) if an imbalance in their relationship with the [BDPA] defendant and even more so with the IRS can be identified. This imbalance results not only from the fact that the transfer is imposed on the persons concerned without their being able to oppose it, but above all from the complexity of the legal framework, including the existence of possible means of appeal for the exercise of their rights (see below the finding regarding the absence of this guarantee – point 212).”
Points from the Decision:
- On the basis of the documents in the file and at the end of its analysis, the Contentious Chamber concludes,…. that the processing of the first complainant’s personal data by the defendant, including their transfer to the IRS, is unlawful, since this processing is in violation of the principles of purpose, necessity and minimization/proportionality and the rules of Chapter V of the GDPR. The Contentious Chamber has shown that this unlawfulness affects not only the processing of the plaintiff’s personal data but also, more generally, the processing of personal data of Belgian accidental Americans.
- In view of this unlawfulness, the Contentious Chamber decides to order the prohibition of the processing of the data of the first plaintiff and the Belgian accidental Americans in execution of the “FATCA” agreement and the Law of December 16, 2015, in application of article 100.8 of the LCA as well as article 58.2 f) and j) of the GDPR.
Who Qualifies as an Accidental American?
Most glaringly, what is not explained in the Decision is “who” is to be considered an “Accidental American”.
According to the Decision, “[T]he first complainant resides in Belgium and has dual Belgian and American nationality. With respect to the latter nationality, the first Complainant describes himself as an accidental American because he was only born in the United States at Stanford without having retained any significant ties to that country. The complainant resides in Belgium.” The lack of significant US ties is mentioned later in the Decision (Decision at Point 268 “have no connection with the state in question other than its nationality”).
It seems this is the closest we can glean from the Decision as to who is an “accidental American”. What are “significant ties”? What is meant by “no connection”? What if the individual does not reside in Belgium? Is the dual national an “Accidental” if he was born in the US by happenstance, and lived there for say, 5 years, 10 years, 20 years before leaving? Where is the line drawn?
Is the dual national an “Accidental” if he was born in the US by happenstance, but has a US passport and uses it for travel outside the US? Is having and using the US passport “no connection”? In many cases with which I am familiar, individuals holding dual nationality are very happy to have the US passport for travel purposes as it typically prevents the need for obtaining visas. Would this disqualify the individual from being “accidental”?
What if that same individual maintains property in the US or frequently travels there for business or for pleasure? What if he invests in the US stock market? Do these “connections” destroy “accidental” status? After all, many foreign persons do these things!
The Decision certainly leaves the doors open for interpretation, and I suspect that this was purposefully done.
Can this Decision be Appealed?
Yes, it can. If the Decision stands, The BDPA will consider what it must do to abide the Decision. Undoubtedly, it will be discussing the matter with the US tax authorities. The Belgian financial institutions will be anxiously awaiting guidance!
Can Something be Done to Rectify the Data Protection Inadequacies?
The IGA can be amended (see US Belgian IGA at Article 8). If amended to address the GDPR inadequacies, it may be back to business as usual (i.e., automatic information exchange).
From the Decision:
[Point] 186. In other words, the transfer of data by an authority in the EU such as the defendant to, as in this case, an authority in a third country that does not provide adequate protection, can only take place if the controller, i.e. the defendant, has provided for appropriate safeguards and on the condition that the data subjects have enforceable rights and effective remedies either through “a legally binding and enforceable instrument between public authorities or public bodies” (Article 46.2.a) of the GDPR); or by “provisions to be included in administrative arrangements between public authorities or public bodies that provide for enforceable and effective rights for data subjects” within the meaning of Article 46.3. b) of the GDPR.
[Point] 188. It is clear from the text of Article 46.2. a) of the GDPR (as it is from Article 46.3. b)) that the appropriate safeguards must be included in the legally binding instrument (or in the relevant administrative arrangement).
What is the US Treasury / IRS Thinking Now?
No one knows. The Treasury has not responded to requests for comment. Many other countries will be watching closely. Further actions are surely in the works to bring GDPR challenges against IGA’s in other European nations.
Listen to the podcast with John Richardson – we discuss many aspects of this decision.
Posted May 30, 2023
All the US tax information you need, every week –
Named by Forbes, Top 100 Must-Follow Tax Twitter Accounts @VLJeker
Named by Bloomberg, Tax Professionals to Follow on LinkedIn
Subscribe to Virginia – US Tax Talk to receive my weekly US tax blog posts in your inbox. My blog specializes in foreign and US international tax issues.
You can access my papers on the Social Science Research Network (SSRN) at https://ssrn.com/author=2779920
Virginia - US TAX TALK 