The European Data Protection Board (EDPB) on 25 November published its letters to the Association of Accidental Americans (AAA) and to MEP In’t Veld on the intergovernmental agreements (‘IGAs’) implementing the US Foreign Account Tax Compliance Act (FATCA).
EDPB writes to AAA that it thinks that “assessing the compatibility of the different IGAs implementing FATCA with the GDPR is not in the competence of the EDPB”. It is curious that EDPB talks about “the different IGAs” because the US has entered into (almost) the same IGA with all countries in Europe.
EDPB refers to Article 70(1)(a) of GDPR and says this provision does not apply, when there are several other provisions in Article 70 that can be a basis for action by EDPB, e.g. (e):
examine, on its own initiative, on request of one of its members or on request of the Commission, any question covering the application of this Regulation and issue guidelines, recommendations and best practices in order to encourage consistent application of this Regulation
issue guidelines, recommendations and best practices in accordance with point (e) of this paragraph for the purpose of further specifying the criteria and requirements for the personal data transfers on the basis of Article 49(1)
Typically, the FATCA issues are:
– the concluded IGAs are (almost) identical;
– the IGAs concern only one very powerful country (the US);
– the subject matter of the IGAs concerns only one tax system, that of the US, which deviates from OECD world standards through Citizenship-Based Taxation.
There is thus every reason for a central assessment by EDPB under Article 70 GDPR.
Full text of the letters:
To the Association des Américains Accidentels (AAA)
Mr Fabien Lehagre
President of the Association des Américains Accidentels
Mr Vincent Wellens
Brussels, 4 November 2022
by e-mail only
Dear Mr Lehagre and Mr Wellens,
Thank you for your letter of 13 April 2022 regarding the processing of personal data based on the obligations stemming from the intergovernmental agreements (IGAs) implementing the US Foreign Account Tax Compliance Act (FATCA) and your subsequent analysis on the interplay of the IGAs with the GDPR.
In your letter, you call upon the EDPB and EU supervisory authorities to take immediate action in respect of possible inconsistencies of IGAs with data protection principles set forth in the GDPR.
As already highlighted by the EDPB on other occasions, assessing the compatibility of the different IGAs implementing FATCA with the GDPR is not in the competence of the EDPB.
According to Article 70, paragraph 1 a) of the GDPR, the EDPB shall monitor and ensure the correct application of the GDPR in the cases provided for in Articles 64 and 65, without prejudice to the tasks of the EU supervisory authorities. The EDPB, as an independent European body, does not constitute a supranational institution, monitoring the work of the EU supervisory authorities in individual cases, which are subject to their territorial powers, and the EDPB has no competence to take decisions in their place.
Hence, it is up to the competent supervisory authorities to monitor and enforce, where necessary, the relevant GDPR provisions and to provide information upon request on their ongoing proceedings to the extent possible according to their national procedural law.
Further, the EDPB (preceded by its precursor the Article 29 Working Party) took position on the automatic exchanges of personal data for tax purposes including FATCA, on several occasions.
More recently, in the light of the task of ensuring a consistent application of the GDPR as provided for by Article 70 GDPR and considering the existence of data protection aspects common to the different Member States, the supervisory authorities engaged in a common effort to identify questions which could be addressed to their respective competent national authorities concerning the consistency of IGAs with GDPR principles (including accountability, purpose limitation, proportionality and rules on data transfers that you specifically mentioned in your letter).
In the hope of having reassured you on the continuous attention paid by the EDPB and the supervisory authorities on the interplay between the processing based on the obligations stemming from the IGAs implementing FATCA and the GDPR, I thank you again for your consideration regarding the data protection implications of the automatic exchanges of personal data for tax purposes and the activity of the EDPB on that matter.
To Sophie in’t Veld, member of the European Parliament
Sophie in’t Veld
European Parliament
Rue Wiertz 60
B-1047 Brussels
Belgium
Brussels, 4 November 2022
by e-mail only
Dear Mrs in’t Veld,
Let me first of all thank you for your letter of 15 June 2022 regarding the transfers of personal data based on the obligations stemming from the intergovernmental agreements (IGAs) concluded between the Member States and the US and implementing the US Foreign Account Tax Compliance Act (FATCA) and in particular, the measures taken in that respect by the supervisory authorities (SAs) and the EDPB.
With regard to the first question related to the complaints received by SAs on the above-mentioned matter, we would like to inform you that the complaint referred to in your letter and mentioned in the EDPB response of 7 July 2021 has been received by the Belgian SA. Other complaints were brought before other SAs following the publication of the statement.
Regarding your second question about details and the state of play of the discussions of each SA with their respective government on the review of the IGA, we would like to highlight that we are not in a position to provide you with more detailed information as revealing details and the state of play of these discussions could jeopardise the actions carried out at national level.
With regards to your last question, we would like to remind you that assessing the compatibility of the different agreements concluded bilaterally between a Member State and the US with the GDPR is not within the competence of the EDPB and that it is up to the different SAs to monitor and enforce, where necessary, the protection of personal data of data subjects within their jurisdiction.
However, considering the fact that the matter concerns various Member States, the SAs decided to join in a common effort with the aim of identifying possible questions which could be addressed to their respective competent national authorities concerning the consistency of transfers based on IGAs with GDPR principles, including those of necessity and proportionality.
Please be assured that the EDPB is aware of the problematics raised by different stakeholders on this matter and it continues to offer a forum for the exchange on this topic between the different SAs.