This article contains some recent information about FATCA / Citizenship-Based Taxation and about attempts to persuade national governments and the EU to give substance to the fundamental rights to which European citizens are entitled.
Article: ‘Reconsidering Citizenship Taxation’, by Tsilly Dagan and Ruth Mason
Dagan and Mason wrote on the concept of citizenship taxation that is appealing to some states, read the abstract [1]. John Richardson published an AI generated podcast on the article.
Questions to the European Commission, answered on 22 July 2025
On 14 May 2025 the member of the European Parliament François-Xavier Bellamy asked the Commission a question on ‘Non-evaluation of FATCA agreements by Member States and protection of fundamental rights of EU citizens‘ [2]. Commissionar Mr McGrath answered on 22 July 2025 [3] on behalf of the European Commission.
Disappointing decision by the Gelderland court, 23 July 2025
The Rechtbank Gelderland on 23 July 2025 decided in a Dutch FATCA-case that the Dutch tax authority does not have to stop providing personal data on accidental Americans. There is a press release on the decision.
AAA-letter to EDPB of 20 September 2025
The president of the French association of Accidental Americans, l’Association des Américains Accidentels (AAA), Mr. Lehagre informed the public that on 20 September 2025 AAA has sent a letter to the European Data Protection Board (EDPB) to raise concerns about the risks linked to tax data transfers to the United States under FATCA [4].
Decision Polish Data Protection Authority of 23 July 2025
In another message [5] Lehagre refers to a recent decision of the Polish Data Protection Authority (UODO) in case DKN.5112.6.2020 that European data protection law (GDPR) also applies when applying AML/CFT rules [6].
Hearing in Belgian FATCA-case on 22 October 2025
Lehagre also mentions [4] that in the Belgian FATCA-case the Brussels Court of Markets on 22 October will hear the Belgian government’s appeal against the decision of the Belgian Data Protection Authority prohibiting FATCA-transfers.
Accidental Americans ask EDPB to intervene
Filippo Noseda, a lawyer who represents accidental Americans with the European Parliament (PETI committee), wrote a letter to EDPB on 23 September 2025 [7].
Notes
[1] Published on SSRN, abstract:
“The pressures of globalization undermine the ability of states to collect taxes and pursue distributive justice. Free movement and other opportunities for people to engage with different jurisdictions on a personal and economic level are essential for liberty. But unrestrained market competition between states to provide the world’s wealthiest and most skilled a fragment of the social contract in exchange for a reduction in their tax obligations imperils the welfare state.
If the duty to pay taxes for redistribution exists within self-defining communities, then our new world of multiple and partial community allegiances raises fundamental questions. People are increasingly mobile, frequently live outside their state of nationality, and interact with multiple jurisdictions in a variety of ways. Although what constitutes membership may be decided by each such community independently, human mobility and interstate competition erode the ability of a single community, acting alone, to enforce its view of membership. As the community loses the ability to define itself and to bind people it considers members to that choice, the community also loses the material support it needs to sustain itself. In such a world, the very definition of community becomes subject to the rules of supply and demand, under which diverging elasticities and the relative attractiveness of both jurisdictions and taxpayers become paramount.
The strongest states may be able to overcome these challenges unilaterally with the aid of citizenship taxation. We emphasize, however, that the United States may remain an outlier in assessing citizenship taxation. US citizenship has proved extremely sticky, and therefore capable of sustaining a lightly administered form of citizenship taxation characterized by toleration for what is presumed to be widespread noncompliance. But weaker and less attractive states may be unable to sustain even a limited form of citizenship taxation, and they may therefore lose their tax base as they lose residents.
A cooperative accord on the global level could tame some interstate competition over migrants. Such a global accord would, however, face difficulties, including setting the desirable balance between personal liberty and community responsibility; determining the duty of justice between states; and defining the procedures that will determine the arrangements. States would also face accountability, legitimacy, and practical difficulties in implementing any such arrangements. These difficulties should not be underestimated, yet overcoming them is one of the challenges of the next 100 years of taxing people.”
[2] The question:
“On 13 April 2021, the European Data Protection Board (EDPB) invited Member States to re-evaluate their international agreements involving transfers of personal data, in particular agreements struck with the United States under the Foreign Account Tax Compliance Act (FATCA), in order to make these agreements compliant with the General Data Protection Regulation (GDPR). Four years later, and not a single Member State has published the required evaluation. This inaction constitutes a blatant violation of the obligation of responsibility laid down in Article 24 of the GDPR. During this time, the data of thousands of EU citizens continues to be passed on to the Internal Revenue Service (IRS), the US tax authority, without demonstrated legal safeguards.
In France, the Finance Act for 2022 required the French Government to submit a report on the implementation of its information exchange commitments, in line with the GDPR and the recommendations of the EDPB. This report has never seen the light of day. The lack of political will to protect fundamental rights is clear.
At the same time, the IRS publicly asserts its right to collect data outside the United States, in total disregard of EU legislation.
1. Does the Commission consider it acceptable that this situation persists?
2. Does the Commission plan to launch infringement proceedings against the Member States that are failing to fulfil their obligations under EU law?
3. And, above all: is the Commission finally ready to guarantee that EU citizens’ data will be duly protected, even from non-EU powers?“.
[3] The answer:
“The independent authorities competent to monitor and enforce compliance with the General Data Protection Regulation (GDPR) are the data protection authorities (DPAs) in the Member States, under the control of national courts.
Referring to Article 96 of the GDPR, the European Data Protection Board (EDPB), which brings together all EU DPAs, has invited Member States to assess their existing international agreements and, where necessary, review them with the aim of bringing them in line with EU law [1].
The DPAs have agreed to assist the Member States in this exercise and the Commission understands that several of them are in discussions with the relevant ministries [2].
Several DPAs have also been dealing with requests concerning the data protection aspects of these international agreements. For instance, the Belgian DPA recently issued a decision [3] on the Belgian agreement implementing the Foreign Account Tax Compliance Act (FATCA), concluding that the transfer of personal data of ‘accidental Americans’ to the Internal Revenue Service was unlawful.
The Belgian DPA ordered the relevant authority to bring the transfer of data in compliance within one year . Investigations in the same field are also ongoing in other Member States.
The Commission continues to closely follow further developments in this regard, including in collaboration with the EDPB. The Commission also continues to work with the authorities of the United States (US) including in the context of the bi-annual EU-US Regulatory Forum.
In parallel, the Commission is in close contact with the Member States, for example in the Council working group on tax questions, where Member States are exchanging views about the implementation of their international agreements in this area, including data protection safeguards.
[1] See EDPB Statement 04/2021 of 13 April 2021, available at https://www.edpb.europa.eu/system/files/2021-04/edpb_statement042021_international_agreements_including_transfers_en.pdf.
[2] See also the letter from the EDPB of 7 July 2021, available at https://www.edpb.europa.eu/system/files/2021-07/edpb_letter_out2021-0119_intveld_igas.pdf.
[3] Issued on 24 April 2025, see https://www.autoriteprotectiondonnees.be/publications/decision-quant-au-fond-n0-79-2025.pdf.“
[4] The president of the Association des Américains Accidentels (AAA), Fabien Lehagre, wrote on linkedin:
“✍ 𝐓𝐨𝐝𝐚𝐲, 𝐈 𝐬𝐞𝐧𝐭 𝐚 𝐥𝐞𝐭𝐭𝐞𝐫 𝐭𝐨 𝐭𝐡𝐞 𝐄𝐮𝐫𝐨𝐩𝐞𝐚𝐧 𝐃𝐚𝐭𝐚 𝐏𝐫𝐨𝐭𝐞𝐜𝐭𝐢𝐨𝐧 𝐁𝐨𝐚𝐫𝐝 (𝐄𝐃𝐏𝐁) 𝐭𝐨 𝐫𝐚𝐢𝐬𝐞 𝐜𝐨𝐧𝐜𝐞𝐫𝐧𝐬 𝐚𝐛𝐨𝐮𝐭 𝐭𝐡𝐞 𝐫𝐢𝐬𝐤𝐬 𝐥𝐢𝐧𝐤𝐞𝐝 𝐭𝐨 𝐭𝐚𝐱 𝐝𝐚𝐭𝐚 𝐭𝐫𝐚𝐧𝐬𝐟𝐞𝐫𝐬 𝐭𝐨 𝐭𝐡𝐞 𝐔𝐧𝐢𝐭𝐞𝐝 𝐒𝐭𝐚𝐭𝐞𝐬 𝐮𝐧𝐝𝐞𝐫 𝐅𝐀𝐓𝐂𝐀.
The repurposing of such data for non-tax purposes, without effective safeguards on the U.S. side, is a clear violation of the #GDPR.
This matter will soon be at the center of attention in Brussels, as the Market Court is set to hold a crucial hearing on October 22, following the landmark decision of the Belgian Data Protection Authority that #FATCA transfers violate the GDPR.
As national data protection authorities have reached divergent conclusions, it is urgent that clarification be provided at the European level. This is why we are calling on the European Data Protection Board to:
✅ take a position on how the GDPR applies to FATCA,
✅ encourage a preliminary reference to the CJEU,
✅ reaffirm that Article 49 derogations cannot legitimize systematic and recurring transfers.
🔒 𝐓𝐡𝐢𝐬 𝐟𝐢𝐠𝐡𝐭 𝐝𝐨𝐞𝐬 𝐧𝐨𝐭 𝐨𝐧𝐥𝐲 𝐜𝐨𝐧𝐜𝐞𝐫𝐧 𝐀𝐜𝐜𝐢𝐝𝐞𝐧𝐭𝐚𝐥 𝐀𝐦𝐞𝐫𝐢𝐜𝐚𝐧𝐬: 𝐢𝐭 𝐢𝐬 𝐚𝐛𝐨𝐮𝐭 𝐩𝐫𝐨𝐭𝐞𝐜𝐭𝐢𝐧𝐠 𝐭𝐡𝐞 𝐩𝐞𝐫𝐬𝐨𝐧𝐚𝐥 𝐝𝐚𝐭𝐚 𝐨𝐟 𝐚𝐥𝐥 𝐄𝐮𝐫𝐨𝐩𝐞𝐚𝐧 𝐜𝐢𝐭𝐢𝐳𝐞𝐧𝐬.“.
The letter can be uploaded here.
[5] The message:
“🔎 𝐃𝐚𝐭𝐚 𝐩𝐫𝐨𝐭𝐞𝐜𝐭𝐢𝐨𝐧 𝐚𝐧𝐝 𝐅𝐀𝐓𝐂𝐀: 𝐚 𝐭𝐞𝐬𝐭 𝐟𝐨𝐫 𝐄𝐮𝐫𝐨𝐩𝐞
The recent decision of the Polish Data Protection Authority (UODO) in case DKN.5112.6.2020 reminds us that, even when complying with AML/CFT rules, banks cannot collect or process data in violation of the GDPR.
👉 𝐓𝐡𝐢𝐬 𝐩𝐫𝐢𝐧𝐜𝐢𝐩𝐥𝐞 𝐝𝐢𝐫𝐞𝐜𝐭𝐥𝐲 𝐫𝐞𝐬𝐨𝐧𝐚𝐭𝐞𝐬 𝐰𝐢𝐭𝐡 𝐭𝐡𝐞 𝐅𝐀𝐓𝐂𝐀 𝐜𝐚𝐬𝐞.
Here, not only is there a systematic collection of banking information, but this data is also transferred to a country – the United States – that does not provide equivalent data protection guarantees. Even worse, the #FATCA agreement governing these transfers lacks the safeguards normally required under the #GDPR.
📌 On 𝐎𝐜𝐭𝐨𝐛𝐞𝐫 𝟐𝟐, the Brussels Court of Markets will hear the Belgian government’s appeal against the decision of the Belgian Data Protection Authority prohibiting such transfers.
👉 𝐀 𝐝𝐚𝐭𝐞 𝐧𝐨𝐭 𝐭𝐨 𝐛𝐞 𝐦𝐢𝐬𝐬𝐞𝐝, 𝐚𝐬 𝐭𝐡𝐞 𝐢𝐦𝐩𝐥𝐢𝐜𝐚𝐭𝐢𝐨𝐧𝐬 𝐰𝐢𝐥𝐥 𝐛𝐞 𝐝𝐞𝐜𝐢𝐬𝐢𝐯𝐞 𝐟𝐨𝐫 𝐭𝐡𝐞 𝐟𝐮𝐭𝐮𝐫𝐞 𝐨𝐟 𝐝𝐚𝐭𝐚 𝐩𝐫𝐨𝐭𝐞𝐜𝐭𝐢𝐨𝐧 𝐢𝐧 𝐄𝐮𝐫𝐨𝐩𝐞.
🔗 𝐘𝐨𝐮 𝐜𝐚𝐧 𝐫𝐞𝐚𝐝 𝐭𝐡𝐞 𝐏𝐨𝐥𝐢𝐬𝐡 𝐃𝐏𝐀’𝐬 𝐝𝐞𝐜𝐢𝐬𝐢𝐨𝐧 𝐡𝐞𝐫𝐞 (𝐢𝐧 𝐄𝐧𝐠𝐥𝐢𝐬𝐡): https://gdprhub.eu/index.php?title=UODO_(Poland)_-_DKN.5112.6.2020“.
[6] From the summary on GDPR Hub on this case regarding ING Bank:
“The DPA fined a bank PLN 18,416,400 (approximately €4,300,000) over the excessive and unlawful processing of customers’ identity documents. The DPA clarified that AML legislation does not allow for the indiscriminate scanning of customers’ IDs. (…)
AML law did not allow the controller to indiscriminately scan the ID documents of customers. Instead, the controller should have assessed each customer’s case individually before deciding whether the scanning of their ID was a necessary measure for AML compliance.
The DPA also considered that the scan of an ID document revealed more data than strictly necessary for customer identification. In the DPA’s view, it would have been sufficient to record the customer’s social security code (or, in the case of customers with no such code, to record other information on the documents, such as the document’s number and the customer’s personal details).
On these grounds, the DPA held that the controller violated Articles 5(1)(a)(b)(c) and 6(1) GDPR and fined the controller PLN 18,416,400 (approximately €4,300,000).
The DPA also clarified that while ID documents do not constitute sensitive data under the GDPR, their processing still involves a high risk.”
[7] Upload the letter on this url.
Ellen Timmer - juridische artikelen en berichten 