In the context of international tax compliance, the US Foreign Account Tax Compliance Act (FATCA) has been a topic of discussion and debate for several years.
In May 2023, the Belgian Data Protection Authority (DPA) ruled that the automatic information exchange based on the FATCA Agreement between the US and Belgium violated the General Data Protection Regulation (GDPR). However, the DPA’s decision was suspended and annulled by the Appeal Court, allowing FATCA data exchanges by the Belgian tax authorities to continue in 2023 as per their usual practice.
Following its decision of December 20, 2023, the Appeal Court referred the case back to the DPA for reassessment on its merits, with a differently composed chamber. While the DPA’s new decision is expected to uphold the FATCA reporting status quo, this discussion remains pertinent as it could indicate a shift towards more stringent FATCA compliance requirements in the future.
Understanding FATCA (and CRS)
Certain cross-border transactions and structures require data concerning financial accounts to be exchanged between the tax authorities in different countries. This data exchange aims to counter tax evasion by citizens who hold financial assets abroad and occurs among the member states of the European Union and third countries (under the Common Reporting Standards) and the United States (under the FATCA Agreement).
The automatic data exchange under the Common Reporting Standards (CRS) and the Foreign Account Tax Compliance Act (FATCA) was implemented in Belgium by the Law of December 16, 2015 (CRS/FATCA Legislation). Based on the aforementioned legislation, Belgian financial institutions are required to report their account holders to the Belgian tax administration, which in turn will transmit this data to the tax administration of the residence state of the individuals holding a financial account (directly or indirectly) in the financial institution.
According to the CRS Guidelines issued by the Belgian tax authorities, a Private Privak is categorized as a ‘financial institution’, thereby falling under the provisions of the CRS. This classification is also upheld in the context of FATCA. As a result, Private Privaks are required to adhere to the due diligence and reporting obligations outlined in the CRS/FATCA Legislation.
FATCA vs. GDPR
On May 24, 2023, Belgium’s DPA took a significant step in addressing concerns surrounding FATCA by issuing a landmark ruling that declared the FATCA Agreement unlawful.
The DPA deemed that the current practice of sharing information in the context of FATCA violated privacy rights and protection afforded to Belgian citizens under GDPR and therefore ordered the immediate suspension of data transfers by the Belgian State to the IRS (Internal Revenue Service). In essence, the DPA argued that FATCA compliance breaches multiple articles of the GDPR due to (i) its lack of specific objectives for data transfers as required by the GDPR and (ii) its general and systematic data transfers, breaching the GDPR’s principles of proportionality. The DPA’s decision was reached despite Article 96 GDPR, which provides for an escape in case an international agreement has been concluded prior to the implementation of GDPR (such as the FATCA Agreement), on the condition that such agreement was in conformity with EU legislation applicable at that moment. However, the DPA considered that the standstill effect of the aforementioned provision declines over time and with the evolution of EU law interpretation.
The Belgian tax authorities appealed against the DPA’s decision.
In an interim ruling dated June 28, 2023, the Appeal Court stated that the decision by the DPA indeed prevented the Belgian State from fulfilling its international commitments and reciprocal obligations towards the US and suspended the execution thereof. The Court referenced the Vienna Convention, Belgium’s international reputation, and the risk of losing taxable income if the US, on its turn, also refrained from submitting information to the Belgian State. This interim ruling allowed the Belgian tax authorities to proceed with the data exchange to the IRS under the usual conditions and modalities for 2023.
The Appeal Court, on December 20, 2023, annulled the Belgian DPA’s decision and directed it to reconsider the case with a newly constituted litigation chamber and provide reasoned justification. As of today, the case is still pending awaiting a new decision by the DPA.
Relevance and conclusion
Based on the most recent decision of the Appeal Court at the end of 2023, the automatic data exchange in Belgium will continue under the established conditions outlined in the CRS/FATCA Legislation. The new decision by the DPA is likely to affirm the Appeal Court’s decision.
Nonetheless, the decision by the DPA on May 24, 2023 remains significant as it marks the first instance where a national DPA officially declares FATCA to be in violation of GDPR, prohibiting tax authorities from processing and transmitting data to the IRS.
This is particularly relevant as, internationally, there have been other indications that FATCA might not align with GDPR standards. Slovakia has previously raised concerns about the legality of the FATCA agreement, and ongoing cases in other EU Member States suggest uncertainty regarding FATCA’s conformity with GDPR.
Belgian investment funds, including Private Privaks, face substantial compliance challenges due to the general and systematic scope of FATCA (and CRS). Moreover, these funds must adhere to GDPR requirements. A move towards more stringent FATCA (and CRS) compliance, while also taking into account GDPR’s principles of proportionality and purpose limitation, would therefore be highly beneficial.
***
FATCA reporting remains applicable pending further developments. Private Privaks are expected to submit their next FATCA and CRS filings by the end of June 2024.