knowledge 21 May 2025 |

Belgian DPA Decision Raises Questions over EU-US FATCA Arrangements

Belgium’s Data Protection Authority (the “DPA”) recently held that transfers of personal information relating to U.S. accountholders in Belgian financial institutions by Belgium’s tax authority to the IRS in the U.S. for FATCA purposes are not compliant with the GDPR. While the decision focuses specifically on Belgium’s tax authority’s GDPR compliance measures, it raises broader questions regarding the compatibility with the GDPR of current FATCA arrangements between certain EU Member States and the U.S. (which were generally put in place some time ago and have not been updated recently).  

Pursuant to certain provisions of the U.S. Foreign Account Tax Compliance Act (“FATCA”) a “foreign financial institution” may be required to withhold tax from certain payments it makes to persons that fail to meet certain certification, reporting or related requirements. The purpose of FATCA is to reduce tax evasion and to improve tax compliance in relation to offshore assets held by U.S. resident taxpayers. FATCA imposes a 30% withholding tax on U.S. source income or proceeds unless FATCA documentation requirements are met in full.

Under bilateral intergovernmental agreements entered into between the Government of the United States of America and the Governments of certain EU Member States (an “IGA”), financial institutions in EU Member States will not generally be subject to withholding under FATCA if they comply with local laws that require them to provide the name, address and taxpayer identification number of, and certain other information with respect to, certain accountholders to the competent tax authority in the relevant EU Member State, so that the authority can transfer it to the U.S. Internal Revenue Service (“IRS”). In Belgium, financial institutions provide FATCA information to the Federal Public Service Finance (“FPSF”), which then transfers it to the IRS. Similarly, in Ireland, FATCA information is provided to the Revenue Commissioners of Ireland which then transfers it to the IRS.

Belgian DPA’s Decision

The Belgian DPA decided that the FPSF’s arrangements for transferring the FATCA information it receives from financial institutions in Belgium to the IRS in the U.S. are not compliant with its obligations under the GDPR. Among other things, the Belgian DPA determined that the FPSF’s privacy notice was not sufficient to comply with its transparency obligations under Article 14 of the GDPR and that it had failed to comply with Article 35 of the GDPR since it had not carried out a documented DPIA in relation to this processing activity. 

Of potentially broader significance, the Belgian DPA also held that the FPSF’s arrangements for transferring this personal data to the IRS do not comply with its obligations under Chapter V of the GDPR (which provides for restrictions on transfers of personal data outside the European Economic Area, subject to exceptions). The Belgian DPA held that:

• The IGA in place between the Belgian Government and the Government of the United States of America does not comply with the requirements of Article 46(2)(a) or 49(1)(d) of the GDPR.
• Even though the IGA was entered into before 24 May 2016 and was potentially covered by the grandfathering provision in Article 96 of the GDPR, in the Belgian DPA’s view the IGA was not covered by Article 96 because it was not compliant with applicable data protection law that applied before 24 May 2016 either. In particular, the Belgian DPA determined that the IGA breached the principle of proportionality having regard to the purposes for which personal data is transferred under the IGA.  

The Belgian DPA decided to issue:

• an order to the FPSF under Article 58(2)(d) of the GDPR, requiring it to bring its transfer arrangements into compliance with the GDPR within 12 months.
• a reprimand to the FPSF for its failure to comply with its obligations under the GDPR, including in relation to transparency and the requirement to carry out a DPIA.

This decision is subject to appeal.

A wider EU concern?

The Belgian DPA may be the first EU data protection authority to issue a formal decision on the compatibility of current FATCA arrangements in an EU Member State with requirements under GDPR, but concerns have been expressed elsewhere in the EU. Luxembourg, France and the Netherlands have all had parliamentary questions or regulatory commentary questioning whether current FATCA data transfers are compliant with EU data protection law. The Belgian DPA’s decision could trigger fresh scrutiny of these arrangements, whether by other DPAs, the European Data Protection Board (“EDPB”) or by other interested parties.

What does this mean for financial institutions in Ireland?

In the short term, this decision has no direct impact on anyone other than the FSPS. Financial institutions who are subject to FATCA reporting obligations under EU Member State laws continue to be subject to those obligations.

However, questions may be raised in Ireland and in other EU Member States as to whether FATCA transfers between their competent tax authorities and the IRS are operating on a similar basis to those in Belgium and, if so, whether any changes need to be made to them to ensure they are compliant with GDPR requirements, particularly bearing in mind the evolving case law and enforcement activity regarding Chapter V of the GDPR.  

If DPAs in other EU Member States adopt the same view as the Belgian DPA did in this case, then there may be friction between DPAs and competent tax authorities regarding the application and scope of FATCA regimes pending any updates to the current intergovernmental agreements with respect to FATCA.  Financial institutions who are subject to FATCA reporting obligations will need to consider how best to navigate this in the context of addressing their obligations under applicable laws.