In Decision 79/2025 (the Decision), the Belgian Data Protection Authority (the DPA) reaffirmed that the transfer of Belgian bank account data concerning so-called accidental Americans to the United States under the FATCA regime violates the EU General Data Protection Regulation (GDPR).
The Decision, issued after the Markets Court annulled a previous version of it for insufficiently grounded reasoning, confirms its original findings: FATCA data transfers violate EU rules on proportionality, transparency and international transfers. The Decision also finds that Belgium's Intergovernmental Agreement (IGA) with the US, which implements FATCA, does not qualify for the exemption under Article 96 GDPR for pre-GDPR international treaties, because it already violated EU law when it was adopted. The Belgian federal tax authority (the FPS Finance) must either bring the transfers into compliance or halt them by 24 April 2026.
The Decision comes at a politically sensitive moment. Several other EU data protection authorities are reviewing the compatibility of their own FATCA arrangements with the GDPR. The debate has even reached the Vatican: commentators note that the newly elected Pope Leo XIV, born in the United States, may technically fall within FATCA’s scope if he maintains financial accounts in the eurozone. Meanwhile, concerns persist about the level of protection afforded to personal data transferred to the US under the EU–US Data Privacy Framework.
The implications extend to both financial institutions and public authorities involved in FATCA reporting and intensify calls for an EU-wide reassessment of transatlantic data transfer instruments.
Background
FATCA in Belgium
The Foreign Account Tax Compliance Act (FATCA) is a US law that requires financial institutions worldwide to report information on accounts held by US citizens to the US Internal Revenue Service (IRS). Most countries, including Belgium, implement FATCA through bilateral intergovernmental agreements. Belgium's 2014 FATCA IGA, implemented by the Law of 16 December 2015 (the 2015 Law), requires Belgian banks to identify accounts of US persons and transfer their data to the FPS Finance, which then transfers the data to the IRS on an annual basis.
This reporting obligation also affects so-called accidental Americans: individuals born in the US but who have lived in Europe all their lives and are often unaware that they are considered tax residents under US nationality law.
Complaint and initial Decision 61/2023
On 22 December 2020, the Belgian Accidental Americans Association (AAAB) and one of its members, a Belgian-resident accidental American, lodged a complaint with the DPA. They asked the DPA to order the FPS Finance to erase any personal data already sent to the IRS under FATCA and to halt all current and future FATCA transfers concerning the complainant and other Belgian accidental Americans.
In Decision 61/2023, the DPA upheld the complaint, finding that the transfer of personal data by the FPS Finance to the IRS under FATCA was unlawful. It ordered the FPS Finance to cease such transfers for both the complainant and other Belgian accidental Americans, citing violations of the GDPR’s principles of purpose limitation, necessity, proportionality, and Chapter V transfer rules. The DPA imposed corrective measures and required the FPS Finance to provide proof of compliance within three months.
Appeal to the Markets Court
The FPS Finance filed a claim for suspension and annulment of Decision 61/2023 before the Markets Court. The Markets Court suspended the execution of Decision 61/2023 on 28 June 2023 and annulled it on 20 December 2023, holding that the DPA had not provided sufficient motivation for its decision. Following the annulment, the case was sent back to a newly constituted panel of the DPA’s Litigation Chamber, which issued the revised Decision 79/2025.
Decision 79/2025: key legal findings
In the Decision, the DPA reassessed the GDPR compliance of the FPS Finance’s transfer of personal data to the IRS, structuring its analysis as follows:
‘Grandfathering clause’ (Article 96 GDPR)
The FPS Finance argued that the 2014 FATCA IGA remained valid under Article 96 GDPR, which allows Member States to honour pre-GDPR international agreements — provided those agreements complied with EU law as it stood before the adoption of the GDPR (24 May 2016). The central question was therefore whether the FATCA IGA conformed to Directive 95/46/EC (the predecessor of the GDPR) and the Charter of Fundamental Rights at the time it was concluded.
The DPA held that this standard was not met. Emphasising the controller’s burden of proof under the accountability principle, the DPA found that the FPS Finance had failed to demonstrate that the FATCA IGA met the applicable legal standards. It pointed to fundamental structural deficiencies: FATCA’s nationality-based reporting obligation, its bulk data transmission design, and the lack of safeguards ensuring necessity and proportionality, required under the Charter of Fundamental Rights and Directive 95/46. The DPA therefore held that Article 96 could not be relied upon to justify the ongoing data transfers.
International transfers (Chapter V GDPR)
With Article 96 GDPR deemed inapplicable, the DPA examined whether the FATCA transfers could be justified under the GDPR’s general rules on international transfers under Chapter V (Articles 44–49).
Article 46(2)(a) GDPR – Instrument between public authorities. The FPS Finance relied primarily on Article 46(2)(a), which allows transfers between public authorities based on a legally binding and enforceable instrument, provided it offers ‘appropriate safeguards’, including enforceable data subject rights and effective remedies.
The DPA acknowledged that a bilateral agreement like the FATCA IGA could, in principle, fall under this provision. However, it identified several shortcomings:
- Lack of data protection safeguards. The FATCA IGA is silent on privacy protections and includes no provisions to ensure compliance with EU data protection standards.
- Proportionality. The FATCA IGA requires reporting on all US persons regardless of individual circumstances or actual risk of tax fraud. The DPA found this to be inconsistent with the GDPR's purpose limitation and data minimisation principles.
- No retention limits. The 2015 Law imposes a 7-year retention period on the FPS Finance, but this does not bind the IRS. Once data is transferred to the US, the FATCA IGA imposes no corresponding deletion obligation. The DPA found this breached the GDPR’s storage limitation principle.
- Lack of enforceable rights. The agreement does not allow data subjects to access, correct, or seek redress for their data once processed by the IRS. The DPA found this incompatible with the requirement of enforceable rights and remedies under Article 46.
Article 49(1)(d) GDPR – Public interest derogation. As no adequate safeguards were found, the DPA considered whether the exception under Article 49(1)(d) could apply, allowing transfers necessary for important public interests. It concluded that this derogation was inapplicable. FATCA transfers are neither occasional nor exceptional; they occur annually, on a large scale, and form part of a systematic framework. The DPA emphasised that Article 49 derogations are not intended to legitimise ongoing large-scale transfers.
Accordingly, the DPA found that the FATCA transfers infringed the GDPR provisions on international data transfers.
Transparency obligations (Articles 12 and 14 GDPR)
Articles 12 and 14 GDPR require data controllers to provide clear, comprehensive information to data subjects when processing personal data obtained indirectly. This information must specify the processing purposes, data categories, and potential recipients. Though banks had provided disclosures to their customers, the DPA ruled this did not exempt FPS Finance from its responsibilities as data controller — responsibilities it had failed to fulfil by neither publishing a privacy notice for FATCA-related processing nor implementing other transparency measures.
The DPA therefore concluded that the FPS Finance breached its independent transparency obligations under Articles 12 and 14 GDPR.
Data Protection Impact Assessment (Article 35 GDPR)
No DPIA was conducted by the FPS Finance when FATCA was implemented, as Belgium’s IGA predates the GDPR and Directive 95/46 did not contain an equivalent obligation. However, under Article 35 GDPR, controllers must assess existing processing operations involving high risks, even if initiated before 2018.
The FPS Finance argued that no DPIA was required, citing technical safeguards and a legal basis in Belgian law. It also claimed that a preliminary assessment by its DPO had concluded that no DPIA was required. The DPA rejected this defence on three grounds:
- No documentary evidence. The FPS Finance could not produce the preliminary assessment.
- Legislation alone is not enough. Under Article 35(10) GDPR, the DPIA requirement is only waived if the legislation itself contains a detailed impact assessment and fully regulates the processing. The 2015 Law does not do this.
- High risk criteria remain. Applying the risk indicators in the EDPB Guidelines, the DPA found that the FATCA transfers were inherently high risk and required a DPIA post-2018.
The Decision confirms that a legal obligation to process data does not override the requirement to assess and document risks where processing remains high-risk in practice.
Accountability (Articles 5(2) and 24 GDPR)
The DPA concluded that the FPS Finance had breached its accountability obligations under Articles 5(2) and 24 GDPR. It highlighted that the FPS Finance had failed to document key compliance steps — such as the legal analysis supporting reliance on Article 96, the safeguards applicable to international transfers, and the preliminary assessment allegedly carried out by its DPO. The absence of this documentation meant that the FPS Finance could not demonstrate that its processing complied with the GDPR.
Corrective measures ordered
Under Article 221, §2 of the Belgian Data Protection Act of 30 July 2018, public bodies are exempt from GDPR fines in Belgium. Therefore, the Litigation Chamber issued a formal reprimand and ordered the FPS Finance to implement corrective measures within one year:
- Achieve GDPR-compliant transfers. The FPS Finance must align data transfers with the requirements of the GDPR. This may require negotiating amendments or additional safeguards in the FATCA framework in cooperation with the US IRS.
- Transparency. The FPS Finance must publish a notice about the FATCA data transfers on its website, informing data subjects in accordance with Articles 12(1) and 14 GDPR. This will likely take the form of a dedicated privacy notice addressing FATCA processing.
- Conduct a DPIA. The FPS Finance must conduct a DPIA for the FATCA processing. Notably, the DPA stated that, even though the GDPR does not require DPIAs to be published, in this case the FPS Finance should consider publishing at least a summary or conclusion of the DPIA to demonstrate its commitment to transparency and accountability.
Divergent approaches in other Member States
The Belgian DPA’s rejection of Article 96 GDPR stands in contrast with the positions taken by other EU data protection authorities and courts. The regulatory picture remains fragmented:
- In France, the CNIL took the opposite view to the Belgian DPA in response to a similar complaint from the AAAB, finding that the French FATCA IGA was compatible with the GDPR. It accepted that the agreement qualified for the ‘grandfathering’ exemption under Article 96 GDPR. This position was upheld by the French Council of State on 30 January 2024.
- Luxembourg's Administrative Court upheld FATCA transfers on 13 December 2024, also relying on Article 96 GDPR.
- In Germany, the Federal Commissioner for Data Protection (BfDI) has not initiated enforcement. A Bundestag research note records the BfDI's position that FATCA qualifies as a pre-2016 treaty and therefore "remains in force under Article 96".
- In the Netherlands, the Dutch DPA has not taken a formal position. In a May 2023 letter to Parliament, the Finance State‑Secretary confirmed that the Dutch AP is "assessing privacy aspects of the current FATCA data exchange".
- In Slovakia, the supervisory authority issued a non-binding opinion in 2021 that its FATCA IGA breaches GDPR principles on purpose limitation, proportionality and international data transfers.
These divergent outcomes strengthen the Belgian DPA’s call for a coordinated EU-level position. The European Data Protection Board has previously urged Member States to review international agreements involving personal data transfers, notably in Statement 01/2019 and Statement 04/2021. However, no harmonised approach has yet emerged.
Next steps and implications
The Decision is the first published enforcement decision to explicitly reject the application of Article 96 GDPR to a pre-2016 intergovernmental agreement. By holding that the Belgian FATCA IGA fails to meet the GDPR’s requirements on proportionality, data subject rights, and international transfers, the DPA has created a reference point likely to influence how other supervisory authorities and courts assess similar treaties.
An appeal before the Markets Court by 24 May 2025 is expected, given the 2023 annulment, and could lead to preliminary questions being referred to the Court of Justice of the European Union. A confirmation by the Markets Court would significantly raise pressure for a renegotiation of FATCA agreements at EU level or coordinated technical adjustments.
More immediately, financial institutions should anticipate further scrutiny of their role in FATCA data chains. Although the DPA’s order is directed at the FPS Finance, its reasoning, particularly on DPIAs, transparency obligations, and international data transfers, signals broader expectations of all actors involved in such processing. Financial institutions should assess how their own reporting practices interact with these obligations.
Beyond FATCA, the Decision sets out a structured approach for assessing the GDPR compliance of large-scale, government-led data transfers involving sensitive financial or identity information. Similar issues of proportionality, transparency, and redress may arise in the context of anti-money laundering (AML) and prevention of terrorism reporting regimes, sanctions reporting regimes, Passenger Name Record (PNR) systems, or the OECD’s upcoming Crypto-Asset Reporting Framework. As supervisory authorities intensify scrutiny of institutional data-sharing frameworks, both public and private actors should expect to justify the necessity and proportionality of such processing through specific, documented assessments.