APD/GBA (Belgium) - 61/2023: Difference between revisions

From GDPRhub
Revision as of 15:15, 31 May 2023

APD/GBA - 61/2023
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5 GDPR; Article 6 GDPR; Article 12 GDPR; Article 13 GDPR; Article 14 GDPR; Article 17(1)(d) GDPR; Article 18(1)(b) GDPR; Article 24 GDPR; Article 35 GDPR; Article 46 GDPR; Article 58(2)(f) GDPR; Article 96 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 24.05.2023
Published:
Fine: n/a
Parties: SPF Finances
National Case Number/Name: 61/2023
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: DPA/GBA (in FR)
Initial Contributor: n/a

The Belgian DPA ordered a ban on US transfers of tax data of Americans residing in Belgium under the FATCA agreement. The DPA considered that this agreement did not comply with the GDPR and that the Belgian tax authority should have conducted an impact assessment.

English Summary

Facts

A data subject had both Belgian and American nationalities. Under US tax regulation, he was subject to the US system because of his nationality. To collect information and tax Americans living abroad, the USA signed agreements with other countries under the Foreign Account Tax Compliance Act (FATCA). In Belgium, this implied that banks were obliged to inform the tax authorities if a US citizen had an account in Belgium.

In May 2020, the bank where the data subject had an account informed him that it was legally obliged to inform the tax authorities that the data subject had an account, as well as his name, address, jurisdiction of residence, tax identification number, date of birth, account balance, account number and other information relating to his banking assets.

On 22 December 2022, the data subject and the Association Accidental Americans of Belgium filed a complaint with the Belgian DPA. Under Article 17(1)(d), the data subject asked the tax authorities to delete his data obtained on the basis of the FATCA agreement and under Article 18(1)(b) to limit the processing thereof.

The complainants also requested to stop the exchange of information between the Belgian and US administrations on the basis of the FATCA agreement. They considered that this processing, based on the FATCA agreement, violated Articles 45, 46 and 49 GDPR, the principle of purpose limitation (Article 5(1)(b) GDPR), proportionality and data minimisation (Article 5(1)(c) GDPR), storage limitation (Article 5(1)(e) GDPR), transparency (Articles 12 to 14 GDPR) and that an impact assessment should have been carried out (Article 35 GDPR).

The Belgian administration argued that under Article 96 GDPR, the FATCA agreement (and therefore the transfer) was valid. This article states that international agreements existing before the GDPR remain in force provided that they comply with applicable legislation at the time they were concluded.

Following the complaint, the DPA's investigation department investigated and concluded that there was no apparent breach of the GDPR.

Holding

The DPA began by classifying the Belgian tax authorities as controllers, regardless of the fact that they do not have access to the content of the data they transfer. Financial institutions (banks) were also considered to be controllers.

The DPA then analysed each point raised by the parties.

With regard to Article 96 GDPR, from the point of view of material application, the DPA considered that this article only applies to the content of the agreement and therefore does not prevent the articles of the GDPR from applying. For example, the FATCA agreement contains no information obligation, but that does not mean that the controller has no information obligation. From a temporal point of view, the DPA considered that Article 96 allows the rights of third countries under international agreements to be preserved, but this does not imply that these rights are acquired without a time limit. The DPA therefore considered that, as part of their duty of loyalty, the Member States should (re)negotiate such agreements to make them GDPR-compliant. In conclusion, the DPA considered that Article 96 should be interpreted restrictively and that its standstill effect is limited. It could therefore "disregard" Article 96 if its application had disproportionate effects on the rights of the complainants.

With regard to the principle of purpose limitation, the DPA considered that the purposes of the FATCA agreement are not sufficiently determined in that they do not make it possible to assess the extent to which the data processed is necessary to achieve those purposes.

As regards necessity and minimisation, the DPA held that the mere nationality of the data subjects was not a sufficient criterion in view of the purpose pursued. In this case, the FATCA agreement therefore did not comply with the principle of necessity, proportionality and minimisation. Consequently, the Belgian authority could not rely on either Article 6(1)(c) or 6(1)(e) for the transfers.

As regards the framework for data transfer, there was no adequacy decision. It was therefore necessary for the international agreement, as the legal basis for the transfer, to include appropriate data protection safeguards under Article 46(2)(a). In this case, the DPA found that the agreement contained no definition of data protection, no retention period, no mention of the rights of data subjects and no mention of appeal mechanisms.

The DPA therefore concluded that the Belgian tax authority could not rely on Article 96 GDPR to continue transferring data to the USA on the basis of the FATCA agreement when that agreement did not comply with the GDPR.

As regards the obligation to provide information, the Belgian tax authority, as controller, was subject (without the derogation provided for in Article 14(5)) to Articles 13 and 14 GDPR. On its website, the controller referred to the FATCA agreement with a general explanation that was not very accessible or comprehensible. The DPA held that the controller was therefore in breach of Articles 14(1) and (2) and 12(1) GDPR.

With regard to the obligation to carry out an impact assessment, the DPA considered that the transfer of data to the USA involved a high risk for the rights and freedoms of individuals within the meaning of Article 35(1) GDPR. Although expert advice was sought, an impact assessment should therefore have been carried out, which the controller failed to do, in breach of Article 35(1) GDPR.

As regards the accountability principle, the DPA concluded that the controller had failed to demonstrate that it had put in place appropriate measures to ensure compliance with the GDPR. It therefore violated Articles 5(2) and 24 GDPR.

Consequently, on the basis of Article 58(2)(f) GDPR and in accordance with the CJEU's Schrems II case law, the DPA ordered a ban on processing the data subject's data pursuant to the FATCA agreement. The DPA considered that this was the only measure capable of putting an end to the unlawfulness of the processing.

The DPA also held that the controller had breached Articles 14(1) and (2), 12(1), 35(1), 5(2) and 24 GDPR and issued a reprimand to the controller. The DPA also ordered compliance, which consisted of alerting the relevant legislator.

Comment


Further Resources


English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.