APD/GBA (Belgium) - 61/2023

From GDPRhub
APD/GBA - 61/2023
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 5 GDPR
Article 6 GDPR
Article 12 GDPR
Article 13 GDPR
Article 14 GDPR
Article 17(1)(d) GDPR
Article 18(1)(b) GDPR
Article 24 GDPR
Article 35 GDPR
Article 46 GDPR
Article 58(2)(f) GDPR
Article 96 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 24.05.2023
Published:
Fine: n/a
Parties: SPF Finances
National Case Number/Name: 61/2023
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): French
Original Source: DPA/GBA (in FR)
Initial Contributor: n/a

The Belgian DPA ordered a ban on the transfer of tax data of US citizens residing in Belgium to the US. According to the DPA the FATCA agreement, which provides for such transfers, is not in line with the GDPR and the Belgian tax authority should have conducted an impact assessment.

English Summary

Facts

The data subject holds both Belgian and US nationality. Under US tax regulation, he was subject to the US tax system because of his nationality. To collect information and tax from Americans living abroad, the US signed agreements with other countries under the Foreign Account Tax Compliance Act (FATCA). In Belgium this implied that banks were obliged to inform the tax authorities if a US citizen had an account in Belgium.

In May 2020, the bank where the data subject had an account informed him that it was legally obliged to inform the tax authorities that the data subject had an account, as well as his name, address, jurisdiction of residence, tax identification number, date of birth, account balance, account number and other information relating to his bank assets.

On 22 December 2022, the data subject and the Association Accidental Americans of Belgium filed a complaint with the Belgian DPA. The DPA joined the cases. Under Article 17(1)(d) GDPR the data subject requested that the tax authority delete his data obtained on the basis of the FATCA agreement and under Article 18(1)(b) GDPR to limit the processing thereof.

The complainants also requested to stop the exchange of information between the Belgian and US administrations on the basis of the FATCA agreement. They considered that this processing, based on the FATCA agreement, violated Articles 45, 46 and 49 GDPR, the principle of purpose limitation (Article 5(1)(b) GDPR), proportionality and data limitation (5(1)(c) GDPR), storage limitation (5(1)(e) GDPR), transparency (Articles 12 to 14 GDPR) and that an impact assessment should have been carried out (Article 35 GDPR).

The Belgian administration argued that under Article 96 GDPR, the FATCA agreement (and therefore the transfer) was valid. This article states that international agreements existing before the GDPR remain in force provided that they comply with applicable legislation at the time they were concluded.

Following the complaint, the DPA's investigation department investigated and concluded that there was no apparent breach of the GDPR.

Holding

The DPA began by classifying the Belgian tax authority as controller, regardless of the fact that they do not have access to the content of the data they transfer. Financial institutions (banks) were also considered to be controllers.

The DPA then analysed each point raised by the parties.

With regard to Article 96 GDPR, from the point of view of material application, the DPA considered that this article only applies to the content of the agreement and therefore does not prevent the articles of the GDPR from applying. For example, the FATCA agreement contains no information obligation, which does not mean that the controller has no information obligation. From a temporal point of view, the DPA considered that Article 96 GDPR allows rights of third countries under international agreements to be preserved, but this does not imply that these rights are acquired without a time limit. The DPA therefore considered that the Member States should (re)negotiate agreements to make them GDPR compliant. In conclusion, the DPA considered that Article 96 should be interpreted restrictively and that its "standstill effect" is limited. It could therefore “disregard” Article 96 if its application had disproportionate effects on the rights of complainants.

With regard to the principle of purpose limitation, the DPA considered that the purposes of the FATCA agreement are not sufficiently determined. It is therefore not possible to assess the extent to which the data processed is necessary to achieve those purposes.

As regards necessity and minimisation, the DPA held that the mere nationality of the data subjects was not a sufficient criterion in view of the purpose pursued. In this case, the FATCA agreement is not in line with the principle of necessity, proportionality and minimisation. Consequently, the Belgian authority could not rely on either Article 6(1)(c) or 6(1)(e) GDPR for the transfers.

As regards the framework for data transfers to the US, there was no adequacy decision. It was therefore necessary for the international agreement, as the legal basis for the transfer, to include appropriate data protection safeguards under Article 46(2)(a) GDPR. In this case, the DPA found that the agreement contained no definition of data protection, no retention period, no mention of the rights of data subjects and no mention of appeal mechanisms.

The DPA therefore concluded that the Belgian tax authority could not rely on Article 96 GDPR to continue transferring data to the US on the basis of the FATCA agreement when that agreement is not in line with the GDPR.

As regards the obligation to provide information, the Belgian tax authority, as controller, was subject to Articles 13 and 14 GDPR. On its website, the tax authority referred to the FATCA agreement with a general explanation that was not easily accessible or comprehensible. The DPA held that the controller was therefore in breach of Articles 14(1) and (2) and 12(1) GDPR.

With regard to the obligation to carry out an impact assessment, the DPA considered that the transfer of data to the USA involved a high risk for the rights and freedoms of individuals within the meaning of Article 35(1) GDPR. Although expert advice was sought, an impact assessment should have been carried out, which the controller failed to do, in breach of Article 35(1) GDPR.

As regards the accountability principle, the DPA concluded that the controller had failed to demonstrate that it had put in place appropriate measures to ensure compliance with the GDPR. It therefore violated Articles 5(2) and 24 GDPR.

Consequently, on the basis of Article 58(2)(f) GDPR and in accordance with the CJEU's Schrems II case law, the DPA ordered a ban on processing the data subjects data pursuant to the FACTA agreement. The DPA considered that this was the only measure capable of putting an end to the unlawfulness of the processing.

The DPA also held that the controller had breached Articles 5(2), 12(1), 14(1) and (2), 24 and 35(1) GDPR and issued a reprimand to the controller. The DPA also ordered compliance, which consisted of alerting the relevant legislator.

Comment

The Belgian State appealed this decision. The appeal decision is available here : https://www.gegevensbeschermingsautoriteit.be/publications/tussenarrest-van-28-juni-2023-van-het-marktenhof-ar-801-beschikbaar-in-het-frans.pdf

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

A machine translation of the decision, used by the EDPB and obtained via a Freedom of Information request, is linked below. Please refer to the French original for more details.

https://www.asktheeu.org/en/request/13099/response/46215/attach/9/Document%204.pdf?cookie_passthrough=1