Banner2.png

Cour Administrative - 49701C

From GDPRhub
Cour Administrative - 49701C
Courts logo1.png
Court: Cour Administrative (Luxembourg)
Jurisdiction: Luxembourg
Relevant Law: Article 2(2)(b) GDPR
Article 2(2)(d) GDPR
Article 4(1) GDPR
Article 17(3)(b) GDPR
Article 18(1)(b) GDPR
Article 96 GDPR
Article 25 and 26 of Directive 95/46 EC
Article 267 (3), of the Treaty on the Functioning of the European Union (TFUE)
Art. 11 of the Luxembourg Constitution
Luxembourg law of the 1st August 2018 about the organisation of the Commission Nationale pour la Protection des Données (CNPD, the Luxembourg data protection supervisory authority) and the implementation of Regulation (EU) 2016/679 replacing Directive 95/46 EC
Luxembourg law of the 2nd August 2002 about the implementation of Directive 95/46 EC
LuxembourgForeign Account Tax Compliance Act « loi du 24 juillet 2015
Decided: 12.12.2024
Published: 13.12.2024
Parties: ASBL AA and B v. Direct Tax Administration (ACD)
National Case Number/Name: 49701C
European Case Law Identifier: LU:CADM:2024:49701
Appeal from: Administrative Tribunal (Luxembourg)
45851
Appeal to: Unknown
Original Language(s): French
Original Source: https://ja.public.lu/45001-50000/49701C.pdf (in French)
Initial Contributor: lszabo

The Court held that personal data transfer to the US based on the FATCA agreement is lawful, as it is based on a derogation in Directive 95/46 (public interest) and it remained lawful at the entry into force of the GDPR, as per Article 96 GDPR.

English Summary

Facts

On 19 May 2020, a Luxembourg bank informed the complainant that, by 30 June 2020, they would transmit the complainant's bank account information to the Luxembourg fiscal authorities. Afterwards, by latest the 30th September 2020, the Luxembourg fiscal authorities will share this information with the US fiscal authorities.

The complainant, a French and American citizen connected to the association for the protection of civil rights ASBL, turned to the Luxembourg direct Tax Office (hereinafter: ACD), explaining that the data to be transferred on the basis of the FATCA concern identification, financial and economic data, i.e. personal data as defined in the GDPR.

Thus, the complainant requested the ACD to erase the personal data and immediately discontinue the exchange of information between the ACD and the American fiscal authorities.

The director of the ACD rejected this request, stating that the ASBL is not a data subject and the processing of the personal data of the complainant was necessary to respect the Luxembourg FATCA Agreement law to which the ACD is subject, Thus, in their view the request to restrict processing is not justified.

The complainant turned to the Luxembourg Administrative Tribunal, which rejected the injunctive request to suspend the information sharing with the US fiscal authorities. The Tribunal also declared itself entitled neither to decide on the decision of the ACD, nor to invalidate it.

As to the merit, the Tribunal found the request for invalidation unfounded, rejecting the request for a reimbursement and ordering the complainant to pay the costs.

The ACD challenged the receivability of appeal.

Holding

In relation to the GDPR-related questions, the court held the following.

  • Whether the GDPR was applicable to the data transfer

With regards to the applicability of the GDPR and the law of the 1st August 2018 about the organisation of the Commission Nationale pour la Protection des Données (CNPD, the Luxembourg data protection supervisory authority) and the implementation of Regulation (EU) 2016/679 replacing Directive 95/46 EC and the law of the 2nd August 2002 about the implementation of said directive.

The subject of the case is neither direct prevention, detection and prosecution of criminal activities (when Directive (EU) 2016/680 would apply), nor is it within the area of the Common Foreign and Security Policy (which is exempt from the application of the GDPR), therefore the GDPR applies.

In respect of the prevention, detection and prosecution of criminal activities, Directive (EU) 2016/680 would only apply if the data controller were a competent authority. These authorities are only authorities of law enforcement, and the tax office is not one of them.

The processing in question in the case at hand concerns the exercise of the rights of Member States in the area of taxation, in particular the mutual cooperation in tax matters through the automatic exchange of information.

  • Whether the FATCA Agreement was valid in the light of the GDPR

In interpreting the GDPR related to the case, the court found furthermore, that Article 96 GDPR applies, i.e. as an existing international treaty, the FATCA Agreement is valid even if it contradicts the GDPR. As the FATCA Agreement was signed the 28th March 2014 and enacted by the law of the 24th July 2015, it was concluded before the GDPR entered into force and is thus covered by Article 96 of the GDPR. There is also no stipulation which would require – contrary to what the appellants state – to modify the FATCA Agreement in view of the GDPR.

The primacy of international law over the national law, which is enshrined in Luxembourg law, in case when there is a conflict between rules of an international treaty and those in national law, even a posteriori (i.e. when the rules of national law are adopted after the entry in force of the international treaty), the international norm has precedence over the national norm. Thus, in case of a hypothetical contradiction with the law of the 2nd August 2002, the FATCA Agreement would prevail.

  • Whether the transfer of personal data to the US should have been preceded by a Transfer Impact Assessment and whether the transfer to the US was lawful

Concerning the further two questions proposed to be asked from the CJEU, the court was of the opinion that these were not necessary to decide the present case.

Given that Article 96 GDPR applies, the legality the decision of the director of ACD of the 22nd March 2021, having refused to stop the transfer of the personal data provided by the Luxembourg financial institutions through the automatic exchange of information to the fiscal administration of the United States in the framework of the FATCA Agreement has thus to be examined exclusively in the light of the Directive 95/46 EC, as this directive remains in force (due to Article 96 GDPR) as the only legal reference to judge the lawfulness of the measure, as no withdrawal or modification of FATCA Agreement was necessary.

Articles 25 and 26 of Directive 95/46 EC are the rules to be taken into account as specific rules as the automatic exchange of information according to FATCA Agreement is a transfer of personal data to third countries, and these rules are part of chapter IV of Directive 95/46 EC, entitled “transfer of personal data to third countries”.

The appellants claim that in this respect, ACD should have investigated the adequate level of protection in the US. However, in Mémorial (the Luxembourg official journal), series A n° 156 of the 10th August 2015 (p. 3796) establishes that "the conditions of entry into force of the agreement about the exchange of notes indicated above (i.e. the exchange of notes regarding FATCA Agreement, signed the 31st March and 1st April 2015) being fulfilled the 29th July 2015, the said acts entered into force between the Contracting Parties the 28th July 2015, according to Article 10 of the Agreement. Thus, the State had sufficient elements of information to conclude that the exchanged data remain confidential, will be used for fiscal purposes and will be processed by infrastructures which ensure such confidentiality. Thus, the State did not find any elements to doubt in this regard at that point.

Article 26 (1), point d Directive 95/46 authorises Member States to foresee or authorise transfers of personal data to a third country also when the legal system of this latter does not ensure an adequate level of protection, namely in the case when this transfer is necessary for the concerned Member State to preserve an important public interest. This stipulation has to be understood as giving Member States a certain freedom of manoeuvre concerning the content of the notion of important public interest which they consider justifying the transfer of personal data to third countries which do not guarantee an adequate level of protection, given that the interests which merit protection are not entirely the same in the different Member States.

In general, the State rightly argues that the CJEU recognised the fight against aggressive tax planning and the prevention of risk of tax avoidance and tax fraud as objectives in the general interest recognised by the Union which can justify the restriction of rights guaranteed in the Charter of Fundamental Rights (judgment of the 8th December 2022, case C-694/20, Orde van Vlaamse Balies e.a. and of the 29th July 2024, case. C-623/22, Belgian Association of Tax Lawyers). The transfer of information serves this objective.

The appellants contest nevertheless this analysis, referring to the Guidelines 2/2020 the EDPB according to which the derogations should be interpreted narrowly and concern mainly occasional and on-repetitive transfers but cannot justify transfers on a large scale, as foreseen in the FATCA Agreement. This restriction does not, however, stem from Article 26 (1), point d of Directive 95/46 EC, neither from the relevant Recitals of Directive 95/46 EC. Even if the EDPB has a certain role in the harmonised application of the Directive 95/46 EC and afterwards of the GDPR by all member States, its analysis in its guidelines is not binding.

The appellants also claim that there should be a similar provision of information from the US fiscal authorities to the European authorities. Nevertheless, such a requirement of reciprocity is not required neither from Article 26 (1), point d), nor from the recitals of Directive 95/46 EC. Even when such a reciprocity corresponds a certain logic of cooperation, such a logic is in political domain but does not influence the interpretation of a rule of Union law.


Based on the above considerations, the court considers that the execution of the FATCA Agreement and of the law of the 24th July 2015 by the ACD is lawful based on Article 26 (1) point d), of Directive 95/46 EC, even when the US does not guarantee and adequate protection of personal data pursuant to Article 25 (1), of Directive 95/46 EC. Therefore, the arguments of the appellants to the contrary have to be rejected.

This analysis is also sufficient to support that there is no need to request a preliminary ruling from the CJEU.

Therefore, the Administrative Court of Luxembourg rejected the appeal.

Comment

The case is important as it deals with lawfulness of international agreements which were in force at the entry into force of the GDPR, with the interpretation of the public interest derogation and also pronounces an opinion on the force of EDPB guidances.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details. 

the tax administration of
GRAND-DUCHÉ DE LUXEMBOURG
COUR ADMINISTRATIVE
Roll number: 49701C
ECLI:LU:CADM:2024:49701
Registered on 13 November 2023
2
Grand Duchy of Luxembourg and that of the United States of America pursuant to the “Foreign Account Tax Compliance Act” approved by a law of 24 July 2015, received the principal appeal for annulment in form, in substance, the said unjustified and therefore, dismissed the applicants, rejected the request for allocation of a procedural indemnity of 5,000 euros made by the applicants and ordered the latter to pay the costs and expenses of the proceedings;
Having regard to the response brief of Mr. Government Delegate Sandro LARUCCIA filed with the registry of the Administrative Court on 12 December 2023; Having regard to the reply brief filed with the registry of the Administrative Court on 15 January 2024 by Maître Vincent WELLENS on behalf of the limited liability company NAUTADUTILH AVOCATS LUXEMBOURG s.à r.l., on behalf of the appellants;
Having regard to the documents submitted in the matter and in particular the judgment under appeal;
The rapporteur heard in his report, as well as Maître Vincent WELLENS and Mr. Government Delegate Eric PRALONG in their respective pleadings at the public hearing on 29 February 2024.
----------------------------------------------------------------------------------------------------------------
Mr. (B) is a French resident who considers himself to be an “accidental” American, namely a person who possesses both French and American nationality and who has been automatically granted American nationality solely by virtue of his birth in the territory of the United States without having any other significant connection with that country. By letter dated 19 May 2020, a Luxembourg bank informed him that by 30 June 2020 at the latest, it would transmit to the Luxembourg tax authorities information relating to the bank account opened by him with said bank and that by 30 September 2020 at the latest, the Luxembourg tax authorities would communicate this data to the US tax authorities, in accordance with the amended law of 24 July 2015 approving the Agreement between the Government of the Grand Duchy of Luxembourg and the Government of the United States of America to improve compliance with tax obligations internationally and relating to the provisions of the United States of America concerning the exchange of information commonly known as the “Foreign Account Tax Compliance Act”, hereinafter respectively referred to as the “law of 24 July 2015” and the “FATCA agreement”. By letter dated 22 December 2020 from their joint representative, the non-profit association under French law (AA), hereinafter the “(AA)”, and Mr (B) contacted the Direct Contributions Administration, hereinafter the “ACD”, to point out that the data to be exchanged under the FATCA agreement would include “largely identification data, as well as data of an economic and financial nature” which would constitute personal data within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of data, and repealing Directive 95/46/EC, hereinafter the “GDPR”. They therefore asked him "(…) to erase the personal data of the French accidental [A]mericans and Mr. (B) obtained under the FATCA Agreement, or even to limit their processing and, in any event, to immediately stop the exchange of information between the ACD and the American tax authorities taking place each year on the basis of the Agreement and, for the year 2019, before December 31, 2020, insofar as this transfer of data disregarded several key principles of the right to the protection of personal data, as applicable
3
in the Grand Duchy of Luxembourg and, more generally, within the European Union. (…)". By decision of March 22, 2021, the director of the ACD, hereinafter the “director”, rejected this request in the following terms:
“(…) I hereby return to your letter under the heading received on December 22, 2020 conveying on behalf of the (AA), whose purpose is to defend and represent the interests of persons of Franco-American nationality who reside outside the United States, as well as Mr. (B), several requests to exercise rights granted by the General Data Protection Regulation (GDPR) to the persons concerned.
Your client, the (AA), has its registered office in Paris and its purpose is to defend the interests of natural persons of Franco-American nationality residing outside the United States, against the harmful effects of the extraterritorial nature of American legislation. The (AA) is not to be considered a person concerned within the meaning of the GDPR, that is to say an identified or identifiable natural person. Since the GDPR limits the circle of beneficiaries of GDPR rights to the persons concerned only, I am not in a position to respond favourably to your requests on behalf of the (AA).
You also exercise GDPR rights on behalf of the French accidental Americans. However, since the wording "French accidental Americans" alone does not allow the Direct Contributions Administration (ACD) to identify the persons concerned by its own means in a precise manner and since you do not provide any information for their certain identification, I inform you that in application of Article 12(2) GDPR I regret not being able to respond favourably to your requests concerning the French accidental Americans.
Regarding the exercise of the right to erasure on behalf of Mr. (B), I inform you that pursuant to Article 17(3b) GDPR I cannot grant it since the processing of Mr. (B)'s personal data is necessary for compliance with the amended law of 24 July 2015 relating to FATCA to which the data controller is subject.
Regarding the exercise of the right to limit processing on behalf of Mr. (B), I inform you that Article 18(1b) cited does not apply since the processing is necessary for compliance with the amended law of 24 July 2015 relating to FATCA.
If desired, a complaint may be sent to the supervisory authority:
National Commission for Data Protection
15, Boulevard du Jazz,
L-4370 Belvaux.
Alternatively, a legal appeal may be filed. (…)”. By application filed with the registry of the administrative court on April 2, 2021 and registered under number 45851 of the list, the (AA) and Mr. (B) brought an appeal seeking the annulment, if not the reformation, of the aforementioned directorial decision of March 22, 2021.
By application filed with the registry of the administrative court on August 31, 2021, registered under number 46416 of the list, Mr. (B) requested the suspension of the communication of the
4
data concerning him to the American tax authorities until the court had ruled on his appeal of April 2, 2021. This application for the establishment of a safeguard measure was dismissed by an order of the president of the administrative court of September 24, 2021.
By judgment of September 29, 2023, the court declared itself incompetent to hear the subsidiary appeal for reformation directed against the director's decision of March 22, 2021, granted the principal appeal for annulment in form, in substance, the said unjustified and therefore dismissed the applicants, rejected their request for the allocation of procedural compensation of 5,000 euros and ordered them to pay the costs and expenses of the proceedings.
By application filed with the registry of the Administrative Court on 13 November 2023, entered under number 49701C of the roll, the (AA) and Mr (B) appealed this judgment.
I. As to the admissibility of the appeal
The State points out that the judgment under appeal dates from Friday 29 September 2023 and that the appeal was only filed on 13 November 2023, i.e. 45 days later. Consequently, according to the State, the appeal should be declared inadmissible due to being out of time.
Under Article 38 of the amended law of 21 June 1999 on the rules of procedure before administrative courts, hereinafter the “law of 21 June 1999”, the time limit for lodging an appeal against judgments of the administrative court is, under penalty of foreclosure, forty days and it runs for all parties from the day on which the judgment is notified to them by the registry of the court of first instance. Furthermore, according to Article 5 of the European Convention on the computation of time limits, signed in Basel on 16 May 1972 and approved by a law of 30 May 1984, “where the dies ad quem of a time limit before the expiry of which an act must be performed is a Saturday, a Sunday, a public holiday or a holiday regarded as such, the time limit shall be extended so as to include the first working day that follows”. In this case, it is clear from the postal receipt that the notification of the judgment was made on 3 October 2023. The time limit for filing an appeal therefore began to run on 3 October 2023 and the last day of said time limit was postponed to Monday 13 November 2023, 11 November 2023, the fortieth day from the notification, being a Saturday. The appeal was therefore lodged within the legal time limits.
Consequently, since the appeal is admissible ratione temporis, the State's argument of inadmissibility must be rejected as unfounded. The State then raises the inadmissibility of "the present appeal" "for lack of quality, or even lack of interest" on the part of the (AA), relying on Articles 79 and 80 of the GDPR, Articles 2, 5 and 6 of the amended French law of 1 July 1901 relating to the association contract and the principle according to which "no one pleads by proxy".
This argument of the State seeking to challenge the admissibility of the appeal at first instance insofar as it was brought by the (AA), it is to be examined in the section of the judgment relating to the merits of the case. Indeed, on appeal, the question of the admissibility of the appeal at first instance is a question relating to the merits of the case on appeal.
Since the appeal was brought in accordance with the forms and time limits of the law, it is admissible.
5
II. As to the merits
The appellants consider that the administrative court:
- wrongly dismissed their argument based on a lack of motivation for the appealed directorial decision;
- wrongly considered that the GDPR was not applicable;
- wrongly refused to find that there was a violation of Article 11, paragraph (3), of the Constitution in its numbering prior to 1 July 2023 and of the corresponding provision of the revised Constitution;
- should have annulled, if not reformed, the Director's decision of 22 March 2021 for lack of motivation for this decision and violation of several key provisions and principles of the GDPR and Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, hereinafter "Directive 95/46", or even of the Constitution.
Furthermore, they ask the Court to refer several preliminary questions to the Court of Justice of the European Union, hereinafter the "CJEU", as well as a preliminary question to the Constitutional Court. Since the Court is not bound by the order of the arguments in which they were submitted to it and has the power to assess them in accordance with the proper administration of justice and the useful effect that results from them, it is appropriate to examine first, in accordance with sound legal logic, the question of the admissibility of the appeal at first instance insofar as it was brought by the (AA).
A. As to the interest in bringing proceedings of the (AA)
As indicated above, the State challenges the admissibility of the appeal at first instance insofar as it was brought by the (AA). In the appeal proceedings, the State may validly bring this question of admissibility back into the debate as a means of defence of the respondent without filing an incidental appeal against the judgment, the operative part of which does not cause it any grievance, in view of the dismissal on the merits of the appeal of the applicants.
The Court is however led to reject this argument. Indeed, the first judges were right to point out that groups regularly constituted in the form of a foundation or non-profit association, which intend to seek legal redress for the damage to the collective interests they defend, are permitted to act as long as the collective action is dictated by a specific corporate interest and that these collective actions are intended to benefit all of the partners. The court also rightly noted that (i) the (AA) has a distinct corporate interest that is not the same as the general interest, given that it defends, through the disputed application and the appeal under review, the interest of all its members, namely accidental French Americans with a bank account in Luxembourg, against the application of the FATCA agreement resulting in the transmission of its members' banking information, via Luxembourg financial institutions and the ACD, to the American tax authorities, and that (ii) said action falls within the corporate purpose of the (AA), as defined in Article 2 of its statutes, according to which its aim is "(…) the defense of the interests of Franco-American individuals who reside outside the United States, against the harmful effects of the extraterritorial nature of American legislation. (…)". 6
Consequently, the trial court judges were right to conclude that the (AA) has an interest in bringing proceedings against the contested directorial decision of 22 March 2021 and to reject the related plea of inadmissibility. It is therefore appropriate to also reject the said plea on appeal.
Still in accordance with good legal logic, it is now appropriate to examine the appellants' plea relating to the external legality of the director's decision of 22 March 2021 before those relating to its internal legality. B. As to the alleged lack of motivation for the disputed directorial decision
1. Arguments of the parties
According to the appellants, in the absence of adequate motivation, the director's decision of 22 March 2021 violates Article 6 of the Grand-Ducal Regulation of 8 June 1979 relating to the procedure to be followed by administrations under the State and the municipalities, hereinafter the "Grand-Ducal Regulation of 8 June 1979". Indeed, the directorial decision is extremely succinct and does not contain a position on all the requests made by them and all the violations they allegedly invoked. Consequently, in accordance with case law, this manifest lack of motivation should lead to the annulment of the disputed directorial decision.
For its part, the State has not specifically taken a position on this point, but requests in the operative part of its response the confirmation of the contested judgment "in its entirety".
2. Analysis by the Court
It should first be noted that while Article 5 of the law of 1 December 1978 regulating non-contentious administrative procedure excludes the application of this law and its implementing regulations, in particular the Grand-Ducal Regulation of 8 June 1979, to the matter of direct contributions, this exclusion is justified in the parliamentary proceedings relating to this law by the consideration that "the matter [is] the subject of exhaustive regulation that respects the rights of the taxpayer" (draft law regulating non-contentious administrative procedure, doc. parl. 2209, p. 5) and the term direct contributions refers to taxes falling under the procedural law created by a specific law, the General Tax Law of 22 May 1931, known as the "Abgabenordnung", abbreviated to "AO" (Jean OLINGER, La procédure administrative non contentieuse, 1992, éd. St-Paul, No. 177). Consequently, the legislator has recognised the exclusive applicability of the AO in matters of direct taxes and provided for the exclusion of the matter governed by it from the scope of rules deemed to constitute common law in administrative matters.
However, Article 4, paragraph (2) of the law of 24 July 2015 expressly provides that the ACD “has the same powers of investigation as those implemented in the context of taxation procedures aimed at setting or controlling taxes, duties and charges, with all the guarantees provided for therein”.
To the extent that this provision makes applicable in matters of exchanges based on the FATCA agreement all the provisions of domestic law which define the powers and obligations of the ACD in the exercise of its own powers in matters of direct taxes, including necessarily those of the AO, the same provision means that the provisions of the law of 1 December 1978 and the Grand-Ducal regulation of 8 June 1979 cannot be applied in this matter of exchanges based on the FATCA agreement. 7
It follows that the appellants’ argument must be dismissed insofar as it is based on Article 6 of the Grand-Ducal Regulation of 8 June 1979.
For the sake of completeness, the Court agrees with the finding of the trial judges that in this case, the decision under appeal is reasoned both in fact and in law, since it expressly refers to the appellants’ factual situation and states that the processing of personal data in dispute would be necessary to comply with the law of 24 July 2015, so that the request of the (AA) and Mr (B) cannot be granted. The reasoning provided by the Director, although succinct, allowed the appellants to ensure the defence of their interests with full knowledge of the facts.
The court was therefore right to reject the appellants’ argument based on a failure to state reasons.
C. As to the applicability of the GDPR
1. Grounds of appeal of the parties
The appellants criticise the administrative court for having rejected, on the basis of Article 2(2)(a) of the GDPR, the application of this Community regulation in this case. However, State activities in tax matters are clearly not covered by the exception provided for in this article, which is to be interpreted strictly and is limited to State activities in the context of national security, as the CJEU pointed out in its judgment of 22 June 2021 in the case of B v. Latvijas Republikas Saeima (case C-439/19).
Moreover, the European Commission and the European Data Protection Board (also known by its English name European Data Protection Board or acronym EDPB) have reportedly stated that international agreements for the automatic exchange of data in tax matters should be reviewed in light of the GDPR and the Belgian data protection authority has reportedly stated, in a case similar to the present one, that data transfers carried out under the FATCA agreement were illegal. The appellants argue that the State party would never have invoked the above-mentioned exception and that, if so, it would be appropriate to refer the following preliminary question to the CJEU:
“Does Article 2(1)(a) [read Article 2(2)(a)] of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) exclude from the scope of that regulation the tax area of the Member States, including their bilateral agreements on the automatic exchange of information for tax purposes concluded with third States? "For its part, the State asks the Court to confirm the first judges in that they held that the processing of personal data in dispute does not fall within the scope of Union law, so as not to be subject to the GDPR in accordance with Article 2, paragraph 2, subparagraph a), of said Community regulation.
The State also criticises the appellants for the failure to intervene on the part of the Luxembourg financial institutions involved in the collection of the data subject to the transfer, the illegality of which is nevertheless asserted by the appellants.
8
2. Analysis of the Court
It is first appropriate to retrace the factual and legal framework of the present dispute.
In this case, the appellants criticise the collection, by the ACD, of data relating to accidental Americans having a bank account with banks established in Luxembourg and the subsequent transfer of this data by the ACD to the American tax authorities. Since the request for erasure, or otherwise limitation of the data collected and cessation of the transfer of this data was submitted to the ACD on 22 December 2020, after Mr (B) was informed in May 2020 by a Luxembourg bank that the collection and transfer of the data would take place from June and September 2020 respectively, it must be held, in the absence of evidence to the contrary, that the collection and transfer in dispute took place at the earliest in 2020, i.e. after 25 May 2018, the date on which the GDPR began to be applicable pursuant to Article 99, paragraph (2) thereof.
Furthermore, it is not disputed that the collection and transfer of the data in dispute were carried out by the ACD pursuant to the law of 24 July 2015, in order to ensure compliance by Luxembourg with the commitments it made when concluding the FATCA agreement.
Indeed, Article 1, paragraph (1) of the law of 24 July 2015 states that:
“The following are approved:
1. the Agreement between the Government of the Grand Duchy of Luxembourg and the Government of the United States of America to improve international tax compliance and relating to the provisions of the United States of America concerning the exchange of information commonly known as the "Foreign Account Tax Compliance Act", including its two annexes and the related "Memorandum of Understanding", signed in Luxembourg on 28 March 2014;
2. the exchange of notes relating thereto, signed on 31 March and 1 April 2015;
hereinafter referred to as "the Agreement". »
However, under Article 2 of the FATCA agreement, entitled "Obligations to Obtain and Exchange Information with Respect to Reportable Accounts", Luxembourg must collect a certain amount of information relating to "reportable US bank accounts" ("U.S. Reportable Accounts"), such as the name, address and US tax identification number of the account holder, the account number and the account balance, and must provide them annually and automatically to the US tax authorities. Article 3, paragraph (3) of the Law of 24 July 2015 specifies that “[t]he Administration des contributions directes and the Luxembourg reporting financial institutions are considered to be the data controllers for the purposes of the amended Law of 2 August 2002 on the protection of individuals with regard to the processing of personal data, each for the processing that it implements”, the aforementioned Law of 2 August 2002 being hereinafter referred to as the “Law of 2 August 2002”. In this case, the appellants contest in substance the legality of the transfer of data to the United States of America (cf. “this transfer of data disregards several key principles of the right to the protection of personal data” in the appellants’ request addressed to the ACD), but not the communication of the same data by the Luxembourg financial institutions to the ACD. However, in view of Article 3, paragraph (3) of the law of 24 July 2015 cited above, it is the ACD, as the author of the said transfer of the data collected to the United States, which is to be considered responsible for this processing.
It is therefore appropriate to dismiss as unfounded the State's criticism relating to the lack of intervention of the Luxembourg financial institutions involved in the collection of the data subject to the transfer, given that the processing of personal data carried out by them is not the subject of the appellants' criticisms. It should be added that the State has not ruled on the legal consequences that it intended to attach to this criticism and that in this case, there is in any case no obligation on the administrators to prosecute all those potentially responsible for the violation that they allege. The law of 2 August 2002 transposed Directive 95/46, which has since been repealed and replaced by the GDPR.
The law of 2 August 2002 was repealed by the law of 1 August 2018 on the organisation of the National Commission for Data Protection and implementation of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), amending the Labour Code and the amended law of 25 March 2015 establishing the processing regime and the conditions and arrangements for the advancement of civil servants, hereinafter the "law of 1 August 2018-GDPR".
In addition, the Law of 1 August 2018 on the protection of individuals with regard to the processing of personal data in criminal matters and in matters of national security, hereinafter the “Law of 1 August 2018-criminal matters”, also governs certain aspects of the field of data protection. However, the processing of personal data in dispute by the ACD under the FATCA agreement does not have a repressive purpose and does not fall within the scope of the common foreign and security policy of the European Union. Consequently, the collection and transfer of data in dispute do not fall within the scope of the Law of 1 August 2018-criminal matters. Neither party has raised this question of the applicability or not of the Law of 1 August 2018-criminal matters. Before examining the possible implications of the law of 1 August 2018-GDPR and, more specifically, of its Article 1, paragraph (1), which extends the scope of application of certain rules of the GDPR, it is appropriate first of all to examine the question of the applicability of this Community regulation under its own provisions in order to correctly determine the reference framework against which the legality of the disputed data processing carried out by the ACD should be assessed.
As rightly pointed out by the State party, the question of the impact of Article 2, paragraph 2, sub a), of the GDPR was raised ex officio by the administrative court. In these circumstances, contrary to what the appellants suggest, the fact that the State party is not the initiator of the debate on the consequences of the application of this provision is not relevant. The court in fact raised ex officio the question of the applicability of the GDPR in light of the State’s plea relating to the inadmissibility of the action brought by the (AA) based on Articles 79 and 80(1) of the GDPR. The court held in essence that the processing of personal data in dispute does not fall within the scope of Union law due to the applicability of the exclusion provided for in Article 2(2)(a) of the GDPR, meaning that the said Community regulation would not be applicable. It based this analysis essentially on the consideration that the said processing is based on a bilateral international convention concluded between the United States of America and the Grand Duchy of Luxembourg, and relating to an automatic exchange of information by financial institutions for tax purposes, which does not constitute a matter falling, in general, under Community law. Still relying on recital 16 of the GDPR, he concluded that the reference to activities relating to national security, the foreign policy of the Member States and the common security policy of the Union would be a non-exhaustive list of examples of areas in which the GDPR is not applicable and that the aforementioned judgment of the CJEU of 22 June 2021, limited to the category of activities aimed at preserving national security, would not call into question his conclusion that the GDPR is inapplicable in this case.
Article 2(2)(a) of the GDPR provides that:
“This Regulation [the GDPR] shall not apply to the processing of personal data carried out: (a) in the context of an activity which falls outside the scope of Union law”.
In light of the case-law of the CJEU, the Court is forced to note that, contrary to what the court seems to suggest, Article 2, paragraph 2, subparagraph a), of the GDPR does not mean that for the processing of personal data to be covered by this regulation, the controller would have to carry out said processing on the basis of a provision of European Union law. Thus, by way of illustration, in the judgment of 16 July 2020 (Case C-311/18, Facebook Ireland and Schrems, known as the Schrems II judgment), the data processing at issue, namely the transfer of personal data carried out for commercial purposes by an economic operator established in a Member State to another economic operator established in a third country, had taken place due, in essence, to the Facebook group’s desire to adopt a business model involving such a transfer, since, as explained by the CJEU in recital 51 of its judgment, ‘[a]ny person residing in the territory of the Union and wishing to use Facebook [was] required to conclude, when registering, a contract with Facebook Ireland, a subsidiary of Facebook Inc., itself established in the United States.’ The personal data of Facebook users residing in the territory of the Union [were], in whole or in part, transferred to servers belonging to Facebook Inc., located in the territory of the United States, where they [were] processed.
Then, in the aforementioned case B v. Latvijas Republikas Saeima, the processing of information relating to penalty points imposed on vehicle drivers was at issue, carried out pursuant to the Latvian Road Traffic Act and a Latvian Ministerial Decree on the rules for implementing the penalty points system.
In judgment C-306/21 of 20 October 2022, Koalitsia “Demokratichna Bulgaria – Obedinenie”, video recordings had been made in the context of an electoral process on the basis of instructions issued by the Bulgarian equivalent of the CNPD and by the Bulgarian Central Election Commission.
Finally, in judgment C-33/20 of 16 January 2024, Österreichische Datenschutzbehörde v. WK, the data processing in question consisted of the non-anonymised publication on the Austrian Parliament’s website of the minutes of a hearing held as part of an investigation by a committee set up under Austrian Federal Constitutional Law to shed light on the existence of possible political influence on the Bundesamt für Verfassungsschutz und Terrorismusbekämpfung.
11
In these four cases, the data processing in question had therefore not taken place under primary European Union law, a European regulation or national provisions transposing a European directive. However, in these four cases, the CJEU held in the following terms that the exception provided for in Article 2(2)(a) of the GDPR was not applicable, so that the processing of personal data at issue did indeed fall within the scope of the GDPR:
- “(…) Article 2(1) and (2) of the GDPR must be interpreted as meaning that a transfer of personal data carried out for commercial purposes by an economic operator established in a Member State to another economic operator established in a third country falls within the scope of that regulation, notwithstanding the fact that, during or following that transfer, those data may be processed by the authorities of the third country concerned for purposes of public security, defence or state security” (judgment cited above in Facebook Ireland and Schrems, paragraph 89);
- "(…) Article 2(2)(a) and (b) of the GDPR is partly a continuation of Article 3(2), first indent, of Directive 95/46. It follows that Article 2(2)(a) and (b) of the GDPR cannot be interpreted as having a broader scope than the exception arising from Article 3(2), first indent of Directive 95/46, which already excluded from the scope of that directive, in particular, the processing of personal data taking place in the context of "activities which do not fall within the scope of Community law, such as those provided for in Titles V and VI of the [EU] Treaty, in its version prior to the Treaty of Lisbon, and, in any event, [processing] carried out for the purposes of public security, defence, State security [...]". 65. However, as the Court has repeatedly held, only the processing of personal data carried out in the context of an activity specific to States or State authorities and expressly mentioned in Article 3(2), or in the context of an activity which could be placed in the same category, was excluded from the scope of that directive (see, to that effect, judgments of 6 November 2003, Lindqvist, C‑101/01, EU:C:2003:596, paragraphs 42 to 44; of 27 September 2017, Puškár, C‑73/16, EU:C:2017:725, paragraphs 36 and 37; and of 10 July 2018, Jehovan todistajat, C‑25/17, EU:C:2018:551, paragraph 38). 66. It follows that Article 2(2)(a) of the GDPR, read in the light of recital 16 of that regulation, must be regarded as having the sole purpose of excluding from the scope of that regulation the processing of personal data carried out by State authorities in the context of an activity aimed at safeguarding national security or an activity which may be classified in the same category, so that the mere fact that an activity is specific to the State or to a public authority is not sufficient for that exception to be automatically applicable to such an activity (see, to that effect, judgment of 9 July 2020, Land Hessen, C‑272/19, EU:C:2020:535, paragraph 70). 67. The activities aimed at preserving national security referred to in Article 2(2)(a) of the GDPR cover, in particular, as the Advocate General also noted in substance in points 57 and 58 of his
12
Opinion, those aimed at protecting the essential functions of the State and the fundamental interests of society.
68. However, activities relating to road safety do not pursue such an objective and cannot, consequently, be classified in the category of activities aimed at preserving national security, referred to in Article 2(2)(a) of the GDPR. (judgment cited above in B v Latvijas Republikas Saeima, paragraphs 64 to 68);
- “(…) Article 2(2)(a) of the GDPR must be interpreted as meaning that the processing of personal data in the context of the organisation of elections in a Member State is not excluded from the scope of that regulation” (judgment cited above in Koalitsia “Demokratichna Bulgaria – Obedinenie”, paragraph 42); - “(…) Article 2(2)(a) of the GDPR, read in the light of recital 16 thereof, must be interpreted as meaning that the activities of a committee of inquiry set up by the parliament of a Member State in the exercise of its power of control over the executive, the purpose of which is to investigate the activities of a police authority for the protection of the State on the grounds of suspicion of political influence over that authority, cannot be regarded as such as activities relating to national security falling outside the scope of EU law within the meaning of that provision” (judgment cited above in Österreichische Datenschutzbehörde v WK, paragraph 57). It follows from these extracts of the case law that the CJEU intends to limit the scope of the exclusion provided for in Article 2(2)(a) of the GDPR to activities which aim to preserve national security or which can be placed in the same category in that they have as their object the protection of the essential functions of the State and the fundamental interests of society.
The question which therefore arises is whether the activities of the Member States linked to the exercise of their national powers in the matter of fixing and collecting taxes provided for by their internal laws, including the exchange and cooperation measures provided for with a view to the correct collection of taxes and the fight against tax evasion and fraud, fall within this category of activities having as their object the protection of the essential functions of the State and the fundamental interests of society.
However, the applicability of the GDPR to requests for information addressed by the tax administration of a Member State to a third party and the requirements arising therefrom have been the subject of an analysis by the CJEU in the context of a Latvian case concerning a request for information addressed by the Latvian tax administration to an economic operator operating a website for car sales advertisements and seeking to obtain data on all car sales (text of the advertisement, make, model, chassis number and price of the car and telephone number of the seller) for a previous period of one and a half months and for the future monthly without any time limit. In its judgment of 24 February 2022 (Case C-175/20, “SS” SIA v Valsts ieņēmumu dienests), the CJEU rejected the exception provided for in Article 2(2)(d) of the GDPR, according to which the GDPR does not apply to the processing of personal data carried out “by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security”. It considered that the term “competent authority” refers to authorities that are competent in the specific areas listed in point (d) above, but that a national authority that is competent for the collection of taxes and the fight against tax evasion does not fall into this category (paragraphs 43 and 44 of the judgment). Although the CJEU did not expressly examine the applicability of the exception provided for in Article 2(2)(a) of the GDPR relating to the scope of Union law, it nevertheless confirmed the applicability of the GDPR to a tax administration of a Member State, more particularly with regard to the request by it of personal data from an economic operator which constitutes a process of “collection” of such data within the meaning of Article 4(2) of the GDPR, meaning that it must comply, in particular, with the principles relating to the processing of personal data set out in Article 5 of that regulation. The Court concludes that the case-law of the CJEU clearly suggests that the exception provided for in Article 2(2)(a) of the GDPR does not apply to the activity of Member States falling within the exercise of their national powers in the area of national taxes not harmonised at European level and not falling directly within the competence of the European Union. It should be added that the French Council of State, also referred to by the (AA) with a view to ruling on the validity of the processing of personal data carried out by the French tax authorities under the French equivalents of the FATCA agreement and the law of 24 July 2015, concluded in a judgment of 19 July 2019 (no. 424216) that the disputed processing fell within the scope of the GDPR and examined the compatibility of the French equivalent of the FATCA agreement with several provisions of the GDPR.
Furthermore, the Luxembourg Court of Appeal, in a judgment of 6 December 2023 (No. 141/23-II-CIV, number CAL-2021-00650 of the list), applied the provisions of the GDPR in a case concerning the transmission to the American authorities, by a Swiss bank, of banking data relating to a natural person who had opened accounts with the Luxembourg branch of this Swiss bank.
Finally, reference is made to a recent judgment of the German Bundesfinanzhof of 13 August 2024 (No. IX R 6/23) which also confirmed the applicability of the GDPR to an investigative measure of the German tax administration which required a taxpayer to provide the lease agreements relating to its real estate rental activity and which dismissed on the merits the taxpayer's arguments relating to non-compliance with various provisions of the GDPR.
The Court concludes that the analysis of all this case law clearly allows us to conclude that none of the exceptions provided for in Article 2, paragraph 2, of the GDPR applies to the data processing operations at issue in this case, which fall within the exercise by the Member States of their powers in matters of taxation and, more particularly, in matters of mutual cooperation in matters of taxation through the automatic exchange of information. Therefore, even if Article 267(3) of the Treaty on the Functioning of the European Union (TFEU) establishes the principle that a court of last instance must refer a question of interpretation of EU law raised before it to the CJEU for a preliminary ruling, the Court considers that, in accordance with the principles set out in the judgments of the CJEU of 6 October 1982 (Case C-283/81, CILFIT) and 6 October 2021 (Case C-561/19, Consorzio Italian Management and Catania Multiservizi SpA v. Rete Ferroviaria Italiana SpA, also known as the CILFIT II judgment), it is entitled to accept that the existing interpretation of the CJEU allows it to be concluded without reasonable doubt that the GDPR must apply to the processing of personal data at issue in the present case, without it being required to
14
request the CJEU to rule on this question for a preliminary ruling. There is therefore no need to submit to the CJEU the preliminary question proposed by the appellants.
It follows that the trial judges were wrong to conclude that the exception provided for in Article 2(2)(a) of the GDPR applied in this case and to dismiss the appeal under review on the basis of that analysis alone.
To the extent that, in adopting that conclusion, the trial judges nevertheless ruled on the substance of the dispute and that the Court is therefore seised of the entire dispute due to the devolutive effect of the appeal, it is necessary to further examine the other substantive grounds put forward by the parties in the appeal proceedings.
D. As for the application of Article 96 of the GDPR
As part of its examination of the various arguments of the parties following a good administration of justice and the useful effect resulting therefrom, it is appropriate to proceed at this stage to the analysis of the arguments of the parties relating to the impact of Article 96 of the GDPR. The latter constitutes a specific provision targeting international agreements concluded by the Member States before the entry into force of the GDPR and which they intend to continue to implement. 1. Arguments of the parties
According to the appellants, insofar as the State party relies on Article 96 of the GDPR, it would be for it to prove the conformity of the FATCA agreement with EU law as it was applicable before 24 May 2016. In any event, the transfer of data in the context of the FATCA agreement would undoubtedly constitute a violation of EU law applicable before 24 May 2016 and, more specifically, of Directive 95/46.
In this context, the appellants emphasise that in two letters addressed in 2012 to the Director-General of the Taxation and Customs Union Directorate of the European Commission, the Article 29 Working Party, the predecessor of the European Data Protection Board, expressed numerous doubts as to the compatibility of the FATCA agreement with Directive 95/46. Subsequently, in 2017, the European Data Protection Board itself invited Member States to assess and, where appropriate, review their international agreements – in particular national agreements corresponding to the FATCA agreement – in the light of legal and jurisprudential developments in the field of European law on the protection of personal data, and taking into account its Guidelines 2/2020 relating to Article 46(2)(a) and (3)(b) of Regulation (EU) 2016/679 for transfers of personal data, adopted on 15 December 2020, hereinafter “Guidelines 2/2020”. The appellants then put forward several arguments to demonstrate that the transfer of personal data to the US tax authorities under the FATCA agreement would not be lawful, in particular because of the violation of several provisions of Directive 95/46 – assuming that the latter is the reference standard due to the application of Article 96 of the GDPR –, if not of the provisions of the GDPR itself.
For its part, the State points out that the FATCA agreement predates 24 May 2016, so that under Article 96 of the GDPR, it would be the EU law applicable before that date that would have to be taken into account. The State also emphasises that Article 96 of the GDPR provides that international agreements concluded remain in force and considers that assessing
15
the FATCA agreement in light of the provisions of the GDPR would deprive Article 96 of the GDPR of all its substance.
The applicable EU law before 24 May 2016 would be Directive 95/46 transposed into national law by the law of 2 August 2002, so that the FATCA agreement should be assessed in the light of that law.
2. Analysis of the Court
The Court recalls that under Article 96 of the GDPR: "International agreements involving the transfer of personal data to third countries or to international organisations which were concluded by Member States before 24 May 2016 and which comply with EU law as applicable before that date shall remain in force until they are amended, replaced or revoked".
Consequently, it is appropriate to reject from the outset the State’s argument that the FATCA agreement should be assessed in relation to the law transposing Directive 95/46, namely the law of 2 August 2002. In any event, such an assessment would not be necessary, since, due to the principle of primacy of international law over national law recognised in Luxembourg law, in the event of a conflict between the provisions of an international treaty and those of a national law, even a subsequent one, the international standard should prevail over the national standard. Consequently, in the event of a conflict between the FATCA agreement and the law of 2 August 2002, it would be the FATCA agreement that would prevail. The Court then notes that the appellants have formulated in the operative part of their application for appeal two preliminary questions concerning Article 96 of the GDPR (grouped under question No. 2, according to the numbering appearing in the operative part of their reply), without the relevance of these questions being demonstrated in any way in the body of the application for appeal and the reply. These two questions are formulated as follows:
“Is Article 96 of the [GDPR], taken alone or read in conjunction with Article 4, paragraph 3 of the Treaty on European Union and/or Article 351 of the Treaty on the Functioning of the European Union, [must] be interpreted as meaning that Member States have an obligation to use their best efforts to amend, replace or revoke international treaties to which they are party which do not comply with the provisions of that regulation?
If so, can a Member State which in 2023 has not used its best efforts to amend, replace or revoke an international treaty to which it is a party, which does not comply with the provisions of the [GDPR], rely on Article 96 of that regulation to justify conduct incompatible with that regulation? » The Court notes that while, according to the aforementioned CILFIT judgment of the CJEU, “a court or tribunal against whose decisions there is no judicial remedy under domestic law is required, when a question of Community law arises before it, to comply with its obligation to refer the matter to the Court, unless it has found that the question raised is not relevant (…)”, the Court nevertheless finds that the questions suggested by the appellants are not necessary for the resolution of the present dispute. Indeed, the Court recalls that it is seized of an action for annulment directed against an administrative act – the decision of the Director of 22 March 2021 –, which implies, firstly, that it has to judge an act and not, as the two questions mentioned above suggest, the conduct of the State and, secondly, that it has to carry out its analysis by placing itself at the time of
16
the adoption of the act, so that the conduct of the State in 2023 is a priori completely irrelevant in the present case.
Consequently, the two questions set out under No. 2 of the operative part of the reply must be dismissed as irrelevant.
The appellants have formulated other preliminary questions in relation to Article 96 of the GDPR, but these do not concern the interpretation of Article 96 itself. Indeed, they simply refer to that article to say that if it were applicable, then the said questions would also have to be answered in the light of certain provisions of Directive 95/46. Those questions are therefore also not relevant in the context of the present examination.
The provision of Article 96 of the GDPR constitutes in substance a transitional provision that allows Member States to continue to apply international agreements that provide for transfers of protected personal data to third countries and that they had concluded before 24 May 2016, the date of entry into force of the GDPR, even if the terms agreed in these agreements do not correspond to the standards set by the GDPR, in order to avoid the continued execution of said agreements coming up against new or more stringent requirements of the new Community regulation. The exemption from compliance with the GDPR permitted by this provision is nevertheless conditioned by compliance with “Union law as it [was] applicable before [24 May 2016]”, i.e. the standards applicable before 24 May 2016. Furthermore, this exemption is only intended to continue until the amendment, replacement or revocation of these previous international agreements. This concept necessarily refers to Directive 95/46 as the reference standard in the field of personal data protection that preceded the GDPR, since the latter specifically repealed it with effect from 25 May 2018 through its Article 94.
Since the FATCA agreement was signed on 28 March 2014 and approved by the law of 24 July 2015, it was concluded before the entry into force of the GDPR and therefore falls within the scope of Article 96 of the GDPR. Consequently, the legality of the directorial decision of 22 March 2021 refusing to stop the transfers of personal data provided by Luxembourg financial institutions through the automatic exchange of information to the US tax administration in execution of the FATCA agreement must be examined exclusively in relation to the provisions of Directive 95/46, maintained in force as a reference framework to this extent, no amendment or revocation of the FATCA agreement having been invoked in question.
It follows that all the parties' arguments and developments based solely on the substantive provisions of the GDPR must be dismissed as not being relevant. Still within the framework of its examination of the various arguments of the parties following a good administration of justice and the useful effect resulting therefrom, it is appropriate to proceed subsequently to the examination of the arguments of the parties linked to Articles 25 and 26 of Directive 95/46, in view of the finding that the automatic exchange of information provided for by the FATCA agreement constitutes a transfer of personal data to a third State, so as to be governed by these specific provisions, included in Chapter IV of Directive 95/46, entitled "transfer of personal data to third countries". 17
E. As to the alleged violation of Articles 25 and 26 of Directive 95/46
1. Grounds of appeal of the parties
According to the appellants, both Article 25(1) of Directive 95/46 and Article 45 of the GDPR provided that a transfer of personal data outside the European Economic Area could only take place if the country of the data importer ensured a level of protection equivalent to that provided by the European Union and provided that the European Commission had taken an adequacy decision relating to that country. However, no such adequacy decision exists for the United States and it is apparent from the aforementioned Schrems II judgment of the CJEU that the level of protection offered by the internal regulations in the United States did not meet the requirements of EU law.
It would therefore be up to the controller and the recipient to ensure, by appropriate safeguards and effective measures, the level of protection required by EU law. In order for the ACD to be able to transfer personal data to the US tax authorities, it would have had to provide appropriate safeguards either in the FATCA agreement or in “another administrative arrangement” under the supervision of the CNPD. Such safeguards would be lacking, because the FATCA agreement would merely refer to a few measures provided for by the 1996 Double Taxation Convention concluded between the United States of America and the Grand Duchy of Luxembourg as amended by a 2009 protocol. However, these measures would aim to circumscribe the purposes of the use of the information exchanged and to ensure its confidentiality, but would be far from representing appropriate safeguards. For example, they would not provide any guarantees regarding the retention of data (including a retention period and a deletion and anonymisation mechanism), the exercise of the rights of data subjects (including the right to an effective remedy), the establishment of a procedure in the event of a data breach and technical or organisational measures, or the possibility of control against the recipient. Furthermore, for the purposes of analysing the situation in relation to Directive 95/46, the appellants point out that, pursuant to Article 26(2) of Directive 95/46 and Article 19(3) of the Law of 2 August 2002, the ACD should have previously obtained authorisation from the CNPD, on the basis of a duly substantiated request, to carry out data transfers under the FATCA agreement, authorisation which would only be granted ‘where the controller offers sufficient guarantees with regard to the protection of privacy and the fundamental rights and freedoms of the persons concerned, as well as the exercise of the corresponding rights’. However, such authorisation was never issued by the CNPD. The latter would not even have been consulted during the negotiation of the FATCA agreement and would therefore not have been able at any time to "validly decide" on the compatibility of the FATCA agreement with data protection law as applicable in Luxembourg before 24 May 2016.
Since it was unable to justify the transfer of the disputed data on the basis of Article 26, paragraph (2) of Directive 95/46, the State would still only have been able to attempt to invoke, among the exceptional situations within the meaning of Article 26, paragraph 1 of Directive 95/46, that of the transfer "necessary for important reasons of public interest", but as the European Data Protection Board clarified in its Guidelines 2/2020, recourse to this exception would not lend itself to large-scale data transfers, such as those provided for by the FATCA agreement. Furthermore, according to the appellants, the exemption relating to the existence of a “public interest” would contain a requirement of reciprocity, which should moreover be equivalent and effective, but which, in this case, would be lacking, since even if the FATCA agreement formally provides for reciprocity in the obligations to exchange information, this agreement would only benefit the United States of America. However,
18
in the absence of reciprocity in practice – an element which was notably criticised in a letter sent in December 2019 by the Finnish Presidency of the Council of the European Union to the US Minister of Finance, and which was recognised on 7 April 2022 by the Commissioner at the head of the US tax administration, during a hearing before the US Senate – the FATCA agreement would only benefit the United States, so that the public interest criterion would not be met in this case. In conclusion, the disputed data transfer would have no legal basis with regard to Articles 25 and 26 of Directive 95/46. In case of doubt on this point, the appellants ask the Court to refer the following question to the CJEU for a preliminary ruling:
“Can national legislation approving an international agreement between a Member State and the United States of America within the framework of the provisions of the latter [sic] concerning the exchange of information under the American Foreign Account Tax Compliance Act, such as the Luxembourg law of 24 July 2015 on FATCA, under which the tax authority of that Member State is obliged to automatically communicate personal data of individuals in relation to financial accounts held directly or indirectly by US citizens and persons residing in the United States with a financial institution in that Member State, establish a “public interest” within the meaning of Article 49(1)(d) of the [GDPR], or even Article 26(1)(d) of [Directive 95/46] (taking into account the possible application of Article 96 of the [GDPR]), it being understood that the United States does not guarantee effective reciprocity and that the US tax authority does not provide the tax authority of the Member State in question with the same types of data in relation to accounts held by citizens and residents of that Member State with financial institutions in the United States? »
For its part, the State concedes that certain guiding principles applicable to data protection, such as the lawfulness of processing, legitimacy, proportionality, purpose and rights of appeal, are provided for in both the Law of 2 August 2002 and the GDPR, but argues that the scope of certain articles is not exactly the same and that obligations such as the obligation to carry out an impact assessment, established in Articles 35 et seq. of the GDPR, do not exist, either in Directive 95/46 or in the Law of 2 August 2002. Furthermore, while the latter two provisions require an adequate level of protection, the rules relating to adequacy decisions and those applicable to data transfers with third countries set out in the GDPR differ from those provided for in Article 18, paragraph (3) of the Law of 2 August 2002. In this context, the State insists on the fact that, contrary to According to the appellants, Article 26(1)(d) of Directive 95/46, transposed by Article 19 of the Law of 2 August 2002, does not provide for any reciprocity. Even assuming that the reciprocal nature of the processing is relevant, this nature would be apparent from Article 3(1) of the Law of 24 July 2015, concerning the processing of information to be communicated to the United States of America or received from them. Furthermore, the CNPD played a much more active role under the Law of 2 August 2002.
The State further argues that the law of 2 August 2002 does not contain the obligations provided for by Article 46, paragraphs 2 and 3, of the GDPR concerning the transfer of data to third countries and the appellants’ argument based on the invalidation by the CJEU of the “privacy shield”, in the aforementioned Schrems II judgment, is not relevant, since the present case does not concern the execution of contractual clauses towards American companies.
19
The State further emphasises, with regard to the public interest referred to in Article 26, paragraph 1, subparagraph d), of Directive 95/46, that the CJEU has recognised the fight against international tax fraud and evasion as an objective of general interest recognised by the European Union.
Stating that at first instance, the preliminary questions suggested by the appellants would have focused solely on the GDPR, so that on appeal, by adding the provisions of Directive 95/46 that they considered similar, the appellants would have “changed their approach”, the State further suggests that “this [would] not be contextually possible”, due to the divergences between the GDPR and Directive 95/46.
2. Analysis of the Court
Article 25 of Directive 95/46 provides in its paragraphs 1 and 2 as follows:
“1. Member States shall provide that the transfer to a third country of personal data which are being processed, or which are to be processed after their transfer, may take place only if, subject to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection.
2. The adequacy of the level of protection offered by a third country shall be assessed in the light of all the circumstances relating to a transfer or category of transfers of data; in particular, the nature of the data, the purpose and duration of the processing operations envisaged, the countries of origin and final destination, the general or sectoral legal rules in force in the third country in question, as well as the professional rules and security measures complied with there shall be taken into account." This framework must be supplemented by the provisions of paragraphs (2) to (4) of Article 18 of the Law of 2 August 2002, which are as follows:
“(2) The adequacy of the level of protection offered by a third country must be assessed by the data controller in the light of all the circumstances relating to a transfer or category of data transfers, in particular the nature of the data, the purpose and duration of the intended processing, the country of origin and the country of final destination, the general and sectoral legal rules in force in the country in question, as well as the professional rules and security measures complied with there.
(3) In case of doubt, the data controller shall immediately inform the National Commission, which shall assess whether a third country ensures an adequate level of protection. The National Commission shall notify the European Commission in accordance with Article 20 of the cases in which it considers that the third country does not ensure an adequate level of protection.
(4) Where the European Commission or the National Commission finds that a third country does not have an adequate level of protection, any transfer of data to that country is prohibited." In light of these provisions, the appellants rightly argue that the ACD, in its capacity as controller of the personal data collected from Luxembourg financial institutions in execution of the FATCA agreement conferred on it by Article 3, paragraph (3) of the Law of 24 July 2015, was required to examine the question of the adequacy of the level of protection offered by the United States, in light of the criteria provided for in Article 25, paragraph 2, of Directive 95/46 and repeated by Article 18, paragraph (2) of the Law of 2 August 2002, before beginning its implementation through the execution of the first transfer of the data collected to the American tax authorities. However, it appears from a publication appearing in Mémorial A No. 156 of 10 August 2015 (p. 3796) that “[t]he conditions required for the entry into force of the Agreement and exchanges of notes referred to above [exchange of notes relating to the FATCA agreement, signed on 31 March and 1 April 2015] having been met on 29 July 2015, the said Acts entered into force with respect to the two Contracting Parties on 29 July 2015, in accordance with Article 10 of the Agreement.” It would therefore appear that as early as 29 July 2015, the State had sufficient evidence to conclude that there were sufficient guarantees in the United States of America to ensure that the personal data exchanged remained confidential, were used only for tax purposes and were processed through infrastructures ensuring such confidentiality. However, in this case, the State has not provided any evidence regarding its analysis made at the time in this regard.
It is also pertinent that the appellants argue that following the conclusions of the CJEU in its Schrems II judgment concerning the protection granted to personal data by the American legal system, the ACD should have doubted the reality of adequate protection, in accordance with Article 25(2) of Directive 95/46, granted to the personal data of natural persons communicated in execution of the FATCA agreement. Consequently, it should have referred the question of whether the United States could still be considered a third country ensuring an adequate level of protection to the CNPD. However, there is no evidence in the file - and the State does not support this - that the ACD complied with this legal obligation to refer the matter to the CNPD, it being specified that this obligation cannot be dismissed as being provided for by a simple national law which cannot affect the execution of an international convention in view of the provision of these obligations by Articles 25 and 28 of Directive 95/46, the latter article defining the powers with which a national supervisory authority must necessarily be provided. In order to counter this a priori conclusion of a failure to comply with Directive 95/46 and the Law of 2 August 2002 which could affect the legality of the directorial decision of 22 March 2021, the State invokes Article 26, paragraph 1, point d), of Directive 95/46 which is as follows:
"1. By way of derogation from Article 25 and subject to contrary provisions of their national law governing specific cases, Member States shall provide that a transfer of personal data to a third country which does not ensure an adequate level of protection within the meaning of Article 25 paragraph 2 may be carried out, provided that: (…)
(d) the transfer is necessary or legally required for the protection of an important public interest, or for the establishment, exercise or defence of legal claims".
Article 19, paragraph (1), point (d), of the Law of 2 August 2002 uses exactly the same wording.
Article 26, paragraph 1, point (d), of Directive 95/46 therefore authorises Member States to provide for or authorise transfers of personal data to a third country even if the legal system of the latter does not ensure an adequate level of protection, in particular where the Member State concerned needs to safeguard an ‘important public interest’.
21
This provision must be understood as granting Member States a certain discretion as to the content of the concept of ‘important public interest’ that they intend to safeguard through transfers of personal data to a third country that does not guarantee an adequate level of protection, given that the interests that deserve to be safeguarded are not necessarily entirely the same for all Member States.
In general, the State rightly argues that the CJEU qualifies the fight against aggressive tax planning and the prevention of the risks of tax evasion and fraud as objectives of general interest recognised by the Union which allow limitations to the exercise of rights guaranteed by the Charter of Fundamental Rights of the European Union (see CJEU 8 December 2022, case C-694/20, Orde van Vlaamse Balies e.a.; CJEU 29 July 2024, case C-623/22, Belgian Association of Tax Lawyers).
However, as is clear from the preamble to the FATCA agreement, the automatic exchanges of information under its provisions are part of this aim of improving compliance with tax laws, an aim that Luxembourg declares to support by signing this agreement, and the international coordination of reporting obligations relating to financial assets for tax purposes.
It follows that the implementation of the FATCA agreement is a priori likely to be provided for the protection of an important public interest.
The appellants, however, contest this analysis by referring first to Guidelines 2/2020 of the European Data Protection Board and to the analysis made therein according to which the derogating provisions should be interpreted restrictively and would mainly concern occasional and non-repetitive processing activities, but cannot justify large-scale data transfers, such as those provided for by the FATCA agreement.
However, such a restriction does not emerge either from the wording of Article 26(1)(d) of Directive 95/46 or from the relevant recitals of Directive 95/46. Although the Committee is certainly recognised as having a certain role with a view to the uniform application of Directive 95/46 and subsequently of the GDPR by all Member States, its analyses made in guidelines have no binding effect.
Still in the context of the interpretation of the concept of "important public interest" contained in Article 26(1)(d) of Directive 95/46, the appellants then put forward the existence of a requirement of equivalent and effective reciprocity in the information exchange obligations, which is lacking, since even if the FATCA agreement formally provided for reciprocity, this agreement would only benefit the United States of America. It is certainly true that the documents relied on in support of this argument by the appellants, including in particular a study published in 2018 by the Policy Department for Citizens’ Rights and Constitutional Affairs of the European Parliament, a letter of 3 December 2019 addressed to the US tax authorities by the Finnish Minister of Finance on behalf of the Member States of the European Union, under the Finnish Presidency of the Council of the European Union, and a document published by the OECD Global Forum on Transparency and Exchange of Information for Tax Purposes, entitled “Automatic Exchange of Information (AEOI): Status of Commitments” and up to date as of 23 April 2024, provide a certain body of evidence concerning the absence of effective reciprocity in the implementation of the FATCA agreement, with reciprocity appearing to be confined to a theoretical level, through the taking of political commitments by the United States of America which have yet to be translated into the adoption of legally binding standards.
However, here again, it is clear that such a requirement for equivalent and effective reciprocity does not emerge either from the wording of Article 26(1)(d) of Directive 95/46 or from the relevant recitals of Directive 95/46. While the claim in substance that the transfer of personal financial data of American nationals, collected by European financial institutions, to the American tax administration under FATCA agreements concluded by the Member States of the European Union under a regime derogating from Directive 95/46 or the GDPR has as a counterpart an equivalent transfer of the same data, collected from American financial institutions, concerning nationals or residents of the Member States by the American tax administration to the tax authorities of the Member States certainly corresponds to a logic of equivalent cooperation with a view to the common fight against tax evasion, this question of reciprocity is situated at a political level, or even of public international law, but not at the level of the interpretation of a regulation of Community law. It should be added that, in view of the necessary discretion granted to Member States as to the content of the concept of “important public interest” that they intend to safeguard through transfers of personal data to a third country that does not guarantee an adequate level of protection, it must be admitted that, in view of the importance of the Luxembourg financial sector for the national economy and public finances, even in the absence of an effective and equivalent exchange of financial data provided by the American tax administration, the purpose, mentioned in principle in the documents cited by the appellants and referred to above, of guaranteeing Luxembourg financial institutions, obliged by this American law to provide their customers’ personal data, legal certainty in the implementation of the FATCA regime and of preventing the application to them of the penalty of the 30% withholding tax provided for by American law with regard to any payment to a foreign financial institution that does not provide this data, must be considered as corresponding to an “important public interest” public interest” within the meaning of Article 26(1)(d) of Directive 95/46.
In the light of these developments, the Court considers that the implementation of the FATCA agreement and the Law of 24 July 2015 by the ACD is legitimised by the derogation provision of Article 26(1)(d) of Directive 95/46, although the transfer of personal financial data of US nationals collected from national financial institutions to the US tax authorities is carried out without any guarantee that the United States will provide the personal data received with an adequate level of protection, within the meaning of Article 25(1) of Directive 95/46. The appellants’ arguments to the contrary must therefore be dismissed.
In view of the exemption from compliance with the principles and substantive rules laid down in Directive 95/46 resulting from this derogation, there is no longer any need to examine the appellants’ relevant pleas.
The Court further considers that even if Article 267(3) TFEU establishes the principle that a court of last instance must refer a question of interpretation of EU law raised before it to the CJEU for a preliminary ruling, it is entitled to accept, in accordance with the principles adopted in the CILFIT and CILFIT II judgments, that the above analysis allows it to conclude beyond reasonable doubt that Article 26(1)(d) of Directive 95/46 applies in the present case, so that it is not required to request the CJEU to give a preliminary ruling on that question. The questions referred for a preliminary ruling by the appellants must therefore be dismissed.
23
F. As to the alleged violation of the Constitution
The Court notes that in the operative part of their appeal application and their reply, the appellants ask it to refer the following question to the Constitutional Court:
“Does the processing of personal data under the FATCA Agreement violate [sic] Article 11(3) of the Constitution (in its version of 1 July 2023 and in its equivalent provision in force after that date), in particular in view of its disproportionate nature?”.
The appellants do not develop any arguments in support of this request, merely alleging that the court wrongly refused to find that there had been a violation of Article 11, paragraph (3), of the Constitution in its numbering prior to 1 July 2023 and of the corresponding provision of the revised Constitution.
The Court notes that the court indicated that it "cannot take a position on such a merely suggested argument, since the applicants have failed to specify how the said article was allegedly violated in this case, while their legal argument focuses, in their appeal, on violations of the GDPR, respectively, in their reply on the GDPR, respectively the corresponding articles of Directive 95/46/EC, as well as the law of 2 August 2022, without said documents containing any detailed explanation concerning a possible violation of the aforementioned constitutional provision, it being further recalled in this regard that it is not for the court to make up for the applicants' failure to present their arguments and to seek itself the legal arguments that could have been the basis of their conclusions". However, the appellants do not provide any evidence to contradict this analysis. Furthermore, it is appropriate to recall the principle of primacy of international law, according to which an international treaty – in this case, the FATCA agreement –, incorporated into domestic legislation by an approving law – in this case, the law of 24 July 2015 – is a law of superior essence having a higher origin than the will of an internal body (Adm. Court, 11 December 1997, nos. 9805C and 10191C, Pas. adm. 2023, V° Lois et règles, no. 80 and the other references cited therein). Consequently, in the event of a conflict between the provisions of an international treaty and those of a national law, even a later one and even if it were the Constitution, international law must prevail over national law. In other words, given the principle of primacy of international law, the question of constitutionality raised by the appellants is in any case not relevant to resolving the present dispute. It follows that the Court is not required to refer the said preliminary question to the Constitutional Court.
G. Conclusion
It follows from all of the foregoing developments that the Director was right to reject in his decision under appeal of 22 March 2021 the appellants' request to immediately stop the exchange of information between the ACD and the US tax authorities taking place each year on the basis of the FATCA agreement. It was therefore also right that the trial judges dismissed the appellants' contentious appeal against this decision as not being justified, although the judgment a quo should be confirmed for different reasons. 24
The appellants also request the allocation of a procedural allowance of EUR 5,000 for the first instance, by reforming the judgment appealed, and a procedural allowance of EUR 5,000 for the appeal instance, relying on the clear contradiction of the directorial decision of 22 March 2021 with the GDPR and the Luxembourg Constitution.
In view of the above analysis of the appellants' arguments and the solution on the merits, it does not appear from the elements of the file in what way it would be unfair to leave the appellants to bear the costs not included in the costs, so that this double request must be dismissed in its entirety.
Consequently, the appeal under examination is liable to be dismissed. FOR THESE REASONS
the Administrative Court, ruling with respect to all the parties involved,
admits the appeal on the grounds of form,
on the merits, dismisses it as unfounded,
therefore, confirms the judgment appealed, albeit for partially different reasons,
rejects the appellants’ request for the allocation of procedural compensation of EUR 5,000 for the first instance and EUR 5,000 for the appeal instance,
orders the appellants to pay the costs of the appeal instance.
Thus deliberated and judged by:
Henri CAMPILL, Vice-President,
Serge SCHROEDER, First Counsellor,
Annick BRAUN, Counsellor,
and read by the Vice-President at the public hearing of 12 December 2024 at the ordinary hearing venue of the Court, in the presence of the Court Registrar Jean-Nicolas SCHINTGEN.
s. SCHINTGEN s. CAMPILL
Reproduction certified as true to the original
Luxembourg, 13 December 2024
The Registrar of the Administrative Court
Retrieved from "https://gdprhub.eu/index.php?title=Cour_Administrative_-_49701C&oldid=46437"
Creative Commons Attribution-NonCommercial-ShareAlike
Powered by MediaWiki