Navigating GDPR Compliance After BDPA’s FATCA Ruling – 29 April 2025


On 24 April 2025, the Belgian Data Protection Authority’s Litigation Chamber issued Decision 79/2025, declaring that the automatic transfer of personal data by the Service Public Fédéral Finances to the United States Internal Revenue Service under the FATCA agreement violates the General Data Protection Regulation. This landmark ruling, following a Brussels Court of Appeal remand, underscores the primacy of data protection law over international agreements and offers critical lessons for businesses handling cross-border data transfers. This legal insight of Allegiance Law breaks down the decision’s implications and provides actionable strategies for ensuring General Data Protection Regulation compliance when concluding contracts.

Key Findings of Decision 79/2025

The complaint, filed by an individual and the Accidental Americans Association of Belgium, challenged the Service Public Fédéral Finances’ transfer of personal data—such as names, addresses, tax identification numbers, and financial account details—to the United States Internal Revenue Service. These transfers, mandated by the 2014 FATCA agreement between Belgium and the United States, aim to combat tax evasion by United States citizens, including “accidental Americans” with minimal ties to the United States. The Belgian Data Protection Authority found multiple violations of the General Data Protection Regulation, reinforcing the regulation’s stringent requirements for international data transfers. Key findings include:

Inapplicability of Article 96 General Data Protection Regulation

The Service Public Fédéral Finances argued that Article 96 of the General Data Protection Regulation, which allows pre-May 24, 2016, international agreements to remain valid if compliant with prior European Union law (Directive 95/46/EC), shielded the FATCA transfers. The Belgian Data Protection Authority rejected this, ruling that the agreement failed to meet even the earlier directive’s standards, as it lacked a precise purpose and proportionality, necessitating full compliance with the General Data Protection Regulation.

Violation of Core General Data Protection Regulation Principles

The transfers breached several General Data Protection Regulation principles: (i) purpose limitation (Article 5.1.b), because the broad scope of data collected lacked a sufficiently specific purpose tied to tax enforcement; (ii) data minimization (Article 5.1.c), because the systematic, annual transfer of financial data, regardless of tax evasion indicators, was deemed disproportionate; (iii) transparency (Articles 12, 14), because the Service Public Fédéral Finances failed to adequately inform data subjects about the transfers, with its website providing only general, technical information that was neither accessible nor comprehensive; and (iv) accountability (Articles 5.2, 24), because the Service Public Fédéral Finances did not demonstrate proactive compliance, ignoring risks to data subjects’ rights.

Non-Compliance with International Transfer Rules

The transfers lacked appropriate safeguards under Article 46 of the General Data Protection Regulation, as the FATCA agreement did not incorporate protections equivalent to European Union standards. The Belgian Data Protection Authority also dismissed Article 49 derogations (e.g., public interest), citing their inapplicability for systematic transfers. This echoes the Court of Justice of the European Union’s Schrems II ruling, which invalidated the Privacy Shield for insufficient United States data protections.

Failure to Conduct a Data Protection Impact Assessment

Despite the high risks posed by transferring sensitive financial data to a non-European Economic Area country, the Service Public Fédéral Finances did not perform a Data Protection Impact Assessment (Article 35). The Belgian Data Protection Authority deemed this a significant oversight, given the processing’s scale, systematic nature, and potential impact on vulnerable data subjects.

Corrective Measures and Reprimand

The Belgian Data Protection Authority issued a reprimand and ordered the Service Public Fédéral Finances to bring the transfers into General Data Protection Regulation compliance within one year (by April 24, 2026). This includes ensuring proportionality, implementing robust safeguards, providing clear information to data subjects, and conducting a Data Protection Impact Assessment. Notably, the Belgian Data Protection Authority opted against an immediate suspension or prohibition of transfers, citing Belgium’s international obligations, though some argue Schrems II warranted stronger action.

Implications for Businesses

Decision 79/2025 reaffirms that public authorities and businesses cannot rely on international agreements to bypass General Data Protection Regulation obligations, particularly for data transfers to non-European Economic Area countries like the United States. For companies involved in cross-border data sharing—whether with tax authorities, partners, or vendors—this ruling highlights the need for rigorous compliance to avoid legal and reputational risks. The Belgian Data Protection Authority’s emphasis on transparency, proportionality, and impact assessments sets a high bar for all data controllers, especially those handling sensitive financial or personal data.

Allegiance Law’s Practical Tips for Concluding Contracts

To align with Decision 79/2025 and General Data Protection Regulation requirements, Allegiance Law offers the following tips for businesses drafting contracts involving personal data transfers:

  1. Embed General Data Protection Regulation-Compliant Transfer Clauses

Include explicit contractual terms ensuring that any cross-border data transfers comply with Chapter V of the General Data Protection Regulation (Articles 44–50). Specify the use of approved safeguards, such as European Commission Standard Contractual Clauses, and require due diligence to verify the recipient country’s data protection adequacy, avoiding reliance on outdated agreements.

  2. Mandate Transparency Obligations

Incorporate clauses requiring all parties to inform data subjects clearly and accessibly about data processing, including transfers to third countries. Ensure contracts detail who is responsible for providing information under Article 14, covering purposes, recipients, safeguards, and data subject rights, to prevent gaps like those identified in the Service Public Fédéral Finances’ website.

  3. Require Data Protection Impact Assessments for High-Risk Transfers

Stipulate that any party transferring sensitive data (e.g., financial information) to a non-European Economic Area country must conduct a Data Protection Impact Assessment before processing. Contracts should outline timelines and documentation requirements to demonstrate compliance with Article 35, mitigating risks of oversight.

  4. Ensure Proportionality and Minimization in Data Sharing

Draft contracts to limit shared data to what is strictly necessary for the stated purpose. Include terms prohibiting systematic or overly broad transfers, requiring parties to assess whether less intrusive data collection methods can achieve the same goals, aligning with the Belgian Data Protection Authority’s proportionality critique.

Why Allegiance Law?

The Belgian Data Protection Authority’s Decision 79/2025 is a wake-up call for businesses to prioritize General Data Protection Regulation compliance in all data-related operations. Allegiance Law’s expert team specializes in drafting contracts that meet these stringent standards, protecting your business from regulatory scrutiny. Whether you’re navigating international agreements or local data-sharing arrangements, we provide tailored solutions to keep you compliant.


Read the full decision of the Belgian GBA here