Tax Notes logo

Does FATCA Have a General Data Protection Regulation Problem?

Posted on Nov. 30, 2020
Robert Goulder
Robert Goulder

Let’s begin with a simple question: Does the Foreign Account Tax Compliance Act violate the EU’s general data protection regulation (GDPR)? It has proven difficult to get a straightforward answer, despite the efforts of a few taxpayers who are pressing forward with legal challenges. A related question is whether FATCA separately violates the European Convention on Human Rights or the Charter of Fundamental Rights of the European Union. Again, obtaining answers is not easy.

Moreover, the behavior of some EU officials shows them to be keen to avoid such inquiries to the point of engaging in a bit of revisionist history. It’s as if the European Commission is overcome by a surge of anxiety when the words “FATCA” and “GDPR” are used in the same sentence. Too bad for them — the issue isn’t going away.

Readers may recall that I took issue with several aspects of FATCA, particularly in the context of citizenship-based taxation. There’s a good case to be made for a same-country exception.1 FATCA would be far less objectionable if the United States adopted residence-based taxation, like every other country (except Eritrea). To that point, these pages recently ran an insightful piece explaining how the U.S. Treasury Department could effectuate the desired change through the regulatory process, bypassing Congress entirely.2

The focus of this article isn’t Washington, however, but Brussels. It’s understandable that U.S. tax officials would do things to bolster FATCA; it’s their statutory scheme, after all. But why should the commission be similarly invested in upholding the data harvesting regime, to the point of hushing up their initial criticism of its implementation? The European Data Protection Board (EDPB), which is charged with seeing the regulation evenly applied, shows no appetite for challenging FATCA — despite the group’s own guidelines. Meanwhile, the best hope for adversely affected taxpayers lies in getting a proper FATCA challenge before the Court of Justice of the European Union. A CJEU judgment from earlier this year offers hope.3 But that assumes the judges who make up the CJEU aren’t influenced by the commission’s preference for leaving FATCA unscathed.

Whose IGA Should It Have Been?

FATCA was designed to catch U.S. tax cheats, specifically those who conceal wealth in offshore banks. That’s perfectly legitimate. The basic U.S. individual income tax return asks taxpayers to declare whether they have a foreign bank account and to report any related income and gains. But self-reporting only goes so far. The U.S. tax system, as a whole, enjoys high compliance rates because of withholding and third-party reporting. FATCA is best understood as an attempt to extend third-party reporting to financial institutions in other countries.

Foreign banks wouldn’t participate if left to their own commercial instincts. They had to be coerced into doing it by the threat of punitive withholding. The threat was necessary because softer attempts at gaining cooperation — the know-your-customer rules and qualified intermediary regime — were widely disregarded. As far as Congress was concerned, one of the takeaways from the UBS episode was that foreign banks (particularly their private banking units) internally viewed the know-your-customer rules and the QI regime as flimsy, while outwardly claiming to take them seriously.4 There was no way Congress was going to let that lie. Abuse begets reform, as the saying goes. FATCA relies on an intimidating stick, making it a different beast from the OECD’s common reporting standard (CRS), premised on the carrot of reciprocity. CRS wouldn’t exist without FATCA.

It’s worth noting how quickly CRS became the global standard for this type of information exchange. The wide acceptance of CRS shows that the United States was never alone in its concern about taxpayers dabbling in the offshore sector. Although other countries aren’t tasked with citizenship-based taxation, their tax administrators still crave information on overseas accounts. That’s why my principal objection to FATCA is less about the concept of third-party reporting and more about who is deemed a “taxpayer” under the IRC.

The onset of FATCA was soon followed by a wave of bilateral intergovernmental agreements. Each IGA is a pseudo-treaty that provides a legal mechanism for conveying the desired account information from foreign financial institutions to the IRS.5 The U.S. government has more than 100 of these IGAs, most of which were executed in the years just after FATCA went live. That was well before the GDPR came into effect in 2018, but EU law at the time was not silent as to data privacy. The Data Protection Directive (95/46/EC) was already operative and regulated the processing of personal data of individuals located in the European Economic Area.6 These protections apply regardless of the location of the entity handling the data. As such, the directive would apply to the collection, retention, and transmission of account data from non-U.S. banks to the IRS under FATCA.

Were we to go back a decade, we’d see that EU officials were initially concerned by the enactment of FATCA and the hasty development of the IGA network. Brussels was alarmed enough to take up the matter of data protection with their U.S. counterparts on multiple occasions. That was while Lithuania’s Algirdas Šemeta was serving as the EU commissioner for Taxation and Customs Union, Audit and Anti-Fraud.

It’s reasonable to ask why the commission didn’t step in to negotiate a single IGA with the United States. That would have required telling the member states to stand down, but there’s greater bargaining power when the EU negotiates collectively. The result would have been greater insistence that EU data protections be respected, as was then required by the directive and as required by the GDPR. The commission could also have taken the opportunity to demand reciprocity from the United States, allowing European tax administrators to obtain account information about EU residents with money stashed in U.S. banks.

If FATCA was ever going to feature a two-way flow of information, a pan-European IGA was the ideal moment to get it done. That never happened. Šemeta was eventually replaced by Pierre Moscovici, who had negotiated France’s IGA before joining the commission. To have pushed for an EU-wide IGA at that point would have called for Moscovici to trash the deal he had just inked with the United States. The commission’s desire to push back against FATCA faded as of that transition.

Reciprocity faded with it. Instead, we are left with EU officials sending meek letters to Treasury officials inquiring when (meaning “if”) the United States will voluntarily engage in reciprocal data exchange.7 Dream on, mon ami. As things stand, the IRS is obtaining bank data from Europe and the rest of the world while giving up nothing in return. What possible reason does the U.S. government have to trade away its superior position? Some commentators accuse the United States of hypocrisy or of operating as a tax haven for nonresident aliens.8 Nobody in Washington is listening. Ring-fencing is a way of life.

Hear No Evil, See No Evil, Speak No Evil

These days, the commission is quick to remind everyone that direct taxation is an area of national competence. That’s technically true, but the disclaimer sounds like an exercise in saving face. The commission won’t acknowledge its initial objections to FATCA from a decade ago. The disavowal tends to occur when the European Parliament takes up the matter of accidental Americans, which it does from time to time. Unlike the commission and those who fall under its orbit, members of the EP are far more willing to speak openly about the problems with FATCA and the suitability of intervention at the EU level.9 Attorney Filippo Noseda, a partner with Mishcon de Reya LLP, has appeared before the EP Petition Committee and documented these episodes. Noseda also advises accidental Americans who have fallen into the FATCA trap through no fault of their own.

Noseda summarized the commission’s activity on FATCA in a November 10 letter to Dolors Montserrat, the chair of the EP Petition Committee.10 A series of correspondence show the commission was actively discussing the privacy implications of FATCA with U.S. officials as early as December 2010. The dialogue was not among low-level staffers. Šemeta raised the issue directly with then-Treasury Secretary Timothy Geithner and then-IRS Commissioner Douglas Shulman in March 2011.

The primary conclusion of Noseda’s analysis is that the commission has routinely misled the EP about the depth of its involvement and the nature of its initial privacy concerns. Noseda’s secondary conclusion is that the EDPB is displaying fecklessness. The group has been sitting on one of his client’s FATCA grievances for more than a year. One might expect dilatory tactics from courtroom adversaries but not from the bodies charged with safeguarding the legal rights of EU individuals.

The head of the EDPB, Andrea Jelinek, also leads the Austrian data protection authority. The Austrian body recently dismissed a taxpayer’s petition alleging that CRS procedures were in breach of EU data privacy requirements. It concluded that:

Whether the CRS is compatible with the fundamental right to data protection is beyond the remit of the Austrian data protection authority. This is a matter for the [Austrian] Constitutional Court and the CJEU. . . . The Austrian data protection authority cannot bring a case before the Courts because there is no statutory basis for this.11

Noseda argues that that reasoning contradicts the EDPB’s own guidelines.12 He further observes that Brussels has applied “political pressure” to prevent the EDPB from following through on its mission in cases in which FATCA or CRS are involved.13 The claim is based on a working paper issued by the European Council under the German presidency on September 11.14 The document offers a legal assessment for the benefit of member states that reads, in part:

There is, in the context of the GDPR, no reason to object to the automatic exchange of information with third countries. In accordance with Article 49(1)(d) of the GDPR, the automatic exchange of information for tax purposes with third countries is “necessary for important reasons of public interest” because it is a means to combat tax avoidance and tax evasion, safeguarding tax revenues, and promoting fair taxation.

In other words, Brussels has preordained that the GDPR must never apply to FATCA because tax revenues are at stake. That wholly ignores the need for proportionality and seems to disregard CJEU case law. It also neglects challenges based on the European Convention on Human Rights or the Charter of Fundamental Rights of the European Union.

The message is clear: Taxpayers with FATCA problems should not look for support or assistance from the commission or EDPB; they should expect intransigence. Any redress will come through the courts, which I will explore in a future article.


1 See Allison Christians, “Understanding the Accidental American: Tina’s Story,” Tax Notes Int’l, Dec. 7. 2015, p. 833. See also Christians, “Could a Same-Country Exception Help Focus FATCA and FBAR?Tax Notes Int’l, July 9, 2012, p. 157.

2 John Richardson, Karen Alpert, and Laura Snyder, “A Simple Regulatory Fix for Citizenship Taxation,” Tax Notes Int’l, Oct. 12, 2020, p. 247.

3 William Hoke, “Non-FATCA Cases Bolster EU Privacy Challenges to IRS Data Demands,” Tax Notes Federal, Sept. 7, 2020, p. 1911.

4 Robert Goulder, “FATCA Turns 10 . . . And Europe Still Hates It,” Tax Notes Int’l, Apr. 20, 2020, p. 383.

5 Under a Model 1 IGA, foreign banks provide data on reportable accounts to local officials, who then forward the information to the United States. Under a Model 2 IGA, foreign banks are permitted to provide the information directly to U.S. tax officials.

6 Here, the EEA covers each of the EU member states, plus three of the four nations that comprise the European Free Trade Association (Iceland, Liechtenstein, and Norway). The fourth EFTA member, Switzerland, has signed but not ratified the EEA agreement.

7 See the December 3, 2019, letter from Terhi Järvikare, director general-taxation for Finland’s Ministry of Finance, writing on behalf of the Finnish presidency of the EU Council, to U.S. Treasury Secretary Steven T. Mnuchin. See also the March 12, 2020, response from Lafayette G. “Chip” Harter III, Treasury deputy assistant secretary for international tax affairs.

8 Lee A. Sheppard, “Will U.S. Hypocrisy on Information Sharing Continue?Tax Notes Int’l, Jan. 28, 2013, p. 320.

9 Some MEPs have become vocal advocates for the cause of accidental Americans, including Sophie in ’t Veld of the Netherlands.

10 See Nov. 10, 2020, letter from Filippo Noseda to Dolors Montserrat, chair of the European Parliament Petitions Committee (“FATCA hearing before the European Parliament — 10 November 2020”).

11 See Nov. 14, 2020, letter from Filippo Noseda to Andrea Jelinek, chair of the European Data Protection Board (“FATCA — No Mention in EDPB Recommendations Published on 10 November 2020”).

12 Noseda cites EDPB Recommendation 01/2020 and EDPB Recommendation 02/2020, to the effect that national data protection authorities “are required to” assess individual cases and either refer them to a national court or “to suspend or prohibit the [data] transfer” if the GDPR and other protections of EU law cannot be complied with.

13 See Nov. 3, 2020, letter from Filippo Noseda to Andrea Jelinek, chair of the European Data Protection Board (“FATCA — Working Paper Issued by European Council”).

14 See European Council, Discussion Paper on Automatic Exchange of Information in Tax Matters With Third Countries in the Context of the General Data Protection Regulation (Sept. 11, 2020).


Copy RID