Does FATCA Have a Schrems Problem?
Facebook’s business model has always intrigued me. There’s a brashness in assuming a large segment of the human race (2.7 billion users and counting) can be so easily convinced to give away their personal information free of charge, allowing the company to then sell the precious data to advertisers. In a more perfect world, the users of Facebook or any other social media platform would demand to be compensated for the commercial appropriation of their personal data. Most of us claim to highly value our privacy, so why not seek a reasonable price when it’s digitally harvested from us in incremental bits? Think of it as a modern-day severance fee. Otherwise, the firms that make up the digital economy are obtaining a vital business input at no cost. What other category of merchant gets away with such a windfall? Don’t bakers pay for their flour and yeast?
This will probably never come to pass. Collectively, we are far too willing to be fleeced like digital sheep. Taken in isolation, the value of any one person’s digital data may seem inconsequential and hardly worth the fuss. It’s only when the data is assembled into sufficiently large batches that it acquires value to marketers. Also, the process of charging a fee would be a hassle, which clashes with our expectations of obstacle-free digital engagement. Behaviorally speaking, the act of going on Facebook or Twitter to check out the latest internet meme doesn’t lend itself to transactional attributes. Users do not feel as though they’re giving something away, so complacency naturally follows. But rest assured, there are buckets of gold in the clicks of your cursor.
Yet every once in a while Facebook’s business model hits a bump in the road. Twice that bump has taken the shape of Maximilian Schrems, an Austrian lawyer and privacy advocate. His contribution to the legal profession has been to point out how large-scale data transfers from European entities to U.S. entities are fraught with legal complications. These difficulties are seldom rooted in U.S. law. They originate from the General Data Protection Regulation (GDPR) and other sources of EU law, such as the European Charter of Fundamental Rights (ECFR) and the European Human Rights Convention (EHRC). The litigation he has spawned has gone all the way to the Court of Justice of the European Union, resulting in judgments known as Schrems I (2015) and Schrems II (2020).1
The earlier case invalidated the safe harbor framework that permitted tech companies to mine personal information from European internet users and transmit it back to ravenous U.S. data crunchers. The latter case invalidated the EU-U.S. privacy shield that functioned as a replacement for the safe harbor framework. These cases suggest a pattern in which EU and U.S. officials keep finding workarounds to the inconvenience presented by EU data protection rules, and the CJEU keeps batting them down.
The crux of the matter is that the commercial desires of the U.S.-driven digital economy clash with EU privacy protections. For all the yelling in the United States about freedom and personal liberty, in this case Europeans are more serious about affording their citizens actual privacy protections — and giving those protections actionable remedies. There is no U.S. counterpart to the GDPR, and I suspect there never will be. It would be burdensome for business.
The tax world should note the Schrems cases for their repercussions on the Foreign Account Tax Compliance Act. Automatic exchange of tax information, whether achieved via FATCA or the common reporting standard, is just another subset of big data. The difference is that the “client” happens to be tax administrators, rather than some digital marketing firm. It doesn’t take much imagination to see how the same legal arguments that Max Schrems used to invalidate the safe harbor framework and privacy shield could extend to one of the 27 intergovernmental agreements that coordinate the flow of taxpayer data from European financial institutions to the IRS.2 As previously discussed, the European Commission is content to dodge thorny questions about FATCA’s compliance with EU privacy standards.3 Thus far, the CJEU has displayed no similar reluctance. It’s only a matter of time until the Court hears a suitable test case.
So far as I know, the U.S. Treasury Department has no plan B in the event its IGA network begins to unravel. FATCA doesn’t work without IGAs.
Beware of academic endeavors that challenge students to think outside the box. They sometimes lead to uncomfortable outcomes that threaten the status quo.
That was the case in 2011 when Schrems, then a law student at the University of Vienna, chose to take a semester abroad in the United States. A few months later he found himself in a classroom at Santa Clara University, located near the heart of Silicon Valley. One day his professor invited Ed Palmieri, a privacy lawyer with Facebook, to address the class.
Although Schrems was just 23 years old, he latched onto a key aspect of Palmieri’s remarks to the class: Facebook’s understanding of European privacy protections was severely lacking. This left him shocked, given how savvy the social media giant was in other areas. If that was the case for Facebook, it would likely be so for other U.S. tech firms operating in the same digital space. Schrems selected the issue as his thesis topic and set about researching how Facebook compiles and retains data on individual users, especially those based in EU member states.
Schrems continued the research project after returning home from his eventful semester abroad in California. He submitted a written request to Facebook to obtain copies of the company’s records on him, pursuant to the right of access under the ECFR.4 If you look closely enough, the European version of the Facebook website contains a tucked-away feature that enables users to make these requests online.5 There’s no corresponding feature on the U.S. version of the platform.
In response, Facebook sent Schrems a compact disc containing more than 1,200 pages of personal data derived from his online activities since 2008, when he began using the website. That’s roughly 300 pages of data for each year he had been active on Facebook. The CD included information on everyone he had friended or unfriended, every event he had attended or been invited to, and everyone who had signed into a Facebook account using one of the same computers that he had used. The CD included not only the contents from his current profile page, but also things he previously posted and later deleted. It included email addresses that Schrems had never conveyed via his Facebook account. Those email addresses were presumably gleaned from his contact lists or the contact lists of his Facebook friends.
Detailed as it was, the response didn’t contain all the personal data that Facebook possessed relating to Schrems. For instance, the company declined to include information on his biometric faceprint. Facebook regards the details of your face as its proprietary trade secret. That’s correct — the physical contour of your cheek bones is Facebook’s intellectual property. Again, something of commercial value is given away and we implicitly consent to the conveyance each time we post a photograph of ourselves online. Selfies aren’t just vain, they’re an economic forfeiture.
Next, Schrems established an activist group to promote online privacy rights, known as Europe-v-Facebook.org. He published the contents of Facebook’s response to his inquiry on the group’s website to give other users a better sense of just how deep the company’s data retention practices go. If the company kept 1,200 pages of personal data on one Austrian law student, how much do they know about you and me — and with whom are they sharing that data (knowingly or otherwise)? By this time, the world was mindful of the Edward Snowden affair, which revealed the existence of mass surveillance programs operated by the U.S. National Security Agency (NSA). What Facebook sees, the NSA also sees. Americans might not care, but such cyber-snooping has consequences under EU law.
This activity was taking place several years before the GDPR was approved, but EU citizens already enjoyed privacy protections under the EU Data Protection Directive (Directive 95/46/EC, as amended by Regulation (EC) No. 1882/2003) that had been in effect since 1995. The directive established a default rule that prohibited transfers of personal data to third countries unless that country ensures an adequate level of protection.
In July 2000 — well before Mark Zuckerberg founded Facebook in his college dormitory — the European Commission adopted a favorable decision on the adequacy of U.S. personal data protection.6 The decision was based on a loose set of privacy principles that has come to be known as the safe harbor framework. The framework references a set of frequently asked questions released by the U.S. Department of Commerce offering voluntary guidance for private tech firms, but with no clear enforcement mechanism or legal remedy in the event of a breach. At its heart, the safe harbor framework boils down to a process of self-assessment and self-certification. The practical effect of the safe harbor framework was to permit the flow of bulk data from European affiliates to their U.S. parents without violating the directive. Approximately 5,000 companies relied on the framework.
Sensing that the safe harbor framework offered insufficient protection to EU citizens, Schrems filed a complaint with Ireland’s Data Protection Commission (DPC) in June 2013, alleging that Facebook’s business practices violated the directive. This was after the company’s initial public offering in 2012. Although Schrems lived in Austria, he filed the complaint in Ireland because Facebook’s European headquarters is based there (Facebook Ireland Ltd.). Facebook chose Ireland because of the country’s favorable corporate tax environment. The Irish subsidiary provides global web services, which include transferring data accrued from European citizens to the parent company’s servers in the United States.
Schrems’s complaint was bolstered by Snowden’s disclosures of widespread NSA surveillance, which implied that any U.S. tech company’s self-certification under the safe harbor framework was ineffectual. NSA surveillance was not something that Facebook could opt out of. Despite those concerns, the DPC rejected Schrems’s complaint. In so doing, the DPC never bothered to probe the details of the allegations about Facebook’s practices. It accepted the presence of the safe harbor framework as proof enough that the requirements of the EU law were being satisfied. In other words, U.S. data protections were deemed adequate because private companies had said so through self-assessment — with no independent oversight. That sounds laughable when you think about it.
Schrems appealed the DPC’s determination to Ireland’s High Court, which referred the matter to the CJEU in July 2014. The question before the court was whether national data protection supervisory bodies were competent to conduct their own investigations on the adequacy of third-country data protections, or whether they were bound by the commission’s determinations on those measures.
The resulting opinion, written by Advocate General Yves Bot, was issued in September 2015. It sent shock waves through the digital economy, which had come to rely heavily on the safe harbor framework. Bot’s opinion was that national data protection bodies were empowered to perform their own investigations of the adequacy of third-country protections. He added that the final say as to whether third countries offered adequate data protections rested with the CJEU, not with the commission. Finally, Bot found that the data protections offered by U.S. laws and regulatory regimes failed to provide adequate protections as required by the directive and article 47 of the ECFR, contrary to the safe harbor framework. As a result, the commission decision establishing the safe harbor framework should be invalidated.
A month later the CJEU released its judgment, which largely followed the advocate general’s opinion. The Court agreed that the commission exceeded its lawful authority when it adopted article 3 of the safe harbor framework, which amounted to an impermissible shortcut around what was required by EU law. This was bad news for Facebook and the thousands of other companies that similarly collected and remitted data of EU citizens.7 The safe harbor framework was defunct.
There’s nothing about the judgment that limits its scope to social media platforms or search engines. The protections of the directive (now subsumed by the GDPR)8 apply across the board and include the financial sector. The process by which European banks transmit account information to the United States under FATCA is not so different from what Facebook was doing, except that it occurs under the authority of bilateral IGAs — and that the recipient of the data (the IRS) is a public body rather than a private corporation.
It’s become a cliché to say that digital data is the new oil. If it’s true, what the CJEU did in Schrems I was akin to shutting down the Suez Canal, and it was just getting started.
It didn’t take long for people to realize the CJEU had just thrown a wrench in the working of the digital economy. Days after the judgment was released, members of the European Commission met with a delegation of industry representatives to plot a response. The following day a group known as the Article 29 Working Party released a statement calling for a “robust, collective, and common position on the implementation of the judgment.”9 This was not an OECD working party, but an independent group established under article 29 of the directive and consisting of members of national data protection bodies.10
The statement didn’t mention Snowden or the NSA by name, but it observed that “massive and indiscriminate surveillance is a key element of the Court’s analysis” in Schrems I. It clarified that data transfers to the United States taking place under the safe harbor framework were now unlawful, while noting that transfers occurring under a standard contractual clause (SCC) were unaffected by the CJEU judgment and could still proceed.
Realizing that it could no longer use the safe harbor framework, Facebook began operating under an SCC as of November 2015. That allowed it to continue transferring data to the United States as it had before the CJEU judgment. It’s unclear whether Facebook halted its EU-U.S. data transmission during the month or so between the issuance of Schrems I and the execution of its SCC. The statement from the Article 29 Working Party implied that a grace period should apply through the end of January 2016, with any coordinated enforcement actions by member states’ data protection bodies being delayed until then. The effect of the grace period was to give the U.S. companies that previously relied on the safe harbor framework a bit of time to convert over to SCCs. Conveniently, the commission already had a decision in place since 2010 regarding the use of SCCs (Commission Decision 2010/87/EC).11
The decision construes these data transfers as a kind of import-export scenario between a data “controller” based in an EU member state and a data “processor” based in a third country. That’s often described as a controller-to-processor transfer. Depending on the particulars, an SCC may impose responsibilities on the controller to ensure that the processor adheres to safeguards as it handles the received data. Facebook’s SCC positions Facebook Ireland Ltd. as data controller and Facebook Inc., the U.S. parent, as the data processor.
SCCs were increasingly used after the Schrems I judgment, but the U.S. tech sector wanted a more straightforward process for remitting data derived from European internet users. By February 2016, marking the end of the grace period, U.S. and EU officials had developed a preliminary draft of a new regime intended to replace the safe harbor. This was known as the EU-U.S. privacy shield, which was soon approved by member states and implemented by July 2016 (Commission Decision 2016/1250).
The purpose of the privacy shield was to do everything the safe harbor framework had previously done, in terms of facilitating the bulk flow of personal data from EU sources to U.S. companies, but to do so in a manner that better complied with EU law. A key feature of the privacy shield was an ombudsman mechanism, which was intended to provide additional redress for EU citizens. Most of what we know about the ombudsman mechanism can be traced to a July 7, 2016, letter from John Kerry, then the U.S. secretary of state, containing a memorandum outlining the role of a “senior coordinator for international information technology diplomacy.”12
The ombudsman was to be appointed by the secretary of state and was to be nominally independent from the U.S. intelligence community, although the position remained part of the executive branch of government. The role of the ombudsman was to deal with information requests from EU citizens and to investigate their complaints by working with other U.S. government officials. The ombudsman could confirm that an EU citizen’s complaint had been investigated and whether U.S. laws and agency policies were complied with. However, the ombudsman was barred from confirming or denying whether a particular individual was the target of U.S. surveillance efforts. It’s difficult to gauge whether the ombudsman mechanism has accomplished much since its formation.
Meanwhile, the DPC had some work to do. Following the CJEU judgment, the Irish High Court issued an order quashing the DPC’s rejection of Schrems’s complaint. It offered him the opportunity to update his original complaint, which he did to reflect the company’s newly minted SCC. The revised complaint asked the DPC to suspend Facebook’s transmission of data from Europe to the United States on the grounds that it remained incompatible with the ECFR, notwithstanding the company’s use of an SCC.
The DPC initiated a two-prong investigation based on Schrems’s revised complaint. Did U.S. law ensure the adequate protection of EU citizens’ privacy rights? If not, were there adequate protections of those privacy rights stemming from Facebook’s SCC? The DPC eventually answered both those questions in the negative. First, the privacy protections available under U.S. law were found to be fragmented and constrained, applying only in prescribed circumstances that left EU citizens without judicial remedies. That was insufficient for purposes of articles 7 and 8 of the ECFR. Second, the supplemental safeguards contained in Facebook’s SCC also failed to address the lack of remedies, making it incompatible with article 47 of the ECFR.13
The DPC was aware that these findings implicated EU law. It concluded that it was unable to close the investigation into Schrems’s case without obtaining judicial rulings on a number of issues, including the validity of the commission’s decision on SCCs. That meant returning to the Irish High Court for a second time and requesting a preliminary ruling under article 267 of the Treaty on the Functioning of the European Union. This time around the DPC was the plaintiff, with Schrems and Facebook Ireland joined as defendants. Amicus curiae briefs were submitted by the U.S. government, DigitalEurope, the Business Software Alliance, and the Electronic Privacy Information Center.14
Facebook had a ready reply. It portrayed the dispute as a national security case that was being mischaracterized as a privacy case. As Facebook saw it, the roots of Schrems’s grievance had little to do with the company’s own actions in how it handled data, but rather with the mass surveillance activities of U.S. intelligence agencies. Those were things over which the company had no control. National security issues, the company argued, were entirely outside the scope of EU law — including the directive, the ECFR, and the EHRC. It referenced prior CJEU case law as persuasive authority, citing European Parliament v. Council, C-317/04 and C-318/04 (CJEU 2006). By implication, national security matters may also be outside the scope of the GDPR, which includes a general allowance for the transfer of data if a legitimate public interest is being served.15 The same allowance could apply to tax administration, which tends to weaken the argument for challenging FATCA under the GDPR — although it leaves ECFR and EHRC in play.16
Facebook further argued that U.S. privacy safeguards were not so bad when viewed holistically, citing oversight bodies housed within federal agencies and the Department of Justice, the ability of congressional committees to hold oversight hearings on selected matters, and the presence of the Foreign Intelligence Surveillance Court. The problem with those arguments is that none of them involve independent and impartial tribunals.
The High Court agreed with the DPC that U.S. privacy laws fell short when it came to individual remedies:
Despite the number of possible causes of action, it cannot be said that U.S. law provides the right of every person to a judicial remedy for any breach of data privacy by its intelligence agencies. On the contrary, the individual remedies are few and far between and certainly not complete or comprehensive.17
The High Court’s analysis is useful in how it outlines the multiple avenues by which international data transfers can be accomplished under EU law as of 2017 (before adoption of the GDPR). These mechanisms include:
a commission adequacy decision under article 25(6) of the directive (such as the now-defunct commission decision establishing the safe harbor framework);
an authorization by a member state under article 26(2) of the directive;
one of the six derogations listed under article 26(1) of the directive (such as when an EU citizen consents to the transfer of his or her personal data); or
a commission adequacy decision under article 26(4) of the directive (including the SCC decisions).
The Irish High Court referred 11 separate questions of law to the CJEU. For our purposes, these can be condensed into two issues: Should Commission Decision 2010/87 on SCCs be invalidated; and should Commission Decision 2016/1250 establishing the privacy shield be invalidated?
In December 2019 Advocate General Henrik Saugmandsgaard Øe delivered a detailed opinion that found no reason to toss out the SCC decision, although he provided a basis for SCCs being routinely scrutinized by national data protection authorities. That wasn’t being done, in part, because there were simply too many SCCs for authorities to deal with — but also because the commission decision was taken as an endorsement of SCCs’ general legitimacy. In Facebook’s case, the Irish DPC had legitimate grounds for scrutinizing the company’s SCC and asking whether the controller and processor were adhering to their contractual responsibilities. The takeaway for companies is that they can no longer execute an SCC and assume it will operate on autopilot. The responsibilities placed on the data controller need to be taken seriously.
For the second question, the advocate general proposed that the Court refrain from considering whether the privacy shield was invalid — a gesture of judicial restraint. Øe then offered a variety of reasons that caused him to doubt whether the privacy shield conformed to the requirements of EU law, including a discussion of the shortcomings of U.S. privacy safeguards and the ombudsman mechanism. The CJEU judgment, released in July, took the additional step of invalidating the privacy shield. Commission Decision 2016/1250 violated article 45(1) of GDPR, as read in light of articles 7, 8, and 47 of the ECFR and article 8 of the EHRC. The privacy shield was now also defunct.
It may have taken the better part of a decade, but Schrems eventually convinced the CJEU to strike down both the safe harbor framework and the privacy shield. Companies like Facebook would be left to rely on SCCs, which were already in wide use, but could not regard such agreements as self-enforcing. Going forward, data exporters will be expected to actively confirm whether data importers adhere to their commitments, and national data protection authorities will be expected to scrutinize whether these contracts are taken seriously. That’s meaningful progress in advancing personal data protection, although it does not prevent governmental surveillance and does not bring Facebook’s business model to a crashing halt.
Let’s return to our original inquiry: Does FATCA have a Schrems problem? How would things play out if the CJEU had the opportunity to critique one of the IGAs signed by the United States and an EU or European Economic Area member state?
The network of IGAs didn’t exist prior to 2010. These pseudo-treaties sprang out of nowhere once FATCA was enacted. Were they contracts of adhesion? Were member states presented with a boilerplate document and told to take it or leave it — resigning their banks to punitive withholding taxes if they chose the latter? How much forethought, if any, was given to EU data protection by the U.S. tax officials who drafted these things?
Both the safe harbor framework and privacy shield were invalidated when subjected to CJEU scrutiny. If an IGA were to meet the same fate, it’s possible that FATCA would lose cohesion — at least as to foreign financial institutions based in EU/EEA jurisdictions. If one European IGA were to fall, wouldn’t they all be left vulnerable?
This possibility raises all sorts of awkward questions. Presumably the U.S. Treasury Department and the relevant member state would hash out a new bilateral arrangement that addressed the deficiencies of the original IGA. If EU officials were wise, they would use the opportunity to seek a blanket agreement that covered FATCA-related data transfers for all member states, and in the process demanded reciprocity. Here, reciprocity means that U.S. banks would be tasked with the same burdens as FFIs. For starters, they’d be required to review their client bases for account holders with any indicia of being a European person. For those account holders, the U.S. bank would be compelled to collect a bundle of account information and remit it to the appropriate European tax administrators. Perhaps the U.S. banks would be pushed so far as to shut down the accounts of recalcitrant clients who refuse (or are unable) to provide their taxpayer identification numbers. What goes around, comes around.
This is absolutely the last thing that U.S. banks want to do — although it’s exactly what FATCA has required of foreign banks for the last 10 years. As things stand, U.S. banks are enjoying a position of privilege. They’re not subject to reciprocity under FATCA and not subject to the common reporting standard. To the rest of the world, this makes the United States a kind of tax haven for nonresident aliens. They can place deposits in U.S. banks and the income will not be subject to withholding or reporting. There’s basically no way for the tax authorities in their home countries to detect the foreign accounts or the accrued income, unless the taxpayers self-report. Tax treaties can help, offering information exchange on request. That’s useful when the treaty partners already know for whom they’re looking. The whole point of FATCA and the common reporting standard is to be less reliant on treaty-based information exchange, supplementing it with automatic exchange of information.
The world needs a suitable test case to get FATCA before the CJEU. A leading candidate is “Jenny,” a U.S.-born U.K. citizen who has lived in the United Kingdom for close to 20 years. We can’t tell you Jenny’s full name, because she prefers to remain anonymous. Her case garnered international attention last year because of her novel approach to financing her litigation costs. She raised money through an online crowdfunding platform.18 Jenny is represented by Filippo Noseda of Mishcon de Reya LLP in London.
Jenny was introduced to FATCA when she received a “dear client” letter from her local U.K. bank. The letter advised that she had U.S. tax obligations and warned that her personal data would be provided to U.S. tax authorities. She filed a complaint with HM Revenue & Customs, claiming that the sharing of her personal data with the U.S. government under FATCA violated her privacy rights as an EU citizen. Ironically, she’s not liable for tax under FATCA because her earnings are under the annual income threshold. She is employed as a university research associate who works with deaf students. For thousands of people like Jenny, their lives would be better off if the United States eliminated citizenship-based taxation.19 The rest of the world does just fine taxing individuals based on residence.
The latest developments in Jenny’s case came in May, when the U.K. government’s Information Commissioner’s Office (ICO) sent her a letter indicating that HMRC was not obliged to consider the lawfulness of FATCA, meaning her complaint was outside the scope of the ICO’s jurisdiction.
Oh sure, blame the United States and wash your hands of the matter. FATCA was their idea, after all. But the dismissive response ignores the fact that the U.K. government is a signatory to a bilateral IGA and therefore a state actor in the external transfer of an EU citizen’s personal data. That necessarily implicates the protections of the GDPR, ECFR, and EHRC. It’s hardly exculpatory that the IGA happens to be a lousy deal for the United Kingdom; the country still signed it.
HMRC has data protection obligations that are not alleviated because of FATCA’s U.S. origins. Who knows whether the agency has complied with them? Based on the ICO letter, we will never find out because no part of the U.K. government seems to have responsibility for looking into the matter.
It’s doubtful the CJEU would pass on an opportunity to evaluate the legality of the U.K.-U.S. IGA. It remains to be seen whether that happens. The Brexit transition period expires at the end of the year, meaning Jenny has only a few more weeks to get her case on the Court’s docket. Litigation costs are an obstacle, given that U.K. law operates on a loser-pays system. If Jenny’s court challenge did not prevail, she could be personally saddled with the defendant’s costs. Her lawyers have requested that HMRC waive its right to seek adverse-party costs. That probably won’t happen because the U.K. government apparently wants these FATCA disputes to go away — as does the European Commission. That’s a pity for a number of reasons, the least of which is that the United States is the only country that gets anything out of FATCA.
The automatic exchange of tax information should be a two-way street, and it must also respect applicable data protections.
1 See Schrems v. Data Protection Commissioner (Schrems I), C-362/14 (CJEU 2015). See also Data Protection Commissioner v. Facebook Ireland Ltd. and Schrems (Schrems II), C-311/18 (CJEU 2020).
2 That would be 30 IGAs if we include the European Economic Area. Here I’m throwing in the United Kingdom for good measure, per the transition period, although Brexit raises questions about the continued applicability of EU privacy rules to U.K. citizens.
3 See Robert Goulder, “Does FATCA Have a General Data Protection Regulation Problem?” Tax Notes Int’l, Nov. 30, 2020, p. 1245.
4 The right of access is also reflected in article 15 GDPR.
5 An applicant submitting a request to Facebook must provide proof of identity, such as a copy of a passport, an email address, or a home address, and a link to the Facebook profile page.
6 Commission Decision 2000/520/EC of July 26, 2000, in accordance with Directive 95/46/EC.
7 See Lee A. Sheppard, “BEPS: Appetite for Destruction,” Tax Notes Int’l, Oct. 26, 2015, p. 287.
8 The GDPR effectively repealed the directive as of May 25, 2018. Article 94(1) GDPR.
9 Statement of the Article 29 Working Party on Schrems I (Oct. 16, 2015).
10 The Article 29 Working Party has since been reestablished as the European Data Protection Board.
11 To clarify, the commission decision on SCCs (2010) is a separate instrument from the commission decision recognizing the safe harbor framework (2000), discussed earlier. For the full scope of commission decisions addressing the use of SCCs, see Commission Decision 2001/497/EC, Commission Decision 2004/915/EC, and Commission Decision 2010/87/EC, as amended by Commission Decision 2016/2297.
12 See Annex III to the European Commission’s privacy shield decision (2016/1250).
13 The DPC also noted that SCCs are binding only on their signatories, the controller and processor, having no effect on outside parties. Nothing contained in a company’s SCC would limit the U.S. government’s ability to conduct surveillance operations under the Foreign Intelligence Surveillance Act or Executive Order 12333, which authorize the interception of foreign communications.
14 Additionally, the governments of Austria, Belgium, the Czech Republic, Germany, Ireland, the Netherlands, Poland, Portugal, and the United Kingdom filed written observations with the CJEU.
15 See article 2(2) GDPR, stating that the regulation does not apply to the processing of personal data in the course of activity that falls outside the scope of EU law.
16 For related analysis, see William Hoke, “Non-FATCA Cases Bolster EU Privacy Challenges to IRS Data Demands,” Tax Notes Federal, Sept. 7, 2020, p. 1911.
17 Data Protection Commissioner v. Facebook Ireland Ltd. and Maximilian Schrems, request for a preliminary ruling, Article 267 TFEU, Irish High Court (2016 No. 4809 P.) (Apr. 12, 2016).
18 Amanda Athanasiou, “U.K. Citizen Uses Crowdsourced Funds in FATCA Challenge,” Tax Notes Int’l, Sept. 23, 2019, p. 1316.
19 For related analysis, see John Richardson, Laura Snyder, and Karen Alpert, “A Simple Regulatory Fix for Citizenship Taxation,” Tax Notes Int’l, Oct. 12, 2020, p. 247.