EU top court faces questions on GDPR compliance over bank data transfers to US | MLex | Specialist news and analysis on legal risk and regulation | Vincent Wellens

[💣 BREAKING - #GDPR & #FATCA] The Brussels Court of appeal refers 13 preliminary questions to the Court of Justice of the European Union (#CJEU) on the compatibility of FATCA and GDPR. 🇧🇪 After the Belgian #data #protection authority ("BDPA") had come to the conclusion - on 24 April 2025 and for a second time - that the FATCA personal data transfers (automatic exchange of data to the #US tax authority #IRS) are not compatible with the GDPR in several respect: lack of (i) sufficiently precise purpose, (ii) proportionality, (iii) transparency and sufficient information to the data subjects, (iv) data protection impact assessment, and (v) compliance with the rules on international data transfers. The BDPA had given the Belgian #tax administration a blame and ordered it to bring the situation in compliance with the GDPR within one year, so by 24 April 2026. 🇪🇺On appeal the Brussels Court of appeal has followed our argumentation and suggestion - on behalf of the Association of Accidental Americans Belgium and one physical Belgian accidental American - to raise substantial preliminary questions to the CJEU. The latter will have to answer several questions that concern not only the FATCA regime but also any mechanism that allows for a large-scale collection of tax-related data and the onwards transfer of such data to third countries. One key question is whether EU Member States may continue to rely on the "grandfathering" rule provided under the GDPR in order to avoid assessing the GDPR compliance of their international agreements concluded before the adoption. Additional questions concern the compatibility with the GDPR provisions on data transfers to non-EU countries, incl. whether the EU-US Data Privacy Framework is relevant in this context. Another question is whether large-scale collecting data for tax purposes in the absence of any indication of fraud or tax evasion complies with the principle of data minimisation. Many thanks to the whole NautaDutilh FATCA & GDPR #enforcement team - it is a truly #Benelux case & effort ! Maxime Vanderstraeten, Jill Van Overbeke, Roxane Weerts, Danique Knibbeler, Audrey Derep, Ottavio Covolo, Siebe Been and many others as well as to Fabien Lehagre ! For the decision, please read: https://lnkd.in/eu5re6_G In the meanwhile the decision also made the national and international press: https://lnkd.in/eBdkeWHp Juridictions administratives du Grand-Duché de Luxembourg Raad van State European Data Protection Board EDPS - European Data Protection Supervisor CNPD - Commission nationale pour la protection des données Autoriteit Persoonsgegevens (AP) | Dutch DPA CNIL - Commission Nationale de l'Informatique et des Libertés European Commission IAPP