On February 25, 2019, the European Data Protection Board (the “EDPB”) issued a statement regarding the transfer of personal data from Europe to the U.S. Internal Revenue Service (the “IRS”) for purposes of the U.S. Foreign Account Tax Compliance Act (“FATCA”).
Enacted in 2010, FATCA requires that foreign financial institutions report information about financial accounts and assets held by their U.S. account holders to the IRS. Such institutions are required to register directly with the IRS to comply with FATCA or comply with intergovernmental agreements signed between the foreign country and the U.S. government. FATCA was designed to combat tax evasion by U.S. persons holding accounts and other financial assets offshore.
The EDPB issued the statement in response to a July 2018 Resolution passed by the European Parliament on the adverse effects of FATCA on EU citizens and in particular “accidental Americans,” and a February 2018 letter addressed to the Article 29 Working Party on behalf of European “accidental Americans.” (The term “accidental American” refers to an individual who by “accident” of birth inherited U.S. citizenship, but who maintains no connection to the U.S. having never lived, worked or studied there, or who does not hold a U.S. Social Security number.) By its Resolution, the European Parliament calls on the EDPB to investigate any infringement of EU data protection rules by EU Member States whose legislation permits the transfer of personal data to the U.S. for purposes of FATCA, and to initiate infringement procedures against Member States that fail to adequately enforce EU data protection rules.
In its statement, the EDPB announced that it will consider Parliament’s request. The EDBP also noted that it is currently preparing guidelines on data transfer tools provided for by the EU General Data Protection Regulation (“GDPR”)—specifically, guidelines discussing transfer tools based on safeguards provided for by Articles 46(2)(a) and 46(3)(b) of the GDPR. The guidelines will also elaborate on the safeguards themselves; they will touch on minimum guarantees to be included in legally binding and enforceable instruments concluded between public authorities and bodies (per Article 46(2)(a)) and provisions to be inserted into administrative arrangements between public authorities or bodies which include enforceable and effective data subject rights (per Article 46(3)(b)).
The guidelines will provide a useful tool for evaluating the FATCA intergovernmental agreements signed between EU Member States and the U.S. government to ensure that they comply with the GDPR.