Cette page est disponible uniquement en anglais

Automatic data collection mechanisms for tax purposes and their potential violation of the GDPR – does the FATCA case undermine the Belgian datamining proposal?

Blog
29.12.2025

Where it all started: FATCA

The mother of most automatic data collection mechanisms is the so-called Foreign Account Tax Compliance Act (FATCA), adopted in 2010. The FATCA requires that non-US financial institutions, and certain other non-financial institutions, to report foreign assets held by their US account holders to fight tax evasion and fraud. These account holders include individuals whose only link to the US is their place of birth, often referred to as “accidental Americans”. If the non-US entities fail to comply, they are subject to a significant withholding rate of 30% on US-originated fund flows.

To mitigate the extraterritorial impact on non-US entities, especially on financial institutions, most countries have agreed (or better: were effectively compelled) to conclude bilateral intergovernmental agreements (IGAs) which allow the local financial institutions to transmit the relevant data to the local tax authority, which then transmits the data to the US tax authority, the IRS. The relevant data include the account holder’s name, address, and account balance at the end of a calendar year. The IGAs are framed as bilateral agreements and, in principle, oblige the US to transmit data to the local tax authority in a similar situation. However, this reciprocity is in no way equivalent, as the IRS will never transmit data on the account balance at the end of a calendar year to the local tax authority (ironically because of US banking secrecy and privacy laws, sic (!)).

Belgium has also concluded an IGA with the US. However, Belgian implementing law requires the mechanism to ensure an equivalent reciprocity for it to be effective.

How FATCA shaped global standards

FATCA served as the blueprint for a broader exchange mechanism: the Common Reporting Standard (CRS), an information standard for the Automatic Exchange Of Information (AEOI) regarding financial accounts on a global level between tax authorities, which the Organisation for Economic Co-operation and Development (OECD) developed in 2014 on the basis of FATCA. Adhering to the CRS requires reciprocity and, as US has difficulties providing such reciprocity, it is one of the only industrialised countries that is not part of the CRS.

Also, on EU level and between EU Member States, the CRS has been adopted via Directive 2014/107/EU of 9 December 2014 amending Directive 2011/16/EU as regards mandatory automatic exchange of information in the field of taxation. Progressively, the automatic exchange has been extended to information held by digital platforms (DAC7), obliging them to report on the income earned by sellers of goods and services making use of the relevant platforms, and to reporting obligations on individuals and entities facilitating transactions with crypto-assets (DAC 8).

On a purely Belgian national level, such tax transparency has been organised and requires financial institutions to transmit a FATCA-inspired data set, including information on the account balance, to the so-called Central Point of Contact (CPC). The Belgian tax authority can only access the data held by the CPC if there is a suspicion of tax fraud or evasion. Although this system has raised several data protection concerns (including by the Belgian data protection authority (BDPA)), the system is more privacy-friendly than the FATCA/CRS mechanisms which foresee for automatic exchanges of data to the tax authorities directly, so even in the absence of any indication of tax fraud or evasion.

This is about to change. A new law adopted on 11 December 2025 allows the Belgian tax authority pseudonymised access to CPC data and integration into its data warehouse for datamining and pattern detection, also often referred in the press as “moneycontrol”.

The reference of the FATCA case to the CJEU

On 26 November 2025, the Brussels Court of Appeal referred 13 preliminary questions to the Court of Justice of the European Union (CJEU) on the compatibility of the FATCA framework and GDPR. It did so after the Belgian data protection authority ("BDPA") had come to the conclusion – on 24 April 2025 and for a second time – that the FATCA personal data transfers (automatic exchange of data to the US tax authority) are not compatible with the GDPR in several respects.

The BDPA came to the conclusion that the FATCA legal framework lacks:

  1. a sufficiently precise purpose: vague references to “tax evasion”;
  2. proportionality: automatic transfer of tax related data in the absence of any indication of tax fraud or evasion;
  3. transparency and sufficient information to the data subjects;
  4. a prior data protection impact assessment; and
  5. compliance with the rules on international data transfers (whereby the Belgian tax authority, just like other tax authorities in the EU, is often itself not consistent on the basis in the GDPR allowing for such international data transfers to take place).

The BDPA formally issued a blame towards the Belgian tax administration and ordered compliance by 24 April 2026.

On appeal the Brussels Court of appeal has followed the argumentation and suggestion of the Association of Accidental Americans Belgium and one physical Belgian accidental American to raise substantial preliminary questions to the CJEU.

The latter will have to answer several questions that concern not only the FATCA regime but also any mechanism that allows for a large-scale collection of tax-related data and the onwards transfer of such data to third countries. One key question is whether EU Member States may continue to rely on the "grandfathering" rule provided under the GDPR in order to avoid assessing the GDPR compliance of their international agreements concluded before the adoption. Additional questions concern the compatibility with the GDPR provisions on data transfers to non-EU countries, including whether the EU-US Data Privacy Framework is relevant in this context.

Perhaps the most critical question is whether large-scale collection of tax data, without any indication of fraud or tax evasion complies with the principle of data minimisation. If the CJEU is consistent with its own case law and, more particularly, in case C-175/20 in the field of the collection of tax data (“the controller, including where it acts in connection with a task which it has been charged with carrying out in the public interest, may not proceed, in a general and undifferentiated manner, with the collection of personal data and it must refrain from collecting data which are not strictly necessary in relation to the purposes of the processing”), then the chances are quite high that the CJEU will answer this question negatively.

Such a ruling could have far-reaching consequences for FATCA, AEOI mechanisms, and Belgium’s new datamining (“moneycontrol”) law. Even when the Belgian tax authority would in a first phase analyse a pseudonymised dataset, questions remain as to the degree pseudonymisation and, even when pseudonymised, the data remain personal data, certainly where in case of the detection of concrete case, the tax authority will be able to identify the relevant persons.

Notification de cookies

Cette fonctionnalité utilise des cookies tiers. Modifiez votre cookie préférences pour visualiser ce contenu ou afficher plus d'informations.
Ces cookies assurent le bon fonctionnement du site. Ces cookies ne peuvent pas être désactivés.
Ces cookies peuvent être placés par des tiers, tels que YouTube ou Vimeo.
En désactivant certaines catégories, les fonctionnalités associées au sein du site risquent de ne plus fonctionner correctement. Vous pouvez modifier vos préférences ultérieurement. Voir plus d'informations.