The European Data Protection Board (EDPB) has ruled that the exchange of personal information between public authorities under existing international agreements needs to comply with the General Data Protection Regulation (GDPR).
This means that all transfers of personal data to third countries, concluded before 24 May 2016, or organisations, carried out before 6 May 2016, and which complied with the applicable EU law at the time, “shall remain in force until amended, replaced or revoked”, said Andrea Jelinek, chair of the EDPB.
“The EDPB deems that, in order to ensure that the level of protection of natural persons guaranteed by the GDPR and the Law Enforcement Directive (LED) is not undermined when personal data is transferred outside the Union, consideration should be given to the aim of bringing these agreements in line with the GDPR and LED requirements for data transfers where this is not yet the case,” Jelinek added.
“The EDPB therefore invites the member states to assess and, where necessary, review their international agreements that involve international transfers of personal data, such as those relating to taxation – eg to the automatic exchange of personal data for tax purposes – social security, mutual legal assistance, police cooperation.
“This review should be done in order to determine whether, while pursuing the important public interests covered by the agreements, further alignment with current Union legislation and case law on data protection, as well as EDPB guidance might be needed.”
How this applies to Fatca
The decision was positively received by the Association of Accidental Americans (AAA) and so-called ‘accidentals’ – people who acquired US citizenship either from their parents or by being born in the US – who have been fighting the legality of the Foreign Account Tax Compliance Act (Fatca) in several EU courts.
Fatca requires any US citizen living overseas to report their financial information to the Internal Revenue Service (IRS) for taxation purposes – this is because the US is one of two countries in the world that have a citizenship-based taxation system.
Tax authorities and foreign financial institutions also fall within the Fatca net, as they are bound to report their customers’ data to the IRS, something that has forced several EU banks to turn away US citizens.
Many legal challenges in both the UK and EU argued that such transfers of data, which clients are not asked to give consent for, are in breach of data protection rules.
Vincent Wellens, one of the lawyers of the AAA, said: “[The] EDPB clearly indicates that bilateral Fatca agreements between individual EU member states and the US should be reassessed. Good news because now too many EU member states rely on Art 96 GDPR, a grandfathering rule for international agreements concluded before the adoption of the GDPR – even when this rule only applies where the international agreement is in line with directive 95/46/EC, which is not the case for Fatca.
“So, the EDPB demands that individual EU member states must make this assessment on their own, whereas the latter conclude Fatca agreements on fairly similar terms and, hence, a coordination and more in-depth guidance by the EDPB would have been more adequate. If neither the EDPB nor the national data protection authorities take their responsibility, the courts will decide. No doubt about that.”