The European Parliament (EP) has criticised the current reporting requirements faced by US citizens in the EU under the Foreign Account Tax Compliance Act (Fatca).
An in-depth analysis by Carlo Garbarino, a professor at the Bocconi University in Milan, commissioned by the EP’s committee on petitions, found that the US legislation seems to “lack requirements” to fully adhere to the general data protection regulation (GDPR).
GDPR came into force across the bloc in 2018, but guidelines from the European Data Protection Board (EDPB), that should have been adopted in 2019, are yet to be released.
Garbarino also criticised the US’ lack of cooperation and reciprocity when it comes to international agreements, more specifically on the mutual transfer of data.
In the report, he said: “The US are not willing to adhere to multilateral agreements for the exchange of information in place of Fatca or to radically reform Fatca and intergovernmental agreements (IGAs) and there have been only slight indications in the direction of reciprocity for the exchange of tax data.”
The problem, however, is that the European Commission has deferred action to national data authorities, confirmed by the EDPB, which have been waiting for guidelines for three years now.
Their inherent incompatibility means the two competing regulations often clash. US citizens living in the EU argue they have not given consent under GDPR for their personal and tax information to be sent to the US, a recent example of this coming out of Belgium.
But several such cases are ongoing, and the European Union Court of Justice is yet to issue any decisions on the matter.
This, Garbarino said, does not prevent a legal analysis of the situation, considering that the GDPR has been in force since 2018, providing both a theoretical and practical framework to work with.
In order for Fatca to adhere to the data protection regulation, there are three criteria that must be met, Garbarino explained:
- The restrictions must be introduced either in EU or member state law – which in this case has been done via IGAs;
- The restrictions must respect “the essence of human rights and freedoms”; and
- The restrictions must be “necessary and proportionate measures in a democratic society”.
Garbarino said, assuming that Fatca data transfers meet the second criterion, “there are certain critical indicators of the lack of [the third criterion’s] requirements in current Fatca practice”.
“First, US expatriates generally do not use the EU financial system to engage in offshore tax evasion. Second, Fatca does not request the existence of indicia of unlawful behaviour of taxpayers, so that it raises compliance costs for persons for whom there is no evidence capable of suggesting that their conduct might have a link, even an indirect or remote, with tax evasion.
“Finally, most of the non-resident US persons falling under Fatca obligations do not effectively owe US taxes so that Fatca just expose them to onerous fines and penalties for even inadvertent filing and reporting errors.
“In conclusion, Fatca restrictions operating within the EU through IGAs at the current stage and under certain circumstances appear to be neither proportionate, nor necessary in so far they fail to narrow down the reporting obligations to individuals suspected of tax evasion.”
What needs to be done
Garbarino added that his conclusion would be proved wrong only if the US is able to provide evidence on a case-by-case basis that American expats are indeed using the EU financial system for tax evasion purposes.
“Lacking such evidence, Fatca restrictions appear to go beyond what is strictly necessary to achieve the goal of fighting against offshore tax evasion,” he said.
Otherwise, Fatca data transfers could be deemed GDPR-compliant if the controller and processor of the transfer meets the regulation conditions or if the European Commission decided that the US can ensure “an adequate level of protection” to the information being shared under the US legislation.
For the latter, the Commission is yet to issue an adequacy decision on Fatca data, while the protection adequacy safeguards have not been included in IGAs or in agreements between financial intermediaries and the Internal Revenue Service, Garbarino said.