Belgium’s Data Protection Authority ruled that sharing citizens’ financial data with the US under FATCA violates GDPR, shielding “accidental Americans” from unwanted reporting. The decision underscores tensions between US tax law and EU privacy standards, raising broader questions about international data transfers, transatlantic relations, and the balance between taxation and privacy.
Any American citizen living and working abroad knows the onerous burden of being required to file taxes in the US regardless of their residence. Due to the United States’s Foreign Account Tax Compliance Act (FATCA), financial institutions throughout the world have been subjected to equally onerous reporting burdens regarding American citizens who hold accounts and assets in their banks.
But in 2023, the Belgian Data Protection Authority (BDPA) informed the Belgian tax authority that it cannot lawfully share data with the US as FATCA demands because such data sharing violates key tenets of GDPR. A group of so-called “accidental Americans” – people born in the United States who automatically became citizens but who have perhaps never lived in the US and have no ties to the country – appealed to Belgium’s council of state to stop Belgium from sharing their data, citing the complete absence of consent, purpose limitation, data minimization, and transparency that make up the backbone of GDPR and most major global data privacy laws.
The BDPA reiterated and upheld its decision not to share data in April of 2025 after back and forth discussion.
European Union member states have discussed internal tax data transfers for a number of years, particularly in light of GDPR requirements. The Belgian DPA has been critical of EU-level inaction on this matter.
The Belgian DPA decision arrives at a moment when broader discussions about international data transfers have taken center stage. For example, the Irish Data Protection Commission has been particularly aggressive in applying penalties, fining social platform TikTok EUR 530 million and ordered corrective measures in relation to transfers of EEA user data to China.
The US Department of Justice recently prohibited and restricted transfers of bulk sensitive US personal data to specific countries ‘of concern’, such as China and Russia. While such actions are driven by national security concerns, privacy issues nevertheless come into view when users understand the scope of data privacy violations as a result of unregulated international data transfers. The Belgian case just happens to have potential additional repercussions, with very immediate and real effects for accidental Americans who are caught between the US tax system and European data protection laws. The decision could affect transatlantic data flows and the implementation of FATCA in other EU states, and even lead to political tensions.
The BDPA tug-of-war between FATCA and GDPR may not fall squarely in consent management territory, the fundamental principles of seeking and managing consent still apply.
©2025 CookieHub ehf.
