A decade ago, EU members states bent over backward to accommodate U.S. interests as they flocked to sign intergovernmental agreements that enabled the Foreign Account Tax Compliance Act to blossom to life. The Europeans weren’t alone. More than 100 governments executed these one-sided IGAs under the same coercive pressure. Sign the IGA or risk painful withholding.
The IGAs were contracts of adhesion. They differ fundamentally from treaties based on mutuality. It’s relatively easy to walk away from treaty negotiations when the proposed terms aren’t to a country’s liking. Not so much for IGAs.1 By way of example, Brazil has long balked at signing a tax treaty with the United States, but it had no real choice but to sign an IGA when presented with one.
I mention this because there’s a community of FATCA apologists out there who would lump the IGA network together with the more benign U.S. tax treaty network, nestled under the banner of happy international cooperation. I’m fine with multilateralism — the world needs more of it. But I fail to see anything in FATCA that’s cooperative in spirit.
Other than the United States, can you name a single jurisdiction that proactively wanted to sign an IGA as an expression of its political sovereignty? I didn’t think so.
Still, there’s a difference between saying IGAs are thuggish and establishing that they are illegal. The inspiration for this week’s column draws from the latter concern. On May 24 the litigation chamber of Belgium’s Data Protection Authority (BDPA) determined that the Belgium-U.S. IGA violated the EU’s General Data Protection Regulation (GDPR).2 This has been a long time coming.
The 77-page decision found multiple GDPR transgressions, the most notable of which was FATCA’s lack of proportionality regarding the treatment of accidental Americans. References to proportionality are a fancy way of saying that Congress deployed a sledgehammer when the situation called for a surgical scalpel. It would be different if FATCA’s reporting obligations hinged on the presence of some minimal indicia of tax evasion. FATCA makes no such effort, rendering it indiscriminate. A body of case law makes it clear that the Court of Justice of the European Union does not look favorably on generalized presumptions of guilt, or unnecessarily broad regulatory schemes that inflict harm on EU residents.3
A separate transgression — unrelated to proportionality — was the U.S. government’s inadequate data protection practices.4 For whatever reason, data protection has never been a congressional priority. There’s an irony in how a foreign country (Belgium) has interpreted a foreign law (GDPR) to safeguard the rights of U.S. citizens residing abroad, while U.S. lawmakers aren’t inclined to do anything of the sort for U.S. citizens residing in the homeland.
A key aspect of the BDPA decision was how it dealt with GDPR article 96 — international agreements already in place. FATCA predates the GDPR. Most of the IGA network was in place before the GDPR’s effective date of May 25, 2018. The Belgium-U.S. IGA entered into force on December 23, 2016, and is considered to have been in effect from June 30, 2014.5 The complaint would have failed if FATCA were outside the scope of the GDPR. To nobody’s surprise, the BDPA decision confirms that article 96 is not an indefinite exemption.
The BDPA’s determination is immediately effective, though it can be appealed to the country’s federal courts. The government has 90 days to confirm that it’s in compliance. The decision further calls upon the Belgian tax authorities to conduct a data protection impact assessment related to FATCA under GDPR article 35. We can anticipate what the impact assessment will conclude: There’s a glaring mismatch between the pervasive hardship the regime inflicts and the limited benefits it delivers. Hence the lack of proportionality.
To the rest of the world these flaws are obvious. Washington doesn’t perceive a problem because it has a blind spot. If you’ve been raised in a culture in which citizenship-based taxation seems normal (hint: it is the antithesis of normal), you probably suffer from the same bias. The thing about American exceptionalism is that it often mistakes warts for beauty marks — but at the end of the day they’re just warts.
Accidentally What?
The BDPA case resulted from a complaint brought by someone identified as an accidental American. That is, someone assigned U.S. citizenship by accident of birth who otherwise lacks a personal, social, or economic bond with the United States.6 You’d call them a foreigner, except for their circumstances of birth. The complainant was joined by the Accidental American Association of Belgium.
Accidentals leave the United States at such a young age they lack the cognitive capacity to make decisions about their citizenship or residence. They’re not present in the United States long enough to acquire a Social Security number, taxpayer identification number, or U.S. passport — although a parent presumably would have been assigned a U.S. birth certificate. Accidentals must not be conflated with expats. Expats leave the country consensually, as adults. A six-month-old infant does not consciously elect to flee the country; the kid just tags along with its parents when they leave our shores.
Here’s the ponderous thing. The status of being an accidental does not flow from any statutory or regulatory designation. There’s nothing in U.S. tax, immigration, or banking law that spells out a litmus test for determining who qualifies as an accidental. There’s no reason to draw those lines, because these folks are not categorically treated differently than other U.S. citizens.
“Accidental American” is not a legal concept, per se. Yet, we observe it playing a non-trivial role in the BDPA’s findings — arguably the decisive role. The BDPA issued a release on May 24 that explains its decision:
The Belgian Data Protection Authority today declared unlawful, and decided to prohibit, the transfers of personal data of Belgian “Accidental Americans” by the Belgian Federal Public Service Finance (FPS Finance) to U.S. tax authorities under the intergovernmental FATCA agreement. According to the Belgian DPA, the data processing carried out under this agreement does not comply with all the principles of the GDPR, including the rules on data transfers outside the EU.
Now that’s interesting. Belgian tax authorities have been informed they can no longer share information pertaining to accidentals with the IRS under FATCA — even though status as an accidental is not delineated by any body of law.
If the Belgian government is now obliged to treat accidentals differently than run-of-the-mill U.S. expats, how will it differentiate between the two? It’s not clear how it would pull off that trick. The most feasible solution is for the Belgians to curtail FATCA participation entirely.
There you have it. If we can’t reliably segregate the population of accidentals from the population of expats, the appropriate response is for Belgium to pull the plug on FATCA altogether — and then make nice to U.S. officials so they don’t counter with a punitive withholding response. Belgium’s choice is between adhering to the IGA or adhering to EU primary law; it can no longer do both. In that context, suspending FATCA is no act of obstinance.
Enlist the Banks
Perhaps the foreign financial institutions have a role to play in terms of identifying accidentals for FATCA purposes. On first thought, that doesn’t sound unreasonable because the banks maintain direct client relationships. It’s true that banks are in a better position to ask questions of their account holders. But even then, I’m not sure how they’d manage the task. Enlisting banks to spot accidentals does nothing to alter the fact that the status is not a recognized legal concept.
Couldn’t the United States unilaterally force FFIs to make specific determinations for each individual account holder as to whether they’re an accidental?
Let’s slow down and think about that proposition critically. It presumes there’s nothing ugly about foreign banks getting bossed by the U.S. government, which has no natural jurisdictional authority over them. What if the shoe were on the other foot? How would U.S. citizens like it if U.S. banks were forced into doing things for the sake of satisfying a foreign government — say, the Chinese Politburo? My guess is that there would be plenty of offense.
At some point, Washington needs to get the picture that not every FATCA problem can be solved by placing further demands on foreign banks — and expecting them to absorb the related costs as if it were overhead.
Beyond that, I have doubts such an effort would go very well. Recall the lack of success FFIs have experienced with the more basic chore of obtaining U.S. TINs from their account holders.
Remember this: Asking an accidental for their U.S. TIN is like asking a fish for its driver’s license. They probably don’t have one — and demanding they go out of their way to apply for one adds insult to injury. This is a design glitch in FATCA that’s been present from day 1.
Bear in mind that many accidental Americans aren’t aware of that status — at least not to start with. Many learn about being an accidental American when a third party sends a heads-up letter warning of FATCA and the possibility of U.S. tax and reporting obligations.7 The point is that FFIs could endure the tedious process of asking every client whether they’re an accidental American, and that won’t produce reliable results.
No other country has this same difficulty. You don’t hear stories in the tax press about accidental Greeks or accidental Mongolians. The rest of the world knows better; it relies on residence-based taxation.
Treaties Are Go
The BDPA decision does not affect the exchange of information that occurs outside the FATCA context. For example, if the IRS presented Belgian tax authorities with an information request made under the appropriate treaty article, that process could proceed as normal. That would be so even if the taxpayer in question were an accidental American. Information exchange conducted through the treaty process has safeguards that FATCA entirely lacks.
That’s the way things were traditionally done before the automatic exchange of information took the world by storm over the last few years. Treaty-based information exchange avoids the proportionality concerns that plague FATCA. On the other hand, treaty-based information exchange is known to be time-consuming and cumbersome; it’s clearly less efficient than automatic exchange of information. The narrative of FATCA is that Congress prioritized the efficiency of mass-scale data collection over the procedural safeguards of old school treaty requests.
Nor does the BDPA determination constrain other varieties of automatic exchange of information, such as the OECD-brokered common reporting standard or any internal EU data-sharing mechanisms. Belgian tax officials remain free to exchange taxpayer information with their French and German counterparts, for example. Other complaints from EU residents challenge the formalized data-sharing procedures under the common reporting standard, citing various GDPR violations. While they’re analogous to the FATCA challenge, they’re not addressed here — and they’re not immediately relevant to the BDPA decision. The cases against the OECD system will sink or swim on their own merit.
Next Step?
Will the BDPA decision be appealed? We’ll see. The conclusion as to GDPR article 96 could provide the basis for an appeal, but I wouldn’t expect it to be reversed.
The Belgian government could have reasons to lodge an appeal even if it doesn’t oppose the finding on the merits. An appeal would provide additional time for Belgian officials to discuss the next steps with the banking sector, EU stakeholders, and U.S. Treasury officials.
An affirming judicial decision would carry more weight than a regulatory finding. As such, it may provide stronger authoritative support for other EU member states facing similar challenges. Rest assured, there will be plenty of those. The Association of Accidental Americans announced on May 27 that it has filed 23 new complaints with the data protection regulators of other EU member states, each citing the same GDPR grievances and each referencing the BDPA decision as nonbinding precedent. I expect many of those complaints to prevail for the same reason the Belgian case succeeded.
There’s no reason for Belgium to go it alone in the pushback against FATCA. It will be useful to have two dozen EU member states in the same boat. Ideally, the full diplomatic weight of the European Union should join the effort to sort things out. The CJEU has not yet held that FATCA is incompatible with the GDPR. The member states got there first. There’s a grassroots element to the process that’s happening. The momentum is bottom-up, rather than top-down.
The experience makes you wonder why the centralized European Data Protection Board (EDPB) has been sitting on its hands. Like the European Commission, the EDPB has shown itself to be remarkably cautious in how it handles FATCA-related complaints, as if it had been handed marching orders not to disrupt the IGA network. Why a bunch of European technocrats would be so vested in upholding a U.S. data-harvesting endeavor is beyond me.
Across the continent, national-level data protection bodies are more independently minded and more directly accountable to the public they serve. The EDPB might grow less timid on FATCA once a significant number of member states have followed Belgium’s lead. The critical mass concept applies here.
Is This Like Meta?
The GDPR has been in the news for reasons unrelated to tax administration. On May 22 — just two days before the Belgian decision on FATCA — Ireland’s Data Protection Commission hit Meta (the owner of Facebook) with a €1.2 billion fine for its transgressions regarding data generated from European Facebook users and transmitted back to company headquarters in California. It was the largest GDPR fine to date.
In December 2022 the French data protection agency slapped Alphabet — the owner of Google — with a €50 million fine, citing GDPR violations. In July 2021 the Luxembourg data protection agency announced a €746 million fine against Amazon, again citing GDPR violations. Call it a trend.
Seven years into their collective GDPR experiment, Europeans are getting serious about enforcement. This confounds the U.S. mindset, which regards privacy expectations as something that gets forfeited the instant you switch on a computer and connect to the internet.
Perhaps the IRS should consider itself fortunate. If its data-harvesting activities had occurred in the private sector, it too might be facing fines from the Europeans. The odd thing is, as I read the GDPR, there’s nothing preventing the assessment of fines on public-sector bodies. If there’s meant to be one version of the GDPR for governments and another version for multinationals, I don’t see the textual basis for it.
Same-Country Exception to the Rescue?
When people talk about fixing FATCA, the discussion often turns to proposals for a same-country exception (SCE). The idea is that the scope of FATCA would be narrowed to exclude financial accounts established in the same country in which the U.S citizen resides. For example, if you retired in Tuscany, all your Italian bank accounts would be ignored for FATCA purposes — but not your bank accounts outside Italy.
It’s hoped this reform would focus scrutiny on the people who present the greatest risk of tax evasion — the stereotypical scofflaw who resides in the United States but keeps undisclosed accounts offshore to conceal income. The thrust of FATCA should be to nail that guy, but not accidentals (like the complainant in the BDPA case) and not innocent U.S. expats (like Jenny Webster8). Treasury could implement SCE through regulations, without congressional approval.
SCE would make life easier for U.S. citizens living abroad, including both expats and accidentals. For many of them, it would make FATCA a non-factor. A U.S. person living overseas could effectively opt out of FATCA by making sure all their financial accounts are in the country in which they reside.
SCE would make compliance easier for FFIs. It would make enforcement easier for the IRS, which (regrettably) is chronically underfunded. SCE would largely address the proportionality issues highlighted by the BDPA decision. It would not, however, address the general lack of adequate data protections available in the United States.
Let’s say it’s your job to advise the U.S. Treasury secretary on how best to respond to the BDPA decision. Let’s assume your objectives are to preserve the superstructure of FATCA, preserve the IGA network, and address the GDPR concerns (well, most of them) raised by our European allies. SCE checks a lot of those boxes.
If it were up to me, I’d urge the secretary to ditch citizenship-based taxation. If that’s a bridge too far, I’d settle for SCE in a heartbeat. Congressional hearings would help bring the above matters to light, affording all stakeholders the opportunity to have their say.
FOOTNOTES
1 By last count, approximately 95 countries do not have IGAs and are thus outside the scope of FATCA. These are predominantly poor countries with low GDP. Their placement outside the FATCA universe has less to do with them having a special capacity for resistance and more with Washington not caring about them.
2 See BDPA, Decision No. 61/2023 (May 24, 2023). For prior coverage, see Kiarra M. Strocko, “Belgium Prohibits Transfers of Tax Data to IRS Under FATCA,” Tax Notes Int’l, May 29, 2023, p. 1237.
3 See BDPA decision, supra note 2, at 42-47, referencing “SS” SIA IA v. Valsts ieņēmumu dienests, C-175/20 (CJEU 2023).
4 Id. at 48-55, referencing GDPR articles 45, 46, and 49.
5 The two countries signed a memorandum of understanding regarding FATCA cooperation on April 23, 2014.
6 Under the chamber’s rules of procedure, the complainant has been afforded confidentiality. We don’t know the person’s name. We’re told the complainant was born in California and now holds dual citizenship.
7 Recall the case of then-U.K. Prime Minister Boris Johnson, who obviously knew that he was born in New York state but never regarded himself as a person with continuous U.S. tax and reporting obligations.
8 For prior analysis, see Robert Goulder, “The FATCA Wars: Jenny Goes to Court,” Tax Notes Int’l, Nov. 22, 2021, p. 959.
END FOOTNOTES