updated 2:11 PM CET, Oct 31, 2023

EU Court of Justice 'Schrems II' ruling seen as potential game-changer for FATCA challenges in Europe

Lawyers and campaigners against the American tax evasion law known as FATCA say that last week's European Court of Justice (CJEU) ruling, which struck down the main mechanism used by the EU to protect the personal data of EU citizens when it's transferred to the U.S., represents a potential "game changer" – and could force Europe's courts to revisit the way FATCA compels Europe's banks and financial institutions to pass information on their U.S. citizen and Green Card-holding account-holders to the U.S. 

However, they add that as often happens with court decisions of this type, the post-judgment analysis has tended to be on its perceived impact on large and multi-national corporations rather than on individuals – who are the ones affected by FATCA.

This, they say, could mean that these anti-FATCA campaigners may struggle to link the judgment's relevance, in the minds of EU government officials and court judges going forward, to the way FATCA obliges companies to forward individuals' personal data to the U.S. 

Among those assessing the way forward for those concerned about the data protection and privacy implications of FATCA to EU citizens, who in theory are protected by the EU's General Data Protection Regulation (GDPR) – which was at issue in the Schrems II case – is Filippo Noseda, the Mishcon de Reya law firm partner who has been overseeing a widely-publicized, crowd-funded complaint about FATCA that was filed last year with the UK's Information Commissioner's Office.

Noseda told the American Expat Financial News Journal that the ruling was a "potential game-changer", but noted that until now, both the EU's government officials and its data protection guardians had "consistently refused to intervene in the debate about FATCA".

This was also what he said in a letter to the head of the European Data Protection Board (EDPB), Dr. Andrea Jelinek, whose organization, he concluded by noting, had been "strenuously sitting on the fence" with respect to the issues surrounding automatic information exchange.

As reported, the ICO in May decided not to uphold the complaint brought by "Jenny", as the U.S.-born, UK-resident complainant was officially known in connection with the matter, and since then, she has been trying to raise additional funding in order to launch an appeal.

Jenny has not yet said whether she definitely will go ahead with it, but many of her supporters are urging her to, in the light of the Schrems II case. 

One of them is a French resident and citizen who, like her, was originally born in the U.S., and who has also struggled with FATCA as a result. In 2016, he filed a petition with the European Parliament in which he called on it to do more to protect EU citizens from FATCA's extra-territorial reach. The European Parliament's Petitions Committee (PETI) finally held a hearing on the matter, in response to his petition, last year.

"This is a massive slap in the face for Europe's data protection agencies (DPAs), and one that they cannot ignore," J.R. said, in a Facebook posting this week.

"The ECJ is basically saying that the EU DPAs such as the EDPB, the [UK's] Information Commissioner's Office, the CNIL (Commission nationale de l'informatique et des libertés), etc, are not doing their jobs.

"This is massively relevant to my petition – [to which] the EDPB responded to me with [nothing more than] a laconic 'we don't have a view on FATCA yet' – and Jenny's claim with ICO in the UK.

"To sum up in one sentence, [everyone should] fund Jenny's lawsuit. It is not hyperbole to say that this decision leaves FATCA extremely vulnerable." 

Schrems II: 'Data Protection Shield' is 'invalid' 

In the 2015 Schrems I ruling, the ECJ struck down an arrangement known as the Safe Harbor Agreement as "invalid", because Safe Harbor failed to ensure that the standards for personal data protection that had been set out in the EU's GDPR were being met. 

In the 2020 Schrems II ruling, "Data Protection Commissioner v Facebook Ireland and Maximillian Schrems" (Case C-311/18), the CJEU said that the "adequacy of the protection" provided by the so-called EU-U.S. Data Protection Shield (Privacy Shield) regulations was also invalid, because they failed to sufficiently ensure that personal data being moved Stateside was only surveilled there under conditions "limited to what is strictly necessary", and that affected persons could get judicial redress. Invasive U.S. surveillance had been implemented in response to 9/11, as was uncovered by Edward Snowden, the American computer data systems contractor who leaked classified U.S. information he had while working for the CIA in 2013.

"The limitations on the protection of personal data arising from the domestic law of the United States on the access and use by U.S. public authorities...are not circumscribed in a way that satisfies requirements that are essentially equivalent to those required under EU law," a summary of the judgment's key findings added.

The court did, however, find that what are known as "standard contractual clauses" (SCC) were acceptable for the transfer of personal information from the EU to a third country, so long as the country receiving the data were able to show that it was enforcing "an adequate level of data protection".

Major implications seen for social media companies

Much of the analysis in the immediate aftermath of the Schrems II ruling focused on what many saw as its major potential implications for social media companies like Facebook. 

Many observers shared the view of three Europe-based experts with the international law firm Steptoe, who wrote that the "important" ruling "threatens to disrupt the flow of data between the EU and the United States (and possibly other countries), in a manner similar to and possibly more durable than the [original 2015 Schrems decision].

"Any entity that transfers personal data from the EU to the United States should pay careful attention to the implications of the [latest] decision."

The Steptoe piece's authors – Philip Woolfson, Maury Shenk and Paul Hughes – noted that the scope of Europe's data protection rights is already such that it has "made it much more difficult for leading global businesses that process personal data to emerge in the EU", pointing out that there "is no European Facebook, Google, TikTok or Palantir, and the Schrems II decision is a further reason that one is unlikely to emerge".

Meanwhile, they added, even as "European residents, governments, authorities, and courts" face a continuing struggle to engage with such non-European entities within the boundaries circumscribed by the GDPR provisions, these same provisions – the ones "at issue in Schrems II" – will continue to "restrict transfers of personal data to countries outside the EEA that do not confer an equivalent level of protection to GDPR".

The Schrems case was originally brought by a 30-something Austrian national named Maximilian Schrems, who, according to published reports, became interested in Facebook's lack of awareness of Europe's privacy laws while a student at Santa Clara University in California.

According to the CJEU's background on the case, Schrems first became a Facebook user in 2008, and a few years later lodged a complaint with the Irish authorities seeking to prohibit the transfer of his personal data "by Facebook Ireland to servers belonging to Facebook Inc that are located in the United States, where it undergoes processing", on the grounds that "the law and practices in the United States do not offer sufficient protection against access by the public authorities to data transferred to that country".

This complaint, now known as Schrems I, was originally rejected on the grounds that the United States was deemed to "ensure an adequate level of [data] protection".

FATCA aimed at U.S. citizen tax evaders using overseas banks

FATCA, formally known as the Foreign Account Tax Compliance Act, was signed into law in 2010 by President Obama in an effort to put an end to the use by American citizens of overseas bank accounts and other financial instruments in order to avoid their U.S. tax obligations. It obliged non-U.S. banks and financial institutions to report to the U.S. tax authorities on all of their U.S. citizen account-holders.

Because the U.S., unlike almost every other country in the world, taxes on the basis of citizenship rather than residency, the new law immediately caused major problems for American expats around the world – almost as soon as it was signed, even though it was years before it came into force – and thus far not much has been done to address these problems. This is widely seen as the reason that the number of Americans renouncing their citizenship every year since 2010 has soared.

Editor's note: This piece was updated on July 26 to clarify details of the manner in which the CJEU ruled in Schrems I and Schrems II.