A top official at Lithuania's State Data Protection Inspectorate (SDPI) has told the founder of the main European advocacy organization representing "accidental Americans" that his department shares the Association of Accidental Americans' belief that a recent EU Court of Justice (CJEU) decision had "indeed made a change" in the way personal data transfers to third countries should be carried out.
And for this reason, he added, there was indeed a case to be made for the Lithuanian and U.S. governments to "consider revising" their agreement governing the way Lithuania transfers the data of its citizens to the U.S., in compliance with the U.S. law known as FATCA, in the manner suggested by the European Data Protection Board (EDPB), in the wake of the CJEU decision.
"It is important to note that CJEU did not forbid personal data transfers to third countries, but emphasized the possible necessity of supplementary measures to be applied as tools for such transfers, specified in Section V of [the EU's] General Data Protection Regulation (GDPR), might not be sufficient in itself," Raimondas Andrijauskas, director of the Lithuanian SDPI, told AAA founder and president Fabien Lehagre, in a letter dated July 29. (The letter has been posted online, and may be viewed by clicking here.)
However, he noted, the EDPB's comments and recommendations subsequent to the CJEU decision were such that is now clear that, going forward, "all agreements that have been concluded between pulic or private parties, when the party in a third country is involved, [will now] have to be revised to ensure their alignment with the GDPR and relevant jurisprudence of CJEU."
"Accidental American" is a term used to describe individuals whom the U.S. considers to be American citizens, usually because they were born in the U.S., but who have typically lived most if not all of their lives in another country, of which they're citizens and taxpayers. Many discovered the fact of their being considered to be American only recently, often when their banks informed them that they were, and that for this reason they risked losing their ability to maintain their bank accounts.
The exact number of such accidentals is unknown, but there are estimated to be more than 300,000 in Europe, of which French banking industry officials have said around 40,000 are thought to live in France.
Andrijauskas's letter to Lehagre was a response to a letter Lehagre, pictured left, sent Andrijauskas on June 29, detailing his concerns, as well as those of his association's members and accidental Americans in Lithuania and elsewhere in Europe, about the status of the bi-lateral FATCA agreements that EU member states currently rely on to send the personal, mostly financial, data of Americans living within their borders to the U.S.
As reported, the European Court of Justice ruling, on July 16 of last year (and a related one, on Aug. 21, 2020) effectively struck down the main mechanism used by the EU to protect the personal data of EU citizens when it's transferred to the U.S., typically but not exclusively under FATCA, known as the EU-U.S. Data Protection Shield – (Privacy Shield).
In the first of the two decisions, "Data Protection Commissioner v Facebook Ireland and Maximillian Schrems" (Case C-311/18), the CJEU said that the Privacy Shield regulations were invalid because they failed to sufficiently ensure that personal data being moved Stateside was only surveilled there under conditions "limited to what is strictly necessary," and allowed for affected persons to get judicial redress.
Invasive U.S. surveilance, it was noted, had been implemented in response to 9/11, as was uncovered by Edward Snowden, the American computer data systems contractor who leaked classified U.S. information he had while working for the CIA in 2013.
In the wake of the two CJEU cases, the European Data Protection Board in April issued a statement in which it called on all of the European Union's 27 member states to consider a "review" of their international agreements "that involve international transfers of personal data, such as those relating to taxation (e.g. to the automatic exchange of personal data for tax purposes)."
As reported, that EDPB announcement was was enthusiastically welcomed by anti-FATCA campaigners, many of whom had long called on the EDPB to take action over the way data was routinely being forwarded to the U.S., on grounds that such personal data transfers violated the EU's General Data Protection Regulation. It was also welcomed by the Association of Accidental Americans' members, who, because they consider themselves to be European citizens and not Americans, don't believe their personal data should be sent to the U.S. as though they were.
Enthusiastically welcomed today, by the AAA's Lehagre, was Andrijauskas's letter, which he called "unambiguous" in its siding with those who feel that that the recent CJEU "Schrems II" decisions, with respect specifically to the Privacy Shield, were reason enough to review the way the personal data of EU citizens is being transferred to the U.S., under FATCA.
Said Lehagre, in a LinkedIn posting, directed at the EU's justice commissioner – whom he evidently believes ought to be doing more on behalf of European citizens whose data he and fellow campaigners argue is currently at risk: "What are you waiting for Commissioner Didier Reynders?"
SDPI director Andrijauskas's letter was also welcomed by Mishcon de Reya partner Filippo Noseda, a long-time critic, on behalf of certain of his firm's clients, of the current FATCA-reporting regime, as it is currently practiced across Europe.
Upon receiving a copy of Andrijauskas's letter, Noseda immediately fired off a copy of it to EDPB chair Andrea Jelinek, copying in such other top EU officials as Dolors Montserrat, a Spanish MEP who heads up the European Parliament's Petitions Committee, where a number of FATCA critics currently have live petitions posted; European Data Protection Supervisor Wojciech Wiewiórowski; and Andreas Strub, a European Council official with the council's DG JUST operations.
Noseda told Dr. Jelinek to circulate the letter "to national data protection authorities," and noted that it showed an "urgent need for a consistency decision."
Referring to recent responses from "the German, French and Dutch national data protection authorities" to calls for action over the EDPB's call to revisit the way information is currently being forwarded to the U.S., under FATCA that described as "evasive and non-committal," as well as a response from the EDPB to a Dutch MEP he called "non-sensical," Noseda told her that the Lithuanian data protection authority, via the letter from Andrijauskas to Lehagre, had "shown the way forward."
Noseda ended his letter by urging Dr. Jelinek to ensure that the EDPB "discharge[d] its duties and carried out its functions, under Chapter 7 of the GDPR, in the context of FATCA."
- Now France-based 'accidentals' sue State Dept. over still-shuttered renunciation services around the globe
- Now 'Jenny' (Webster) takes her FATCA data-sharing case to UK's High Court
- Democrats revise proposed IRS bank account reporting plan for Stateside Americans
- Bloomberg Editorial Board: U.S. is 'hypocrite on international financial crime'
- FATCA critics warn lawmakers over plan to compel U.S. banks to report Stateside clients' account data