The Court of Justice of the European Union today officially registered case C-804/25, placing at the heart of EU judicial scrutiny a question that has haunted hundreds of thousands of European citizens for years: whether the automatic, annual transfer of their banking data to United States tax authorities can be squared with European data protection law. The case, lodged on 10 December 2025 and accepted today, 26 February 2026, stems from a referral by the Brussels Court of Appeal - Cour des marchés - which delivered its interlocutory judgment on 26 November 2025. Thirteen preliminary questions now sit before Europe's highest court.

The dispute centres on FATCA - the Foreign Account Tax Compliance Act - a piece of US legislation requiring foreign financial institutions to identify and report accounts held by US persons to the Internal Revenue Service. Belgium implemented the framework through a bilateral agreement signed with the United States on 23 April 2014 and ratified via the Law of 22 December 2016. A separate domestic implementing statute, the Law of 16 December 2015, governs how Belgian financial institutions and the Federal Public Finance Service transmit the data in practice.

What flows across the Atlantic is not trivial. According to the official case summary published by the Court of Justice, the transferred data includes the account holder's name, address, tax identification number, date of birth, account number, balance or value at the end of the relevant calendar year, and detailed income figures - interest, dividends, gross proceeds from sales - for custodial and depository accounts. The transfer occurs automatically and annually, covering all Belgian financial institutions that hold accounts for US nationals resident in Belgium, regardless of whether any specific tax avoidance suspicion exists.

The accidental Americans at the centre

The complaint originated with a specific individual, identified in court documents only as JC, who describes himself as an "accidental American" - someone who acquired US nationality solely by virtue of birth on American soil, without any other substantive tie to the United States. In 2020, JC's Belgian bank requested he complete a US tax form relating to his account data. He refused to accept this as lawful and, alongside the non-profit Association des Américains Accidentels (Accidental Americans Association of Belgium), lodged a formal complaint with the Belgian Autorité de protection des données (Data Protection Authority) on 22 December 2020.

The complainants argued that the transfer infringed multiple GDPR provisions: Articles 45, 46 and 49 on cross-border transfers; Article 5(1)(b) on purpose limitation; Article 5(1)(c) on proportionality and data minimisation; Article 5(1)(e) on storage limitation; Articles 12 to 14 on transparency; and Article 35 on the obligation to conduct a data protection impact assessment (DPIA). According to Fabien Lehagre, who leads the Association des Américains Accidentels and announced the registration on LinkedIn today, the association has been fighting this question since 2017. "Nine years of struggle," he wrote. "A starting point."

The Belgian State, represented by FPS Finance, rejected the complainants' requests on 4 October 2021. An initial challenge went before the Conseil d'État. Then, on 24 May 2023, the Litigation Chamber of the Data Protection Authority issued Decision No. 61/2023, finding infringements of multiple GDPR provisions and prohibiting FPS Finance from processing the accidental Americans' data under FATCA. The Belgian State appealed. The Brussels Court of Appeal annulled that decision on 20 December 2023, finding it inadequately reasoned, and sent it back to the Litigation Chamber with a different composition for a fresh decision.

The April 2025 decision and its aftermath

The Litigation Chamber issued a second decision on 24 April 2025. This time, rather than an outright prohibition, it imposed a compliance order - giving FPS Finance one year to bring the FATCA data transfers into line with the GDPR's proportionality principle and Chapter V requirements. It also found that FPS Finance had failed to inform Belgian accidental Americans sufficiently about the transfers, in violation of Articles 12(1) and 14(1) and (2) of the GDPR. A further infringement was found under Article 35(1), covering the obligation to carry out a DPIA - which had never been performed. The Litigation Chamber also found a breach of the accountability principle under Articles 5(2) and 24.

The Belgian State appealed again. The Brussels Court of Appeal, facing deep disagreement between the parties about how EU law applied to an international agreement signed before 24 May 2016 - the date the GDPR became applicable - decided it could not resolve the matter alone. On 26 November 2025, it referred 13 questions to the Court of Justice.

What the 13 questions actually ask

The referral is structured around three clusters of legal uncertainty, each with significant implications beyond the specific FATCA case.

The first cluster, Questions 1 to 4, asks whether the FATCA agreement complied with the EU law in force before 24 May 2016 - specifically Directive 95/46/EC. The Court of Appeal identified two core problems. First, the purposes stated in the FATCA agreement - tax purposes, implementing FATCA, improving international tax compliance - may be too vague to satisfy the directive's requirement of "specified, explicit and legitimate" purposes under Article 6(1)(b). Second, the scope of automatic annual data transfers, covering all US nationals without prior selection based on any specific tax avoidance risk, may be disproportionate under Article 6(1)(c). The FATCA agreement contains no data retention period. The USD 50,000 threshold for exempting low-balance accounts is, according to the case summary, "subject to the goodwill of financial institutions." These features animated both the Data Protection Authority's position and the referring court's reasoning.

The second cluster, Questions 5 to 8, addresses the interpretation of Article 96 of the GDPR, which provides a form of immunity for international agreements concluded before 24 May 2016 that complied with the EU law then in force. The questions probe whether, if the agreement did not comply with pre-GDPR law, national courts must disapply it of their own motion. They also ask who bears the burden of proving that the conditions of Article 96 are satisfied - the Belgian State, which has so far assumed the agreement to be valid, or the Data Protection Authority, which contests it. A further sub-question asks whether Article 96 combined with the principle of sincere cooperation requires member states to actively seek to amend or revoke non-compliant pre-GDPR agreements, rather than simply relying on the provision indefinitely.

The third cluster, Questions 9 to 13, assumes that the court will find compliance failures and asks about remedies under the GDPR itself. This includes whether Commission Implementing Decision (EU) 2023/1795 of 10 July 2023 - the EU-US Data Privacy Framework adequacy decision - can cover FATCA-type tax transfers, given that the framework was designed primarily for commercial data flows rather than fiscal ones. It also asks about the scope of appropriate safeguards required under Article 46, and the conditions under which Article 49 derogations for important public interest reasons could justify the transfers. Question 13 concerns who must prove that the transparency obligations of Article 14 have been met.

Why France and Belgium diverge

The Belgian State's position draws heavily on French precedent. The French Conseil d'État validated an equivalent FATCA agreement in a judgment of 19 July 2019. The French CNIL rejected related complaints, and that rejection was upheld by the Conseil d'État. According to the Belgian State's argument, consistency across the European Economic Area requires alignment with those decisions.

The Brussels Court of Appeal rejected that reasoning directly. According to the case summary, the court noted that the French authorities "were unable to take subsequent factors into account, such as the judgment of 24 February 2022, Valsts ieņēmumu dienests (Processing of personal data for tax purposes), C-175/20," which sharpened the CJEU's requirements for purpose specificity and proportionality in tax-related data processing. The court also cited the September 3, 2025 judgment in Latombe v Commission, T-553/23, which upheld the EU-US Data Privacy Framework adequacy decision but left unresolved questions about its scope for non-commercial transfers.

The court also observed that the French Conseil d'État's reasoning on purpose limitation and proportionality was, in its assessment, "succinct," largely because the appellant association had not fully developed those arguments. That gap makes the French precedent less persuasive as a basis for refusing the referral.

The GDPR provisions at stake

Several specific provisions of the GDPR form the technical backbone of the case. Article 5(1)(b) requires personal data to be collected for specified, explicit and legitimate purposes, and not further processed in ways incompatible with those purposes. Article 5(1)(c) mandates data minimisation - data must be adequate, relevant and limited to what is necessary. The FATCA system transfers data on all US nationals holding Belgian bank accounts annually and automatically, without any individual assessment of tax risk. Article 35 requires a data protection impact assessment before any processing "likely to result in a high risk to the rights and freedoms of natural persons." FPS Finance never conducted one.

Article 96 of the GDPR is the central battleground. It states that international agreements involving personal data transfers to third countries, if concluded before 24 May 2016 and in compliance with EU law as then applicable, shall remain in force until amended, replaced or revoked. The Belgian State interprets this as a shield. The Data Protection Authority, supported by the complainants, argues that this shield has conditions - and that the FATCA agreement never satisfied them.

The proportionality question has broader resonance. The CJEU's 2022 Valsts ieņēmumu dienests ruling established that even in tax administration contexts, data collectors "may not proceed, in a general and undifferentiated manner, with the collection of personal data and must refrain from collecting data which are not strictly necessary." FATCA's architecture - automatic, annual, nationality-based, without risk indicators - sits uncomfortably against that standard.

Context: a decade of EU-US data tension

The FATCA case arrives amid intense scrutiny of transatlantic data flows from multiple directions. The EU-US Data Privacy Framework, adopted via Commission Implementing Decision (EU) 2023/1795 on 10 July 2023, established the third iteration of a transfer mechanism after the invalidations of Safe Harbor in 2015 and Privacy Shield in 2020. That framework faces its own uncertainties following the Trump administration's review of Biden-era national security commitments, a review mandated within 45 days of the January 20, 2025 executive order. The Privacy and Civil Liberties Oversight Board, central to the framework's oversight architecture, saw its Democratic members asked to resign in January 2025.

Separately, the European Commission's Digital Omnibus initiative, circulated in draft form in November 2025, proposed substantial GDPR amendments including a narrower definition of personal data and new AI training exemptions. Privacy advocates argued those changes could weaken protections precisely as the CJEU is being asked to clarify them. The Belgium Data Protection Authority, meanwhile, announced a strategic enforcement plan on 23 December 2025 that shifted resources toward large-scale data processors - a category in which fiscal data transfers under FATCA squarely fall.

Questions about whether pre-2016 agreements can indefinitely exempt member states from GDPR obligations matter beyond FATCA. EU data protection enforcement has faced persistent criticism for fragmentation, slow resolution, and inconsistent application across member states. A CJEU ruling that member states must actively work to bring pre-GDPR agreements into compliance - rather than simply invoking Article 96 as a permanent shield - could affect dozens of bilateral tax information exchange agreements across the EU.

What the court will need to resolve

The 13 questions put before the CJEU require it to take positions on at least four distinct legal problems. The first is whether FATCA-style purpose specifications satisfy the specificity requirement of pre-GDPR law and the GDPR. The second is the proportionality of blanket nationality-based data transfers without retention limits. The third is the scope and conditions of Article 96's protection for pre-GDPR treaties - including who bears the proof burden and whether there is a renegotiation obligation. The fourth is whether the EU-US Data Privacy Framework adequacy decision can serve as a legal transfer mechanism for fiscal data flows between member state tax authorities and the IRS.

The case was lodged on 10 December 2025 and accepted today. Preliminary rulings of this complexity typically take 18 to 24 months at the CJEU, placing a final judgment in the 2027 to 2028 period. In the interim, FPS Finance operates under the April 2025 compliance order - with one year to bring its FATCA transfers into line with the GDPR's proportionality and transparency requirements - even as that order is itself subject to the Belgian State's latest appeal.

For marketing professionals tracking EU data governance, the case is worth monitoring beyond its immediate tax context. The answers the CJEU provides about purpose specification, proportionality, and the shelf life of pre-GDPR international agreements will shape the broader legal environment in which any cross-border data transfer - commercial or governmental - is assessed.

Timeline

  • 23 April 2014 - Belgium and the United States sign the FATCA Agreement in Brussels
  • 24 October 1995 - Directive 95/46/EC provides the pre-GDPR data protection baseline at issue in Questions 1-4
  • 16 December 2015 - Belgian Law governing communication of financial account data by Belgian financial institutions implemented, providing domestic FATCA enforcement mechanism
  • 9 March 2017 - Belgian Constitutional Court upholds the Law of 16 December 2015, finding it consistent with Article 22 of the Constitution and Article 8 of the ECHR
  • 22 December 2020 - JC and the Accidental Americans Association of Belgium lodge complaint with the Belgian Data Protection Authority
  • 4 October 2021 - Belgian State refuses the complainants' requests
  • 24 May 2023 - Litigation Chamber Decision No. 61/2023 finds multiple GDPR infringements and prohibits FPS Finance from processing accidental Americans' data under FATCA
  • 20 December 2023 - Brussels Court of Appeal annuls Decision No. 61/2023 for insufficient reasoning; case referred back to Litigation Chamber
  • 10 July 2023 - European Commission adopts Implementing Decision (EU) 2023/1795 establishing the EU-US Data Privacy Framework
  • 24 February 2022 - CJEU judgment in Valsts ieņēmumu dienests (C-175/20) sharpens proportionality requirements for tax-related data processing
  • 24 April 2025 - Litigation Chamber issues second decision; imposes one-year compliance order on FPS Finance; finds infringements of Articles 12, 14, 24, 35 and 5(2) of the GDPR
  • 3 September 2025 - General Court upholds EU-US Data Privacy Framework in Latombe v Commission, T-553/23
  • 26 November 2025 - Brussels Court of Appeal delivers interlocutory judgment referring 13 questions to the CJEU
  • 10 December 2025 - Case formally lodged with the Court of Justice
  • 26 February 2026 - CJEU today registers case C-804/25, date of acceptance confirmed

Summary

Who: The Belgian State (FPS Finance) as appellant, the Belgian Data Protection Authority as respondent, and the Accidental Americans Association of Belgium along with complainant JC as intervening parties - with the Court of Justice of the European Union receiving the referral from the Brussels Court of Appeal.

What: The CJEU today registered case C-804/25, a reference for preliminary ruling covering 13 questions about whether the Belgium-US FATCA agreement, which mandates automatic annual transfer of banking data on all Belgian residents holding US nationality to the Internal Revenue Service, complies with pre-GDPR EU data protection law and with the GDPR itself.

When: The bilateral FATCA Agreement was signed on 23 April 2014. The original complaint was filed on 22 December 2020. The Brussels Court of Appeal referred the case on 26 November 2025. The case was lodged with the CJEU on 10 December 2025 and accepted today, 26 February 2026.

Where: The case originates in Belgium, involves data transfers from Belgian financial institutions to the US Internal Revenue Service, and is now before the Court of Justice of the European Union in Luxembourg.

Why: The core dispute is whether an international agreement concluded before 24 May 2016 - when the GDPR became applicable - can indefinitely shield member states from GDPR obligations on cross-border data transfers, and whether FATCA's blanket, nationality-based, annual data transfer architecture satisfies the EU law requirements of purpose specificity, proportionality, and data minimisation that were already in force under Directive 95/46/EC.

Share this article
The link has been copied!