The Office for the Protection of Personal Data of the Slovak Republic - known by its Slovak acronym ÚOOÚ - issued a formal written opinion on 23 August 2021 concluding that existing international agreements governing FATCA data transfers to the United States do not meet the minimum safeguards required under Chapter V of the General Data Protection Regulation. Four years later, no enforcement action has followed. That gap is now the subject of renewed international pressure, as a pan-European civil society campaign escalates demands for the Slovak authority to act before the next automatic data transfer takes place.
The FATCA regime - the Foreign Account Tax Compliance Act - requires financial institutions outside the United States to identify accounts held by US nationals and report data on those accounts to the Internal Revenue Service on an annual, automatic basis. For EU member states, this creates a direct collision with GDPR obligations governing the transfer of personal data to third countries. Slovakia ratified a bilateral agreement with the United States on the improvement of international tax compliance regulations, published in the Slovak Collection of Laws under Announcement No. 48/2016 Coll., which provides the domestic legal machinery for these transfers.
The 2021 ÚOOÚ opinion, signed by Mgr. Katarina Vydarena as Director of the Department of Primary Services, was addressed to the Director of the Department of Direct Taxes at the Ministry of Finance in Bratislava. The Office received the request on 22 July 2021 and issued its analysis on 23 August 2021; according to the dispatch stamp on the document, it was sent on 24 August 2021. The analysis was triggered by a request from the Ministry of Finance asking the ÚOOÚ to assess whether the legal framework of international treaties on tax information exchange was sufficient from a data protection perspective, with specific reference to European Data Protection Board Statement No. 04/2021.
What the Office actually found
The ÚOOÚ's analysis examined the Slovakia-US agreement against the requirements set out in EDPB Guidelines No. 2/2020 on Articles 46(2)(a) and 46(3)(b) of the GDPR. Those guidelines establish nine minimum safeguards that any transfer instrument must satisfy in order for a personal data transfer to a non-EEA country to be lawful. The list is precise. It covers the determination of the purpose and scope of processing, basic definitional provisions, compliance with data protection principles - purpose limitation, data minimisation, storage minimisation, security and confidentiality - individual rights protections, restrictions on onward transfers, sensitive data provisions, a remedy mechanism, a supervision mechanism, and a termination clause.
According to the opinion, the Slovak-US agreement failed on all of these counts. The ÚOOÚ found that the agreement contained no provisions addressing personal data protection at all, despite setting out extensive categories of personal data to be processed - including information listed in Article 2 and Annex 1 of the agreement. The Office concluded that "the contracts submitted to the Office do not contain even the minimum safeguards for the transfer of personal data to third countries." This is not a marginal or technical non-compliance. It is a finding that the entire transfer arrangement lacks a valid legal basis under EU law.
The opinion also addressed the domestic Slovak legislation. Act No. 359/2015 Coll. on automatic exchange of information on financial accounts contains a provision at §19(2) stating that personal data "shall be processed for the purpose of providing information on financial accounts to the Member State of tax residence of the natural person, the Contracting State of tax residence of the natural person and the United States of America." The ÚOOÚ identified a significant legal flaw: a declaration in national law that the transfer to the USA is lawful does not, by itself, satisfy the requirements of Chapter V of the GDPR. According to the opinion, "the mere declaration in the law is not sufficient to make the transfer valid under the requirements of the secondary law of the European Union."
On data retention, §19(3) of Act No. 359/2015 Coll. specifies that the data must be processed for ten years from the end of the calendar year in which it was collected. The ÚOOÚ's analysis did not directly address whether this retention period itself was proportionate under GDPR standards - but identified the absence of any equivalent provision within the bilateral agreement itself as a structural gap.
The CJEU precedent the ÚOOÚ cited against itself
Perhaps the most striking element of the 2021 opinion is the legal argument the ÚOOÚ invoked in its own analysis. The Office cited the judgment of the Court of Justice of the European Union in Case C-378/17, paragraph 38, which holds that "the obligation to maintain national provisions which are contrary to the EU law, is applicable not only to the domestic courts but also to all the national authorities, including the judicial authorities, whose task it is to apply, in the exercise of their respective powers, the European Union's farthest right." In practical terms, this means that an administrative authority - precisely the kind of body the ÚOOÚ is - may and indeed must refrain from applying a national law that conflicts with EU law, without waiting for a court to formally invalidate the national provision first.
The authority, in other words, provided itself with the legal roadmap to act. It then declined to follow it. The ÚOOÚ's conclusion was more cautious than its legal analysis warranted: the Office suggested that "the transferor" - meaning the Ministry of Finance and Slovak financial institutions - should explore alternative conditions for lawful transfer under Chapter V, and that it "reserves the right to propose to the controller to consult with other controllers in the framework of a pan-European working group." That deferral to future coordination has now extended across four calendar years.
The European dimension
Slovakia does not stand alone in its reluctance to enforce, but it stands out for the unusual combination of having issued a formal opinion acknowledging the problem and still having taken no action. Across the EU, the FATCA conflict with GDPR has been generating enforcement activity - though unevenly - since the CJEU's Schrems II judgment in July 2020 invalidated the Privacy Shield adequacy decision in Case C-311/18. That ruling removed one of the previously available grounds for transatlantic data transfers, intensifying scrutiny of all remaining mechanisms, including intergovernmental tax agreements.
The Belgian trajectory illustrates how the issue has evolved elsewhere. In April 2025, the Belgian Data Protection Authority issued its second decision in the FATCA complaint lodged on 22 December 2020 by a complainant identified as JC - an "accidental American" who acquired US nationality solely by birth - together with the Association des Américains Accidentels (AAA). Rather than an outright prohibition, the April 2025 ruling imposed a one-year compliance order on FPS Finance, finding infringements of Articles 12, 14, 24, 35 and 5(2) of the GDPR. The matter then reached the CJEU: the Brussels Court of Appeal referred 13 preliminary questions to the Court of Justice of the EU on 26 November 2025, and the case was registered in December 2025 as Case C-804/25. The Court is now actively examining whether the Belgium-US FATCA agreement complies with GDPR and pre-GDPR EU data protection law.
Those 13 questions cover three broad clusters. The first cluster, Questions 1 to 4, examines purpose specification, proportionality, and data minimisation under Articles 5(1)(b) and 5(1)(c) of the GDPR - the FATCA system transfers data on all US nationals without any prior assessment of individual tax risk. The second cluster, Questions 5 to 8, addresses Article 96 of the GDPR, which provides a form of limited immunity for international agreements concluded before 24 May 2016 that complied with EU law as it then stood. Questions in this group include who bears the burden of proving that Article 96 conditions are satisfied, and whether member states are actively required to amend or revoke non-compliant pre-GDPR agreements. The third cluster, Questions 9 to 13, asks about remedies and whether Commission Implementing Decision (EU) 2023/1795 of 10 July 2023 - the EU-US Data Privacy Framework - can cover FATCA-type fiscal transfers.
The AAA pushes Slovakia to act
In February 2026, the Association des Américains Accidentels, which represents people who acquired US nationality involuntarily or passively, formally requested the ÚOOÚ to exercise its corrective powers under Article 58 of the GDPR. The request asked the Slovak authority to suspend FATCA transfers pending the outcome of the CJEU proceedings in Case C-804/25. According to information shared publicly by Fabien Lehagre, who leads the AAA and posted the Slovak 2021 opinion documents on LinkedIn, the ÚOOÚ acknowledged receipt of that February 2026 letter and then remained silent.
The AAA's campaign is multi-jurisdictional: the association is pressing data protection authorities in several EU member states to demand effective enforcement of the GDPR against FATCA data transfers. Slovakia is highlighted as a particularly striking case because the ÚOOÚ itself documented the compliance failure as long ago as August 2021, while Belgium's authority - which reached similar conclusions - at least produced formal decisions and eventually catalysed CJEU referral.
The pressure is not entirely without precedent in how EU supervisory authorities have responded to cross-border transfer questions. Dutch authorities reprimanded Takeaway for transferring data through Google Analytics to US servers between 2020 and 2023, following post-Schrems II compliance obligations. Austrian authorities ordered YouTube to honour a data access request after more than five years of inaction on a complaint filed in 2018. Those cases involved commercial data processors, not sovereign governments. The FATCA situation is structurally different: the data controller is the state itself, and the recipient is a foreign government's tax authority.
Why this matters
The FATCA-GDPR conflict has direct relevance for the marketing and advertising technology community, not because that sector transfers fiscal data to the IRS, but because the underlying legal questions - about the durability of pre-GDPR international agreements, the conditions for lawful third-country transfers, and the enforceability of EDPB minimum safeguards - cut across the entire cross-border data transfer ecosystem.
The EDPB's Guidelines No. 2/2020, which the Slovak ÚOOÚ used as its assessment framework, apply to all transfers of personal data between EEA authorities and non-EEA entities made under Article 46(2)(a) instruments - legally binding and enforceable documents between public authorities or bodies. The nine minimum safeguards listed in those guidelines - purpose determination, basic definitions, data protection principles, data subject rights, transfer restrictions, sensitive data, remedy mechanisms, supervision, and termination clauses - form the baseline for any lawful transfer instrument of that type.
European Commission proposals published in November 2025 under the Digital Omnibus initiative included amendments to GDPR that would, among other things, narrow the definition of personal data under Article 4(1) and introduce new processing grounds for AI development. Privacy advocates warned those changes could weaken the framework at precisely the moment when the CJEU was being asked to clarify it. The Belgian market court's referral and the Slovak enforcement gap sit within that broader policy context.
For advertising technology platforms specifically, the CJEU's eventual answers to Questions 5 to 8 in Case C-804/25 - about whether pre-GDPR bilateral agreements can indefinitely shield member states from GDPR compliance obligations - will have implications beyond fiscal data. Any international data sharing arrangement concluded before 24 May 2016 that has not been updated to reflect GDPR requirements could be vulnerable to the same challenge. Several data sharing frameworks used in digital advertising to transfer audience segments or identity graphs between jurisdictions rely on instruments of similar vintage.
The question of who bears the burden of proof under Article 96 is especially consequential. If the CJEU rules that member states must actively demonstrate compliance rather than simply asserting historical validity, the audit burden on data controllers relying on pre-GDPR transfer instruments would increase substantially. The CJEU's earlier ruling in Valsts ieņēmumu dienests (C-175/20), delivered on 24 February 2022, already sharpened proportionality requirements for tax-related data processing, requiring that access to personal data by revenue authorities be limited to what is strictly necessary.
The technical architecture of the Slovak agreement
The Slovak-US agreement, Announcement No. 48/2016 Coll., specifies categories of personal data to be transferred in Article 2 and Annex 1. These include account numbers, account balances or values, gross income credited to accounts, and total gross proceeds from the sale or redemption of property. Financial institutions covered by the agreement include, at minimum, custodial institutions, depository institutions, investment entities, and certain insurance companies. The threshold below which low-balance accounts may be excluded - the USD 50,000 figure applicable under the intergovernmental agreement model - operates, according to analysis presented in the Belgian proceedings, largely at the discretion of reporting institutions rather than as a hard regulatory floor.
Under §19(3) of Act No. 359/2015 Coll., Slovak financial institutions are required to retain all data processed for the purposes of the FATCA agreement for ten years from the end of the calendar year in which it was collected. The legal basis for that retention within the bilateral agreement itself was not identified by the ÚOOÚ - a gap that directly parallels the finding in the Belgian case that "the FATCA agreement contains no data retention period."
The ÚOOÚ opinion noted that, given the nature of transfers to the United States, data subjects are "most likely to be monitored by public authorities." That observation links the FATCA transfer question to the broader Schrems II proportionality analysis, which found that US intelligence surveillance laws - particularly Section 702 of FISA and Executive Order 12333 - created structural risks for EU data subjects whose data flows to US-based entities. The US government's status as the recipient, rather than a private company, does not reduce that surveillance risk; in the context of fiscal data, it may increase it.
The ÚOOÚ concluded its 2021 opinion by proposing pan-European coordination as the path forward - suggesting that Slovak tax authorities work within a European working group to harmonise the procedure with a uniform result across all GDPR jurisdictions. No evidence has emerged publicly that such coordination produced any concrete outcome in the intervening period.
Timeline
- 24 October 1995 - Directive 95/46/EC establishes the pre-GDPR EU data protection baseline later relevant to FATCA Article 96 analysis
- 23 April 2014 - Belgium and the United States sign the FATCA Agreement in Brussels
- 16 December 2015 - Belgium enacts the Law governing communication of financial account data by Belgian financial institutions
- 2016 - Slovakia's FATCA implementation agreement published as Announcement No. 48/2016 Coll. in the Slovak Collection of Laws
- 9 March 2017 - Belgian Constitutional Court upholds the Law of 16 December 2015
- 25 May 2018 - GDPR enters into force across EU member states
- 16 July 2020 - CJEU invalidates Privacy Shield adequacy decision in Case C-311/18 (Schrems II); transfers relying on Privacy Shield lose legal basis
- 22 December 2020 - JC and the Association des Américains Accidentels file complaint with the Belgian Data Protection Authority
- 22 July 2021 - Slovak Ministry of Finance submits request to ÚOOÚ for GDPR assessment of FATCA treaty framework
- 23 August 2021 - ÚOOÚ issues opinion concluding FATCA transfers lack GDPR minimum safeguards; cites CJEU Case C-378/17 on obligations of administrative authorities; opinion sent 24 August 2021
- 4 October 2021 - Belgian State formally rejects complainants' requests
- 24 February 2022 - CJEU judgment in Valsts ieņēmumu dienests (C-175/20) sharpens proportionality requirements for tax data processing
- 24 May 2023 - Belgian Litigation Chamber Decision No. 61/2023 finds multiple GDPR infringements; prohibits FPS Finance from processing accidental Americans' data
- 10 July 2023 - European Commission adopts Implementing Decision (EU) 2023/1795 establishing the EU-US Data Privacy Framework
- 20 December 2023 - Brussels Court of Appeal annuls Decision No. 61/2023 for insufficient reasoning; refers back to Litigation Chamber
- 24 April 2025 - Belgian Litigation Chamber issues second decision; imposes one-year compliance order on FPS Finance; finds infringements of Articles 12, 14, 24, 35 and 5(2) GDPR
- 3 September 2025 - General Court upholds EU-US Data Privacy Framework in Latombe v Commission, T-553/23
- November 2025 - European Commission circulates draft Digital Omnibus GDPR amendments proposing narrower personal data definition and new AI processing grounds
- 26 November 2025 - Brussels Court of Appeal refers 13 preliminary questions to CJEU on FATCA-GDPR compatibility
- December 2025 - CJEU registers Case C-804/25 on FATCA banking data transfers to the US; CJEU now seized of 13 questions
- February 2026 - AAA formally requests ÚOOÚ to exercise Article 58 GDPR powers and suspend FATCA transfers pending CJEU ruling; ÚOOÚ acknowledges receipt and remains silent
Summary
Who: The Office for the Protection of Personal Data of the Slovak Republic (ÚOOÚ), the Association des Américains Accidentels (AAA) led by Fabien Lehagre, the Slovak Ministry of Finance, Slovak financial institutions subject to FATCA reporting obligations, and EU citizens - particularly "accidental Americans" - whose banking data is transferred annually to the US Internal Revenue Service.
What: The ÚOOÚ issued a formal legal opinion in August 2021 concluding that the Slovakia-US FATCA agreement, and the domestic Slovak legislation implementing it, fail to meet the nine minimum safeguards required under GDPR Chapter V for lawful third-country data transfers. The opinion identified no provisions addressing personal data protection within the bilateral agreement, found that a domestic statutory declaration of lawfulness does not satisfy EU secondary law requirements, and cited CJEU Case C-378/17 to confirm that the authority itself was empowered - and obliged - to act. No enforcement action has followed. In February 2026, the AAA formally requested the ÚOOÚ to use its Article 58 GDPR corrective powers to suspend transfers pending a CJEU ruling in Case C-804/25, which covers 13 questions about FATCA's compatibility with GDPR.
When: The ÚOOÚ opinion was issued on 23 August 2021 and sent on 24 August 2021, in response to a Ministry of Finance request received on 22 July 2021. The AAA's formal enforcement request was submitted in February 2026. The CJEU case C-804/25 was registered in December 2025, following a referral by the Brussels Court of Appeal on 26 November 2025.
Where: Bratislava, Slovakia, where the ÚOOÚ and Ministry of Finance are headquartered. The broader enforcement campaign spans multiple EU member states. The Belgian proceedings originated in Brussels and are now before the Court of Justice of the European Union in Luxembourg.
Why: The FATCA system requires automatic annual transfers of personal banking data on all US nationals held in EU financial institutions to the IRS, without individual assessment of tax risk and without data protection safeguards equivalent to those mandated by GDPR Chapter V. The ÚOOÚ's own analysis confirmed the absence of minimum safeguards - purpose limitation, data subject rights, remedy mechanisms, oversight provisions, and a termination clause - in the Slovak implementation framework. Four years of inaction by the authority, despite its own findings and the growing body of European enforcement activity on the same issue, has prompted the AAA to push for suspension of transfers pending judicial resolution at EU level.