French Bank Ordered to Pay Damages to Customer Following Inaccurate Personal Data Sharing Under FATCA

March.22.2022

A “Kafkaesque” bank customer service experience in France has led to a “Right to be Forgotten” own-goal. Following a decision handed down by the judicial tribunal of Grenoble, France, on 7 February 2022, a French bank has been ordered to pay damages and take measures vis-à-vis US tax authorities to ensure the erasure, by the United States (U.S.) authorities, of inaccurate personal data transferred by the bank under the Foreign Account Tax Compliance Act (FATCA) regime. Failure by the bank to comply with the order is subject to a daily fine.

The decision is interesting for several reasons, but in particular, because it gives an indication as to the extent of efforts that may be expected of a controller to ensure the erasure of personal data subject to an Article 17(1) General Data Protection Regulation (GDPR) request, notwithstanding the limits set out in Article 17(2).

Key Takeaways:

  • Given the international transfer of the claimant’s personal data to the US, the controller bank had an obligation to be extra vigilant regarding the accuracy of the data it transferred.
  • Since the defendant bank argued that it was not able to ensure rectification of personal data by the US tax authorities to whom personal data was transferred, the court held that it should have been additionally careful regarding the original conditions for declaration.
  • The measures ordered by the court appear to go beyond the requirements of Article 17(2) of the GDPR, which requires controllers, “taking account of available technology and the cost of implementation”, to take reasonable steps to inform controllers processing the personal data that is subject to an erasure request. The court, citing Article 17, ordered the bank to take all necessary steps, at its expense and without qualification, vis-à-vis the US tax authorities, so that these authorities may proceed to the total erasure of the FATCA declaration. This order was made notwithstanding that the original declaration was not made directly by the bank but via the French tax authorities.

The Facts:

Mr. X, a man of French nationality but born in Ottawa, Canada, opened a bank account with the Banque Rhone-Alpes in 2005. In 2014, the bank contacted Mr. X and informed him that since he satisfies the criteria of “Americaness” (americanité) as a result of being born in the U.S., the bank shared his account details with the American tax authorities, in the context of FATCA. Under FATCA, French banks will disclose to the French tax authorities (DG FIP) all clients considered taxable under US law, and the DG FIP will then transfer the information to the American tax authorities.

In 2017, Mr. X submitted a request for rectification to the French bank. He even attended an in-person meeting requested by the bank and presented his passport and national identity card (identifying his location of birth), but the bank still did not recognize that Mr. X was not born in the U.S. Mr. X sought and obtained a court order in July 2018 according to which the bank was required to erase all of Mr. X’s personal data processed in the context of FATCA before 2017 or face a penalty of €1000 per day if not complied with within 15 days. The bank was also ordered to take all necessary steps vis-à-vis the American authorities to have them erase the FATCA declarations regarding Mr. X, also subject to a daily fine of €1000.

The bank appealed the order, which was confirmed on all grounds by the Court of Appeal of Grenoble in March 2019. The bank did not execute the order: it amended its internal records in 2018 but did not erase the erroneous data relating to the FATCA registration until 2019, and it only submitted a declaration to the DG FIP requesting rectification, under court order, in 2018.

Mr. X filed a further claim in 2019 seeking substantial damages, under the Civil Code and Article 82 (Right to compensation and liability) of the GDPR.

Decision:

The court held that the bank cannot claim that the place of birth of Mr. X in Ottawa, the capital city of Canada (with a population of more than 1 million) is an unequivocal indication of a place of birth in the U.S., as required to fall within FATCA, simply because there are three cities of the same name in the U.S., the largest having a population of 19,000 people. According to the court, such an interpretation by the bank is also “worrying” given the number of cities in the U.S. that are named after cities in other countries.

Nor could the bank claim that it was "obliged" to make the FATCA declaration given that it concedes that there was a doubt as to the place of birth. Furthermore, the bank did not demonstrate or even allege that the balance or value of Mr. X's account was greater than $50,000, even though under FATCA, accounts with balances of less than $50,000 are not subject to reporting.

Citing the French national data protection act (the Loi informatique et libertés, applicable to the facts at the time the FATCA declaration was made, and which supplements the GDPR), the court held that the bank failed to comply with its legal obligations in a number of respects:

  • The bank, as controller, did not take the necessary precautions to ensure the accuracy of the personal data processed regarding Mr. X, given that his place of birth was indicated as being in the U.S. and not Canada.
  • The bank also used the personal data for wrongful purposes since they were shared with a third party when they shouldn’t have been.
  • Since the bank claimed in its pleading that it could not ensure the erasure of the FATCA registration, it should have been even more careful regarding the initial registration conditions given that, as a legal entity bound by a duty of vigilance, it would have been aware of the claimant’s right to erasure, protected under French and EU law.

The bank’s conduct, including its persistent refusal to rectify its error and erase the data, engaged its liability to compensate Mr. X for his moral and material damages, as recognized by Article 82 of the GDPR.

The court also held that the bank’s declaration to the French DG FIP requesting the rectification of the error regarding Mr. X’s birthplace was insufficient. According to the court, such a procedure (a rectification declaration FATCA 3) does not result in full erasure; rectification leaves a trace. Nothing in the FATCA regime prevents the bank from engaging directly with the US tax authorities to ensure the full erasure of the declaration of Mr. X as American.

As a consequence, the bank was ordered to pay Mr. X €15,000 in damages, €5,000 in costs and a daily fine of €1,500 starting 60 days from the decision if the bank fails to take all necessary steps vis-à-vis the US tax authorities to ensure the total erasure of the FATCA declarations before 2017. The bank was also ordered to communicate the decision to all of its group entities that might also have submitted a FATCA declaration, within a month, subject to a daily fine of €500, per entity not notified.