Answer given by Ms Johansson on behalf of the European Commission
The Commission is aware of the reported cyber intrusion. However, the Terrorist Financing Tracking Programme data is, in accordance with the safeguards required by the EU-United States (US) Agreement /1, held in a secure physical environment, stored separately from any other data and is not interconnected with any other database. According to information from the United States authorities, it was not impacted by the reported cyber intrusion.
The next joint review of the agreement is planned to be held in 2021, but due to the COVID19 pandemic and resulting restrictions for travelling and meetings, no date has been set yet. As regards data transfers under intergovernmental agreements implementing the US Foreign Account Tax Compliance Act (FATCA), the monitoring and enforcement of EU data protection rules falls under the competence of the national data protection authorities and national courts. These authorities confirmed in 2018 that there had been no occasions where they “had to prohibit the processing and transfer of personal data to the US under the FATCA regime”/2.
Likewise, the Supreme Administrative Court of France took in 2019 the view /3 that the French agreement implementing the US Foreign Account Tax Compliance Act does not violate the EU General Data Protection Regulation /4. Following further exchanges with stakeholders, the national data protection authorities are again looking into this issue at the level of the European Data Protection Board. The Commission participates in the meetings of the Board and follows any developments closely.
1 See Article 5 para 4 of the Agreement between the European Union and the United States on the transfer of financial messaging data.
3 Judgment of 19 July 2019.
4 Regulation (EU) 2016/679.