Referral C-804/25 (Autorité de protection des données, 10 Dec 2025)

Question 1

Having regard to Article 96 of Regulation (EU) 2016/679 (GDPR), does an international agreement concluded by a Member State before 24 May 2016 involving the transfer of personal data to a third country comply with EU law as applicable before 24 May 2016 and, more specifically, with Article 6(1)(b), (c) and (e) of Directive 95/46/EC, read, where appropriate, in conjunction with Articles 7, 8 and 52 of the Charter of Fundamental Rights, in so far as that agreement provides, for tax purposes and in order to ensure compliance with international tax rules and the implementation of obligations under the US FATCA, for the automatic transfer — in accordance with rules on confidentiality — of data relating to the financial accounts of all nationals of that State, without prior selection of accounts posing a risk of tax avoidance, without any time limit for data retention, and with the USD 50 000 threshold subject to the goodwill of financial institutions?

Question 2

Can such an agreement be justified on the basis of Article 26(1)(d) of Directive 95/46/EC if the third State concerned does not guarantee effective reciprocity?

Question 3

Is Article 26(2) of Directive 95/46/EC, read in conjunction with Articles 7, 8 and 52 of the Charter of Fundamental Rights, to be interpreted as meaning that the adequate safeguards mentioned in that provision:

* relate in particular to the reference to the period for which the data is kept for the purposes of Article 6(1)(e) of the directive and to the rights to information referred to in Articles 10 and 11 thereof;
* include the definition of the scope of the limitation of the right to privacy and the right to the protection of personal data; and
* must, in the case of an agreement providing for the transfer of personal data, be explicitly included in that agreement?

Question 4

If the answer to all or part of Question 3 is in the affirmative, in the light of Article 96 of the GDPR, does an international agreement concluded by a Member State before 24 May 2016 involving the transfer of personal data to a third country comply with EU law as applicable before that date, and more specifically with Article 26(2) of Directive 95/46/EC, read, where appropriate, in conjunction with Articles 7, 8 and 52 of the Charter, if it does not expressly provide for the sufficient safeguards referred to in that provision?

Question 5

If Questions 1 and/or 2 and/or 4 are answered in the affirmative, must the transfer of personal data pursuant to that international agreement nevertheless comply, from 24 May 2018, with the provisions of the GDPR as regards matters not specifically covered or excluded by that agreement, in particular Articles 5(2), 12, 14, 24 and 35 thereof?

Question 6

Does the controller bear the burden of proving that the conditions set out in Article 96 of the GDPR are met?

Question 7

(a) Must Article 96 of the GDPR, taken in isolation or read in conjunction with Article 4(3) TEU, Article 351 TFEU and Articles 7, 8 and 52 of the Charter, be interpreted as meaning that Member States are obliged to make their best efforts to amend, replace or revoke international treaties to which they are parties that do not comply with the provisions of that regulation?

(b) May a Member State which, in 2025, did not make its best efforts to amend, replace or revoke such a treaty rely on Article 96 of the GDPR to justify conduct incompatible with that regulation?

Question 8

If Questions 1, 2 or 4 are answered in the negative:
(a) must such an agreement be disapplied by the national court of its own motion?
(b) must the national court verify whether such an agreement complies with the GDPR?

Question 9

If Questions 1, 2 or 4 are answered in the negative and Question 8(b) is answered in the affirmative, does an international agreement such as that described in Question 1 comply with the GDPR and, more specifically, with Article 5(1)(b) and (c) thereof, read, where appropriate, in conjunction with Articles 7, 8 and 52 of the Charter?

Question 10

Does Implementing Decision (EU) 2023/1795 of 10 July 2023 on the adequate level of protection of personal data under the EU‑US Data Privacy Framework constitute an adequacy decision within the meaning of Article 45(3) of the GDPR as regards transfers of the data at issue carried out for tax purposes?

Question 11

If Questions 1, 2 or 4 are answered in the negative and Question 8(b) is answered in the affirmative, must Article 46 of the GDPR be interpreted as meaning that:

* the appropriate safeguards referred to include all or some of the following safeguards:
1.definitions of basic concepts;
2.basic data protection principles;
3.data subjects’ rights and procedures for exercising them;
4.limitations on onward transfer and data sharing;
5.effective remedies;
6.control mechanisms; and
7.the principle of responsibility;
* those safeguards must be explicitly included in the binding legal instrument referred to in Article 46(2)(a) GDPR; and
* where a treaty governs transfers of personal data, that binding legal instrument is only that treaty or may also include the national instrument transposing it?

Question 12

If Questions 1, 2 or 4 are answered in the negative and Question 8(b) is answered in the affirmative:
(a) must Article 49(1)(d) GDPR be interpreted as permitting or prohibiting such an international agreement?
(b) is the level of reciprocity of data exchange a relevant criterion?

Question 13

If Questions 1, 2 or 4 are answered in the negative and Question 8(b) is answered in the affirmative:
(a) can the information waiver under Article 14(5)(a) GDPR apply where the information was provided by the controllers who collected the data directly from the data subject?
(b) if so, who bears the burden of proof, having regard in particular to Article 5(1)(a) and (2) GDPR?