
The Case That Could Change CRS Forever: Luxembourg Puts GDPR to the Test

08/01/2026

The long-running tension between tax transparency and data protection in Europe has reached a new and potentially decisive stage.

On 7 January 2026, the Administrative Court of Luxembourg heard a case that could ultimately lead to the Common Reporting Standard (CRS) being brought before the Court of Justice of the European Union (CJEU).

  • The case pits Philipp S, an Austrian citizen holding a modest bank account in Luxembourg, against Luxembourg’s national data protection authority, the Commission Nationale pour la Protection des Données (CNPD).
  • At stake is a fundamental question: does the automatic exchange of financial account information under CRS comply with the General Data Protection Regulation (GDPR)?
  • This follows a recent Belgian court referral concerning FATCA, and now the Luxembourg court is openly considering whether similar questions should be referred to the CJEU in relation to CRS, which was incorporated into EU law via Directive 2014/107/EU (DAC2).
  • This Luxembourg hearing marks the first serious attempt to challenge CRS at the constitutional‑EU level, not merely its national implementation.

The Luxembourg hearing, combined with the Belgian FATCA referral and increasing judicial scepticism toward mass data processing, signals a possible turning point in how far tax transparency can lawfully override fundamental rights to data protection in the EU.

  • “Watch this space” is not hyperbole; this is one of the most consequential data‑protection cases currently unfolding in Europe.

CRS as EU Law – Not Just an OECD Standard

While often described as an OECD initiative, CRS has, within the EU, a binding legal character. DAC2 amended the original Administrative Cooperation Directive (Directive 2011/16/EU) to require Member States to implement automatic exchange of financial account information between tax authorities.

Under this framework:

  • Financial institutions must collect extensive personal and financial data from account holders;
  • Data must be reported to national tax authorities; and
  • That data is then automatically exchanged with other jurisdictions on an annual basis.

For individuals, this process typically operates without consent, with limited transparency and only restricted access to correction or objection mechanisms.

The GDPR Conflict: Core Legal Issues

Although complete pleadings have not been made public, the legal issues raised in the Luxembourg hearing are well known from earlier CRS‑ and FATCA-related disputes.

Lawfulness and proportionality

Authorities rely on the GDPR’s “legal obligation” basis (Article 6(1)(c)) to justify CRS processing. The challenge argues that a legislative obligation itself must still meet GDPR and EU Charter standards, particularly where processing is mass-based and indiscriminate.

Data minimisation

CRS mandates the routine transmission of sensitive personal data – including account balances, investment income, and controlling person information – irrespective of any individual suspicion of wrongdoing. Critics argue that this raises serious questions under the GDPR’s data‑minimisation and proportionality principles.

Transparency and data subject rights

In practice, individuals often:

  • Are only vaguely informed that reporting occurs;
  • Have limited ability to access or correct information once transferred; and
  • Have no effective means of preventing onward distribution to foreign authorities.

These constraints sit uneasily with the GDPR’s core promise of effective and enforceable data‑subject rights.

Why Belgium’s FATCA Referral Matters

The Luxembourg court’s hesitation does not arise in isolation. It follows a significant development in Belgium, where the Market Court has referred 13 preliminary questions to the CJEU concerning FATCA-related data transfers to the United States.

That Belgian case – driven largely by complaints from so-called “Accidental Americans” – asks whether the automatic bulk transfer of banking data for tax purposes is compatible with:

  • The GDPR,
  • The EU Charter of Fundamental Rights, and
  • The special transitional regime under Article 96 GDPR for pre‑GDPR international agreements.

Although FATCA involves transfers to a third country and CRS mainly operates intra-EU, the underlying mechanics are strikingly similar: automatic, status-based, large-scale financial data exchanges with limited individual safeguards.

If the CJEU were to find FATCA incompatible with EU data‑protection standards, the legal foundations of CRS would inevitably come under pressure.

A Potential Turning Point for Automatic Exchange

Should the Luxembourg Administrative Court decide to refer questions on CRS to the CJEU, the implications would be far-reaching.

A future CJEU judgment could force:

  • A reassessment of whether blanket automatic exchange is proportionate;
  • Greater emphasis on targeted or risk-based reporting; and
  • Stronger transparency and redress mechanisms for individuals.

In the most extreme scenario, it could require a material redesign of the CRS framework as applied within the EU.

What Happens Next?

For now, CRS reporting obligations remain entirely in force, and financial institutions must continue to comply. However, the legal certainty that has long underpinned automatic exchange has been shaken.

Luxembourg – as both a financial hub and the seat of powerful EU courts – finds itself at the centre of a debate that goes well beyond tax compliance. The coming months will reveal whether CRS joins FATCA on the CJEU’s docket, and whether Europe’s commitment to tax transparency can continue in its current form without recalibration.

One thing is clear: the long-assumed supremacy of automatic tax reporting over data‑protection rights is now being tested at the highest level.

Watch this space.

STRUCTURED, PRACTITIONER‑LEVEL BRIEFING

Below is a structured, practitioner-level briefing on what is known so far about the CRS vs GDPR litigation now before the Luxembourg Administrative Court, how it connects to the Belgian FATCA referral, and why this matters systemically for EU tax transparency frameworks.

  1. What happened in Luxembourg (CRS vs GDPR)

On 7 January 2026 (reported “yesterday” in professional circles), the Administrative Court of Luxembourg heard a case brought by Philipp S, an Austrian citizen holding a small bank account in Luxembourg, against Luxembourg’s data protection authority, the Commission Nationale pour la Protection des Données (CNPD). [linkedin.com]

The essence of the dispute is:

  • Whether Luxembourg’s implementation of the OECD Common Reporting Standard (CRS) as transposed into EU law by Council Directive 2014/107/EU (DAC2) is compatible with the GDPR, and
  • Whether the systematic, automatic and bulk transfer of personal financial data to foreign tax authorities can lawfully override core GDPR principles.

Crucially, the court is considering whether to stay proceedings and refer preliminary questions to the Court of Justice of the EU (CJEU), mirroring what a Belgian appellate court has recently done in relation to FATCA. [linkedin.com]

  2. Legal architecture: CRS inside the EU

2.1 CRS via EU law

Within the EU, CRS is not merely an OECD “soft law” instrument. It is binding EU law, implemented through:

  • Directive 2011/16/EU (DAC); and
  • Directive 2014/107/EU (DAC2), which specifically extended CRS-style Automatic Exchange of Information (AEOI) to financial accounts across Member States.

As a result:

  • Financial institutions must collect and report extensive customer data;
  • National tax authorities automatically exchange this data annually with foreign authorities; and
  • Data subjects typically have no opt-out, no consent, and minimal information rights.

  3. The GDPR tension points raised in the case

Although detailed pleadings have not yet been published, based on prior CRS challenges and the CNPD’s known positions, the core GDPR issues are likely the following.

3.1 Lawfulness and legal basis (Article 6 GDPR)

Authorities rely on legal obligation (Article 6(1)(c)).

The claimant argues that:

  • A legislative obligation does not automatically legitimise indiscriminate bulk processing;
  • The underlying EU directive itself must still comply with the Charter and GDPR.

This mirrors long-standing CJEU case law that EU legislation can be invalidated if it disproportionately interferes with fundamental rights.

3.2 Data minimisation and proportionality (Articles 5(1)(c) & 5(1)(a))

CRS requires the automatic transmission of data irrespective of suspicion, including:

  • Account balances,
  • Gross income,
  • Identifying and controlling personal data.

The challenge is whether:

  • Such untargeted mass reporting exceeds what is “strictly necessary” for tax compliance;
  • Less intrusive alternatives (e.g. risk-based reporting) were never meaningfully considered.

Comparable concerns later proved decisive in cases like Digital Rights Ireland and Schrems.

3.3 Transparency and data subject rights (Articles 12–15 GDPR)

In practice:

  • Individuals often do not meaningfully understand where their data is sent;
  • Tax secrecy exemptions severely constrain access and rectification rights;
  • There is no effective mechanism to contest incorrect residency classifications before transmission.

This creates friction with the GDPR’s effectiveness principle, a recurring theme in CNPD case law. [cms.law], [arendt.com]

  4. Why the Belgian FATCA referral is the catalyst

The Luxembourg court’s hesitation stems directly from recent developments in Belgium.

4.1 Belgian Market Court → CJEU (FATCA)

In late 2025, the Belgian Market Court referred 13 preliminary questions to the CJEU concerning:

  • FATCA‑mandated transfers of EU citizens’ banking data to the US;
  • Compatibility with GDPR, the EU Charter, and pre‑GDPR law under Article 96 GDPR.

These referrals stemmed from complaints by “Accidental Americans” and were subsequently confirmed by the Belgian DPA. [mayerbrown.com], [dataprotec…thority.be], [ictrechtswijzer.be]

4.2 Why FATCA matters for CRS

Although FATCA and CRS differ structurally:

  • FATCA → third‑country transfer (US);
  • CRS/DAC2 → intra‑EU + global exchanges,

the legal logic is nearly identical:

  • Automatic,
  • Bulk,
  • Status-based financial data transfers,
  • With limited ex‑ante or ex‑post safeguards for individuals.

If FATCA falls, CRS becomes legally vulnerable.

  5. What a Luxembourg referral would mean

If the Administrative Court of Luxembourg refers CRS questions to the CJEU:

5.1 Potential scope of the questions

Likely questions would include:

  • Whether DAC2 complies with Articles 7, 8, and 52 of the EU Charter;
  • Whether GDPR principles can be systematically derogated from for tax cooperation;
  • Whether the automatic exchange, as designed, satisfies proportionality.

5.2 Systemic risk

A CJEU ruling adverse to CRS could:

  • Force material redesign of AEOI systems;
  • Require targeted or risk-based reporting;
  • Undermine the EU’s current stance in OECD tax transparency negotiations.

This would be the most serious legal threat to CRS since its inception.

  6. Practical implications (short‑term)

For now:

  • CRS reporting continues unchanged;
  • National DPAs, including the CNPD, remain bound to enforce it;
  • But legal uncertainty is now real, particularly for banks, fund administrators and family offices.

Luxembourg’s position is especially sensitive given:

  • Its role as a global cross-border financial hub;
  • The CNPD’s already strong GDPR enforcement track record. [digitalpol…yalert.org]

  7. Bottom line

This Luxembourg hearing marks the first serious attempt to challenge CRS at the constitutional‑EU level, not merely its national implementation.

Combined with:

  • The Belgian FATCA referral, and
  • Increasing judicial scepticism toward mass data processing,

it signals a possible turning point in how far tax transparency can lawfully override data‑protection fundamental rights in the EU.

“Watch this space” is not hyperbole. This is one of the most consequential data-protection cases currently unfolding in Europe.

 
