EDPS supports targeted VAT data access to fight fraud at EU level but warns against blurring administrative and criminal boundaries

The European Data Protection Supervisor (EDPS) has issued its Opinion on the European Commission’s Proposal to amend Regulation (EU) No 904/2010, aimed at strengthening the fight against intra-Community value added tax (VAT) fraud by granting the European Public Prosecutor’s Office (EPPO) and the European Anti-Fraud Office (OLAF) specific direct and centralised access to VAT information at EU level.

The EDPS recognises the urgency of combatting large-scale cross-border VAT fraud, in particular Missing Trader Intra-Community (MTIC) schemes, which continue to cause significant losses to public finances across the Union. In this context, the EDPS welcomes the objectives of the Proposal and acknowledges that specific and limited direct access to certain VAT information by the EPPO and OLAF can be necessary to ensure effective investigations and enforcement.

At the same time, the EDPS underlines that the Proposal sits at a sensitive crossroads between administrative VAT cooperation and criminal law enforcement. Processing personal data for administrative purposes and for criminal enforcement purposes follows distinct legal regimes and principles, and this separation must be carefully reflected in the legal framework.

Wojciech Wiewiórowski, Supervisor, said: “Fighting VAT fraud is essential to protect public revenues and the integrity of the internal market. However, exceptional access to administrative databases for law enforcement purposes must remain precisely that ­– exceptional. It must be clearly circumscribed and carefully safeguarded, and should not become a backdoor precedent for broad or routine access.”

In its assessment, the EDPS considered the specific characteristics of MTIC fraud, the limited and targeted scope of the proposed access, and the nature of the data concerned, which primarily relates to VAT identification numbers and business-to-business transaction information. Nevertheless, the EDPS considers that the Proposal should more clearly explain and underline the exceptional nature of providing direct access to administrative databases for law enforcement purposes. Further clarification is warranted to avoid any risk that the Proposal could be misconstrued or later relied upon as precedent for more general application.

The EDPS further emphasises that robust legal, technical and organisational safeguards are indispensable. While some technical and organisational details may be specified through implementing acts, core parameters must already be defined in the basic legislative act to ensure compliance with EU data protection law principles of purpose limitation, data minimisation and accountability.