Brussels, 20 January 2026 – The European Data Protection Supervisor (EDPS) has released Opinion 1/2026, evaluating the European Commission’s proposal to amend Regulation (EU) No 904/2010 to grant the European Public Prosecutor’s Office (EPPO) and the European Anti‑Fraud Office (OLAF) broader access to value added tax (VAT) information at Union level. The proposed changes aim to strengthen the EU’s fight against cross‑border VAT fraud, a major source of revenue loss.
Strengthening the Anti‑Fraud Architecture
The Commission’s November 2025 proposal seeks to improve administrative cooperation in VAT matters by allowing EPPO and OLAF to access certain data already exchanged among Member States under Regulation 904/2010, including:
- Data from the VAT Information Exchange System (VIES)
- Information in the Customs Surveillance System
- Payments data from the Central Electronic System of Payment Information (CESOP)
- Additional datasets relevant to detecting complex, cross‑border VAT fraud schemes
The EDPS acknowledges that EPPO and OLAF rely heavily on timely and accurate information to investigate and prosecute VAT fraud—particularly carousel fraud and other large‑scale schemes that transcend national borders.
Key Concerns Raised by the EDPS
While supporting the objective of combating VAT fraud, the EDPS highlights several risks and conditions that must be addressed:
1. Clear Definition of Data Categories
The Opinion stresses that categories of personal data accessible to EPPO and OLAF must be precisely delineated and limited to what is strictly necessary for their investigations. Undefined or overly broad categories would risk disproportionate processing.
2. Safeguards Against Excessive Access
The EDPS warns that granting direct access to large EU‑level databases raises risks of unauthorized or unnecessary collection of personal data. The Opinion recommends:
- Purpose limitation
- Access controls based on investigative needs
- Logging and auditing mechanisms
- Strict retention periods
3. Indicators of Suspicious Activity Need Refinement
The proposal references “indicators of suspected cross‑border VAT fraud,” but the EDPS observes that such indicators must be objective, transparent, and proportionate. Poorly defined criteria could result in excessive screening or false positives.
4. Internal Controls for EPPO and OLAF
The Opinion urges both bodies to establish or reinforce internal governance measures to prevent misuse of accessible VAT data, including rules on:
- Role‑based access
- Staff training
- Oversight and compliance monitoring
Recommendations for Improvement
Among its specific recommendations, the EDPS calls on the Council and Commission to:
- Clarify each data category and each type of analytical access granted
- Specify when and how personal data can be used to identify individuals involved in VAT fraud
- Strengthen safeguards where risk levels are highest (e.g., databases containing payment information)
- Conduct an ex‑post evaluation of the new framework three years after entry into force
Conclusion
The EDPS concludes that the proposal has legitimate aims and can be compatible with EU data protection standards—provided that additional safeguards are introduced. In particular, the Opinion emphasizes the need to balance operational efficiency with the fundamental rights to privacy and data protection guaranteed by EU law.
The Opinion now forms part of the legislative discussion within the Council as Member States negotiate the final form of the amended regulation.
Source europa.eu
Latest Posts in "European Union"
- Advocate General’s Opinion Clarifies VAT Treatment of Transfer Pricing Adjustments in Stellantis Portugal Case
- Agenda of the ECJ/General Court VAT cases -1 Judgment, 1 Hearing till Feb 25, 2026
- The «Prefilling» headache
- The Fiscalis Programme 2021–2027: Interim Evaluation and Key Insights
- EU ViDA E-Invoicing: Key Changes and Luxembourg Implications for Cross-Border B2B Transactions
