The European Data Protection Board (EDPB) has written to the EU’s co-legislators, outlining its ongoing worries about the latest financial crime package to come out of Brussels.
This is the third letter written by the EDPB to the European Commission, Parliament and Council, as it continues to push for the anti-money laundering/counter-terrorism financing (AML/CTF) package to be fully aligned with the General Data Protection Regulation (GDPR).
“The EDPB draws the attention of the European institutions to the important data protection issues raised by the implementation of the AML/CFT obligations, as provided by the AML legislative proposals,” the letter, signed by EDPB chair Andrea Jelinek, says.
For example, obliged entities are required to process personal data that allows them to access personal information about individuals. This can notably lead to the exclusion of legal and natural persons from a right and/or service, such as a bank account.
The letter also underlines that there should be better consistency between the AML legislative proposals and the GDPR’s principles, such as the accuracy and data minimisation principles.
This, the EDPB has said, would improve the efficiency of the implementation of the AML/CTF legal framework.
To better achieve this consistency, it has called on the European institutions to involve the EDPB in the discussions on the AML legislative proposals, while also suggesting “crucial modifications” with regard to the EU’s planned single rulebook for AML regulation, as well as the new Anti-money Laundering Authority (AMLA).
Without changes being made, the data protection authority has warned that the latest set of regulations, which the EU has touted as solving the trading bloc’s fragmented financial crime approach, could have a “disproportionate negative impact to the rights and freedoms of individuals and would lead to significant legal uncertainty”.
Cooperate and consult
In particular, the EDPB has disagreed with the proposal for guidance on compliance with the latest set of AML proposals to be compiled via a Regulatory Technical Standard (RTS).
An RTS is a type of delegated act that is drawn up by one of the European Supervisory Authorities to correspond with a piece of EU regulation. In this instance, the RTS would be developed by the new AMLA.
If rules do get specified by an RTS devised by the AMLA, then the EDPB has called for close cooperation between the two institutions.
This cooperation, the data protection body suggests, should take place in all cases where guidelines, recommendations and RTS have “a significant impact on the protection of personal data.”
Given the potentially serious impact that an RTS may have on the protection of personal data, the EDPB considers that it should be formally consulted by the Commission before an RTS is adopted, if that RTS has a significant impact on the safeguarding of individuals’ rights and freedoms with regard to the processing of personal data.
The EDPB has asked EU institutions to better specify the conditions and limits of the processing of special categories of data and of personal data relating to criminal convictions.
For example, the institution has criticised Article 55 of the AML regulation as vague when it comes to what is “strictly necessary” personal data to be processed by entities that are in scope.
The EDPB argues that this falls out of line with the GDPR’s data minimisation principle, inviting the co-legislators to reflect on the relevance of the processing of each special category of personal data and, following such assessment, to define explicitly under Article 55 the special categories of data that could be strictly necessary for the purpose of AML/CTF.
Innocent to proven guilty
The letter also expresses concern that Article 55 could enable financial institutions in the scope of the regulation to process the personal data not only of individuals with criminal convictions, but also of those who face allegations.
Considering that this could lead to individuals being exposed to negative consequences like de-risking, the EDPB has said that the term “allegation” should either be better specified or deleted.
The EDPB has also taken issue with a recital in Article 55 that states that obliged entities may process special categories of data covered by Article 9 of the GDPR “provided that the data originate from reliable sources, are accurate and up-to-date.”
Rather, the data protection body has called for this obligation to be extended to all information processed by obliged entities, and also calls for specific safeguards to ensure that the processing of irrelevant or inaccurate information does not occur.
With the letters now delivered and in the public domain, the pressure is on for the co-legislators to deliver an effective AML package, while also ensuring that it is fully aligned with one of the EU’s most important and influential pieces of legislation.