‘Serious Concerns’ About New Money Laundering Regulation, Says EU Data Protection Watchdog

April 6, 2023

The European Data Protection Board (EDPB) has written to legislators to express its concerns about a perceived lack of privacy protections in a new anti-money laundering (AML) regulation.

In what is becoming an increasingly common occurrence, the EU’s legislative bodies are currently at loggerheads, struggling to reconcile their goals of leading the world in both privacy rights and AML enforcement.

Whether it is Malta being added to the Financial Action Task Force (FATF) greylist, or failures at Wirecard and Danske Bank that emerged all too slowly, the fight to prevent financial crime scandals has become a priority for Brussels.

However, as can be seen from events of the past year, the ambitions of EU legislators have often come into conflict with one another.

One of the most significant setbacks came in November last year, when the Court of Justice of the European Union (CJEU) stated that public beneficial ownership databases that had been introduced as part of the 4th Anti-Money Laundering Directive do not comply with the right to privacy.

In the latest salvo to rattle the nerves of legislators, the EDPB, the organisation tasked with overseeing the implementation of the EU’s data privacy laws, has written a strongly-worded letter critiquing the proposed provisions of the latest AML regulation.

The letter highlights what the EDPB perceives as risks to privacy and data protection that are posed by certain amendments to the regulation that have been introduced by the European Council.

These amendments, if agreed by all parties during the legislative process, would allow private entities to share personal data with one another for anti-money laundering/counter-terrorism financing (AML/CTF) purposes.

Such entities will be able to do this under certain conditions, such as data sharing related to suspicious transactions or data sharing based on information gathered from customer due diligence (CDD) obligations.

“The significant risks and impacts that the Council's mandate entails, as well as the lack of studies attesting to the effectiveness of these provisions, leads the EDPB to consider that the envisaged measures are not proportionate to the aims pursued,” said the EDPB.

The EDPB also raises “serious concerns” about the lawfulness, necessity and proportionality of the provisions, which it warns could result in “very large-scale” processing of data by private entities.

“The EDPB considers that the amendments do not adequately specify the conditions under which such processing is justified,” said the EDPB.

Further, the EDPB argues that the European Council has failed to provide sufficient safeguards, given that such processing could have a significant impact on individuals, including blacklisting and exclusion from financial services.

“The EDPB points to the warning expressed by FATF that such data sharing may exacerbate the practice of de-risking, which could ultimately increase the risk of undue exclusion from banking services,” it said in the letter.

Therefore, in practice, the impact of the pooling and sharing of data could have “serious legal consequences for the person concerned”, such as difficulties in opening or accessing a current account, using a means of payment or obtaining credit.

The EDPB concluded by saying it “stands ready” to provide advice to legislators to ensure that the policy objectives of AML/CTF are pursued in full compliance with the fundamental rights to privacy and the protection of personal data.
