In an opinion published on Monday 27 July, Wojciech Wiewiórowski, the European Data Protection Supervisor (EDPS), calls on the European Commission to make data protection a “golden standard” in the fight against money laundering and terrorist financing.
“The Commission should strike a balance between the necessary measures to take for the general interest and the goals of the AML/CFT and the respect of the fundamental rights of privacy and personal data protection. General compliance with the EU AML/CFT rules by Member States must go hand in hand with the GDPR and the data protection framework”, said Wiewiórowski.
The EDPS has scrutinised the Commission's action plan for tackling money laundering, which the Commission presented on 7 May (see EUROPE 12482/8). Some of the measures proposed, including implementation of the interconnection of central bank account mechanisms and beneficial ownership registers, are of particular importance from a data protection perspective.
The EDPS recommends putting appropriate safeguards in place to ensure compliance with the principles of data minimisation, purpose limitation and the right of individuals to be informed when their data is collected, both for these measures and generally for any other future measures.
In the opinion, the EDPS also responds to the Commission's proposal to create the post of European supervisor in the first quarter of 2021. He stresses the importance of the future legislative proposal including a clear legal basis concerning the processing of personal data and stating the purposes and limits of such processing.
Wiewiórowski also recommends that, in its proposal for the first quarter of 2021 involving a European mechanism for coordination of national financial intelligence units (FIUs), the Commission clarify the conditions for access to and sharing of information on financial transactions by FIUs.
The EDPS also raises some concerns about public-private partnerships sharing operational information in the fight against money laundering, which the Commission would like to encourage. He is concerned that this would lead to “a high risk for the individuals’ rights to privacy and data protection”.
This type of partnership may not comply with the purpose limitation principle, according to which personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
Obliged entities participating in these partnerships might be tempted to integrate the information shared by law enforcement authorities in their global databases, so as to re-use it later, as part of their customer profiles, he explains.
According to the EDPS, the sharing of suspects’ sensitive data with the private sector, which may also have these individuals as clients, also raises concerns from a conflict of interest perspective.
The opinion can be found at: https://bit.ly/2OYB37Z (Original version in French by Marion Fontana)