In its Opinion published today, the EDPS reacted to the European Commission’s action plan for a comprehensive Union policy on preventing money laundering and terrorism financing (C(2020)2800 final), published on 7 May 2020. The EDPS believes that the Commission should make data protection a gold standard in the context of AML/CFT compliance processes.
Wojciech Wiewiórowski, EDPS, said: “We welcome the Commission’s commitment to rely on the risk-based approach to streamline the legislative framework for the prevention of money laundering and terrorism financing, in line with the principle of proportionality. The Commission should strike a balance between the necessary measures to take for the general interest and the goals of the AML/CFT and the respect of the fundamental rights of privacy and personal data protection. General compliance with the EU AML/CFT rules by Member States must go hand in hand with the GDPR and the data protection framework”.
The EDPS highlights how important it is that the new governance mechanisms establish a clear legal basis for the processing of personal data, as well as specific rules for the access to and sharing of information, especially when the personal data being processed is particularly sensitive.
Concerning future legislation on AML/CFT measures, the EDPS recommends that appropriate safeguards are in place to guarantee compliance with the principles of data minimisation, purpose limitation and data protection-by-design, as well as the right of individuals to be informed when their data is collected and the purpose(s) for which the data will be processed.
The EDPS supports the idea of structuring, through Public-Private Partnerships (PPPs), the joint efforts between law enforcement authorities, FIUs and the private sector, in relation to policy debates, discussion forums, the research and analysis of typologies and trends in AML/CFT, as long as these exchanges have a sound legal basis and comply with data protection requirements. At the same time, the EDPS is concerned that PPPs for the sharing of operational information on intelligence suspects by law enforcement authorities to obliged entities may result in an unacceptably high risk to individuals’ rights to privacy and data protection.
Finally, the EDPS encourages the Commission to promote data protection principles when agreeing on international standards at the Financial Action Task Force.
The rules for data protection in the EU institutions, as well as the duties of the European Data Protection Supervisor (EDPS), are set out in Regulation (EU) 2018/1725.
The EDPS is the independent supervisory authority with responsibility for monitoring the processing of personal data by the EU institutions and bodies, offices and agencies, advising on policies and legislation that affect privacy and cooperating with similar authorities to ensure consistent data protection. Our mission is also to raise awareness on risks and protect people’s rights and freedoms when their personal data is processed.
Wojciech Wiewiórowski (EDPS) was appointed by a joint decision of the European Parliament and the Council to serve a five-year term, beginning on 6 December 2019.
Personal information or data: any information relating to an identified or identifiable natural (living) person. Examples include names, dates of birth, photographs, video footage, email addresses and telephone numbers. Other details, such as IP addresses and communications content - related to or provided by end-users of communications services - are also considered as personal data.
Privacy: the right of an individual to be left alone and in control of information about himself or herself. The right to privacy or private life is enshrined in the Universal Declaration of Human Rights (Article 12), the European Convention of Human Rights (Article 8) and the European Charter of Fundamental Rights (Article 7). The Charter also contains an explicit right to the protection of personal data (Article 8).
Processing of personal data: According to Article 3(3) of Regulation (EU) 2018/1725, processing of personal data refers to “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”. See the glossary on the EDPS website.
About the European Commission’s action plan: On 7 May 2020, the European Commission adopted its Communication on an action plan for a comprehensive Union policy on preventing money laundering and terrorism financing (C(2020)2800 final). This Opinion expresses the views of the EDPS on selected measures of the action plan, and in particular, on their potential interference with the right to privacy and to data protection of individuals as guaranteed by Articles 7 and 8 of the Charter of Fundamental Rights of the European Union. This Opinion is without prejudice to the obligation of the Commission to consult the EDPS, in accordance with Article 42 of Regulation 2018/1725, on any legislative proposals that may be proposed within the framework of the action plan where there is an impact on the protection of individuals’ right to the protection of personal data.
The powers of the EDPS are clearly outlined in Article 58 of Regulation (EU) 2018/1725.