Print

EDPS welcomes AML package but suggests improvements to protect individuals’ personal data

24
Sep
2021

EDPS welcomes AML package but suggests improvements to protect individuals’ personal data

On 22 September 2021, the EDPS published his Opinion on the European Commission’s proposed Anti-Money Laundering legislative package (AML).

The EDPS welcomes the AML package and supports the general interest to fight money laundering and the financing of terrorism effectively. He welcomes the envisaged harmonisation of the AML/CFT framework through the enactment of a Regulation, as this will result in a more consistent application of the main rules by EU Member States. Moreover, he sees the harmonisation of the supervisory activities at EU level under the same European authority as a positive step, but calls for a clear definition of the roles, from a data protection perspective, of all stakeholders involved in the supervision model.

The EDPS notes that the proposed AML package takes a risk-based approach to the screening of banks’ clients in order to assess whether they may represent a money-laundering risk. While the EDPS appreciates the value of the risk-based approach underpinning the proposed legislative package, he considers that further clarifications are needed to minimise intrusion into individuals’ privacy and to ensure full compliance with data protection rules.

Wojciech Wiewiórowski, EDPS, said: “I recognise the importance of combatting money laundering and the financing of terrorism. At the same time, it is also important that the measures envisaged to achieve this goal are fully in line with the EU’s data protection laws and principles. In particular, the processing of individuals’ personal data must remain limited to what is necessary and proportionate in light of the specific purpose(s) set out in the proposals.”

In relation to the proposal for the coordination mechanism of Financial Intelligence Units (FIUs), the EDPS emphasises in his opinion that access to information related to criminal offences in particular, and access to administrative information and financial information about individuals should be limited to what is necessary in light of specific purposes. In this regard, he invites the legislator to reassess the necessity and proportionality of the proposed access rights.

Finally, the EDPS advises that the categories of personal data that may be processed are set out in the proposed AML legislative package. In addition, he considers that the processing of personal data relating to individuals’ sexual orientation or ethnic origin should not be allowed. Furthermore, the proposal should indicate the specific and strict conditions under which the processing of data about individuals’ criminal offences and/or convictions are allowed.

Background information

About the European Commission’s AML package: The package of legislative proposals aiming to strengthen the EU’s anti-money laundering and countering the financing of terrorism (AML/CFT) rules consists of: a Proposal for a Regulation of the European Parliament and of the Council on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing; a Proposal for a Directive of the European Parliament and of the Council on the mechanisms for the prevention of the use of the financial system for the purposes of money laundering or terrorist financing and repealing Directive (EU) 2015/849; a Proposal for a Regulation of the European Parliament and of the Council establishing the European Authority for Countering Money Laundering and Financing of Terrorism, amending Regulations (EU) No 1093/2010,  (EU) 1094/2010 and (EU) 1095/2010; and a Proposal for a Regulation of the European Parliament and of the Council on information accompanying transfers of funds and certain crypto-assets.

The legislative consultation powers of the EDPS are laid down in Article 42 of Regulation (EU) 2018/1725, which obliges the European Commission to consult the EDPS on all legislative proposals and international agreements that might have an impact on the processing of personal data. Such an obligation also applies to draft implementing and delegated acts. The statutory deadline for issuing an EDPS opinion is 8 weeks.

Wojciech Wiewiórowski (EDPS) was appointed by a joint decision of the European Parliament and the Council to serve a five-year term, beginning on 6 December 2019.

Available languages: English