The Interplay between EU Data Protection and AML Legislation
The New EU AML Legislative Package
Today's world is global and increasingly digital. This unlocks new ways of doing business but also raises challenges, such as ensuring data privacy while at the same time combating illicit use of the financial system. Law plays a key part in this process, as it tries to keep pace with the dynamics of the tech industry while guaranteeing fundamental rights such as the right to privacy and the right to property.

The development of modern social relations around the Internet, consumer protection and now blockchain has called for intense focus on the protection of personal data. Meanwhile, the Internet and innovative technologies like blockchain have also opened new avenues for aiding and abetting serious violations and crimes such as money laundering and terrorist financing.
As a young or established tech company or a startup, you may often find yourself subject to legal obligations under two regulatory frameworks, namely Data Protection and AML/CFT (Anti-Money Laundering/Counter-Terrorist Financing). Entities that are obliged to implement AML/CFT measures are thus also obliged to ensure data protection as required by data protection regulations. By all means, the EU General Data Protection Regulation (GDPR) and the EU AML Directive (AMLD), with its amendments, are legislative cornerstones that strongly influence other jurisdictions as well.
At the outset, these two regulatory regimes pursue different objectives. Putting them in conflict is surely not among the objectives the legislator has pursued. However, data controllers, data processors and obliged entities alike (a single entity frequently acts in all three capacities) struggle with uncertainty as to how to apply them effectively in practice without attracting unwanted scrutiny.
Data subjects who are clients of, say, a payment service provider like Revolut or a crypto-asset service provider like a cryptocurrency exchange are likewise affected in their privacy rights by the stringent legal requirements of the AMLD and the respective national AML rules.

The interplay between Data Protection and AML/CFT
Is the principle of lawfulness hindered?

GDPR establishes a comprehensive regulatory and administrative regime by setting general principles for data processing as well as determining the rights and obligations of data subjects, controllers, processors and other participants. Where obligations under the GDPR are breached, recourse to compensation proceedings is provided and severe fines may be imposed on the obliged persons (controllers, processors).
The right to the protection of personal data is a fundamental right enshrined in the EU Charter of Fundamental Rights (Art. 8), which is based on and complements the European Convention on Human Rights (ECHR). Nonetheless, it is not an absolute right and can therefore be restricted on legitimate grounds.
Interference with the right to the protection of personal data needs to have a legal basis. Article 6 GDPR provides that data processing (meaning collection, storage, use, disclosure, erasure, etc.), regardless of whether it takes place in the EU, is lawful when “processing is necessary for compliance with a legal obligation to which the controller is subject.” To that end, the AMLD sets out a number of legal obligations for obliged entities, such as applying customer due diligence measures (most commonly identification and verification of identity) when certain conditions are present. This obligation is inherently related to, and requires, various operations on customers’ personal data, thus interfering with the right to the protection of personal data.
When the AMLD applies, customers (data subjects) are given the EU legislator’s reassurance that their personal data shall be processed “only for the purposes of the prevention of money laundering and terrorist financing […] and shall not be further processed in a way that is incompatible with those purposes.”

In theory, the principle of lawfulness is secured.
What about in practice?

One practical concern for customers (data subjects) is which categories of personal data are collected in the first place, and whether the data minimisation principle, stating that processed data should be “adequate, relevant and limited to what is necessary for the purposes for which they are processed”, is ensured both by Member States as national legislators and by companies and institutions as obliged entities.
Another concern arises from the practical implementation of the primacy of AML/CFT rules and whether it is effective and in line with data protection principles such as purpose limitation, data minimisation, transparency of data processing and confidentiality. Albeit legally justified, the AML/CFT primacy over the right to erasure (“right to be forgotten”) enshrined in Art. 17 GDPR, specifically with respect to data retention obligations under the AMLD, raises concerns. A data subject has the right to have his/her personal data erased and no longer processed where the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed, upon the data subject’s withdrawal of consent, or where the data processing does not otherwise comply with the GDPR. In the case of customer due diligence under the AML/CFT rules, corporate and other legal entities are required to “obtain and hold” personal data and information about transactions, which may and often do include personal data within the meaning of the GDPR, for a period of 5 years (in the current framework), subject to extension under certain circumstances. From a practical standpoint, a legal vacuum seems to open up as to guidelines and limitations for access to, storage, security and disclosure of the retained data.

Thus, the question, “How to strike a fair balance between an individual’s privacy rights and the public interest for combating money laundering and financing terrorism in view of practically effective AML/CFT measures?”, should be subject to enhanced scrutiny.

The new EU AML Legislative Package
We might try to search for the answer to the question above in the new AML/CFT regulatory framework across the EU.
On 20 July 2021 the European Commission presented a Package of legislative proposals to strengthen the existing EU AML/CFT rules (the so-called AML Legislative Package). A commonly cited reason for this initiative relates to shortcomings in the implementation of the current framework. The Commission’s 2020 AML/CFT Action Plan preceded the Package, its six pillars heralding the change to come, namely:
- Effective implementation of existing rules;
- A single EU rulebook;
- EU-level supervision;
- Support and cooperation for FIUs (Financial Intelligence Units);
- Better enforcement of criminal law;
- Strengthening the EU's role in the world.

With the new AML Legislative Package, the EU aims to increase the effectiveness of the fight against money laundering and terrorist financing (AML/CFT), harmonise Member States’ national legislation, standardise the obligations of obliged entities and centralise enforcement through the establishment of AMLA (the European Authority for Countering Money Laundering and Financing of Terrorism), which is to have direct supervisory powers.

The AML Legislative Package contains four Proposals for:
1) a Regulation establishing a new EU AML Authority (“AMLA”, “the Authority”), which is to be established in 2024 and become fully operational in 2026;
2) a new Regulation on AML/CFT (a Single Rulebook incorporating part of the existing legislation), including directly applicable rules in the areas of customer due diligence, beneficial ownership and revised risks;
3) a 6th Directive on AML/CFT (AMLD 6);
4) the reform of the Funds Transfer Regulation to cover crypto-assets.

Data Protection in the new EU’s AML Framework
A highlight of the proposed framework is an extension of one of the legal grounds for lawful data processing under GDPR for the purposes of the new AML Regulation, namely:
“necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Authority”.
The Authority (AMLA) is given the competence to adopt internal rules which “may restrict the application of the rights of the data subjects where such restrictions are necessary to the performance of the tasks” of obliged entities when processing special categories of personal data and personal data relating to criminal convictions and offenses, including predicate offenses (Art. 84, Proposal for AMLA Regulation).
In this regard, it is worth mentioning Opinion 12/2021 of September 2021 of the European Data Protection Supervisor (EDPS), whose recommendations appear to be timely and adequate:
- to identify the categories of personal data to be processed by the obliged entities;
- to limit the processing of special categories of personal data;
- to reassess the extensive access powers conferred to FIUs;
- to clearly establish the necessity and proportionality of the generalised access by “any member of the general public” to the beneficial ownership registers;
- to clarify in which cases obliged entities should have recourse to the so-called ‘watch lists’;
- to elaborate on the roles of AMLA and FIUs from a data protection perspective;
- to include in the AML package a reference to data protection codes of conduct.

What about crypto-asset businesses?
The EU aims to extend the AML/CFT requirements to the entire crypto-asset sector.
The proposed framework has an intense focus on crypto-asset service providers, as it is to extend the list of obliged entities to include a wider range of crypto-asset service providers as well as unregulated crowdfunding platforms (under Regulation (EU) 2020/1503). Thus, the AML Regulation shall oblige all crypto-asset service providers to conduct due diligence on their customers. Furthermore, credit institutions, financial institutions and crypto-asset service providers shall be prohibited from keeping anonymous accounts and anonymous crypto-asset wallets.
Managers of AIF (Alternative Investment Funds) also fall within the scope of the upcoming AML Regulation.
In its Opinion from December 2021, the European Economic and Social Committee (EESC) proposes that NFT (marketplace) operators also be included in the list of obliged entities.
The revised Regulation on Transfers of Funds is proposed to extend its scope to traceability of transfers of crypto assets. The proposal envisages the obligation on crypto-asset service providers to accompany transfers of crypto assets with information on the originator and the beneficiary.

To conclude, it is evident that AML/CFT interests shall continue to prevail over privacy rights in the financial sector. The new realities present yet another challenge for any modern legislator, particularly with regard to Data Protection standards and AML/CFT rules in permissionless networks. While it is true that the anonymity of crypto assets exposes them to risks of misuse for criminal purposes and that action is needed to combat this, regard should be had to the core nature of the underlying technological advancements. Blockchain/DLT is a privacy-focused technology. What we are witnessing today is this privacy-focused technology and its evolving uses being harnessed by ever more stringent requirements. This may be justified so long as a fair balance is struck between the regulatory and legislative measures taken in the general interest, namely the AML/CFT aims, and respect for fundamental rights such as the right to respect for privacy and the protection of personal data.

Pavla Tsvetkova

Legal.Net Blog © 2022
