On 4 April 2023, the European Data Protection Board (EDPB) sent letters to the trilogue partners (the European Parliament, the Council, and the European Commission) concerning the envisaged rules on data sharing for anti-money laundering and countering the financing of terrorism (AML/CFT) purposes. The EDPB reacts to the Council’s negotiating position of December 2022 on the new Regulation on AML/CFT (→ eucrim 4/2022, 246), which was proposed by the Commission in July 2021 (→ eucrim 2/2021, 154-155). The new Regulation on AML/CFT features directly applicable rules on the performance of customer due diligence by obliged entities and the reporting of suspicious activities or transactions, primarily to Financial Intelligence Units (FIUs).

The EDPB stressed that some of the provisions of the draft Regulation (Arts. 54(3a), 55(5), 55(7)) obliging entities or public authorities to share with each other personal data information on ‘’suspicious transactions’’ and data collected in the course of performing their customer due diligence, pose risks to the fundamental rights to privacy and the protection of personal data. The EDPB expressed serious concerns as to the lawfulness, necessity, and proportionality of these provisions, recommending that the EU legislators not include them in the final text of the Proposal for a Regulation on AML/CFT.