In Opinion 5/2020, the European Data Protection Supervisor (EDPS) assesses the data protection implications of several measures proposed in the Commission’s action plan for a comprehensive Union policy on preventing money laundering and terrorism financing (eucrim 2/2020, 87-89). The EDPS welcomes several aspects in the action plan, e.g. the Commission’s commitment to a risk-based approach. It advises the Commission to strike a balance, however, between the interference with the fundamental rights of privacy and personal data protection and the measures that are necessary to effectively achieve the general interest goals on AML/CFT in legislation.

As regards the effective implementation of the existing AML/CFT framework, the Commission should focus on compatibility with the GDPR and the data protection framework. This concerns particularly the interconnection of central bank account mechanisms and beneficial ownership registers, which must be governed by the principles of data minimisation, accuracy and data protection-by-design and by default.

Potential legislation on customer due diligence must maintain safeguards that guarantee the right of customers to be informed when their data is collected and about the purposes of the data processing.

If the Commission tables a proposal for a central EU AML/CFT supervisor, it should provide the legal basis for the processing of personal data and the necessary data protection safeguards in accordance with the GDPR and Regulation 2018/1725, particularly as regards information sharing and international transfers of data.

A mechanism for support and coordination of FIUs must clarify the conditions for access to and sharing of information on financial transactions.

Although the EDPS generally supports the development of public-private partnerships (PPPs) for the research and analysis of typologies and trends in AML/CFT, he is critical of other aspects of PPPs. The envisaged operational information sharing on intelligence suspects would lead to a high risk for privacy and data protection rights. Under no circumstances, should a private entity be entrusted with an enforcement role. Processing operations concerning information on possible offences arising from reported suspicious transactions should be exclusively in the hands of public authorities and not shared with private entities. In this context, the EDPS also points to concerns that information sharing creates issues involving conflicts of interest, the duty of confidentiality with clients, and the purpose limitation principle in data protection law.

As regards the Commission’s vision ofstrengthening the EU’s global role, the EDPS encourages it to integrate data protection principles when setting up international standards at the Financial Action Task Force.

The EDPS ultimately stresses that the Opinion is without prejudice to further consultation on individual legislative initiatives, in accordance with Art. 42 of Regulation 2018/1725.