The European Data Protection Supervisor (EDPS) published - on 4 July 2013 - his Opinion on the European Commission's (EC) proposals on money transfers, anti-money laundering (AML) and terrorist financing (the Opinion), requesting explicit reference to applicable EU data protection law (DP Law) in both proposals.
"Data protection [should be perceived] as a basic requirement necessary [of AML]", said Giovanni Buttarelli, Assistant EDPS. "The growing trend to acknowledge the importance of data protection in proposals for legislation is a welcome one. But [
] the claims are often not supported with concrete measures and safeguards. A lack of further details will also result in undue discrepancies among Member States."
The EC adopted a Directive extending the scope and strengthening the obligations of the Third AML Directive (2005/60/EC), and a Regulation replacing the current Funds Transfers Regulation (Regulation (EC) No 1781/2006), on 5 February 2013. The proposals would implement the revised Financial Action Task Force (FATF) AML standards introduced in February 2012. FATF is an intergovernmental body with 36 members to which the EU is one of its founding members.
The EDPS recommends references to the applicable national laws implementing Directive 95/46/EC to be explicitly inserted in a 'substantive' provision in both proposals. Mere reference to general principles in recitals is insufficient.
The EDPS recommends that the applicable DP Law be explicitly mentioned in a 'substantive' provision and that the principles of purpose limitation and proportionality be included. Specific provisions should be added to provide safeguards on international transfers and avoid mass transfers of personal and sensitive information. Data subjects' right to be informed should also be clearly outlined in the proposed Directive.
The legitimate aim of [ ] countering terrorism and money laundering has to be pursued while ensuring compliance with data protection requirements.
The Opinion states: '[T]he legitimate aim of achieving transparency of payments sources, funds deposits and transfers for purpose of countering terrorism and money laundering has to be pursued while ensuring compliance with data protection requirements.'
Under the Third AML Directive, 'obliged entities' must identify and verify the identity of customers (customer due diligence) and beneficial owners, monitor customers' financial transactions, and report any suspicion of money laundering or terrorist financing to relevant Financial Intelligence Units (FIUs). Currently, obliged entities include: financial and credit institutions, lawyers, notaries, accountants, real estate agents, casinos, company service providers, and all goods providers when payments are made in cash in excess of 15,000. The proposed Directive would extend covered entities to include gambling service providers and dealers in goods with a threshold of 7,500. Beneficial ownership information must be disclosed to obliged entities and competent authorities.
Additionally, the proposed Directive contains administrative sanctions which Member States would impose for systematic breaches of key provisions in the Directive including customer due diligence, record keeping, suspicious transaction reporting and internal controls.
The current Funds Transfers Regulation ensures the payer's basic information is immediately available to law enforcement and/or prosecutorial authorities.