Out-Law News

Data protection 'safeguards' needed in proposed new EU anti-money laundering framework, says watchdog


An EU privacy watchdog has said there are "major deficiencies" around data protection in the European Commission's proposed new anti-money laundering rules.

In February the Commission published a new draft Anti-Money Laundering Directive in a bid to update existing rules. Under its plans all cash payments of €7,500 or more would trigger checks into those financial transactions. The scope of existing rules would also be extended to cover "new threats and vulnerabilities", such as an explicit reference to tax crimes. It would also fully cover transactions in the gambling sector, expanding the current rules which only apply to casinos.

The Commission also published a draft Regulation governing the information that must accompany fund transfers.

However, the European Data Protection Supervisor (EDPS) has said that "safeguards" should be introduced into the new framework to ensure that personal data is processed in accordance with data protection laws. The EDPS is responsible for ensuring EU institutions comply with data protection rules.

"Achieving transparency of payments sources, funds deposits and transfers in order to counter terrorism and money laundering is a legitimate interest, but it needs to be pursued while ensuring compliance with data protection requirements," the EDPS said in a new opinion (24-page / 137KB PDF).

The EDPS said that amendments should be made to the Commission's proposals to prevent 'function creep'. It said that, under the draft plans as they stand, it would be possible for personal data initially collected for anti-money laundering and anti-terrorist purposes to be further used by organisations for commercial or marketing purposes. The watchdog said that there should be a "specific prohibition to process data for commercial purposes" written into the new rules.

The EDPS also expressed concern about "very vague" rules relating to data transfers that the Commission has put forward in its draft AML Directive. It said that it envisaged personal data being transferred within organisations involved in scrutinising customer transactions.

EU data protection rules prohibit personal data being transferred outside of the European Economic Area to countries that cannot guarantee an adequate level of data protection, although there are a number of legal mechanisms available to organisations to ensure those standards are met when transferring data to 'third' countries.

The Commission has claimed that the data transfers would take place in the public interest and could therefore proceed in line with EU data protection rules. However, the EDPS said that data transfers in this context could not, en masse, be categorised as being in the public interest.

"Transfers under a recognised important public interest ground can only be allowed after a careful assessment on a case by case basis," it said. "Considering the repeated, mass and structural transfer of personal data that will take place in the framework of the proposed Directive and Regulation, the EDPS recommends including dedicated substantive provisions on the transfer of personal data to ensure proper protection of data subjects when data are transferred."

The Commission proposals would, generally, see all sanctions imposed through the new regime made public. The EDPS said, though, that "the mandatory and automatic publication of sanctions ... does not meet the requirements of data protection law". It said that the purpose, necessity and proportionality of publication should all be assessed on a case-by-case basis in order to ensure publication is justified and individuals' privacy rights are respected.

The EDPS also called on the new anti-money laundering rules to specifically identify "the concrete content of the scrutiny and the data that should be collected on a client" by organisations when they conduct a 'customer due diligence' check. It said there was too much scope for businesses to do their own thing and warned that this could lead to "arbitrary and/or excessive processing of personal data if not to the processing of sensitive data".

Giovanni Buttarelli, Assistant EDPS, said: "The growing trend to acknowledge the importance of data protection in proposals for legislation is a welcome one. But on closer examination, the claims are often not supported with concrete measures and safeguards. A lack of further details will also result in undue discrepancies among Member States. Data protection should therefore not be perceived as an obstacle to combat money laundering but as a basic requirement necessary to achieve this purpose."
