AML Package: Amendments proposed by the European Data Protection Board
13/07/2022
Edited by Calogero Costa
As industry insiders know well, personal data protection legislation and anti-money laundering legislation touch at many points.
Both bodies of law govern the processing of personal data, albeit from different perspectives and for different purposes: the protection of privacy and personal data on the one hand, and the protection of the public interest in the integrity of the economy on the other.
While the connections between the two are easy to see, coordinating them is rather complex, not only for those who interpret the rules but also for legislators at every level (national, European, etc.).
It is therefore not surprising that the European Data Protection Board (“EDPB”), the independent European body established by the General Data Protection Regulation (EU) 2016/679 (GDPR) to ensure the consistent application of the GDPR and to promote cooperation between EU data protection authorities, recently addressed a letter to the three European institutions (Parliament, Council and Commission) engaged in the legislative process on the so-called “AML Package”, published on 20 July 2021, to highlight a number of “critical issues” from a data protection point of view and to suggest ways of improving the texts under discussion.
The AML Package implements pillars 2, 3 and 4 of the “Action Plan for a comprehensive Union policy on preventing money laundering and terrorist financing” launched by the European Commission on 7 May 2020. Its aim is a comprehensive update of the anti-money laundering framework, with a view to effective and concrete “European compliance” throughout the Union. The package consists of four legislative proposals, namely:
- a proposal for a regulation establishing (as of 1 January 2023) a new European anti-money laundering authority (the Anti-Money Laundering Authority, or “AMLA”), with coordination and assistance tasks towards the national FIUs (for Italy, the UIF), aimed at ensuring the adoption of uniform regulatory standards and risk assessment methods, together with supervisory and investigative powers (including the power to impose administrative pecuniary sanctions) over obliged entities deemed to be “higher risk”;
- a proposed regulation containing rules directly applicable to the private sector, including on customer due diligence and beneficial ownership;
- a proposal for a Sixth Anti-Money Laundering Directive (AMLD VI), replacing the current Directive (EU) 2015/849 (AMLD IV, itself amended by AMLD V), containing provisions to be transposed into national law, such as rules on national supervisory bodies and Financial Intelligence Units in the Member States. AMLD VI expands the list of predicate offences for money laundering (including certain tax crimes, environmental crime and cybercrime) and provides for the extension of criminal liability to legal persons and corporations/partnerships;
- a revision of the 2015 EU Funds Transfer Regulation (Regulation (EU) 2015/847) to extend traceability requirements to transfers of crypto-assets.
The points of concern raised by the EDPB in the letter addressed to the three European institutions focus, in particular, on two of the measures included in the package, namely: (i) the proposal for a regulation establishing the new European anti-money laundering authority and (ii) the proposed anti-money laundering regulation for the private sector.
The purpose of the EDPB's letter is twofold: on the one hand, the Board asserts its role as “advisor” on all data protection matters arising from the new rules and stresses the need for its involvement throughout the legislative process; on the other hand, it suggests amendments to specific provisions of the two proposals, which it considers essential to bring them into line with the European legal framework on personal data protection.
The EDPB is not new to such initiatives. Already in December 2020 the Board had expressed concerns about the Commission's “Action Plan”. In its Statement of 15 December 2020, it asked the European Commission “to be involved from the initial stages in the development of any new legislative provisions on anti-money laundering, in order to provide legal advice on some key points relating to data protection”, so as to ensure the “compatibility” of the new measures with the rights to privacy and data protection enshrined in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, with the principles of necessity and proportionality, and with the case law of the Court of Justice of the European Union.
In May 2021 the EDPB reiterated its request to be able to provide legal advice on the new rules before their submission to Parliament, with the aim of suggesting a “fair balance” between the interest in preventing money laundering and terrorist financing on the one hand, and the fundamental rights to data protection and privacy on the other. On that occasion the EDPB recommended that the Commission include in the legislative proposals specific provisions clarifying, pursuant to Article 6(3) GDPR, the general conditions and limits of lawful processing by obliged entities, and that it align the two sets of rules so as to minimise potential discrepancies. Given how sensitive processing in the anti-money laundering field is, the EDPB also suggested including in the proposals specific obligations to adopt adequate technical measures, in line with the principles of privacy by design and by default, aimed at reducing the security risks to the data processed.
In the letter sent to the three European institutions on 12 May, the Board notes that the recommendations it had previously made on the content of the two proposed regulations were only partially taken up during the legislative process.
The EDPB acknowledges that the Commission has included in its anti-money laundering proposals specific provisions (see Article 55 of the proposed regulation for the private sector, COM(2021) 420 final) on the processing of special categories of data and of personal data relating to criminal convictions and offences, as the EDPB itself had requested.
The Board considers it necessary, however, to include in the legislative texts additional safeguards for the processing of these types of personal data in order to ensure compatibility with the GDPR (in particular Articles 9 and 10). It also points to the lack of specific rules on the “sources” of information that obliged entities must use to verify a customer's identity, and on the information supplied by so-called “watch list” data service providers.
According to the EDPB, the two proposals therefore contain significant data protection gaps which, if not addressed, could seriously affect the rights and freedoms of data subjects (by legitimising processing that breaches the principles of accuracy and data minimisation) and create legal uncertainty for obliged entities. This matters all the more because obliged entities are required to process personal data from which inferences about individuals can be drawn, and which may lead in particular to the exclusion of natural and legal persons from a right and/or service (for example, a banking service).
The EDPB therefore suggests a number of important changes to the two proposals to remedy these shortcomings. Its suggestions focus on four aspects:
(i) the need for greater involvement of the EDPB (through the "prior consultation" tool) by the EU institutions and the newly established European AML Authority, in the context of the drafting and adoption of regulatory technical standards (RTS), guidelines and recommendations relating to the fulfillment of AML/CFT obligations.
First, the Board expresses concerns about Article 38 of the proposed regulation establishing the AMLA. This provision entrusts the Authority with drafting, and then proposing to the European Commission for adoption, regulatory technical standards (“RTS”), guidelines and recommendations laying down detailed rules, in particular on the categories of personal data and information to be collected for the various forms of customer due diligence or for the ongoing monitoring of a business relationship or transaction, and on specific criteria for identifying the beneficial owners of legal entities. In effect, the AMLA thereby acquires the power to shape the “core” of anti-money laundering rules.
In the Board's opinion, the categories of personal data that obliged entities must process, and any additional rules that could significantly affect that processing, should not be left to the RTS, guidelines and recommendations but should be identified directly in the anti-money laundering legislative proposals themselves.
Second, the EDPB criticises the current wording of Article 77(2) of the proposed regulation establishing the AMLA, which provides that the “obligation of cooperation” between the Authority and the EDPB applies only to the adoption of guidelines and recommendations, with no reference to the RTS. A similar criticism is directed at Article 84(1) of the same proposal, under which the AMLA “may” invite national data protection authorities as mere “observers” when drafting such guidelines and recommendations (again omitting any reference to the RTS).
The Board considers instead that the AMLA's obligation to cooperate closely with the EDPB must apply not only to the drafting of guidelines and recommendations but also to the RTS, and in every case where such guidelines, recommendations and RTS have “a significant impact on the protection of personal data”. Moreover, the Board's involvement in the RTS process should not be confined to the initial drafting of the technical rules but should extend to the subsequent implementation phase through the delegated acts adopted by the European Commission pursuant to Article 290 TFEU. The Board therefore hopes that the European institutions responsible for issuing RTS, guidelines and recommendations will formally involve it before their adoption whenever these could have a significant impact on the protection of individuals' rights and freedoms.
(ii) the need to better specify the conditions and limits of the processing of special categories of data and personal data relating to criminal convictions by obliged entities.
In particular, the Board calls on the co-legislators to define explicitly the special categories of data whose processing would be “strictly necessary for the purpose of preventing money laundering and terrorist financing” under Article 55(1) of the proposed regulation applicable to the private sector. To prevent decisions from being taken on the basis of discriminatory factors, it also recommends clarifying in Article 55 that the assessment carried out by obliged entities must never be based solely on the processing of special categories of personal data, and that state-of-the-art security measures, such as access restrictions, obfuscation, encryption, pseudonymisation or opt-out, should be adopted.
As regards data relating to criminal convictions, the EDPB focuses on Article 55(3)(b) of the proposed regulation applicable to the private sector. This provision allows obliged entities to process not only data relating to criminal convictions but also so-called “allegations”. As a specific safeguard, it requires obliged entities to have procedures that, when processing such data, distinguish between allegations, investigations, proceedings and convictions, taking into account the fundamental rights to a fair trial and to defence, and the presumption of innocence. The problem, the Board stresses, is that the term “allegations” is not defined in the text of the proposed regulation, nor is there any precise reference to the “sources” from which information on such allegations may be obtained. This is a significant shortcoming given the high risk of the processing and its potentially serious impact on the data subject (for example, a bank's refusal to enter into a business relationship with the person concerned), even though in some cases the allegation may prove unfounded.
With reference to Article 55(3), the Board therefore suggests clarifying the meaning of the term “allegation” (or deleting it altogether) and specifying that allegations, like pending judicial proceedings, should not carry the same weight in a person's risk assessment as a criminal conviction.
(iii) the need to provide additional provisions in relation to the “sources” of information.
The Board asks the European legislator to clarify the scope of Article 55(2)(b) of the proposed regulation applicable to the private sector, under which obliged entities may process special categories of data “provided that the data comes from reliable sources, is accurate and up-to-date”.
In particular, to ensure compliance with the principles of accuracy and data minimisation, as well as the accountability principle under Article 5(2) GDPR, the Board recommends: (i) adding to the legislative text specific safeguards on the sources that obliged entities must use; (ii) inserting an express obligation for obliged entities to use only accurate and reliable sources; and (iii) adding a specific obligation for obliged entities to document their assessment of the reliability and accuracy of each information source used.
(iv) the need for specific provisions on the processing of personal data by the providers of so-called “watch lists”.
Finally, the Board recognises that obliged entities need to rely on “watch list” service providers (who qualify as data controllers) to fulfil their anti-money laundering obligations. It suggests, however, that the legislative proposals include specific rules defining the nature of the personal data (in particular special categories of data and data relating to criminal convictions) that such providers may process, in accordance with the principles of accuracy and data minimisation (Article 5(1)(c) GDPR). Strong and specific measures should also be laid down to safeguard the fundamental rights and interests of data subjects.
The EDPB warns that, in the absence of such provisions, it will fall to the national supervisory authorities to enforce data protection law in the event of breaches by providers and obliged entities, in particular as regards the processing of special categories of personal data and of data relating to criminal convictions and offences.
In addition, should specific rules for such providers be adopted, the EDPB calls on the co-legislators to include in the anti-money laundering proposals a reference to the codes of conduct under Article 40 GDPR and the certifications under Article 42 GDPR for “watch list” providers, to be developed taking into account the specificities of this sector.
During the AML/CTF Master's program at the Italian School of Anti-Money Laundering and Compliance, considerable attention was paid both to the contents of the AML Package and to the personal data protection rules most relevant from an AML perspective, from an integrated and multidisciplinary perspective. This allowed me to accurately grasp the scope of the concerns raised by the EDPB in the letter discussed above and to appreciate their institutional implications.