Money laundering and terrorist financing: CNIL and its counterparts address European legislators

24 April 2023

On 28 March 2023, the European Data Protection Board (EDPB) wrote to the European legislators about the proposed Regulation on combating money laundering and terrorist financing (AML/CFT). It expresses its concerns on the possibility for private organisations to share customers data on a very large scale.

The context

On 20 July 2021, the European Commission presented a proposal for an EU AML/CFT Regulation aimed at better detecting transactions that could constitute the criminal offences of money laundering and terrorist financing.

On 5 December 2022, the Council of the European Union adopted its position on the text by including provisions allowing private organisations subject to this regulation (banks, insurance companies, etc.) to share with each other information collected on their customers, with the aim of detecting possible criminal offences. They also introduce the possibility of reciprocal exchange of data between these private bodies and the competent public authorities (in particular, the financial intelligence units ).

The concerns of data protection authorities

On 28 March 2023, the CNIL and its counterparts in the EDPB sent a public letter to the European Parliament, the European Commission and the Council of the European Union.

In this letter, the EDPB acknowledges that the AML/CFT has an important public interest, which requires appropriate policies and measures. He nevertheless expresses concerns about the compliance of the provisions allowing data sharing with the Charter of Fundamental Rights of the European Union, and questions the proportionality, necessity and legality of these measures.

First of all, it notes that the effectiveness of such data sharing on AML/CFT has not been evaluated, even though the risks for the rights and freedoms of individuals are significant.

The letter also highlights the risk that these provisions will contribute to the establishment of mass surveillance by private entities that would be allowed to share data on their customers.

The EDPB also underlines that these provisions may lead to an exchange of information that may be related to ongoing criminal investigations between private actors and law enforcement authorities, whereas the fight against crime is in essence a task for public authorities.

Moreover, data sharing multiplies the risk for people wrongly suspected by private organisations to be excluded from access to banking services (opening a current account, using means of payment, obtaining credit, etc.).

Finally, such sharing would result in the sharing of sensitive data. Information on religious beliefs and political opinions could, for instance, be shared for the purpose of detecting terrorist financing. The EDPB recalls that this type of data benefits from a reinforced protection regime because of the risks that their use raises, in particular of discrimination. In this respect, it considers that the proposed regulation does not provide for appropriate safeguards to ensure the protection of data subjects' data, and therefore does not allow lifting the prohibition in principle of sharing such data.

The EDPB therefore calls for the withdrawal of these provisions from the proposed Regulation.