By Samantha Sheen, AML Director Europe, ACAMS
1 March, 2017

The European Data Protection Supervisor’s Opinion on the 4th Anti-Money Laundering Directive (“4AMLD”)
Hell hath no fury like a data protection requirement ignored
(Apologies to William Shakespeare)

At one point in my compliance career I was the designated Data Protection Officer (“DPO”) for a financial institution. If you’re responsible for data protection (“DP”) compliance, you’ll appreciate how difficult it can sometimes be to ensure that those requirements are understood and complied with.

The company I worked for was undertaking an outsourcing project in which some information was transferred to a non-EU country, without the knowledge or consent of the individuals to whom the data belonged. The country to which it was sent had a not-so-great reputation for personal data theft. It turned out that I happened to be one of the individuals whose personal information had been sent. Nothing makes you pay attention to DP requirements more than when it’s your own personal information that’s involved. Especially when you’re the DPO and you’ve not been consulted beforehand.

After a lot of headache and meetings, the matter was resolved. But this all could have been avoided if someone had asked early on whether DP requirements might apply and if so, how.

Which leads me to the 2 February 2017 Opinion (“Opinion”) issued by the European Data Protection Supervisor (“EDPS”) on the revisions proposed in July 2016 to the 4AMLD (“July Amendments”), and the compromise text incorporating the European Council’s amendments published on 19 December 2016 (“Compromise Text”).

Practitioner’s Note
Aspects of DP are almost always present in AML-related projects, including outsourcing of remediation activities or CDD-related checks, and the centralisation of screening and monitoring activities. It should never be assumed that DP requirements are superseded by AML requirements.

In short, the EDPS is not happy.

As I read the Opinion, it made me think of another AML project I worked on, but this time I wasn’t the DPO. Yet again, the DP requirements were not considered during the project planning stage. The result – months of delays, fruitless arguing and more seriously, unforeseen costs incurred to implement the necessary DP controls.

You know that things are not off to a good start when the Opinion begins with the EDPS taking umbrage with the suggestion that it knew about the proposed amendments, reporting that, “contrary to recital 4(2) the EDPS was not consulted prior to the adoption of the [July Amendments] Proposal”.

I thought I would share with you the EDPS’ comments about the beneficial ownership registers being proposed for both legal entities (e.g. companies) and legal arrangements (e.g. trusts) (collectively, “Registers”).

The basic principles that underlie Europe’s DP requirements include the idea that the processing of personal data must serve a legitimate, specific and well identified purpose. Other concepts such as necessity and proportionality come into play.

One of the EDPS’ main concerns about the Registers relates to the proposal that access to information about beneficial owners should be extended beyond law enforcement and supervisory authorities (“Authorities”) to include members of the press and general public.

The EDPS is concerned that the idea behind giving these two groups access is to, essentially, allow them to act as a sort of quasi-enforcement body to help in the fight against financial crime, especially in relation to tax evasion. And here is one of the problems.

One of the DP provisions requires that controls be applied to protect personal (and sensitive) information. So this means that those who “control” this information have to put measures in place to ensure that it is not misused, stolen etc. But these requirements do not apply to personal information processed or controlled by individuals. So, the question asked by the EDPS is: if individuals (e.g. freelance journalists or a member of the public) are not required to apply these controls, what’s to stop them from misusing the personal information about a beneficial owner they’ve obtained from one of the Registers?

The main control proposed in the July Amendments and the Compromise Text to try to address this concern is that parties, other than the Authorities, would have to show that they have a “legitimate interest” in order to access this information.

The problem? It has been proposed that Member States should decide for themselves what a “legitimate interest” is. Even though Member States will be expected to balance the public interest in combatting money laundering and terrorist financing with protecting fundamental individual rights, such as the right to privacy, the EDPS sees a potential unintended consequence arising here.

The EDPS explains there is a possible risk of “regulatory arbitrage” – that some Member States could make it far more difficult to establish a “legitimate interest” as compared to others. Not only would that defeat the transparency aims of establishing the Registers, but it could mean that some beneficiaries receive less protection over their personal information than is otherwise expected under the DP requirements.

The EDPS’ overall conclusion in the Opinion is that the changes proposed in the July Amendments and Compromise Text are not proportionate and appear to create significant and unnecessary risk exposure to individuals’ rights to privacy and data protection.

Post Script

The EDPS has now sent the message, “you have our attention”. In its recent publication summarising its 2017 priorities, it plans to have close involvement in the discussions around the 4AMLD revisions, and in particular, the DP aspects of the publication of beneficial ownership information.

Conclusion

For me, the Opinion is another example of the risks that can arise when we treat DP requirements as an afterthought, wrongly assuming that they don’t apply to AML projects or presuming that AML concerns automatically override them. If you have ever felt perplexed about DP, take the time to read the Opinion. It might just help you to identify possible DP concerns in an AML-related project, and more importantly, operational matters that may need to be tackled to address them.

Because while DP requirements can be, at times, confounding and frustrating, we should all remember that they are there to protect and prevent the misuse of individuals’ personal information, including our own.

The Opinion can be found here:
https://secure.edps.europa.eu/

The EDPS paper on its 2017 priorities can be found here:
https://secure.edps.europa.eu/