The European Data Protection Supervisor has concluded that proposed amendments to the EU Anti-Money Laundering Directive and efforts to widely share beneficial ownership data are not proportionate in their current form.
In an opinion released on Feb. 1, the data protection watchdog criticized that the proposals do not strictly define the policy objectives of the new anti-money laundering measures and fail to assess whether they are not too wide.
The data protection supervisor, which advises EU institutions on the processing of personal data, took aim at measures designed to curb tax evasion and said it is concerned that the amendments introduce policy purposes other than countering anti-money laundering and terrorism financing “that do not seem clearly identified.”
In July 2016, the EU Commission published several proposed amendments to the Anti-Money Laundering Directive as part of a coordinated action with the G-20 and the OECD to tackle tax evasion and to establish a fairer tax system.
The EU Council responded in December 2016 with a compromise text which focuses predominantly on anti-money laundering and terrorism financing. Although this proposal no longer mentions the goal of fighting tax evasion, tools to achieve that aim, such as public access to beneficial ownership information and access by tax authorities to anti-money laundering information, remain in place.
This raises the question why certain forms of invasive personal data processing, that are acceptable to fight money laundering and terrorism financing, are necessary out of those contexts and whether they are proportionate, the EDPS said in the document, signed by the watchdog’s Wojciech Wiewiórowski.
“The amendments significantly broaden access to beneficial ownership information by both competent authorities and the public, as a policy tool to facilitate and optimize enforcement of tax obligations. We see, in the way such solution is implemented, a lack of proportionality, with significant and unnecessary risks for the individual rights to privacy and data protection.”
Under EU law, personal data can only be collected for a specified, explicit and legitimate purpose and processed, or shared with third countries, in a way that is compatible with that purpose.
In 2014, the European Court of Justice shocked European legislators when it shot down the EU Data Retention Directive. In the Digital Rights Ireland case, the court established that the fight against international terrorism and serious crime constitutes an objective of general interest that allows the interference with fundamental privacy and data protection rights, but it concluded that the measures must be proportionate.
The court adopted a two-pronged proportionality test, by considering whether a measure was appropriate to achieve its objective and if did not go beyond what was necessary to achieve this goal. The ruling suggested that general and blanket data retention is no longer possible under EU law.
In its opinion, the EDPS said the EU Commission, which made tax evasion a primary concern of the Directive rather than a mere predicated crime, “seems to have foregone a proper proportionality assessment and have opted for blanket measures.”
The EU Council position, in contrast, attempts to link access to beneficial ownership information to the purpose of fighting money laundering by stating that beneficial ownership transparency is needed to trace criminals who could otherwise hide behind a corporate structure.
The data protection supervisor said this explains why competent authorities should have access to the information, but it questioned the proportionality of granting wider access to beneficial ownership data to “any person with legitimate interest.”
EU member states will define what legitimate interest means but, the EDPS said, they must balance the public interest of combating money laundering and terrorist financing and the protection of fundamental rights of individuals, in particular the right to privacy and protection of personal data.
The supervisor recommended that access to beneficial ownership information should be designed in compliance with the principle of proportionality, and that access is only granted “to entities who are in charge of enforcing the law.”