Opinion of the European Data Protection Supervisor on a proposal for a
Directive of the European Parliament and of the Council on the prevention of the use of the financial system for the purpose of money laundering and terrorist financing.
On 5 February 2013, the Commission adopted two proposals: this proposal for a Directive of the European Parliament and of the Council on the prevention of the use of the financial system for the purpose of money laundering and terrorist financing and the parallel proposal for a Regulation of the European Parliament and of the Council on information on the payer accompanying transfers of funds. The proposals were sent to the EDPS for consultation on 12 February 2013.
The EDPS underlines that the legitimate aim of achieving transparency of payments sources, funds deposits and transfers for purpose of countering terrorism and money laundering has to be pursued while ensuring compliance with data protection requirements.
The following issues should be addressed in both proposals:
· an explicit reference to applicable EU data protection law should be inserted in a substantive and dedicated provision, mentioning in particular Directive 95/46/EC and the national laws implementing Directive 95/46/EC, and Regulation (EC) No 45/2001;
· a definition of ‘competent authorities’ and ‘financial intelligence units (FIUs)’ should be added in the proposed Directive;
· it should be clarified that the legal ground for the processing would be the necessity to comply with a legal obligation by the obliged entities, competent authorities and FIUs;
· it should be recalled that the sole purpose of the processing must be the prevention of money laundering and terrorist financing, and that data must not be further processed for incompatible purposes;
· the specific prohibition to process data for commercial purposes should be laid down in a substantive provision;
· a dedicated recital should be added to clarify that the fight against tax evasion is only inserted as predicate offences;
· substantive provisions on the transfers of personal data should be introduced which provide for an appropriate legal basis for the intra-group/PSP to PSP transfers that would respect the text and interpretation of Directive 95/46/EC; the proportionality of requiring the mass transfer of personal and sensitive information to foreign countries for the purpose of fighting AML/TF should be re-assessed
· an evaluation of alternative and less intrusive options to the general publication obligation should be undertaken and, in any case, specification in the proposed Directive the purpose of such a publication as well as the personal data that should be published;
· a substantive provision should be added that sets forth a maximum data retention period that must be respected by Member States.
In respect of the proposed Directive, the EDPS further recommends to:
· add a specific provision to recall the principle of providing data subjects with information about the processing of their personal data and to specify who will be responsible for such data subjects' information;
· add a specific provision to specify the conditions under which the data subjects' rights may be limited;
· add a precise list of the information that should and should not be taken into account in carrying out the Customer Due Diligence;
· limit more clearly the situations in which the risks are so substantial that they justify enhanced due diligence and to provide for procedural safeguards against abuse;
· include a reference to confidentiality, which should be respected by all employees involved in the CDD procedures;
· list in a substantive provision the types of identification data to be collected on the beneficial owner, also when no trust is involved.
·