On 22 September 2021, the European Data Protection Supervisor (EDPS) published its opinion on the European Commission’s proposed Anti-Money Laundering (AML) legislative package (Opinion).

The European Commission adopted, on 20 July 2021, a package of four legislative proposals aiming to strengthen the EU’s anti-money laundering and countering the financing of terrorism rules.

In its Opinion, the EDPS generally welcomes the objectives pursued by the AML legislative package however raises the following considerations from a data protection perspective:

• While the risk-based approach that is at the core of the AML legislative package is welcome, it still needs further specifications and clarifications, in particular with a view to ensure compliance with the principles of necessity and proportionality, as well as to enhance legal certainty for obliged entities as to their duties.
• More specifically, the EDPS considers that the AML legislative package should identify the categories of personal data to be processed by the obliged entities, instead of leaving this to be determined under RTS. Similarly, the conditions and limits of the processing of special categories of personal data and personal data relating to criminal convictions and offences should be better described.
• The EDPS states that it considers that the processing of personal data related to sexual orientation or ethnic origin should not be allowed.
• As relevant to beneficial ownership registers:
  • The EDPS welcomes the obligation on Member States to notify to the Commission a closed list of competent authorities and self-regulatory bodies and the categories of obliged entities, which in each case are granted access to the beneficial ownership registers.
  • It further invites the regulator to specify that access by tax authorities and other self-regulatory bodies should be limited to the purpose of the fight against money-laundering and financing of terrorism and their access therefore authorised only for this purpose.
  • As concerns access to the beneficial ownership registers by “any member of the general public”, the EDPS reiterates its prior position that the necessity and proportionality of such generalised access as relevant to the prevention of ML/TF has not been clearly established so far. In principle, such access should be limited to competent authorities who are in charge of enforcing the law and to obliged entities when taking customer due diligence measures.
  • The EDPS considers that the public access is rather a matter of other objectives of public interest, such as transparency or the right to obtain information. This type of access should be subject to a separate assessment for necessity and proportionality as well as a separate set of rules laying down the necessary safeguards. This assessment would be distinct from any assessment made for access granted to the competent authority.
  • The EDPS recommends establishing a reporting mechanism as part of the AML legislative package, in order to gather fact-based evidence as to the effectiveness of the beneficial ownership registers.
• Finally, the EDPS notes the excessive access powers conferred on financial intelligence units and invites the legislator to reassess the necessity and proportionality of the access rights granted.

The press release can be found here.

The EDPS Opinion can be found here.

Our detailed blog post on the EU Commission’s AML legislative package can be found here.