The European Data Protection Board (EDPB) in a statement of 15 December 2020 warns the European Commission that data protection principles apply to legislation in regard of the prevention of money laundering and terrorist financing.
EDPB considers the legislation regarding anti-money laundering (AML) and countering terrorist financing (CFT) far reaching, with intrusive obligations (KYC, transaction monitoring) and with long retention periods.
The board stresses that updating of the AML-framework shall not be undertaken without a review of the relationship between the AML-measures and the rights to privacy and data protection.
The EDPB therefore calls on the European Commission to be associated to the drafting process of any new AML legislation in its early stages, with a view to provide legal advice on some key points from a data protection perspective, without prejudice to the formal consultation by the European Commission in line at a later stage. The EDPB declares itself to be ready to contribute to discussions within the Council of the EU and the European Parliament during the legislative process.
The full statement:
This statement follows the adoption by the European Commission of an Action Plan  for a comprehensive Union policy on preventing money laundering and terrorist financing and the launch of a public consultation  in May 2020.
According to the Action Plan, the Commission aims to present new legislative proposals in the first quarter of 2021, inter alia, establishing a single rulebook on these topics (i.e. a Regulation or a more detailed revised Directive), ensuring EU level supervision (either by granting new powers to an existing EU Agency or by establishing a new dedicated body), and creating a support and coordination mechanism for Financial Intelligence Units.
The applicable anti-money laundering measures  include very broad and far-reaching obligations on financial services providers and other obliged entities to identify and know their customers, to monitor transactions undertaken using their services, and to report any suspicious transactions. Furthermore, the legislation stipulates long retention periods . These measures cover the entire European financial services industry, and therefore affect, in a comprehensive manner, all persons using financial services, each time that they use these services.
The EDPB, and before it the Article 29 Working Party, has repeatedly noted the privacy and data protection challenges related to these measures in the past . The upcoming update to the legislation is an opportunity to address the interplay between the protection of privacy and personal data and the anti-money laundering measures, as well as their concrete application on the ground.
In this context, the EDPB stresses that the intended update to the anti-money laundering framework shall not be undertaken without a review of the relationship between the anti-money laundering measures and the rights to privacy and data protection. In this discussion, relevance and accuracy of the data collected plays a paramount role. The EDPB is indeed convinced that a closer articulation between the two sets of rules would benefit both the protection of personal data and the efficiency of the AML framework. In this respect, the EDPB would like to reiterate the need for a clear legal basis for the processing of personal data and stating the purposes and the limits of such processing, in line with Article 5(1) GDPR, in particular regarding information sharing and international transfers of data, as noted by the EDPS in its opinion on the European Commission’s action plan for a comprehensive Union policy on preventing money laundering and terrorism financing .
The EDPB considers it as a matter of the utmost importance that the anti-money laundering measures are compatible with the rights to privacy and data protection enshrined in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, the principles of necessity of such measures in a democratic society and their proportionality, and the case law of the Court of Justice of the European Union.
The EDPB therefore calls on the European Commission to be associated to the drafting process of any new anti-money laundering legislation in its early stages, with a view to provide legal advice on some key points from a data protection perspective, without prejudice to the consultation by the European Commission in line with Article 42 of Regulation 2018/1725 at a later stage. The EDPB is also ready to contribute to discussions within the Council of the EU and the European Parliament during the legislative process.
Going forward, the EDPB stands ready to be involved and consulted in a timely manner by any European or international regulatory bodies or standard-setters, such as the Financial Action Task Force, currently chaired by an EU Member state, before issuance of the revision of their recommendations.
 Action plan for a comprehensive Union policy on preventing money laundering and terrorism financing, 7 May 2020, available at https://ec.europa.eu/info/publications/200507-anti-money-laundering-terrorism-financing-action-plan_en.
 The consultation can be accessed at https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/12176-Action-Plan-on-anti-money-laundering/public-consultation.
 Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, as amended by Directive (EU) 2018/843 of the European Parliament and of the Council of 30 May 2018.
 The retention period is the business relationship plus five years (article 40 of Directive (EU) 2015/849). Where the business relationship only covers a single transaction, the retention period is five years. Where there is a long-term business relationship, such as a bank has with its customers, the retention period will often extend over several decennia. Retention periods can be extended by Member States with an additional five years.
 See for instance Article 29 WP Opinion 14/2011 on data protection issues related to the prevention of money laundering and terrorist financing, available at https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2011/wp186_en.pdf.
 EDPS Opinion 5/2020 on the European Commission’s action plan for a comprehensive Union policy on preventing money laundering and terrorism financing, point 26, 23 July 2020.
Other posts on this blog on the Action Plan of the European Commission and harmonisation of AML-/CFT-legislation are to be found under the tag Anti-Money Laundering Regulation.