Violation of data protection principles and discrimination | part 1 of Horrors of European legislation against crime (AML/CFT)

In certain areas European legislation is gaining importance. One of these areas is the legislation against crime, also known as ‘anti-money laundering’ (AML) and ‘combating terrorist financing’ (CFT). In reality, it is a form of privatisation of government tasks, to the detriment of citizens and society.

Under these regulations, private companies like banks (‘obliged entities’) must fight crime. One of the main elements of the AML/CFT regulations is that obliged entities have to conduct a client due diligence (CDD) under threat of high penalties and personal liability of directors when they do not comply. The dark shadows of AML/CFT legislation are becoming very clear, especially banks are showing that future will be dark, with discriminatory de-risking practices and increasing tariffs due to high CDD costs.

Currently Europe is working on new AML/CFT legislation that will increase the negative effects of privatisation of government tasks. One of the main elements of the new legislation is the Anti-Money Laundering Regulation (‘AMLR’), which contains a complete overhaul of the AML/CFT regulations.

It is disconcerting to see that Europe through AMLR wants to undermine fundamental European legal principles in order to fight crime. The European Commission is creating a surveillance society through AML/CFT legislation.

Some examples are given in this article.

Undermining GDPR
[a] Current regulation is already threatening the data protection rights of European citizens, due to the large amount of data obliged entities have to collect, due to the unnecessary and unjustifiably public register of ‘beneficial owners’ (with a too broad definition of ‘beneficial owner’) and due to other problematic obligations.

[b] The European Commission proposes to undermine the data protection principles of GDPR further by allowing obliged entities through the first paragraph of article 55 AMLR to collect personal data on political opinions, sexual orientation etcetera. In the amended version of the LIBE ECON commission the paragraph will be as follows (mark-up by me):

1. To the extent that it is strictly  necessary for the purposes of preventing  money laundering and terrorist financing,  obliged entities may process special  categories of personal data on a case-by-case basis relating to racial or ethnic  origin, political opinions, religious or  philosophical beliefs, or trade union  membership and genetic data, biometric  data for the purpose of uniquely  identifying a natural person, data  concerning health or data concerning a  natural person’s sex life or sexual  orientation referred to in Article 9(1) of  Regulation (EU) 2016/679 and personal  data relating to criminal convictions and  offences referred to in Article 10 of that  Regulation subject to the safeguards  provided for in paragraphs 2 and 3.

Of course obliged entities like banks will use this as a pretext to collect unnecessary personal data.
To my opinion collecting this type of data should be forbidden, unless – after a strict procedure in which data protection authorities are involved – the necessity of collecting such data is proven.

[c] Without any explanation or justification the Commission proposes that all obliged entities have to collect extra personal information on their customers:

  • Article 18, first section, (a)(iii): nationality or nationalities.
  • Article 18, first section, (a)(iv): the occupation, profession or employment status.

Nationality is also included in article 44 on beneficial owners.
No explanation is given why this information is relevant for AML/CFT.

[d] Without any explanation or justification the Commission proposes (article 20) that all obliged entities have to obtain information of their customers on:

(b) the estimated amount and economic rationale of the envisaged transactions or activities;
(c) the source of funds;
(d) the destination of funds.

No attention is paid to the type of activity the entity is doing for the customer and no attention is paid to the type of customer and the type of transaction.  It will lead to unnecessary collection of personal information, with all the data protections risks attached. If data minimisation principles are respected, such an obligation is limited to certain obliged entities and to situations in which such information is necessary.

[e] Article 42 of the Commission’s proposal includes “links with family members of managers or directors/those owning or controlling the corporate entity” as ‘control via other means’ over a corporate entity. The meaning of ‘links’ is not explained. This will lead to unnecessary inclusion of family members in the definition of ‘beneficial owner’ and their registration in the register of beneficial owners.
Also the consequence is that obliged entities will require information regarding family members of all managers, directors, owners and controllers; compliance providers will start collecting that information also. Unnecessary violation of the data protection rights of family members is the consequence of this unnecessary and unfounded way of broadening the definition of beneficial owner.

[f] The new text of Annex I (indicative list of risk variables) proposed by the Commission will lead to additional data protection risks, as the Commission requests the obliged entities to determine the risks of their customers based on the following personal data (mark-up by me):

(i) the customer’s and the customer’s beneficial owner’s business or professional activity;
(ii) the customer’s and the customer’s beneficial owner’s reputation;
(iii) the customer’s and the customer’s beneficial owner’s nature and behaviour; (…)
(vi) the jurisdictions to which the customer and the customer’s beneficial owner have relevant personal links;

Of course no explanation or justification is provided by the European Commission. The consequence will be that obliged entities and their compliance information providers will start collecting extra personal data to be able to do the requested judgment (possibly through analysis with artificial intelligence). Highly dangerous!

Discrimination based on nationality
The ECON / LIBE draft report on AMLR proposes to add nationality as a high risk factor in annex III of AMLR (replacing annex III of the current AML/CFT regulation). It is an important principle that discrimination on the basis of nationality is prohibited.

This is the proposal of the committee:


It means that all people with the nationality of a state that is considered to be high risk [1], will be discriminated against by obliged entities.
Example: all Iranians in the Netherlands – even when they live here almost all of their life – are considered to be a probable high risk; obliged entities have to take extra compliance measures to mitigate the risks (so they will try to terminate the relationship). Note: Iran is one of the countries that has made it impossible to terminate the nationality.

Final remarks
Europe is moving in the wrong direction. It is preparing us for a surveillance society. Hopefully organisations in the area of fundamental rights will be alert and point out to the European Commission that proposals that harm data protection or other fundamental rights are undesirable.



[1] According to point (3) of the draft most countries of the world are areas of higher risk:

There are many lists of high(er) risk countries, not only FATF but also the list of the European Commission and the list of the Dutch AMLC.


More information:


This is part 1 of the series Horrors of European legislation against crime (AML/CFT) that describes the European plans to fundamentally change AML/CFT legislation.


Amendment 27 June 2022
The quotation on Article 55 AMLR was from the committee’s proposal, so I have amended that paragraph. The European Commission refers in the first paragraph to Articles 9 and 10 GDPR.

Addition of 27 June 2022
EDPB commented on the AMLA package, see my blog post and the EDPB page of 20 May 2022. Unfortunately, the EDPB’s criticism is limited to, inter alia, Article 55(1) and does not address other points that I mention in my blog.

Over Ellen Timmer

Weblog: ||| Microblog: ||| Motto: goede bedoelingen rechtvaardigen geen slechte regels
Dit bericht werd geplaatst in English - posts in English on this blog, Europa, Financieel recht, onder meer Wft, Wtt, Fraude, witwasbestrijding, Wwft, Grondrechten, ICT, privacy, e-commerce en getagged met , , , , , , , , , . Maak dit favoriet permalink.

Geef een reactie

Vul je gegevens in of klik op een icoon om in te loggen. logo

Je reageert onder je account. Log uit /  Bijwerken )

Facebook foto

Je reageert onder je Facebook account. Log uit /  Bijwerken )

Verbinden met %s