The Commission proposals on money transfers, prevention of money laundering and terrorist financing need to do more than make mere references to data protection, said the European Data Protection Supervisor (EDPS) today.
Specific safeguards, such as the right of individuals to be informed and respect for the principles of proportionality and purpose limitation, are essential to prevent ordinary citizens from being excessively profiled by service providers on dubious grounds with potentially damaging effects.
Giovanni Buttarelli, Assistant EDPS, said: "The growing trend to acknowledge the importance of data protection in proposals for legislation is a welcome one. But on closer examination, the claims are often not supported with concrete measures and safeguards. A lack of further details will also result in undue discrepancies among Member States. Data protection should therefore not be perceived as an obstacle to combat money laundering but as a basic requirement necessary to achieve this purpose".
In his Opinion, published today, the EDPS acknowledges that these proposals are in principle a legitimate exercise in combating specific illegal activities in which the collection and analysis of personal information is a crucial instrument. However, the proposals oblige professionals, without appropriate guidance or training, to profile clients or potential clients and analyse large amounts of personal information. Any suspicions must be reported to the relevant authorities and failure to do so will result in sanctions against these professionals. This surreptitious collection of information and reporting is likely to result in a combination of over-reporting, under-reporting and mistakes.
The implications of possible mistakes are serious since anyone suspected of money laundering is likely to be ineligible for a number of important services. As the proposals currently stand, those wrongly suspected of money laundering or terrorist financing will have little right to recourse.
Furthermore, the personal information of clients and potential clients will sometimes be transferred to organisations or subsidiaries in third countries, where the data protection standards are not equivalent to those found in the EU.
The EDPS recommends that:
the applicability of EU data protection law be made more explicit in these proposals, as a mere reference in the recitals is not sufficient;
the sole purpose of the processing must be the prevention of money laundering and terrorist financing and personal information should not be further processed for incompatible purposes;
specific provisions on international transfers need to be added which also take into account the principle of proportionality, especially to avoid the mass transfer of personal and sensitive information;
given the potentially highly intrusive nature of the anti-money laundering obligations, the right of data subjects to be informed of the analysis or transfer of their personal information should be clearly outlined in the proposed Directive;
any restrictions to the fundamental rights of individuals should be fully justified and be subject to specific conditions and safeguards.
On 5 February 2013, the Commission adopted two proposals: one for a Directive of the European Parliament and of the Council on the prevention of the use of the financial system for the purpose of money laundering and terrorist financing and one for a Regulation of the European Parliament and of the Council on information on the payer accompanying transfers of funds. The purpose of these proposals is to achieve greater transparency and traceability of payment sources, fund deposits and transfers. The proposals were sent to the EDPS for consultation on 12 February 2013.
Money laundering: broadly, the conversion of the proceeds of criminal activity into apparently clean funds, usually via the financial system.
Terrorist financing: the provision or collection of funds, by any means, directly or indirectly, with the intention or knowledge that they are to be used in order to carry out terrorist offences.
Privacy and data protection are fundamental rights in the EU. Under the Data Protection Regulation (EC) No 45/2001, one of the duties of the EDPS is to advise the European Commission, the European Parliament and the Council on proposals for new legislation and a wide range of other issues that have an impact on data protection. Furthermore, EU institutions and bodies processing personal data presenting specific risks to the rights and freedoms of individuals ('data subjects') are subject to prior-checking by the EDPS. If, in the opinion of the EDPS, the notified processing may involve a breach of any provision of the Regulation, he shall make proposals to avoid such a breach.
Personal information or data: any information relating to an identified or identifiable natural (living) person. Examples include names, dates of birth, photographs, e-mail addresses and telephone numbers. Other details such as health data, data used for evaluation purposes and traffic data on the use of telephone, email or internet are also considered personal data.
Privacy: the right of an individual to be left alone and in control of information about himself or herself. The right to privacy or private life is enshrined in the Universal Declaration of Human Rights (Article 12), the European Convention of Human Rights (Article 8) and the European Charter of Fundamental Rights (Article 7). The Charter also contains an explicit right to the protection of personal data (Article 8).
Purpose limitation: personal information may only be collected for specified, explicit and legitimate purposes. Once it is collected, it may not be further processed in a way that is incompatible with those purposes. The principle is designed to protect individuals by limiting the use of their information to pre-defined purposes, except under strict conditions and with appropriate safeguards.
Profiling: inferring information about a person by gathering existing data - known traits or tendencies, personal characteristics or behaviour patterns.
Proportionality: personal information should only be collected and processed insofar as it is adequate, relevant and not excessive in relation to the purposes for which it is collected and/or further processed.
Function or mission creep: when the use of a technology or system is expanded or changed beyond the purpose for which it was originally intended, often leading to an invasion of privacy.