1 Introduction

Terrorist and organized crime networks such as drug cartels or human traffickers operate across borders and rely on financial assets that are transferred from one country to another.Footnote 1 The interconnectivity of the financial system and modern technologies allow those criminal groups to shift money between several bank accounts in a matter of hours in order to launder that money.Footnote 2 In the European Union (EU), all recent major money laundering cases that were reported had a cross-border dimension.Footnote 3 Financial information, including personal data, is therefore a crucial tool for the identification of criminal networks and for the prevention, detection, investigation and prosecution of serious crime and terrorism.

Such information can play a key role in tackling money laundering, terrorist financing, and combatting serious crime in more general terms. This is one of the reasons why the fight against money laundering and the financing of terrorism were top priorities in the EU’s Security Union Strategy for 2020-2025.Footnote 4 It might also explain the fast developments regarding the regulation of Anti-Money Laundering (AML) and Counter Terrorism Financing (CTF) legislation and the European Commission’s (Commission) Action Plan to establish a Union policy on combatting money laundering from May 2020,Footnote 5 eventually leading to the proposal of an Anti-Money Laundering Package (‘AML Package’) on 20 July 2021.Footnote 6

The proposed AML Package is the most recent legislative endeavour by the Commission to reform the AML/CTF framework and to react to recent scandals around unnoticed illicit transactions.Footnote 7 The package seeks to enhance the effective implementation of the existing EU AML/CFT framework, inter alia, by facilitating timely access to financial data, fostering an enhanced information exchange between the relevant authorities, and by establishing a new EU Authority for supervision. The latter authority is supposed to indirectly monitor obliged entities that operate on national level through the supervision of so-called Financial Intelligence Units (FIUs).

Obliged entities such as banks and other private bodiesFootnote 8 are required to compile unusual financial transactionsFootnote 9 that are suspected to facilitate money laundering or terrorist financing in suspicious transaction reports (STRs).Footnote 10 The abovementioned FIUs play a crucial role in analysing and exchanging information concerning suspicious transactions, serving as intermediaries between the private sector and law enforcement authorities (LEAs).Footnote 11 Because of the abovementioned international nature of financial crime, cooperation between national FIUs is of paramount importance. Yet, FIUs are not always able to exchange data effectively, which generates information gaps that are often caused by the different organizational structure according to which national FIUs are established. Apart from the structure that may be decisive when determining which information FIUs are able to use for their analyses, their tasks and relationship towards the national LEA may differ, which can lead to divergences in terms of data protection rules that apply to FIUs when processing personal data.Footnote 12 Where data protection rules are applied differently, this may lead to incoherencies with regard to transparency obligations for controllers, data subject rights or the restrictions thereof.

Whereas some FIUs apply Regulation (EU) 2016/679Footnote 13 (General Data Protection Regulation, ‘GDPR’) to their processing activities, others apply Directive (EU) 2016/680Footnote 14 (Law Enforcement Directive, ‘LED’) that applies where competent authorities process personal data for the prevention, investigation, detection or prosecution of criminal offences, including the safeguarding against and the prevention of threats to public security. Because the LED neither clearly defines what constitutes a competent authority nor what is to be included within the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security, the scope of the Directive is broadened where national legislators decided to apply the LED not only to traditional criminal LEAs, but also to other authorities that may contribute to the prevention, detection or investigation of crime, such as FIUs. The application of the LED may lead to a lower level of data protection standards, as in the law enforcement context, data protection principles are more resilient, data subject rights may be restricted more flexibly and obligations for controllers are not as stringent as under the GDPR.Footnote 15

In addition, the line between administrative sanctions and criminal law measures seems to become increasingly blurred, as some of the legislative measures in the area of AML/CTF are no longer based on internal market provisions,Footnote 16 but also on police and judicial cooperation legal bases.Footnote 17 Although the most recent legislative proposals within the AML Package are exclusively based on the internal market legal basis under Article 114 of the Treaty on the Functioning of the European Union (TFEU), the wording regarding the nature and tasks of national FIUs in those proposals seems ambiguous and could, in certain instances, be interpreted as allowing them to apply the LED.

The following sections of this article will briefly illustrate EU legislation on AML and CT measures that has been introduced in the past years, as well as the recently proposed legislative texts. Section 2 will present the different organizational structures according to which FIUs are set up in the Member States and the tasks that they carry out. Thereafter, Sect. 3 will give a short overview of the different data protection instruments, namely the GDPR and the LED, and provide arguments in favour and against the application of the LED to processing activities carried out by national FIUs. Finally, Sect. 5 will reflect on data retention and access measures to personal data in the area of AML and CTF and compare such measures to those that apply in the area of data retention by telecommunication providers.

2 EU Legislation on Anti Money Laundering and Counter Terrorist Financing

The EU legal regime on AML and CTF has been developed since the 1990s and has progressively strengthened the role of FIUs.Footnote 18 The First AML Directive was adopted in 1991Footnote 19 to provide the initial stage for setting up a harmonized framework in the EU Single Market, establishing key preventative measures such as customer identification, record-keeping and central methods of reporting suspicious transactions.Footnote 20 The provisions of that Directive were refined in the SecondFootnote 21 and the Third AML Directives,Footnote 22 which were adopted in 2001 and in 2006 respectively. The Second AML Directive established a broader definition of money laundering and included underlying offences within its scope.Footnote 23 Five years later, the Third AML Directive introduced a so-called risk-based approach,Footnote 24 which required businesses falling within its scope to carry out a risk assessment of their customers, based on a variety of factors.Footnote 25 In accordance with the risk attributed to a particular customer, the obliged entity had to apply Customer Due Diligence measures along the ‘Know Your Customer’ concept.Footnote 26 All these additional obligations required an increased processing of personal data, also by FIUs.

In May 2015, the Fourth AML DirectiveFootnote 27 was adopted, further regulating the processing of personal data by FIUsFootnote 28 and increasing their capacity to cooperate.Footnote 29 For instance, the Directive sought to ensure timely and unrestricted access by FIUs to relevant financial data,Footnote 30 to empower FIUs to take urgent actionFootnote 31 and to improve coordination and cooperation between FIUs.Footnote 32 Furthermore, the Directive required obliged entities to provide FIUs with all necessary informationFootnote 33 and to hold a central register on their beneficial ownership to which FIUs and other competent authorities had access.Footnote 34 In addition, the Directive suggested that FIUs should exchange information freely, spontaneously or upon request, with third-country entities.Footnote 35

Only one year after the adoption of the Fourth AML Directive the Commission published, in response to the terrorist attacks in Paris and Brussels, and due to the ‘Panama Papers’ scandal,Footnote 36 amendments to that Directive in a proposal for a Fifth AML Directive.Footnote 37 The Fifth AML Directive,Footnote 38 which was adopted in May 2018,Footnote 39 seeks to strengthen the previous requirements concerning cooperation between national authorities and to improve cross-border cooperation.Footnote 40 This includes a further enhancement of the effectiveness and efficiency of FIUs, for instance, by seeking to clarify the powers of and cooperation between them, as well as the abolishment of obstacles that may hinder the exchange of information between FIUs or the forwarding thereof.Footnote 41 Under the Fifth AML Directive, FIUs are able to obtain information from any obliged entity, even where no prior STRs are filed.Footnote 42 The amendments reinforce the preventive framework against money laundering, inter alia, by broadening the capacity of FIUs to access and exchange information.Footnote 43

In October 2018, a Directive on countering money laundering by criminal lawFootnote 44 was adopted to complement the Fifth AML Directive.Footnote 45 Being based on Article 83(1) TFEU, that DirectiveFootnote 46 seeks to improve judicial cooperation in criminal matters and to reinforce the application of the Fifth AML Directive in order to tackle AML/CTF by means of criminal law.Footnote 47 In addition, a Directive laying down rules facilitating the use of financial and other information for the prevention, detection, investigation or prosecution of certain criminal offences entered into force on 31 July 2019.Footnote 48 Besides new procedures for LEAs to obtain information from registered entities, the Directive seeks to extend the exchange of (financial) information to the broader scope of serious crime and provides for measures to facilitate access by FIUs to law enforcement information.Footnote 49 Being based on Article 87(2) TFEU,Footnote 50 the Directive seeks to enhance FIU cooperation by allowing FIUs of different Member States to exchange information related to terrorism or organised crime with their counterpartsFootnote 51 and to reply to requests for information by Europol, either through the national units or directly.Footnote 52

In December 2020, the European Data Protection Board (EDPB) issued a statementFootnote 53 on the protection of personal data processed in relation to the prevention of money laundering and terrorist financing, in which it emphasised the importance of AML measures complying with the rights to privacy and data protection. Specifically, the Board referred to the rights enshrined in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union (EU Charter), the principles of necessity and proportionality, as well as the case law of the Court of Justice of the European Union (CJEU).Footnote 54

Finally, in July 2021, the Commission proposed a legislative package to strengthen the EU’s AML and CFT rules, which consists of four proposals: a proposalFootnote 55 to revise the Fifth AML Directive into a Sixth AML Directive, a proposalFootnote 56 for a Regulation on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, a proposalFootnote 57 on the revision of the 2015 Regulation on Transfers of FundsFootnote 58 and a proposal to establish an EU AML authority tasked with supervising and coordinating national authorities and private sector entities.Footnote 59

All instruments mentioned above, including the new AML Package, seek to contribute to the fight against money laundering and terrorist financing by establishing rules on better access to financial information and by facilitating the exchange of such information between different bodies.Footnote 60 However, while both the Fifth AML Directive as well as the proposed AML Package are based on Article 114 TFEU and solely address preventive efforts to support AML and CTF measures, both the Directive on countering money laundering by criminal law and the Directive on measures to facilitate law enforcement access to financial information find their legal bases under Title V TFEU.Footnote 61

Hence, the wider regulatory AML framework shifted away from a predominantly single market focus to also include AML/CTF within the criminal law sphere.Footnote 62 This may also imply consequences regarding the way in which personal data may be collected and exchanged. Thus, where AML/CTF legislative measures that also refer to FIUs find their legal bases under Article 87(2) TFEU, this might serve as an argument that FIUs may apply law enforcement data protection rules to their processing activities, namely the LED. The following sections will briefly present the different legal frameworks under the GDPR and the LED and subsequently propose arguments for and against the application of the LED to FIU processing operations.

3 Data Protection rules applicable to Financial Intelligence Units

FIUs are operationally independent and autonomous entities established in all EU Member States and are tasked with receiving (and, as permitted, requesting), analysing, and disseminating financial information, including personal data, via STRs.Footnote 63 Positioned between the private sector and LEAs, FIUs, acting as intermediaries, serve as the central reception point for receiving financial disclosuresFootnote 64 from obliged entities.Footnote 65 Where, after the FIU analyses the material, there is a suspicion of money laundering or terrorist financing, the FIU shall forward the result of its analysis to the national authority responsible for prosecution.Footnote 66

In a nutshell, FIUs collect and process information for the purpose of analysing and identifying grounds to suspect money laundering, associated predicate offences or terrorist financing. At a later stage, the results of their analyses and relevant information are disseminated to the competent LEAs.Footnote 67 Whereas EU AML legislation establishes the conditions and competence of FIUs to access the information needed for their analyses, details on collection and subsequent processing of that information are defined by the FIUs themselves.Footnote 68 This is supposed to guarantee the operational independence and autonomy of FIUs.Footnote 69

During the process of information gathering, FIUs may request information from their counterparts in other EU Member States. Since EU legislation does not require Member States to adopt specific structures according to which FIUs shall be organized, different national models have developed depending on the FIUs’ functions, tasks, independence and domestic statuses.Footnote 70 These different models may be separated into administrative FIUs, law enforcement FIUs and mixed or hybrid FIUs.Footnote 71 Although FIUs should exchange information with their foreign counterparts regardless of their respective model,Footnote 72 obstacles regarding the access to, exchange and use of information as well as the operational cooperation exist due to the different national structures. While law enforcement FIUs normally hold law enforcement competences, including the power to freeze transactions and seize assets,Footnote 73 administrative FIUs may be more restricted when processing personal data for their analyses. This leads to an information gap between different types of FIUs,Footnote 74 since law enforcement FIUs, on average, have better access to national police and judicial dataFootnote 75 and may face limitations when cooperating with administrative FIUs in cross-border investigations.Footnote 76 The absence of a common structure to underpin this cooperation leads to situations where joint analyses are not performed for lack of common tools or resources. These divergences hamper cross-border cooperation, and thereby reduce the capacity to detect money laundering and terrorism financing early and effectively.Footnote 77

Hence, the distinction into different FIU models may have an impact on the way in which the different FIUs may process information for their analyses.Footnote 78 Since the analysis by FIUs involves the processing of personal data, such processing operations must comply with the EU data protection acquis. While the GDPR is applicable to general processing activities by both public and private entities, the LED solely applies when both its personal and material scope are satisfied, namely where a competent authority within the definition of Article 3(7) LEDFootnote 79 (personal scope) processes personal data for law enforcement purposes (material scope).Footnote 80 In the law enforcement context, competent authorities may generally process personal data more flexibly, as transparency obligations of controllers are less rigid and data subject rights to information and access may be restricted more easily in order not to jeopardize ongoing investigations.

Whereas the FIU model might not be the predominant factor in determining the applicable data protection framework, it influences the way in which FIUs may process and exchange information and the types of analyses that they are authorized to carry out. Hence, where law enforcement FIUs are permitted to process law enforcement information, it could be argued that such processing falls within the material scope of the LED. On the other hand, administrative FIUs that do not have access to such types of information fulfil neither the personal nor the material scope of the Directive. Whereas the processing by administrative FIUs of non-law enforcement information is governed by the rules under the GDPR’s data protection regime, FIUs that may process law enforcement information could on many occasions apply the LED, as in many Member States the material scope of the Directive defines its personal scope.

4 GDPR or LED?

Whereas some authors as well as many of the FIUs themselves naturally assume the applicability of the LED to their processing activities,Footnote 81 other scholars – particularly those coming from the data protection field – are more careful in such assumptions.Footnote 82 The following section shall first provide examples in favour of an application of the LED to the processing of personal data by FIUs and subsequently propose arguments against such application.

4.1 Arguments in favour of an application of the LED to FIU processing

FIUs often do not merely provide expertise to LEAs but rather analyse complex patterns of transactions on their own and thereby add value to the collected information.Footnote 83 Furthermore, the EU legislator left it to the national level to determine the exact functions and reporting systems of FIUs,Footnote 84 which led to divergences regarding the relationship between obliged entities, FIUs and LEAs in the different EU Member States.Footnote 85 Where Member States opted to confer real investigative and prosecutorial powers on their national FIUs, those could be seen as forming part of the LEAs themselves and therefore eligible to apply the data protection rules under the LED.

FIUs are established pursuant to Article 32 of the Fifth AML Directive and, for the time being, Article 17 of the proposed Sixth AML Directive.Footnote 86 The main tasks of the FIU under paragraph one of both the current and the proposed provision are to prevent, detect and effectively combat money laundering and terrorist financing. Under Article 18(1)(c) of the proposed Directive, FIUs, for the purpose of their operational analyses, shall have direct or indirect access to law enforcement information.Footnote 87 Hence, FIUs would have direct access to the databases held by the national police and/or intelligence agencies in order to subsequently use those data for their analyses.Footnote 88 Such analytical processing of law enforcement information for the purpose of preventing, detecting and effectively combating money laundering and terrorist financing should suffice to satisfy the material scope of the LED. As mentioned above, in many Member States, the material scope may define the personal scope of the LED, and hence, where FIUs – even if they would not be regarded as competent authorities under the LED – would process personal data for the above purposes, this could lead to the application of the LED.

In numerous Member States FIUs are regarded as competent authorities, which in turn means that both the personal scope and the material scope of the LED are satisfied. In those Member States where the FIUs are law enforcement-type FIUs, they normally also have law enforcement powers and are positioned within the structure of the national LEA. In those countries, the FIU commonly applies the LED to its processing activities. This is, for instance, the case in Denmark or Luxembourg where the FIU is part of the State Prosecutor’s office, or in Finland, where the FIU is located within the overall structure of the Finnish Police. In Germany, the FIU is of law enforcement type, although it forms part of the Federal Customs office. This classification might be due to the fact that initially, the FIU was established in the Federal Criminal Police Office.Footnote 89 Similarly, the FIUs in Belgium, Estonia and the Netherlands, which are nowadays self-standing authorities, but nevertheless classified as law enforcement type FIUs, were previously established within the structure of the national Police. This might explain why all of the above FIUs apply the LED to their processing activities.

In addition, both the current as well as the proposed legal framework on AML/CTF measures are anything but unambiguous when it comes to a clear definition of whether or not FIUs may apply the LED. Although FIUs are currently established and regulated under the Fifth AML Directive,Footnote 90 which derives from an internal market legal basis, that Directive ultimately refers to the processing of personal data by obliged entities, which are subject to the rules under the GDPR, as recognized in Article 41 of the Directive. Hence, while that provision does state that the GDPR generally applies to processing carried out under the Fifth AML Directive, it only refers to obliged entities, while not mentioning FIUs.

The Directive on rules to facilitate access by competent authorities to financial and other information is supposed to compensate for the limitations of the internal market legal basis and to tackle existing problems in the area of police cooperation.Footnote 91 That Directive repeals a Council DecisionFootnote 92 on cooperation between FIUs, which was adopted at a time when the domestic processing of personal data by competent authorities within the Member States was not regulated by EU law. That Council Decision makes reference to Council of Europe (CoE) instruments, namely Convention 108Footnote 93 and Recommendation R (87) 15 on regulating the use of personal data in the police sector.Footnote 94 It could, therefore, be argued that, since the Council Decision does not mention Directive 95/46/EC,Footnote 95 processing by FIUs was considered law enforcement processing.

Under Article 18 of the Directive on rules to facilitate access by competent authorities to financial and other information, data subject rights may be restricted in accordance with the respective rules under the GDPR and the LED. It is, however, unclear under which of the two instruments FIUs are allowed to process personal data for the performance of their tasks. Against that background, Articles 8Footnote 96 and 9Footnote 97 of the Directive clearly refer to law enforcement data that are to be exchanged between FIUs and competent authorities, as well as among the FIUs in different Member States. Although both Articles explicitly differentiate between ‘FIUs’ and ‘competent authorities’, the exchange of information for the prevention, detection and combating of money laundering and associated predicate offences or the analysis of information related to terrorism or organised crime associated with terrorism could be seen as processing carried out for law enforcement purposes. In those situations where FIUs would process such law enforcement information, they could apply the LED, even if they do not satisfy the personal scope, simply by extending the latter via the material scope.

Another provision under the Directive on law enforcement access to financial and other information that could support the argument that FIUs might be considered competent authorities under the LED is Article 7(5).Footnote 98 While that provision distinguishes competent authorities from FIUs, the second part of that paragraph could nevertheless be interpreted as including FIUs within the definition of competent authorities within the personal scope of the LED. That section refers to the processing of personal data for law enforcement purposes ‘other than those for which the personal data are collected in accordance with Article 4(2) [of the Directive]’. Article 4(2) LED thus regulates the subsequent processing of personal data under the Directive, which can only take place where these data have previously been processed by a competent authority within the scope of Article 4(1). Because of the ambiguous wording of Article 7(5) of the Directive on law enforcement access to financial information, FIUs could represent competent authorities within the meaning of Article 4(1) LED and would thus fall within the personal scope of the Directive.Footnote 99

It is regrettable that the proposed AML Package does little to nothing to provide some clarity on the data protection framework applicable to FIU processing. It could even be argued that some of the legislative proposals might lead to even more ambiguity. For instance, Article 2(31)(a) of the proposed Regulation on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing defines FIUs as competent authorities.Footnote 100 Furthermore, that article defines as competent authorities supervisory authorities, public authorities with designated responsibilities for combating money laundering or terrorist financing, and public authorities that have the function of investigating or prosecuting money laundering, its predicate offences or terrorist financing, or that have the function of tracing, seizing or freezing and confiscating criminal assets. Thus, the provision neither includes traditional LEAs within the definition of competent authorities, nor does it use the wording under Article 3(7) LED. This might not only lead to textual inconsistencies, but also trigger confusion with regard to the question of what or who constitutes a competent authority and may ultimately apply the LED.

Finally, some rules under the LED itself could serve to argue in favour of an application of the Directive to the processing of personal data by FIUs, as providing more suitable safeguards. This might, for instance, be the case with regard to the categorization of data subjects, the requirement to classify personal data into information based on facts and information based on personal assessments under Articles 6 and 7 of the LED, or the obligation to keep logs of certain processing operations pursuant to Article 25 LED. Those provisions are non-existent under the GDPR and might, in fact, contribute to higher protection standards in certain processing situations.Footnote 101 In addition, it could be argued that the system on the restriction of data subject rights under the LED is more developed than the one under the GDPR, despite the latter’s strong transparency obligations:

Article 39(1) of the Fifth AML Directive includes a rather broad non-disclosure clause that applies where obliged entities shall refrain from informing their customers if money laundering or terrorist financing analyses are being carried out. The non-disclosure obligation also applies to guarantee that inquiries, analyses, investigations or procedures for AML purposes are not obstructed and to ensure that the prevention, investigation and detection of money laundering and terrorist financing is not jeopardised.Footnote 102 In those cases, obliged entities would rely on Article 23 GDPR, which allows for the restriction of data subject rights and corresponding data protection principles by way of legislative measure.

Article 23 GDPR represents a horizontal limitation clause on the restriction of data subject rights for a number of grounds.Footnote 103 The LED, on the other hand, incorporates a structure pursuant to which the restriction of each right requires a specific legal basis. Hence, while Article 23 GDPR could be regarded as a general limitation clause, the system allowing for restrictions of data subject rights under the LED is laid down in individual derogation clauses that follow each right enshrined in the Directive. Under the LED, the national legislator may adopt legislative measures to restrict the individual data subject rights laid down in Article 13 LED (right to information), Article 14 LED (right of access) and Article 16 LED (right to rectification and erasure). Article 13(3) LED, Article 15 LED and Article 16(4) LED each include an option to restrict these rights separately for as long as necessary and proportionate. In addition, these provisions entail clear instructions for the controller to inform data subjects of any restriction as well as the corresponding processing that was carried out about them as soon as such notification may no longer jeopardize ongoing investigations. Although the GDPR is based on strong transparency obligations towards data subjects, its system on the restriction of data subject rights lacks such specific provisions that would compel controllers to inform data subjects after a restriction has taken place. Admittedly, the provisions under the LED include qualifiers such as the wording ‘for as long as such a […] restriction constitutes a necessary and proportionate measure’.Footnote 104 Yet, the accountability obligation that also applies under the Directive would require any restriction to be justifiable before the supervisory authority.

In addition, the Directive provides, under its Article 17, for an important administrative remedy by giving individuals the possibility to have their rights exercised by the national data protection supervisory authority on their behalf. In those circumstances, the LED might in fact constitute a more suitable instrument in order to allow for both effective cooperation between obliged entities, FIUs and other LEAs and, at the same time, to ensure the notification or indirect access rights for data subjects.

The EU legislator, by leaving the LED’s scope extremely broad, assigned the task of determining which authorities may apply the Directive to the national level. Consequently, it is left to the national legislators to define whether FIUs fall within the personal scope of the LED. In addition, under many national transposition acts, the Directive’s material scope may define its personal scope, so that authorities which process personal data for law enforcement purposes may apply the LED to their processing operations, albeit not being LEAs per se.Footnote 105

In addition, numerous Member States include a wide range of processing activities within the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. This often means that the Directive may apply to processing activities that are by far less of a law enforcement nature than the processing of personal data by FIUs. This is, for instance, the case in the field of migration management or border control. When comparing these two areas, the application of the LED to FIU processing when countering money laundering or terrorist financing might be more justifiable than the Directive’s application where border guards check the identity of so-called third country nationals. Such argument might not provide a legal ground for the LED’s application to FIUs, but it demonstrates that in reality, Member States included more authorities within the Directive’s scope than initially anticipated.Footnote 106 In order to prevent such broad application of the LED’s scope, legislative amendments might prove necessary.

4.2 Arguments against the application of the LED to FIU processing

Both the current AML/CTF legal framework and the proposed AML Package are not only established on an internal market legal basis, but also explicitly refer to the GDPRFootnote 107 as the instrument applicable to the processing of personal dataFootnote 108 and distinguish between FIUs and competent authorities.Footnote 109 Notice should also be taken of Article 95 GDPR, which states that Directive 95/46/EC is repealed by the GDPR and that all references to the repealed Directive are to be construed as references to the GDPR. With regard to FIUs, this means that all references to Directive 95/46/EC in the previous AML regime became references to the GDPR.

In addition, the fact that the Directive on law enforcement access to financial information distinguishes between FIUs and LEAs should be taken into account. The separation between administrative and law enforcement authorities should be put into a wider perspective, also considering existing structures. Such a differentiation exists, for instance, with regard to EU Agencies, where the law distinguishes between Agencies that are competent for administrative offences and Agencies that are competent for criminal offences, as is the case for OLAF (the European Anti-Fraud Office) and the EPPO (the European Public Prosecutor’s Office).

In addition, FIUs are subject to a different legal regime than so-called Passenger Information Units (PIUs), which collect passenger name record (PNR) dataFootnote 110 from air carriers in order to store, process and transfer those data, or the result of their processing, to the competent authorities.Footnote 111 PIUs are generally established within the organizational structure of the competent LEAs in the Member States and are themselves competent for the prevention, detection, investigation or prosecution of terrorist offences and of serious crime.Footnote 112 Under the PNR Directive,Footnote 113 PIUs are subject to the rules of the LED.Footnote 114

Against that background, Article 17(4) of the proposed Sixth AML Directive states that in cases where a FIU is located within the existing structure of another authority, the FIU’s core functions shall be independent and operationally separated from the functions of the host authority. Hence, the provision not only differentiates between FIUs and other (law enforcement) authorities, but also between their tasks and thus, processing activities, which should have an impact on the applicable data protection regime. In that vein, it needs to be noted that some FIUs do not even analyse the data that they receive and only operate databases that are directly accessible for LEAs. In such cases, it can hardly be argued that the FIU itself processes personal data for law enforcement purposes and would be capable of applying the LED to manage a police database.

In addition, even where law enforcement FIUs may apply the Directive to their processing operations, Article 9 LED stipulates that where competent authorities process personal data for non-law enforcement purposes, the GDPR applies to those processing activities. Paragraphs 1 and 2 of that Article clearly state that the GDPR is applicable whenever competent authorities process personal data for purposes other than the prevention, investigation, detection or prosecution of criminal offences, unless the processing is carried out in an activity which falls outside the scope of Union law.Footnote 115 In those Member States where FIUs may process personal data within the scope of the LED, their tasks should be explicitly clarified in order to prevent grey zones between the GDPR and the LED and to ensure that FIUs’ non-law enforcement processing falls within the scope of the GDPR.

5 Data retention: comparing standards

One area that has not (yet) been taken into consideration, but which nevertheless deserves attention for the sake of this analysis, is data retention. Financial data allow accurate conclusions about the shopping behaviour of a purchaser and his or her personal choices, and they reveal the time of a purchase and the purchaser’s exact location, as payments are easily traceable. Due to the long retention periods and the potential re-use of financial information for law enforcement purposes, this aspect should play an important role in the discussion on data retention schemes, also considering the CJEU’s case law on that matter.

In the area of data retention, access to personal data by law enforcement authorities and the issue of mass surveillance by intelligence agencies, important cases have been decided, especially during the last couple of years.Footnote 116 At EU level, the CJEU has progressively strengthened data subjects’ rights through its case law,Footnote 117 in particular since the Lisbon Treaty of 2009 made the EU Charter a legally binding instrument of EU primary law, which has since served as the basis for the CJEU’s interpretation of fundamental rights. Previously, the Court had depended on referring to fundamental rights as general principles of EU law and to Article 8 of the European Convention on Human Rights (ECHR) in its jurisprudence.Footnote 118

However, until recently, the most prominent CJEU cases on data retention measures by private entities almost exclusively dealt with the retention of telecommunications data. Hence, there is a need to evaluate the CJEU judgments on data retention not solely in relation to the retention of telecommunications data, but to apply the Court’s findings also to other data retention regimes on EU level. In that regard, the regime on the retention of financial data should be assessed concerning its (in)compatibility with the standards set by the jurisprudence of the CJEU and the European Court of Human Rights (ECtHR).

Under the Fifth AML Directive, Member State law shall determine the period in which financial data should be retained by obliged entities.Footnote 119 Generally, that retention period should be fixed at five years after the end of a business relationship or of an occasional transaction. When justified and where deemed useful for the purposes of prevention, detection or investigation of money laundering and terrorist financing, such information may be retained for an additional five years, in line with the necessity and proportionality requirements.Footnote 120

Similarly, under the proposed Sixth AML Directive, obliged entities would have to retain a copy of the documents and information obtained in the performance of the customer due diligence and supporting evidence obligations as well as records of transactions for five years.Footnote 121 In addition, Member States could allow or require the retention of such information or documents for a further period of five years.Footnote 122

While the ECtHR has, on several occasions,Footnote 123 decided on the retention of financial data, CJEU case law on that matter is overdue, despite the Court’s rich case law on data retention measures applicable to telecommunications data. Three years after the entry into application of the GDPR and seven years after the Court’s first landmark judgment on the retention of telecommunications data,Footnote 124 a case on the long storage periods of financial data is still lacking.

On 19 October 2021, the Grand Chamber of the CJEU deliberated whether the public register of beneficial owners under the current AML framework is in conformity with the rights to privacy and data protection. The case concerns the requirement for Member States to set up a central register containing information on the beneficial ownership of corporate and other legal entities under the Fifth AML Directive. In the case, which was referred by a Luxembourg court, it was argued that the requirement to make this register accessible to any member of the public is excessive.Footnote 125 Unfortunately, the question of the data retention periods applicable to financial data was not at issue in this case. It will, however, be interesting to see how the Court decides on that matter in the future.

6 Further outlook and concluding remarks

Ultimately, the harmonized rules under the LED could ensure an adequate level of data protection while, at the same time, ensuring smooth cooperation between FIUs and (other) competent authorities. Allowing FIUs to gather, analyse and exchange information more flexibly might improve the effectiveness of their cooperation and could help them maintain their role as intermediary between the private sector and LEAs. In addition, an enhanced effectiveness of FIUs might serve as an argument against further possibilities for LEAs to directly access personal data.

It is important to repeat that, in many Member States, the LED is being applied in situations that seem far less of a law enforcement nature than the processing of personal data by FIUs. For instance, in the context of border control and the irregular entry of so-called third country nationals, many national legislators have, by criminalizing such irregular entry, allowed the application of the LED in such situations. This is even the case where authorities such as border guards would otherwise not be competent authorities within the scope of the Directive. It could, therefore, be argued that if the LED applies in such situations, it should also be applicable to AML/CTF processing carried out by FIUs.

The processing of personal data by FIUs within the scope of the LED might, in the future even bring certain data protection benefits. With regard to the recently proposed AI Act,Footnote 126 the latter excludes from its scope certain high-risk processing operations carried out by LEAs. Banks and non-law enforcement authorities on the other hand might have more possibilities to engage in such AI-enabled processing operations. Evidently, there will be many loopholes to also allow LEAs to circumvent the abovementioned exceptions. Nevertheless, the threshold might be more difficult to establish.

The recently proposed AML Package, consisting of two new regulations, a new AML Directive, and a proposal for the revision of the existing Regulation on the transfer of funds, will need to be assessed in more detail, also with regard to the data protection rules applicable to FIUs. As it stands now, the proposed framework adds little to clarify whether FIUs could apply the LED to their processing activities. It would therefore be welcome if the negotiations further clarified this issue.

In addition, the reform proposes a Regulation establishing an Authority on AML and CTF measures (AMLA). The new Authority would be responsible both for directly supervising some of the Union’s largest financial players and for aiding and monitoring national FIUs. In addition, AMLA would assume some of the tasks currently carried out by existing EU agencies.Footnote 127 This would include taking over the management of the secure communication network between FIUs, previously maintained by Europol.Footnote 128 Which data protection rules would apply to this new EU Agency where it processes law enforcement information remains to be seen. Yet, there is a risk that AMLA will be able to argue that it falls within the scope of Chapter IX of Regulation (EU) 2018/1725, which governs the processing of so-called operational personal data (law enforcement personal data). This would be problematic, as Chapter IX remains unfinished with regard to rules on international transfers and supervision by the European Data Protection Supervisor.Footnote 129