The Data Protection Implications of the EU AML Framework: A Critical Overview & the Case of AI

Part of the Lecture Notes in Computer Science book series (LNSC, volume 13279)

Abstract

The tension between the data protection and AML/CFT frameworks, and the need to align them, have been pointed out by scholars and authorities since the first AMLD, over thirty years ago. Despite the criticism, none of the competent authorities has issued pragmatic guidance aimed at consolidating the two regimes. This lack of regulatory clarity, together with the fragmented implementation and interpretation of the AMLD across the EU, is aggravating the challenges faced by obliged entities. At the same time, the adoption of emerging technologies, such as AI, for AML/CFT purposes further highlights the need to harmonise the various conflicting obligations in order to avoid duplication and gold-plating practices. Following a doctrinal approach based on primary sources, the present paper aims to contribute to the discussion on reconciling the data protection and AML/CFT frameworks from the perspective of the obliged entities, considering the recent regulatory developments, namely the AML Package and the AIA Proposal, the relevant case law of the EUCJ, and the current literature.

Keywords

  • AML
  • Data protection
  • AI

Notes

  1. Without prejudice to the data identified in relation to beneficiary owners in Article 30 AMLD (i.e. date of birth and contact details) and the information contained in central registries by the Member States, pursuant to Article 32a AMLD.

  2. Interestingly, aside from a general reference to complying with data protection requirements, such as data localisation and security, FATF in its AML/CFT Guidance and Methodologies expressly refers only to the confidentiality and data protection obligations of competent authorities when it comes to data protection [18, p. 111; 19, p. 93].

  3. A similar observation has been made by FATF in its Methodology for Assessing Technical Compliance with FATF Recommendations and the Effectiveness of AML/CFT Systems [18, p. 22].

  4. See Sect. 3 below regarding processing of certain categories of data and Sect. 4 regarding outsourcing.

  5. C-311/18 - Facebook Ireland and Schrems, available at https://curia.europa.eu/juris/liste.jsf?num=C-311/18.

  6. The same conclusion is drawn by the EDPB regarding silent party data. In this regard, note that PSD2 states that data collected should only be used for the purpose of providing the requested services.

  7. See Sect. 3 below.

  8. See, among others, Case C-136/17, C.G, CURIA - Documents (europa.eu).

  9. Watchlists as referred to in the Letter of the EDPB [14, p. 5].

  10. See Sect. 4 below.

  11. Similarly, in the AML Proposal (Recital 62 and Article 40(1)).

References

  1. Article 29 Data Protection Working Party: Opinion 14/2011 on data protection issues related to the prevention on money laundering and terrorist financing, adopted on 13 June 2011 (2011)

  2. Article 29 Data Protection Working Party: Guidelines on Automated individual decision-making and Profiling for the purposes of Regulation 2016/679, adopted on 3 October 2017, as last revised and adopted on 6 February 2018 (2018)

  3. Article 29 Data Protection Working Party: Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679, adopted on 4 April 2017, as last revised and adopted on 4 October 2017 (2017)

  4. Bertrand, A., Maxwell, W., Vamparys, X.: Are AI-based anti-money laundering (AML) systems compatible with European fundamental rights? In: Telecom Paris Research Paper Series (2020). https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3647420

  5. Brewczynska, M.: Financial intelligence units: reflections on the applicable data protection legal framework. Comput. Law Secur. Rev. (2021). https://doi.org/10.1016/j.clsr.2021.105612

  6. European Banking Authority: Final Report on EBA Guidelines on Outsourcing Arrangements (2019). https://www.eba.europa.eu/sites/default/documents/files/documents/10180/2551996/38c80601-f5d7-4855-8ba3-702423665479/EBA%20revised%20Guidelines%20on%20outsourcing%20arrangements.pdf?retry=1

  7. European Banking Authority: Final Report on Guidelines on the characteristics of a Risk‐based Supervision under Article 48(10) of Directive (EU) 2015/849 (2021). https://www.eba.europa.eu/sites/default/documents/files/document_library/Publications/Guidelines/2021/EBA-GL-2021-16%20GL%20on%20RBA%20to%20AML%20CFT/1025507/EBA%20Final%20Report%20on%20GL%20on%20RBA%20AML%20CFT.pdf

  8. European Commission: Communication from the Commission on an Action Plan for a comprehensive Union policy on preventing money laundering and terrorist financing (2020/C 164/06) (2021)

  9. European Commission: Proposal for a Directive of the European Parliament and of the Council on the mechanisms to be put in place by the Member States for the prevention of the use of the financial system for the purposes of money laundering or terrorist financing COM (2021) 423 (2021)

  10. European Commission: Proposal for a Regulation of the European Parliament and of the Council Laying Down Harmonised Rules on Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts, COM/2021/206 final (2021). https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A52021PC0206

  11. European Commission: Proposal for a Regulation of the European Parliament and of the Council on European Data Governance (Data Governance Act) COM (2020) 767 final (2020)

  12. European Commission: Proposal for a Regulation of the European Parliament and of the Council on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing COM (2021) 420 final (2021)

  13. European Data Protection Board: Guidelines 06/2020 on the interplay of the Second Payment Services Directive and the GDPR, version 2.0, adopted, 15 October 2020 (2020). https://edpb.europa.eu/sites/default/files/files/file1/edpb_guidelines_202006_psd2_afterpublicconsultation_en.pdf

  14. Letter of Andrea Jelinek, Chair of the EDPB, to Ms. Mairead McGuinness, European Commissioner for Financial services, financial stability and Capital Markets Union, and Mr. Didier Reynders, European Commissioner for Justice, on 19 May 2021 (2021). https://edpb.europa.eu/system/files/2021-05/letter_to_ec_on_proposals_on_aml-cft_en.pdf

  15. European Data Protection Board: Statement on the protection of personal data processed in relation with the prevention of money laundering and terrorist financing, adopted on 15 December 2020 (2020)

  16. European Data Protection Supervisor: Opinion 12/2021 on the anti-money laundering and countering the financing of terrorism (AML/CFT) package of legislative proposals, 22 September 2021 (2021)

  17. European Data Protection Supervisor: Opinion 5/2020 on the European Commission’s action plan for a comprehensive Union policy on preventing money laundering and terrorism financing (2020). https://edps.europa.eu/sites/edp/files/publication/20-07-23_edps_aml_opinion_en.pdf

  18. Financial Action Task Force: International Standards on Combating Money Laundering and the Financing of Terrorism & Proliferation. (2012–2021). www.fatf-gafi.org/recommendations.html

  19. Financial Action Task Force: Methodology for Assessing Technical Compliance with FATF Recommendations and the Effectiveness of AML/CFT Systems, adopted in February 2013, updated in November 2020 (2013). https://www.fatf-gafi.org/media/fatf/documents/methodology/FATF%20Methodology%2022%20Feb%202013.pdf

  20. Koster, H.: Towards better implementation of the European Union’s anti-money laundering and countering the financing of terrorism framework. J. Money Laundering Control 23(2), 379–386 (2020). https://doi.org/10.1108/JMLC-09-2019-0073

  21. Malgieri, G., Comandé, G.: Why a right to legibility of automated decision-making exists in the general data protection regulation. Int. Data Priv. Law 7(3), 243 (2017). https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3088976

  22. Maxwell, W.: The GDPR and private sector measures to detect criminal activity. Revue des Affaires européennes - Law & European Affairs (2021). https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3964066

  23. Milaj, J., Kaiser, C.: Retention of data in the new anti-money laundering directive—‘need to know’ versus ‘nice to know’. Int. Data Priv. Law 7(2), 115–125 (2017). https://doi.org/10.1093/idpl/ipx002

  24. Quintel, T.: Follow the Money, if you can: possible solutions for enhanced FIU cooperation under improved data protection rules. Law Working Paper Series, Paper number 2019–001 (2019). https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3318299

  25. Wachter, S., Brent M., Floridi, L.: Why a right to explanation of automated decision-making does not exist in the general data protection regulation. Int. Data Priv. Law 7(3), 47 (2017). https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2903469

Correspondence to Iakovina Kindylidi.

© 2022 Springer Nature Switzerland AG

About this paper

Cite this paper

Kindylidi, I. (2022). The Data Protection Implications of the EU AML Framework: A Critical Overview & the Case of AI. In: Gryszczyńska, A., Polański, P., Gruschka, N., Rannenberg, K., Adamczyk, M. (eds) Privacy Technologies and Policy. APF 2022. Lecture Notes in Computer Science, vol 13279. Springer, Cham. https://doi.org/10.1007/978-3-031-07315-1_3

  • DOI: https://doi.org/10.1007/978-3-031-07315-1_3

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-07314-4

  • Online ISBN: 978-3-031-07315-1

  • eBook Packages: Computer Science (R0)