Data protection rules applicable to Financial Intelligence Units: still no clarity in sight

Financial information can play a key role in tackling money laundering, terrorist financing and combatting serious crime more generally. Preventing and fighting money laundering and the financing of terrorism were top priorities of the European Union’s (EU) Security Strategy for 2020-2025, which might explain the fast developments regarding legislative measures to further regulate anti-money laundering (AML) and counter terrorism financing (CTF). In May 2020, the European Commission put forward an Action Plan to establish a Union policy on combatting money laundering and shortly afterwards, proposed a new AML Package. Financial Intelligence Units (FIUs) play a crucial role in analysing and exchanging information concerning unusual and suspicious transactions, serving as intermediaries between the private sector and law enforcement authorities (LEAs). Such information includes personal data, which is protected under the EU data protection acquis. The latter is constituted of two main laws, the General Data Protection Regulation (GDPR), which applies to general processing and the so-called Law Enforcement Directive (LED) that is applicable when competent law enforcement authorities process personal data for law enforcement purposes. This Article argues that the current legal framework on AML and CTF legislation is unclear on the data protection regime that applies to the processing of personal data by FIUs and that the proposed AML Package does little or nothing to clarify this dilemma. In order to contribute to the discussion on the applicable data protection framework for FIUs, the assessment puts forward arguments for and against the application of the LED to such processing, taking into account the relevant legal texts on AML and data protection.


Introduction
Terrorist and organized crime networks such as drug cartels or human traffickers operate across borders and rely on financial assets that are transferred from one country to another. 1 The interconnectivity of the financial system and modern technologies allow those criminal groups to shift money between several bank accounts in a matter of hours in order to launder that money. 2 In the European Union (EU), all recent major money laundering cases that were reported had a cross-border dimension. 3 Financial information, including personal data, is therefore a crucial tool for the identification of criminal networks and for the prevention, detection, investigation and prosecution of serious crime and terrorism.
Such information can play a key role in tackling money laundering, terrorist financing, and combatting serious crime in more general terms. This is one of the reasons why the fight against money laundering and the financing of terrorism were top priorities in the EU's Security Union Strategy for 2020-2025. 4 It might also explain the fast developments regarding the regulation of Anti-Money Laundering (AML) and Counter Terrorism Financing (CTF) legislation and the European Commission's (Commission) Action Plan to establish a Union policy on combatting money laundering from May 2020, 5 eventually leading to the proposal of an Anti-Money Laundering Package ('AML Package') on 20 July 2021. 6 The proposed AML Package is the most recent legislative endeavour by the Commission to reform the AML/CTF framework and to react to recent scandals around unnoticed illicit transactions. 7 The package seeks to enhance the effective implementation of the existing EU AML/CFT framework, inter alia, by facilitating timely access to financial data, fostering an enhanced information exchange between the relevant authorities, and by establishing a new EU Authority for supervision.
The latter authority is supposed to indirectly monitor obliged entities that operate on national level through the supervision of so-called Financial Intelligence Units (FIUs).
4 Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions on the EU Security Union Strategy COM(2020) 605 final, Brussels, 24 July 2020.
5 Communication from the Commission on an Action Plan for a comprehensive Union policy on preventing money laundering and terrorist financing [2020] OJ C 164/21.
6 European Commission, 'Anti-money laundering and countering the financing of terrorism legislative package', https://ec.europa.eu/info/publications/210720-anti-money-laundering-counteringfinancing-terrorism_en. For a first analysis, see: Sotiris Paphitis, 'The EU's AML Package: an examination', European Law Blog (October 2021); https://europeanlawblog.eu/2021/10/12/7922/.
Obliged entities such as banks and other private bodies 8 are required to compile unusual financial transactions 9 that are suspected to facilitate money laundering or terrorist financing in suspicious transaction reports (STRs). 10 The abovementioned FIUs play a crucial role in analysing and exchanging information concerning suspicious transactions, serving as intermediaries between the private sector and law enforcement authorities (LEAs). 11 Because of the abovementioned international nature of financial crime, cooperation between national FIUs is of paramount importance. Yet, FIUs are not always able to exchange data effectively, which generates information gaps that are often caused by the different organizational structures according to which national FIUs are established. Apart from the structure that may be decisive when determining which information FIUs are able to use for their analyses, their tasks and relationship towards the national LEA may differ, which can lead to divergences in terms of data protection rules that apply to FIUs when processing personal data. 12 Where data protection rules are applied differently, this may lead to incoherencies with regard to transparency obligations for controllers, data subject rights or the restrictions thereof.
Whereas some FIUs apply Regulation (EU) 2016/679 13 (General Data Protection Regulation, 'GDPR') to their processing activities, others apply Directive (EU) 2016/680 14 (Law Enforcement Directive, 'LED'), which applies where competent authorities process personal data for the prevention, investigation, detection or prosecution of criminal offences, including the safeguarding against and the prevention of threats to public security. Because the LED neither clearly defines what constitutes a competent authority nor what is to be included within the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security, the scope of the Directive is broadened where national legislators decided to apply the LED not only to traditional criminal LEAs, but also to other authorities that may contribute to the prevention, detection or investigation of crime, such as FIUs. The application of the LED may lead to a lower level of data protection standards, as in the law enforcement context, data protection principles are more resilient, data subject rights may be restricted more flexibly and obligations for controllers are not as stringent as under the GDPR. 15
In addition, the line between administrative sanctions and criminal law measures seems to become increasingly blurred, as some of the legislative measures in the area of AML/CTF are no longer based solely on internal market provisions, 16 but also on police and judicial cooperation legal bases. 17 Although the most recent legislative proposals within the AML Package are exclusively based on the internal market legal basis under Article 114 of the Treaty on the Functioning of the European Union (TFEU), the wording regarding the nature and tasks of national FIUs in those proposals seems ambiguous and could, in certain instances, be interpreted as allowing them to apply the LED.
7 Richard Milne and Daniel Winter, 'Danske: anatomy of a money laundering scandal: How the Danish bank found itself at the centre of a €200bn money laundering scandal', Financial Times, 19 December 2018; https://www.ft.com/content/519ad6ae-bcd8-11e8-94b2-17176fbf93f5.
8 For instance, auditors, real estate agents, tax advisors, trusts or casinos.
9 The annual report of the Dutch FIU differentiated between unusual and suspicious transactions, see: Financial Intelligence Unit - the Netherlands, 'annual review FIU - the Netherlands' (2020) 7 ff.; https://www.fiu-nederland.nl/sites/www.fiu-nederland.nl/files/documenten/5324-fiu_jaaroverzicht_2020-eng-web_v1.pdf.
The following sections of this article will briefly illustrate EU legislation on AML and CT measures that has been introduced in the past years, as well as the recently proposed legislative texts. Section 2 will present the different organizational structures according to which FIUs are set up in the Member States and the tasks that they carry out. Thereafter, Sect. 3 will give a short overview of the different data protection instruments, namely the GDPR and the LED, and provide arguments in favour of and against the application of the LED to processing activities carried out by national FIUs. Finally, Sect. 5 will reflect on data retention and access measures to personal data in the area of AML and CTF and compare such measures to those that apply in the area of data retention by telecommunication providers.
15 The legal texts referred to in this contribution are based on Article 83(1) (Judicial cooperation in criminal matters) and Article 87(2) TFEU (police cooperation and, inter alia, collection, storage, processing, analysis and exchange of relevant information).

EU Legislation on Anti Money Laundering and Counter Terrorist Financing
The EU legal regime on AML and CTF has been developed since the 1990s and has progressively strengthened the role of FIUs. 18 The First AML Directive was adopted in 1991 19 to provide the initial stage for setting up a harmonized framework in the EU Single Market, establishing key preventative measures such as customer identification, record-keeping and central methods of reporting suspicious transactions. 20 The provisions of that Directive were refined in the Second 21 and the Third AML Directives, 22 which were adopted in 2001 and in 2006 respectively. The Second AML Directive established a broader definition of money laundering and included underlying offences within its scope. 23 Five years later, the Third AML Directive introduced a so-called risk-based approach, 24 which required businesses falling within its scope to carry out a risk-assessment of their customers, based on a variety of factors. 25 In accordance with the risk attributed to a particular customer, the obliged entity had to apply Customer Due Diligence measures along the 'Know Your Customer' concept. 26 All these additional obligations required an increased processing of personal data, also by FIUs. In May 2015, the Fourth AML Directive 27 was adopted, further regulating the processing of personal data by FIUs 28 and increasing their capacity to cooperate. 29 For instance, the Directive sought to ensure timely and unrestricted access by FIUs to relevant financial data, 30 to empower FIUs to take urgent action 31 and to improve coordination and cooperation between FIUs. 32 Furthermore, the Directive required obliged entities to provide FIUs with all necessary information 33 and to hold a central register on their beneficial ownership to which FIUs and other competent authorities had access. 34 In addition, the Directive suggested that FIUs should exchange information freely, spontaneously or upon request, with third-country entities. 35
Only one year after the adoption of the Fourth AML Directive, the Commission published, in response to the terrorist attacks in Paris and Brussels, and due to the 'Panama Papers' scandal, 36 amendments to that Directive in a proposal for a Fifth AML Directive. 37 The Fifth AML Directive, 38 which was adopted in May 2018, 39 seeks to strengthen the previous requirements concerning cooperation between national authorities and to improve cross-border cooperation. 40 This includes a further enhancement of the effectiveness and efficiency of FIUs, for instance, by seeking to clarify the powers of and cooperation between them, as well as the abolishment of obstacles that may hinder the exchange of information between FIUs or the forwarding thereof. 41 Under the Fifth AML Directive, FIUs are able to obtain information from any obliged entity, even where no prior STRs are filed. 42 The amendments reinforce the preventive framework against money laundering, inter alia, by broadening the capacity of FIUs to access and exchange information. 43 In October 2018, a Directive on countering money laundering by criminal law 44 was adopted to complement the Fifth AML Directive. 45 Being based on Article 83(1) TFEU, that Directive 46 seeks to improve judicial cooperation in criminal matters and to reinforce the application of the Fifth AML Directive in order to tackle AML/CTF by means of criminal law. 47 In addition, a Directive laying down rules facilitating the use of financial and other information for the prevention, detection, investigation or prosecution of certain criminal offences entered into force on 31 July 2019. 48 Besides new procedures for LEAs to obtain information from registered entities, the Directive seeks to extend the exchange of (financial) information to the broader scope of serious crime and provides for measures to facilitate access by FIUs to law enforcement information.
49 terrorism or organised crime with their counterparts 51 and to reply to requests for information by Europol, either through the national units or directly. 52 In December 2020, the European Data Protection Board (EDPB) issued a statement 53 on the protection of personal data processed in relation to the prevention of money laundering and terrorist financing, in which it emphasised the importance of AML measures to comply with the rights to privacy and data protection. Specifically, the Board referred to the rights enshrined in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union (EU Charter), the principles of necessity and proportionality, as well as the case law of the Court of Justice of the European Union (CJEU). 54 Finally, in July 2021, the Commission proposed a legislative package to strengthen the EU's AML and CFT rules, which consists of four proposals: a proposal 55 to revise the Fifth AML Directive into a Sixth AML Directive, a proposal 56 for a Regulation on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, a proposal 57 on the revision of the 2015 Regulation on Transfers of Funds 58 and a proposal to establish an EU AML authority tasked with supervising and coordinating national authorities and private sector entities. 59 All instruments mentioned above, including the new AML Package, seek to contribute to the fight against money laundering and terrorist financing by establishing rules on better access to financial information and by facilitating the exchange of such information between different bodies. 60
However, while both the Fifth AML Directive and the proposed AML Package are based on Article 114 TFEU and solely address preventive efforts to support AML and CTF measures, both the Directive on countering money laundering by criminal law and the Directive on measures to facilitate law enforcement access to financial information find their legal bases under Title V TFEU. 61 Hence, the wider regulatory AML framework shifted away from a predominantly single market focus to also include AML/CTF within the criminal law sphere. 62 This may also imply consequences regarding the way in which personal data may be collected and exchanged. Thus, where AML/CTF legislative measures that also refer to FIUs find their legal bases under Article 87(2) TFEU, this might serve as an argument that FIUs may apply law enforcement data protection rules to their processing activities, namely the LED. The following sections will briefly present the different legal frameworks under the GDPR and the LED and subsequently propose arguments for and against the application of the LED to FIU processing operations.

Data Protection rules applicable to Financial Intelligence Units
FIUs are operationally independent and autonomous entities established in all EU Member States and are tasked with receiving (and, as permitted, requesting), analysing, and disseminating financial information, including personal data, via STRs. 63 Positioned between the private sector and LEAs, FIUs, acting as intermediaries, serve as the central reception point for receiving financial disclosures 64 from obliged entities. 65 Where, after the FIU analyses the material, there is a suspicion of money laundering or terrorist financing, the FIU shall forward the result of its analysis to the national authority responsible for prosecution. 66 In a nutshell, FIUs collect and process information for the purpose of analysing and identifying grounds to suspect money laundering, associated predicate offences or terrorist financing. At a later stage, the results of their analyses and relevant information are disseminated to the competent LEAs. 67 Whereas EU AML legislation establishes the conditions and competence of FIUs to access the information needed for their analyses, details on collection and subsequent processing of that information are defined by the FIUs themselves. 68 This is supposed to guarantee the operational independence and autonomy of FIUs. 69 During the process of information gathering, FIUs may request information from their counterparts in other EU Member States. Since EU legislation does not require Member States to adopt specific structures according to which FIUs shall be organized, different national models have developed depending on the FIUs' functions, tasks, independence and domestic statuses. 70 These different models may be separated into administrative FIUs, law enforcement FIUs and mixed or hybrid FIUs. 71
Although FIUs should exchange information with their foreign counterparts regardless of their respective model, 72 obstacles regarding the access to, exchange and use of information as well as the operational cooperation exist due to the different national structures. While law enforcement FIUs normally obtain law enforcement competences, including the power to freeze transactions and seize assets, 73 administrative FIUs may be more restricted when processing personal data for their analyses. This leads to an information gap between different types of FIUs, 74 since law enforcement FIUs, on average, have better access to national police and judicial data 75 and may face limitations when cooperating with administrative FIUs in cross-border investigations. 76 The absence of a common structure to underpin this cooperation leads to situations where joint analyses are not performed for lack of common tools or resources. These divergences hamper cross-border cooperation, and thereby reduce the capacity to detect money laundering and terrorism financing early and effectively. 77 Hence, the distinction into different FIU models may have an impact on the way in which the different FIUs may process information for their analyses. 78 Since the analysis by FIUs involves the processing of personal data, such processing operations must comply with the EU data protection acquis. While the GDPR is applicable to general processing activities by both public and private entities, the LED solely applies when both its personal and material scope are satisfied, namely where a competent authority within the definition of Article 3(7) LED 79 (personal scope) processes personal data for law enforcement purposes (material scope). 80
In the law enforcement context, competent authorities may generally process personal data more flexibly, as transparency obligations of controllers are less rigid and data subject rights to information and access may be restricted more easily in order not to jeopardize ongoing investigations.
60 EPRS, 'Prevention of the use of the financial system for the purposes of money laundering or terrorist financing', PE 587.354, October 2016, 4. The first few financial intelligence units (FIUs) were established in the early 1990s.
Whereas the FIU model might not be the predominant factor in determining the applicable data protection framework, it influences the way in which FIUs may process and exchange information and the types of analyses that they are authorized to carry out. Hence, where law enforcement FIUs are permitted to process law enforcement information, it could be argued that such processing falls within the material scope of the LED. On the other hand, administrative FIUs that do not have access to such types of information fulfil neither the personal nor the material scope of the Directive. Whereas the processing by administrative FIUs of non-law enforcement information is governed by the rules under the GDPR's data protection regime, FIUs that may process law enforcement information could on many occasions apply the LED, as in many Member States, the material scope of the Directive defines its personal scope.

GDPR or LED?
Whereas some authors as well as many of the FIUs themselves naturally assume the applicability of the LED to their processing activities, 81 other scholars - particularly those coming from the data protection field - are more careful in such assumptions. 82 The following section shall first provide examples in favour of an application of the LED to the processing of personal data by FIUs and subsequently propose arguments against such application.
82 Eleni Kosta writes that '[...] when it comes to processing of data carried out by the FIUs, the lawful basis can be 6(1)(c) GDPR, i.e. that the data processing is necessary for compliance with a legal obligation of the FIUs. Alternatively, FIUs can process personal data on the basis on Article 6(1)(e) GDPR, i.e. the processing is necessary for the performance of a task carried out in the exercise of official authority vested in the controller, the FIUs in this case'. See: Kosta (n. 83).

Arguments in favour of an application of the LED to FIU processing
FIUs often do not merely provide expertise to LEAs but rather analyse complex patterns of transactions on their own and thereby add value to the collected information. 83 Furthermore, the EU legislator left it to the national level to determine the exact functions and reporting systems of FIUs, 84 which led to divergences regarding the relationship between obliged entities, FIUs and LEAs in the different EU Member States. 85 Where Member States opted to confer real investigative and prosecutorial powers to their national FIUs, those could be seen as forming part of the LEAs themselves and therefore eligible to apply the data protection rules under the LED.
FIUs are established pursuant to Article 32 of the Fifth AML Directive (EU) and, for the time being, Article 17 of the proposed Sixth AML Directive. 86 The main tasks of the FIU under paragraph one of both the current and the proposed provision are to prevent, detect and effectively combat money laundering and terrorist financing. Under Article 18(1)(c) of the proposed Directive, FIUs, for the purpose of their operational analyses, shall have direct or indirect access to law enforcement information. 87 Hence, FIUs would have direct access to the databases held by the national police and/or intelligence agencies in order to subsequently use those data for their analyses. 88 Such analytical processing of law enforcement information for the purpose of preventing, detecting and effectively combating money laundering and terrorist financing should suffice to satisfy the material scope of the LED. As mentioned above, in many Member States, the material scope may define the personal scope of the LED, and hence, where FIUs - even if they would not be regarded as competent authorities under the LED - would process personal data for the above purposes, this could lead to the application of the LED.
87 Such information includes any type of information or data which is already held by competent authorities in the context of preventing, detecting, investigating or prosecuting criminal offences and any type of information or data which is held by public authorities or by private entities in the context of preventing, detecting, investigating or prosecuting criminal offences and which is available to competent authorities without the taking of coercive measures under national law.
88 The AML/CFT framework entails complex exchanges of data between customers, obliged entities, Financial Intelligence Units (FIUs) and law enforcement authorities, as well as intelligence services in some cases. See Kosta (n. 68) 6.
In numerous Member States, FIUs are regarded as competent authorities, which in turn means that both the personal scope and the material scope of the LED are satisfied. In those Member States where the FIUs are law enforcement-type FIUs, they normally also have law enforcement powers and are positioned within the structure of the national LEA. In those countries, the FIU commonly applies the LED to its processing activities. This is, for instance, the case in Denmark or Luxembourg where the FIU is part of the State Prosecutor's office, or in Finland, where the FIU is located within the overall structure of the Finnish Police. In Germany, the FIU is of law enforcement type, although it forms part of the Federal Customs office. This classification might be due to the fact that initially, the FIU was established in the Federal Criminal Police Office. 89 Similarly, the FIUs in Belgium, Estonia and the Netherlands, which are nowadays self-standing authorities, but nevertheless classified as law enforcement type FIUs, were previously established within the structure of the national Police. This might explain why all of the above FIUs apply the LED to their processing activities.
In addition, both the current as well as the proposed legal framework on AML/CTF measures are anything but unambiguous when it comes to a clear definition of whether or not FIUs may apply the LED. Although FIUs are currently established and regulated under the Fifth AML Directive, 90 which derives from an internal market legal basis, that Directive ultimately refers to the processing of personal data by obliged entities, which are subject to the rules under the GDPR, as recognized in Article 41 of the Directive. Hence, while that provision does state that the GDPR generally applies to processing carried out under the Fifth AML Directive, it only refers to obliged entities, while not mentioning FIUs.
The Directive on rules to facilitate access by competent authorities to financial and other information is supposed to compensate for the limitations of the internal market legal basis and to tackle existing problems in the area of police cooperation. 91 That Directive repeals a Council Decision 92 on cooperation between FIUs, which was adopted at a time when the domestic processing of personal data by competent authorities within the Member States was not regulated by EU law. Directive 95/46/EC, 95 processing by FIUs was considered law enforcement processing.
Under Article 18 of the Directive on rules to facilitate access by competent authorities to financial and other information, data subject rights may be restricted in accordance with the respective rules under the GDPR and the LED. It is, however, unclear under which of the two instruments FIUs are allowed to process personal data for the performance of their tasks. Against that background, Articles 8 96 and 9 97 of the Directive clearly refer to law enforcement data that are to be exchanged between FIUs and competent authorities, as well as among the FIUs in different Member States. Although both Articles explicitly differentiate between 'FIUs' and 'competent authorities', the exchange of information for the prevention, detection and combating of money laundering and associated predicate offences or the analysis of information related to terrorism or organised crime associated with terrorism could be seen as processing carried out for law enforcement purposes. In those situations where FIUs would process such law enforcement information, they could apply the LED, even if they do not satisfy the personal scope, simply by extending the latter via the material scope.
Another provision under the Directive on law enforcement access to financial and other information that could support the argument that FIUs might be considered competent authorities under the LED is Article 7(5). 98 While that provision distinguishes competent authorities from FIUs, the second part of that paragraph could nevertheless be interpreted as including FIUs within the definition of competent authorities within the personal scope of the LED. That section refers to the processing of personal data for law enforcement purposes 'other than those for which the personal data are collected in accordance with Article 4(2) [of the Directive]'. Article 4(2) LED thus regulates the subsequent processing of personal data under the Directive, which can only take place where these data have previously been processed by a competent authority within the scope of Article 4(1). Because of the ambiguous wording of Article 7(5) of the Directive on law enforcement access to financial information, FIUs could represent competent authorities within the meaning of Article 4(1) LED and would thus fall within the personal scope of the Directive. 99 It is regrettable that the proposed AML Package does little to nothing to provide some clarity on the data protection framework applicable to FIU processing. It could even be argued that some of the legislative proposals might lead to even more ambiguity. For instance, Article 2(31)(a) of the proposed Regulation on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing defines FIUs as competent authorities. 100 Furthermore, that article defines supervisory authorities, public authorities with designated responsibilities for combating money laundering or terrorist financing and public authorities that have the function of investigating or prosecuting money laundering, its predicate offences or terrorist financing, or that have the function of tracing, seizing or freezing and confiscating criminal assets as competent authorities. Thus, the provision neither includes traditional LEAs within the definition of competent authorities, nor does it use the wording under Article 3(7) LED. This might not only lead to textual inconsistencies, but also trigger confusion with regard to the question what/who constitutes a competent authority and may ultimately apply the LED.
95 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [1995] OJ L 281/31.
96 Requests of information by a FIU to competent authorities.
97 Exchange of information between FIUs in different EU Member States.
98 Requests for information by competent authorities to an FIU.
99 It must, however, be noted that this provision has been interpreted in a way that Article 4(2) should be seen as subsequent processing of GDPR data. Hence, where data that has previously been processed by an FIU within the scope of the GDPR, Article 4(2) LED would be the legal basis for the subsequent use of GDPR data for law enforcement purposes. See
Finally, some rules under the LED itself could serve to argue in favour of an application of the Directive to the processing of personal data by FIUs, as providing more suitable safeguards. This might, for instance, be the case with regard to the categorization of data subjects, the requirement to classify personal data into information based on facts and information based on personal assessments under Articles 6 and 7 of the LED, or the obligation to keep logs of certain processing operations pursuant to Article 25 LED. Those provisions are non-existent under the GDPR and might, in fact, contribute to higher protection standards in certain processing situations. 101 In addition, it could be argued that the system on the restriction of data subject rights under the LED is more developed than the one under the GDPR, despite the latter's strong transparency obligations: Article 39(1) of the Fifth AML Directive includes a rather broad non-disclosure clause that applies where obliged entities shall refrain from informing their customers if money laundering or terrorist financing analyses are being carried out. The non-disclosure obligation also applies to guarantee that inquiries, analyses, investigations or procedures for AML purposes are not obstructed and to ensure that the prevention, investigation and detection of money laundering and terrorist financing is not jeopardised. 102 In those cases, obliged entities would rely on Article 23 GDPR, which allows for the restriction of data subject rights and corresponding data protection principles by way of legislative measure.
Article 23 GDPR represents a horizontal limitation clause on the restriction of data subject rights for a number of grounds. 103 The LED, on the other hand, incorporates a structure pursuant to which the restriction of each right requires a specific legal basis. Hence, while Article 23 GDPR could be regarded as a general limitation clause, the system allowing for restrictions of data subject rights under the LED is laid down in individual derogation clauses that follow each right enshrined in the Directive. Under the LED, the national legislator may adopt legislative measures to restrict the individual data subject rights laid down in Article 13 LED (right to information), Article 14 LED (right of access) and Article 16 LED (right to rectification and erasure). Article 13(3) LED, Article 15 LED and Article 16(4) LED each include an option to restrict these rights separately for as long as necessary and proportionate. In addition, these provisions entail clear instructions for the controller to inform data subjects of any restriction as well as the corresponding processing that was carried out about them as soon as such notification may no longer jeopardize ongoing investigations. Although the GDPR is based on strong transparency obligations towards data subjects, its system on the restriction of data subject rights lacks such specific provisions that would compel controllers to inform data subjects after a restriction has taken place. Admittedly, the provisions under the LED include qualifiers such as the wording "for as long as such a [...] restriction constitutes a necessary and proportionate measure". 104 Yet, the accountability obligation that also applies under the Directive would require any restriction to be justifiable before the supervisory authority.
In addition, the Directive provides, under its Article 17, for an important administrative remedy by giving individuals the possibility to have their rights exercised by the national data protection supervisory authority on their behalf. In those circumstances, the LED might in fact constitute a more suitable instrument to allow for effective cooperation between obliged entities, FIUs and other LEAs while, at the same time, ensuring the notification or indirect access rights for data subjects.
The EU legislator, by leaving the LED's scope extremely broad, assigned the task of determining which authorities may apply the Directive to the national level. Consequently, it is left to the national legislators to define whether FIUs fall within the personal scope of the LED. In addition, under many national transposition acts, the Directive's material scope may define its personal scope, so that authorities which process personal data for law enforcement purposes may apply the LED to their processing operations, albeit not being LEAs per se. 105 In addition, numerous Member States include a wide range of processing activities within the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. This often means that the Directive may apply to processing activities that are by far less of a law enforcement nature than the processing of personal data by FIUs. This is, for instance, the case in the field of migration management or border control. When comparing these two areas, the application of the LED to FIU processing when countering money laundering or terrorist financing might be more justifiable than the Directive's application where border guards check the identity of so-called third country nationals. Such an argument might not provide a legal ground for the LED's application to FIUs, but it demonstrates that in reality, Member States included more authorities within the Directive's scope than initially anticipated. 106 In order to prevent such a broad application of the LED's scope, legislative amendments might prove necessary.

and (g); (i) the protection of the data subject or the rights and freedoms of others; (j) the enforcement of civil law claims. 104 Under Article 13(3) LED, information to the data subject in specific cases may be delayed, restricted or omitted, under Article 15 LED the right of access may be restricted and under Article 16(4) LED, information to the data subject about refusals for rectification or erasure may be restricted for as long as such a measure constitutes a necessary and proportionate measure in a democratic society with due regard for the fundamental rights and the legitimate interests of the natural person concerned.

Arguments against the application of the LED to FIU processing
Both the current AML/CTF legal framework and the proposed AML Package are not only established on an internal market legal basis, but also explicitly refer to the GDPR 107 as the applicable instrument for the processing of personal data 108 and distinguish between FIUs and competent authorities. 109 Notice should also be taken of Article 95 GDPR, which states that Directive 95/46/EC is repealed by the GDPR, but all the references to the repealed Directive will be interpreted as references to the GDPR. With regard to FIUs, this means that all references to Directive 95/46/EC in the previous AML regime became references to the GDPR.
In addition, the fact that the Directive on law enforcement access to financial information differentiates between FIUs and LEAs should be taken into account. The separation between administrative and law enforcement authorities should be put into a wider perspective, also considering existing structures. Such differentiation exists, for instance, with regard to EU Agencies, where the law distinguishes between Agencies that are competent for administrative offences and Agencies that are competent for criminal offences, as is the case for OLAF (the European Anti-Fraud Office) and the EPPO (the European Public Prosecutor's Office).
In addition, FIUs have a different applicable legal regime than so-called Passenger Information Units (PIUs), which collect passenger name record (PNR) data 110 from air carriers, to store, process and transfer those data or the result of their processing to the competent authorities. 111 PIUs are generally established within the organizational structure of the competent LEAs in the Member States and are themselves competent for the prevention, detection, investigation or prosecution of terrorist offences and of

106 Declaration 21 attached to the Lisbon Treaty only refers to particular rules on the protection of personal data and the free movement of such data in the fields of judicial cooperation in criminal matters and police cooperation that may prove necessary because of the specific nature of these fields. 107 It refers to Directive 95/46/EC, the predecessor of the GDPR. 108 Recital 38 of the Fifth AML Directive puts forward that data subjects should be informed in accordance with the provisions of the GDPR. Yet, that recital also makes reference to the LED, without clarifying in which circumstances it would apply and whether it could also be used by FIUs. 109

113 PIUs are subject to the rules of the LED. 114 Against that background, Article 17(4) of the proposed Sixth AML Directive states that in cases where an FIU is located within the existing structure of another authority, the FIU's core functions shall be independent and operationally separated from the functions of the host authority. Hence, the provision not only differentiates between FIUs and other (law enforcement) authorities, but also between their tasks and thus, processing activities, which should have an impact on the applicable data protection regime. In that vein, it needs to be noted that some FIUs do not even analyse the data that they receive and only operate databases that are directly accessible for LEAs.
In such cases, it can hardly be argued that the FIU itself processes personal data for law enforcement purposes and would be capable of applying the LED to manage a police database.
In addition, even where law enforcement FIUs may apply the Directive to their processing operations, Article 9 LED stipulates that where competent authorities process personal data for non-law enforcement purposes, the GDPR applies to their processing activities. Paragraphs 1 and 2 of that Article clearly state that the GDPR is applicable whenever competent authorities process personal data for purposes other than for the prevention, investigation, detection or prosecution of criminal offences, unless such processing is not regulated by EU law. 115 In those Member States where FIUs may process personal data within the scope of the LED, their tasks should be explicitly clarified in order to prevent grey zones between the GDPR and the LED and to ensure that their FIU's non-law enforcement processing falls within the scope of the GDPR.

Data retention and data retention: comparing standards
One area that has not (yet) been taken into consideration, but which nevertheless deserves to be taken into account for the sake of this analysis, is the area of data retention. With financial data, it is possible to draw accurate conclusions about the shopping behavior of a purchaser and his or her personal choices, and to determine the time of a purchase and his or her exact location, as payments are easily traceable. Due to the long retention periods and the potential re-use of financial information for law enforcement purposes, this aspect should play an important role in the discussion on data retention schemes, also considering the CJEU's case law on that matter. In the area of data retention, access to personal data by law enforcement authorities and the issue of mass surveillance by intelligence agencies, there have been important cases decided, especially during the last couple of years. 116 At EU level, the CJEU has progressively strengthened data subjects' rights through its case law, 117 in particular, since the Lisbon Treaty of 2009 converted the EU Charter into a legally binding instrument of EU primary law, progressively serving as basis for the CJEU's interpretation of fundamental rights. Previously, the Court had been dependent on referring to fundamental rights as general principles of EU law and Article 8 European Convention on Human Rights (ECHR) in its jurisprudence. 118 However, until recently, the most prominent CJEU cases on data retention measures by private entities almost exclusively dealt with the retention of telecommunications data. Hence, there is a need to evaluate the CJEU judgments on data retention not solely in relation to the retention of telecommunications data, but to apply the Court's findings also to other data retention regimes at EU level.
In that regard, the regime on the retention of financial data should be assessed concerning its (in)compatibility with the standards set by the jurisprudence of the CJEU and the European Court of Human Rights (ECtHR).
Under the Fifth AML Directive, Member State law shall determine the period in which financial data should be retained by obliged entities. 119 Generally, that retention period should be fixed at five years after the end of a business relationship or of an occasional transaction. When justified and where deemed useful for the purposes of prevention, detection or investigation of money laundering and terrorist financing, such information may be retained for an additional five years, in line with the necessity and proportionality requirements. 120 Similarly, under the proposed Sixth AML Directive, obliged entities would have to retain a copy of the documents and information obtained in the performance of the customer due diligence and supporting evidence obligations as well as records of transactions for five years. 121 In addition, Member States could allow or require the retention of such information or documents for a further period of five years. 122 While the ECtHR has, on several occasions, 123 decided on the retention of financial data, CJEU case law on that matter is overdue, despite the Court's rich case law on data retention measures applicable in the case of telecommunication data. Three years after the entry into application of the GDPR and seven years after the Court's first landmark judgment on the retention of telecommunications data, 124 a case on the long storage times of financial data is still lacking.
On 19 October 2021, the Grand Chamber of the CJEU deliberated whether the public register of beneficial owners under the current AML framework would be in conformity with the rights to privacy and data protection. The case is about the requirement for Member States to set up a central register containing information on the beneficial ownership of corporate and other legal entities under the Fifth AML Directive. In the case that was brought by a Luxembourgish court, it was argued that the requirement to make this register accessible to any member of the public is excessive. 125 Unfortunately, the question of data retention periods applicable to financial data was not at issue in this case. However, it will be interesting to see how the Court will decide on that matter in the future.

Further outlook and concluding remarks
Ultimately, the harmonized rules under the LED could ensure an adequate level of data protection while, at the same time, ensuring smooth cooperation between FIUs and (other) competent authorities. Allowing FIUs to gather, analyse and exchange information more flexibly might improve the effectiveness of their cooperation and could help maintain their role as intermediary between the private sector and LEAs. In addition, an enhanced effectiveness of FIUs might serve as an argument against further possibilities of LEAs to directly access personal data.
It is important to repeat that, in many Member States, the LED is being applied in situations that seem by far less of a law enforcement nature than the processing of personal data by FIUs. For instance, in the context of border control and the irregular entry of so-called third country nationals, many national legislators allowed, by criminalizing such irregular entry, the application of the LED in such situations. This is even the case where authorities such as border guards would otherwise not be competent authorities within the scope of the Directive. It could, therefore, be argued that if the LED applies in such situations, it should also be applicable with regard to AML/CTF processing carried out by FIUs.
The processing of personal data by FIUs within the scope of the LED might, in the future, even bring certain data protection benefits. With regard to the recently proposed AI Act, 126 the latter excludes from its scope certain high-risk processing operations carried out by LEAs. Banks and non-law enforcement authorities, on the other hand, might have more possibilities to engage in such AI-enabled processing operations. Evidently, there will be many loopholes to also allow LEAs to circumvent the abovementioned exceptions. Nevertheless, the threshold might be more difficult to establish.
The recently proposed AML Package, consisting of two new regulations, a new AML Directive, and a proposal for the revision of an already existing Regulation on the transfer of funds, will need to be assessed in more detail, also with regard to the data protection rules applicable to FIUs. As it stands now, the proposed framework adds little to clarify whether FIUs could apply the LED to their processing activities. Therefore, it would be welcome if the negotiations further clarified this issue.
In addition, the reform proposes a Regulation establishing an Authority on AML and CTF measures (AMLA). The new Authority would be responsible for both directly supervising some of the Union's largest financial players as well as aiding and monitoring national FIUs. In addition, AMLA would assume some of the tasks carried out by already existing EU agencies. 127 This would include taking over the management of the secure communication network between FIUs, previously maintained by Europol. 128 Which data protection rules would apply to this new EU Agency where it will process law enforcement information remains to be seen. Yet, there is a risk that AMLA will be able to argue that it should fall within the scope of Chapter IX of Regulation (EU) 2018/1725 that governs the processing of so-called operational personal data (law enforcement personal data). This would be problematic, as Chapter IX remained unfinished with regard to rules on international transfers and supervision by the European Data Protection Supervisor. 129

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.