Anti-Money Laundering Directives and the Right to Privacy and Data Protection
Is the Tension between the Anti-Money Laundering Directives and the Right to Privacy and Data Protection sensibly resolved?
Candidate number: 6003.
Submission deadline: 31.05.2021 23:59 Number of words: 17974
Table of contents
1 INTRODUCTION
1.1 Background
1.2 Existing Critique
1.3 Research Question
1.4 Method Section
1.5 Delimitations
1.6 Outline
2 DEFINITIONS AND CONTEXTUAL INFORMATION
2.1 Money Laundering
2.2 Terrorist Financing
2.3 Tax Crime
2.4 The EU Charter and the Fundamental Rights to Privacy and Data Protection
2.5 Article 52 (1) of the EU Charter
2.5.1 Based on Law and Essence
2.5.2 Proportionality and Objective of General Interest
3 ANTI-MONEY LAUNDERING DIRECTIVES
3.1 5th AMLD
3.1.1 Relevant Entities
3.1.2 Financial Intelligence Units
3.1.3 Main Obligations
3.2 6th AML Directive
4 FUNDAMENTAL RIGHTS TO PRIVACY AND DATA PROTECTION
4.1 Relevant Case Law of the CJEU
4.1.1 Digital Rights Ireland
4.1.2 Tele2 Sverige Case
4.1.3 PNR Canada Agreement (Opinion 1/15)
4.1.4 Privacy International and La Quadrature du Net and Others
4.2 Transferability
5 PROPORTIONALITY ASSESSMENT
5.1 Interference with the right to privacy and data protection
5.2 Interference by Law and Respect for the Essence of the Rights
5.3 Legitimate Objectives
5.4 Appropriateness
5.5 Necessity and Proportionality Sensu Stricto
5.5.1 Retention of Data
5.5.2 The Persons Concerned
5.5.3 Scope of the Retention
5.5.4 Retention Period
5.5.5 Access and Use of the Data
5.5.6 Data Protection Safeguards
5.6 Conclusion Proportionality Assessment
6 FINAL REMARKS
7 REFERENCES
1 Introduction
1.1 Background
“We are rapidly entering the age of no privacy, where everyone is open to surveillance at all times; where there are no secrets from government”.1
Money laundering-related activities can be traced back as far as 2000 years.2 Today it is one of the critical instruments of crime, nourishing international criminal operations, such as drugs, arms, and human trafficking, smuggling, corruption, cybercrime, and terrorism. It is worth billions of euros; it is estimated that it accounts for about 1.2 percent of the European Union's annual GDP or up to 197.2bn euros.3
To fight money laundering and, in turn, the aforementioned crimes, the EU has created different systems and measures. At the forefront are the anti-money laundering directives. The most recent one is the 6th AMLD, which came into effect on December 3, 2020, and must be implemented by June 3, 2021. It amends its predecessors, the 5th and 4th AMLD, which will stay in effect simultaneously. In the wake of September 11, the fight against terrorist financing was elevated to a primary objective of the directives. It was first incorporated in the 3rd AMLD.
The rationale behind the inclusion was that terrorist financing exploits the same vulnerabilities in financial markets as money laundering activities, for example, opacity and lack of transparency; hence, the argument is that measures to fight money laundering should work for the fight against terrorist financing as well.4
The AML directives follow the FATF Recommendations, which are internationally recognized standards for anti-money laundering.5 These standards are developed in a collaboration of various states as well as international organizations and expert groups. The measures oblige financial service providers such as banks and gambling service providers, real estate agents,
1 William O. Douglas, Osborn v. United States, 385 U.S. 323, 341 (1966) (dissenting).
2 Seagrave (1995).
3 Europol (SOCTA 2017).
4 Mitsilegas (2007): 119-140; International Monetary Fund 2021.
5 FATF (2012).
and lawyers. The objective of the measures is to create transparency by obliging these entities to know their customers, especially what they do with their money and whom they do business with. To comply with these measures, large amounts of information about the customers must be processed. If an entity comes across a suspicious transaction, it must report it to the authorities.
This allows the authority to ‘follow the money’ to expose the operation and the individuals involved.6
1.2 Existing Critique
The AML directives' measures are not without critique; there is some dispute around the viability of the chosen measures. It has been criticized that the frequent expansion of the anti-money laundering and terrorist financing measures, in scope as well as in severity, has not led to a rise in success. One outspoken critic of international anti-money laundering practice is Ronald F. Pol, who, over the last years, has published books, articles, and papers on this subject. The heart of his research is the intersection of anti-money laundering practice, policy effectiveness, and outcome science. He describes money laundering regulations as almost entirely ineffective and as a failed experiment that countries must follow to stay in the global financial system.7 Another scholar who criticizes the effectiveness of anti-money laundering and terrorist financing measures is Michael Brzoska. His focus lies on the effectiveness of counter-terrorist financing policies. He criticizes in his work that assessments of counter-terrorism measures tend to focus on how well the measures are implemented, without assessing whether these measures are, in fact, effective tools to fight terrorism. He fears that this can lead to the promotion of ineffective measures and policies.8 More European-centric critics are, among others, Maria Bergström and Carolin Kaiser.
Bergström researches legal concerns that arise from the AML directives. Her main focus areas are the line between administrative and criminal law, which the AML regime seems to blur,
6 Bergström (2018 a), p 1151.
7 Pol (2018a); Pol (2018b); Pol (2019a); Pol (2019b); Pol (2019c); Pol (2020a); Pol (2020b).
8 Brzoska (2016); Brzoska (2009).
and protection and privacy issues in an administrative and criminal law context.9 Concerning the second issue, she concluded that more research is needed. Kaiser fulfilled this request. She did an in-depth evaluation of the proportionality of the anti-money laundering and financing of terrorism measures, examining the relationship of the measures with the GDPR10, LED11, and the fundamental rights to privacy and data protection enshrined in articles 7 and 8 of the EU Charter of Fundamental Rights (Charter), taking the judgments of the CJEU, especially on the Data Retention Directive (DRD), into consideration.12 However, although there is ample literature on privacy and data protection as well as some literature on the AML directives, the combination of both areas and their relationship has not received much attention thus far. This thesis intends to explore this area and add a new view to the existing literature in this field.
1.3 Research Question
The AML directives' measures to prevent money laundering and terrorist financing revolve around the processing of information on individuals. It can be challenging to balance the processing of these kinds of data with the individual's rights to privacy and data protection. The thesis aims to examine the tensions arising from the opposing interests between the 4th, 5th, and 6th AML Directives and the fundamental rights to privacy13 and data protection14 granted by the Charter, and whether these tensions are sensibly resolved. To answer this overarching question, a series of sub-questions must be considered first.
The first sub-question will look at the AML directives. What is the directives' background, and which measures do they contain? The second sub-question concerns the fundamental rights to privacy and data protection and will answer what the content and proper protection of these rights are. In a third sub-question, the requirements laid down in article 52 (1) of the Charter
9 Bergström (2018a); Bergström, (Lain Cameron ed., 2013); Bergström (2016); Bergström (2018b); Bergström (2018c).
10 Regulation (EU) 2016/679 (General Data Protection Regulation).
11 Directive (EU) 2016/680 (LED).
12 Kaiser (2018); Milaj, Kaiser (2017).
13 EU Charter [2007] OJ C 326/391, Article 7.
14 EU Charter, Article 8.
will be analyzed, with an emphasis on the principle of proportionality. What is the proportionality principle's content, how do different courts and entities apply it, and how did the principle evolve with the current case law? And is the existing case law transferable to the AML directives' situation? A fourth and final set of sub-questions will build on the previous questions and analyze the anti-money laundering and terrorist financing measures' relationship with the fundamental rights to privacy and data protection. Do the measures interfere with these rights, and if yes, in which ways? What objectives do these measures pursue, and are the objectives legitimate? What privacy and data protection concerns do the AML directives' measures raise considering the current case law of the CJEU? Finally, in a last section, the main research question will be answered: Is the tension between the 4th-6th AML directives sensibly resolved?
1.4 Method Section
This thesis will focus on EU Law, namely on the Charter and the 4th, 5th, and 6th AML directives.
The Charter and the AML directives represent two different levels of EU Law. The Charter is so-called primary law, and the AML directives are part of secondary law, which must comply with primary law; otherwise, it may be annulled.15
Directives are not immediately applicable in the Member States; they must be implemented into national law to come into effect. However, the directives' results are binding, and these are often so detailed that Member States' margins of maneuver are rather limited.16
The thesis's primary focus is the AML directives' potential conflicts with the EU Charter. Since the AML directives could get annulled when not complying with the Charter, they should be interpreted in the way most compliant with the Charter.17 Following the effet utile-doctrine, the interpretation of the law will focus on the purpose of the act and its context.18 To understand the meaning of an act, the thesis will analyze the recitals and the provisions' wording.19 The
15 Barnard, Peers (2017), p 104; Riesenhuber (2017), p 153.
16 Article 288 subpara 3 of the TFEU; Barnard, Peers (2017), p 100.
17 Riesenhuber (2017), p 256.
18 Ibid, pp. 252, 256-257.
19 Ibid, p. 249.
thesis further examines CJEU case law to interpret and apply EU law.20 Because of a lack of case law regarding the AML directives from the CJEU, the thesis will focus on case law that approaches comparable circumstances.
The thesis's focus does not lie on the ECtHR and its interpretation of Council of Europe law.
However, its jurisprudence is of huge relevance and is frequently cited by the CJEU.21 Thus, its case law will contribute to the analysis of the CJEU case law and support arguments.
Moreover, the opinion of the European Data Protection Supervisor (EDPS) will be considered.
The EDPS is an independent authority in the EU. Its purpose is to govern compliance with the Union's data protection laws by the EU institutions.22 To fulfill this task, the EDPS has a variety of influential powers. This includes the capability to investigate, correct, and sanction.
Moreover, they have authorization and advisory powers, particularly regarding cases of complaint from natural persons. They can participate in legal proceedings and bring complaints to the attention of the CJEU.23 Concerning the AML directives, the EDPS stated non-binding opinions for the 4th and 5th AML directives and mentioned the 6th AMLD in its Opinion 5/2020 on the European Commission’s action plan regarding the fight against money laundering.24 However, because of their non-binding nature, these opinions will only be used to support other arguments in this thesis.25
1.5 Delimitations
The thesis's emphasis is on the AML directives' compatibility with the Charter. It will only take the EU/EEA area into account and not investigate third-country effects or applicability. It will further not take other EU Laws such as the GDPR or the LED into account. Though both
20 Article 19.1 of the TEU.
21 Krommendijk (2015) p 10.
22 Articles 52.2 and 52.3 of Regulation (EU) 2018/1725.
23 Articles 57 and 58 of Regulation (EU) 2018/1725.
24 EDPS 2013 Opinion, on the draft AML D4; EDPS Opinion, 1/2017; EDPS, Opinion 5/2020.
25 Article 288 sub-para 5 of the TFEU.
provisions are relevant, as they cast light on how Charter rights are to be construed, and the CJEU case law often considers them in conjunction with considering Charter rights.
However, there is unfortunately not enough room for an analysis of the provisions' relationships with the AML directives in this thesis.
1.6 Outline
The following section will contain descriptive elements to provide the necessary background information and definitions and will lead into answering the sub-questions of this research. It will deliver definitions for money laundering, terrorist financing, and tax crimes and offer a brief introduction to the fundamental rights of privacy and data protection in articles 7 and 8 and the derogation clause in article 52 (1) of the Charter. The third chapter will focus on the first sub-question and introduce the AML directives and their relevant provisions. The fourth chapter's attention is on sub-questions two and three. It will present the current CJEU case law and discuss the fundamental rights to privacy and data protection. How far does the protection go, and under which circumstances can they be limited? Chapter five examines the fourth and final sub-question. It investigates the relationship between anti-money laundering and terrorist financing measures and the fundamental rights to privacy and data protection. Finally, in the sixth and last chapter, the overarching research question, whether the tension between the anti-money laundering and terrorist financing measures and the fundamental rights to privacy and data protection is sensibly resolved, will be answered.
2 Definitions and Contextual Information
This chapter provides definitions of basic terms and processes and other background information concerning money laundering, terrorist financing, tax crimes, and the rights to privacy and data protection.
2.1 Money Laundering
Money laundering is a process used by criminals to disguise the origin of profit earned from illegal activities. This enables criminals to use the profit without putting the source at risk.26 The 5th AMLD defines money laundering in a broad way. Its definition reads:
For this directive, the following conduct, when committed intentionally, shall be regarded as money laundering:
(a) the conversion or transfer of property, knowing that such property is derived from criminal activity or an act of participation in such activity, to conceal or disguise the illicit origin of the property or of assisting any person who is involved in the commission of such an activity to evade the legal consequences of that person's action;
(b) the concealment or disguise of the true nature, source, location, disposition, movement, rights with respect to, or ownership of, property, knowing that such property is derived from criminal activity or an act of participation in such an activity;
(c) the acquisition, possession or use of property, knowing, at the time of receipt, that such property was derived from criminal activity or an act of participation in such an activity;
(d) participation in, association to commit, attempts to commit and to aid, to abet, facilitating and counseling the commission of any of the actions referred to in points (a), (b), and (c).
Money laundering shall be regarded as such even where the activities that generated the property to be laundered were carried out in another Member State or a third country.27
The AML directives, therefore, cover not just money but also property. Property is understood
"as assets of any kind, whether corporeal or incorporeal, movable or immovable, tangible or intangible, and legal documents or instruments in any form including electronic or digital, evidencing title to or an interest in such assets."28
26 FATF, What is Money Laundering?, accessed 15.07.2020, https://www.fatf-gafi.org/faq/moneylaundering/.
27 Article 1 (1-4) 5th AMLD.
28 Article 3 (3) 5th AMLD.
Money laundering usually happens in three steps. In the first step, the criminals channel the money into the conventional financial system. The most frequently used method is to break up a large amount of money that would give rise to suspicion into smaller amounts that they directly deposit into a bank account.
In a second step called ‘layering’, that money is then channeled through the financial system.
It gets transferred through different accounts worldwide or used first to purchase investment instruments to subsequently sell them again in order to cloud the origin of the money.
In a last step, the money is re-entered into the legitimate economy, for example, by buying real estate, business ventures, or luxury assets.29
2.2 Terrorist Financing
Terrorist financing describes the known but also unknown support towards terrorist organizations. Terrorist organizations need support to sustain themselves, maintain their networks, recruit new members, buy supplies, and plan and commit attacks.30
The measures to fight money laundering are also used to fight terrorist financing. The idea is to cut off the organization's finances by detecting their funds using information from the financing process.31
2.3 Tax Crime
The fight against tax crime, including the prevention of tax avoidance, became another focus in addition to the fight against money laundering and terrorist financing with the 4th and, even more elaborately, with the 5th AML directive, granting tax authorities access to data collected for
29 Ibid.
30 Roberge (2007), p. 197; COM (2016) 50 final, p 2.
31 Ibid.
the purpose of money laundering and terrorist financing.32 What constitutes a tax crime differs from Member State to Member State. There is no homogeneous definition of tax crime throughout the Member States.33 However, it tends to revolve around the concealment of income or tax-related information through methods such as underreporting income and falsifying deductions from the authorities.34
Tax avoidance refers to activities that exploit loopholes in the law in order to avoid taxation.
This practice is mainly assumed to be legal but includes a large gray zone.35
2.4 The EU Charter and the Fundamental Rights to Privacy and Data Protection
The fundamental rights to privacy and data protection are enshrined in articles 7 and 8 of the EU Charter. The Charter is a collection of the most important freedoms and rights of individuals in the EU. It contains the rights and freedoms in the European Convention on Human Rights, rights embedded in the Court of Justice's case law, and rights and principles derived from the EU's constitutional traditions and other international instruments; it is as binding as the EU Treaties.36 Hence all Member States and all EU institutions, offices, bodies, and agencies must respect the right to privacy and data protection at all times.37
Article 7 protects private and family life; it reads: "Everyone has the right to respect for his or her private and family life, home and communications." Article 8 protects personal data and reads as follows: "1. Everyone has the right to the protection of personal data concerning him or her. 2. Such data must be processed fairly for specified purposes and on the basis of the
32 Recitals 11,14 4th AMLD; Recital 35 5th AMLD; Articles 30(6) (d), 31 (4) (d), 44 5th AMLD.
33 Recital 18 5th AMLD.
34 Unger, 2017.
35 Ibid.
36 Article 6 TEU.
37 Article 51(1) EU Charter; Hustinx, (2013), 20.
consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. 3. Compliance with these rules shall be subject to control by an independent authority".
Article 8 does not just explicitly protect the right to data protection; it also includes key principles of data protection, such as lawful processing, purpose limitation, and the right to access and rectification.
2.5 Article 52 (1) of the EU Charter
Fundamental rights, including the right to privacy and data protection, are not absolute. They are subject to the general derogation clause codified in article 52 (1) of the Charter, which allows for the limitation of fundamental rights when four conditions laid down in the article are met. The limitation must i) be based on law, ii) respect the essence of the fundamental rights and freedoms, iii) be subject to the principle of proportionality, and iv) follow an objective of general interest recognized by the Union or protect the rights and freedoms of others.
2.5.1 Based on Law and Essence
The first sentence of Article 52 (1) contains the first two limitations: i) based on law and ii) respect for the essence of fundamental rights. There is some controversy over whether these requirements are entirely independent of the proportionality principle or are inextricably linked.38 However, both requirements are examined by the CJEU and the ECtHR without discussing their relationship with the proportionality principle.39 The thesis will follow this example since a discussion would not further the subject of the thesis; both prongs must be considered either way when assessing whether the anti-money laundering directives' interference with articles 7 and 8 is lawful.
The first prong, ‘legal bases,’ must conform to the rule of law. However, agreements between Member States and even the ne bis in idem principle are considered to be sufficient legal bases.40 The second prong, the essence of fundamental rights, limits the degree to which a right can be
38 Brkan (2019).
39 Lenaerts (2019).
40 Samardzic (2017), pp 13,14; CJEU, C-129/14 PPU, Spasic, 2014, para 57.
limited by guaranteeing that a minimum content of each fundamental right is untouchable and cannot be interfered with.41
2.5.2 Proportionality and Objective of General Interest
The third and fourth prong, objectives of general interest and the principle of proportionality, are anchored in sentence two of article 52 (1). Article 52 (1) (2) reads as follows: "Subject to the principle of proportionality, limitations may be made only if they are necessary and genuinely meet objectives of general interest recognized by the Union or the need to protect the rights and freedoms of others."
The principle of proportionality is a fundamental principle in European Community law and was applied by the CJEU and the ECtHR before the EU Charter's codification in 2009.
Before its codification in the EU Charter, the principle of proportionality was derived from either the rule of law or fundamental rights.42
Its function can be seen in restricting limitations of rights and principles. It assesses whether the restriction of a right or principle to the benefit of another right or principle is 'justified' and strives to find a balance between the rights or principles.43 However, defining the exact content or scope of the proportionality principle can be trying. For example, the CJEU and ECtHR both use the proportionality principle, yet the content and range vary. Moreover, the EDPS has its own guidelines on assessing proportionality,44 which again differ from both the CJEU's and the ECtHR's application of the proportionality principle.
Between the ECtHR and the CJEU, there seems to be consensus on what constitutes the essential elements of proportionality.45 However, the courts' terminology is divergent and, at times, confusing through an interchangeable and blurred use of vocabulary. Moreover, where the ECtHR
41 Tridimas (2019).
42 Peers et al (2014), Article 52. pp 15; Kalir, Barak (2012) p. 213.
43 Sauter (2013); Samardzic (2017), p 16.
44 European Data Protection Supervisor, EDPS Guidelines on assessing the proportionality of measures that limit the fundamental rights to privacy and to the protection of personal data, 19 December 2019 (EDPS Guidelines).
45 Samardzic (2017) p. 16.
usually reviews all elements in one bloc without an inherent structure, the CJEU follows a three to four-step test: (i) legitimate objectives, (ii) appropriateness, (iii) necessity, and (iv) proportionality sensu stricto. However, the first prong is not part of the core proportionality test but can be seen as an initiator to the core proportionality test, which is why it is listed as its own prong above.46 The EDPS's focus, on the other hand, lies primarily on the necessity and proportionality prongs. It developed a necessity and a proportionality test, each with four sub-prongs that must be fulfilled.47
The ECtHR further tends to focus on the subject's viewpoint under concrete conditions, whereas the CJEU follows a more abstract and objective examination of the fundamental rights.48 However, since this thesis's analysis will center around the AML directives' compatibility with the fundamental rights as interpreted by the CJEU, this section will also focus on the proportionality scope of the CJEU. It will follow its three-prong test plus the initiator prong 'legitimate objectives'.
i) Legitimate Objectives
Before the start of the core proportionality test, the legitimate objective prong must be assessed.
Article 52 (1) (2) specifies that limitations are only allowed if they meet the objectives of the general interest recognized by the Union or the need to protect the rights and freedoms of others.
A wide variety of objectives and rights can serve as legitimate objectives. Article 3 TEU contains a non-exhaustive catalog of important legitimate objectives.49
ii) Appropriateness
The criteria of appropriateness could be derived from the phrasing "…genuinely meet objectives…" in article 52 (1) (2).50 The measures or resources used by the limiting law must be able to
46 Ibid.
47 EDPS Guidelines, p. 5, 12-14.
48 Samardzic (2017), p. 30; Ehlers (2014) p 572.
49 Peers (2014) pp 1455; Grabenwarte (2016) pp 145; Grote, Marauhn (2013).
50 Holoubek, Lienbacher (ed.) (2014), Article 52, para 16.
realize or at least promote the pursued objectives of the limiting law.51 The CJEU often uses the phrases that the means are not inappropriate and unsuitable when examining this prong.52
iii) Necessity
Necessity requires that there are no milder, less invasive means regarding the fundamental rights available that would have the same level of success as the means used by the limiting law.53
iv) Proportionality Sensu Stricto
The CJEU often speaks of an appropriate or fair balance that must be achieved between the conflicting rights or freedoms.54 The court tends to examine proportionality sensu stricto and the necessity requirement in one bloc; therefore, these two requirements are often so entangled that it can be hard to separate them.55 The thesis will follow the same structure and assess the proportionality sensu stricto prong together with the necessity prong in its proportionality evaluation of the AML directives.
3 Anti-Money Laundering Directives
3.1 5th AMLD
51 Kalir, Barak (2012), p. 303.
52 CJEU, C-453/03, ABNA, 2005 para 69; CJEU, C-101/12, Schaible, 2013 para 41.
53 Kalir, Barak (2012), p. 317.
54 CJEU, C-92/09 and C-93/09, Schecke Eifert, 2010 para 77, 86; CJEU, C-283/11, Sky Österreich, 2013 para. 58, 60; CJEU, C-468/10 and C-469/10, ASNEF, 2011 para 43, 47, 48.
55 Samardzic (2017), 24; Kingreen, (2016), Art 52. GRC para 71; Jarass, (2016) Article 52 para 36.
The 5th AML Directive builds upon its predecessors and is designed to advance the measures used to fight terrorist financing and money laundering in the EU.56 Money laundering threatens the stability, integrity, and reputation of the EU's internal market and the financial sector.57 One of the main amendments in the 5th AML directive compared to its predecessor is the increase in transparency rules as well as the inclusion of extended means to target terrorist financing.58 The 5th AMLD is, however, not just a response to the atrocious terrorist attacks that occurred in the European Union during the last years but is also an answer to the Panama Papers scandal revealed in April 2016.59 Therefore, the 5th AMLD incorporated and expanded measures to enhance 'tax transparency' and fight 'tax abuse'.60 Formally, the main objectives of the 5th AMLD are still only the fight against money laundering and terrorist financing.61 However, by continuously mentioning the fight against tax evasion and granting tax authorities access to all data in the same way as FIUs, it might seem as if they are indirectly incorporating the fight against tax crimes as a new purpose.62
3.1.1 Relevant Entities
The Directive outsources many duties to the private sector. It addresses all institutions and services that focus on the transfer of money or other values or that handle vast amounts of cash or other high-end items in commerce. For example, it applies to financial institutions, accountants, gambling operators, tax advisors, and other legal and natural persons when trading goods that include cash transactions in the amount of Euro 10,000 either in a single transaction or in a series of transactions.63 To keep the thesis focused and not too broad, it will mainly focus on the banking sector.
56 4th AML Directive, Article 1(1); 5th AML Directive, Article 1(1).
57 Ibid.
58 Commission Press release 2016 on 5th AML Directive.
59 COM(2016) 451 final, 5.
60 Commission Press release 2016 on 5th AML Directive.
61 Recital 1 of the 5th AMLD.
62 Articles 30 (6) (d); 31 (4) (d); 44 5th AMLD.
63 Milaj, Kaiser, (2017).
3.1.2 Financial Intelligence Units
FIUs are independent agencies established in every Member State that lead the investigations and preventive actions in money laundering and terrorist financing cases. If one of the entities that the AML directive addresses notices a suspicious transaction, it is obliged to forward it to its responsible Financial Intelligence Unit (FIU).64 Upon request, FIUs can obtain further information from the addressed entities and need to be granted access to administrative and law enforcement information. With the 5th AMLD, the FIUs have been given the competence to make such requests based on their own intelligence and independent of a report for a suspicious transaction.65
The powers of FIUs vary from country to country. In general, three broad categories of FIUs can be distinguished. Firstly, FIUs that have purely administrative powers. Their primary function is to analyze the reports of suspicious transactions and, upon confirmation of suspicion, forward the findings to the law enforcement authorities. Secondly, FIUs with law enforcement powers that can lead their own investigations, and thirdly, a broad spectrum of FIUs with in-between models neither entirely fitting the first nor the second category.66
All FIUs are supposed to share relevant information with one another since money laundering and terrorist financing are global crimes committed usually in more than one country.67
3.1.3 Main Obligations
64 Article 33 (1) (a) 5th AMLD.
65 Article 33 (1) (b) 5th AMLD; COM (2016) p. 13,14.
66 EDPS, Opinion 5/2020, p 13.
67 Recital 56 of the 4th AMLD.
3.1.3.1 Customer Identification
One of the main instruments to tackle illegitimate money flows is the identification of customers. All credit institutions and financial institutions need to ensure that both parties, the sender and the recipient, are fully identified in any financial transaction. To verify a customer's identity, information must be acquired from an independent and reliable source such as an ID card or passport.68
However, next to collecting information on a customer's identity, they might also need to collect additional information on the profession, income, or assets. These provide information about the usual and expected payment behavior of customers.69
If one party of the transaction should be a legal person, then the natural person, also called beneficial owner, behind the legal person, and the control structure and the details of the beneficial interest held must be identified. The 5th AMLD defines a beneficial owner as "any natural person who ultimately owns or controls the customer or the natural person on whose behalf a transaction or activity is being conducted."70
The directive further expects the EU Member States to prohibit their credit institutions and financial institutions from keeping anonymous accounts or anonymous passbooks.71
3.1.3.2 Monitoring of Transactions
Obliged entities must constantly monitor transactions and report those that are suspicious to their responsible FIU. Entities need to "conduct[ing] ongoing monitoring of the business relationship including scrutiny of transactions undertaken throughout the course of that relationship to ensure that the transactions being conducted are consistent with the obliged entity's knowledge of the customer, the business and risk profile, including where necessary the source of funds and ensuring that the documents, data or information held are kept up-to-date."72
68 Article 13 (1) (a) 5th AMLD.
69 Tracfin, (2015).
70 Article 3 (6) 5th AMLD.
71 Article 10 (1) 5th AMLD.
72 Article 13 (1) (d) 5th AMLD.
However, not all transactions bear the same risk for money laundering or terrorist financing. Therefore, the AMLD follows a risk-based approach where transactions of a higher risk for money laundering or terrorist financing must be monitored more closely. The risk assessment of transactions is based on typologies compiled and published on different levels and is codified in articles 6 to 8 in the 5th AMLD. Risk factors are, among other things, the parties and countries involved and the type of channel chosen for a transaction.73
3.1.3.3 Reporting of Transactions
As a third obligation, entities must report suspicious transactions to their responsible FIU, as aforementioned.74
However, what constitutes a suspicious transaction is not defined in the AML directive. The specification is up to the entity and thus can differ from entity to entity.75
Next to filing a report, they also must supply FIUs with all necessary information upon the FIU's request,76 and are prohibited from disclosing to the customer that a report has been filed.77
3.1.3.4 Retention Obligation
Lastly, entities should retain certain data sets for five years after the business relationship has ended, or if there was no such business relationship, then five years after the transaction took place. First, according to article 40 (1) (a) 5th AMLD, entities must keep the identification records used to identify the customer when a business relationship was introduced. Second, according to article 40 (1) (b) 5th AMLD, entities must retain all collected data about transactions between identified customers in the second category.
73 Kaiser (2018) p. 106 f.
74 Article 33 (1) 5th AMLD.
75 Ibid. p. 100.
76 Article 33 (1) (b) 5th AMLD.
77 Article 39 (4) 5th AMLD.
Moreover, Member States can prolong this retention period up to 5 additional years if a thorough assessment of the necessity and proportionality deems it justified.78
3.1.3.5 Bank Register
Information on bank customers, who hold or control a payment or bank account, needs to be saved in a central register or central electronic data retrieval system. This shall allow national FIUs to retrace all accounts held by a person, even if held at different banks.79
The 4th and 5th AML directives lay down the requirement for Member States to put in place a centralized, automated mechanism by September 10, 2020, in the form of a register, an electronic data retrieval system, or a similar system.80 It shall include the identification of any person, natural or legal, holding or controlling a bank account, payment account, or safe deposit box in a Member State. For the payment and bank accounts, the registers shall include the International Bank Account Number (IBAN), the holder and controller, the beneficial owner, the date of opening and closing the account, and other identification data, for example, personal identification numbers. For safe deposit boxes, the registers must also contain the lessee's name, identification number, and the duration of the lease.81
The registers are supposed to be interconnected on a European level since March 10, 2021.82
Concerning beneficial owner's information in the central register, the directive grants access not just to FIUs and other obliged entities but also to the general public. However, the general public’s access is limited to only a certain kind of data.83
78 Article 40 (1) 4th AMLD.
79 Article 32 (1), (2) 5th AMLD; COM 2016, p.6.
80 Articles 32a and 67 (1) 5th AMLD.
81 Articles 32a, 67 and Recital 21 of the 5th AMLD; Recital 14 of the 4th AMLD.
82 Article 67 (1) (1) 5th AMLD.
83 Article 30 (4), (5) 5th AMLD.
The general public "shall be permitted to access at least the name, the month and year of birth and the country of residence and nationality of the beneficial owner as well as the nature and extent of the beneficial interest held."84
3.2 6th AML Directive
The sixth Anti-Money Laundering Directive came into effect on December 3, 2020, and has to be implemented by financial institutions by June 3, 2021.85
The goal of the 6th AMLD is to harmonize the definition of money laundering throughout the EU. The directive contains a list of offenses considered money laundering, which for the first time includes cyber-crimes.86
The Directive further widens the definition of money-laundering, including ‘aiding, abetting, inciting and attempting’ into the definition, thus making ‘enablers’ criminally liable as well.87 The Directive further raises the minimum prison sentence from one to four years88 and extends its criminal liability towards legal persons. Legal persons will become culpable when money laundering crimes are committed for their benefit either by an individual person or as part of an organ of the legal person. The Directive places responsibility on management employees as well as separately acting employees.89
Lastly, the directive ensures that the Member States cooperate if the offense is occurring in more than one Member State at the time.90 In the predecessors, the Member States were only encouraged but not obliged to cooperate.
84 Article 30 (5) (c) 5th AMLD.
85 Directive (EU) 2018/1673, article 13 6th AMLD.
86 Article 2 (1) 6th AMLD.
87 Ibid, article 4.
88 Ibid, article 5 (2).
89 Ibid, article 7.
90 Ibid, article 10 (3).
4 Fundamental Rights to Privacy and Data Protection
4.1 Relevant Case Law of the CJEU
This first section will discuss the facts, reasoning, and conclusions of CJEU court decisions. It focuses on case law that is particularly relevant to the kind of processing of personal data that the AML directives require, starting with the most important one, the Digital Rights Ireland decision.91
4.1.1 Digital Rights Ireland
In the Digital Rights Ireland ruling, the CJEU declared the Data Retention Directive92 invalid. The court ruled that even though the fight against serious crimes is a legitimate purpose, the retention measures are not compatible with the principle of proportionality. Furthermore, the directive lacks safeguards for the protection of personal data and respect for private life.93
4.1.1.1 The Data Retention Directive (DRD)
The DRD aimed to harmonize a diverse field of national provisions concerning the retention of telecommunication data by providers of publicly available electronic communication services and public communication networks. The directive ensured data availability to prevent, investigate, detect, and prosecute serious crimes, especially for organized crime and terrorism.94 The DRD aimed at a more straightforward investigation for 'serious' crimes. The directive mandated that telecommunication service providers retain their customers' connection data between six months and two years and enable access for law enforcement agencies in an investigation.95
91 CJEU Joined Cases C-293/12 and C-594/12, Digital Rights Ireland Ltd (C-293/12) v Minister for Communications.
92 Directive 2006/24/EC.
93 Digital Rights Ireland.
94 CJEU, Press Release No 54/14.
However, the High Court of Ireland and the Verfassungsgerichtshof (Constitutional Court of Austria) challenged the directive's justifiability in the light of the fundamental rights, in particular Articles 7, 8, and 11 of the Charter, the fundamental rights to privacy, data protection, and freedom of expression. The CJEU followed their view and declared the directive invalid.96
The CJEU deemed the retention obligations in the directive disproportionate to the aim of fighting 'serious' crimes.97 As they put it: "Those data, taken as a whole, may allow almost exact conclusions to be drawn concerning the private lives of the persons whose data has been retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, the activities carried out, the social relationships of those persons and the social environments frequented by them."98
4.1.1.2 Court Ruling
The CJEU ruled that the DRD interferes with articles 7 and 8 of the Charter. However, they specified that it is not crucial for interference with article 7 if the information concerning customers' private lives is sensitive or if they have experienced inconvenience in any way.99 With regard to article 8 of the Charter, an interference occurs as soon as personal data is being processed.100
In the following, the court examined if the interference is justified since the protection of articles 7 and 8 of the Charter is not absolute. Article 52 (1) of the Charter contains a general exception clause that the court referred to. For an exception to be made, the four proportionality prongs (i) legitimate objectives, (ii) appropriateness, (iii) necessity, and (iv) proportionality sensu stricto must be met. The CJEU ruled that combating serious crimes constitutes an objective of general interest, but the measures were not proportionate to the pursued goals.
95 Article 29 Working Party, Opinion 4/2014, p. 4.
96 Digital Rights Ireland Case, para 73.
97 Digital Rights Ireland, para 27.
98 Ibid.
99 Ibid, para 33.
100 Ibid, para 34-37.
For this purpose, the court emphasized two prongs of the proportionality test; firstly, if the measures of the directive are appropriate for attaining the legitimate objectives pursued (necessity), which the CJEU affirmed. Secondly, if the data retention measures exceed the limit of what is strictly necessary regarding the purpose pursued.101 The court found that the discretion had to be reduced due to the seriousness of the interference caused by the combination of the fundamental rights at stake. 'Strictly necessary' therefore must be interpreted narrowly.102
The CJEU ruled that the DRD does not meet this criterion.103 The court emphasized that the DRD lacks safeguards and clear and precise rules concerning the scope and application for processing the data.104
They put a particular emphasis on the absence of limitations for data processing. The court ruled that the lack of constraints emerges in three different instances. The first instance concerns the initial phase of data collection and retention. In this respect, the DRD targets, in too generalized a manner and without any differentiation, exceptions, or limitations, all individuals, all the traffic data, and all means of electronic data.105
The court particularly criticized the absence of the necessity for a link. The DRD does not even call for an indirect or remote connection between the data to be retained and a threat to public security. According to the CJEU, this absence clearly exceeds the limits of what is strictly necessary.106 In consequence, they ruled that for the retention of data to be strictly necessary, it needs to be restricted to "(i) data about a particular time period and/or a particular geographical zone and/or to a circle of particular persons likely to be involved in a serious crime, or (ii) to persons who could, for other reasons, contribute to the prevention, detection or prosecution of serious offenses."107
101 Ibid, para 46.
102 Ibid, para 48.
103 Ibid, para 65.
104 Ibid, para 54.
105 Ibid, para 56, 57.
106 Ibid, para 58, 59.
Further, the CJEU critiqued the failure to lay down any objective criteria concerning the limits of access by the competent national authorities as well as the subsequent use of the data to a level that can be seen as strictly necessary for the prevention, detection, or criminal prosecutions of serious offenses.108 The court highlighted the absence of a mandatory review by a court or an independent administrative body prior to the competent authorities' access.109
Another point of critique was the data retention period between six and twenty-four months as exceeding the limit of what is strictly necessary. However, the critique does not lie directly in the length of the period itself but in the lack of differentiations considering the possible usefulness of the data in the objective pursued or the persons concerned. It was further critiqued that it lacks objective criteria to ensure that the retention period is limited to what is strictly necessary.110
Finally, the CJEU critiqued the absence of a sufficient level of safeguards that could ensure the protection of personal data against abuse and unlawful access.111 The court's primary critique was the lack of a provision that ensures that the data is retained in the EU. As a result, adequate controls of compliance with data protection requirements by an independent authority cannot be guaranteed.112
Concluding, the CJEU ruled that the EU legislature exceeded the limits derived from the proportionality principle concerning articles 7, 8, and 52 (1) of the Charter.113
107 Ibid, para 59.
108 Ibid, para 60, 61.
109 Ibid. para 62.
110 Ibid, para 63, 64.
111 Ibid, para 66, 67.
112 Ibid, para 68.
113 Ibid, para 69.
4.1.2 Tele2 Sverige Case
The Tele2 Sverige Case114 is a preliminary ruling about national provisions adopted after the CJEU declared the DRD invalid. Those provisions contained far-reaching data retention obligations combined with broad access rights. Therefore, the CJEU analyzed and examined the provisions' compatibility with articles 7, 8, and 11 of the Charter again.
The ruling builds upon the Digital Rights Ireland case. The CJEU confirmed and highlighted the incompatibility of surveillance measures in a generalized and indiscriminate way with the Charter, especially with articles 7 and 8. However, what makes this case interesting for the following analysis is that the court ruled that the targeted retention of data can be necessary in some circumstances. The court further specified the conditions and circumstances under which the targeted retention of data is proportionate.115
In the first part of the ruling, the CJEU reiterated the Digital Rights Ireland case's reasoning and once again examined if the data retention measures were strictly necessary for the pursued goals of fighting serious crimes, which will not be repeated here.116
However, in the second part of the ruling, the CJEU went beyond the Digital Rights Ireland judgment. The court laid down specifications under which data retention is consistent with articles 7, 8, and 52(1) of the Charter. The CJEU ruled that provisions must exhibit clear limitations to what is strictly necessary concerning the persons concerned, the means of communication affected, the categories of data to be retained, and the retention period adopted.117 Notably, the court stated that these criteria must be cumulative in contrast to the Digital Rights Ireland case. In the Digital Rights Ireland case, the court used the wording "and/or" and thus left the door open for data retention that is not targeted in terms of the public affected or the person concerned.118 To guarantee that the requirements are met, the court stresses once again the importance of laying down rules that are clear and precise concerning the scope and application of the retention measures and provide sufficient safeguards to establish adequate protection against misuse.119 The CJEU clarified that there must be a connection between the data to be retained and the provisions' objective. Further, there must be a link between the data subject and serious criminal offenses, whereby an indirect link suffices. As an example, the court mentions geographical criteria.120
114 Joined Cases C-203/15 and C-698/15 Tele2 Sverige AB v Post- och telestyrelsen and Secretary of State for the Home Department v Tom Watson and Others (‘Tele2 Sverige Case’).
115 Ibid, para 46, 112.
116 Ibid, para 94 – 107.
117 Ibid, para. 108.
118 Vermeulen (2017), pp 3,4.
The next section of the Tele2 Sverige Case focused on the access of the data. The CJEU ruled that the right to access a person's data necessitates a link between the objective to fight serious crimes and the retained data. The link must specifically exist with the person whose data is to be accessed. Moreover, the CJEU clarified that access to an individual's information always necessitates that the individual is (i) suspected of planning, committing, or having committed a serious crime or of being implicated in such a crime or (ii) in a particular situation if there is objective evidence that the data might effectively contribute to the combat of such crimes.121 Moreover, the court emphasized that access should only be granted after a preliminary review by a court or another independent administrative body, with the possibility of an exception in cases of validly established urgency.122 As soon as a notification no longer jeopardizes the investigation, the competent national authorities must notify the persons affected.123 Furthermore, the data must be retained in the EU and be irreversibly destroyed at the end of the retention period.124
As in the Digital Rights Ireland case, the CJEU concluded that the provisions exceed the limits derived from the proportionality principle regarding articles 7, 8, 11, and 52 (1) of the Charter.125
119 Ibid. para. 109.
120 Ibid, para 108, 109.
121 Tele2 Sverige Case, para 118, 119.
122 Ibid, para 120.
123 Ibid, para 121.
124 Ibid. para 122.
125 Ibid, para 112, 125.
4.1.3 PNR Canada Agreement (Opinion 1/15)
In 2017 the CJEU issued an Opinion about the PNR Canada Agreement, an agreement between the EU and Canada concerning the transfer, retention, and use of Passenger Name Record Data (PNR data) from the EU to Canada. Canada and the EU signed the agreement in 2014. However, before giving its approval, the EU Parliament requested the CJEU's opinion on the agreement's compatibility with EU law, especially with articles 7 and 8 of the Charter.126 Accordingly, the CJEU issued its opinion. In it, the CJEU laid down data protection requirements that the Union must adhere to and declared the agreement to be incompatible with the EU Charter.
The agreement included a multitude of personal data, even sensitive data. Regarding the former CJEU case law, the CJEU found the agreement clearly interferes with the fundamental rights to private life and data protection.127
The CJEU judged that some of the provisions were not clear and precise enough128 and that permitting the transfer of sensitive data on the grounds of its possible usefulness to combat terrorism and other severe transnational crimes does not justify an interference with articles 7 and 8 of the Charter. Such a transfer shall only be possible when there is a substantial purpose based on additional reasons.129
What is particularly interesting for this thesis is that the CJEU, in contrast to its previous case law, stated that the transfer of PNR data from every person traveling to Canada is within the limits of what is strictly necessary.130 Thus, they distanced themselves from the requirement of an immediate link between the data and the objective pursued.131
126 TFEU, 218(11).
127 Opinion 1/15 paras. 124-126.
128 Ibid, para 155.
129 Ibid, 165.
130 Ibid, para 189.
131 Ibid, para 186.
The CJEU justified this based on two arguments. The first argument is that all persons entering or leaving Canada are subject to border controls, including the passenger's identification with PNR data.132 The second argument the CJEU follows is that the information is collected in bulk. When the data is transferred, it is unclear which persons could pose a risk, and only those passengers posing a risk are then exposed to further inspections.133 If the data were sorted beforehand with categories such as geography, automated processing would not be successful.134
However, it could be that the relaxed requirements just arose from the circumstances of the situation of the case and cannot be generalized.
The CJEU further established that only specific, reliable, and non-discriminatory criteria can be used for the automated data processing to only target individuals suspected to be involved in or otherwise have a link to terrorist offenses or other serious transnational crimes.135 Moreover, because of an unavoidable margin of error that occurs when using automated processing, the results must always be checked by a natural person before introducing any measures against an individual.136
This indicates that, in the court's opinion, the strict requirement is fulfilled when the sorting of information that establishes the required link between the data and the objectives pursued occurs at a later stage.
Moreover, the use of the PNR data during a person's stay in Canada is only permitted in the case of new circumstances.137 The circumstances under which access is allowed have not been changed in the agreement and thus are the same as in the aforementioned decisions from the CJEU.138
132 Ibid, para 188.
133 Ibid, para 187.
134 Ibid, para 197.
135 Ibid, para 172.
136 Ibid, paras 169, 197.
137 Ibid, para 200.
138 Ibid, paras 190-192, 197, 200, 202.
After a person leaves Canada, the further retention of data is in general prohibited, except for the circumstance that an individual will continue to pose a risk for the objectives pursued even after they left the country.139
The CJEU further criticized that the agreement permitted the data's exposure to other authorities besides the competent Canadian authorities.140 They found that the agreement does not sufficiently define (i) the categories of data that are permitted to be disclosed; (ii) to whom the data can be made available; (iii) in which way or for what purposes the data can be used;141 (iv) legal requirements, legitimate interests of the person concerned and the limitations.142 The agreement did not even call for a link between the disclosure and the fight against terrorism or other serious transnational crimes.
The CJEU accordingly declared the agreement to be incompatible with the data protection legislation of the EU.
4.1.4 Privacy International and La Quadrature du Net and Others143
The CJEU issued two new judgments in three cases in France, the UK, and Belgium concerning the retention of communication data to fight serious crimes and safeguard national security on October 6, 2020.
139 Ibid, paras 205-207.
140 Ibid, paras 212, 215.
141 Ibid, para 216.
142 Ibid, para 217.
143 Case C-623/17 Privacy International, Joined Cases C-511/18 La Quadrature du Net and Others and C-512/18 French Data Network and Others, and Case C-520/18 Ordre des barreaux francophones et germanophone and Others.