The relationship between the Fifth Anti-Money Laundering Directive (EU) 2018/843 and the GDPR (Regulation (EU) 2016/679) has been thorny ever since the first directives of the previous anti-money laundering legislation were promulgated. The need to access and share identifiable information about certain natural persons must be limited and must comply both with the Directive and with the basic principles of the GDPR.
This analysis focuses on the real impact and scope that data protection legislation, both at the European level (GDPR) and at the Spanish national level (LOPDGDD), can have on anti-money laundering regulation, and on the relationship between the two. With clearly established limits and obligations it would be easier to determine the effective scope of the legitimate interest that public authorities may invoke to enable the processing of personal information, and thus to ensure respect for the fundamental rights to privacy and to the protection of personal data, which are widely recognized and agreed at the European level.
Certainly, opening a possible (and surely necessary) anti-money laundering investigation cannot, or should not, in any case violate or diminish rights recognized at the highest possible level, that of fundamental rights.
On January 10, 2020, the deadline for transposing the Fifth Anti-Money Laundering Directive expired. In November 2018 the Ministry of Economy and Business (now the Ministry of Economic Affairs and Digital Transformation) had already published the mandatory public consultation. That document stated that it was the right moment to make other necessary changes to Law 10/2010, including a review and update of its data protection provisions. Only after the European Commission warned Spain and several other Member States to transpose the Fifth Directive, threatening to open infringement proceedings, was the amendment of Law 10/2010 (Royal Decree-Law 7/2021, of April 27) finally published, on April 28, 2021.
Since the enactment of the previous Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, the catalog of objectives of the European anti-money laundering rules has been updated several times.
With the entry into force of the Fifth Directive (EU) 2018/843, this numerus clausus of objectives has been enlarged in a way that currently cannot be clearly delimited. Given its impact on privacy and on the principles of purpose limitation and proportionality in the processing of personal data, this raises serious doubts about the specific limits that the two disciplines must observe in their interrelation.
One of the key points of friction between the GDPR and Directive 2018/843, and one that raises deep and controversial doubts about the level of compliance required of the actors, public or private, that request information in the course of an investigation, concerns precisely the access they may have to certain personal information of beneficial owners.
There are other issues that generate possible conflicts between the European (and national) rules on the prevention of money laundering and terrorist financing and data protection: destruction, within the correct period, of the documentation obtained when applying due diligence measures; whistleblowing channels; the prohibition of disclosure between the obliged person and the client; and the long-standing issue of lawyers' professional secrecy. Here, however, we would like to focus on access to information from the register of beneficial owners of commercial companies and other legal persons.
As the past has shown us (through both successes and failures), access to beneficial ownership information is key to effectively fighting money laundering and terrorist financing.
According to article 30.5 c), read together with recital 14 of Directive (EU) 2018/843, Member States are obliged to ensure that “those persons who are capable of demonstrating a legitimate interest regarding money laundering, terrorist financing […] corruption, tax evasion and fraud” have “access to beneficial ownership information, in accordance with data protection regulations”.
The next question raised by this empowerment is: what specific information does the Anti-Money Laundering Directive refer to?
The same precept gives the answer. Article 30.5 distinguishes three groups of persons entitled to access the register:
- The competent authorities and the Financial Intelligence Units (FIUs), without any restriction.
- Obliged entities, within the framework of customer due diligence.
- Any member of the general public*.
For the last group the Directive sets a minimum content: “The persons referred to in letter c) will be allowed access, at least, to the name and surname, month and year of birth, country of residence and nationality of the beneficial owner, as well as the nature and extent of the beneficial interest held.”
*The general public was not covered by the Fourth Anti-Money Laundering Directive.
In particular, a new and specific ground appears in that catalog of purposes that may enable processing, and more specifically transfer, of personal data to other actors, not always public bodies: the so-called fight against tax evasion. The 2015 Directive did not contemplate it as a purpose; tax evasion was mentioned there only as relevant because it was a possible source of illicit funds, without being explicitly identified as a mandatory objective.
Other purposes not previously included are:
- The generically mentioned “fight against financial crime”.
- “Improved corporate transparency”, with the aim of protecting minority shareholders of private companies, as well as third parties who may carry out operations with them.
- The fight against tax evasion and avoidance.
- Prevention of financial crimes and/or abuse of financial markets.
- Providing governments and regulators with a rapid response mechanism against alternative investment techniques (crypto-assets, etc.).
- Allowing public scrutiny of the functioning of financial markets, in relation to investors and tax evaders.
What is truly interesting from a privacy standpoint is not just the inclusion of these new objectives, but the lowering of the privacy safeguards that govern the proportionality between the processing of personal information and the purpose it serves.
To put it more clearly: in addition to the purposes named above, there may be several data controllers of the personal data, depending on the data transfers that can be made:
- Of course, the Financial Intelligence Units, whatever their legal form, in accordance with the national law of each Member State.
- Obliged subjects under Directive 2018/843 (banks, financial institutions, crypto-asset service providers, etc.).
- Other authorities competent to carry out investigations related to tax evasion: NGOs with investigative functions, other public agents, etc.
Under the purpose limitation principle of the GDPR (art. 5.1 b), any processing of personal information must serve a specific, explicit and delimited purpose, which ties in directly with the principle of proportionality (art. 52 of the Charter of Fundamental Rights of the European Union). In this respect, the Fifth Directive allows Member States to exempt the obligation to grant access to all or part of the beneficial ownership information in specific cases and exceptional circumstances, to be laid down in national law, where such access would expose the beneficial owner to a disproportionate risk, a risk of fraud, kidnapping, extortion, harassment, violence or intimidation, or where the beneficial owner is a minor or otherwise legally incapacitated.
Another relevant point from a privacy standpoint concerns the mandatory appointment of a Data Protection Officer (DPO).
The rule that sheds some light on whether this figure must be appointed by the entities responsible for common files for assessing solvency and creditworthiness, or for shared files for fraud management and prevention, is Spanish Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights, better known as the LOPDGDD, in its art. 34.1 j).
In its catalog of obliged persons, that rule expressly mentions those responsible for the files regulated by the legislation on money laundering and terrorist financing. Interpreted literally, and following the criterion set by the Spanish Data Protection Agency (AEPD), only “the managers of the common files detailed in art. 33 of Law 10/2010, of April 28, on the prevention of money laundering and terrorist financing” would be required to designate a DPO (DPD in Spanish).
However, the issue does not seem settled, since in another statement the AEPD itself openly declared that, “as a consequence of the activity that is generally carried out, many subjects should have a Data Protection Officer”.
Indeed, there is no consensus on this question, and it was necessary to wait for the effective transposition of the Fifth Directive, as well as for the possible novelties brought by the Sixth Directive, which is still being incorporated into our legal system.
The final transposition of the Fifth Directive in Spain in April 2021 does not resolve many of the points discussed so far, as it is limited to a literal transposition of the Directive. The main changes are in article 32 of Law 10/2010, which now establishes that, in order to comply with Organic Law 3/2018, of December 5, and Regulation (EU) 2016/679, clients must be informed of the obligations of obliged subjects, and that the data collected by obliged subjects to fulfil their due diligence obligations may not be used for other purposes.
Obliged subjects must also carry out a Data Protection Impact Assessment (DPIA) of these processing operations in order to adopt reinforced technical and organizational measures guaranteeing the integrity, confidentiality and availability of the personal data. Those measures must in any case guarantee the traceability of accesses to, and communications of, the data, that is, an audit trail of who accessed or transmitted which data and when.
Finally, it should be noted that the future will bring other thorny issues to resolve between the fight against money laundering and adequate data protection. Besides the clear need for obliged persons to share much more information among themselves (communication is currently very limited, which is a weakness), there is the increasing use of OSINT (open source intelligence). Through web scraping and searches carried out by analysts, obliged persons will incorporate information from open sources (social networks, blogs, payment databases, the deep web, etc.) to identify money laundering and terrorist financing risks. This will surely be one of the new friction points that will have to be resolved. Another is how to comply with the GDPR in relation to public blockchains, which may contain personal information, but that can be discussed in another article (or two…).