KM_C554e-20171214131714
Dieses Dokument ist Teil der Anfrage „Akte zum Transparenzregister“
EUROPEAN DATA PROTECTION SUPERVISOR Opinion 1/2017 EDPS Opinion on a Commission Proposal amending Directive (EU) 2015/849 and Directive 2009/1 01/EC Access to beneficial owne�ship information and data protection implicati�ns �DP *** * * * * * * *•* 2 February 2017
The Europeon Data Profeetion Supervisor (EDPS) is an independent institution of the EU. The Supervisor is responsible under Article 41.2 of Regulation 45/2001 'With respect to the processing of personal data ... for ensuring that the fundamental rights and freedoms of natural persons, and in particular their right to privacy, are respected by the Community institulians and bodies ", and " ...for advising Community institutions and bodies and data subjects on all matters concerning the processing of personal data '. The Supervisor and Assistant Supervisor were appointed in December 2014 with the specific remit of being more constructive and proactive, and they published in March 2015 a jive-year strategy setting out how they intended to implement this remit, and to be accountable for doing so. This Opinion relates to the EDPS' mission to advise the EU institulians on the data protection implications of their policies and foster accountable policymaking - in line with Action 9 of the EDPS Strategy: 'Facilitating responsible and informed policymaking '. 2jPagc
Executive Summary On 5 July 2016, the Commission published a set of proposed amendments to the AML Directive and to Directive 2009/101/EC that aim at tackling directly and incisively tax evasion, in addition to anti-money lauodering practices, in order to establish a fairer and more effective tax system. This Opinion assesses the data protection implications of such amendments. In general, they seem to take a stricter approach than before to the problern of effectively countering anti-money lauodering and terrorism financing. In this respect, among other measures proposed, they focus on new channels and modalities used to transfer illegal funds to the legal economy (e.g. virtual currencies, money exchange platforms, etc.). While we do not express any merit judgment on the policy purposes pursued by the law, in this specific case, we are concerned with the fact that the amendments also introduce other policy purposes -other than countering anti-money lauodering and terrorism financing- that do not seem clearly identified. Processing personal data coUected for one purpose for another, completely unrelated purpose infringes the data protection principle of purpose Iimitation and threatens the implementation of the principle of proportionality. The amendments, in particular, raise questions as to why certain forms of invasive personal data processing, acceptable in relation to anti-money lauodering and fight against terrorism, are necessary out of those contexts and on whether they are proportionate. As far as proportionality is concerned, in fact, the amendments depart from the risk-based approach adopted by the current version of the AML Directive, on the basis that the higher risk for anti-money laundering, terrorism financing and associated predicate offences would not aUow its timely detection and assessment. They also remove existing safeguards that would have granted a certain degree of proportionality, for example, in setting the conditions for access to information on financial transactions by Financial Intelligence Units. Last, and most importantly, the amendments significantly broaden access to beneficial ownership information by both competent authorities and the public, as a policy tool to facilitate and optimise enforcement of tax obligations. We see, in the way such solution is implemented, a Iack of proportionality, with significant and unnecessary risks for the individual rights to privacy and data protection. 3IPage
TABLE OF CONTENTS Contents 1 INTRODUCTION .............................................•......................................... ..•...........•.....•.......•.......•.•..•...•.. 5 1.1 BACKGROUND ON THE ANTI-MONEY LAUNDERING DIRECTIVE ... ....................................... 5 . 1.2 THE PROPOSAL: ADDRESSING TAX EVASJON AND TERRORJSM FINANCING .. ....... ....... .. 5 . . . . 1.3 SCOPE OFTHIS OPINION ................... ............................................... .. ..... ................ . . . . ... .. .... . . . . .. 6 . .... . . . 2 THE DRAFT COMMISSION PROPOSAL .............................................................................................. 7 2.1 THE POLICY APPROACH UND ER THE CURRENT VERSION OFTHE AML DIRECTIVE ...... .. 7 . 2.2 PROPOSED AMENDMENTS TO THE AML DIRECTIVE AND DIRECTIVE 2009/101/EC WITH AN IMPACT ON THE RJGHT TO DATA PROTECTION . .. . .. . . .. .. .... . ...... ..... . ... .. . . . . .. ..... . ... .......... .. .... ... . 7 .. .. . . . . 3 MAIN DATA PROTECTION IMPLICATIONS OF THE COMMISSION PROPOSAL ................... 8 3.1 PRINCIPLE OF PURPOSE LIMITATION ........ .. .. .. .. ..... ......... . .. . ... .... ...... ... ...... ....... ... ....... 8 .. . . . . . . . .. . . . . . . .. . The principle ofpurpose Iimitation in the Proposal ...... .. . . . . .. . ........... .. . . .... .. ............ ... ... . . . ..... 8 . . . ... . . The compromise solution in the Council Position . ..... .... ..... ...... .... ...... ............. . .. . ....... JO . .. . . . . . . ... .. . . 3.2 PROPORTIONALITY ........................................................................................................................... 11 The principle ofproportionality in the Proposa/. ... . . .. . . . .. .. . .... ..... ... . ... ... . ... .. .. ...... .... .. . .. .. 12 . . . . . . .. .. . . . 4 CONCLUSION .......................................................................................................................................... 14 NOTES ........................................................................................... ..................................................................... 16 41Pagc
THE EUROPEAN DATA PROTECTION SUPERVISOR, Having regard to the Treaty of the Functioning of the European Union, and in particular its Article 16, Having regard to the Charter of Fundamental Rights of the European Uruon, and in particular Articles 7 and 8 thereof, Having regard to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Having regard to Regulation (EC) No 45/2001 of the European Parliament and ofthe Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data, and in particular Articles 28(2), 41(2) and 46(d) thereof, HAS ADOPTED THE FOLLOWING OPINION: I INTRODUCTION 1.1 Background on the anti-money lauodering Directive I . In May 2015 a new EU directive against anti-money laundering ("AML Directive") 1 was adopted. The stated objective of the new Iegislation is to improve the tools to counter money laundering, as flows of illicit money threaten to darnage the integrity, stability and reputation of the financial sector, as weil as the internal market of the Union and international development. 2. The protection of the soundness, integrity and stability of credit institutions and financial institutions and the confidence in the financial system are not the only policy goals pursued by the AML Directive. Indeed, in June 2003, the Financial Action Task Force (FATF2) revised its Recommendations to cover terrorist fmancing, and provided more detailed requirements in relation to customer identification and verification. lt pointed to the situations where a higher risk of money laundering or terrorist financing might justify enhanced policy measures and also to situations where a reduced risk might justify less rigorous controls. 3. The AML Directive, as a consequence, provides an articulated set of rules designed to prevent both anti-money laundering and terrorism financing through illicit fmancial flows. It enacts a risk-based application of customer due diligence to suspicious transactions. 1t , relies on the acquisition and analysis of beneficial ownership information and on the coordinated investigative activities of FIUs (Financial Intelligence Units) established in Member States. 1.2 The Proposal: addressing tax evasion and terrorism financing 4. On 2 February 2016, the European Commission published a Communication laying down an Action Plan for strengthening the fight against terrorism financing, including amendments to the AML Directive to target anti-money Iaundering through transfer platforms and virtual currencies and re-designing the roJe of FIUs3.
5. Also, financial scandals4 and an increased risk of tax evasion seem to have drawn the attention of the Commission to the need to re-calibrate the action of the AML Directive and aim it more directly towards tax evasion, which, under the current version of the Directive, is just seen as a source of illicit funds, but not directly targeted. 6. On 5 July 2016, the Commission published a set of proposed amendments (the "Proposal") to the AML Directive and to Directive 2009/101 /EC that, in the context of a coordinated action with the 020 and the OECD, aim at tackling directly and incisively tax evasion by both legal and natural persons with the purpose of establishing a fairer and more effective tax system5. We note in this context that, contrary to recital (42), the EDPS was not consulted prior to the adoption of the Proposal6• 7. The Opinion of the EDPS was later solicited by the Council of the European Union, which, on 19 December adopted a compromise text on the Proposal ("Council Position"7). The Council Position aims at amending only the AML Directive (and not Directive 2009/101/EC) and focuses mainly on anti-money laundering and terrorism fmancing. While the purpose of fighting tax evasion is no Ionger explicitly mentioned, tools that, in the Proposal, were designed to achieve that purpose ( e.g. public access to beneficial ownership information and access by tax authorities to anti-money laundering information) remain in place, although modified to a certain extent. 1.3 Scope of this Opinion 8. This Opinion analyses the impact of the Proposal on the fundamental rights to privacy and data protection. We also give account on how such impact changes, following the adoption of the Council Position. 9. The Opinion also assesses the necessity and proportionality of personal data processing taking place under the proposed amendments to the AML Directive in the light of the policy purposes identified by the law. When we refer to the Proposal, although it proposes amendments to two distinct directives, we treat it as a single, integrated policy tool. 10. The interaction of public policy with fundamental rights has already come to the attention of the courts. In its Digital Rights Ireland case8, the Court of Justice recognises that the fight agairrst international terrorism and serious crime constitutes an objective of generat interest9. Since, however, the legal tools enacted to pursue that objective interfere with the fundamental rights to privacy and data protection, it is necessary, according to the Court, 10 to assess the proportionality of such measures . 11. The purpose of this Opinion, therefore, is not to express any merit judgment on the choice of the policy objectives the legislator decides to pursue. Our attention, instead, focuses, in the tools and modes of action that the law adopts. lt is our purpose to ensure that legitimate policy goals are effectively and timely pursued, with the minimurn interference with the exercise of fundamental rights and in full respect to the requirements of Art. 52(1) of the Charter ofFundamental Rights of the EU. 6IPage
2 TUE DRAFT COMMISSION PROPOSAL 2.1 The policy approach under the current version of the AML Directive 12. The AML Directive aims at detecting illegal anti-money laundering, both in cases where the financia1 system is used to introduce in the legal economy resources originating from illegal activities and where such resources are destined to finance terrorist organisations. Tax crimes are relevant, but only to the extent that they are capable of generating illegal resources that later are injected in the legal economy11• 13. The approach to anti-money laundering is risk based: less risky situations justify less intrusive procedures12• lt is clear, therefore, that a risk-based approach is more in line with the essential princip1e of proportionality and tends to determine a positive outcome also in terms of personal data processing. 14. The AML Directive provides for the processing of information concerning beneficiary information, in order to allow a more incisive action against anti-money laundering. Also, it provides that Member States should ensure that persons who are able to demonstrate a legitimate interest with respect to money laundering, terrorist financing, and the associated predicate offences, such as corruption, tax crimes and fraud, are granted access to beneficial ownership information, in accordance with data protection rules13. 15. The AML Directive, also recognises tax crimes - as defined by national legislation - as criminal activity capable of generating financial proceeds that enter the illegal circuit of money laundering. However, the Directive, as it currently stands, does not identify the fight against "tax evasion" as one of its public policy purposes. Indeed, other legislative instruments at EU level, such as Directive 2011/16/EU, already perform this function. 16. The AML Directive reserves the investigation and enforcement of criminal activities to the public competent authorities. In this respect, private parties active in the financial markets (whether financial institutions or trustees) are merely requested to provide information to the competent authorities in charge. Under no circumstance, a private subject or entity is, either formally or informally, directly or indirectly, entrusted with an enforcement ro1e. 2.2 Proposed amendments to the AML Directive and Directive 2009/101/EC with an impact on the right to data protection 17. Observing that terrorism is able to receive financial support through multiple channels, including virtual currencies and money transfer platforms, the Commission has opted for revising the AML Directive, taking a stricter approach to due di1igence. Also, prompted by the "Panama papers" scanda1, the Commission proposed measures to increase the transparency of the financia1 system and made tax evasion a primary concem of the Directive (as opposed to being a mere predicated crime)14. 18. The Council Position does not exp1icitly refer to tax evasion as a purpose for the amendments to the AML Directive. Nonetheless, tax authorities are given extensive access to information collected for anti-money laundering purposes. Also, provisions on access to beneficia1 ownership information remain in the text, with modifications we will further discuss in the paragraphs be1ow. ?!Page
19. Without questioning the merits of such policy choices, we need, at the same time, to Iook at the amendments from a data protection perspective and assess how the Proposal (and the Council Position) would affect, in particular, purpose Iimitation and proportionality. 3 MAIN DATA PROTECTION IMPLICATIONS OF THE COMMISSION PROPOSAL 3.1 Principle of purpose Iimitation 20. According to the purpose Iimitation principle, personal data may only be collected for specified, explicit and legitimate purposes and not further processed in a manner which is incompatible with those purposes15• We consider such provision particularly important for public policies interfering with personal data protection, because the proportionality of the processing will have to be measured against the policy purpose selected by the legislator16. 21. We consider, in that respect, that legislative instruments that allow multiple andlor simultaneous personal data processing by different data controllers and for incompatible purposes, without specifying the purpose each data processing is designed for, risk introducing significant confusion as to the implementation of the proportionality principle. 22. Therefore, the respect of the principle of purpose Iimitation is essential, particularly in cases where the law allows two categories of data Controllers to process data and they do not necessarily process data for the same purpose17• 23. In cases where the purposes for data processing are defmed in broad or vague tenns, where the data controllers have a completely different relation with the purpose pursued, both in terms of structure, resources and ability of each controller to comply with the rules in certain specific circumstances, the principle of purpose Iimitation is formally and substantially undermined, with the consequence that also the principle of proportionality will not be duly implemented. The principle o[purpose Iimitation in the Proposal 24. The draft Proposal clearly targets anti-money laundering, with a focus on new channels and modalities used to transfer illegal funds to the legal economy (e.g. virtual currencies, money exchange platforms, etc.). In general, it seems to take a stricter approach than before to the problern of effectively countering anti-money laundering and terrorism financing, but this does not affect our assessment on whether the amendments comply with the principle of purpose Iimitation. 25. We are concemed, instead, with the fact that the Proposal introduces other policy purposes -other than countering anti-money laundering and terrorism financing- that do not seem clearly identified and, therefore, raises questions as to why certain forms of invasive personal data processing, acceptable in relation to anti-money laundering and fight against terrorism, are necessary out of those contexts and on whether they are proportionate. 26. We refer, in particular, to the fight against tax evasion as a specific goal of the new legislation (in the original AML Directive, tax crimes were relevant merely as source of illicit funds, but not directly targeted and enforced). 81Pagc
27. The Proposal also generically mentions the "fight againstfinancial crime" and "enhanced corporate transparency" as policy goals18• With respect to the latter, public access to beneficiary information is foreseen, in order to protect minority shareholders19 and third parties20. 28. We observe, in this respect, that, as the description of the purpose for processing personal data progressively departs from the original anti-money lauodering objective, it also becomes less determinate. At one point, for example, the Proposal indicates that "the disclosure of beneficial ownership information should be designed to give governments and regulators the opportunity to respond quickly to alternative investment techniques, such as cash-settled equity derivatives"2 • 1 29. If we observe, at this point, the composite scenario designed by the Proposal, we notice that under the new provisions, personal data would be processed for a number of purposes: countering anti-money lauodering and terrorism fmancing; countering tax evasion (and elusion); preventing financial crimes and/or abuses of the financial markets; enhancing corporate transparency (necessary, in turn, to protect minority shareholders of corporations as well as any third party doing business with such corporations); give governments and regulators the opportunity to respond quickly to alternative investrnent techniques; allow public scrutiny on the functioning of financial markets, on investors and on tax evaders. 30. Processing personal data collected for one purpose for another, completely unrelated purpose infringes the data protection principle of purpose Iimitation and threatens the implementation of the principle of proportionality. 3 1. In addition, in relation to the purposes mentioned above, we observe that various controllers are foreseen to process personal data: competent authorities in charge of investigating anti-money laundering; obliged entities under the AML Directive (e.g. banks, fmancial institutions, virtual currency providers, etc.); competent authorities investigating terrorism; FIUs (whatever their legal form and status under national law); competent authorities in charge of tax evasion; NGOs carrying out investigative activities in relation to the functioning of fmancial markets and tax evasion; the press and the public at !arge. In this respect, the problern is that these controllers significantly differ from each other. If they act for different purposes, these, as seen, do not appear sufficiently specified. lf, on the contrary, they pursue the same purpose, they might do so according to different "standards", in terms of ability to comply with data protection rules, or may carry out data processing which is not proportional to the purpose sought. 32. In relation to the preceding paragraphs, we note that, in expanding the purpose of data processing beyond the initial anti-money lauodering purpose, the Proposal introduces a significant degree of uncertainty as to the purposes pursued and on the controllers entrusted with them22• This uncertainty reduces data protection safeguards, such as the proportionality between personal data processing and the purpose that processing serves. As mentioned, we do not express any merit judgment on the policy purposes identified by the legislator, nor on the legislative tools designed to pursue such goals. What we are concerned about is that any processing of personal data shall serve a legitimate, specific and weil identified purpose and be linked to it by necessity and proportionality. The data controller performing personal data processing shall be identified and accountable for the compliance with data protection rules. 91Pagc
The compromise solution in the Council Position 33. The Council Position, probably as a consequence of the debate stirred by the Proposal, seems to define purpose with slightly more clarity, shift the focus from the fight to tax evasion back to anti-money laundering. 34. We also note, however, that certain data processing operations remain in the law, which cannot be precisely linked to a specific purpose. We refer, in particular, to access to beneficial ownership information. 35. In fact, the Council Position provides, in the recitals, that information on beneficial ownership of trusts and similar legal arrangements should be made available to any person demonstrating a legitimate interest. Such information is also expected to contribute to "increased trust in the integrity of the financial system by enabling those who are in a position to dernonstrafe Iegitimale interest to become aware of the identity of the beneficial owners". In addition, access to this information would help investigations on money laundering, associated predicate offences and terrorist financing23. 36. Member States are entrusted with the task to define the concept of legitimate interest. In addition, "with a view to further enhance transparency of business transactions and financial system", Member States may grant wider public access in their national legislation to information on beneficial ownership. lf they do so, they shall have due regard to the right balance between the public interest to combat the money laundering and terrorist financing and the protection of fundamental rights of individuals in particular the right to privacy and protection of personal data24. 37. We observe that this new approach materialises in the amendment of Articles 30 and 31 of the AML Directive. The former confmns the (already existing) right of any person with legitimate interest to access beneficial information of corporations and Article 31 introduces such right in relation to trusts. Both articles leave to Member States the possibility to grant even wider access (to entities without legitimate interest, perhaps?). Both provisions mandate cooperation with the Commission (and Article 30 also between Member States) to implement this kind of access. 38. The Council Position also makes an effort to link access to beneficial ownership infonnation to the purpose of fighting money laundering. In recital (35), in fact, it is stated that "the need for accurate and up-to-date information on the beneficial owner is a key factor in tracing criminals who might otherwise be able to hide their identity behind a corporate structure". If such a Statement clarifies the purpose of personal data processing by competent authorities, it does not say much as to the purpose for "access by any person with Iegitimale interest" and possible "wider access" granted to Member States and, even considering as valid the transparency purposes stated in other recitals (see above), serious doubts arise in connection to the proportionality of such access provisions. 39. If we Iook at the compromise solution ernerging from the Council discussions, we do not see substantial changes compared to the Commission Proposal. The Council Position does not mention the fight to tax evasion as a purpose any more. Nonetheless, access to beneficial ownership information is confirmed (for purposes such as fighting anti-money laundering and increasing transparency of financial markets), giving to Member States the power to define the notion of legitimate interest and to grant even wider access. lOIPage