FIU cooperation - at what cost for the rights to privacy and data protection?

It is not, of course, possible to carry out here an exhaustive assessment of the privacy and data protection challenges that emerge out of the cooperation between EU FIUs. Instead, this section highlights the areas that are cause for concern.

The first point of concern arises from the fact that FIUs in the EU reflect different institutional models. In the case of administrative (and sometimes hybrid) FIUs, the agency that receives STRs is kept separate from the agency that investigates on the basis of these reports (hence their comparison to a ‘buffer’).[1] This separation sends the message that the suspicious transactions reporting system is not directly linked to criminal investigations and proceedings.[2] This institutional setting is particularly beneficial for individuals, as it better safeguards the rights to privacy and data protection.[3] This is because the information included in an STR is governed by different sets of data protection safeguards during the analysis (by the FIU) and investigation (by, say, law enforcement) stages, respectively;[4] after all, the purpose of the analytical stage is to determine if a transaction merits further investigation. If the reported transaction is declared suspect by the FIU, the information is from then on governed by a separate data protection regime, which allows the FIU to share it with a series of national authorities in the sphere of law enforcement and beyond.[5] By contrast, some police FIUs[6] do not maintain a strict separation between the analysis of STRs and criminal investigations.[7] In Austria, for instance, STRs are not pre-sorted (to determine whether the suspicion is, indeed, substantiated), but the full range of investigative powers available to law enforcement authorities may be employed in response to each and every report.[8] The merging of the two activities not only conflicts with the Fourth AML Directive (investigation is not amongst the FIU functions)[9] but also runs counter to the data protection principle of purpose limitation.[10] Thus, a strong argument can be made that, by calling upon FIUs to ‘cooperate with each other to the greatest extent possible, regardless of their organisational status,’[11] the EU legislator undermines the privacy and data protection safeguards guaranteed by the establishment of an administrative FIU, since the latter is called upon to routinely share personal data that is kept outside the criminal justice system with EU FIUs that do not maintain the same strict separation.

The further use and dissemination of the transmitted information is also problematic.[12] In the previous section, it was revealed that if the receiving EU FIU wishes to share information received from another FIU with, say, a local police authority, it needs to obtain the prior consent of the providing FIU.[13] Yet, in a recent meeting of the EU FIUs Platform, ‘two FIUs indicated a challenge within their national legislation that the prosecutors are not bound by the FIU prior consent rules.’[14] Therefore, a contradiction arises between the EU provisions on FIU cooperation and some national laws, a contradiction that may give rise to the use of information for purposes other than those authorised by the providing FIU (such as evidentiary purposes). In these circumstances, the data protection principle of purpose limitation is, once again, at stake. This observation leads to another interesting point - the potential loss of control of the exchanged information. How can an FIU that disseminates information to its EU counterpart be realistically expected to ensure that the information’s subsequent uses take place within the parameters of its authorisation? The EU legislator has not touched upon this issue, but it raises a real practical problem given the large amounts of data exchanged between FIUs.[15]

Moving on, and as noted earlier, Article 53(1) of the Fourth Directive requires EU FIUs to promptly forward a STR that concerns another Member State to the FIU of that Member State. This provision was introduced to address the conundrum whereby certain companies, established in one Member State but operating under the freedom to provide services, had to file a report on suspicious transactions to the FIU of the Member State of their establishment, even when the suspicious transaction took place in a different Member State. For instance, Amazon is registered in Luxembourg but operates throughout the EU. If Amazon becomes aware of a suspicious transaction, say, in Germany, it still has to file the STR with Luxembourg’s FIU.[16] But Luxembourg’s FIU cannot effectively investigate suspicious transactions taking place in Germany. Article 53(1) found a way around this, by requiring the FIU of Luxembourg to share the STR with the German FIU. This provision applies irrespective of whether the STR involves (in the FIU’s opinion) substantiated suspicion or not; the mere fact that there is a link to another Member State is enough to trigger the obligation to share it. Clearly, this requirement is underpinned by a ‘data sharing by default’ attitude, which raises the question whether the routine transfer of information that involves unsubstantiated suspicion to another EU FIU constitutes a necessary and proportionate interference with the rights to privacy and data protection.[17]

The possibility for ‘joint analysis’ amongst EU FIUs presents further challenges. The Fifth AML Directive cursorily mentions ‘joint analysis,’[18] but its far-reaching potential has nonetheless been noticed by FIUs. In fact, they have been working intensely, under the umbrella of the EU FIUs Platform, to develop ‘new ways for FIUs to work together to have a common output at the end - with actionable outcome.’ Thus, the platform has been coordinating pilot projects on joint analysis as a kind of trial run, aiming to uncover legal and operational obstacles to joint analysis and to search for solutions. The first such project, led by the FIU-the Netherlands, focused on the joint analysis of financial flows related to EU-wide migration crimes.[19] The idea was to identify ‘red flag indicators’ of financial transactions relating to these crimes, which would serve as a basis for reporting suspicious activities to the competent authorities. The FIU.net comes into play here; the participating FIUs created ‘Ma3tch’ filters, which contained 2,000 subjects. The results of the project revealed several legal, IT, and operational obstacles. Leaving the practical issues aside, the participating FIUs notably observed that some national legal frameworks did not allow FIUs to create ‘Ma3tch’ filters by using law enforcement and tax data (alongside FIU data).[20] But, according to the platform, cross-matching solely between FIU data is not enough for joint analysis to be effective.[21] Whilst FIUs are looking to ‘open up databases as much as possible,’[22] the Fifth AML Directive provides no guidance as to what constitutes joint analysis, what type of data can be shared for those purposes, and under what data protection safeguards. These are important questions for the EU legislator, not least because a lack of legal clarity is a breeding ground for disproportionate data processing by FIUs, which remain free to determine the answers to those questions themselves.

A final problem is that information exchanges between FIUs do not take place under a clear legal environment - and the same applies to the applicable data protection framework too. On the one hand, FIU cooperation is governed (simultaneously) by the Fifth AML Directive and by the 2000 Council Decision (terrorist financing excluded). On the other hand, the data protection framework applicable to EU FIUs remains uncertain.[23] Under the reformed EU data protection framework, the General Data Protection Regulation (GDPR) governs general data processing, but a different instrument, which replaced the Council Framework Decision 2008/977/JHA, governs law enforcement processing - the Data Protection Law Enforcement Directive (‘the Directive’).[24] So, which of the two instruments applies to the processing of data by FIUs? In short, the Member States can decide, in accordance with their legal framework. In the Commission’s view, FIUs, as a public administration, are subject to the GDPR.[25] Still, in a recent meeting of the EU FIUs Platform, ‘concerns were raised with regards to the applicability of the GDPR versus the Directive in general and more specifically to administrative FIUs.’[26] In fact, FIUs in the EU continue to be subject to different data protection frameworks, which in turn translates into uneven data protection safeguards. For instance, the UK FIU applies the GDPR, whereas the Luxembourg FIU applies the Directive.[27] This divergence will give rise to challenges for FIU cooperation, since the information exchanged between them will be protected in different ways. The question also arises whether it is lawful, from a privacy and data protection perspective, to require an EU FIU that maintains stricter data protection safeguards (for instance, short data retention periods) to provide STR information to an EU counterpart with lower safeguards in place.

Concluding remarks

This chapter has followed the evolution of the EU’s legal framework on FIU cooperation. For the most part, the EU legislator refrained from introducing detailed provisions on FIUs, even more so when it came to the exchange of information between them. Eventually, however, the pressure for more effective and widespread sharing of financial information altered this laconic stance. The series of sporadic legislative interventions that followed aimed to facilitate FIU cooperation and, indeed, they did so. However, the existing patchwork of loosely defined transnational FIU functions raises several challenges for the rights to privacy and data protection.

Policymakers tend to treat information sharing amongst EU FIUs as an operational issue, but there is also a fundamental rights dimension to it which must not be overlooked. Highlighting this dimension is even more important at a time when FIUs are seeking to increase their engagement with IT tools, such as the FIU.net and the accompanying ‘Ma3tch’ tools, which automate part of their information-sharing functions, extend their capabilities,[28] and give them the opportunity ‘to act as one, without the necessity to become one.’[29]

  • [1] However, the FIU of Cyprus, for instance (which is located in the Attorney General’s Office but classifies itself as a hybrid FIU), does not adhere to this logic. Though an investigation is generally only initiated after the conclusion of the analysis stage, the practices of the Cypriot FIU reveal that such separation does not always exist; in certain instances, the two functions may be undertaken simultaneously, or investigatory tools may be employed during the analysis stage. See Council of Europe, Moneyval, Anti-Money Laundering and Combatting the Financing of Terrorism, Report on Fourth Assessment Visit of Cyprus (2011) 52.
  • [2] Mitsilegas and Vavoula (fn 50).
  • [3] Ibid.
  • [4] De Goede (fn 9) 12-13.
  • [5] The Dutch FIU, for instance, receives ‘unusual transaction reports’ (UTR), which are stored in the UTR database. It then proceeds to analyse them, and only those that are declared ‘suspicious transaction reports’ are included in the STR database, which is accessible to law enforcement. The data included in the UTR database are classified as ‘personal data,’ whereas those in the STR database are classified as ‘police data’ and are governed by a different legal framework. See FATF, Anti-Money Laundering and Counter-Terrorist Financing Measures: Mutual Evaluation Report of the Netherlands (25 February 2011) 91-95.
  • [6] Similar observations apply to some judicial FIUs: EU FIUs Platform, ‘Mapping Exercise’ (fn 13) 123; FATF, Anti-Money Laundering and Counter-Terrorist Financing Measures: Mutual Evaluation Report of Luxembourg, Executive Summary (19 February 2010) 7.
  • [7] EU FIUs Platform, ‘Mapping Exercise’ (fn 13) 8, 116.
  • [8] FATF, Anti-Money Laundering and Counter-Terrorist Financing Measures: Mutual Evaluation Report of Austria (26 June 2009) 73.
  • [9] Fourth AML Directive, art.32(3).
  • [10] General Data Protection Regulation, art.5(1)(b); art.8(2) of the Charter of Fundamental Rights.
  • [11] Fourth AML Directive, art.52.
  • [12] Article 29 Working Party, Opinion 14/2011 on Data Protection Issues Related to Money Laundering and Terrorist Financing (01008/2011/EN WP186, 13 June 2011), Annex at 17.
  • [13] Fourth AML Directive, art.55(1). Refusal of prior consent is possible under art.55(2).
  • [14] EU FIUs Platform, ‘35th Meeting of the EU FIUs Platform’ (, 2018) para. 9.
  • [15] This problem has been acknowledged by the Commission: European Commission (SWD (2017) 275 final) (fn 15) 6. See also Joined Cases C-293/12 and C-594/12 Digital Rights Ireland Ltd v. Ireland (08.04.2014) para. 60-62.
  • [16] EU FIUs Platform, ‘26th Meeting of the EU FIUs Platform’ (, 2015) para. 3; EU FIUs Platform, ‘Mapping Exercise’ (fn 13) 172 and ‘27th Meeting of the EU FIUs Platform’ (, January 2016) para. 5.
  • [17] According to art.52(1) of the Charter of Fundamental Rights, any limitation on the exercise of the rights and freedoms laid down by the Charter must be provided for by law, respect their essence and, subject to the principle of proportionality, limitations may be made to those rights and freedoms only if they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others. See also Joined Cases C-293/12 and C-594/12 Digital Rights Ireland Ltd v. Ireland (08.04.2014) para. 52.
  • [18] Fourth AML Directive, art.51.
  • [19] Ibid., para. 2.
  • [20] Ibid., para. 3.
  • [21] Ibid.
  • [22] Ibid.
  • [23] For an overview of the European Data Protection Supervisor’s (EDPS) opinion on this issue, see Buttarelli, G., ‘EDPS opinion on the proposal for the fourth anti-money laundering Directive,’ (, 4 July 2013).
  • [24] Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016, on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection, or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, OJ L 119/89.
  • [25] EU FIUs Platform, ‘35th Meeting’ (fn 77) para. 8.
  • [26] Ibid., para. 8.
  • [27] Interview with UK FIU (August 2018); Interview with Luxembourg FIU (January 2019).
  • [28] Schweighofer, E., Heussler, V. and Kieseberg, P., ‘Privacy by design data exchange between CSIRTs’ in Schweighofer, E., Leitold, H., Mitrakas, A., and Rannenberg, K. (eds.), Privacy Technologies and Policy (Springer International Publishing, 2017) 104. They note that ‘Ma3tch can also generate knowledge, recognise profiles, predict behaviour patterns, and (in the future) analyse social networks.’
  • [29] European Commission - Migration and Home Affairs, ‘FIU.net: Empowering the FIUs and Partners in Their Cross-Border Cooperation’ (), where the FIU.net project is described as a platform ‘for FIUs, that enables them to act as one, without the necessity to become one.’