Strasbourg, 17 May / mai 2022                                                                        T-PD(2021)8rev2Mos

Compilation of Comments

 on Draft guidelines on mechanisms for inter-state exchanges of data

for Anti-Money Laundering/Countering Financing of Terrorism, tax purposes and Data protection

Compilation of comments

on the Draft guidelines

on mechanisms for inter-state exchanges of data for the fight

against money laundering and terrorist financing and the protection of personal data for tax purposes

REVISED VERSION OF THE ONE SENT FOR COMMENTS ON 12.04.2022


TABLE OF CONTENTS

ITALY


ITALY

(…)

Draft guidelines on data protection in the context of

 mechanisms for inter-state exchanges of data

for Anti-Money Laundering/Countering Financing of Terrorism, and tax purposes [A1]

CHAPTER I

Draft guidelines on data protection in the context of mechanisms for inter-state exchanges of data for Anti-Money Laundering/Countering Financing of Terrorism

Section I. Data protection rules and principles

1     Introduction

1.1  Background

Money Laundering and Financing of Terrorism (ML/FT) often involves cross-border schemes and multiple institutions through which criminal proceeds are transferred and/or laundered. [A2] Data sharing is crucial for combating ML/FT, which becomes increasingly complex to tackle. The Anti-Money Laundering/Countering Financing of Terrorism (AML/CFT) framework entails complex processing and exchanges of data between customers, obliged entities (OEs), financial intelligence units (FIUs) and law enforcement authorities (LEAs).

These exchanges must be considered in the light of the provisions of multilateral data protection frameworks such as Convention 108+ and specifically its Article 14 on transborder data flows both by states Parties and other cooperating countries[A3], as illustrated in the following sections.

(...)

In the AML/CFT area, the public interest is the main element regulating data protection issues. The legislation on the prevention of money laundering and terrorist financing (AML/CFT regime) is based on the objective of public interest of protecting the financial system from being used for those purposes. The AML/CFT regime provides for several contexts of processing of personal data, which are essentially based on that public interest, setting out detailed obligations on data controllers. This extends to processing of personal data by government authorities which are entrusted with the mandate to combat ML/FT and are granted sovereign powers in this specific area. Nevertheless, the same does not extend to private sector institutions, which are OEs lacking the same legal status and mandate. As a result, data processing by private sector entities should be considered with caution on the legal basis of public interest,[A4] notably in the context of emerging data pooling initiatives which entail data sharing between private sector entities (which are outside of the same financial group). In any event, public interest needs to be specifically defined and limited to the circumstances where measures benefit and increase the effectiveness of the AML/CFT regime. This entails, for instance, that excessive collection and processing of personal data should be prevented, also because over-collection of data may not always serve operational objectives and may generate additional legal and technical challenges (data quality/update, data security, etc.) for key stakeholders, including LEAs.

(...)

1.2 Scope

(...)

2     Terminology and context used for the purpose of the Guidelines

(...)

Data controller

(...)

The AML/CFT framework provides for different situations of information sharing, including between OEs; between legal persons and controllers of beneficial ownership registers; between OEs and FIUs or OEs and other competent authorities (“public-private partnerships”/PPPs); between the FIUs of different countries; and between FIUs and other competent authorities. In this scenario, if different controllers share the same purpose and means of data processing and personal data is involved[A5], they should be considered joint controllers[4]. Joint controllership leads to joint responsibility for a processing activity. In order to cater for increasingly complex data processing realities, joint controllership may take different forms and the participation of the different controllers may be unequal. Therefore, joint controllers must determine their respective responsibilities for compliance with the obligations under the regulation of a specific agreement[5]. However, joint controllership is rare in the AML/CFT regime.

(...)

Data processor

A processor is the natural or legal person who processes personal data on behalf of and under the instructions of a controller. The activities entrusted to a processor may be limited to a very specific task or may, on the contrary, be quite general. Legal or natural persons applying CDD measures on behalf of financial institutions and other Designated Non-Financial Businesses and Professions are deemed to be data processors if they process the same sets of data[A6]. The main difference from data controllers relates to having decision-making power with respect to the data processing at issue (in AML/CFT, compliance with the CDD measures). However, processors may also become controllers whenever the data processing is done for their own purposes or whenever the conditions for data processing prescribed by the controllers are breached.

(...)

3     Basic principles for the protection of personal data

3.1 The lawfulness of processing – legal basis

General principle

(...)

AML/CFT contextualization

(...)

·         For AML/CFT purposes, consent could not [always/in some cases] be used as a legal basis. First, while CDD data are to a large extent collected from customers and the customer has a right of access to that data[A7], the processing by OEs of such data is based on legal obligations to which the controllers are subject. Failure by OEs to comply with those obligations would entail the risk of measures by supervisory authorities, including administrative and criminal law sanctions.[A8] Failure by customers to provide the requested data could, in turn, result in the customer relationship either not being concluded or in the restriction of services. Second, the AML/CFT framework provides for situations where the customer (data subject) is not informed of the processing, particularly in relation to so-called enhanced due diligence and suspicious transaction reports by the OE. Consent would imply prior information to the customer, which would contravene AML/CFT prohibitions, in particular those on tipping-off. Further, the right of access of customers to the data processed by competent authorities, including FIUs, is typically restricted. [A9][A10]

·         Data processing in the AML/CFT context could be based, when data are processed by public authorities, on the lawful ground of public interest or, if the data are processed by a private entity, on its legal obligations or on the overriding legitimate interest of the controller or a third person, provided that the rights and interests of the data subjects have been duly balanced against the rights and interests of the controller or a third person and that appropriate guarantees have been put in place.

[A11]

(…)

3.2 The fairness and transparency of processing principles

General principle

·         According to Article 5(4) of the Convention, personal data shall be processed in a fair manner by both the controller and the processor. This principle requires the provision of information to the data subject regarding the modalities of [A12] processing of his/her data, including any risks which may have been identified by the controller or the processor. Articles 5(4)(a) and 8 of Convention 108+ require data processing to be performed “in a transparent manner in relation to the data subject”. In this regard, data subjects must be informed before their data are processed, inter alia, about the categories of personal data processed, the purpose of processing and the identity and address of the controller. Information on the data processing must be provided in clear and plain language (unless an exception under Article 11 applies) to allow data subjects to easily understand the risks, safeguards and rights at stake. Moreover, the data subject should be informed about his/her rights, according to which a request can be made to the controller as to whether personal data are being processed and, if so, which data are subject to such processing (Article 9(1)(b) of the Convention).

AML/CFT contextualization

·         OEs collect personal data from their customers, primarily when establishing a business (customer) relationship and, in the case of occasional customers, before executing transactions or providing services outside of an established business relationship. FIs, particularly banks, typically inform the customer of the purpose for which data will be processed and may eventually be shared with third parties. The OEs may also require their consent, particularly for the provision of certain services or on the occasion of the disclosure of customer data to third parties, although this is not an FATF requirement and practice may vary from country to country, depending on local data protection and other laws. However, consent is less typically necessary for the processing of personal data as such. [A13] Personal information is also collected from the customer when the OE is updating the CDD data.[A14]

(…)

3.3 The principle of purpose limitation

(…)

3.4 The data minimization principle

(...)

AML/CFT contextualization

·         The AML/CFT [A15] laws may provide for different levels of processing of personal data (CDD data) by the OEs, including simplified, normal and enhanced customer due diligence. In principle, enhanced due diligence requires a larger amount of personal data to be processed, including verification of that data from various sources available to the OE. Enhanced due diligence may be required on the basis of risks for certain types of customers (e.g. politically exposed persons) or for certain types of services or transfers (e.g. money transfers to high-risk countries), or even for individual customers in situations where risks or suspicious transactions have been identified. The AML/CFT laws may provide for different data retention periods for different types of personal data.

(…)

3.5 The data accuracy principle

(...)

3.6 The storage limitation principle

(...)

3.7 The data security principle

(...)

4.    Types of data which are subject to the processing of personal data in the context of AML/CFT obligations

(…)

5.    Rights of data subjects, exceptions and restrictions in the context of AML/CFT

(…)

Recommendation

(…)

Where data subject rights are restricted for AML/CFT purposes, those restrictions should be based on the AML/CFT legislation, should respect the essence of fundamental rights and freedoms and be strictly limited to what is necessary and proportionate in a democratic society. In any case they should not be too broad or serve as a blanket exception, and could only apply to areas covered by Article 11 of the modernised Convention 108. [A16]

·         In the case of the right to object, the Explanatory report (para. 80) indicates that even when this right is limited for the purpose of the investigation or prosecution of criminal offences, the data subject can challenge the lawfulness of the processing[A17].

(…)

6.    Exceptions and restrictions (Article 11)

(…)

7.    The role of Data Protection Authorities (DPAs) and their relationship with authorities monitoring AML/CFT

General principle

(...)

·         Data Protection Authorities (DPAs) usually cooperate with the authorities monitoring AML/CFT when issues related to the processing of personal data so require.

·         In addition, DPAs should be tasked and empowered to ensure compliance with applicable data protection regulations.[A18]

AML/CFT contextualization

·         The activities necessary to comply with AML/CFT regulations involve the activity of multiple actors in multiple jurisdictions, and the processing of large volumes of personal data. The [A19] Convention articles concerning the powers of the supervisory authorities apply to any processing of personal data, including for AML/CFT purposes, while only specific restrictions are possible under Article 11(3) with reference to processing activities for national security and defence purposes. Even in those cases, the Convention requires that processing activities for national security and defence purposes are subject to independent and effective review and supervision under the domestic legislation of the respective Party.[A20]

Recommendation

(...)

·         As a general recommendation, the necessity of dialogue and cooperation between DPAs and finance/insurance supervisory authorities (possibly at national and international levels) should be emphasised in order to develop effective guidance tools, including for the private sector, and to develop specific training modules. In the AML/CFT field, DPAs shall coordinate their activities with the OEs in order to supervise the processing of data and to suggest effective tools and modus operandi for effective supervision[A21].

(...)

·         DPAs should engage with other national authorities that oversee AML/CFT issues for joint activities in the enforcement area.[A22]

8.    International data transfers in the AML/CFT field

(...)

Section II.[A23] Blind spots in AML/CFT related issues requiring enhanced data protection

I. DATA PROCESSING BY FINANCIAL INSTITUTIONS (FIs) AND FINANCIAL INTELLIGENCE UNITS (FIUs)

(...)

II. PARTNERSHIPS

(...)

III. CONSISTENCY BETWEEN AML/CFT AND DATA PROTECTION LEGAL FRAMEWORKS

A.    Collaboration between supervisory bodies: dialogue & collaboration

Supervisory authorities [A24]include: Data Protection Authorities, Financial/Insurance supervisory bodies and Financial ombudspersons.

(…)

IV. RELATIONSHIP BETWEEN DATA PROTECTION AND OTHER LEGAL FRAMEWORKS IN THE CONTEXT OF AML/CFT

(...)

C.    International human rights law

(...)

Section III. Compilation of recommendations[A25]

For Obliged Entities

(…)

·         Registers holding information on criminal convictions may be subject to the control of competent authorities. [A26]

·         Measures shall be put in place by controllers to facilitate the exercise of data subjects’ rights, in principle free of charge. In case of automated decision making[A27], the information on the decision and the logic underpinning the processing of the data should be available upon request of the data subject. Intellectual property law should not be an excuse for data controllers not providing data subjects with the logic and training of the algorithms applied in the specific processing operation.

(…)

For governments

·         There must be a clear legal definition of the cases in which secrecy, where applicable, can be waived.[A28]

(…)

·         FIUs of state Parties should exchange information in compliance with the requirements of the data protection legislation of the data-provider and data-recipient countries, notably those foreseen in Article 14 of the Convention. In the AML/CFT field the exchange should also be consistent with Egmont Group principles[A29].

(…)

·         In regard to the above, the DPA shall reinforce the OEs and data subjects [A30] with internal training.

(…)

CHAPTER [A31]II

Draft guidelines on mechanisms for inter-state exchanges of data for tax purposes and Data protection



[4] According to Paragraph 22 of the Explanatory Report of Convention 108+ (jointly responsible for a processing and possibly responsible for different aspects of that processing).

[5] European Data Protection Board, “Guidelines 07/2020 on the concept of controller and processor in the GDPR”, Version 2.0, 7 July 2021, Page


[A1]To be kept for next, separate work?

[A2]this sentence is not clear

[A3] Not clear. Is “by” correct?

[A4] Not clear. Do we mean that the recourse to the public interest legal basis by private sector entities should be considered with caution?

[A5]?

[A6]The sentence is not clear. It is probably not a question of processing the same sets of data. There could even be the case where the processor processes the same data but for purposes different from the ones of the controller (which would then transform the processor into a controller for its own purposes…)

[A7] We can probably delete this sentence and directly say that, in respect of the appropriate legal basis, it should be noted that the processing by OE of such data is based on legal obligations to which the controllers are subject (para 46 of the Explanatory Report of 108+)

[A8]A little confusing in the use of the word “supervisory authorities” which under 108+ are data protection authorities

[A9]I am not sure this has to do with the legal basis. Especially if we delete the part on consent

[A10]Yes, but data subjects rights should not be made void and should re-expand once the reason of the restriction is over

[A11] We should be cautious in opening the door to legitimate interest which would not apply to special categories of (including judicial) data

[A12] What do we mean with “modalities”? Can we delete?

[A13]Strange sentence. Can we delete and eventually say in the previous sentence that in certain specific circumstances the OEs may also require their consent, particularly for the provision of certain services or on the occasion for the disclosure of customer data to third parties

[A14] This seems a little bit disconnected from the previous sentences

[A15]Finland

[A16] Agree, but I wonder whether this should go under the next section (exceptions and restrictions).

Moreover, while speaking about exceptions/restrictions to rights we could probably add a sentence to mean that restrictions to the exercise of rights justified by the risk of jeopardising investigation activities should be waived once such risk is over

[A17] We could probably add a sentence to mean that restrictions to the exercise of rights justified by the risk of jeopardising investigation activities should be waived once such risk is over

[A18]Why “should”? It is actually in their tasks and powers according to Article 15

[A19]Suggest adding text as this paragraph relates to the powers of the DPAs.

[A20]While speaking about restrictions why are we only referring to para. 3 of Article 11?

[A21]I see the point but the main task for DPAs is to suggest tools for compliance with data protection rules (which would also lead to a more effective supervision)

[A22] For “joint activities in the enforcement area” or for “joint activities to ensure compliance with data protection standards in the AML/CFT enforcement area”?

[A23] Sections II and III are suggested to be further developed once Section I is ready

[A24] We should check consistency in the language, having in mind that supervisory authorities according to Article 15 of 108+ are DPAs

[A25]To be finished once the previous sections are completed

[A26] What do we mean exactly? That, as in Article 10 of the GDPR, any comprehensive register of criminal convictions shall be kept only under the control of official authority?

[A27]Shouldn’t we mention the right not to be subject to purely automated decisions without the possibility to challenge the decision?

[A28]The sentence would benefit from some more context

[A29] I wonder whether in this context the reference to these principles is appropriate

[A30] ? Not clear

[A31]Chapter II is to be developed with the support of a scientific expert