Abstract
Financial Intelligence Units (FIUs) hold a central position in the chain of actors responsible for the monitoring of money movements in the European Union. In support of their role, which is to receive, analyse and disseminate suspicious transaction reports, they have been furnished with significant information processing powers. At present, FIUs feature prominently in the EU’s anti-money laundering and counterterrorist financing agendas and plans to further enhance their powers of information exchange are underway. At the same time, however, the legal challenges that arise from their constant empowerment, particularly for the protection of personal data, are being overlooked. This article focuses on the cooperation between FIUs in the EU and argues that the latter takes place under a complex legal framework, which raises significant challenges for data protection. In particular, it highlights the present-day uncertainty over the data protection framework that governs their operations and discusses whether FIUs should be subject to the General Data Protection Regulation or to its law enforcement counterpart, the Police Data Protection Directive. The remainder of the article focuses on the ‘FIU.net’ – the decentralized network for information exchanges between EU FIUs – and on the data protection challenges that emerged from the recent integration of this network into Europol.
Organized crime, corruption and fraud (to name a few) generate significant amounts of wealth. We are all familiar with the occasional movie scene, where a renowned drug dealer resorts to burying thousands upon thousands of banknotes in their yard but, as useful as that may be for hiding the money, it is of little help when one wants to spend it. Criminals who accumulate wealth cannot safely enjoy the proceeds of their efforts unless they ‘launder’ it first. In other words, they need to disguise the illegal origin of their proceeds; or else, they will attract the attention of law enforcement. The good news for those who are trying to launder their money is that, in the modern globalized world, money flows across borders with the touch of a button. They have plenty of opportunities to integrate their illicit proceeds into the financial system and successfully distance their funds from the underlying crime. For law enforcement officials, however, those who are on the trail of ‘dirty’ money, this is anything but good news. Money travels easily, but they do not. As such, the raison d’être of anti-money laundering (AML) regimes around the world, largely modelled on the Recommendations of the Financial Action Task Force (FATF), is to make movements of money visible and therefore enable law enforcement to trace them.
The European Union (EU) entered the AML race in 1991, with the adoption of a Directive ‘on the prevention of the use of the financial system for the purpose of money laundering’. 1 More than two decades and five Directives later, 2 the EU’s AML regime has evolved significantly – always in line with the FATF Recommendations. 3 To make money movements traceable, the regime introduced a series of preventative measures, largely based on the collection of information by the regulated sector; perhaps, the most drastic among them is the obligation to report suspicious transactions. This led to the emergence of institutional machinery, 4 which is responsible for undertaking and managing the surveillance of money movements at a national level. 5 Partly because of the preventative nature of this regime and partly because the EU lacked competence in criminal matters at the time, 6 this was not assigned to the ‘traditional’ policing sector, 7 but special agencies were set up for this role. 8 These ‘new policing’ institutions became known as Financial Intelligence Units (FIUs). 9 Upon receipt of suspicious transaction reports, they analyse them and, if needs be, disseminate the results of their analysis to law enforcement authorities or their counterparts in the EU and beyond. They are, in other words, the EU’s financial intelligence hubs – nestled between the reporting and law enforcement sectors. 10 Just as with their partners in the reporting sector, FIUs handle massive amounts of personal data every day.
The operation of FIUs has brought about many a challenge in respect of data protection. This article, however, focuses solely on those raised by the exchange of information between them. After all, a large part of their day-to-day activities exists in the transnational arena. Why? Because reporting suspicious transactions would bring about scarce results in a world where money flows easily across borders, but information about money movements does not. This article begins by setting out the legal framework that governs FIU cooperation in the EU. It then moves on to examine the present-day uncertainty over the data protection framework that governs their (co)operation, and namely whether this is subject to the General Data Protection Regulation (GDPR) or to its law enforcement counterpart – the Police Data Protection Directive. The remainder of the article focuses on the ‘FIU.net’ – the decentralized network for information exchanges between EU FIUs – and on the data protection challenges that emerged from its recent integration into Europol.
Ultimately, what this article seeks to illustrate is that data protection has always been an afterthought in the context of FIU cooperation. Operational needs have always preceded and surpassed data protection considerations, resulting in a framework that poses significant challenges for the protection of personal data.
Data transfers between FIUs in the EU
The evolution of the legal framework on FIU cooperation
When the First AML Directive was adopted, criminal matters were beyond the scope of Community competence, so the EU legislator refrained from prescribing any details about the ‘authorities responsible for combatting money laundering’ 11 (as FIUs were described at the time) and there was no mention of their cooperation. The FATF Recommendations were also silent on the matter. Be that as it may, the initial indifference of the FATF towards FIUs did not last for long; it eventually broke its silence over FIUs when it updated its Recommendations in 2003 12 and has been engaged with them ever since. 13
The EU legislator followed suit. Article 21 of the Third AML Directive mirrored the FATF Recommendation almost to the letter: Member States should establish an FIU responsible for receiving (and to the extent permitted, requesting), analysing and disseminating to the competent authorities, disclosures of information which concern potential money laundering, potential terrorist financing or are required by national legislation or regulation. 14
That said, the Third Directive hardly dealt with the issue of FIU cooperation – with the exception of Art 38, which placed the Commission under a duty to facilitate the coordination efforts of FIUs. 15 This light-touch approach was similar to that of the FATF at the time: Recommendation 31 merely called upon countries to ensure that their FIUs have effective mechanisms of cooperation in place. 16
In the absence of detailed EU – or international – rules on FIUs for the better part of the regime’s first decade, the Member States enjoyed ample discretion in choosing the model and powers of their respective FIUs. 17 As a result, when one looks at FIUs in the EU, a picture of diversity emerges: a series of administrative, police, judicial and ‘hybrid’ authorities, all sharing a common mandate, make up the EU’s financial intelligence infrastructure. Most FIUs (twenty-one in total) have been established under an administrative or police model. 18 Five (those of Cyprus, Denmark, Greece, Hungary and the Netherlands) 19 blend characteristics from multiple models and so are classified as hybrid, whereas only one (Luxembourg) belongs to the judicial-type category. 20 Yet this diversity initially created significant difficulties for the exchange of information between FIUs. 21 In the course of the ‘90s, administrative FIUs could not share data with law enforcement or judicial FIUs, and vice versa. 22
This problem was not unique to the EU, so it was not long before FIUs took the matter into their own hands. The first coordinated attempt to overcome these obstacles took place in 1995, while the AML regime was still in its infancy. In the summer of that year, a number of FIUs from around the world came together at the Egmont-Arenberg Palace in Brussels and formed what became known as the Egmont Group – a trans-governmental network, whose priority was to stimulate cross-border cooperation between FIUs. 23 Over the past 25 years, this network (which currently numbers 164 FIU members) developed numerous standards aiming to facilitate the exchange of information between FIUs worldwide. 24 I mention this development because the Egmont Group’s standards have influenced the EU’s legal framework on FIUs to a significant degree (and continue to do so), much like the FATF has influenced the EU’s anti-money laundering regime as a whole.
By the time the Egmont Group was established, it had become apparent that only an EU-wide legal framework on FIU cooperation could address the obstacles to information sharing. Provisions on cross-border cooperation between FIUs, however, could not be incorporated into the existing AML Directive; this was a ‘first pillar’ measure and the EU could not regulate FIUs via the ‘first pillar’, because their conduct was viewed as a penal matter. 25 The solution came about in 2000, in the form of a ‘third pillar’ Council Decision on FIU cooperation. 26 This Decision, which covered information exchanges solely for the purposes of AML and not counterterrorist financing, called for FIU cooperation regardless of the differences in their institutional model. 27 As the Commission observed, it was designed to reflect the principles developed by the Egmont Group. 28 Despite its reduced scope, this Council Decision (which was recently repealed) 29 governed the cooperation between EU FIUs for two decades. It also provided the incentive 30 for the creation of the FIU.net, a decentralized computer network that enables the exchange of information between FIUs in the EU to this day. 31
Even after the adoption of the Council Decision, information exchanges between FIUs in the EU continued to suffer from numerous shortcomings. 32 Advocate General Bot aptly summarized those in the Jyske Bank Gibraltar case. As he observed, while the intention of the Council Decision was to harmonize FIU cooperation in the Union, the rules nonetheless remained ‘minimal in nature’ and allowed Member States ‘a significant degree of discretion as regards the extent of their cooperation’. 33 In response to the repeated calls at the EU level to strengthen FIU cooperation 34 and propelled by the FATF’s reviewed Recommendations of 2012 which expanded the FIU-related provision significantly, 35 the Fourth Directive was the first in the long line of AML Directives to deal with FIU cooperation in detail. 36
A few months later, however, FIU cooperation came once more to the forefront of the legislative agendas – where it was to stay for years to come. The circumstances that led up to this development are particularly sad. In 2016, a series of terrorist attacks sent shockwaves through the European Union. Inevitably, these events resuscitated EU policymakers’ interest in counterterrorist financing. It was not long before the Council called on the Commission to present proposals to ‘strengthen, harmonise and improve the powers of, and the cooperation between Financial Intelligence Units (FIUs), notably through the proper embedment of the FIU.net network for information exchange in Europol (…)’. The Council was not alone in this; the Commission made similar calls, both through the European Agenda on Security and the Action Plan against terrorist financing. 37 In the light of this, it should not come as a surprise that the Commission tabled a proposal to amend the Fourth AML Directive in 2016. 38 And so there were Five.
The evolution of the European Union’s legal framework on FIU cooperation did not stop there. It seems that, after all those years of inactivity, the EU legislator’s decision to deal with this complex issue opened a can of worms; cooperation between FIUs in the EU always seemed to fall short in the eyes of policymakers. 39 In fact, while these developments were unfolding, the EU FIUs Platform was conducting a study of the obstacles to FIUs’ access to and exchange of information. 40 In response to this study, the Commission published in 2018 a proposal for a Directive which aimed, among other matters, to facilitate FIU cooperation. 41
This Directive, which lays down rules ‘facilitating the use of financial and other information for the prevention, detection, investigation or prosecution of certain criminal offences’, was adopted in June 2019 and repealed the above-mentioned 2000 Council Decision on FIU cooperation. 42 What is more interesting, however, is that the Directive was adopted under the legal basis provided for by Art 87(2) of the Treaty on the Functioning of the European Union (TFEU), which enables the EU to put forward measures regarding the collection, storage and exchange of information and common investigative techniques in relation to the detection of serious forms of organized crime, with the aim of establishing police cooperation between the Member States’ competent authorities in relation to the prevention, detection and investigation of criminal offences. The Commission considered this legal basis to be appropriate, despite the fact that not all Member States have given police status to their FIUs. 43 Of further interest, however, is that the Preamble of the Directive calls on the Commission to assess ‘in the near future’ whether the establishment of a coordination mechanism, such as an overarching ‘EU FIU’ would be an appropriate measure to strengthen the cooperation of FIUs within the European Union. 44 The latest Action Plan ‘for a comprehensive Union policy on preventing money laundering and terrorist financing’ indeed considers the establishment of such a mechanism and indicates that the Commission will table a proposal to that end in 2021. 45 With that in mind, let us take a closer look at the current legal framework on the cooperation between EU FIUs.
The current legal framework on FIU cooperation
The Fourth AML Directive calls on Member States to ensure that ‘FIUs cooperate with each other to the greatest extent possible, regardless of their organisational status’. 46 In particular, they must ‘exchange, spontaneously or upon request, any information that may be relevant for the processing or analysis of information by the FIU related to money laundering or terrorist financing (…)’. 47 Importantly, this article gives effect to the data protection principle of purpose limitation in the specific context of FIU cooperation, and it does so in a twofold manner. 48
First, personal data between EU FIUs must be exchanged only if the purpose of the exchange is the analysis of that information by the recipient FIU. This means that the data cannot be used in support of an investigation or prosecution – unless, as we will see, the recipient FIU obtains the prior consent of its counterpart. Maintaining this distinction sounds simple enough but, alas, there is a fly in the ointment. Some EU FIUs tend to blur the lines between analysis and investigation; a blurring which clearly undermines the principle of purpose limitation. 49
Second, personal data are to be exchanged only if the analysis focuses on possible money laundering or terrorist financing cases – and no other criminality. In practice, this means that, when filing a request, the FIU must demonstrate that it needs this information to pursue a potential money laundering or terrorist financing case. This requirement, however, was recently relaxed with the adoption of the Directive in respect of law enforcement access to financial information. 50 This Directive, which includes a limited number of provisions on FIU cooperation, calls on Member States to ensure ‘that in exceptional and urgent cases, their FIUs are entitled to exchange financial information or financial analysis that may be relevant for the processing or analysis of information related to terrorism or organised crime associated with terrorism’. 51 We see, therefore, two further categories added here: terrorism and organized crime associated with terrorism.
Aside from the possibility of spontaneous dissemination described above (where FIUs enjoy a certain level of discretion), there is one instance where they are obliged to share information with their EU counterparts, even in the absence of a specific request. This is when they receive a suspicious transaction report that is relevant to another Member State. In this case, they must promptly share it with the FIU of that other Member State. 52 The justification behind this newly introduced requirement is that, at times, a suspicious transaction report may contain information that concerns a Member State other than the one which receives it.
Let us take the companies that operate under the freedom to provide services as an example: these companies are established in one Member State but operate throughout the EU. Pursuant to the territorial principle that underpins reporting obligations, obliged entities must file a report to ‘the FIU of the Member State in whose territory the obliged entity transmitting the information is established’. 53 This sometimes leads to a situation where the FIU of the Member State in which the suspicious activity takes place does not receive the information, whereas the FIU that does receive it cannot do much about it, since it concerns events that occurred in a different Member State. Article 53(1) of the Directive seeks to rectify this loophole, although it is important to note that it represents a move towards a ‘data sharing by default’ attitude.
In line with the FATF and Egmont Group standards, 54 the Directive also provides that, when responding to requests from their EU counterparts, FIUs may employ the whole range of powers that are available to them domestically. 55 For instance, an FIU may contact a national bank to request an individual’s financial records to respond to an EU counterpart’s request. It does not have to be an obliged entity; the FIU may consult one of the many domestic databases at its disposal. This means that the (very wide) range of powers that FIUs enjoy at the national level can now be activated for the benefit of their EU counterparts. More importantly, it also means that the pool of information available to EU FIUs has been expanded significantly. Operationally that might sound optimal but this broadly framed obligation raises significant questions about the content of the requests. Article 53(1) of the Directive provides limited guidance in that regard: ‘[A] request shall contain the relevant facts, background information, reasons for the request and how the information sought will be used’.
Several issues remain unanswered. What constitutes sufficient justification in the context of a request? Should such requests be based on corroborated suspicion or should a lower threshold of suspicion suffice? Should the receiving FIU assess the validity of its counterparts’ suspicion? What happens if a request is not sufficiently justified? These are valid questions – the answers to which engage significant consequences for the rights to privacy and data protection. Perhaps unsurprisingly, the EU FIUs Platform 56 has suggested that assessing the validity of their counterparts’ suspicion before FIUs activate their domestic powers on their behalf ‘may go against the principle of “mutual recognition” of suspicions among EU FIUs’. 57 Indeed, a recent survey revealed that, while some EU FIUs require ‘adequately motivated requests’ before they activate their domestic powers, they nonetheless do not second-guess their EU counterparts’ suspicion. 58
In all forms of FIU cooperation highlighted above, the EU legislator has ensured that the obstacles to information exchange are kept to a minimum. The instances where an EU FIU may refuse to cooperate with its EU counterpart also reflect this approach; according to Art 53(3) of the Directive, [A]n FIU may refuse to exchange information only in exceptional circumstances where the exchange could be contrary to fundamental principles of its national law. Those exceptions shall be specified in a way which prevents misuse of, and undue limitations on, the free exchange of information for analytical purposes.
the planned dissemination falls outside the scope of application of the AML/CTF provisions;
it could impair an investigation; and finally
it could violate the fundamental principles of national law of the Member State where the requested FIU is situated. 63
Last but not least, the Fourth AML Directive introduced a form of FIU cooperation that far exceeds information exchange. Pursuant to Art 51, the EU FIUs Platform shall assist FIUs with the joint analysis of cross-border cases. The Directive does not provide any guidance on what constitutes joint analysis or how it should be conducted, but its potential has not gone unobserved. On the contrary, FIUs have been working intensely, under the umbrella of the EU FIUs Platform, to develop ‘new ways for FIUs to work together to have a common output at the end – with actionable outcome’. 64
The FIU.net
In the previous section, we saw that, pursuant to the AML Directive, FIUs in the EU cooperate by
spontaneously sharing, at their discretion, information or analysis that is of interest to another Member State to the FIU of that Member State;
promptly forwarding the suspicious transaction reports that concern another Member State to the FIU of that Member State; and
replying to requests from their EU counterparts.
But how do they actually communicate with each other?
Article 56 of the Directive calls on FIUs to use ‘protected channels of communication’ 65 and, to that end, encourages them to rely on FIU.net. This is a decentralized computer network which shapes a virtual information cloud between the FIUs and their (over 550) distributed government, commercial and public information sources and it enables real time analysis of distributed dynamic information and knowledge otherwise legally, organisationally, technically, and/or financially impossible to achieve. 66
Without getting into much technical detail, let us gain a better insight into the main features of FIU.net. Perhaps, the most important feature of the network is its decentralized nature. This means that all EU FIUs have their own database, where they store suspicious transaction reports. To become a member of the FIU.net, each of those FIUs had to connect its internal database to FIU.net. This connection is achieved through an in-house (FIU.net) server. So, 27 EU FIUs participating in the network translates into 27 FIU.net servers – which explains why FIU.net is described as a decentralized mechanism for data exchange. 67 In other words, there is no central database and no centralized storage of data. Instead, all data connected to FIU.net are stored at an FIU.net database located in the premises of individual FIUs. 68 This structure guarantees that individual FIUs maintain control over their data (i.e. no other FIU can access it without their consent) but also a certain level of flexibility when it comes to their data governance practices. 69
The most well-known feature of FIU.net, however, is the technology that comes with it – known as ‘Ma3tch’ (‘Match three’). This is an analysis tool, promoted as enabling ‘FIUs to identify information that before would have remained undetected and there is no need to expose any privacy sensitive data’. 70 Ma3tch (as its name suggests) enables FIUs to match their data with the data of their EU counterparts, to determine whether they hold information that is of interest to them. 71 If there is a positive hit, the FIUs involved will be alerted and may follow-up on the hit, by sharing the actual personal data. 72 As Balboni and Macenaite argue, this ‘privacy by design’ solution leads to improved privacy and data protection in the context of FIU cooperation, because it ensures that FIUs exchange only that data which is absolutely necessary – thereby respecting the data protection principle of data minimization. 73 By bringing the information of FIUs together, Ma3tch enables EU FIUs to act ‘as one’, at least in the virtual sphere. 74
This account may have given the impression that FIU.net and Ma3tch are an integral part of all EU FIUs’ daily routines. That, however, has not been the case, 75 although the latest AML Directives are bound to change that. 76 To comply with the newly introduced forms of FIU cooperation explored above, FIUs will have to participate routinely in this virtual network. The requirements for joint analysis and cross-border dissemination of suspicious transaction reports (STRs) are already occupying a series of pilot projects under the umbrella of the EU FIUs Platform. 77 Given that these new forms of cooperation – and especially the requirement to forward reports that concern another Member State to the FIU of that Member State – 78 impose a heavy workload on FIUs, they are keen to exploit the functionalities of FIU.net to comply with these obligations. 79 Despite ongoing efforts to standardize cross-border dissemination of those reports via FIU.net, this functionality is not widely used yet. 80 The Commission, which in the summer of 2019 reviewed the status of FIU cooperation in the EU, concluded that ‘few Member States today comply with their legal obligation to forward or disseminate cross-border reports’. 81
The far-reaching potential of Ma3tch does not end with cross-border reports or joint analysis. 82 FIUs can, for instance, use this technology to amalgamate their collective knowledge over risks or patterns of behaviour. 83 They can also use it for social network analysis, to identify relationships between entities. 84
All these possible additional uses of Ma3tch have not gone unnoticed by EU policymakers, who have big plans for FIU.net’s future. In fact, the Commission recently noted that: The FIU.net should be developed so that the system can be used to extract information and statistics on flows of information, activities and the outcomes of analysis. Having relevant, reliable, and comparable quantitative data at EU level will contribute to a better understanding of the risks and also help the Commission and the Member States to identify sectors that transmit few reports on suspected activities or transactions and analyse the reasons why. 85
For most of its lifespan, FIU.net was managed by the Dutch Ministry of the Interior, 86 with the support of a series of grants by the Commission. 87 In search of a long-term solution, it was decided that FIU.net should be embedded in Europol and a Common Understanding was signed to that effect in 2013. 88 FIU.net was officially integrated into Europol 3 years later. 89 FIUs are connected to Europol through the Europol National Units. 90 This embedment, high on the list of political priorities, 91 was promoted as ‘an opportunity for greater operational cooperation between FIUs and law enforcement’ 92 which will benefit investigations into organized crime by increasing the ‘synergies between financial and criminal intelligence’. 93
Keen to examine how these synergies might translate into operational terms, in 2017 Europol launched a pilot project which involved the matching (via FIU.net and Ma3tch) of lists of high value targets within EMPACT priority areas 94 against the data of seven FIUs. 95 There were high hopes for FIU.net’s contribution to the ‘fight’ against terrorist financing as well; 96 according to official statements, the network was set to support the work of Europol’s European Counter Terrorism Centre, 97 while FIUs would be able to request Europol to conduct searches with the Terrorist Finance Tracking Programme on their behalf. 98 A pilot was launched to that effect and, in 2016, 23 Member States gave approval for their FIUs to have direct contact with Europol for this purpose. 99 These are just some of the pilot projects that were introduced following the embedment of FIU.net into Europol to explore possible data-driven synergies. As we will see in the following section, however, all these aspirations came abruptly to an end, in the face of data protection considerations.
In this section, we examined the evolution of the European Union’s legal framework on FIU cooperation. We saw that, for the most part, FIU cooperation in the EU was governed by a patchy legal framework, which developed spasmodically and largely in response to the FATF and Egmont Group’s standards, and that it took a very long time until the EU legislator eventually decided to incorporate a series of substantive provisions in respect of FIU cooperation, within the fourth (and fifth) AML Directives. These provisions, which introduced several new forms of FIU cooperation, are supported by FIU.net and Ma3tch technology, although they are not exploited as much as EU policymakers would have liked. All this, however, comes at a cost – an invisible cost – for the protection of personal data, which has always been an afterthought throughout this evolution. In the following sections, we shall focus on that.
FIU cooperation in the EU: Challenges for the rights to privacy and data protection
Uncertainty over the applicable data protection framework
It would not be an overstatement to claim that 2018 was the year of data protection in the EU. In the spring of that year, the GDPR 100 became applicable and the deadline for the national transposition of its police and law enforcement counterpart – the Police Data Protection Directive 101 – expired. So, how does this recent reform affect FIU cooperation within the EU? Since FIUs were established, there has been a prevailing uncertainty over the data protection framework that governs their cross-border activities. 102 Unfortunately, the recent data protection reform did not bring about any clarity on that front; if anything, it has complicated matters.
As FIUs in the EU are so diverse, it is not clear whether their domestic data processing activities are governed by the GDPR or by the Police Data Protection Directive. The answer to this question is not easy. To begin with, Art 41 of the Fourth AML Directive states that Directive 95/46 (the GDPR’s predecessor) applies to the processing of personal data for the purposes of that Directive. 103 It also states, however, that the Directive ‘is without prejudice to the protection of personal data processed in the framework of police and judicial cooperation in criminal matters’. 104 This caveat leaves us with no conclusive answer as to which data protection framework applies to FIUs. This has not gone unnoticed; when the European Data Protection Supervisor (EDPS) published his Opinion on the proposed Fourth AML Directive, he suggested that [i]n order to ensure seamless and effective data protection, and in view of the legal basis chosen for the Proposals, there should be no doubt that the activities of the competent authorities and the FIUs under the proposed Directive will only be subject to national provisions implementing Directive 95/46/EC. 105
The EU legislator, however, did not follow up on the EDPS’ suggestion at the time – which might prompt us to conclude that the activities of FIUs were, in the EU legislator’s view, subject to the (now repealed) Framework Decision 2008/977 ‘on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters’. 106 There is, however, another plausible explanation for the EU legislator’s reluctance to take a stance on this matter. As FIUs come in different models, it is debatable whether the EU legislator can determine which data protection framework should apply to FIUs of a law enforcement, judicial or even hybrid nature through a Directive that has been adopted under an internal market legal basis. The above-mentioned Framework Decision has now been repealed and replaced by the Police Data Protection Directive, but this does not affect our discussion. As the following analysis demonstrates, FIUs have struggled on this point for some time.
In March of 2018, two months before the new data protection rules became applicable, the EU FIUs Platform raised the matter of the applicable data protection framework in a discussion that revealed the divergence of viewpoints between stakeholders. 107 For its part, the Commission emphasized that ‘as a public administration’ FIUs fall under the GDPR. 108 FIUs were not convinced; instead, they expressed concerns as to ‘the applicability of the GDPR versus the directive in general and more specifically to administrative FIUs (…)’. 109 A few months later, the Platform revisited this issue. 110 The Commission noted that pursuant to Art 94 of the GDPR, 111 all references to the (repealed) Data Protection Directive within the AML Directive are to be read as references to the GDPR. That means, the Commission continued, that Art 41 of the AML Directive, which provides that ‘[t]he processing of personal data under this Directive is subject to Directive 95/46/EC’, is henceforth to be read as that the processing is subject to the GDPR. Clearly, the Commission is of the view that Art 41 covers the processing of data by FIUs. 112
Some Member States, however, disagreed with this interpretation: ‘One member reminded that according to AMLD 32(1) prevention and detection of criminal offences is a core responsibility of FIUs, furthermore they use on a very large scale police etc. data derived from criminal investigations. Another member referred to that several FIUs are actually law enforcement authorities and that their core business are covered by the Data Protection Police Directive.’ 113
However, the Commission did not embrace the view that the processing of data by FIUs falls within the law enforcement sphere. In its opinion, the fact that some of them have law enforcement status is not enough for the Police Data Protection Directive to be applicable. 114 For the latter to apply, both the personal and material scope must be fulfilled – and even if an FIU satisfies the personal scope (i.e. if it qualifies as a ‘competent authority’ for the purposes of the Police Data Protection Directive), the Commission believes that carrying out analysis of suspicious transaction reports does not satisfy the material scope of the Directive. The requirement is that the data are processed for the purposes of preventing, detecting or suppressing crime. 115
Clearly, this issue calls for some debate. Just as with the EDPS before it, the Commission seems determined to steer Member States towards applying the GDPR to their FIUs – but is this really the appropriate legal framework for them? First of all, not all of them qualify as ‘public administration’ as the Commission described them. Second, even the FIUs that do qualify as administration might not necessarily fall under the GDPR’s scope, and vice versa. For instance, the Greek FIU (which is a hybrid FIU) 116 applies the GDPR. 117 However, the UK FIU also applies the GDPR – even though it is a law enforcement-type FIU. 118 Not all FIUs have opted for the GDPR; Luxembourg’s (judicial) FIU applies the Police Data Protection Directive. 119 This serves to illustrate that not all EU FIUs abide by the same data protection instrument. When it comes to information exchanges between them, this complicates matters significantly.
This is because the GDPR and the Police Data Protection Directive offer different degrees of protection when it comes to the processing of personal data. So when an EU FIU that applies the GDPR shares personal data with an EU counterpart that applies the Police Data Protection Directive instead, the data in question are transferred to an environment that offers, at least to some extent, watered down protections compared to those offered where the data were collected in the first place. A detailed overview of the differences between the two legal instruments is beyond the scope of this article, but it is important that we highlight some of the differences that are relevant for the purposes of our analysis. 120
With regard to data protection principles, the Police Data Protection Directive does not require the processing of personal data to be transparent, whereas the GDPR does. 121 It also does not prohibit ‘further processing’ of data in the same way that the GDPR does. Whereas the latter prohibits further processing of data for purposes other than those for which they were collected, 122 the Police Data Protection Directive permits subsequent processing (by the same or another controller) if the controller is authorized to do so and the processing is necessary and proportionate. 123 The Police Data Protection Directive’s take on the principle of data minimization also diverges from its ‘first pillar’ counterpart, so as to provide law enforcement authorities with more flexibility. According to the Police Data Protection Directive, personal data must be ‘adequate, relevant and not excessive’, 124 whereas, under the GDPR, such data must be ‘adequate, relevant and limited to what is necessary’. 125
Principles aside, there are also important differences when it comes to the data subjects’ rights. First of all, the Police Data Protection Directive does not provide for a right to be forgotten or the right to data portability. Second, the rights to information, 126 access, 127 and rectification or erasure 128 are considerably limited under the Police Data Protection Directive when compared to the GDPR. In particular, the Police Data Protection Directive allows Member States to restrict them to
avoid obstructing official or legal inquiries, investigations or procedures;
avoid prejudicing the prevention, detection, investigation or prosecution of criminal offences or the execution of criminal penalties;
protect public security;
protect national security; and
protect the rights and freedoms of others. 129
Those rights can, of course, also be limited under the GDPR, but in the Police Data Protection Directive’s case, there is understandably more room for limitations. For example, if a person is under investigation and files a subject access request with a law enforcement authority, they are likely to receive a ‘neither confirm nor deny’ type of response.
That said, we must also keep in mind that the Police Data Protection Directive only provides a minimum level of harmonization. The chances are, therefore, that additional divergences exist, depending on how Member States have chosen to implement it. All things considered, it seems clear that a Member State’s choice to apply one or the other of the data protection instruments has real consequences for data subjects. If we take into account that EU FIUs exchange large amounts of personal data on a routine basis, it is difficult to escape the conclusion that their cooperation continues to take place – despite the recent data protection reform – under an uneven legal framework that undermines the protection of personal data.
To resolve this, I would argue that Member States should subject their FIUs to the same data protection framework, despite their institutional differences. This inevitably raises the question as to which is the most appropriate framework for FIUs: the GDPR or the Police Data Protection Directive. In the following section, I will argue that, in contrast to the Commission’s view, Member States should subject their FIUs to the Police Data Protection Directive.
The case for subjecting FIUs to the Police Data Protection Directive
In order for the Police Data Protection Directive to be applicable, two requirements must be met. The first is the material scope: the processing of personal data must take place for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. 130 However, the presence of the material scope alone is not enough; for the Police Data Protection Directive to apply, the processing in question must be carried out by a competent authority (personal scope). A competent authority is, according to the Police Data Protection Directive,
any public authority competent for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security;
or any other body or entity entrusted by Member State law to exercise public authority and public powers for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. 131
The question before us, therefore, is whether the processing of data by EU FIUs satisfies those two requirements.
Let us begin our analysis with the material scope – the prevention, investigation, detection and suppression of crime. The purpose of an FIU, according to the latest AML Directive, is to ‘collect and analyse the information which they receive with the aim of establishing links between suspicious transactions and underlying criminal activity in order to prevent and combat money laundering and terrorist financing, and to disseminate the results of its analysis as well as additional information to the competent authorities where there are grounds to suspect money laundering, associated predicate offences or financing of terrorism’. 132
In the light of this, it is difficult to argue that the processing of data by FIUs does not satisfy the material scope of the Police Data Protection Directive. 133 For the Commission, however, this is not a clear-cut matter. As I mentioned earlier, in a recent meeting of the EU FIUs Platform, its representatives argued that FIU analysis does not necessarily satisfy the material scope of preventing, detecting or suppressing crime. 134 Given that the sole purpose of analysis is to identify connections between suspicious financial flows, money laundering and terrorist financing, I find the Commission’s argument hard to sustain. Earlier Commission documents even contradict its current stance; the 2010 Communication on information management in the area of freedom, security and justice mentions the Council Framework Decision 2008/977/JHA (now replaced by the Police Data Protection Directive), the Council of Europe Convention 108 and the Council of Europe Police Recommendation R87 as the applicable data protection framework for FIU cooperation, including FIU.net. 135 Nonetheless, in its latest report on FIU cooperation, the Commission clearly stated that FIUs must abide by the GDPR’s requirements. 136 At the same time, however, it acknowledged that ‘[d]espite this clear obligation, most FIUs apply the Police Data Protection Directive (…) instead or both the General Data Protection Regulation and the Police Data Protection Directive’. 137 Clearly, there is some controversy as to the appropriate framework for FIUs, and not all Member States see eye to eye with the Commission.
What complicates matters further, however, is whether FIUs satisfy the personal scope requirement; can we convincingly argue that all EU FIUs, irrespective of their status, satisfy the definition of competent authorities under the Directive? 138 In short, this is for the Member States to decide – and clearly the majority of these Member States have decided that indeed they do. However, their decision is not necessarily linked to the status of the FIU; the United Kingdom, for instance, decided to subject its FIU to the GDPR despite the fact that the UK FIU is a police-type FIU, housed under the National Crime Agency. In a 2014 report about the UK’s block opt-out of pre-Lisbon criminal law and policing measures, the European Scrutiny Committee examined (among other matters) under which data protection framework the UK FIU would exchange information with its counterparts if they opted out of the Council Decision 2000/642/JHA (on FIU cooperation). 139 During this discussion, it was suggested that the UK FIU could perhaps continue to exchange information under a police-to-police framework, applying the so-called Swedish initiative 140 that governs information exchanges between law enforcement authorities. The government noted, however, that while the UK FIU would fit within the definition of a law enforcement authority, other FIUs would not. 141 Nonetheless, a few years later, the UK government decided that its FIU is more akin to administration and that the GDPR is the appropriate instrument to regulate its activities.
These inconsistencies serve to demonstrate that EU FIUs sit in the grey zone between administration and law enforcement. In other words, they sit in the zone between the former first and third pillar; neither the Member States nor the EU legislator seems to be able to agree as to where their nature lies. This ambivalence comes at the expense of legal certainty, because it is not clear which data protection framework governs their cooperation – at a time when, as we have seen, they become more and more interconnected. This dilemma raises a broader question: in cases where the lines between law enforcement and the administrative (or private) sector are blurred, how should the applicable data protection framework be determined? Should it be determined by reference to the nature of the data controller (are they a ‘competent authority’ or not?) or by reference to the (law enforcement) purpose of the data processing?
Similar dilemmas have been raised when private entities are called upon to transfer data to public authorities for law enforcement and public security purposes or to retain data so that the authorities can access them. In 2006, the Court of Justice of the European Union (CJEU) dealt with the legal basis of the Council Decision on the Passenger Name Records (PNR) Agreement between the EU and the United States, 142 a post 9/11 measure which required airline companies to transfer passenger data to the US Bureau of Customs and Border Protection. 143 In this context, the Commission adopted a data protection adequacy decision under the (now repealed) Data Protection Directive. The CJEU held that the (‘first-pillar’) legal bases (current Art 114 TFEU and the Data Protection Directive) under which those two decisions were adopted were not appropriate, because the data processing operations related to matters of public security and law enforcement. 144 According to the CJEU, the transfers of data by private entities to public authorities for law enforcement purposes fell outside the scope of the (former) Data Protection Directive. 145 Even though the data were initially collected in a commercial context and the data controller was a private entity, it was the purpose of the processing (public security and law enforcement) that determined the applicable data protection framework. 146
That criterion does not always prevail. Soon after the PNR judgement, the Data Retention Directive, a first-pillar measure that obliged electronic communication service providers to retain data ‘in order to ensure that the data are available for the purpose of the investigation, detection and prosecution of serious crime’, 147 was challenged on the ground that it was not adopted under the appropriate legal basis. 148 In this instance, the CJEU did not follow the PNR judgment’s logic. Instead, it held that the data retention obligations imposed by this Directive, even though they served crime-fighting purposes, were rightly based on the first pillar, because they covered the activities of service providers in the internal market. 149 The decision of the court in this instance has been criticized for creating an artificial distinction between the storage of data for law enforcement purposes on the one hand and the access and further processing of that data by the (law enforcement) authorities. 150
To complicate matters further, in Tele2/Sverige, the court decided that national law, which was based on Art 15(1) of the E-privacy Directive (which allows Member States to restrict some of the rights provided by the Directive for crime fighting purposes by, among other matters, adopting data retention rules) and provided for the retention and access to data by public authorities for law enforcement purposes, fell within the scope of the E-privacy Directive. 151 In this instance, the CJEU did not separate between retention and access: ‘since data is retained only for the purpose, when necessary, of making that data accessible to the competent national authorities, national legislation that imposes the retention of data necessarily entails, in principle, the existence of provisions relating to access by the competent national authorities to the data retained by the providers of electronic communications services’. 152
As Advocate General Saugmandsgaard Øe remarked in his Opinion on the so-called Schrems II case, these two approaches are somewhat conflicting. 153 This illustrates the dilemmas which arise when attempting to determine the data protection framework that governs transfers of data from ‘first pillar’ to ‘third pillar’ entities – or even beyond, in the realm of national security. The case of FIU cooperation is no exception, since, as we saw earlier, some FIUs are subject to the GDPR. If we take into account the PNR case, which mostly concerned data transfers, and bear in mind that the recent Directive on law enforcement access to financial information, which includes (limited) provisions on FIU cooperation, was adopted under Art 87(2) TFEU (which enables the European Union to adopt measures on, amongst other matters, the exchange of information to facilitate police cooperation among Member States’ competent authorities, including police, customs, and other specialized law enforcement services in relation to the prevention, detection, and investigation of criminal offences) I would argue that the more appropriate data protection framework to govern the exchange of information between FIUs is the Police Data Protection Directive – and not its internal market counterpart.
The integration of FIU.net into Europol: Data protection challenges
The lack of clarity over the data protection framework that regulates information exchanges between EU FIUs is not the only issue that creates problems from a data protection perspective. In the previous section, I mentioned that, despite the aspiring synergies between criminal and financial intelligence which would be developed by FIU.net’s embedment into Europol, the curtain on that fell too soon. This happened in December of 2019, when the EDPS put an abrupt end to the embedment of FIU.net in Europol. 154 To understand why this happened, we need to take a closer look into the details of this arrangement. I will endeavour to do so without going into much technical detail.
In 2013, EU FIUs and Europol agreed upon a Common Understanding on the embedment of FIU.net into Europol. 155 As Europol noted at the time, ‘in order to realise the full potential of operational synergies between Europol and FIUs, the network facilitating information exchange between FIUs (FIU.NET) will be replaced by SIENA and the services of the FIU.NET Bureau will be fully embedded within Europol (including the staff of the FIU.NET Bureau). Remaining details around governance, data processing and FIU activities will be addressed with view to achieving more operational added value from linking general money flows to criminal activities and following up to identified links’. 156
The embedment process took effect in January 2016 and a Service Level Agreement, outlining how Europol was to sustain the FIU.net, was concluded in October of the same year. 157 FIUs are connected to Europol through the Europol National Units. 158 Needless to say, the embedment process proved both legally and technically complicated and a lot of obstacles emerged along the way – even before the EDPS delivered the final blow. More specifically, the FIU.net’s full integration with SIENA (i.e. replacing the network by SIENA), which was referred to in the Common Understanding, proved very challenging – which is why the FIUs Platform and Europol agreed to proceed in smaller steps and considered whether interoperability between FIU.net and SIENA might be a more appropriate first step. 159
In any event, and given that FIU.net had to be upgraded as a system, Europol presented in 2017 a proposed Roadmap for the network’s future. 160 The proposal envisaged a move towards a centralized system (it will be recalled that FIU.net is a decentralized network) and in particular towards centralized sharing but decentralized matching of information. 161 On that note, some participants within the Platform raised concerns about retaining control of their own data. 162 In response to that, Europol remarked that it is a cooperation partner (which meant that it was up to FIUs to choose whether to share information with Europol) but also a service provider at the same time – and that the proposed Roadmap ‘does not suggest that FIUs give access to each other’s databases (even if FIU at some point in time would like to share more information) or act against their national data protection rules’. 163
Some FIUs, however, did not view the proposal positively and raised a series of data protection concerns, mainly around storage of data, noting that the Fourth AML Directive ‘does not provide the legal basis to transfer STR data to a database other than an FIU one’. 164 In other words, some FIUs stressed that, during the ‘analysis’ phase, data from suspicious transaction reports can only be shared between FIUs. In their view, unless the FIU decides (following its analysis) that the suspicion is indeed substantiated and that the information must be shared with law enforcement, data can only travel from FIU to FIU and cannot be stored at a law enforcement database (such as Europol’s). 165
In the light of those objections, Europol and FIUs began working towards a revised Roadmap, but they also sought the advice of the EDPS and the Europol Cooperation Board 166 on the data protection issues that were raised. 167 Interestingly, it was not the processing of data by Europol in its capacity as a cooperation partner that raised concerns for the EDPS; rather, it was the processing of data in its capacity as a service provider and technical administrator of the FIU.net. More specifically, the issue was whether the processing of FIU data that accompanied the maintenance of FIU.net complied with the data processing requirements of the Europol Regulation.
According to that Regulation, Europol may process personal data for the purposes of
(a) cross-checking aimed at identifying connections or other relevant links between information related to: persons who are suspected of having committed or taken part in a criminal offence in respect of which Europol is competent, or who have been convicted of such an offence; persons regarding whom there are factual indications or reasonable grounds to believe that they will commit criminal offences in respect of which Europol is competent;
(b) analyses of a strategic or thematic nature;
(c) operational analyses; and
(d) facilitating the exchange of information between Member States, Europol, other Union bodies, third countries and international organizations. 168
Annex II of the Europol Regulation further lists the specific categories of personal data that may be processed for the above purposes. 169 The maintenance of FIU.net arguably falls under (d) – that is, facilitating information exchanges. The key question, therefore, is whether the processing of FIU data in this context falls within the categories of data that may be collected and processed for the purposes of facilitating information exchange, as listed by Annex II of the Regulation. 170 According to this list, such personal data must relate to (among others) ‘persons who, pursuant to the national law of the Member State concerned, are suspected of having committed or having taken part in a criminal offence in respect of which Europol is competent, or who have been convicted of such an offence’. 171
It is the word ‘suspected’ that brings us to the heart of the matter. FIUs deal with suspicious transaction reports – but that does not necessarily mean that they deal with suspects. According to the EDPS, for Europol to comply with the aforementioned requirements, the individuals involved in suspicious transactions would have to qualify as ‘suspects’. 172 However, as he rightly pointed out, FIUs ‘act before the start of any criminal proceeding or investigation has begun’. 173 The Europol Regulation does not define ‘suspect’ – this is a matter of national law. In the light of this, the Europol Cooperation Board issued an opinion in September 2019, which advised that FIU.net could not benefit from Europol’s technical infrastructure because the categories of data processed ‘do not seem consistent with Europol’s mandate’. 174 Following that, the EDPS published his decision in December of the same year; he concluded that the data processing carried out by Europol in the context of the technical operation of the FIU.net breached the Europol Regulation and, therefore, he imposed a ban on those processing operations. 175 Given the importance of FIU.net for information exchanges between EU FIUs, the ban was suspended until December 2020, to allow time for moving FIU.net to another host organization. 176
In other words, Europol, in its capacity as a technical administrator of FIU.net, has been processing FIU data in the absence of a legal basis that enabled it to do so and in breach of the Europol Regulation. This is one more instance where the need to secure an operationally convenient arrangement for information exchanges side-lined data protection considerations.
Conclusion
FIUs may belong in the broader ‘policing’ sphere, but in reality, they are stuck in the middle between the (former) first and third pillars. They might have been established by a first pillar instrument (the AML Directive), but their functions are more closely connected to the field of crime prevention than to the internal market. The ‘grey zone’ where FIUs operate has generated significant difficulties in determining the data protection instrument that should govern their domestic activities. Some FIUs are governed by the GDPR, while others by its law enforcement counterpart. This choice is not necessarily determined by the nature of the FIU. As we saw, there are police FIUs that apply the GDPR.
In this article, I have argued that, contrary to the Commission’s opinion, the Police Data Protection Directive is a more appropriate legal framework for them. Currently, FIUs are holding discussions under the umbrella of the EU FIUs Platform on this matter and it seems that several Member States have subjected their FIUs to the Police Data Protection Directive. As long as these divergences exist, there is an uneven playing field in the protection guaranteed to the personal data of individuals.
It is not just the nature of FIUs that is ambiguous. Their activities, too, have evolved in a piecemeal manner, and even more so when it comes to their transnational activities. As we saw, the transfers of data between FIUs are regulated by multiple instruments. If we add to that the uncertainty over the data protection framework that applies to their cooperation, the persistent calls for maximum information exchange, and the novel forms of FIU cooperation envisaged by the EU legislator, it becomes clear that FIU cooperation presents several challenges for the protection of personal data. A first step to overcoming them would be to clarify the data protection framework that should be applicable to their transnational activities.
This is not the only challenge from a data protection perspective. As the example of FIU.net’s integration into Europol illustrated, when policymakers are fixated on improving the operational cooperation of EU FIUs, data protection considerations may easily fall through the cracks. Europol processed FIU data in its capacity as the technical administrator of the FIU.net since 2016, in the absence of a legal basis for that processing – in breach of the Europol Regulation. Given the large amounts of personal and financial data that are regularly exchanged between EU FIUs (data which also belong to innocent individuals), data protection should not be side-lined.
Declaration of conflicting interests
The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.
Funding
The author(s) received no financial support for the research, authorship, and/or publication of this article.
