Law enforcement agency Europol has been banned by the European Union's own data protection watchdog from hosting the computer network that links EU member states' agencies that fight financial crime.
The decision, outlined in a document seen by S&P Global Market Intelligence, has not been made public for "security" reasons, said the European Data Protection Supervisor, which acknowledged in the document that the computer network plays a "crucial role in the fight against money laundering and terrorist financing."
Europol, on behalf of the EU, has been administering the Financial Intelligence Unit network, or FIU.net, since 2016.
The platform allows financial intelligence units, state-run bodies that operate between private firms and law enforcement agencies to report across borders, exchange case-building data and match names to data held by other units.
However, Europol has been in breach of EU rules when handling data gathered on individuals who are not suspects in a financial investigation. As a result, the EU banned the agency from involvement in FIU.net on Dec. 19, 2019, which it subsequently suspended for one year.
Wim Mijs, CEO of industry body the European Banking Federation, said he was "shocked" to read the decision, which would "make FIU.net unable to function."
"If we kill an organization like FIU.net, if you can't trust Europol with personal data, who can you trust?" he said, speaking at an anti-money-laundering event in Brussels on Feb. 19.
According to the EDPS, however, the decision was not an assessment of FIU.net itself, but concerned the legal grounds for Europol to host it. The one-year suspension will allow time for Europol to transfer the administration of the network to another entity, Wojciech Wiewiórowski, who leads the EDPS, told S&P Global Market Intelligence.
He said Europol to date has only been a transmitter of data on FIU.net, and that the decision as such will not leave Europe worse off when it comes to combating money laundering.
AML vs GDPR
The ban comes as the European Commission is tightening enforcement of anti-money-laundering procedures in the wake of scandals that enveloped banks including Denmark's Danske Bank A/S.
EU members were due to put into law the bloc's Fifth Anti-Money Laundering Directive on Jan. 10, but the commission was forced to send formal notice to eight member states, including Spain and the Netherlands, that had failed to meet the deadline to implement the act. A critical part of the directive is the introduction of publicly accessible registers for beneficial owners of companies.
The EDPS, which is the EU's data protection authority, is charged with enforcing the General Data Protection Regulation, or GDPR, which became fully applicable across the bloc in May 2018. GDPR applies to organizations both inside and outside the EU that provide goods or services to individuals in the EU or monitor the behavior of individuals.
According to the EDPS, Europol is not allowed to process data on individuals not classed as "suspects" under national criminal laws. The Europol Cooperation Board, asked by the supervisor to provide an opinion after Europol requested clarification of its powers, determined that there is no harmonized legal definition of the term "suspect" under EU or national law.
The EDPS as such said there was no assurance that all information and personal data needed to be processed in a case would fall under the remit of Europol. The supervisor also said it would not propose additional measures such as end-to-end encryption to enable Europol's administration, since the EU has previously decided that such methods qualify as processing pseudonymous data which, unlike anonymous data, still allows for some form of re-identification even if indirectly.
Europol is currently in discussions with other parties about the transfer of FIU.net, according to Wiewiórowski. He said it could be taken over by a national intelligence unit that currently uses the platform and that does not face the same legal barriers that Europol does.
Alternatively, the EU could decide to change the mandate of Europol.
"If the legislators of the European Union wants to give Europol the role of being a general transmitter of the data between the member state police forces, that's a political decision," Wiewiórowski said, adding that so far "such a decision has not been taken" and that, even if Europol is only a transmitter of data, as a public authority it "cannot invent its [own] tasks."
The head of Denmark's anti-money laundering task force, Linda Nielsen, has told S&P Global Market Intelligence that implementing data protection rules too rigidly could hamper anti-money-laundering efforts.
"Across the EU, we are very strong on GDPR and the protection of personal data," she said. "That's fine. But we also want efficient AML mechanisms. And the two will sometimes conflict with each other."