Regulatory Case Law, March 2016: Data Protection and Terrorist Financing

This request for a preliminary ruling, dealing among other issues with data protection and terrorist financing, concerned the interpretation of Article 11(1) of Directive 2005/60/EC on the prevention of the use of the financial system for the purpose of money laundering and terrorist financing (‘the Money Laundering Directive’).

DSC01180

The request has been made in proceedings between Safe Interenvíos SA (Safe), a payment institution, and Liberbank SA , Banco de Sabadell and Banco Bilbao Vizcaya Argentaria SA concerning the closure by the banks of the accounts held by Safe because they suspected money laundering.

Safe challenged BBVA’s decision to close its account and similar decisions by the other two banks before the Juzgado de lo Mercantil No 5 de Barcelona (Commercial Court No 5, Barcelona), on the ground that closure of the accounts was an act of unfair competition which prevented it from operating normally by transferring funds to States other than the State in which it is established.

Safe submitted that it was legally required to have an account with a banking institution in order to be able to carry out such transfers of funds — operations which it performed at the banks — and that it competed with the banks in the market. It also contended that the banks had asked it to provide data relating to its customers and the origin and destination of the funds, on the pretext of the provisions of Law 10/2010, a contention which the banks dispute, and that providing the banks with that information was contrary to national data protection legislation.

Article 79 of the Payment Services Directive, headed ‘Data protection’, provides that ‘Member States shall permit the processing of personal data by payment systems and payment service providers when this is necessary to safeguard the prevention, investigation and detection of payment fraud. The processing of such personal data shall be carried out in accordance with [the Personal Data Directive]’. Article 11(1) of the Money Laundering Directive states that ‘the institutions and persons covered by the Directive shall not be subject to the requirements provided for in those Articles where the customer is a credit or financial institution covered by this Directive, or a credit or financial institution situated in a third country which imposes requirements equivalent to those laid down in this Directive and supervised for compliance with those requirements.’

According to the European Court of Justice, Article 11(1) of the Money Laundering Directive is intended solely to derogate from the standard customer due diligence measures. Since that provision does not refer to Article 13 of the Money Laundering Directive, it has no bearing on the customer due diligence (potentially affecting personal data protection) that is required where there is a higher risk. Furthermore, the institutions and persons covered by the directive are authorised to apply simplified due diligence measures ‘in line with a risk-based approach’, in appropriate cases only. It is apparent from recital 24 of the directive that, although the identity and business profile of all customers should be established, there are cases where particularly rigorous customer identification and verification procedures are required on account of a greater risk of money laundering or terrorist financing.

Consequently, if there is a higher risk of money laundering or terrorist financing as envisaged in Article 13 of the Money Laundering Directive, the fact that the customer is itself an institution or person covered by the directive does not preclude a Member State from being able to require the application in respect of that customer of enhanced due diligence measures within the meaning of Article 13, such as exceptions to data protection.

However, the Court ruled that, whilst national legislation designed to combat money laundering or terrorist financing pursues a legitimate aim capable of justifying a restriction on the fundamental freedoms (such as in case of personal data / privacy checks), to presume that transfers of funds by an institution covered by the Directive to States other than the State in which the institution is established always present a higher risk of money laundering or terrorist financing, exceeds what is necessary for the purpose of achieving the legitimate aim. This is so because the presumption which it establishes applies to any transfer of funds, without providing for the possibility of rebutting the presumption in the case of transfers of funds not objectively presenting such a risk.

Bostjan Makarovic

Bostjan Makarovic

Bostjan Makarovic is Aphaia's Founder. In addition to 14 years of industry experience, he holds Queen Mary, University of London PhD in legal regulation of NGN, London School of Economics and Political Science MSc in Environmental Policy and Regulation, and is IAPP-certified international privacy professional (CIPP/E).
Bostjan Makarovic

Leave a Reply

Your email address will not be published. Required fields are marked *