Item

Abstract

Early in its development, the EU’s anti-money laundering (AML) scheme was already criticized for its interference with the fundamental rights to privacy. Quite recently, some scholars have highlighted that customer due diligence obligations constitute a massive retention of financial data. Consequently, they have tried to apply the ECJ’s findings on data retention of telecommunication traffic data to the AML framework. Financial data is quite legitimately seen as a honeypot for law enforcement authorities, which makes a comparison between retention of financial data and retention of telecommunication traffic data readily apparent. Surprisingly, not much attention is paid to the AML framework in this context, compared to the pile of comments telecommunication data. Not even the EDPS mentioned data retention as a problem in his opinion of the EU’s action plan on money laundering in 2020. It is thus also not surprising that no alterations to the retention obligations can be found in the recently proposed AML Regulation. The question arises: does the AML scheme really compare as easily to the prominent data retention of telecommunication meta data after all? As yet another AML package lies ahead of us, it is time to have a look at why the EU legislator does not seem to be intimated by the ECJ’s case law regarding its AML framework. The author argues that the definition of data retention, which the scholars who wish to apply the ECJ’s case law to the AML framework have in mind, is too broad. It does not capture why the ECJ has so strictly ruled on the retention of telecommunication traffic data. The AML scheme deviates from the retention of telecommunication traffic data in several ways. These differences make it difficult to test the lawfulness of the Union’s AML law in its new guise by applying the ECJ’s jurisprudence on data retention. In light of the ECJ’s case law, it is the access permissions whose legitimacy seems questionable, not the obligation clauses.