Financial Intelligence Units: Reflections on the applicable data protection legal framework

Financial Intelligence Units (FIUs) are key players in the current Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) legal system. FIUs are specialised bodies positioned between private financial institutions and states’ law enforcement authorities, what renders them a crucial middle link in the chain of information exchange between the private and public sectors. Considering that a large share of this information is personal data, its processing must meet the minimum data protection standards. Yet, the EU data protection legal framework is composed of two main instruments, i.e. the General Data Protection Regulation (GDPR) and the Law Enforcement Directive (LED), which provide different thresholds for the protection of personal data. The aim of this paper is to clarify the applicable data protection legal regime for the processing of personal data by FIUs for AML/CFT purposes. To that end, the paper provides an overview of the nature and goals of AML/CFT policy and discusses the problem of the diversity of existing FIU models. Further, it proposes a number of arguments in favour of and against the possibility of applying either the GDPR or LED to the processing of personal data by the FIUs and reflects on how convincingly these arguments can be used depending on the specificities of a given FIU model.