On 24 August 2021, the Belgian Data Protection Authority (DPA) published its advice n° 136/2021 regarding a draft resolution against cyberfraud, particularly fraud committed through ‘money mules’. The advice follows from a request made by the President of the Belgian Chamber of Representatives, since the draft resolution’s subject matter involves the processing of personal data. The resolution aims at developing a legal framework that allows financial institutions to share (personal) data on suspicious accounts and transactions when there is a presumption of money laundering. In the present document, our experts Sarah van den Brande, Counsel, and Matthias Bruynseraede, Associate, summarise the concerns voiced by the DPA from a personal data protection viewpoint.
1. COMMERCIAL ATMOSPHERE
The DPA questions whether commercially competing institutions should have the competence to launch money laundering investigations into their clients and to share the (personal) data thus obtained, given that such competence usually belongs to mandated governmental institutions (see also recital 31 GDPR). There is indeed a risk that the obtained data are subsequently used for commercial purposes, which should be prevented at all costs. Hence, if financial institutions are to receive an investigative role, privacy-enhancing technologies should be used to their full extent to keep data processing to a minimum, e.g. through limited blacklists that exclude data occurring only once.
2. NECESSARY AND PROPORTIONATE
Another question that arises is whether the envisaged legislative measure is necessary to achieve a legitimate purpose. This necessity test requires a prior analysis of the facts justifying the measure and of its efficiency in light of the anticipated purpose. At the same time, it should be verified whether an alternative measure is available that offers the same outcome but is less intrusive from a data protection perspective. In principle, such a measure should take precedence.
3. PREDICTABLE LEGAL BASIS
Each processing of personal data must be founded on a legal basis provided by the GDPR, e.g. compliance with a legal obligation, which in turn should be framed by clear and accurate Belgian legislation. In addition, the application of the legislation itself must be predictable for the data subjects, meaning that it should contain all required information, such as the identification of the data controller, the processing purpose, the retention period, the recipients of the personal data, etc.
4. SENSITIVE PERSONAL DATA
Processing personal data that are either sensitive or relate to criminal convictions and offences is prohibited in principle by the GDPR. In its advice, the DPA highlights that the conditions of the exceptions allowing the processing of such personal data must be fully complied with. For example, processing personal data concerning a criminal offence may only be carried out under the control of official authority or when the processing is authorised by EU or Belgian legislation providing appropriate safeguards for the data subjects’ rights and freedoms.
5. SOCIAL SECURITY NUMBER
Lastly, the DPA reminds us that several requirements and precautions must be considered when processing social security numbers (see the Act of 8 August 1983 on the scheme of a National Register for natural persons). Amongst other things, the financial institutions must be granted the proper processing authorisation by the Belgian Minister of the Interior, unless the processing is explicitly provided for in the legislative text itself.
To conclude, we note that the DPA has taken a rather cautious stance on the draft resolution to combat ‘money mules’ by setting up a network to share (personal) data between financial institutions. However, although the DPA does express several data protection concerns in its advice, it has not formulated an overall negative decision, probably taking into account a balance of interests.