Support for cancellation request EU Regulation 2023/1113: export of customer data is unnecessary

How was it again?

At May 2019 the plan was already on the table internationally. Privacy First immediately called then-Minister Hoekstra by letter on to require no data export in the new digital crypto-asset traffic. Indeed, the plan was to add the name, residential address and passport number to each transaction even in crypto-assets (digitally tradable commodities such as bitcoins, real estate but potentially also purchases in computer games).

The Finance Ministry's response at the time was evasive. The proposed rules would only be "recommendations" and they would be really looked at properly in Europe, with all the legal safety valves involved. Meanwhile, 9 June 2023 revealed that this was not the case. The rule had actually been further tightened and fast-tracked, without proper substantive analysis by the European Data Protection Supervisor.

This motivated the new Human Rights in Finance.EU (HRIF.EU) foundation to launch a cancellation procedure at the European Court of Justice in Luxembourg. Privacy First supported this new foundation in this regard. This is an action for annulment under Article 263 EU Working Treaty. If the request of the Human Rights in Finance.EU foundation is granted, the challenged European Regulation will immediately become inoperative and thus the unnecessary privacy infringements will end immediately. This also means that in future rules, the European Commission will be able to go much further and will have to do a much better privacy test beforehand.

The first step in the proceedings was taken on 4 September 2023 and it now remains to be seen whether the foundation will be admitted to the proceedings.

What are the proceedings about?

The first key argument in the case is that unbridled data export is an unnecessary and disproportionate infringement of the right to privacy, because on request, the same data should easily be made available to the police on a case-by-case basis:

'Logic dictates that a generic mass personal data distribution obligation for all customers and transactions is not necessary when focused information for suspected citizens is readily available at request of law enforcement.'

The second argument is that governments can agree all sorts of things internationally, but this does not relieve them of the duty to think carefully about legitimacy, necessity and proportionality themselves. In 2008 judged Indeed, the Court of Justice stated as follows:

"The obligations imposed by an international agreement cannot have the effect of prejudicing the constitutional principles of the EC Treaty, which include the principle that all Community acts must respect fundamental rights, that respect constituting a condition of their lawfulness which it is for the Court to review in the framework of the complete system of legal remedies established by the Treaty."

How next?

It is expected to become clear in about three to six months whether the new Human Rights in Finance.EU foundation will be allowed to hear the case. Privacy First hopes this will be so, and that the case will have a much wider impact. After all, there are more national and international anti-money laundering provisions that are at odds with human rights, and it is important that these fundamental rights are higher on the regulator's agenda.