Cooperation Between Financial Intelligence Units in the EU: Stuck in the Middle Between the GDPR and the Police Data Protection Directive

Financial Intelligence Units (FIUs) hold a central position in the chain of actors responsible for the monitoring of money movements in the European Union. In support of their role, which is to receive, analyse and disseminate suspicious transaction reports, they have been furnished with significant information processing powers. At present, FIUs feature prominently in the EU’s anti-money laundering and counterterrorist financing agendas and plans to further enhance their powers of information exchange are underway. At the same time, however, the legal challenges that arise from their constant empowerment, particularly for the protection of personal data, are being overlooked.

This article focuses on the cooperation between FIUs in the EU and argues that the latter takes place under a complex legal framework, which raises significant challenges for data protection. In particular, it highlights the present-day uncertainty over the data protection framework that governs their operations and discusses whether FIUs should be subject to the General Data Protection Regulation or to its law enforcement counterpart, the Police Data Protection Directive. The remaining of the article focuses on the ‘FIU.net’ – the decentralized network for information exchanges between EU FIUs – and on the data protection challenges that emerged from the recent integration of this network into Europol.