FATF standards are not valid laws: the Dutch Data Protection Authority explained it in 2019 already! In Dutch, the supervisor for the GDPR is the AP, as in "Authority Personal Data". And in 2019 the AP said FATF standards and recommendations are political, not legal. Only national or EU law is binding, and even those must respect privacy rights.
The explicit comments that the Dutch DPA, the AP, made in 2019 were uncovered only last month, as part of Freedom of Information requests made by the investigative platform Follow the Money. And considering the upcoming panel contribution of our chairman Simon Lelieveldt at the Bitcoin Amsterdam 2025 event, we are providing guidance and translation on this matter.
It’s a very brief recap of how the Dutch DPA explains that FATF rules carry less legal weight than is often invoked. And those interested in the big read: do check our contribution to the FATF consultation on the travel rule (we explained in this doc that it should be revoked as an unlawful bulk surveillance mechanism without sufficient due process involved).
Who are the FATF (Financial Action Task Force)?
Anyone in banking, crypto or fintech circles has heard about the FATF, the ‘Financial Action Task Force’, founded in 1989 as a global ‘body’ setting anti-money laundering (AML) standards. The FATF is a group of states, the European Commission, and additional multinational players. It suggests ‘standards’ against money laundering and terrorism financing. Countries are encouraged to adopt those standards into their own laws and regulations. Important, but not legally binding.
Due to extensive government pressure it’s common to think of “FATF rules” as global law, but that’s not true. The FATF is a self-organised external group that is invoked as an external authoritative body but effectively is the collected states themselves. They try to fool parliaments, banks and governments around the world into believing that they are independently set up, but since 1989 it has been a project, and it has remained a project ever since. And the Dutch DPA called this setup out as political bluff in 2019.
Dutch DPA says: FATF is not law, it’s politics, disguised as law, but doesn’t count under the GDPR
The Dutch Data Protection Authority has made it clear in their 2019 advice: FATF rules don’t have the force of law. They can’t justify collecting or processing sensitive personal data under the strict General Data Protection Regulation (GDPR). For things like religious or political beliefs, data processing is only legal if a specific law says so, and all EU privacy safeguards are in place. And given that so far no such laws exist (until the new EU AMLR regulation is in place) all intensified bank monitoring and data processing of sensitive personal data is illegal and forbidden under the GDPR.
What the heck – this is immense, did the DPA act on it then?
Well, the bummer of this story is: the Dutch DPA did issue the advice below, advising strongly against using transaction monitoring for sensitive personal data, but they never acted on it. The Dutch banks are co-aligned with the Ministry of Finance in kneecapping the AP and intimidating them into condoning the GDPR violations. As a result Dutch banks still pursue intensive monitoring of personal data. In fact, from 2021 to 2024 they even had a 3-year-long dragnet monitoring of those data in place and the AP did nothing. It was only our foundation, Human Rights in Finance, that acted, and that stopped the Dutch banking dragnet, as the bank monitoring was also illegal under penal law.
OK, show me the goods: what did the Dutch DPA write exactly?
We figured that, in preparation for a session at Bitcoin Amsterdam 2025 (Reforming FATF: Mission Impossible?), we would provide the literal translation of the Dutch DPA's parts on the FATF's role below. It completely aligns with the prior actions of HRIF.EU: an action to annul the EU application of the Travel Rule (2023; we were too early and the EU General Court did not want to act on the legal action) and the comments on the FATF consultation on INR 16 (we said: revoke it entirely).
And do note: new EU rules will not trump the EU Charter!
Now, of course, the AML regulators know the position of the European Data Protection Authority. So when, in recent years, all the pushback came on the new EU legislation setting up an AML authority, the AML Regulation and the sixth AML directive, the AML regulators wrote: AML rules trump the GDPR and all the sensitive monitoring in the world is allowed, invoking some side-wording in the GDPR to make it happen.
But that does not really work under EU rules. We have precedent where the highest EU Court of Justice explained (look up the Kadi case) that even a UN freeze order on funds of individuals does not have direct legal effect by itself in Europe. Any rule, whether from inside or outside the EU, still needs a balanced weighing of human rights. And if the balance is not there, the rule is not valid.
Annex – Literal translation of the AP’s reasoning (section 5.5) dating back to October 2019
A. The AP considers that the FATF is a cooperative body of 37 states, the European Commission, and the Gulf Cooperation Council, established in 1989 by the G7. The FATF recommendations form the basis for the European directives aimed at preventing the use of the financial system for money laundering and terrorist financing. From the FATF Mandate of 12 April 2019, it follows that member jurisdictions, including the Netherlands, undertake a “commitment” to fully implement the recommendations, but the Mandate was not intended to create legal rights or obligations.
B. The AP considers that the entity requesting our advice, a commercial bank, does not qualify as an addressee of the FATF recommendations.
C. The AP considers that the FATF explicitly did not intend to attach legally binding consequences to its recommendations. The FATF recommendations therefore cannot create enforceable rights or obligations and thus do not constitute an obligation as meant in Article 23(a) UAVG.
D. The AP considers that the FATF recommendations—whether or not in combination with Article 23(a) UAVG—do not meet the cumulative requirements set by Article 9(2)(g) GDPR for exceptions to the prohibition of processing special categories of personal data: proportionality to the aim pursued, respect for the essence of the right to data protection, and adequate and specific safeguards for the rights and freedoms of data subjects.
E. The AP therefore finds that FATF recommendations do not qualify as an “obligation under international law” under Article 23(a) UAVG and do not satisfy the cumulative conditions set by Article 9(2)(g) GDPR.
F. The AP acknowledges the importance of preventing terrorism and agrees that combatting terrorist financing is a compelling public interest, as the EU legislator also states in Directive (EU) 2015/849 (AMLD4).
G. The AP further notes that any processing of personal data for this purpose must comply with the GDPR and UAVG. The AP refers to recitals in AMLD4 stressing that alignment with FATF recommendations must occur in full conformity with Union law, especially data protection and fundamental rights in the Charter.
H. The AP finds that neither AMLD4 nor the Dutch Wwft provide an explicit legal ground for processing special categories of personal data, such as data revealing religious or philosophical beliefs. A general duty to report suspicious transactions is insufficient to justify such processing.
I. The same applies to general or subjective indicators used to assess whether a transaction is unusual.
J. The AP finds that no consideration has been given in either EU or national law to proportionality, respect for the essence of data protection, or adequate and specific safeguards. This responsibility, the AP states, lies with the national legislator.
K. The AP concludes that neither EU nor national law meets the conditions required for an exception under Article 9(2)(g) GDPR. The absence of such a basis means that the prohibition on processing special categories of personal data under Article 9(1) GDPR remains in effect. The AP recalls that it had already advised, during the implementation of AMLD4 and AMLD5, that proportionality and explicit safeguards must be guaranteed. Should it prove necessary to process data revealing religious or philosophical beliefs in order to meet counter‑terrorist financing duties, the legislator should create a clear legal basis for this in line with Article 9(2)(g) GDPR.