In the United Kingdom, a highly disputed obligation will come into effect next week for businesses engaged in cryptocurrency-related transfers and trading. They will be required, under the so-called Travel Rule for crypto, to transmit a substantial amount of individual customer data to recipients in various countries, with no discernible added value.
To prevent the infringement on these fundamental rights, HRIF.EU sent this urgent letter to the Prime Minister of the United Kingdom today, urging the removal of the implementation of the travel rule for cryptocurrency, as well as its current application to other financial institutions.
Why this call to the UK Government ?
This rule places companies in the United Kingdom in a dilemma where they are forced to either violate this new rule or deviate from the principle of data minimization outlined in their own UK-GDPR. All the additional information, in fact, is not necessary for their internal control purposes but solely serves to facilitate the work of foreign law enforcement authorities.
However, the data must be sent for all transactions above a certain threshold, regardless of whether the customer is suspected of any crime. Yet, the police can easily obtain this data with a single phone call or email, in cases where they can demonstrate suspicion of money laundering or terrorism financing.
As a consequence, British companies are now compelled to process data of European citizens and businesses and forward it to other companies, without genuine necessity. This is solely due to the obligation to do so and the fear of penalties.
What’s the idea here?
Most often, companies opt for the easiest route. And then they compromise privacy because it’s simpler and cheaper than violating anti-money laundering laws, which incur hefty fines. However, this practice must cease, which is why HRIF.EU has also clearly stated in the letter that, if necessary, legal actions will be taken to seek restitution for consumers and businesses. The objective is to provide compliance officers and legal experts within these companies with an additional compelling argument to convince their leadership not to enforce the rule any longer.
There is substantial evidence indicating the insufficient legal foundation of these rules. Numerous scholars and privacy authorities have previously cautioned that the disclosure of customer data must be grounded in sound considerations and regulations. See, for instance, the warning from the European Data Protection Board:
The EDPB considers it as a matter of the utmost importance that the anti-money laundering measures are compatible with the rights to privacy and data protection enshrined in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union, the principles of necessity of such measures in a democratic society and their proportionality, and the case law of the Court of Justice of the European Union.
Will this have an effect?
Yes and no. The British government is probably not going to stop abruptly with their plan. They will continue on their course. However, British companies with a sense of honor and an understanding of data minimization have now been given legal support by our foundation. They can refuse to implement the rule and refer to our letter as evidence. For this reason, the letter has elaborated the argument with referral to historical background of the rules.
But what they may not realize in the UK, and what we haven’t explained to the PM, is that in the Netherlands, we have new regulations that enable mass damage claims. So, if there’s a serious hack or significant harm to European citizens or companies in the future, our foundation could well be one of the parties involved in this legal process.
Is my data still adequately protected internationally?
No, it’s evident that the obligation to transmit private data to other companies, competitors, and entities in countries where data protection is not up to standard is simply not a sound idea. However, read the letter for more details and also take a look at the website of Noyb, the foundation led by Max Schrems, which has been striving for data protection reform for years, consistently winning in court but with progress remaining insufficient.
As a foundation, we refuse to accept the current state of affairs. It’s clear that mere discussions and polite letters aren’t effective, and that liability and timely legal action prompt parties to take action. It begins with a polite request to refrain from certain actions. This is followed by further steps. And then we document these actions on this blog.
Isn’t all of this a bit far-fetched?
Smoking causes cancer. Insiders knew this for years, but didn’t disclose it. Eventually, it came to light and had to be printed on cigarette packs.
Similarly, these extensive anti-money laundering regulations are detrimental to consumers and businesses. You don’t need to realize it overnight, but one day your data might end up in the wrong place, and an Artificial Intelligent Monitoring system could just block your account. Good luck in finding out how and why, but don’t look surprised if part of the data was fetched due to this legal obligation.
As a foundation, we aim to prevent this scenario and ensure that parties won’t later claim, “We didn’t know that data disclosure was harmful.” Those who cause harm should be responsible for compensation, and the same principle applies here.