Legitimacy of the practices of sharing information

Technological developments and an increase in the amount of information, including personal data, collected and processed by private companies, make state authorities ever more interested in, if not dependent on, the non-public sources of data. This results in the intertwining of state- and non-state surveillance capacities and a gradual spread of responsibility for crime control onto actors outside the public criminal justice system. Such a trend is exemplified by the Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) policy.

The AML/CFT system involves financial institutions, especially banks, in ‘policing’ by requiring them to scrupulously monitor their customers’ transactions, and report any instances identified as suspicions of crime. To fulfil these tasks, banks need input from the state criminal law enforcement bodies. To facilitate the multidirectional exchange of information, in several countries, including the Netherlands, voluntary public-private partnerships (PPPs) for financial information sharing have been established. While the circle of public-private collaboration tightens to enhance the joint investigatory capacities of public and private actors, important questions about the rights to privacy and the protection of personal data arise.
The citizens subject to the AML/CFT measures are no longer confronted only with the surveillance power of the state but with a network of joint public-private powers. Taking the perspective of two fundamental rights, namely the right to privacy and personal data protection, the thesis seeks an answer to the question of the legitimacy of the practices of sharing information about individuals between the state and non-state actors in modern democratic societies with a specific focus on the AML/CFT policy.

Magdalena Brewczyńska defended her thesis on januari 19th 2024. She argues that the requirement, which demands any privacy-intrusive power to be exercised when ‘provided for by law’, must not be limited to the simple enactment of laws which establish formal legal grounds for the processing of personal data as demanded by the secondary data protection legislation.

Importantly, such laws need to meet several standards such as clarity, consistency or transparency to form an acceptable legal system, which is not just legal, meaning correctly imposed by the lawgiver, but rather reflects the reciprocal relationship between the lawgiver and people subject to the law, what renders it legitimate.

The thesis is predominantly a legal investigation focused on European human rights law and especially data protection law. The doctrinal legal research is supplemented with the arguments from legal philosophy, which i.a. yields tools for distinguishing legality from
legitimacy and allows for explaining how the latter can serve as a useful lens for the evaluation of policing in the new network of power.

The thesis concludes that the simple insertion of provisions laying down explicit legal grounds for the processing of personal data in the AML/CFT context would not solve the problem of the legitimacy of public-private collaboration through information sharing. Instead, an open democratic dialogue might be needed to ensure that the laws which deputise non-state actors to contribute to crime control are not mere projections of authority but means of enhancing human dignity that underlies human rights.

Supervisors: prof. dr. Eleni Kosta and prof. dr. Esther Keymolen.

Policing via banks: the question of legitimacy of personal data sharing

Over de auteur(s)