Do the New Powers of the Financial Intelligence Unit Endanger Personal Data Protection?
In Estonia, the central institution for preventing money laundering and terrorist financing is the Financial Intelligence Unit (FIU). The FIU is mainly responsible for verifying information indicating money laundering, conducting strategic analysis, and supervising obligated entities to assess their compliance with obligations related to managing the risks of money laundering and terrorism financing.
Over the past year, the FIU’s authority has come up for discussion several times. In March, the Supreme Court discussed the FIU's ability to confiscate assets in cases of suspected money laundering. The Court pointed out contradictions in the current law that may make administrative confiscation of assets impossible in cases of self-laundering (where the same person commits both the predicate offense and the laundering). The Court noted that the current regulation might conflict with the FIU’s objectives and therefore requires legislative intervention.
Last month, the Estonian Parliament approved amendments to the Money Laundering and Terrorist Financing Prevention Act. These amendments do not concern asset confiscation but instead grant the FIU more freedom to process personal data. The FIU will get access to 11 different databases and the right to analyse mass data. Analysis is no longer conducted solely by humans but will also be carried out using data mining and machine learning tools to optimise resources. The President of Estonia did not promulgate the law but instead sent it back to the parliament.
Previous Operations of the FIU
Until now, the FIU had to cooperate directly with other state institutions to fulfil its duties. Anti-money laundering efforts have relied on suspicious activity reports, international cooperation, and data requests submitted by the FIU. Necessary data has been obtained from other state institutions and, if needed, from third parties to confirm or refute doubts.
This system has been slow, as criminals tend to be faster than the FIU’s ability to respond. The explanatory memorandum highlights that delays in data access limit specialists’ efficiency. Analyses could only be conducted based on data collected during FIU operations or expert assessments, sometimes taking several months and failing to provide a real-time overview of the risk. Therefore, system improvements were deemed necessary.
Updates in the Anti-Money Laundering System
Improvements are needed to address the alleged inability of the FIU to perform its current tasks effectively. The original draft bill allowed the FIU to use the same data for both suspicious transaction analysis and strategic analysis. However, this approach was refined during the legislative process, and a clearer distinction was made regarding the scope of data use for different purposes. According to the law, data may only be used to the extent necessary for the specific task, not indiscriminately.
When money laundering is suspected, the FIU may process various personal and financial data of individuals and legal entities, including identity, relationships, education, employment, and potential criminal records. Data also includes information about transactions, accounts, real estate, vehicles, tax returns and customs declarations. Furthermore, the FIU may use data collected via suspicious activity reports, data from obligated persons, and information obtained in connection with compliance with international sanctions.
For strategic analysis, data from suspicious activity reports, obligated persons’ reports, and oversight conducted under the International Sanctions Act may be used. For individuals, data is limited to the business register, beneficial ownership register, and the register of economic activities. For legal persons, tax and customs declarations may also be used.
Special types of personal data, such as political beliefs and religious views, may only be processed by the FIU if submitted by an obligated entity (e.g. a bank via a suspicious activity report). The FIU cannot obtain such data directly from registries.
However, the FIU may conduct profile analysis within its data system, meaning the system may assess the likelihood that a person is or is not involved in money laundering, terrorist financing or related crimes.
The FIU processes personal data on individuals whose data have already been processed, such as those flagged in suspicion reports. It may also, for strategic purposes, process data of individuals listed in national registries or information channels concerning their economic activity and assets. Such sources include the business register and beneficial ownership database.
System Security
The FIU's data system will contain a vast and diverse set of data. Therefore, strategic analysis of mass data, such as pattern and anomaly detection, will be carried out using pseudonymised data. The data is first pseudonymised and only then sent to the FIU’s data system.
Pseudonymisation means that personal identifiers (name and personal ID code) are replaced with codes that do not allow identification of individuals during analysis. However, if the system identifies circumstances that may indicate money laundering, an FIU official, with the FIU data protection officer's permission, may re-identify the data and perform case-based analysis.
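A minimal sketch of the pseudonymisation and permission-gated re-identification described above, added here as an illustration; it is not the FIU's system and is not taken from the law or the explanatory memorandum. The class and field names, the choice of a keyed HMAC, and the sample records are assumptions.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from typing import Optional


class PseudonymVault:
    """Hypothetical custodian component, kept apart from the analysis system."""

    def __init__(self, key: bytes):
        self._key = key        # secret; never stored alongside the analysed data
        self._reverse = {}     # pseudonym -> personal ID code
        self.audit_log = []    # every re-identification attempt, granted or not

    def pseudonymise(self, id_code: str) -> str:
        # Keyed HMAC: one person always maps to the same code, so patterns across
        # records survive, but the code cannot be recomputed without the key.
        code = hmac.new(self._key, id_code.encode(), hashlib.sha256).hexdigest()[:32]
        self._reverse[code] = id_code
        return code

    def reidentify(self, code: str, official: str, dpo_approval: Optional[str]) -> str:
        granted = bool(dpo_approval)
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit_log.append((stamp, official, code, dpo_approval, granted))
        if not granted:
            raise PermissionError("data protection officer approval required")
        return self._reverse[code]


def pseudonymise_records(vault: PseudonymVault, records: list) -> list:
    # Drop name and ID code; keep only what pattern analysis needs.
    return [{"subject": vault.pseudonymise(r["id_code"]), "amount": r["amount"]}
            for r in records]


# Constructed sample records; the ID codes are placeholders, not real ones.
SAMPLE = [
    {"name": "Person A", "id_code": "ID-0001", "amount": 9500},
    {"name": "Person B", "id_code": "ID-0002", "amount": 120},
    {"name": "Person A", "id_code": "ID-0001", "amount": 9400},
]

if __name__ == "__main__":
    vault = PseudonymVault(key=b"constructed-demo-key")
    rows = pseudonymise_records(vault, SAMPLE)
    print(rows)
    print(vault.reidentify(rows[0]["subject"], "analyst-1", "DPO-ticket-42"))
```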
Although mass data processing is presented as a tool, it also involves considerable risks. For instance, in 2021, a cyber-attack against the ISA database exposed the document photos of more than 286 000 Estonians through a photo-sharing service. The leaked data included photos, full names, and personal ID codes. The FIU’s database is even more extensive, including data from multiple fields. Any potential leak could pose an even bigger threat.
The explanatory memorandum estimates the data leak risk as medium and states that the database will be created in accordance with existing information security and cybersecurity standards. However, since Estonia has generally avoided creating such mass databases and this is a rather new approach for the state, the risk cannot be underestimated. Both Finance Committee member Andrei Korobeinik and former Prosecutor General Lavly Perling have pointed out concerns related to data leaks, cybersecurity, and national security threats. Perling underlined that the impact assessment does not address cybersecurity or the resulting security risks.
The memorandum clarifies that a leak of pseudonymised data does not automatically result in personal data exposure. Still, pseudonymised data remains personal data under protection laws. Even if pseudonymised data falls into the hands of third parties and cannot be linked to a specific individual without further information, it may cause an unknown extent of harm to individuals and national security. However, it is not possible to estimate the actual amount of damage, as no analysis has been carried out.
Public Concerns and Response
According to FATF recommendations, Estonia cannot be considered a money laundering paradise. Nevertheless, the creation of the database has sparked debate and controversy over whether it is truly necessary or rather a tool for intruding on citizens’ privacy and increasing control.
In 2024, the FIU received over 14 000 reports, 10 366 of which involved suspicious or unusual transactions. In Estonia, obligated entities have extensive reporting duties and are under close supervision. As a result, a large amount of information on suspected illegal activities is collected and can be effectively analysed.
Thus, the need for further analysis of individuals who are listed in public registries raises questions. The FIU’s new database undoubtedly increases the effectiveness and speed of the fight against money laundering but also challenges the principles of data protection and privacy. Therefore, the legislative changes could have granted the FIU more limited powers. For example, allowing automated control of individuals already flagged via reports could adequately fulfil the objectives of the FIU, especially since the memorandum notes that the estimated number of individuals requiring de-pseudonymisation annually is fewer than 200. As it stands, the public may perceive that all individuals engaged in business are treated as potential criminals, which justifies the tracking of behaviours even for those who are not suspected.
The amendments also raised concerns for the President of the Republic, in particular the fact that restrictions on obtaining information about the processing of one’s personal data depend on the decision of the FIU. The President noted that granting such discretion to an authority excessively limits the constitutional right to informational self-determination. Therefore, the President justifiably returned the law to the parliament for further deliberation.
Our attorneys at Lepmets & Nõges are available to assist with any questions related to anti-money laundering and counter-terrorism regulation. Don’t hesitate to get in touch.