The draft amendments to the Money Laundering and Terrorist Financing Prevention Act and the International Sanctions Act concern how, for what purpose and which personal data the FIU may process.

The bill drew criticism last summer from Chancellor of Justice Ülle Madise and the president declined to promulgate it. Since then, the Ministry of Finance has made a number of changes. Among other things, the ministry, together with the FIU, proposed that after a certain period, it would be possible to see the FIU's bank account inquiries in the data tracker.

Evelyn Liivamägi, deputy secretary general for financial and tax policy at the Ministry of Finance, told ERR that the aim of the amendment is, on the one hand, to ensure that the FIU can carry out its statutory duties and to avoid situations where notifying an individual could undermine the prevention of money laundering and terrorist financing.

"On the other hand, it is important to ensure a person's right to be informed later that their data has been collected through the enforcement register. Therefore, the law will be supplemented with a provision that the FIU will notify a person five years after a query has been made via the enforcement register, provided that disclosing the data no longer jeopardizes any potential criminal proceedings," Liivamägi added.

In practice, she said, this means notification is possible if the data is no longer used or usable in criminal proceedings in Estonia or abroad and if disclosure does not infringe on the rights and freedoms of third parties.

At the same time, it is not excluded that a person may contact the FIU with a request for information even before the five-year period has passed, for example if they learn during criminal proceedings that their data has been processed.

"In such cases, the FIU will assess each request individually to determine whether the information can be released earlier. If the need for access restrictions has ceased, the information can be provided to the individual before the general deadline," the deputy secretary general explained.

The Ministry of Finance has also proposed reducing the retention period for data processing logs from 15 years to 10 years from the time of entry. In addition, a provision will be added under which the Data Protection Inspectorate will carry out regular supervision over the legality of the FIU's activities.

Interest groups still unhappy

Despite the amendments, several organizations remain dissatisfied with the draft law. For example, the Chamber of Commerce and Industry finds that the bill has not been sufficiently developed and does not support its adoption in its current form.

According to the chamber's head, Mait Palts, the changes added to the draft do not significantly affect the scope of the restrictions planned for the core activities of the Financial Intelligence Unit (FIU). As a result, the FIU may in practice retain a similarly broad margin of discretion to limit individuals' rights.

Palts also pointed out that the FIU's use of profiling analysis and data mining likely qualifies as a high-risk artificial intelligence system, which entails separate obligations such as conducting an impact assessment and ensuring transparency. However, no such assessment has been prepared to date.

The Estonian Leasing Association also criticized the Ministry of Finance, saying that stakeholder feedback has so far been insufficiently taken into account. The association's executive director, Reet Hääl, noted that Estonian law does not allow for preventive criminal proceedings, which initiating proceedings based on profiling would undoubtedly constitute.

Given the FIU's legal status, Hääl said there is reason to consider at what point data processing amounts to activity resembling surveillance, which is permitted only for investigative authorities.

Raido Saar, chairman of the Estonian Web3 Chamber, said that if the state creates a technical interface enabling rapid and centralized access to individuals' bank account data, it may help combat money laundering, but would also be an ideal tool for criminals, extortionists and hostile intelligence services.

Saar added that Estonia's current problem is not large-scale money laundering but rather widespread cyber fraud and there is no overriding public interest in granting the FIU "superpowers." Therefore, it is questionable whether the Estonian state should build a system that, on the one hand, significantly interferes with fundamental rights and, on the other, creates a centralized, high-value target for attacks.

However, Saar emphasized that if such access exists at all, it must be subject to very clear safeguards and transparent external oversight.

MP: Many critics seem unfamiliar with the bill

On Tuesday, the Riigikogu Finance Committee again discussed the draft law. Committee member Maris Lauri (Reform Party) told ERR that they had listened to stakeholders' opinions on the proposed amendments, but said that both these views and statements made in public often do not correspond to the amendments and, in some cases, not even to the content of the bill. Many of the critics' claims, she added, have been taken out of context.

"This bill does not deal with obtaining bank statements. Nor will the database, which is a key part of the draft, contain bank statements," Lauri stressed. "What is being presented is completely incorrect. All the materials are available on the bill's proceedings page and if someone claims to find something else there, I have to question whether they have actually reviewed the materials or are acting in bad faith."

According to Lauri, several critical statements have conflated multiple draft laws — one being the current bill and another still under preparation at the Ministry of Finance. She noted that the bill recently discussed in the Finance Committee is, in a sense, aimed at formalizing data already accessible to the Financial Intelligence Unit (FIU), so that its use would be regulated at the level of law rather than by regulation.

Lauri said that each provision has been carefully assessed for necessity and that elements whose need could be questioned have been extensively removed from the draft.

Addressing database security, Lauri said the Finance Committee has visited the FIU and reviewed how data protection and access controls are organized there.

She said both that visit and a meeting with a representative of the Ministry of Finance's IT center showed that cyber risks have been mitigated very extensively. The FIU's security and internal control measures are also very strong and multilayered, effectively ruling out the possibility of unauthorized access to the data.

"These security systems can probably be compared to those used by banks — they are certainly on a similar level," Lauri said. "To claim that the database is somehow easily accessible is either a deliberate falsehood or a lack of knowledge."

According to the committee member, they have also thoroughly analyzed the criticism of the bill from the chancellor of justice.

Lauri said that ultimately, the issue can be viewed from the perspective — also expressed by Ülle Madise and several legal scholars — that certain questions may need to be resolved in the Supreme Court. She added that all of Madise's comments have been taken into account as far as possible and it remains to be seen where disagreements may persist.

"It seems to me that there are now very few of them left, but it cannot be ruled out that some differences still remain. Perhaps those are precisely the issues that need to be argued through," Lauri said. "If someone says something is unconstitutional, that does not mean all of our top judges share that view. It needs to be debated whether any infringement is proportionate in specific cases."

The Ministry of Finance will now review the proposals submitted by the parties and determine whether any aspects of the draft require revision. The Finance Committee will then discuss the bill again and, according to Lauri, aims to proceed as quickly as possible. She noted that the bill has undergone a lengthy process precisely because there have been extensive discussions.

A separate draft law related to bank secrecy — the amendment to the Credit Institutions Act — is currently being prepared at the Ministry of Finance. Evelyn Liivamägi said it is expected to be sent for public consultation in April.

--

Follow ERR News on Facebook and X and never miss an update!