Why the EU’s Rushed ‘Travel Rule’ for Crypto Should Be Struck Down

Originally published by Coindesk on 25 July 2022 (also republished by Yahoo).

We appear to be reaching an end stage in negotiations between the European Parliament and the Council of the European Union on a plan to extend the EU’s financial-surveillance regime over the cryptocurrency industry. Alas, lawmakers were in such a rush that they appear not to have noticed that the hastily crafted legislative package violates fundamental tenets of the EU’s founding treaties.

Prominent within the package are new anti-money laundering and terrorism-financing rules for the crypto space.

Most notably, the EU would extend the so-called travel rule, which currently applies to wire transfers managed by global banks, to require crypto-asset service providers to collect and report data about the originators and beneficiaries of crypto-asset transfers.

But the Court of Justice of the European Union (CJEU), the EU’s highest court, is likely to find that the travel rule constitutes a broad and indiscriminate surveillance regime for personal data.

The CJEU has previously established strict conditions that such legally mandated invasions of privacy must satisfy to be considered valid under the EU Charter of Fundamental Rights. Barring some fundamental changes to the proposal, the court would likely impose significant limitations on the travel rule, much as it struck down a controversial data retention directive in 2014.

The EU’s existing travel rule dates to a 2015 wire transfer regulation designed to prevent, detect and investigate money laundering and terrorist financing. The wire transfer rule is likely to be replaced by a new transfer-of-funds regulation (TFR) on which EU lawmakers reached a tentative deal in late June.

In addition to the existing obligations on payment-system providers, the TFR would require providers of crypto-asset transfers to collect information that would allow state authorities to personally identify both sides of a transfer and to link those identities with a blockchain address.

These obligations are general and indiscriminate, in that the rule would not make distinctions based on the likelihood that a given transaction is connected with criminal activity.

The TFR also obligates service providers to verify the accuracy of the identifying information “on the basis of documents, data or information obtained from a reliable and independent source.”

The scope of this obligation is vague, but based on the requirements already spelled out in the EU’s anti-money laundering directive, service providers are likely to require customers to provide copies of passports, national ID documents, bank or payment-account statements and utility bills.

Such data is overwhelmingly likely to go beyond just customers’ civil identity and will almost always allow for sensitive personal data to be inferred.

Meanwhile, Article 7 of the EU Charter grants that everyone has “the right to respect for his or her private and family life, home and communications” and Article 8 stipulates “the right to the protection of personal data.”

A pressing question is whether the TFR’s far-reaching restrictions of the rights established in Articles 7-8 are strictly necessary and proportionate.

Defenders of the current regime focus on evidence that it contributes to preventing or prosecuting some crime.

However, there’s a basic problem in that there is no reliable data on the relative effectiveness of measures like the travel rule. Are these measures as or more effective than alternative, less costly and more privacy-preserving alternatives?

One conservative estimate holds that compliance costs with the EU’s anti-money laundering regime were 120 times the amount successfully recovered from criminals.

The fact is that the travel rule has been imported to EU law from U.S. law, where the standards of constitutional protection of privacy are much different – a fact that would likely be noticed by European courts in any putative challenge to the TFR. This is why the court may be likely to find that the TFR lacks the precision required under CJEU case law.

But legal arguments about the financial surveillance regime’s incompatibility with the EU Charter should be accompanied with concrete alternatives to achieve the goals of preventing and combating serious crime that, according to the best evidence, the regime does ineffectively.

We need more regulatory imagination, rather than just mount a clumsy attempt to do “something” about crypto and crime without a serious, evidence-based reflection on how best to do it.