Amendments to the Anti-Money Laundering and Counter-Terrorism Financing Act Are in Conflict with Both the Constitution and EU Law

The Estonian Bar Association and the Estonian Chamber of Commerce and Industry have jointly addressed the President of the Republic of Estonia, expressing concerns that the recently adopted amendments to the Anti-Money Laundering and Counter-Terrorism Financing Act contain significant shortcomings—from insufficient involvement of stakeholders to, in their view, being incompatible with both the Constitution and European Union law in their current form.

Mait Palts, Director General of the Estonian Chamber of Commerce and Industry, stated that the legislative process was rushed and skipped important steps. "No concept paper was prepared for the law, and relevant individuals and organizations were not sufficiently involved. Although the planned amendments affect both individuals engaged in business and companies, the Estonian Chamber of Commerce and Industry and other umbrella organizations were not among those consulted," he said, adding that the urgency was justified by the need to access EU recovery funds. "That cannot be a sufficient justification when the law impacts the whole of society," Palts emphasized.

Imbi Jürgen, President of the Estonian Bar Association, explained that the lack of involvement and the rush in processing the draft law led to significant errors in both the content of the law and its impact assessment. "In the Bar Association’s opinion, the proportionality analysis of fundamental rights infringements is insufficient, the data protection impact assessment is non-existent, and the requirements of the EU Artificial Intelligence Act have been completely ignored," Jürgen stated. "While the planned data processing may indeed make it more effective to prevent money laundering, this goal alone does not justify such an intense infringement of individuals' fundamental rights or the imposition of extensive obligations on entrepreneurs," she added.

The organizations also point out that the explanatory memorandum lacks substantive analysis on whether the planned changes align with the Constitution. For example, there is no evaluation of whether the same goals could be achieved through less intrusive data processing measures.

The data protection impact assessment is also deemed inadequate and, according to the organizations, does not meet the requirements of the EU General Data Protection Regulation (GDPR) or the EU Artificial Intelligence Act. Furthermore, the statement lacks an assessment of how the rights of data subjects will be ensured in cases of automated decision-making and how these decisions can be challenged.

The Estonian Chamber of Commerce and Industry and the Estonian Bar Association believe the law requires thorough review before promulgation, as it may be in conflict with both the Constitution and European Union law.

Palts also pointed out that Estonia, as a digital society, has long collected a vast amount of different data, and new technologies, including artificial intelligence, now allow us to analyze this data more effectively than ever. "However, as a society, we must consider how much and to what extent we want such data processing. Just because we have the technical capability doesn't mean we should use it indiscriminately — it is crucial to find a balance where the benefits of data processing outweigh the potential impacts on privacy and fundamental rights," he said.