The Unbreakable Right to Be Forgotten
The conflict becomes immediate and catastrophic: GDPR demands deletion, AML demands retention, and no compliance system in the world is built to reconcile both simultaneously.
By a C-Suite Exec at a tier 1 bank
A landmark ruling in the European Court of Justice (ECJ), following a class-action lawsuit, reinterprets key articles of the General Data Protection Regulation (GDPR). The court finds that the data subject’s "Right to Erasure" is near-absolute and legally overrides the traditional five-to-seven-year minimum retention period for records held under Anti-Money Laundering (AML) and Counter-Terrorist Financing (CTF) statutes. The only exceptions are when the data is directly linked to an active, substantiated criminal investigation or a legally enforced freezing order.
This creates an immediate, catastrophic conflict for financial institutions. A client can now legally demand that all their transaction history, KYC documents, and risk profiles be permanently deleted 24 months after closing their account — a period far shorter than what is required for effective AML look-backs and pattern analysis.
A global bank is hit with a massive fine because its automated AML system failed to delete the records of 100,000 former customers after they exercised their Right to Erasure, even though the bank argued the historical data was vital for preventing market-wide fraud.
