5 Years of GDPR | Navigating the Bermuda Triangle of Compliance
One of the main ethical and legal conundrums of a democratic society is the inherent conflict between the right to privacy on the one hand and the interest in combating crime on the other.
It is a delicate balancing act, weighing different rights and interests against each other with far-reaching consequences. With the advent of the fourth AML Directive and the General Data Protection Regulation, something has changed: what used to be a conundrum for the state has trickled down to obliged entities. Privacy is no longer a concern only for the government or the legislature. Privacy today relates to data and to the risks associated with collecting, storing and using that data. Consequently, this inherent conflict of rights and interests is now on the agenda of obliged entities.
In this article, we take a closer look at the balancing act between privacy and the interest in countering money laundering and terrorist financing from the point of view of obliged entities. We have identified three main problems of anti-money laundering (AML) and General Data Protection Regulation (GDPR) compliance, and we use each of them as a frame for our analysis. Our intent is to present policy recommendations on how regulators and other stakeholders should approach and mitigate these problems in order to ensure both sustainable AML measures and sustainable privacy.
The Three Main Problems of AML and GDPR Compliance
The three main problems are:
- First, the bureaucratization of compliance, which benefits neither anti-money laundering nor data protection and privacy.
- Second, a lack of legal predictability for obliged entities and a lack of harmonization of the legal provisions of the different Member States.
- Third, an almost unilateral focus on data protection and privacy by the Data Protection Authorities (DPAs).
We are hardly alone in drawing these conclusions. For example, the Confederation of Swedish Enterprise (sw: Svenskt näringsliv) has published a couple of reports identifying the same general problems in the context of GDPR compliance. Our aim, however, is to provide another perspective: how to navigate the intersection of AML and GDPR compliance.
The Bureaucratization of Compliance
There are two main reasons for bureaucratization in this context. The first is that both legal acts are, at their core, vague, leaving ample room for interpretation. The second is the onerous requirements for written documentation.
Vague Concepts and Room for Interpretation
The EU AML Directive is built on a risk-based approach: all measures taken by an obliged entity to prevent money laundering and terrorist financing (ML/TF) shall be commensurate with the risk of ML/TF, and "risk of ML/TF" is an intrinsically vague concept. As a prime example, the AML Directive does not explicitly state how the customer risk profile should be established or assessed, only that it shall take place, in broad terms. The Swedish DPA, as well as the Administrative Court of Stockholm, have issued decisions stating that the obligation to establish a customer risk profile does not constitute a legal obligation to process personal data under the GDPR. It might seem counter-intuitive that a legal obligation under the AML rules does not qualify as the "legal obligation" basis for processing under the GDPR (Article 6(1)(c)). The explanation is that a legal obligation must be sufficiently clear and precise in its application to serve as a basis for processing under the GDPR, and a duty to assess risk "in broad terms" is neither.
In the context of the customer risk profile, the collection of data from sanction lists (such as the U.S. OFAC lists) is a recurring issue. For example, neither the European Banking Authority's (EBA) guidelines nor the Swedish AML Act contain an explicit requirement to collect data from sanction lists for AML compliance, so it is not certain whether such collection is "necessary" in the data protection sense.
The GDPR is likewise built on a risk-based approach, but from the point of view of the natural person. The GDPR is by design filled with vague concepts and principles, leaving ample room for interpretation. The balancing act between anti-money laundering and privacy is inherently controversial, and consensus is seldom possible. These are only two examples of how the intersection of two principle-based and vague legal acts creates room for interpretation and puts sustainable processes in both areas at risk.
It is the data controller, as a rule the obliged entity, that must be able to demonstrate compliance with the GDPR (the accountability principle). This entails onerous requirements for documentation and written assessments, regardless of the risk associated with the processing or the type of data used.
It is often implicitly assumed that the higher the risk associated with a processing operation, the more demanding the documentation requirements, and vice versa. In practice, with the exception of the obligation to perform a Data Protection Impact Assessment (DPIA) for high-risk processing (which does not necessarily mean that the data itself is more sensitive), the same basic documentation obligations apply whatever the risk.
There is a hint of this concept in the Swedish DPA's so-called Danske Bank decision, in which the Swedish DPA concluded that the more sensitive the processing, the more precise the legal basis must be. However, that statement was based on Swedish preparatory work. For this reason, the Swedish DPA's reasoning cannot easily be transposed to other Member States.
To a certain extent, conflict between the AML Directives and the GDPR is unavoidable: they sit at the intersection of two opposing interests of a democratic society, the protection of privacy and the protection from crime. But as long as both regulatory texts are vague and leave ample room for interpretation, such conflicts cannot be resolved in practice. We would therefore propose that national authorities work to establish the necessary clarity.
In practice, this would mean the following. The Swedish Financial Supervisory Authority (FSA) and the Swedish DPA both have the mandate to issue decrees and general guidance (sw: förordning och allmänna råd). Our first recommendation is therefore twofold.
- The Swedish FSA should issue a decree and general guidance clarifying the types of data that an obliged entity is required to collect: for example, which factors are always necessary to determine customer risk, and when and in which context the collection of data from public and non-public sanction lists should be required or recommended.
- The Swedish DPA should issue a decree on the collection of personal data from sanction lists and on when personal data relating to criminal convictions and offences may be processed for AML purposes.
We do not harbor any illusion that the two regulators would agree on everything. The purpose is rather to bring into the open the discrepancies in how these legal acts are construed and applied.
In addition, the Swedish DPA should clarify in its decisions that a risk-based approach applies to the requirements for written documentation. That is, the higher the risk associated with a processing operation, the more documentation should be required, and vice versa.
Legal Predictability and Harmonization of Legal Provisions
It is the obligation of each Member State to transpose the AML Directives into national legal provisions. The GDPR, unlike the AML Directives, takes the form of a regulation. Unlike a directive, a regulation applies directly in all Member States without being transposed into national law.
As an added level of complexity, the GDPR contains roughly 60 so-called opening clauses. An opening clause, as the name implies, opens the possibility or the requirement for a Member State to enact national legal provisions on the processing of personal data. Consequently, the GDPR can be likened to a quasi-directive, in the sense that Member States are required, or have the option, to supplement its provisions with national law.
Possibly the most complex opening clause is Article 10 of the GDPR, on the processing of personal data relating to criminal convictions and offences. Such processing shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law.
As the Swedish DPA has concluded in its guidance, the Member States interpret this clause differently. There is no coherent interpretation of what constitutes personal data relating to criminal convictions and offences, nor of when the processing of such data is carried out under the control of an official authority.
Since personal data relating to criminal convictions and offences, including suspected offences, lies at the heart of AML, this causes an unnecessary level of complexity. Resources that would otherwise be spent on anti-money laundering or on privacy-enhancing measures must instead be redirected to country-level legal assessments. This is ironic, given that the GDPR was in part created to alleviate the fragmentation in the application of the previous Data Protection Directive of 1995.
The EU Commission has the power to adopt delegated acts. A delegated act is a non-legislative act adopted by the Commission to supplement or amend certain non-essential elements of a legislative act. A related but distinct instrument is the implementing act, through which the Commission ensures that EU law is applied in a uniform way.
In our assessment, a delegated act is preferable to guidance by the European Data Protection Board (the EDPB). As elaborated in the next section, the EDPB is not required to consider other rights and interests, such as the interest in combating money laundering, when issuing guidance. Further, the EDPB's guidance tends to favor semi-academic embellishment over hands-on advice. For these reasons, and to provide predictability for the FSAs, a delegated act is our recommendation:
- The Commission should adopt a delegated act on the processing of personal data relating to criminal convictions and offences, for the purpose of a harmonized and predictable application for obliged entities. The Commission should clarify which personal data relating to criminal convictions and offences are relevant for AML purposes, and how much weight a given conviction should in principle carry, while still allowing for the risk-based approach.
Unilateral Focus on Privacy
The DPAs frequently have to weigh different rights and interests in the context of data protection audits and decisions. It might come as a surprise, but the GDPR does not explicitly require the DPAs to consider any right or interest other than the right to privacy. Although it can be argued that such a requirement is implicit, for example in the context of a legitimate interest assessment, it is noteworthy nonetheless.
To elaborate on this theme: a DPA is a privacy regulator first and foremost, just as an FSA is a financial regulator first and foremost. The DPAs are unique among Union regulators in that their independence is protected by the EU Charter of Fundamental Rights. The independence of the DPAs can be compared to the independence of the courts. Consequently, even though the DPAs have smaller budgets than their FSA brethren and usually lack the latter's power to withdraw a license, their independence is an ace up their sleeve that makes them powerful regulators. Add to this the possibility of issuing hefty administrative fines (the highest administrative fine so far being € 740 million, or SEK 7.4 billion), and the DPAs constitute powerful regulators indeed.
To give an example: the Dutch DPA issued guidance on the performance of legitimate interest assessments, in which it concluded that a purely commercial interest does not qualify as a legitimate interest under the GDPR. It has to be borne in mind that the freedom to conduct a business, including the pursuit of purely commercial interests such as profit maximization, is a fundamental right enshrined in the Charter of Fundamental Rights. Based on its interpretation, the Dutch DPA issued an administrative fine against a local television channel broadcasting amateur football. Even though the Dutch courts overruled the Dutch DPA, the harm was already done, and the television channel filed for bankruptcy.
Making the requirement to consider other rights and interests explicit would entail an amendment to the GDPR, which is probably not realistic in the near term.
The interest in combating crime constitutes a so-called objective of general interest. Other examples of objectives of general interest include the prevention of serious crime, such as drug trafficking, money laundering, fraud, trafficking in human beings, kidnapping, illegal restraint and hostage-taking, crime against the financial interests of the European Union, counterfeiting and product piracy, computer crime, corruption, and environmental crime.
Consequently, even though money laundering constitutes a serious offence, countering it does not hold a unique status in relation to the fundamental rights of natural persons, in this case the rights to privacy and data protection. All firms are therefore required to evaluate their compliance arrangements in the light of the requirements of the GDPR.
To alleviate the problem in the near term, it is preferable for the Swedish FSA to clarify what the requirements on the collection, use and storage of data are. If these requirements are unclear or imprecise, the DPAs will have no firm basis to take into account.
As explained in the section above, the Swedish DPA has concluded that the processing of data relating to criminal convictions and offences requires a clear and precise legal basis. For this reason, the decisions of the Swedish FSA should, where possible, be clear and precise enough to provide such a basis for obliged entities.
- The Swedish FSA should set out explicitly in its decisions what data should be collected, used and stored. For example, the FSA should publish a guideline that clearly lists the Know Your Customer (KYC) data points, split into need-to-have and nice-to-have data points, where collecting the former would in principle be a legal obligation and collecting the latter would in principle qualify as a legitimate interest under the GDPR. In FSA and industry practice, such lists already exist but have not been formalized.
- The Swedish DPA should evaluate the possibility of creating a cooperative forum with the various AML regulators, or at least with the Swedish FSA, where the regulators and stakeholders could collaborate to bring harmonized guidelines on how to balance AML and privacy to the industries they supervise.
Concluding Remarks on Sustainable Privacy and AML Measures
When navigating the treacherous waters of AML and GDPR compliance, an obliged entity can be likened to a ship caught between Scylla and Charybdis. As we have explained in this article, this benefits neither AML nor GDPR. Rather, it comes at the expense of both.
Our recommendations in this article are no silver bullet. The inherent friction between the right to privacy and the interest in combating crime will always be present and should remain a topic for analysis and reflection.
Our purpose is rather to create a better understanding of the need for both privacy and anti-money laundering, because both are essential and both will increase in importance.
Consequently, the question is not AML versus GDPR. AML compliance without regard for sustainable privacy would likely end up as a PR nightmare on the scale of Cambridge Analytica. GDPR compliance without regard for society's need for anti-money laundering measures would likewise be perceived as tactless against the backdrop of Russian oligarchs. Modern AML and GDPR compliance is rather about sustainability in the long term.
Join our upcoming webinar on the 18th of April, where we continue the discussion of AML and GDPR compliance. Register your participation here (the webinar is held in Swedish).
5 Years of GDPR
May 25th, 2023, marks the five-year anniversary of the GDPR taking effect. This spring we reflect on and review the first comprehensive privacy regulation in a series of publications and events. Stay tuned for insights and perspectives on expectations versus realities of a sustainable privacy arena, the legal ecosystem of the GDPR, the future role of tech, and much more.