Companies are being forced to choose between risking hefty fines for violating sanction laws or risking equally hefty fines for GDPR breaches. The solution is simple. Make sanction lists exempt!
The US and the EU have lists of countries, companies, organizations, and individuals with which it is illegal to do business. These lists are called sanction lists. Laws and lists are important tools in the fight against money laundering, terrorism, and other international crime.
Anyone who breaks international sanction law risks hefty fines. Yet those who want to ensure that they are doing the right thing and who store and process data on people on the sanction lists risk breaching the GDPR and incurring huge fines. Companies are being forced to weigh the risk of violating sanction lists against the risk of breaching the GDPR.
Exemption from GDPR
Last year GE Health Care Group asked the Swedish Data Protection Authority for an exemption from the GDPR in order to process sanction lists. However, since sanction lists can contain personal data from criminal records, the answer was “no” as the processing of such data is prohibited. The matter was raised with the administrative court of Stockholm, which also said “no”.
It is not as though personal data in the sanction lists remains secret or even difficult to access if companies are forbidden from processing it. The lists are published online for anyone to look at. From a legislator’s perspective, the problem is that the personal data in the lists will have been processed without the consent of those to whom it relates.
Impossible to do the right thing
Companies are clearly faced with an unreasonable choice. It’s impossible to do the right thing without some sort of manual reconciliation. You have to sit and check off your potential business contacts against a list as long as a telephone directory. In what way this benefits the privacy of the people on the list is unclear.
The consequence of this is that companies are discouraged from doing business outside of the EU and the US. This is especially true for small and medium-sized businesses offering products and skills that are in demand in developing countries.
What is worth protecting the most
Recital 4 of the GDPR clearly states that the right to privacy is not an “absolute right”. It must be weighed against other fundamental rights and obligations, and against the central functions of a constitutional state. Ultimately we reach the point where we have to decide, based on risk, what is worth protecting the most – the privacy of an individual in terms of data on crime, or the company’s interest in meeting its obligation to assist in the fight against terrorism and money laundering.
Something has to be done. Although there’s no doubting that personal privacy must be taken into account in addressing money laundering, my view is that the fight against terrorism and serious crime outweighs the terrorists’ need for privacy.
In my opinion, the solution is simple. Legislators must make a clearer exemption in the GDPR so that companies can legally store and process the content of sanction lists without running the risk of breaching the GDPR. They can rely on data and analysis companies like Bisnode to ensure that any such processing is done securely.