Borderlines of Unlawfulness?
The General Data Protection Regulation (GDPR) requires organizations to protect privacy. On the opposite side of the spectrum is Anti-Money Laundering (AML), where compliance requires a substantial use of personal data. How can financial institutions and others navigate the regulatory conflict between AML and GDPR?
The Swedish Authority for Privacy Protection (IMY) recently granted a major Nordic bank the permission to process personal data relating to criminal convictions and offences. According to the bank’s application, the purpose was to ensure that suspicious and previously rejected clients do not become customers in the future.
IMY acknowledged the legitimate interest of the bank to allow processing of personal data and that it, in this case, outweighs the interest of the data subjects. However, IMY also noted that such processing in accordance with the Swedish Anti-Money Laundering Act (AML Act) could not constitute a legal obligation under the GDPR.
According to Section 2 § 3 of the AML Act, an actor shall assess the risk of money laundering or terrorist financing that may be associated with the customer relationship (the customer’s risk profile). IMY reasoned that if an obligation is too vague, it gives the actor too much discretion as to how to comply with it. IMY concluded that the obligation in Section 2 § 3 of the AML Act is too unclear and imprecise to be interpreted as a legal obligation of such precision and clarity that it may form the basis for the processing of personal data at issue. There are borderlines of unlawfulness under both AML and GDPR, but they do not necessarily align.
The Principles for Processing of Personal Data
It follows from the basic principles of the GDPR that personal data must be processed in a lawful, fair and transparent manner in relation to the data subject. The principle of lawfulness means, among other things, that the processing must be supported by a legal basis. The principle of fairness involves a balancing of interests or proportionality assessment, meaning the processing must not be unreasonable in relationship to the data subject.
The basic principles further state that personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. The personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed, and shall not be kept in a form which permits identification of the data subjects for longer than is necessary for those purposes.
Referring to article 5 of the GDPR, any organization should demonstrate the following:
Lawfulness, Fairness and Transparency
We have a valid purpose for processing the data. It is transparent what that purpose is and how the data is being used.
Purpose Limitation
We only process the data with a clear and explicit purpose. We do not use the data for purposes other than what has been communicated.
Data Minimisation
We only process data that is necessary in order to meet the set purpose, not data collected on a “nice to have” basis.
Accuracy
We only process data that is accurate and up to date.
Storage Limitation
We do not store data because it might be useful in the future. If we do not have a legal ground for storing it, we do not keep it.
Integrity and Confidentiality
We process the data in a secure manner to avoid data leakage or unauthorized or unlawful processing.
Lawfulness of Processing
Processing is lawful only if, and to the extent that, at least one of the lawful grounds below applies. One lawful ground permits processing of personal data if the processing is necessary for compliance with a legal obligation to which the organization is subject. Another lawful ground applies if the processing is necessary for the purposes of the legitimate interests pursued by the organization or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.
Any organization must therefore be able to apply one of the following lawful grounds:
Consent
Freely given by the data subject.
Specific, informed and unambiguous.
Vital Interest
Valid in order to protect the data subject’s vital interests.
Performance of a Contract
Necessary to process personal data for the performance of a specific contract.
Public Interest
An authority or other organization acting in the public interest can process personal data without consent if it is necessary for the task.
Legal Obligation
Valid in order to comply with certain legal obligations.
Must be able to identify the legal provision(s) obligating the controller to process personal data.
Legitimate Interest
Processing is necessary for the legitimate interests pursued by the controller or by a third party, and those interests outweigh those of the data subject.
Organizations processing personal data shall be responsible and able to demonstrate compliance with the basic principles of GDPR. This is the accountability requirement under GDPR and one way of doing so is to assess the processing in a Data Protection Impact Assessment (DPIA).
Interpretations of IMY’s Decision
Certain violations identified by Data Protection Authorities are more common than others. ‘Insufficient legal basis for processing of personal data’ is, to date, the most common violation, just ahead of ‘non-compliance with general data processing principles’.
Non-compliance with general data processing principles has generated the largest fines in total, with insufficient legal basis in second place.
Putting this in the context of IMY’s recent decision, we can conclude that anyone who bases a processing activity on a legal obligation must make sure that such legal obligation is specific enough to be lawful. The purpose for processing certain data should be interpreted together with the type of personal data and the assessment of choice of legal basis, considering the lawfulness (ref. art. 5.1.a, 6 and 10) in this recent decision.
Johan Bocander, Director Data Privacy
An assumed legal obligation does not automatically mean that it can be relied upon for lawful processing.
Further, in line with the accountability requirement, the assessment should be properly documented. If the processing is likely to result in a high risk for the data subjects, such processing shall additionally undergo a DPIA before it is launched.
The above and similar activities are increasingly becoming common practice as organizations review their personal data processing and identify gaps in lawful processing. These activities constitute key parts of adequate governance of data processing.
Collectively, they are also a prerequisite for being able to fully achieve goals and utilize opportunities regarding digitization and innovation. If not yet in place, now is the time to get it done so that your organization is prepared and properly equipped to handle coming regulations such as the AI Act.
FCG has supported several clients performing data protection impact assessments (DPIA) and has also reviewed many records of processing activities (ROPA). At this juncture, expertise and experience from practical applications of financial crime prevention, and anti-money laundering in particular, should be considered directly in conjunction with the assessment of data privacy protection.
Given the growing concerns around organized crime and escalating fraud, IMY’s decision is a welcome step forward. The reasoning of IMY is clearly of great interest to the financial services sector at large. At this juncture, it is also clear that the ability to scope and assess the right legal ground for processing is vital.
Johan Bocander
It may be expected that other banks will now follow suit, which puts the focus on what may be considered in the permit application process.