AML and Data Retention: a Difficult Marriage? 12 October 2017
Outline
1. Data protection – current regime
2. GDPR – overview & key novelties
3. GDPR and AML
4. In practice: points of attention regarding implementation
1. Data Protection – current regime
The Data Protection Directive
Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data
Transposed into Belgian law by the Belgian Privacy Act
Act of 8 December 1992 on the protection of privacy in relation to the processing of personal data
Core principles for data processing
1) Legitimacy
2) Purpose limitation
3) Proportionality
4) Transparency
Rule of thumb: what is the reasonable privacy expectation of the data subject?
Core concepts
• Data subject: natural person whose data is being processed
• Personal data: information relating to an identified or identifiable
natural person
• Processing: collection, recording, organization, storage, adaptation or
alteration, retrieval, consultation, use, disclosure by transmission,
dissemination or otherwise making available, alignment or combination,
blocking, erasure or destruction
• Data controller: determines the purposes and means of the processing
• Data processor: processing personal data on behalf of the controller
Role based approach (diagram): data subject, data controller, data processor
2. GDPR – overview
What is it about?
• General Data Protection Regulation 2016/679: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)
• Why a new Regulation?
Need to adapt to the digital age
Direct applicability + uniformity
Penalties not effective enough
Need to enhance harmonization
By when?
• Regulation adopted 27 April 2016
• Entry into force 24 May 2016
• 2-year transition period: applicable from 25 May 2018
2. GDPR – key novelties
1) New privacy rights for the data subject:
• Transparency (Art. 12 – 13)
• Right to erasure / Right to be forgotten (Art. 17)
Google Spain, ECJ C-131/12
• Right to data portability (Art. 20)
“Right to receive the personal data, which they have provided to a controller, in a
structured, commonly used and machine-readable format, and to transmit them to
another data controller”
- If the processing is based on (i) consent or (ii) a contract
- Supports user choice, user control and consumer empowerment
- Facilitate switching between service providers
Recent guidance of the Article 29 Working Party
2) Enhanced responsibilities for the data controller and processor
• Accountability principle (Art. 5.2)
• Data protection by design and by default (Art. 25)
e.g. data minimisation, pseudonymisation
• More responsibilities for the processor (Art. 28)
Implementation of security measures: DC/DP (DC = data controller, DP = data processor)
Record of processing activities: DC/DP
Notification by the DP of any data breach to the DC
3) Additional operational obligations:
• Records of processing activities (Art. 30) : DC/DP
• Data Protection Impact Assessment (DPIA) (Art. 35) for high risk
processing : DC
“Processing in particular using new technologies, and taking into account the nature, scope,
context and purposes of the processing, is likely to result in a high risk to the rights and
freedoms of natural persons”
Concept is not yet clear
‒ Supervisory authority must establish and make public a list of the kind of
processing operations which are subject to the DPIA requirement
Also prior consultation of supervisory authority (art. 36)
• Appointment of a Data Protection Officer (“DPO”) (Art. 37-39)
Compulsory
‒ Processing carried out by a public authority or body
‒ Processing operations which require regular and systematic monitoring of data
subjects on a large scale
‒ Processing on a large scale of special categories of sensitive data
Voluntary
Recent guidance from the Article 29 Working Party
• Notification of personal data breaches (Art. 33-34)
GDPR = very process-driven
• Significant fines and enforcement:
• Up to EUR 20 million or 4% of total worldwide annual turnover, whichever is higher
• New powers to national DPA’s
• Cooperation and consistency mechanisms between DPA’s
• New European Data Protection Board
• Need for additional guidance by national DPA’s
3. GDPR & AML
Introduction
• Balancing different interests
Respect of fundamental rights BUT “escape-clause”
Private (“data subject’s”) rights versus general (“public”) interest
Introduction
• AML 4 (Directive (EU) 2015/849)
Chapter V on Data Protection, Record-Retention (and Statistical Data)
Art. 40 – 43
• Belgian AML Act of 6 July 2017 implementing AML 4 (“Belgian AML Act”)
Art. 60 -65
Attempt for peaceful coexistence
• Art. 41 Directive AML 4
Point 1: “The processing of personal data under this Directive is subject to Directive
95/46/EC, as transposed into national law. […]”
Point 2: “Personal data shall be processed by obliged entities on the basis of this
Directive only for the purposes of the prevention of money laundering and terrorist
financing as referred to in Article 1 and shall not be further processed in a way that is
incompatible with those purposes. The processing of personal data on the basis of this
Directive for any other purposes, such as commercial purposes, shall be prohibited.”
Respect of purpose principle?
Attempt for peaceful coexistence
• Art. 41 Directive AML 4
Point 3: “Obliged entities shall provide new clients with the information required
pursuant to Article 10 of Directive 95/46/EC before establishing a business relationship or
carrying out an occasional transaction. That information shall, in particular, include a
general notice concerning the legal obligations of obliged entities under this Directive to
process personal data for the purposes of the prevention of money laundering and terrorist
financing […]”
Respect of transparency principle?
Attempt for peaceful coexistence
• Art. 41 Directive AML 4
Point 4: “In applying the prohibition of disclosure laid down in Article 39(1), Member
States shall adopt legislative measures restricting, in whole or in part, the data subject's
right of access to personal data relating to him or her to the extent that such partial or
complete restriction constitutes a necessary and proportionate measure in a
democratic society with due regard for the legitimate interests of the person concerned to:
(a) enable the obliged entity or competent national authority to fulfil its tasks
properly for the purposes of this Directive; or
(b) avoid obstructing official or legal inquiries, analyses, investigations or
procedures for the purposes of this Directive and to ensure that the prevention,
investigation and detection of money laundering and terrorist financing is not jeopardised.”
Indirect exercise of the access right via the supervisory authority as a remedy
Respect of transparency principle?
Attempt for peaceful coexistence
• Art. 43 Directive AML 4
“The processing of personal data on the basis of this Directive for the purposes of the
prevention of money laundering and terrorist financing as referred to in Article 1 shall be
considered to be a matter of public interest under Directive 95/46/EC.”
Respect of legitimacy and purpose principles ?
Potential frictions and conflicting areas
1) Purpose limitation
Personal data may only be collected for specified, explicit and legitimate purposes and not
further processed in a manner which is incompatible with those purposes (art 5.1.b) GDPR)
• AML 4:
‒ the policy purpose defined is the “fight against money laundering and terrorist financing”
‒ and there are various controllers: authorities in charge of investigating anti-money
laundering, tax evasion, authorities investigating terrorism, FIUs, press and public at
large
• AML 5 : also new policy purpose of “fighting against tax evasion” to be introduced?
There is uncertainty as to the purpose(s) pursued
Are these purposes specific and explicit enough?
Potential frictions and conflicting areas
2) Proportionality
Digital Rights Ireland, ECJ C-293/12: “Fight against terrorism = public interest”
BUT measure must be proportionate
Data retention
‒ Data retention period of 5 years after the end of the business relationship, which Member States may extend by up to a further 5 years (5 + 5), followed by an obligation to delete the data once the retention period has expired
‒ Data cannot be kept for longer than necessary for the purposes for which personal
data are processed (art 5.1.e) GDPR)
Access right to the UBO register
‒ Legitimate interest? Necessity to implement differentiated access
Potential frictions and conflicting areas
3) Data subjects’ rights
Information obligation / transparency obligation: Art 13 GDPR
Art 65 Belgian AML Act: “The person to whom the processing of personal data applies under this Act does not enjoy the right to [...].”
Access right (art 15 GDPR), right to rectification (art 16 GDPR), right to erasure (art 17
GDPR), right to data portability(art 20 GDPR), right to object (art 21 GDPR),
communication of a personal data breach to the data subject (art 34 GDPR)
“The right of access of the data subject to the personal data concerning him or her is exercised indirectly, pursuant to Article 13 of the aforementioned Act of 8 December 1992, with the Commission for the Protection of Privacy as established by Article 23 of the same Act.”
Are the conditions of Art. 23 GDPR on restrictions to data protection rights met?
Potential frictions and conflicting areas
4) High risk processing
Art. 35.1 GDPR: “Processing in particular using new technologies, and taking into account
the nature, scope, context and purposes of the processing, is likely to result in a high risk
to the rights and freedoms of natural persons”
Concept is not yet clear
• Art. 35.3 GDPR provides some examples?
• Supervisory authority must establish and make public a list of the kind of processing
operations which are subject to the DPIA requirement
• Advice 24/2017 by the Belgian Privacy Commission (§27): processing for AML/TF
purposes already identified as high risk processing
Potential frictions and conflicting areas
4) High risk processing
Stricter obligations under the GDPR:
• Appropriate technical and organisational security measures
• Notification of data breaches
• Data Protection Impact Assessment & Prior consultation
• Data Protection Officer
Potential frictions and conflicting areas
5) International intra-group data transfers
Art. 13 § 1 Belgian AML Act: “Obliged entities that form part of a group must apply the group-level policies and procedures for the prevention of ML/TF, including in particular the policies on data protection [...]”
When transferring personal data to third countries or international organisations, the DC and DP must ensure that the level of protection of natural persons guaranteed by the GDPR is not undermined
– Transfers on the basis of an adequacy decision
– Transfers subject to appropriate safeguards such as approved binding corporate rules and
standard data protection clauses
– Opinion No. 12/2017 of the Commission pour la protection de la vie privée
Contested data transfer decision before the ECJ
4. In practice: points of attention
• Some examples from practice
• Compliance challenges and opportunities
Being compliant offers a competitive advantage
Increasing enforcement and attention
Corporate reputation is at stake
AML and GDPR compliance & legal teams
‒ have to combine readings of several “transversal” regulations
‒ need to work in close collaboration with other teams (joint AML – GDPR working groups)
‒ AND also take the intersection of Human Rights and Financial Regulations in mind…
Questions?
Contact details
Sarah De Dijn
Associate – Corporate & Finance
T +32 2 533 53 28
Carolien Michielsen
Associate – TMT & IP
T +32 2 533 54 56
stibbe.com
Thank you