INTERNATIONAL SCREENING REQUIREMENTS MEET DATA PRIVACY IN THE NORDICS
Caroline Olstedt Carlström, Klarna
Christian Pardieu, GE
Nils Arne Grønlie, DLA Piper
US SCREENING REQUIREMENTS
• US entities are obliged not to engage in any form of activities with certain designated nationals, named individuals and corporations.
• Economic and trade sanctions are imposed by the US government.
• Financial institutions and companies in the US are statutorily obligated to implement these sanctions.
OFAC
• OFAC SDN, non-SDN Lists
• Sanctions for non-compliance:
- Civil penalty
- Criminal penalty
• Business perspective – must show compliance in order to be regarded as accepted business partners
EU SCREENING REQUIREMENTS
• EU sanction list
- Directly based on EU regulation
• Local subsidiaries statutorily obligated to implement adequate routines to ensure sufficient customer due diligence
• Contractual requirements
DATA PROTECTION DIRECTIVE
• Article 8.5 of the directive: "Processing of data relating to offences, criminal convictions or security measures may be carried out only under the control of official authority, or if suitable specific safeguards are provided under national law, subject to derogations which may be granted by the Member State under national provisions providing suitable specific safeguards. However, a complete register of criminal convictions may be kept only under the control of official authority."
• Has not been consistently implemented in the Nordic countries.
SWEDEN
• Screening deemed to constitute processing of personal data concerning legal offences by the DPA.
• General prohibition for anyone other than public authorities to process personal data concerning legal offences (Sec 21).
• May apply for an exemption.
• Members of the Swedish Bankers' Association hold an exemption until further notice (with limitations).
• Three other decisions (February): limited exemption to screen customers.
• Unclear situation for other categories of data, such as employee data.
NORWAY
• DPA has deemed screening against OFAC lists to constitute processing of sensitive personal data.
• Prior approval is required.
• ConocoPhillips decision by the Appeal Board (Jan 2012):
- Transfer of personal data from Norwegian branch office to US entity permissible.
- Appeal Board did not comment on whether screening against OFAC lists is permissible or not under Norwegian regulation.
• Unclear situation for US controlled companies.
DENMARK
• Danish DPA's prior approval possibly required in order to screen against the OFAC lists (Sec 8.4 and 50.1).
• However, unclear legal situation, since the DPA in a previous opinion has deemed screening against EU Sanctions Lists not to constitute processing of sensitive personal data, which would be subject to the approval requirement.
FINLAND
• Processing of personal data involving criminal offences constitutes processing of sensitive data (Sec 11-12).
• May be processed subject to prior DPA approval (Sec 43).
• No statements or decisions from the DPA regarding OFAC screening. However, it is likely that the DPA would deem OFAC screening to constitute processing of sensitive personal data, thus requiring prior approval.
SANCTIONS
• Liability to pay damages to data subjects.
• Fines and imprisonment of up to 4 months or 2 years (depending on jurisdiction).
PROPOSED NEW DATA PROTECTION REGULATION
• Screening feasible in the Nordics?
• Swedish prohibition to remain?
• Administrative sanctions of 0.5-2 % of annual turnover, alternatively EUR 250,000-1,000,000.
SUMMARY – A CONFLICT OF LAW
• Clear conflict of law for international groups with a US parent and subsidiaries in the Nordics.
- US parent could face serious penalties for non-compliance.
• Caution: local Nordic representatives could face criminal penalties.
• Unclear and unsatisfactory legal situation.
- Few decisions and statements, almost no guidance.
- The Swedish legislator has rejected legislation allowing OFAC screening.
SUMMARY – CONT.
• Also reputational aspects to consider.
• "Sweden's financial institutions would find it difficult to cooperate with US banks, which in turn would lead to severe disruptions in the financial system and ultimately could affect the relationship to another state. The consequences of a decision to reject an application would therefore be unacceptable."
• Cooperation with US companies, including banks, would be made impossible.
• However, still a priority question in order to mitigate risk for OFAC non-compliance.
• Business risk not to screen!
THANK YOU!
• Caroline Olstedt Carlström
Chief Counsel Global Data Protection
Klarna AB, Sweden
• Christian Pardieu
Executive counsel, Privacy & Regulatory Affairs
General Electric, Europe
• Nils Arne Grønlie
Partner, Location Head of IP & Technology
DLA Piper, Norway