POPI vs FICA The Practice of Privacy and Anti Money Laundering for global companies and their South African subsidiaries.

David Taylor 0845440044 [email protected] [email protected]

10/2/2012


• WHO AM I?

• A Lawyer

• Good News – No FEE!

• Legal Disclaimer – This is not legal Advice! NO LIABILITY

• COPYRIGHT – David Taylor

• Not View of T-Systems

• WHO AM I REALLY?

• ICT Lawyer – since 1999

• Admitted Attorney – 1996

• Consultant to various national and international business, government and parastatals, SMMEs: NCR, NGB, SAIPA, T-Systems, Vericred, Bankserv, PopCru, PSA, Gijima etc.

• Taught IT law at Unisa 14 years: Ass Prof

• Awards for research and teaching

• Conducted research and a visiting Prof at overseas universities where I taught IT Law

• Visiting professor in IT law Sweden (2010)

• I have published many articles and presented many times at conferences

Government task team to develop South African IPv6 strategy

NGO Director -

CyCaD (Cyberwar Civilian Defence)

Citizen Coalition Against Internet Crime

Steering Committee - Association of Certified Fraud Examiners -Forensic Science Forum (ACFE (SA))

Steering Committee - IT Profession Body (IT Board (SA))

IT Committee (IT Risk and Audit) member (SAIPA)

David Taylor, BA (Wits), BA Hons (Unisa), LLB (Wits), LLM (Unisa), LLM (Stockholm Sweden)

Legal Disclaimer – Not view of T-Systems


• WHO AM I REALLY? - PRIVACY

• NOW – Corporate Lawyer T-Systems

• Data Protection lead on large international Contract Negotiations (R2.58 billion)

• Establish, manage and conduct criminal and misconduct investigations relating to employee, customer, contracts, in particular IT forensic, fraud investigation, ensuring the legal securing and protection of evidence

• Designing and implementing Cyberwarfare training and exercises

• Establish and ensure Data Protection mechanisms in the institution

• Align Privacy with international operations

• Analyse, assess and evaluate computer systems and business activity for legal risk in particular for Data Protection

• Develop strategy and policies in relation to Data Protection

• Negotiate International contracts

• Select and implement technologies that ensure Data Protection

• Draft policies and contracts including for operations in countries outside South Africa

• Conduct and Comply with International Privacy Audits and implement South African audits

• Design and implement training

• 2000 – Involved with the Creation of EU Data Privacy Law Database

• Consulted locally and abroad

• Legal issues, and IT system design and Business model adjustment for legal compliance

• International and multinational consultation, e.g. the integration of 7 global SAP HR systems into one, ensuring legal and Privacy Compliance

• Training materials design


Outline

Background to AML

The relationship between AML and DP in the South African Constitutional context

Some issues

CDD

Transborder flows

Tipping off

What does this mean for AML and DP?


Background to AML

Mid 1980s - Growing concern of international community to deprive criminal elements of the proceeds of their crimes.

Money laundering is a process of concealing or disguising the illegality of the origin, nature, source and ownership of funds.

1989 – Financial Action Taskforce (FATF) set up to ensure global action to combat money laundering.

Forty Recommendations - Complete set of counter-measures against money laundering

FATF consists of 33 member countries and two regional organisations

Secrecy laws should not prohibit sharing of information by financial institutions (FI)-(R4)


Background to AML


Anti-money laundering measures require certain disclosures of customer information, data or documents to be made.

QUESTION: does a strict adherence to anti-money laundering measures violate customers’ rights to non-disclosure of information, data or documents?

Data Protection rules and the requirements imposed by AML.

The European Commission’s objectives - a high standard of protection of personal data while preserving the flow of information within the internal market


Constitution of the Republic of South Africa, 1996

14. Privacy

Everyone has the right to privacy, which includes the right not to have

their person or home searched;

their property searched;

their possessions seized; or

the privacy of their communications infringed.


Constitution of the Republic of South Africa, 1996

36. Limitation of rights

The rights in the Bill of Rights may be limited only in terms of law of general application to the extent that the limitation is reasonable and justifiable in an open and democratic society based on human dignity, equality and freedom, taking into account all relevant factors, including

the nature of the right;

the importance of the purpose of the limitation;

the nature and extent of the limitation;

the relation between the limitation and its purpose; and

less restrictive means to achieve the purpose.

Except as provided in subsection (1) or in any other provision of the Constitution, no law may limit any right entrenched in the Bill of Rights.


Constitution of the Republic of South Africa, 1996

PROTECTION OF PERSONAL INFORMATION BILL

PREAMBLE

RECOGNISING THAT—

● section 14 of the Constitution of the Republic of South Africa, 1996, provides that everyone has the right to privacy;

● the right to privacy includes a right to protection against the unlawful collection, retention, dissemination and use of personal information;

● the State must respect, protect, promote and fulfil the rights in the Bill of Rights;


Constitution of the Republic of South Africa, 1996

PROTECTION OF PERSONAL INFORMATION BILL

Saving

5. (1) This Act does not affect the operation of any other legislation that regulates the processing of personal information and is capable of operating concurrently with this Act.

(2) If any other legislation provides for safeguards for the protection of personal information that are more extensive than those set out in the information protection principles, the extensive safeguards prevail.


Constitution of the Republic of South Africa, 1996

PROTECTION OF PERSONAL INFORMATION BILL

Exclusions

4. This Act does not apply to the processing of personal information—

(a) in the course of a purely personal or household activity;

(b) that has been de-identified to the extent that it cannot be re-identified again;

(c) by or on behalf of the State and—

(i) which involves national security, defence or public safety; or

(ii) the purpose of which is the prevention, investigation or proof of offences, the prosecution of offenders or the execution of sentences or security measures, to the extent that adequate safeguards have been established in specific legislation for the protection of such personal information;


Constitution of the Republic of South Africa, 1996

PROTECTION OF PERSONAL INFORMATION BILL

Exclusions

4. This Act does not apply to the processing of personal information—

(d) for exclusively journalistic purposes by responsible parties who are subject to, by virtue of office, employment or profession, a code of ethics that provides adequate safeguards for the protection of personal information;

(e) by Cabinet and its committees, the Executive Council of a province and a Municipal Council of a municipality;

(f) relating to the judicial functions of a court referred to in section 166 of the Constitution; or

(g) that has been exempted from the application of the information protection principles in terms of section 34.


Constitution of the Republic of South Africa, 1996

PROTECTION OF PERSONAL INFORMATION BILL

Exclusions

4. This Act does not apply to the processing of personal information—

(g) that has been exempted from the application of the information protection principles in terms of section 34.

section 34

the Regulator may authorise a responsible party to process personal information, even if that processing is in breach of an information protection principle if the Regulator is satisfied that, in the circumstances of the case—

(i) the public interest in the processing outweighs, to a substantial degree, any interference with the privacy of the data subject that could result from the processing; or

(ii) the processing involves a clear benefit to the data subject or a third party that outweighs, to a substantial degree, any interference with the privacy of the data subject or third party that could result from the processing.


DOES AML FIT IN?

Financial Intelligence Centre Act, 2001 (FICA)

Section 1A. Application of Act when in conflict with other laws

If any conflict, relating to the matters dealt with this Act, arises between this Act and the provisions of any other law existing at the commencement of this Act, save the Constitution, the provisions of this Act prevail.

The PROTECTION OF PERSONAL INFORMATION BILL did not exist at the commencement of FICA.

But FICA is

Exclusions

[4] 6. (1) This Act does not apply to the processing of personal information—

(c) by or on behalf of [the State] a public body and—

the purpose of which is the prevention, detection, including activities that are aimed at assisting in the identification of the proceeds of unlawful activities and the combating of money laundering activities, investigation or proof of offences, the prosecution of offenders or the execution of sentences or security measures, to the extent that adequate safeguards have been established in [specific] legislation for the protection of such personal information


What are the safeguards?

FICA 40 Access to information held by Centre

written authority of an authorized officer; or

Centre reasonably believes such information is required to investigate suspected unlawful activity;

FIC entity outside the Republic


What are the safeguards?

FICA 40 Access to information held by Centre

(1) No person is entitled to information held by the Centre, except-

(c) an accountable institution or reporting institution which or any other person who may, at the initiative of the Centre or on written request, be provided with information regarding the steps taken by the Centre in connection with transactions reported by such accountable institution, reporting institution or person, unless the Centre reasonably believes that disclosure to such accountable institution, reporting institution or person of the information requested could-

(i) inhibit the achievement of the Centre's objectives or the performance of its functions, or the achievement of the objectives or the performance of the functions of another organ of state; or

(ii) prejudice the rights of any person;

(d) a supervisory body, which may at the initiative of the Centre or on written request be provided with information which the Centre reasonably believes is relevant to the exercise by that supervisory body of its powers or performance by it of its functions in relation to an accountable institution;

(e) in terms of an order of a court; or

(f) in terms of other national legislation.

Other requirements, e.g. requests in writing, safeguards must be in place, agreement


What are the safeguards?

FICA S41 Protection of confidential information

No person may disclose confidential information held by or obtained from the Centre except-

(a) within the scope of that person's powers and duties in terms of any legislation;

(b) for the purpose of carrying out the provisions of this Act;

(c) with the permission of the Centre;

(d) for the purpose of legal proceedings, including any proceedings before a judge in chambers; or

(e) in terms of an order of court.


AML rules are broad; there is uncertainty about the latitude of the obligations.

Inconsistency at the EU level.

For example, CDD (customer identification and registration) must ensure that only relevant data is processed, and not data that is excessive with respect to the “processing” purpose.

Proportionality, need and relevance.

An institution must comply with these principles when carrying out its anti-money laundering obligations. Thus the processing of data not expressly indicated in the anti-money laundering legislation remains an open problem.

But AML risk based approach requires


Cross border data flows

Parent companies in other countries: intra-group communications are regulated differently in different countries. Some allow them only where there is a suspicious transaction, others in the ordinary course of business, with or without the customer's consent. Where they are allowed only when there is a suspicious transaction, consent is not needed.

So personal data can be communicated if

a) done to comply with AML law;

b) data subjects are informed that there is a “possibility that the information concerning the transactions requested by the data subjects, if deemed «suspicious» may be communicated to other intermediaries belonging to the same group”.


Cross border data flows

PROBLEM: foreign correspondent banks, e.g. from the U.S.A. or Liberia, request personal data on clients or on their transactions within the banking group. The U.S.A. bank indicates there is a suspicion of ML. But personal data law requires the consent of the data subject unless a ground for exemption exists. One such ground is that consent is not required when the processing “is necessary to fulfill an obligation imposed by law, a regulation or Community legislation”.

But AML creates an exception to data protection, allowing departure only to report suspicious transactions.


Cross border data flows

So, clarification is needed:

Does AML require/permit communication to third parties (even if located abroad, and provided it is a country meeting the criteria) of customer information when the underlying reason is for countering money laundering?

In particular, must or can this information be given in any circumstance, or only if a report of a suspicious transaction has been made by the bank addressee (European) of the request for information or by the bank requesting the information?

What if the country does not have adequate data protection laws?


FICA 29 Suspicious and unusual transactions

(3) No person who made or must make …. otherwise than-

(a) within the scope of the powers and duties of that person in terms of any legislation;


TIPPING OFF

Notification to Regulator and to data subject

17. (6) It is not necessary for a responsible party to comply with subsection (2) [i.e. Openness] if—

(c) non-compliance is necessary—

(i) to avoid prejudice to the maintenance of the law by any public body, including the prevention, detection, investigation, prosecution and punishment of offences;

Data protection

Do not give data if doing so would tip off. This does not provide a blanket exemption to subject access obligations for Suspicious Transaction Reports (STRs); each request for information must be considered on its merits. Institutions must consider whether, in the particular case, disclosure of the STR would be likely to prejudice the prevention or detection of crime.


• POPI vs FICA

• Solution??

• DP complex

• Principles not just positive law approach

• Experts need to be Real Experts

• Territorial Sovereignty

• Global Context – underlying economics


Thank you for your attention.
