AML en Gegevensbewaring: een moeilijk huwelijk ? 12 oktober 2017

1. Data protection – current regime

2. GDPR – overview & key novelties

3. GDPR and AML

4. In practice: points of attention regarding implementation

Outline

2

The Data Protection Directive

Richtlijn 95/46/EG van het Europees Parlement en de Raad van 24 oktober 1995 betreffende de

bescherming van natuurlijke personen in verband met de verwerking van persoonsgegevens en

betreffende het vrije verkeer van die gegevens

Transposed into Belgian law by the Belgian Privacy Act

Wet van 8 december 1992 tot bescherming van de persoonlijke levenssfeer ten opzichte van de

verwerking van persoonsgegevens

1. Data Protection – current regime

3

Core principles for data processing

1) Legitimacy

2) Purpose limitation

3) Proportionality

4) Transparency

Rule of thumb

What is the reasonable privacy expectation of the data

subject?

1. Data Protection – current regime

4

Core concepts

• Data subject: natural person whose data is being processed

• Personal data: information relating to an identified or identifiable

natural person

• Processing: collection, recording, organization, storage, adaptation or

alteration, retrieval, consultation, use, disclosure by transmission,

dissemination or otherwise making available, alignment or combination,

blocking, erasure or destruction

• Data controller: determines the purposes and means of the processing

• Data processor: processing personal data on behalf of the controller

1. Data Protection – current regime

5

Data subject

Data controller

Data processor

1. Data Protection – current regime

6

Role based approach

What is it about?

• General Data Protection Regulation 2016/679 Verordening (EU) 2016/679 van het Europees Parlement en de Raad van 27 april 2016

betreffende de bescherming van natuurlijke personen in verband met de verwerking van

persoonsgegevens en betreffende het vrije verkeer van die gegevens en tot intrekking van

Richtlijn 95/46/EG (algemene verordening gegevensbescherming)

• Why a new Regulation?

Need to adapt to the digital age

Direct applicability + uniformity

Penalties not effective enough

Need to enhance harmonization

2. GDPR - overview

7

By when?

• Regulation adopted 27 April 2016

• Entry into force 24 May 2016

• 2-year transition period: applicable from 25 May 2018

27 April 2016 24 May 2016 25 May 2018

Adopted Entry into force Applicable

2. GDPR – overview

8

2. GDPR – key novelties

9

1) New privacy rights for the data subject:

• Transparency (Art. 12 – 13)

• Right to erasure / Right to be forgotten (Art. 17)

Google Spain, ECJ C-131/12

• Right to data portability (Art. 20)

“Right to receive the personal data, which they have provided to a controller, in a

structured, commonly used and machine-readable format, and to transmit them to

another data controller”

- If the processing is based on (i) consent of (ii) a contract

- Supports user choice, user control and consumer empowerment

- Facilitate switching between service providers

Recent guidance of the Article 29 Working Party

2) Enhanced responsibilities for the data controller and processor

• Accountability principle (Art. 5.2)

• Data protection by design and by default (Art. 25)

e.g. data minimisation, pseudonymisation

• More responsibilities for the processor (Art. 28)

Implementation of security measures: DC/DP

Record of processing activities : DC/DP

Notification of any data breach to the DC

2. GDPR: key novelties

10

2. GDPR: key novelties

11

3) Additional operational obligations:

• Records of processing activities (Art. 30) : DC/DP

• Data Protection Impact Assessment (DPIA) (Art. 35) for high risk

processing : DC

“Processing in particular using new technologies, and taking into account the nature, scope,

context and purposes of the processing, is likely to result in a high risk to the rights and

freedoms of natural persons”

Concept is not yet clear

‒ Supervisory authority must establish and make public a list of the kind of

processing operations which are subject to the DPIA requirement

Also prior consultation of supervisory authority (art. 36)

• Appointment of a Data Protection Officer (“DPO”) (Art. 37-39)

Compulsory

‒ Processing carried out by a public authority or body

‒ Processing operations which require regular and systematic monitoring of data

subjects on a large scale

‒ Processing on a large scale of special categories of sensitive data

Voluntary

Recent guidance from the 29 Article WP

• Notification of personal data breaches (Art. 33-34)

GDPR = very process-driven

2. GDPR: key novelties

12

2. GDPR: key novelties

13

• Significant fines and enforcement:

• Up to 4% of total worldwide annual turnover

• New powers to national DPA’s

• Cooperation and consistency mechanisms between DPA’s

• New European Data Protection Board

• Need for additional guidance by national DPA’s

Introduction

• Balancing different interests

Respect of fundamental rights BUT “escape-clause”

Private (“data subject’s”) rights versus general (“public”) interest

3. GDPR & AML

14

Introduction

• AML 4

Chapter V on Data Protection, Record-Retention (and Statistical Data)

Art. 40 – 43

• Belgian AML Act of 6 July 2017 implementing AML 4 (“Belgian AML Act”)

Art. 60 -65

3. GDPR & AML

15

Attempt for peaceful coexistence

• Art. 41 Directive AML 4

Point 1: “The processing of personal data under this Directive is subject to Directive

95/46/EC, as transposed into national law. […]”

Point 2: “Personal data shall be processed by obliged entities on the basis of this

Directive only for the purposes of the prevention of money laundering and terrorist

financing as referred to in Article 1 and shall not be further processed in a way that is

incompatible with those purposes. The processing of personal data on the basis of this

Directive for any other purposes, such as commercial purposes, shall be prohibited.”

Respect of purpose principle?

3. GDPR & AML

16

Attempt for peaceful coexistence

• Art. 41 Directive AML 4

Point 3: “Obliged entities shall provide new clients with the information required

pursuant to Article 10 of Directive 95/46/EC before establishing a business relationship or

carrying out an occasional transaction. That information shall, in particular, include a

general notice concerning the legal obligations of obliged entities under this Directive to

process personal data for the purposes of the prevention of money laundering and terrorist

financing […]”

Respect of transparency principle?

3. GDPR & AML

17

Attempt for peaceful coexistence

• Art. 41 Directive AML 4

Point 4: “In applying the prohibition of disclosure laid down in Article 39(1), Member

States shall adopt legislative measures restricting, in whole or in part, the data subject's

right of access to personal data relating to him or her to the extent that such partial or

complete restriction constitutes a necessary and proportionate measure in a

democratic society with due regard for the legitimate interests of the person concerned to:

(a) enable the obliged entity or competent national authority to fulfil its tasks

properly for the purposes of this Directive; or

(b) avoid obstructing official or legal inquiries, analyses, investigations or

procedures for the purposes of this Directive and to ensure that the prevention,

investigation and detection of money laundering and terrorist financing is not jeopardised.”

Indirect control by the authority as a remedy

Respect of transparency principle?

3. GDPR & AML

18

Attempt for peaceful coexistence

• Art. 43 Directive AML 4

“The processing of personal data on the basis of this Directive for the purposes of the

prevention of money laundering and terrorist financing as referred to in Article 1 shall be

considered to be a matter of public interest under Directive 95/46/EC.”

Respect of legitimacy and purpose principles ?

3. GDPR & AML

19

Potential frictions and conflicting areas

1) Purpose limitation

Personal data may only be collected for specified, explicit and legitimate purposes and not

further processed in a manner which is incompatible with those purposes (art 5.1.b) GDPR)

• AML 4:

‒ the policy purpose defined is the “fight against money laundering and terrorist financing”

‒ and there are various controllers: authorities in charge of investigating anti-money

laundering, tax evasion, authorities investigating terrorism, FIUs, press and public at

large

• AML 5 : also new policy purpose of “fighting against tax evasion” to be introduced?

There is uncertainty as to the purpose(s) pursued

Are these purposes specific and explicit enough?

3. GDPR & AML

20

BUT

Potential frictions and conflicting areas

2) Proportionality

Digital Right Ireland, ECJ C-293/12 : “Fight against terrorism = public interest”

BUT measure must be proportionate

Data retention

‒ Data retention period of 5 + 5 years after end of business relationship and

obligation to delete data after retention period

‒ Data cannot be kept for longer than necessary for the purposes for which personal

data are processed (art 5.1.e) GDPR)

Access right to the UBO register

‒ Legitimate interest? Necessity to implement differentiated access

3. GDPR & AML

21

BUT

BUT

Potential frictions and conflicting areas

3) Data subjects’ rights

Information obligation / transparency obligation: Art 13 GDPR

Art 65 Belgian AML Act : “De persoon op wie krachtens deze wet de verwerking van de

persoonsgegevens van toepassing is, geniet niet van het recht op […].”

Access right (art 15 GDPR), right to rectification (art 16 GDPR), right to erasure (art 17

GDPR), right to data portability(art 20 GDPR), right to object (art 21 GDPR),

communication of a personal data breach to the data subject (art 34 GDPR)

“Het recht op toegang van de betrokken persoon tot de persoonsgegevens die hem betreffen, wordt

onrechtstreeks uitgeoefend, krachtens artikel 13 van de voornoemde wet van 8 december 1992, bij

de Commissie voor de Bescherming van de Persoonlijke Levenssfeer zoals ingesteld door artikel 23

van dezelfde wet.”

Are the conditions of Art. 23 GDPR on restrictions to data protection rights

met?

3. GDPR & AML

22

BUT

Potential frictions and conflicting areas

4) High risk processing

Art. 35.1 GDPR: “Processing in particular using new technologies, and taking into account

the nature, scope, context and purposes of the processing, is likely to result in a high risk

to the rights and freedoms of natural persons”

Concept is not yet clear

• Art. 35.3 GDPR provides some examples?

• Supervisory authority must establish and make public a list of the kind of processing

operations which are subject to the DPIA requirement

• Advice 24/2017 by the Belgian Privacy Commission (§27): processing for AML/TF

purposes already identified as high risk processing

3. GDPR & AML

23

BUT

Potential frictions and conflicting areas

4) High risk processing

Stricter obligations under the GDPR:

• Appropriate technical and organisational security measures

• Notification of data breaches

• Data Protection Impact Assessment & Prior consultation

• Data Protection Officer

3. GDPR & AML

24

Potential frictions and conflicting areas

5) International intra-group data transfers

Art. 13 § 1 Belgian AML Act: “De onderworpen entiteiten die deel uitmaken van een

groep moeten de op groepsniveau geldende gedragslijnen en procedures ter

voorkoming van WG/FT toepassen, daaronder met name begrepen de gedragslijnen

inzake gegevensbescherming […]”

When transfering of personal data to third countries or international organisations, the

DC and DP must ensure that the level of protection of natural persons guaranteed by

the GDPR is not undermined

– Transfers on the basis of an adequacy decision

– Transfers subject to appropriate safeguards such as approved binding corporate rules and

standard data protection clauses

– Avis n°12/2017 Commission pour la protection de la vie privé

Contested data transfer decision before the ECJ

3. GDPR & AML

25

BUT

• Some examples from practice

• Compliance challenges and opportunities

Being compliant offers a competitive advantage

Increasing enforcement and attention

Corporate reputation is at stake

AML and GDPR compliance & legal teams

‒ have to combine readings of several “transversal” regulations

‒ need to work in close collaboration with other teams (joint AML – GDPR working groups)

‒ AND also take the intersection of Human Rights and Financial Regulations in mind…

4. In practice: points of attention

26

Questions?

27

Sarah De Dijn

Associate – Corporate & Finance

T +32 2 533 53 28

Sarah.DeDijn@Stibbe.com

Carolien Michielsen

Associate – TMT & IP

T +32 2 533 54 56

Carolien.Michielsen@Stibbe.com

Contact details

St ibbe .com

Thank you

29