According to Magnus Silfverberg, CEO of Bisnode Group, Companies Risk Hefty Fines, No Matter What They Do:
Companies are being forced to choose between risking hefty fines for violating sanction laws or risking equally hefty fines for GDPR breaches. The solution is simple. Make sanction lists exempt! The US and the EU have lists of countries, companies, organizations, and individuals with which it is illegal to do business. These lists are called sanction lists. Laws and lists are important tools in the fight against money laundering, terrorism, and other international crime.
Anyone who breaks international sanction law risks hefty fines. Yet those who want to ensure that they are doing the right thing and who store and process data on people on the sanction lists risk breaching the GDPR and incurring huge fines. Companies are being forced to weigh the risk of violating sanction lists against the risk of breaching the GDPR.
Exemption from GDPR
Last year GE Health Care Group asked the Swedish Data Protection Authority for an exemption from the GDPR in order to process sanction lists. However, since sanction lists can contain personal data from criminal records, the answer was “no” as the processing of such data is prohibited. The matter was raised with the administrative court of Stockholm, which also said “no”.
It is not as though personal data in the sanction lists remains secret or even difficult to access if companies are forbidden from processing it. The lists are published online for anyone to look at. From a legislator’s perspective, the problem is that the personal data in the lists will have been processed without the consent of those to whom it relates.
Impossible to do the right thing
Companies are clearly faced with an unreasonable choice. It’s impossible to do the right thing without some sort of manual reconciliation. You have to sit and check off your potential business contacts against a list as long as a telephone directory. In what way this benefits the privacy of the people on the list is unclear.
The consequence of this is that companies are discouraged from doing business outside of the EU and the US. This is especially true for small and medium-sized businesses offering products and skills that are in demand in developing countries.
What is worth protecting the most
Recital 4 of the GDPR clearly states that the right to privacy is not an “absolute right”. It must be weighed against other fundamental rights and obligations, and the central functions of a functioning constitutional state. Ultimately, we reach the point where we have to decide, based on risk, what is worth protecting the most – the privacy of an individual in terms of data on crime, or the company’s interests in its obligations to assist in the fight against terrorism and money laundering.
Something has to be done. Although there’s no doubting that personal privacy must be taken into account in addressing money laundering, my view is that the fight against terrorism and serious crime outweighs the terrorists’ need for privacy.
In my opinion, the solution is simple. Legislators must make a clearer exemption in the GDPR so that companies can legally store and process the content of sanction lists without running the risk of breaching the GDPR. They can rely on data and analysis companies like Bisnode to ensure that any such processing is done securely.
Magnus took over as CEO of Bisnode Group in the summer of 2015. Most recently he had worked at the Betsson Group, where he led a huge period of growth and increased the company’s market share significantly. The betting industry is heavily data-driven, which gives Magnus a unique insight into the possibilities of Bisnode’s offering. In addition to a long career in sales, management and business development, he has a Master of Science in Economics from the Stockholm School of Economics and an MBA from INSEAD Business School in France.
Source: Bisnode Group
BIIA Editorial Comment: Bravo! We applaud Magnus Silfverberg for raising this ‘Catch-22’ situation in public.