AML and Data Protection: a difficult marriage?
26 September 2017
Outline
1. Data protection: current regime
2. GDPR overview & key novelties
3. GDPR and AML
   - Attempt at peaceful coexistence
   - Potential frictions and conflicting areas
4. In practice: points of attention regarding implementation
1. Data Protection: current regime
Core principles
1) Legitimacy
2) Purpose limitation
3) Proportionality
4) Transparency
Rule of thumb: what is the reasonable privacy expectation of the data subject?
1. Data Protection: current regime
Core concepts
- Data subject: natural person whose data is being processed
- Personal data: information relating to an identified or identifiable natural person
- Processing: collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction
- Data controller: determines the purposes and means of the processing
- Data processor: processes personal data on behalf of the controller
1. Data Protection: current regime
Role-based approach: data subject, data controller, data processor
2. GDPR: overview
What is it about?
- General Data Protection Regulation 2016/679: Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC
Why a new Regulation?
- Need to adapt to the digital age
- Direct applicability + uniformity
- Penalties not effective enough
- Need to enhance harmonization
2. GDPR: overview
By when?
- Regulation adopted: 27 April 2016
- Entry into force: 24 May 2016
- 2-year transition period: applicable from 25 May 2018
2. GDPR: key novelties
1) New privacy rights for the data subject
- Transparency (art. 12-13)
- Right to erasure / right to be forgotten (art. 17), cf. the Google Spain case
- Right to data portability (art. 20): the right to receive the personal data which they have provided to a controller, in a structured, commonly used and machine-readable format, and to transmit them to another data controller
  - Applies if the processing is based on (i) consent or (ii) a contract
  - Supports user choice, user control and consumer empowerment
  - Facilitates switching between service providers
  - Recent guidance of the Article 29 Working Party
2. GDPR: key novelties
2) Enhanced responsibilities for the data controller and processor
- Accountability principle (art. 5.2)
- Data protection by design and by default (art. 25), e.g. data minimisation, pseudonymisation
- More responsibilities for the processor (art. 28):
  - Implementation of security measures: DC/DP
  - Record of processing activities: DC/DP
  - Notification of any data breach to the DC
2. GDPR: key novelties
3) Additional operational obligations
- Records of processing activities (art. 30): DC/DP
- Data Protection Impact Assessment (art. 35)
  - High-risk processing: processing, in particular using new technologies, that, taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons
  - The supervisory authority shall establish and make public a list of the kinds of processing operations which are subject to the PIA requirement
  - High risk → prior consultation of the supervisory authority
2. GDPR: key novelties
- Appointment of a Data Protection Officer (DPO) (art. 37-39)
  - Compulsory:
    a. Processing carried out by a public authority or body
    b. Processing operations which require regular and systematic monitoring of data subjects on a large scale
    c. Processing on a large scale of special categories of sensitive data
  - Voluntary
  - Recent guidance from the Article 29 Working Party
- Notification of personal data breaches (art. 33-34)
⇒ GDPR = very process-driven
2. GDPR: key novelties
Significant fines and enforcement
- Fines up to 4% of total worldwide annual turnover
- New powers for national DPAs
- Cooperation and consistency mechanisms between DPAs
- New European Data Protection Board
- Need for additional guidance by national DPAs
3. GDPR & AML: attempt at peaceful coexistence
- Directive AML 4, Recital (42): "Directive 95/46/EC of the European Parliament and of the Council, as transposed into national law, applies to the processing of personal data for the purposes of this Directive [...]"
- Belgian AML Act of 6 July 2017 implementing AML 4 ("Belgian AML Act"), Article 64: "The processing of personal data under this Act is subject to the provisions of the Act of 8 December 1992 on the protection of privacy in relation to the processing of personal data, as well as to those of the directly applicable European regulations."
3. GDPR & AML: attempt at peaceful coexistence
Proposal for Directive AML 5
- Explanatory memorandum:
  - "[...] balancing the need to increase security with the need to protect fundamental rights, including data protection [...]"
  - Consistency with other Union policies: "the proposed amendments to the 4 AMLD are in line with [...] the GDPR"
- Preamble, recital (40): "This Directive respects the fundamental rights and observes the principles recognised by the Charter of Fundamental Rights of the European Union, in particular the rights to respect for private and family life (Article 7 of the Charter), the right to the protection of personal data (Article 8 of the Charter) [...]"
3. GDPR & AML: potential frictions and conflicting areas
1) Purpose limitation
- Personal data may only be collected for specified, explicit and legitimate purposes and not further processed in a manner which is incompatible with those purposes (art. 5.1.b) GDPR)
- Art. 64 § 2 Belgian AML Act: "personal data shall be processed under this Act by obliged entities only for the purposes of preventing ML/TF and shall not be further processed in a manner incompatible with those purposes. The processing of personal data collected on the basis of this Act for any purpose other than that provided for by this Act, in particular for commercial purposes, is prohibited."
- BUT AML 5: new policy purposes, e.g. the fight against tax evasion
- Various controllers: authorities in charge of investigating money laundering and tax evasion, authorities investigating terrorism, FIUs, the press and the public at large
- Uncertainty as to the purpose(s) pursued
3. GDPR & AML: potential frictions and conflicting areas
2) Proportionality
- Digital Rights Ireland case: fight against terrorism = public interest, BUT the measure must be proportionate
- Data retention: data cannot be kept for longer than necessary for the purposes for which the personal data are processed (art. 5.1.e) GDPR), compare EU: 10 years (art. 60 Belgian AML Act)
- Access right to the UBO register: legitimate interest? Necessity to implement differentiated access
3. GDPR & AML: potential frictions and conflicting areas
3) Data subjects' rights
- Information obligation / transparency obligation: art. 13 GDPR; art. 64 § 3 Belgian AML Act: "obliged entities shall provide their clients with the information [...]"
- Access right (art. 15 GDPR), right to rectification (art. 16 GDPR), right to erasure (art. 17 GDPR), right to data portability (art. 20 GDPR), right to object (art. 21 GDPR), communication of a personal data breach to the data subject (art. 34 GDPR)
- Art. 65 Belgian AML Act
- Art. 23 GDPR: are the conditions met?
3. GDPR & AML: potential frictions and conflicting areas
4) High-risk processing
- Processing, in particular using new technologies, that, taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons
- Stricter obligations under the GDPR:
  - Appropriate technical and organisational security measures
  - Notification of data breaches
  - Data Protection Impact Assessment & prior consultation
  - Data Protection Officer
- Opinion 24/2017 of the Privacy Commission: obligation for obliged entities to carry out a data protection impact assessment of their risk-based approach
3. GDPR & AML: potential frictions and conflicting areas
5) International (intra-group) data transfers
- Article 13 § 1 Belgian AML Act: "Obliged entities that are part of a group are required to implement group-wide ML/TF prevention policies and procedures, which include, in particular, data protection policies [...]"
- ECJ Schrems case, C-362, 6 October 2015
- Opinion no. 12/2017 of the Commission for the Protection of Privacy
4. In practice: points of attention
- Compliance: being compliant offers a competitive advantage
- Increasing enforcement: corporate reputation is at stake
- Increased attention to privacy by design
- AML and GDPR compliance / legal teams need to work in close collaboration
Questions?
Contact details
Carol Evrard, Associate TMT/IP
T +32 2 533 57 42, M +32 470 90 81 02
carol.evrard@stibbe.com
Sarah De Dijn, Associate Corporate/Finance
T +32 2 533 53 28, M +32 470 90 60 93
sarah.dedijn@stibbe.com
Thank you
Stibbe.com