Multinational organizations subject to privacy laws, such as the EU General Data Protection Regulation, are sometimes also subject to seemingly conflicting trade law.
One area of U.S. trade law requires that before exporting certain products or technologies, companies screen against U.S. sanctions lists to prevent the goods from being available to states or individuals deemed bad actors. The lists often contain sensitive information, including personal data relating to suspected or confirmed criminal liability.
It can be challenging to justify the screenings under the GDPR, which furthers a historical tension between EU privacy law and U.S. export control law. This tension has received little attention in practice, but a decision by the Swedish data protection authority (link in Swedish) offers a path to complying with both the U.S. screening requirements and Swedish privacy law.
Key GDPR provisions relevant to screenings and supplemental Swedish law
Under frank mckenna on Unsplash
