Privacy Tracker | Reconciling US export control law and Swedish privacy law

Multinational organizations subject to privacy laws, such as the EU General Data Protection Regulation, are sometimes also subject to seemingly conflicting trade law.

One area of U.S. trade law requires that before exporting certain products or technologies, companies screen against U.S. sanctions lists to prevent the goods from being available to states or individuals deemed bad actors. The lists often contain sensitive information, including personal data relating to suspected or confirmed criminal liability.

It can be challenging to justify the screenings under the GDPR, which adds to a long-standing tension between EU privacy law and U.S. export control law. This tension has received little attention in practice, but a decision by the Swedish data protection authority (link in Swedish) offers a path to complying with both the U.S. screening requirements and Swedish privacy law.

Key GDPR provisions relevant to screenings and supplemental Swedish law

Under Article 10 of the GDPR, processing personal data relating to criminal convictions and offenses or related security measures based on Article 6(1) of the GDPR shall be carried out only under the control of official authority or when the processing is authorized by EU or EU member state law providing for appropriate safeguards for the rights and freedoms of data subjects. This is one example of where the GDPR contains a so-called opening clause, allowing for supplemental national legislation by authorizing processing of personal data when authorized by member state law. Under Swedish law, it is possible for private companies to apply to the Swedish data protection authority, the Datainspektionen, for a permit to process personal data relating to criminal convictions and offenses, a key type of personal data processed in connection with sanctions screenings. For private companies to process such personal data (if not required to do so under EU or Swedish law), they must hold such a permit in order not to be in breach of the GDPR and the Swedish supplementary Data Protection Act.

The Swedish Security and Defence Industry Association decision

The Datainspektionen granted such a permit to the Swedish Security and Defence Industry Association, which applied for it on behalf of its member companies. The decision identifies which sanctions lists the permit covers, such as the Specially Designated Nationals and Blocked Persons List and the Consolidated Sanctions List, and which member companies are free to screen against them without breaching the GDPR; this was in line with the application.

In its decision, the Swedish DPA considered the sizable fines Swedish companies would face in case of noncompliance with U.S. requirements, the risk of losing export licenses and the risk of the company itself becoming listed on a sanctions list. If a company loses its export licenses and, consequently, the right to buy American products and technology, it may not be able to fulfill its contractual obligations, which, in the long term, could result in a lack of supply to the Swedish military, so that the Swedish government could no longer secure access to certain products.

Against this background, the companies were considered to have a legitimate interest under Article 6(1)(f) of the GDPR to conduct the processing necessary in connection with the screenings. The privacy concerns of the individuals were deemed limited because the lists are published by U.S. authorities and publicly accessible on the internet, and the companies were considered to have methods in place to prevent conflating individuals who have the same or a similar name as a name appearing on a list. The decision presumes the companies will otherwise comply with applicable data protection law and, for example, provide advance notice to the data subject that their personal data will be processed in connection with the screenings; the permit could be revoked if it turns out the companies are not otherwise processing the personal data in accordance with the GDPR.

There is no prescribed form for applying for this kind of permit from the Swedish DPA, but it is safe to say the application should be thoroughly elaborated and motivated. It should also be noted that under Swedish law, public documents, which the application materials would constitute, can generally be accessed by anyone who requests them unless they are subject to secrecy, which is decided on a case-by-case basis by the authority at hand.

It remains to be seen whether the tension between U.S. export control law and EU privacy law will receive the same attention in other EU member states as it has in Sweden, and whether more companies in Sweden will use this path of applying for a permit for their screening practices.

2 Comments

  • Axel Kessler • Feb 21, 2020
    I do not see a criminal conviction which triggers Art. 10 GDPR here. Being on a sanction list is somewhat different to a criminal conviction.
  • Annie Bai • May 25, 2022
    I found this helpful as a follow-up to the compliance challenge described in https://www.law.kuleuven.be/citip/blog/caught-between-data-protection-and-trade-sanctions/