Practicality Drives Compliance with US Sanctions
20.11.2017
Caught between Sanctions and Data Protection— What is a Company to Do?
Many companies have found themselves in an awkward position with respect to compliance with trade sanctions and data protection legislation. Specifically, I’m talking about US trade sanctions, which companies operating in the EU are not generally obligated to comply with under EU or national law. However, the US has set such a wide scope of application for the sanctions that even if a foreign company has only the slightest link to the US, it may find itself subject to the regulations set in the sanctions. A company is typically subject to US sanctions if its parent company is from the US or it has US employees.
The serious consequences of violating sanctions are a real source of concern in the international business community. When faced with this risk, many companies have decided it’s better to just comply with the sanctions lists. However, this raises another issue—namely are companies violating privacy and data protection norms by doing so?
Swedish Data Protection Authorities Take a Stand
In Sweden, it looks like the balance between corporate interests and the rights of individuals is tipping in favour of individuals, in other words, privacy considerations are winning out. GE Healthcare Group applied to the Swedish data protection authority for special permission to comply with US sanctions lists. Following the authority’s negative decision, the matter went to trial, and the court also found that the company had no right to comply with the sanctions listings in question, which were partially deemed to include also sensitive personal data.[1] Both the authority and the court acknowledged that the company had a legitimate interest to comply with the US OFAC sanctions, but this interest was not enough to override the protection of the privacy of the individuals put on the list.
Status Unclear in Finland
We haven’t yet seen any comparable cases in Finland. In its national legislation, Finland has committed to the UN’s and EU’s sanctions, so complying with the EU’s sanctions list is compulsory for Finnish companies, but Finnish legislation is silent on compliance with US sanctions. The point of departure for Finnish data protection legislation is that compliance with sanctions should be based on Finnish or EU legislation, not US legislation. Even just processing personal data on the basis of US sanctions legislation could, thus, be deemed to be unjustified and constitute a violation of Finnish data protection regulation.
Companies Caught in the Cross-Current
A quick recap of this regulatory maze is probably in order. Compliance with US sanctions is based only on compliance with US legislation. Through the lens of data protection, the processing of personal data has to be based on proper grounds under Finnish data protection rules, which in the case of sanctions data can be either Finnish or EU legislation. Of course, in the absence of legislative grounds, personal data can also be processed with the explicit consent of the data subject, but this is rarely a practical solution in the case of sanctions checks. Lacking legislative grounds or consent, could there still be a back door that would make compliance with US sanctions possible.
Legitimate Interest?
The new Data Protection Regulation, which will enter into force in May 2018, will make it possible for companies to process personal data in situations where they have a legitimate interest.[2] This is the argument GE Healthcare Group used in its application for an exceptional permit in Sweden. However, at least in Sweden, the decision was that an individual’s privacy is a weightier interest than a company’s obligation to comply with foreign trade sanctions. This being the case, Finnish companies will not be able to automatically rely on ‘legitimate interest’ being magic words giving them the right to comply with US sanctions. The search for a solution must continue.
Statutory Obligation to Identify Business Partners
When even legitimate interest is no help, it’s time to go back to assessing legislative grounds and look for a solution in special legislation. The financial sector applies the Act on the Prevention of Money Laundering and Terrorist Financing, which sets an obligation on companies to identify their clients. The Finnish Financial Supervisory Authority also requires the organisations it supervises to comply with US sanctions. This allows financial sector companies to navigate their way out of the conflict described above. However, the vast majority of companies in Finland do not fall within the scope of this act. Where could we find a similar legal route for them?
In Search of Solutions
For companies that are not subject to the Act on the Prevention of Money Laundering and Terrorist Financing, there is no easy answer at this point, and they will have to keep looking for a way out of the dangerous seas they are in. I would recommend reviewing industry-specific legislation to see if it might provide a solution. The situation would also be made easier by authority guidelines or even a legislative amendment.
To Starboard or Port?
Finnish and other EU companies have found themselves in a thankless position. As things stand now, they have to choose between limiting their business geographically or possibly violating data protection requirements.
Due to the heavy consequences of violating US OFAC sanctions, it is likely that many companies will see breaching data protection rules as the lesser of two evils. However, this state of affairs could be reversed in the near future. The new EU Data Protection Regulation is entering into force next May. It will make it possible for administrative sanctions to be imposed for data protection violations. It would be very important for the authorities to do something to ease the cross-current that companies are facing before May of 2018.
[1] Judgement available in Swedish at http://www.kammarrattenistockholm.domstol.se/Domstolar/kammarrattenistockholm/Domar/Domar%202016/Dom%20i%20m%c3%a5l%20nr%203946–3958-15.pdf.
Latest insights
Article published 30.3.2026 – Competition & Procurement
Finnish FDI screening under reform — Update following the stakeholder consultation
Article published 3.3.2026 – Employment
The threshold for dismissal is lowered: what should be taken into account in practice?
Article published 2.3.2026 – Environment, Energy & Green Transition
Energy security is a matter of investment and competitiveness
Article published 6.2.2026 – Tax & Structuring
Electricity sector Profit Tax Act in conflict with EU law – SAC denied leave to appeal
Kiti Karvinen, Johanna Kyllöinen & Joachim Wik
Aleksandra Särkelä
Samuli Tarkiainen & Marius af Schultén
Janne Juusela & Mikko Alakare
Latest references
NATO Innovation Fund – Kelluu’s EUR 15 million Series A funding round
We advised the NATO Innovation Fund as lead investor on Kelluu’s EUR 15 million Series A funding round, with participation from Keen Venture Partners, Gungnir Capital, and Tesi. Kelluu is a Finnish deep tech company operating the world’s largest autonomous airship fleet. We advised NIF on this transaction alongside global law firm Latham & Watkins.
Case published 17.4.2026
Nscale – Data centre project
Castrén & Snellman advised Nscale, a European AI infrastructure company, in connection with its planned data centre project in Harjavalta, Finland. The facility will be located in the Sievari industrial area. Castrén & Snellman’s advisory role encompassed the negotiation and execution of a site securing and development agreement (SSDA) with Fortum, as well as the preliminary land sale process for the Sievari site with the Town of Harjavalta. Under the SSDA, Fortum supports the advancement of Nscale’s project development, including grid connection design and permitting.
Case published 15.4.2026
Taaleri – Acquisition of a majority stake in Nordic Science Investments
We are acting as legal adviser to Taaleri Plc on its acquisition of a 51 per cent ownership stake in Nordic Science Investments Oy (NSI), marking Taaleri’s expansion into deeptech-driven venture capital. Through the transaction, Taaleri broadens its private equity offering into early-stage venture capital funds as well as the commercialisation and scaling of research-driven innovations. NSI is a Finnish venture capital fund manager operating across the Nordic and Baltic regions, focusing on early-stage investments in research- and science-based technologies. Its portfolio companies develop, among other things, health technologies, life sciences, advanced materials and AI-driven solutions. In addition to providing growth capital, NSI supports spin-out companies with strategic guidance, access to networks and assistance in building teams during the early phases of business development. NSI’s first fund, the EUR 45 million NSI Nordic Science I Ky, was established in 2024 and has to date invested in 22 early-stage companies in Finland, Sweden and the Baltic countries. Taaleri is a specialist in investments, private asset management and non-life insurance, with a strong position in renewable energy, bioindustry and housing investments as well as credit risk insurance. Taaleri has EUR 2.7 billion of assets under management in its private equity funds, co-investments and single-asset vehicles, employs approximately 130 people and is listed on Nasdaq Helsinki. The founders of NSI will continue in their operational roles following the transaction. The completion of the transaction is subject to approval by the FIN-FSA.
Case published 13.4.2026
Finnish Centre for Pensions – Information design workshop
We delivered two information design workshops for the legal department of the Finnish Centre for Pensions, with participants from both legal and other professional backgrounds. In the sessions, we applied the principles of legal design thinking to the Finnish Centre for Pensions’ field of operation and background materials, also utilising AI as a design tool. The participants found the tailored training highly useful and commended the trainers for their in-depth familiarisation with the Centre’s opinion drafting process and operating environment. As a result of the workshops, our experts proposed a new structural and linguistic model for the legal department of the Finnish Centre for Pensions for drafting opinions and guidelines. The proposal was well received as clear and applicable to the participants’ everyday work. In addition, we presented tailored AI use cases to support experts, allowing for a more efficient AI-assisted way of working. Our experts who delivered the workshops combined their legal expertise with their leading experience in legal design. The participants appreciated this versatile expertise, which enabled a knowledgeable, creative and applied approach to legal writing. ‘C&S created a well-structured training tailored to our needs, providing clear direction for our organisation and concrete takeaways for our experts in their day-to-day work,’ says Mari Kuunvalo, Head Of the Legal Department at the Finnish Centre for Pensions.
Case published 10.4.2026