20.11.2017

Caught between Sanctions and Data Protection: What is a Company to Do?

Practicality Drives Compliance with US Sanctions

Many companies have found themselves in an awkward position with respect to compliance with trade sanctions and data protection legislation. Specifically, I’m talking about US trade sanctions, which companies operating in the EU are not generally obligated to comply with under EU or national law. However, the US has set such a wide scope of application for the sanctions that even if a foreign company has only the slightest link to the US, it may find itself subject to the regulations set in the sanctions. A company is typically subject to US sanctions if its parent company is from the US or it has US employees.

The serious consequences of violating sanctions are a real source of concern in the international business community. When faced with this risk, many companies have decided it’s better to just comply with the sanctions lists. However, this raises another issue: are companies violating privacy and data protection norms by doing so?

Swedish Data Protection Authorities Take a Stand

In Sweden, it looks like the balance between corporate interests and the rights of individuals is tipping in favour of individuals; in other words, privacy considerations are winning out. GE Healthcare Group applied to the Swedish data protection authority for special permission to comply with US sanctions lists. Following the authority’s negative decision, the matter went to trial, and the court also found that the company had no right to comply with the sanctions listings in question, which were partially deemed to also include sensitive personal data.[1] Both the authority and the court acknowledged that the company had a legitimate interest to comply with the US OFAC sanctions, but this interest was not enough to override the protection of the privacy of the individuals put on the list.

Status Unclear in Finland

We haven’t yet seen any comparable cases in Finland. In its national legislation, Finland has committed to the UN’s and EU’s sanctions, so complying with the EU’s sanctions list is compulsory for Finnish companies, but Finnish legislation is silent on compliance with US sanctions. The point of departure for Finnish data protection legislation is that compliance with sanctions should be based on Finnish or EU legislation, not US legislation. Even just processing personal data on the basis of US sanctions legislation could, thus, be deemed to be unjustified and constitute a violation of Finnish data protection regulation.

Companies Caught in the Cross-Current

A quick recap of this regulatory maze is probably in order. Compliance with US sanctions is based only on compliance with US legislation. Through the lens of data protection, the processing of personal data has to be based on proper grounds under Finnish data protection rules, which in the case of sanctions data can be either Finnish or EU legislation. Of course, in the absence of legislative grounds, personal data can also be processed with the explicit consent of the data subject, but this is rarely a practical solution in the case of sanctions checks. Lacking legislative grounds or consent, could there still be a back door that would make compliance with US sanctions possible?

Legitimate Interest?

The new Data Protection Regulation, which will enter into force in May 2018, will make it possible for companies to process personal data in situations where they have a legitimate interest.[2] This is the argument GE Healthcare Group used in its application for an exceptional permit in Sweden. However, at least in Sweden, the decision was that an individual’s privacy is a weightier interest than a company’s obligation to comply with foreign trade sanctions. This being the case, Finnish companies will not be able to automatically rely on ‘legitimate interest’ being magic words giving them the right to comply with US sanctions. The search for a solution must continue.

Statutory Obligation to Identify Business Partners

When even legitimate interest is no help, it’s time to go back to assessing legislative grounds and look for a solution in special legislation. The financial sector applies the Act on the Prevention of Money Laundering and Terrorist Financing, which sets an obligation on companies to identify their clients. The Finnish Financial Supervisory Authority also requires the organisations it supervises to comply with US sanctions. This allows financial sector companies to navigate their way out of the conflict described above. However, the vast majority of companies in Finland do not fall within the scope of this act. Where could we find a similar legal route for them?

In Search of Solutions

For companies that are not subject to the Act on the Prevention of Money Laundering and Terrorist Financing, there is no easy answer at this point, and they will have to keep looking for a way out of the dangerous seas they are in. I would recommend reviewing industry-specific legislation to see if it might provide a solution. The situation would also be made easier by authority guidelines or even a legislative amendment.

To Starboard or Port?

Finnish and other EU companies have found themselves in a thankless position. As things stand now, they have to choose between limiting their business geographically or possibly violating data protection requirements.

Due to the heavy consequences of violating US OFAC sanctions, it is likely that many companies will see breaching data protection rules as the lesser of two evils. However, this state of affairs could be reversed in the near future. The new EU Data Protection Regulation is entering into force next May. It will make it possible for administrative sanctions to be imposed for data protection violations. It would be very important for the authorities to do something to ease the cross-current that companies are facing before May of 2018.

[1] Judgement available in Swedish at http://www.kammarrattenistockholm.domstol.se/Domstolar/kammarrattenistockholm/Domar/Domar%202016/Dom%20i%20m%c3%a5l%20nr%203946–3958-15.pdf.
