20.11.2017

Caught between Sanctions and Data Protection—What is a Company to Do?

Practicality Drives Compliance with US Sanctions

Many companies have found themselves in an awkward position with respect to compliance with trade sanctions and data protection legislation. Specifically, I’m talking about US trade sanctions, which companies operating in the EU are not generally obligated to comply with under EU or national law. However, the US has set such a wide scope of application for the sanctions that even if a foreign company has only the slightest link to the US, it may find itself subject to the regulations set in the sanctions. A company is typically subject to US sanctions if its parent company is from the US or it has US employees.

The serious consequences of violating sanctions are a real source of concern in the international business community. When faced with this risk, many companies have decided it’s better to just comply with the sanctions lists. However, this raises another issue—namely, are companies violating privacy and data protection norms by doing so?

Swedish Data Protection Authorities Take a Stand

In Sweden, it looks like the balance between corporate interests and the rights of individuals is tipping in favour of individuals; in other words, privacy considerations are winning out. GE Healthcare Group applied to the Swedish data protection authority for special permission to comply with US sanctions lists. Following the authority’s negative decision, the matter went to trial, and the court also found that the company had no right to comply with the sanctions listings in question, which were deemed in part to also include sensitive personal data.[1] Both the authority and the court acknowledged that the company had a legitimate interest to comply with the US OFAC sanctions, but this interest was not enough to override the protection of the privacy of the individuals put on the list.

Status Unclear in Finland

We haven’t yet seen any comparable cases in Finland. In its national legislation, Finland has committed to the UN’s and EU’s sanctions, so complying with the EU’s sanctions list is compulsory for Finnish companies, but Finnish legislation is silent on compliance with US sanctions. The point of departure for Finnish data protection legislation is that compliance with sanctions should be based on Finnish or EU legislation, not US legislation. Even just processing personal data on the basis of US sanctions legislation could, thus, be deemed to be unjustified and constitute a violation of Finnish data protection regulation.

Companies Caught in the Cross-Current

A quick recap of this regulatory maze is probably in order. Compliance with US sanctions is based only on compliance with US legislation. Through the lens of data protection, the processing of personal data has to be based on proper grounds under Finnish data protection rules, which in the case of sanctions data can be either Finnish or EU legislation. Of course, in the absence of legislative grounds, personal data can also be processed with the explicit consent of the data subject, but this is rarely a practical solution in the case of sanctions checks. Lacking legislative grounds or consent, could there still be a back door that would make compliance with US sanctions possible?

Legitimate Interest?

The new Data Protection Regulation, which will enter into force in May 2018, will make it possible for companies to process personal data in situations where they have a legitimate interest.[2] This is the argument GE Healthcare Group used in its application for an exceptional permit in Sweden. However, at least in Sweden, the decision was that an individual’s privacy is a weightier interest than a company’s obligation to comply with foreign trade sanctions. This being the case, Finnish companies will not be able to automatically rely on ‘legitimate interest’ being magic words giving them the right to comply with US sanctions. The search for a solution must continue.

Statutory Obligation to Identify Business Partners

When even legitimate interest is no help, it’s time to go back to assessing legislative grounds and look for a solution in special legislation. The financial sector applies the Act on the Prevention of Money Laundering and Terrorist Financing, which sets an obligation on companies to identify their clients. The Finnish Financial Supervisory Authority also requires the organisations it supervises to comply with US sanctions. This allows financial sector companies to navigate their way out of the conflict described above. However, the vast majority of companies in Finland do not fall within the scope of this act. Where could we find a similar legal route for them?

In Search of Solutions

For companies that are not subject to the Act on the Prevention of Money Laundering and Terrorist Financing, there is no easy answer at this point, and they will have to keep looking for a way out of the dangerous seas they are in. I would recommend reviewing industry-specific legislation to see if it might provide a solution. The situation would also be made easier by authority guidelines or even a legislative amendment.

To Starboard or Port?

Finnish and other EU companies have found themselves in a thankless position. As things stand now, they have to choose between limiting their business geographically or possibly violating data protection requirements.

Due to the heavy consequences of violating US OFAC sanctions, it is likely that many companies will see breaching data protection rules as the lesser of two evils. However, this state of affairs could be reversed in the near future. The new EU Data Protection Regulation is entering into force next May. It will make it possible for administrative sanctions to be imposed for data protection violations. It would be very important for the authorities to do something to ease the cross-current that companies are facing before May of 2018.

[1] Judgement available in Swedish at http://www.kammarrattenistockholm.domstol.se/Domstolar/kammarrattenistockholm/Domar/Domar%202016/Dom%20i%20m%c3%a5l%20nr%203946–3958-15.pdf.
