Practicality Drives Compliance with US Sanctions
20.11.2017
Caught between Sanctions and Data Protection— What is a Company to Do?
Many companies have found themselves in an awkward position with respect to compliance with trade sanctions and data protection legislation. Specifically, I’m talking about US trade sanctions, which companies operating in the EU are not generally obligated to comply with under EU or national law. However, the US has set such a wide scope of application for the sanctions that even if a foreign company has only the slightest link to the US, it may find itself subject to the regulations set in the sanctions. A company is typically subject to US sanctions if its parent company is from the US or it has US employees.
The serious consequences of violating sanctions are a real source of concern in the international business community. When faced with this risk, many companies have decided it’s better to just comply with the sanctions lists. However, this raises another issue—namely are companies violating privacy and data protection norms by doing so?
Swedish Data Protection Authorities Take a Stand
In Sweden, it looks like the balance between corporate interests and the rights of individuals is tipping in favour of individuals, in other words, privacy considerations are winning out. GE Healthcare Group applied to the Swedish data protection authority for special permission to comply with US sanctions lists. Following the authority’s negative decision, the matter went to trial, and the court also found that the company had no right to comply with the sanctions listings in question, which were partially deemed to include also sensitive personal data.[1] Both the authority and the court acknowledged that the company had a legitimate interest to comply with the US OFAC sanctions, but this interest was not enough to override the protection of the privacy of the individuals put on the list.
Status Unclear in Finland
We haven’t yet seen any comparable cases in Finland. In its national legislation, Finland has committed to the UN’s and EU’s sanctions, so complying with the EU’s sanctions list is compulsory for Finnish companies, but Finnish legislation is silent on compliance with US sanctions. The point of departure for Finnish data protection legislation is that compliance with sanctions should be based on Finnish or EU legislation, not US legislation. Even just processing personal data on the basis of US sanctions legislation could, thus, be deemed to be unjustified and constitute a violation of Finnish data protection regulation.
Companies Caught in the Cross-Current
A quick recap of this regulatory maze is probably in order. Compliance with US sanctions is based only on compliance with US legislation. Through the lens of data protection, the processing of personal data has to be based on proper grounds under Finnish data protection rules, which in the case of sanctions data can be either Finnish or EU legislation. Of course, in the absence of legislative grounds, personal data can also be processed with the explicit consent of the data subject, but this is rarely a practical solution in the case of sanctions checks. Lacking legislative grounds or consent, could there still be a back door that would make compliance with US sanctions possible.
Legitimate Interest?
The new Data Protection Regulation, which will enter into force in May 2018, will make it possible for companies to process personal data in situations where they have a legitimate interest.[2] This is the argument GE Healthcare Group used in its application for an exceptional permit in Sweden. However, at least in Sweden, the decision was that an individual’s privacy is a weightier interest than a company’s obligation to comply with foreign trade sanctions. This being the case, Finnish companies will not be able to automatically rely on ‘legitimate interest’ being magic words giving them the right to comply with US sanctions. The search for a solution must continue.
Statutory Obligation to Identify Business Partners
When even legitimate interest is no help, it’s time to go back to assessing legislative grounds and look for a solution in special legislation. The financial sector applies the Act on the Prevention of Money Laundering and Terrorist Financing, which sets an obligation on companies to identify their clients. The Finnish Financial Supervisory Authority also requires the organisations it supervises to comply with US sanctions. This allows financial sector companies to navigate their way out of the conflict described above. However, the vast majority of companies in Finland do not fall within the scope of this act. Where could we find a similar legal route for them?
In Search of Solutions
For companies that are not subject to the Act on the Prevention of Money Laundering and Terrorist Financing, there is no easy answer at this point, and they will have to keep looking for a way out of the dangerous seas they are in. I would recommend reviewing industry-specific legislation to see if it might provide a solution. The situation would also be made easier by authority guidelines or even a legislative amendment.
To Starboard or Port?
Finnish and other EU companies have found themselves in a thankless position. As things stand now, they have to choose between limiting their business geographically or possibly violating data protection requirements.
Due to the heavy consequences of violating US OFAC sanctions, it is likely that many companies will see breaching data protection rules as the lesser of two evils. However, this state of affairs could be reversed in the near future. The new EU Data Protection Regulation is entering into force next May. It will make it possible for administrative sanctions to be imposed for data protection violations. It would be very important for the authorities to do something to ease the cross-current that companies are facing before May of 2018.
[1] Judgement available in Swedish at http://www.kammarrattenistockholm.domstol.se/Domstolar/kammarrattenistockholm/Domar/Domar%202016/Dom%20i%20m%c3%a5l%20nr%203946–3958-15.pdf.
Latest insights
Article published 2.12.2025 – Competition & Procurement
Sustainable Procurement: Legislative requirements and practical challenges
Article published 25.11.2025 – Equity Capital Markets
The IPO window is open – How to identify the right time for listing?
Article published 7.11.2025
Stricter penalties under new sanctions violation regulation – corporate fines of up to EUR 40 million
Article published 7.11.2025 – Capital Markets & Public M&A
AIFMD II – implications for alternative investment fund managers in Finland
Laura Vuorinen & Johanna Lähde
Karin Hentunen & Sakari Sedbom
Eveliina Tammela, Janina Ketola & Touko Hakahuhta
Hannu Huotilainen & Freja Väyrynen
Latest references
Ålandsbanken – Consent solicitation process regarding T2 instruments and issue of SEK 350 million AT1 notes
We advised Ålandsbanken Abp in the consent solicitation process regarding its SEK 150,000,000 Tier 2 notes due December 2041 and SEK 200,000,000 Tier 2 notes due March 2043. The terms and conditions of the aforementioned instruments were amended by removing the write-down mechanisms in the consent solicitation process. In addition, we advised Ålandsbanken Abp on the issue of SEK 350 million Additional Tier 1 notes. The notes bear floating interest at the rate of STIBOR three months plus a margin of 3.35 per cent per annum. The AT1 notes were issued on 20 November 2025, and admitted to trading on the official list of Nasdaq Helsinki Ltd. The instrument has no maturity date and qualifies as Additional Tier 1 capital in accordance with the EU Capital Requirements Regulation. The issue strengthens Ålandsbanken’s capital structure by taking advantage of favourable market conditions.
Case published 10.12.2025
SuperOffice – Acquisition of Lyyti
We acted as Finnish counsel to SuperOffice AS, backed by Axcel, in its acquisition of Lyyti Oy from Finnish private equity firm Vaaka Partners and other sellers. Lyyti is a leading event management software company for physical, digital and hybrid events with a strong customer base in Finland, Sweden and France. SuperOffice is a leading provider of customer relationship management (CRM) software for small and medium-sized businesses across Northern Europe. Axcel is a Nordic private equity firm with a focus on technology, business services and industrials, healthcare, and consumer sectors.
Case published 9.12.2025
Life Finland – Administration of bankruptcy estate
Life Finland Oy, a retailer of natural products, other health-related products and cosmetics, filed for bankruptcy on its own initiative in June 2025, and our attorney, counsel Elina Pesonen was appointed administrator of the bankruptcy estate. Life Finland Oy was part of the international Life Group, and its parent company Life Europe AB was declared bankrupt in Sweden in June 2025. When declared bankrupt, Life Finland Oy had over 30 operational stores and almost 170 employees across Finland. In addition to the premises of the operational stores, the company had several other leased premises, such as retail premises it was vacating as well as office and warehouse spaces. The bankruptcy estate organised clearance sales in all of the company’s stores. The shutdown of the stores and the clearance sales were efficiently carried out in approximately two weeks in cooperation with the company’s country manager, regional managers and sales staff. The clearance sales yielded a significant liquidation result, and consumers bought nearly the entire inventory. The administration of the bankruptcy estate has required expertise in many areas. The proceedings have dealt with specialised issues such as cash pooling arrangements, intellectual property, franchising agreements, employment relationships and consumer creditors. In addition, the proceedings are notably international, as the estate administrator has organised the shutdown of operations and the liquidation of assets in close cooperation with the estate administrators of the Swedish Group companies. The cooperation has included, among other things, exploring opportunities for selling the business, the sale of intangible rights and the coordination of intra-group agreements.
Case published 9.12.2025
General Catalyst – ICEYE’s USD 150 Million Series E Funding Round
We advised General Catalyst as lead investor on ICEYE’s EUR 150 million series E funding round, valuing the company at EUR 2.4 billion. ICEYE is the world leader in synthetic aperture radar (SAR) satellite systems and operates the largest SAR constellation globally. Its technology delivers objective, near real-time Earth observation in any weather or light conditions, enabling governments and institutions to manage risks and respond faster. General Catalyst is a global investment and transformation company, partnering with leading entrepreneurs to build toward global resiliency and applied AI. Its portfolio includes companies such as Airbnb, Snap, Stripe, Mistral AI, Hubspot, Anduril, Helsing and Legora. We advised General Catalyst on this transaction in collaboration with the US law firm Goodwin.
Case published 8.12.2025