Disclosing personal data – new protections for regulated sector firms?
New protections are being proposed in the UK to allow regulated sector firms to share information regarding suspicions relating to money laundering and terrorist financing, in circumstances where law enforcement has been notified. Regulated sector firms are financial gatekeepers and greater sharing of information between these firms and law enforcement should bolster the existing anti-money laundering and counter-terrorist financing regime. The fact that this change is necessary also highlights the problems that exist for regulated sector firms when a law enforcement agency makes a non-binding request for personal data to be shared, and calls into question the legality of disclosures falling outside the new proposed measures.
On 13 October 2016, the Criminal Finances Bill 2016 (the "Bill") had its first reading in the House of Commons. According to a Home Office announcement, the aim of the Bill is to "significantly improve the government's ability to: tackle money laundering and corruption; recover the proceeds of crime; and counter terrorist financing". The government intends to achieve these aims by "transforming the relationship between public and private sectors" by making it easier for financial gatekeepers, in the form of regulated sector firms, to share information surrounding suspicious activities.
The Bill makes a number of proposals, including allowing the sharing of information within the regulated sector, regarding suspicions of money laundering or in relation to terrorist financing, where a notification has been made to law enforcement.
The proposals to improve information sharing between the public and private sectors build on the success of the Joint Money Laundering Intelligence Taskforce ("JMLIT"), which is a partnership between law enforcement and financial institutions. JMLIT is designed to provide a collaborative response to ensure the cleanliness of UK financial markets. The operations group of JMLIT is intended to assist both banks and law enforcement in filling intelligence gaps where suspected money laundering crosses multiple financial institutions.
The proposals could allow the submission of suspicious activity reports ("SARs") which bring together information from multiple reporters into a single "super SAR" which provides consolidated intelligence to law enforcement.
Existing restrictions on disclosures of personal data
A key difficulty in disclosing information about any suspected unlawful activity is that, to the extent that the information relates to any identifiable individuals, that information will be "personal data", and will be subject to the Data Protection Act 1998 (the "1998 Act"). Under the 1998 Act, it is unlawful to disclose personal data to third parties without a valid legal basis for doing so. There are additional restrictions on the disclosure of "sensitive personal data" (a category that includes information about actual or alleged criminal offences).
If a business is subject to a binding legal obligation to disclose personal data (e.g., a warrant, a court order or an information notice), that obligation may provide a legal basis for the disclosure (on the grounds that the disclosure is necessary for compliance with applicable law). However, where a law enforcement agency or another regulated sector firm asks a firm to disclose personal data, and that request does not have the force of law, the "compliance with law" legal basis clearly does not apply, and often there is no other legal basis available. Guidance from the UK Information Commissioner's Office suggests that in some cases exemptions may cover disclosures to law enforcement agencies that are necessary for the detection and prevention of crime, or the administration of justice, but those exemptions only apply in certain cases. Regulated sector firms that receive an informal request from law enforcement, or from another firm, are often placed in the difficult position of having to either comply with the request, comply with the 1998 Act, or ask law enforcement to seek a court order or use any applicable compulsory powers.
In terms of disclosing information to the National Crime Agency ("NCA") beyond a SAR, a business can seek to rely on the existing information sharing gateway under the Crime and Courts Act 2013. Similarly, this Act provides the NCA with a gateway to disclose information. These gateways underpin JMLIT's current operations. However, strictly speaking, the information sharing gateway under the Crime and Courts Act 2013 does not impose a legal obligation to share information (and therefore does not give rise to the "compliance with law" legal basis for processing personal data). Some of the regulated sector firms which are members of JMLIT appear to have been concerned that the use of these gateways requires a constructive reading and use of the Crime and Courts Act 2013. While the explanatory notes to the Bill assert that existing data protection legislation allows for the sharing of information for the prevention and detection of crime (noted above), the explanatory notes also state that "regulated companies are concerned that there should be express legal cover that is directly related to the anti-money laundering regime, in order to reduce the risk of civil litigation for breach of confidentiality." The Bill is intended to address these concerns and facilitate the exchange of information between the private regulated sector and the public sector.
Changes proposed in the Bill
The Bill will, among other things, create a new legal basis under the 1998 Act, to permit businesses to lawfully disclose personal data (including sensitive personal data) in connection with changes that the Bill introduces to the Proceeds of Crime Act 2002 ("POCA"), and the Terrorism Act 2000 ("TACT"). This will enable businesses to disclose personal data in response to requests made under the relevant sections of POCA and TACT. These new provisions would apply to cases in which regulated sector businesses are asked by the NCA or another regulated sector firm to provide information in connection with suspicions that a person is engaged in money laundering or terrorist financing.
Impact on businesses
The amendments set out in the Bill are a positive development for any business that receives a request to share information under the relevant sections of POCA or TACT, because, in relevant circumstances, the changes will permit such a business to disclose personal data (including sensitive personal data) without breaching the 1998 Act.
However, the changes proposed in the Bill raise two interesting points:
- First, the fact that the government has included in the Bill specific amendments to the 1998 Act indicates that it has conceded that those amendments are necessary, and the existing regime may be lacking. This emphasises the fact that there is currently no express general legal basis for the sharing of personal data in response to an informal request from law enforcement or another regulated sector firm.
- Second, the changes to the 1998 Act that are introduced by the Bill are extremely narrow – they cover only a very limited category of disclosures that are made under the new provisions inserted into POCA and TACT by the Bill. The new legal basis created by the Bill does not cover requests made by law enforcement in general to share personal data. This strongly suggests that, for informal requests from law enforcement that fall outside these narrow grounds, businesses may continue to be faced with a choice between complying with such informal requests, complying with the 1998 Act, or requesting that they are served with a court order or compulsory information notice.
It is also important to note that the 1998 Act has a fixed shelf-life. On 25 May 2018, the 1998 Act will in effect be replaced by Regulation (EU) 2016/679 (the "General Data Protection Regulation" or "GDPR"). It remains to be seen what precise steps the UK will take to implement the GDPR, and how that implementation will account for the changes proposed in the Bill. Regulated sector firms should continue to keep a close eye on developments in this area. Additional guidance on the GDPR is available in the form of White & Case's in-depth GDPR Handbook.
Victoria Speers, a Trainee Solicitor at White & Case, assisted in the development of this publication.
© 2016 White & Case LLP