Conflict & Challenges between GDPR and Travel Rule:
In the previous article, we highlighted the likely impact of the Travel Rule and, specifically, the serious issues and challenges that its implementation poses to VASPs. To recap, some of the issues include:
- owner/controller identification and screening of wallet addresses;
- how to associate customers’ personally identifiable information (“PII”) with each value transfer or virtual asset transfer (“VA transfers”), i.e. form, standards and method used;
- identification of the VASP receiving the VA transfer, and whether it is a regulated VASP or a foreign VASP from a third country; and
- how to share such PII, immediately and securely with the identified VASP.
In the circumstances, it is difficult to see how VASPs can implement the Travel Rule without affecting the VA transfer process and adding significantly to the cost of regulatory compliance, since they will potentially have to navigate the vast array of AML/CFT approaches in different countries.
In recent years, concerns about digital threats to individual privacy have been growing more acute. From high-profile data breaches to hacks and intrusions into security systems (e.g. hijacked security cameras), there has been a steady increase in the scale and volume of privacy-related incidents. Driven by a global pandemic, this concern is now exacerbated by the surveillance powers exercised by governments worldwide. From the news of data breaches worldwide, it is clear that not even governments or financial institutions are immune from such threats and risks.
This further increases the public clamour for more privacy and better protection of personal data. It is now juxtaposed against the Travel Rule requirement to share PII with counterpart VASPs located in countries across the globe, where data protection may be neither as robust nor as stringent.
EU’s General Data Protection Regulation (“GDPR”)
The GDPR is considered to be the toughest privacy and data protection law in the world. Notwithstanding that it was passed by the European Union (EU), it imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU.
Failure to comply with GDPR can result in a fine. In May 2019, a fine of €50m was issued to Google, after French data protection watchdog, CNIL, decided that the search engine giant was breaking GDPR rules around transparency and not having a valid legal basis when processing people’s data for advertising purposes. Prior to Google’s fine, the largest GDPR penalty stood at €400,000 when a Portuguese hospital was fined for ‘deficient’ account management practices.
Accordingly, given the extraterritorial application of the GDPR, any VASP that markets its services to EU data subjects, even without a presence in the EU, will be required to comply with the GDPR. Given the harsh fines imposed on violators of GDPR privacy standards, it is important for any VASP to consider whether complying with the Travel Rule could cause a breach of the GDPR or of any other country’s data protection legislation.
Areas of potential conflict
For VASPs that collect or process EU citizens’ data and are accordingly bound by the GDPR, it is imperative to have a GDPR compliance strategy that ensures PII is gathered under a valid legal basis and under strict conditions, that the data collected is managed and protected from misuse and exploitation, and that the rights of the data subjects are respected.
As the Travel Rule requires PII to be shared with the other VASP to a VA transfer, which may be located across a border, the primary concern is the sharing of personal data with foreign VASPs that may have varying levels of security standards, as well as different levels of AML/CFT requirements, enforceability and data protection. VASPs should be mindful of the risks that can result from sharing their customers’ PII with VASPs located in countries that have weak privacy and data protection rules.
Additionally, there is no assurance that the PII transferred will be fully protected, especially where the receiving VASP is not subject to equally stringent privacy and data protection laws. With divergent standards and the potential for jurisdictional arbitrage, such weak links provide ideal opportunities for bad actors to exploit. Some of the other problematic areas are summed up below.
1. Data Controller/Processor Categorization
Any entity responsible for sending or receiving PII will be considered a data controller under the GDPR. In the context of the Travel Rule, will the service providers facilitating the data sharing be considered the data controller, or a joint controller with the VASP?
The answer depends on the respective roles and responsibilities of the VASPs and the Travel Rule service providers. Where a service provider merely provides a transmission service without collecting, accessing or retaining any of the VASPs’ customer data, a cogent argument can be made that the service provider is not a controller, because it neither determines the purpose for which the personal data is used nor has any control over the content of the personal data it transmits. In that context, the VASP sending the PII will be the data controller responsible for the data being transmitted, and the service provider would be considered a processor. Clearly, whether a Travel Rule service provider is a data controller or a data processor is a question of fact; once established, the determination should be made transparent and clear to the public, as this important distinction entails a different set of obligations and responsibilities for each role.
Under Singapore’s PDPA, a similar analysis can be made. Unless the service provider retains, accesses or collects personal data of the ultimate originator and beneficiary, the service provider cannot be said to be processing data on behalf of the sending VASP. If it does, however, then the service provider is required, as a data intermediary, to take measures to protect the personal data it retains.
2. Requirement for Lawful Basis when processing Personal Data
It is important to note that even if a foreign law validates a VASP’s obligation to collect and transfer personal data under the Travel Rule, if EU law has not implemented such a rule, then the foreign law requirement by itself will not provide a valid legal basis under the GDPR (Article 6(1)(a)-(f)).
Processing under the GDPR is generally only lawful if, and to the extent that, at least one lawful basis under Article 6(1)(a)-(f) applies. The most relevant bases here are the consent of the data subject and necessity for the performance of a contract to which the data subject is a party. Legal compliance under Article 6(1)(c) only extends to compliance obligations within EU law, and even if regulatory obligations under foreign law may constitute a ‘legitimate interest’ under Article 6(1)(f), other factors, such as the competing interests of the VASP and the data subject, merit consideration and must be weighed case by case before a lawful basis is determined and relied upon.
In the circumstances, and as long as the EU or its Member States have not implemented FATF’s Travel Rule, it is unlikely that data controllers can justify processing on the basis of compliance with their own local travel rule requirements. VASPs acting as controllers under the GDPR may therefore be well advised to consider carefully which legal basis applies to their processing of PII, e.g. whether they can justify such processing on the basis of legitimate interests, consent or contractual fulfilment.
Considering the ‘teething’ or ‘sunrise’ problems prevalent when establishing compliance with the Travel Rule, and that countries have yet to adopt FATF’s Travel Rule recommendations into national law, establishing a legal basis for the data transfer accompanying a VA transfer may pose a serious challenge. Without legal justification, the sending or receiving VASP may lack a sufficient legal basis for processing the personal data and face significant difficulty effecting the data transfer without inviting possible sanctions.
3. Transfer of Personal Data to Foreign VASPs Based In Third-Countries
Given the borderless nature of VA transfers, Article 44 of the GDPR is directly relevant: it prohibits cross-border personal data transfers unless measures are in place to secure the personal data. Controllers responsible for personal data do not need to implement any other measures where the transfer is made to a country that the EU Commission considers to have a level of data protection similar to the GDPR (Adequacy Decision, Article 45 GDPR). Controllers can also rely on appropriate safeguards as defined in Article 46 GDPR. One such safeguard is the standard data protection clauses (SCCs) adopted by the EU Commission, which would require foreign VASPs to agree to be contractually bound to specific obligations, even though they may not be legally required to do so under their domestic laws.
On 16 July 2020, the EU Court of Justice (“CJEU”) delivered its landmark ruling in the Schrems II case, which essentially invalidated the EU-US Privacy Shield data transfer mechanism that had previously been a valid Adequacy Decision under Article 45 GDPR. The complainant, Mr. Max Schrems, argued that Facebook Ireland Ltd. transferred his personal data to US-based Facebook Inc. and that his data was processed without his consent. He further alleged that the jurisdiction to which his data was transferred had broad surveillance laws that conflict with EU privacy laws.
The CJEU also examined the EU Commission’s SCCs and agreed that they provide an effective mechanism to ensure the level of protection required by the GDPR. The court reached this result because the SCCs oblige the data exporter (sender) and data importer (recipient) to assess and verify, prior to any cross-border transfer, whether the level of protection required by the GDPR is respected in the third country concerned. The contractual obligation further requires the data importer to inform the data exporter of any inability to comply with the SCCs. If so informed, the data exporter is obliged to suspend the transfer of data and/or terminate the contract with the data importer. Accordingly, the CJEU held that there can be cases in which the SCCs alone will not grant an adequate level of protection and therefore do not provide a valid basis for a data transfer. Naturally, SCCs do not affect the surveillance powers of third-country intelligence agencies. Schrems II thus gave rise to uncertainty and suggests that merely incorporating SCCs, without an equivalent assessment of the recipient jurisdiction, will not provide a sufficient basis for transferring data to third countries.
Transferring data to third countries may still be possible under Article 49 GDPR, which stipulates that for cross-border transfers of PII in the performance of the contract between the VASP and its customers, the risk must be explained to, and consent obtained from, the individual data subject. Article 49(1)(a) and (g) GDPR prescribe some of the derogations or bases pursuant to which data may be transferred. However, the European Data Protection Board (“EDPB”) has stated in its Schrems II FAQ that the derogations may only be effective when the transfer of personal data is occasional or objectively necessary for the performance of the contract. Consequently, data transfers cannot take place on a large scale and in a systematic fashion. Ultimately, the derogations in Article 49 GDPR are unlikely to become the default ‘rule’ in practice. They need to be restricted to specific situations, and any cross-border transfer of personal data must meet the strict necessity test.
With the Schrems II ruling and the EU Commission’s pronouncement, any VASP complying with the Travel Rule may find itself in a very difficult situation. It must not only establish a legal basis for the data transfer, but also undertake the daunting legal exercise of determining whether the local laws of the third country afford a level of data protection equivalent to that under the GDPR, and whether EU data subjects have enforceable rights and effective legal remedies available there. Should the GDPR-bound VASP, as data exporter, find that the third country in which the foreign VASP is resident, outside the EU, does not provide a level of protection equivalent to that afforded by the GDPR, it is prohibited from making such transfers.
This leaves such GDPR-bound VASPs in an impossible predicament of having to comply with FATF’s Travel Rule while simultaneously violating GDPR, or vice versa.
Similar to Article 44 GDPR, Section 26(1) of Singapore’s PDPA 2012 equally restricts an organisation from transferring any personal data to a country outside Singapore unless the foreign VASP is willing to be bound by a standard of protection comparable to that prescribed under the PDPA, and requires individual consent to be obtained under Regulations 9 and 10 of the Personal Data Protection Regulations 2014.
Accordingly, both Article 44 GDPR and Section 26(1) PDPA are examples of legislation that could challenge the validity of cross-border transfers of personal data to a third country, raising challenges for VASPs bound by the GDPR or the PDPA in implementing the Travel Rule. Other countries may adopt differing privacy and data protection rules, creating further challenges for VASPs, as the data security measures adopted by a foreign VASP may not be ‘appropriate’ or ‘comparable’ to those under the GDPR or PDPA.
Conclusion — Striking a Balance
It is clear that the requirements of the GDPR and the Travel Rule are at odds, and huge challenges exist in overcoming this obstacle. A case-by-case analysis is necessary that weighs the interest of the VASP in processing the data on the one hand against the data subject’s interest in privacy on the other.
Since all VASPs will need to collaborate with one another on a predetermined set of global rules, with a level of data security and privacy measures agreed by all VASPs and met by all stakeholders, these obstacles can only be overcome through more open dialogue between FATF, regulatory authorities and VASPs. A pragmatic compromise is necessary to find feasible solutions that strike a balance between the competing interests of guarded disclosure to mitigate AML/CFT risk and the privacy rights of citizens.
It will take some work to ensure that there is a lawful basis for processing personal data without compromising the revolutionary benefits that make virtual assets so attractive to so many. The battle over the future of online privacy — and therefore the nature of the internet itself — is coming to a head and will be contested in the spheres of law and programming processes. Technological innovation could form part of the solution: strengthening data processes with robust and resilient privacy solutions, via end-to-end encryption and decentralisation, will enhance data protection and, accordingly, privacy.
As demand for privacy and protection of personal data increases, and the debate between regulatory disclosure and individual privacy rages on, the answer may lie in balancing these competing interests, specifically at the intersection of law and technology.
In the words of Andrus Ansip, vice-president for the Digital Single Market, speaking when the reforms were agreed in December 2015:
The digital future of Europe can only be built on trust. With solid common standards for data protection, people can be sure they are in control of their personal information.
Such a statement of trust and dialogue may prove true not only in the context of Europe, but also the world. Only through effective engagement amongst stakeholders can we find a viable solution that achieves the objectives of the various pieces of legislation and builds a platform of transparency and trust.