POPI vs FICA The Practice of Privacy and Anti Money Laundering for global companies and their South African subsidiaries.
David Taylor 0845440044 [email protected] [email protected]
10/2/2012 David Taylor 0845440044 [email protected] [email protected]
• WHO AM I?
• A Lawyer
• Good News – No FEE!
• Legal Disclaimer – This is not legal Advice! NO LIABILITY
• COPYRIGHT – David Taylor
• Not View of T-Systems
• WHO AM I REALLY?
• ICT Lawyer – since 1999
• Admitted Attorney – 1996
• Consultant to various national and international businesses, government and parastatals, SMMEs: NCR, NGB, SAIPA, T-Systems, Vericred, Bankserv, PopCru, PSA, Gijima etc.
• Taught IT law at Unisa 14 years: Ass Prof
• Awards for research and teaching
• Conducted research and a visiting Prof at overseas universities where I taught IT Law
• Visiting professor in IT law Sweden (2010)
• I have published many articles and presented many times at conferences
Government Task team develop South African IPv6 strategy
NGO Director -
CyCaD (Cyberwar Civilian Defence)
Citizen Coalition Against Internet Crime
Steering Committee - Association of Certified Fraud Examiners -Forensic Science Forum (ACFE (SA))
Steering Committee - IT Profession Body (IT Board (SA))
IT Committee (IT Risk and Audit) member (SAIPA)
David Taylor, BA (Wits), BA Hons (Unisa), LLB (Wits), LLM (Unisa), LLM (Stockholm Sweden)
Legal Disclaimer – Not view of T-Systems
• WHO AM I REALLY? - PRIVACY
• NOW – Corporate Lawyer T-Systems
• Data Protection lead on large international Contract Negotiations (R2.58 billion)
• Establish, manage and conduct criminal and misconduct investigations relating to employee, customer, contracts, in particular IT forensic, fraud investigation, ensuring the legal securing and protection of evidence
• Designing and implementing Cyberwarfare training and exercises
• Establish and ensure Data Protection mechanisms in the institution
• Align Privacy with international operations
• Analyse, assess and evaluate computer systems and business activity for legal risk in particular for Data Protection
• Develop strategy and policies in relation to Data Protection
• Negotiate International contracts
• Select and implement technologies that ensure Data Protection
• Draft policies and contracts including for operations in countries outside South Africa
• Conduct and Comply with International Privacy Audits and implement South African audits
• Design and implement training
• 2000 – Involved with the Creation of EU Data Privacy Law Database
• Consulted locally and abroad
• Legal issues, and IT system design and Business model adjustment for legal compliance
• International and multinational consultation e.g. The integration of 7 global SAP HR systems into one, ensuring legal and Privacy Compliance
• Training materials design
Outline
Background to AML
The relationship between AML and DP in the South African Constitutional context
Some issues
CDD
Transborder flows
Tipping off
What does this mean for AML and DP?
Background to AML
Mid 1980s - Growing concern of international community to deprive criminal elements of the proceeds of their crimes.
Money laundering is a process of concealing or disguising the illegality of the origin, nature, source and ownership of funds.
1989 – Financial Action Taskforce (FATF) set up to ensure global action to combat money laundering.
Forty Recommendations - Complete set of counter-measures against money laundering
FATF consists of 33 member countries and two regional organisations
Secrecy laws should not prohibit sharing of information by financial institutions (FI)-(R4)
Anti-money laundering measures require certain disclosures of customer information, data or documents to be made.
QUESTION: does a strict adherence to anti-money laundering measures violate customers’ rights to non-disclosure of information, data or documents?
Data Protection rules and the requirements imposed by AML.
The European Commission’s objectives - a high standard of protection of personal data while preserving the flow of information within the internal market
Constitution of the Republic of South Africa, 1996
14. Privacy
Everyone has the right to privacy, which includes the right not to have
their person or home searched;
their property searched;
their possessions seized; or
the privacy of their communications infringed.
Constitution of the Republic of South Africa, 1996
36. Limitation of rights
The rights in the Bill of Rights may be limited only in terms of law of general application to the extent that the limitation is reasonable and justifiable in an open and democratic society based on human dignity, equality and freedom, taking into account all relevant factors, including
the nature of the right;
the importance of the purpose of the limitation;
the nature and extent of the limitation;
the relation between the limitation and its purpose; and
less restrictive means to achieve the purpose.
Except as provided in subsection (1) or in any other provision of the Constitution, no law may limit any right entrenched in the Bill of Rights.
Constitution of the Republic of South Africa, 1996
PROTECTION OF PERSONAL INFORMATION BILL
PREAMBLE
RECOGNISING THAT—
● section 14 of the Constitution of the Republic of South Africa, 1996, provides that everyone has the right to privacy;
● the right to privacy includes a right to protection against the unlawful collection, retention, dissemination and use of personal information;
● the State must respect, protect, promote and fulfil the rights in the Bill of Rights;
Constitution of the Republic of South Africa, 1996
PROTECTION OF PERSONAL INFORMATION BILL
Saving
5. (1) This Act does not affect the operation of any other legislation that regulates the processing of personal information and is capable of operating concurrently with this Act.
(2) If any other legislation provides for safeguards for the protection of personal information that are more extensive than those set out in the information protection principles, the extensive safeguards prevail.
Constitution of the Republic of South Africa, 1996
PROTECTION OF PERSONAL INFORMATION BILL
Exclusions
4. This Act does not apply to the processing of personal information—
(a) in the course of a purely personal or household activity;
(b) that has been de-identified to the extent that it cannot be re-identified again;
(c) by or on behalf of the State and—
(i) which involves national security, defence or public safety; or
(ii) the purpose of which is the prevention, investigation or proof of offences, the prosecution of offenders or the execution of sentences or security measures, to the extent that adequate safeguards have been established in specific legislation for the protection of such personal information;
Constitution of the Republic of South Africa, 1996
PROTECTION OF PERSONAL INFORMATION BILL
Exclusions
4. This Act does not apply to the processing of personal information—
(d) for exclusively journalistic purposes by responsible parties who are subject to, by virtue of office, employment or profession, a code of ethics that provides adequate safeguards for the protection of personal information;
(e) by Cabinet and its committees, the Executive Council of a province and a Municipal Council of a municipality;
(f) relating to the judicial functions of a court referred to in section 166 of the Constitution; or
(g) that has been exempted from the application of the information protection principles in terms of section 34.
Constitution of the Republic of South Africa, 1996
PROTECTION OF PERSONAL INFORMATION BILL
Exclusions
4. This Act does not apply to the processing of personal information—
(g) that has been exempted from the application of the information protection principles in terms of section 34.
section 34
the Regulator may authorise a responsible party to process personal information, even if that processing is in breach of an information protection principle if the Regulator is satisfied that, in the circumstances of the case—
(i) the public interest in the processing outweighs, to a substantial degree, any interference with the privacy of the data subject that could result from the processing; or
(ii) the processing involves a clear benefit to the data subject or a third party that outweighs, to a substantial degree, any interference with the privacy of the data subject or third party that could result from the processing.
DOES AML FIT IN?
Financial Intelligence Centre Act, 2001 (FICA)
Section 1A. Application of Act when in conflict with other laws
If any conflict, relating to the matters dealt with this Act, arises between this Act and the provisions of any other law existing at the commencement of this Act, save the Constitution, the provisions of this Act prevail.
The PROTECTION OF PERSONAL INFORMATION BILL did not exist at the commencement of FICA, so it is not covered by Section 1A.
But FICA is “Exclusions
[4] 6. (1) This Act does not apply to the processing of personal information—
(c) by or on behalf of [the State] a public body and—
the purpose of which is the prevention, detection, including activities that are aimed at assisting in the identification of the proceeds of unlawful activities and the combating of money laundering activities, investigation or proof of offences, the prosecution of offenders or the execution of sentences or security measures, to the extent that adequate safeguards have been established in [specific] legislation for the protection of such personal information”
What are the safeguards?
FICA 40 Access to information held by Centre
written authority of an authorized officer; or
Centre reasonably believes such information is required to investigate suspected unlawful activity;
FIC entity outside the Republic
What are the safeguards?
FICA 40 Access to information held by Centre
(1) No person is entitled to information held by the Centre, except-
(c) an accountable institution or reporting institution which or any other person who may, at the initiative of the Centre or on written request, be provided with information regarding the steps taken by the Centre in connection with transactions reported by such accountable institution, reporting institution or person, unless the Centre reasonably believes that disclosure to such accountable institution, reporting institution or person of the information requested could-
(i) inhibit the achievement of the Centre's objectives or the performance of its functions, or the achievement of the objectives or the performance of the functions of another organ of state; or
(ii) prejudice the rights of any person;
(d) a supervisory body, which may at the initiative of the Centre or on written request be provided with information which the Centre reasonably believes is relevant to the exercise by that supervisory body of its powers or performance by it of its functions in relation to an accountable institution;
(e) in terms of an order of a court; or
(f) in terms of other national legislation.
Other requirements, e.g. requests in writing, safeguards must be in place, agreement
What are the safeguards?
FICA S41 Protection of confidential information
No person may disclose confidential information held by or obtained from the Centre except-
(a) within the scope of that person's powers and duties in terms of any legislation;
(b) for the purpose of carrying out the provisions of this Act;
(c) with the permission of the Centre;
(d) for the purpose of legal proceedings, including any proceedings before a judge in chambers; or
(e) in terms of an order of court.
AML obligations are broad, with uncertainty on their latitude
Inconsistency at the EU level.
For example, CDD (customer identification and registration) must ensure that only relevant data is processed and not data that is excessive with respect to the “processing” purpose.
The principles are proportionality, need and relevance.
An institution must comply with these principles when carrying out its anti-money laundering obligations. Thus processing of data not expressly indicated in the anti-money laundering legislation remains an open problem.
But AML risk based approach requires
Cross border data flows
Parent companies in other countries: intra-group communications are regulated differently in different countries. Some allow them only if there is a suspicious transaction, others in the ordinary course of business, with or without the customer’s consent. Where they are allowed only when there is a suspicious transaction, consent is not needed.
So personal data can be communicated if
a) done to comply with AML law;
b) data subjects are informed that there is a “possibility that the information concerning the transactions requested by the data subjects, if deemed «suspicious» may be communicated to other intermediaries belonging to the same group”.
Cross border data flows
PROBLEM: foreign correspondent banks, e.g. from the U.S.A. or Liberia, request personal data on clients or on their transactions within the banking group. The U.S.A. bank indicates there is a suspicion of ML. But personal data law requires the consent of the data subject unless a ground for exemption exists. One ground is that consent is not required when the processing “is necessary to fulfill an obligation imposed by law, a regulation or Community legislation”.
But AML creates an exception to data protection allowing departure only to report suspicious transactions.
Cross border data flows
So, clarification is needed:
Does AML require/permit communication to third parties (even if located abroad, and provided it is a country meeting the criteria) of customer information when the underlying reason is countering money laundering?
In particular, must or can this information be given in any circumstance, or only if a report of a suspicious transaction has been made by the bank addressee (European) of the request for information or by the bank requesting the information?
What if the country does not have adequate data protection laws?
FICA 29 Suspicious and unusual transactions
(3) No person who made or must make …. otherwise than-
(a) within the scope of the powers and duties of that person in terms of any legislation;
TIPPING OFF
Notification to Regulator and to data subject
17. (6) It is not necessary for a responsible party to comply with subsection (2) [i.e. Openness] if—
(c) non-compliance is necessary—
(i) to avoid prejudice to the maintenance of the law by any public body, including the prevention, detection, investigation, prosecution and punishment of offences;
Data protection
Do not give data if it would tip off. This does not provide a blanket exemption to subject access obligations for Suspicious Transaction Reports (STRs); each request for information must be considered on its merits. Institutions must consider whether, in the particular case, disclosure of the STR would be likely to prejudice the prevention or detection of crime.
• POPI vs FICA
• Solution??
• DP complex
• Principles not just positive law approach
• Experts need to be Real Experts
• Territorial Sovereignty
• Global Context – underlying economics
Thank you for your attention.