ABSTRACT

The General Data Protection Regulation (GDPR) imposes customer-centric regulatory requirements for financial institutions and law firms. This chapter explores the challenges financial crime investigators and litigators alike must navigate to successfully access, process, and transfer data subject to GDPR regulations, as well as the opportunities and limitations presented by available technology. Combating financial crime is undeniably predicated on global interconnectedness and the ability of financial institutions to process GDPR-regulated information. Similarly, litigation often requires sharing personal data subject to GDPR. Practitioners in both disciplines face certain implications. For instance, in the financial crime context, Article 23 suspends the application of data privacy principles when the essence of fundamental rights and freedoms is implicated and when it is necessary to prevent threats to public security. In the discovery context, litigators grapple with the subject’s right to erasure under Article 17, and with when the U.S.-based duty to preserve data is triggered by a reasonable expectation of litigation. The technology implications are universal: using artificial intelligence and machine learning, single data points such as a customer’s name can be automatically scrubbed against hundreds of international watch lists, court cases and other publicly available information and used to build complex connections and profiles. Within the context of GDPR, this raises the following question: does an individual’s consent to sharing a name and other GDPR-protected personal identifiers also extend to having that information amplified in an algorithm to populate, parse and predict potential criminal behavior? This chapter considers when an individual’s right to access may be restricted if a public threat or financial crime nexus is present (i.e., money laundering, fraud, terrorist financing) and how technology can further facilitate the appropriate level of information sharing while still complying with GDPR principles. It also explores conflicts between U.S. discovery rules, Article 15 (Right of Access) and Article 17 (Right to be Forgotten), and finally it reflects upon recent court decisions in the European Union (EU) and U.S. to illustrate how GDPR and increased individual data protection will affect financial crime practitioners and litigators.