Today is “Data Protection Day” (or for friends outside the EU, “Data Privacy Day”).
And before you think - great, that sounds about as exciting as “National Toothache Day” or “International Observe the Moon Night” - let me tell you why I really feel this matters.
In an increasingly digital world, people have never had so much of their personally identifiable information (PII) collected and stored. When it’s stored insecurely the results can be disastrous. Just ask over 500m customers of Chinese tech giant Sina Weibo who had their names, locations - and in many cases mobile phone numbers - hacked and sold on the dark web; or 50,000 Australians whose driver’s licenses are probably now being used to open fraudulent online bank accounts across a host of financial institutions.
Data storage is one thing, but it also matters immensely what people do with your data: what rights they have to access it, and for what reasons they do so. And that’s where it can really get messy.
In Europe, data protection is an area of particular recent focus - hence the 2018 implementation of the landmark General Data Protection Regulation (GDPR). A really important body of regulation, the GDPR effectively standardises data protection practices across the EU, replacing a patchwork quilt of national level measures that offered citizens inconsistent protections.
“Hurray, more regulation. And more headaches for my company.” Sadly, this is the response that, even in the world of crime-fighting, you hear too often. For many focused on anti-money laundering and counter-terrorism financing (AML/CTF) the attitude can be that this is “more important work”, and that the GDPR is just another fresh obstacle - something you put up with, but only because you have to.
But why should crime-fighting and data protection be seen as some kind of “either/or”?
The legal complexities
Taking off my data protection enthusiast’s hat and pulling out my lawyer’s magnifying glass, if we look at EU legislation, then yes: there can be a tension between a citizen’s “right” to the protection of personal data (Article 8 of the EU Charter), and the “objective of general interest” of AML/CTF legislation (as recognised by the European Court of Justice) to help prioritise the pursuit of criminals. But to conclude that this means the two sets of regulations are incompatible, or worse irreconcilable, is a big mistake.
As is so often the case with law, interpretation becomes critical. Put very simply: if you’re looking for roadblocks, you’ll find them. But if you are determined to find a way to successfully achieve both outcomes, you absolutely can.
At Salv, we did some long thinking about this. How to flip a negative into a positive. How to shift from the current paradigm of thinking - data protection as an obstacle in the way of crime-fighting - to something much better. So we started wondering: is there a way in which GDPR regulation can actively help us to more effectively meet our AML/CTF goals?
And the good news is: there is! Without bombarding you with all the law books again - it all hinges on my old friend, Article 52 of the EU Charter, and the concept of “proportionality”. Proportionality gives us the legal basis to reconcile seemingly contradictory legislations - a way to strike a balance between a citizen’s rights to data protection, and a financial institution’s obligations to pursue financial crime.
As anyone working in data protection will tell you, lawyers love to find objections. And treating PII as an inalienable right is a pretty good argument. But by pleading the case of “proportionality”, as long as you can demonstrate that the secure sharing of PII is necessary in the pursuit of criminals (and you work proactively with your customers to encourage informed consent), then Article 52 gives you the sound legal basis to do so.
Using GDPR as a positive tool for crime-fighting
In just two years since the GDPR came into force, major data-collecting companies are feeling its effect. Tech giant Google alone has been fined over $200m for failing to protect its customers: for breaches such as “insufficient transparency, control and consent over the processing of personal data”, for “tracking cookies without consent”, and for “failure to respect a citizen’s right to be respected”.
This tells us that regulators are serious about enforcing the GDPR, but perhaps some companies have not quite navigated the way to get on board.
Which is why I’m super excited about our new project, AML Bridge.
The real beauty of the GDPR is in its consistency, across all of Europe. As we at Salv look to build a communications and data-sharing platform that enables banks to better collaborate in the sharing of vital investigative information, instead of navigating a hodge-podge of national legislations, we can anchor one, gold-standard approach as the bedrock of everything we build.
Successfully marrying best-practice data protection with pioneering crime-fighting technology is bold new uncharted territory. And while the devil will still be in the details, I am so proud to be working as part of a team that doesn’t try to put its head in the sand over data protection, but instead proactively uses the GDPR as a way to drive better pan-European crime-fighting collaboration.
I haven’t even got to talking about new privacy-enhancing technologies (PETs), where again at Salv our team is looking into some truly exciting possibilities. But I might have to get one of our engineers to explain all that in a separate blog!
So, whether you work in crime-fighting, as a data protection officer in a financial institute, or like me, are just passionate about protecting PII, from us at Salv to you - I wish you a very happy Data Protection Day!
And next time somebody complains to you that data security is either boring, or a massive pain-in-the-neck - I hope you can point them to this humble blog to remind them: this is important; and some really cool thinking and innovation is happening in this space.