Data protection and 5MLD

5MLD presents particular issues in relation to data protection law. This is because 5MLD calls for the collection and retention of greater amounts of personal data, whereas EU and UK data protection law essentially aims at eliminating unnecessary or excessive personal data collection and use.

There are also specific data protection obligations in the UK legislation implementing 5MLD, the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 and the Money Laundering and Terrorist Financing (Amendment) Regulations 2019 (together, the MLRs). The MLRs mandate specific steps in relation to data protection disclosures and safeguards, which art market participants must fulfil or risk falling foul of data protection law, with all the potential for fines, claims and reputational damage that this entails.

These issues have been made more problematic due to the stress that the Covid-19 pandemic has placed on data protection compliance. The pandemic may have had a significant effect on staff availability (including those staff who would monitor and enforce data protection compliance) and remote working increased distance selling may result in personal data being sent electronically for AML purposes, rendering it vulnerable to cyber attacks.

With effect from 10 January 2020, the Fifth Money Laundering Directive (5MLD) requires art market participants to carry out customer due diligence in all cases where the value of a transaction, or several linked transactions, is €10,000 or more. This will involve collecting information on individuals who are customers, officers or beneficial owners of a corporate customer, or connected to customers. In some circumstances, individual employees of an art market participant may also need to be screened. For detailed information on the requirements to carry out customer due diligence and employee checks, please see our articles on this topic from May 2019 and the follow up from January 2020.

Personal data and AML art market checks

Personal data is information that relates to an individual who is, or who can be, identified from it. The anti-money laundering/terrorist financing (AML) checks required under 5MLD will necessarily involve the collection of significantly greater amounts of personal data of customers and employees than was previously the case. The types of information that art dealers and auction houses may need to collect and use for these AML checks may also be more sensitive or private than the types of information traditionally collected, involving a greater need for, or expectation of, confidentiality and security. For example, instead of just names and addresses, dealers may now have to obtain and store peoples’ passport details in order to verify their identity. Passport details would clearly carry a significant risk of identity theft or fraud were they to fall into the wrong hands. Where enhanced due diligence is required, even more intrusive searches will be necessary, including in relation to a potential customer’s source of wealth. There would be a higher risk of financial loss or distress to the individual if this type of information were to fall into the wrong hands, and the security measures taken should be proportionate to the risk and types of personal data involved.

When AML checks are carried out, the results of those checks may also result in the creation and collection of additional personal data – for example, screening may uncover the fact that an employee has a criminal record, which information would be passed back into the care of the dealer or auction house that requested the check. Such sensitive information requires even more stringent safeguards.

The collection and handling of personal data is regulated by the General Data Protection Regulation (EU GDPR), plus, in the UK, the Data Protection Act 2018 (DPA) and, from 1 January 2021, the GDPR as it is implemented into UK law (UK GDPR). For the purposes of this article we shall refer to both the EU GDPR and the UK GDPR as the “GDPR”, as there are no relevant material differences between them at this stage. The GDPR and DPA limit the ways in which organisations may collect, keep and use their clients’ and employees’ personal data.

The requirements of the GDPR and DPA, and the associated data protection obligations in the MLRs, may pose a challenge to art dealers and auction houses subject to the new AML obligations, since they impose restrictions and requirements around how personal data collected for AML purposes (or otherwise) may be used.

There are significant consequences for institutions with AML obligations that do not comply with data protection rules when carrying out their AML due diligence – the well-publicised maximum fines of 20 million Euros or up to 4% of total worldwide turnover for the previous year provide a strong incentive, not to mention the possible reputational damage. Data subjects are also becoming increasingly active in bringing legal claims for damages against organisations where their personal data has been misused. They do not need to prove financial loss in order to be awarded compensation – distress or unjustified “loss of control” over their personal data may be sufficient for a claim to succeed.

So what are the key data protection responsibilities that dealers and auction houses need to bear in mind when conducting AML checks?

GDPR and DPA data protection requirements

Firstly, there are general requirements applicable to all personal data, which will be even more relevant now that greater amounts of it will rest in the hands of those subject to 5MLD. Some of the key requirements mean that art market participants must:

1. ensure that they have grounds to process the personal data that they are collecting, keeping and obtaining in the process of carrying out their due diligence and checks on individuals. For the regular personal data that is necessary for AML checks then the ground is likely to be that its processing is necessary for compliance with a legal obligation. For more sensitive information – such as criminal convictions data or data on ethnic origin – additional grounds must apply, for example, that the use of this data is necessary for the purpose of preventing unlawful acts or making an AML report;
2. provide, in their policies and procedures, for individuals to exercise their rights and give information about the scope of these rights – it should be made clear that individuals’ rights cannot override a conflicting legal obligation, so a person cannot exercise their right to have their data deleted if there is an overriding legal obligation to give that information in a suspicious activity report;
3. make sure that their contracts with service providers cover certain prescribed areas as mandated by the GDPR, for example providing that the participant has a right to object to the appointment of a sub-contractor by the service provider;
4. provide for safeguards where transferring any personal data abroad, or making it available to persons overseas. If the recipient is in the EEA or a country deemed to be “adequate” (such as Japan or Switzerland) then no further safeguards will be needed. However, if the recipient is in a non-adequate country, then a safeguard such as entering into standard contractual clauses (SCCs) with the recipient will be required. As a result of the decision in Data Protection Commissioner v Facebook Ireland Limited & Maximillian Schrems, when relying on safeguards such as SCCs, it is also important to assess whether the recipient country can protect the personal data to a standard that is essentially equivalent to the protection given under EU law. For detailed information on this decision, in particular in relation to transfers of personal data to the United States, please see our article on this topic from July 2020;
5. provide appropriate transparency information to data subjects about what is being done with their data, for example making sure that their privacy notice refers to the fact that their data will be used to make checks required by law and may be passed to law enforcement. Privacy notices should be drawn to individuals’ attention at the time that they give their information to the art market participant;
6. keep all personal data secure using “technical and organisational measures” that are appropriate to the context and risk. This includes ensuring that internal access to due diligence documents is limited to those staff members who need them for their role, as well as the more obvious measures to secure information against loss or cyber attack, particularly in relation to higher risk and more sensitive or private information. One simple security measure that could be considered is encrypting personal data both when it is in use and at rest. However it is important to note that the GDPR does not mandate specific security measures – these will be context and risk-specific in each case; and
7. comply with the requirement to store the personal data collected for the purpose of AML checks for no longer than necessary to fulfil that purpose. Where there is a legally-prescribed storage period (for example, the MLR prescription that the results of certain searches must be kept for five years), then this provides sufficient legal grounds to do so. However, if and when there is no legal requirement to keep personal data collected for AML purposes (or otherwise), such as once those five years have elapsed, then art market participants must consider whether it is still necessary to retain it for the purposes for which it was collected. If not, it must be securely deleted. There is often reluctance to delete historical records, but records of past business may usually be retained, if there still is a good business reason to keep them. Those in the art market should note that the longer they keep personal data, the greater the risk of a data breach or of accidental loss or misuse, so regular deletion of papers that are no longer needed should be seen as part of good housekeeping and risk mitigation.

MLRs data protection requirements

Secondly, the MLRs impose specific data protection requirements on art dealers and auction houses, above and beyond the standard GDPR/DPA obligations outlined above.

In particular, the MLRs state that personal data that is obtained by dealers or auction houses for AML purposes may only be processed to prevent money laundering or terrorist financing, unless another law permits this or the affected individual has consented. So a dealer cannot use information obtained in order to carry out AML checks on a person, or as a result of such checks, to then profile that person, for example. So a dealer whose searches had uncovered the fact that a client has Italian connections cannot then use this information to mark them as potentially being interested in Italian art. AML checks and information should be kept separate from a business’ other activities.

The MLRs also require that, before establishing a business relationship or entering into an occasional transaction with a new customer, dealers and auction houses must provide the customer with a statement that any personal data received from the customer will be processed only as set out above – i.e. for AML purposes, as permitted by another law or as consented to by the customer. This statement is in addition to the normal transparency information that is required under the GDPR as set out in point 5 above. The statement would be likely to appear in the same place as the rest of the GDPR’s transparency information, which is normally a dealer or auction house’s privacy notice.

The timing requirement to give this statement before a business relationship is established (and the need to give the general GDPR transparency information at the time personal data is obtained) means that it is particularly important that dealers and auction houses ensure that privacy information is given early on in interactions with a potential new customer. It will be crucial to do so before any transaction is carried out - i.e., before any work is handed over to the customer.

The reliance regime in the MLRs may also have data protection implications. Put simply, this is where an art market participant (“Receiving Participant”) may rely on the AML checks carried out by another regulated participant in the EU with whom it is working (“Disclosing Participant”), rather than the Receiving Participant carrying out its own checks. The Disclosing Participant must agree to provide the Receiving Participant with the customer’s AML results upon request. Sharing the results of AML checks in this way would necessarily involve sharing personal data, which would carry an element of risk for the Disclosing Participant. The Disclosing Participant would therefore be likely to request some assurances from the Receiving Participant: for example, that it will only use the data for AML purposes, that it will keep it securely and delete it once no longer needed. These data protection risks may make market participants reluctant to use the reliance regime, although the risks are not insurmountable with an appropriate data sharing agreement.

There are straightforward ways of making the 5MLD and data protection regimes work side by side. However, it is true to say that the increased amounts, and riskier types, of personal data that art dealers and auction houses will have to handle under 5MLD will make it more important than ever for them to focus on complying with their data protection responsibilities.