A landmark EU data protection judgment in 2014 on the ‘right to be forgotten’, has affected the ability to use Google and other well-known search engines to carry out anti-money laundering (AML) due diligence.
On its own, Google is not a sufficient anti-money laundering (AML) risk screening tool, as some search results could be incorrect or out of date. But now considering the 2014 ‘right to be forgotten’ case (see more below), Google may no longer reliably tell you if your customer is a known criminal, who could pose a risk to your business.
If your customer is determined to find a way round due diligence checks, they can easily do so. With websites like www.replaceyourdoc.com where fake ID may be purchased, at least the same amount of resources need focused on ongoing monitoring, and on training staff to recognise ‘red flags’, as you do on initial AML screening.
The ‘right to be forgotten’ case relates to Mario Costeja González, a Spanish citizen who in 2010, lodged a complaint against Catalonia’s leading daily La Vanguardia. In 1998 the paper printed an auction notice relating to the forced repossesion of his home. González argued that since the issue had been completely resolved in the intervening twelve years, the information was now irrelevant and should be removed, both from the paper’s digital archives and from the search results of Google Spain or Google Inc. The ruling by the European Court of Justice (ECJ) followed a referral from the Spanish courts.
The judgement found that even if the physical server of a company processing the data is located outside Europe, EU data protection rules apply to search engine operators if they have a branch or a subsidiary in a Member State. Search engines are deemed to be controllers of ‘personal data’ (data about living human beings).
Following this judgement, individuals have the right, based on certain conditions, to ask search engines to remove links with personal information about them. This applies where the information is inaccurate, inadequate, irrelevant, or excessive for the purposes of the data processing.
In this case, the court found that González’s right to data protection was not trumped by Google’s economic interests, and so the ‘right to be forgotten’ (or, technically, ‘the right to erasure’) was born in its modern form. (It should be noted that the court also stressed that the right to be forgotten is not absolute and must be balanced against other rights like the freedom of expression.)
This has obvious implications for entities conducting adverse media searches as part of their AML customer due diligence process, although the rules don’t apply to politically exposed person (PEP), sanctions and watch lists, where they are maintained by independent providers and authorities.
Most AML legislation relating to customer due diligence, allows entities the defence of have followed proper procedures and lack of reasonable grounds for suspicion. There is no case law yet, but the likelihood is that if an entity found itself under investigation by a regulator for providing services to a money launderer, but could demonstrate that it had conducted thorough due diligence and missed information only because it had been removed from search results under the right to be forgotten, this would be sufficient to avoid prosecution.
To hear more about the latest in AML legislation and procedures and to benefit from our up to date training, come to our next CPD Seminar on Anti-Money Laundering at the Talbot Hotel Stillorgan, County Dublin on Tuesday 28 November 2017.
More details of all our courses are on Ticket Tailor here.