Article | 28 Nov 2024
The Swedish Dilemma: Balancing Data Protection and Background Checks in the Financial Sector
Fulfilling employee due diligence and know-your-customer obligations in the financial sector is a cumbersome exercise that must be reconciled with data protection, individual privacy and local legislation. In Sweden, third-party providers of background checks have been a convenient solution for many, but one that looks set to be restricted. This article navigates this complex issue and explores recent Swedish legal developments.
Trust and Compliance in Financial Due Diligence
In the rigorously scrutinised finance sector, maintaining trust and integrity is paramount. Sector-specific regulations place high demands on the overall risk management and soundness of financial institutions. In addition, the last decade has been characterised by stricter requirements to verify the identity, suitability and risks of current or potential customers under know-your-customer (KYC) and anti-money-laundering (AML) obligations. Such customer due diligence, as well as employee due diligence, is essential to prevent fraudulent transactions and maintain a reliable financial sector, with background checks being a key component for managing risk and compliance.
As high standards are set for background screening, financial actors also need to cope with complex and far-reaching data protection regulations that emphasise the privacy of the individual. How to walk this tightrope is not always addressed with the necessary clarity, not least because customer and employee due diligence and data protection requirements are governed and monitored by different regulations and supervisory authorities.
Background checks tend to be complex, time-consuming and expensive. They require expertise, dedicated internal functions and access to pertinent information. In Sweden, financial institutions often outsource these services or use external databases for research on individuals or entities. Outsourcing has a Sweden-specific benefit: service providers can rely on a constitutional exception to the GDPR[1]. This has fostered a robust, though controversial, market for such services.
Legal Background: The Swedish Principle of Public Access
Sweden's constitutional laws provide for a principle of public access to information, which in essence means that the public has statutory access to all public documents, judgements and decisions unless specific confidentiality applies. This provides transparency in public affairs and decision-making, but also means that private information about most individuals is accessible. Before digitalisation, even though such accessibility was guaranteed by constitutional law, accessing substantial physical documentation was inconvenient in practice, as it required interaction with the relevant authority for virtually every document. Today, however, a highly digitised government combined with the easy dissemination of information online has created a business opportunity in providing comprehensive databases of public information. At the same time, the GDPR imposes strict restraints on the processing of the personal data such documents contain, especially information on criminal offences, the processing of which is restricted to public authorities or as exempted by national law. However, the GDPR's impact is not as straightforward as one might think.
The Swedish Exception: Balancing GDPR with Constitutional Rights
EU legislation typically supersedes national law. Yet the GDPR allows member states some leeway, notably in balancing data protection against freedom of expression and information. On this basis, Swedish law exempts the application of the GDPR where it conflicts with the Swedish constitutional Freedom of the Press Act or Fundamental Law on Freedom of Expression. Under these laws, Sweden also offers voluntary constitutional protection through a formal application for a so-called publishing certificate. Established in 2003 to accommodate new forms of media and, according to its purpose, typically applying to newspapers and journalists, such a certificate does not require demonstrating journalistic intent to obtain and is, in practice, rather easy to get.
This route out of the GDPR, by applying for and obtaining a publishing certificate, has been widely adopted by background check companies, sparking intense debate. These companies typically offer searchable online databases containing extensive personal data, such as addresses, family links, tax information and information on criminal offences. Furthermore, their services are generally available to anyone willing to pay, leading to misuse by criminals and to indiscriminate and unwarranted screening by employers. This has raised privacy concerns, while at the same time the Swedish Data Protection Authority (IMY), referring to the same certificates, has dismissed the flood of complaints from individuals who have felt their privacy violated by the databases.
New Developments: Shifting Legal Perspectives
Swedish courts and authorities have traditionally prioritised freedom of the press, and thus operations protected by publishing certificates, over data protection law. However, given the rather non-journalistic purpose of several of the online databases so protected, this view has recently been challenged, and recent developments suggest that the position may be reversed. This year, several district courts and law enforcement authorities have refused document requests from background check companies, citing a recent ruling from the Court of Justice of the European Union (CJEU) according to which public access must be balanced against individual privacy on a case-by-case basis.[2] The requesting party is thus required to show a particular interest in acquiring the information in order for its request to be considered legitimate.
IMY has now decided to investigate the implications of these new cases for the handling of complaints against service providers holding publishing certificates.[3] The authority also presented a proposal last year for new regulations to enable financial institutions to check their customers against various sanctions lists.[4] Furthermore, the Swedish government has finalised an inquiry concluding that the voluntary constitutional protection afforded by publishing certificates should be amended, a topic previously examined but postponed by the legislature.[5] The new inquiry proposes direct restrictions on searchable online databases of personal data.
Summarising these developments, the winds now seem to be shifting on an issue that boils down to the principle of the primacy of EU law and the fundamental tension between freedom of expression and privacy. While inquiries are underway and statutory amendments loom, a preliminary ruling from the CJEU could in itself overturn Sweden's voluntary publishing certificate system.[6] Needless to say, the future is uncertain.
Preparing for the Future: Adapting to a Changing Compliance Landscape
The potentially shifting legal landscape in Sweden is set to reshape background checks, affecting the financial sector among others. Potential legislative amendments and scrutiny of the system of voluntary publishing certificates, both domestically and from the CJEU, point to a future in which financial institutions face an even more complex compliance environment. Such institutions may thus find their reliance on certain third-party providers more restricted, necessitating a reassessment of their internal capabilities and compliance strategies. This could burden small entities lacking the resources and expertise to meet both regulatory and data protection standards. Nonetheless, demand for third-party background check providers will persist, and providers that have adapted to the new regulatory reality are likely to emerge shortly.
Financial institutions must brace for increased scrutiny of due diligence practices and a smaller margin for error in managing sensitive data, which requires a thorough understanding of, among other things, the GDPR. Balancing the interests at stake in background checks is tricky, and identifying a legal basis for processing data on criminal offences poses a particular challenge. In this context, IMY plays a crucial role, as it is competent to issue authorisations for the processing of such data, securing the financial sector's ability to perform due diligence without falling foul of data protection law. IMY itself is calling for more legal clarity and has asked the government to set up an inquiry to review the need for further regulation of background checks.[7]
Conclusion: Navigating the Future of Financial Background Checks
The future of background checks in the financial sector stands at a crossroads, with sector-specific regulatory compliance and data protection converging. Financial institutions must be proactive in adapting to these changes, ensuring that their practices are legally compliant, ethically sound and respectful of individual privacy. By building compliant internal background check functions, investigating which service providers can be relied upon, and monitoring legal developments and guidance from regulatory authorities, financial institutions can get a flying start in the new legal environment. The financial sector's ability to navigate this new reality will demonstrate its resilience and its commitment to upholding the highest standards of trust and integrity.
[1] General Data Protection Regulation (EU) 2016/679.
[2] Court of Justice of the European Union, C-439/19, B v. Latvijas Republikas Saeima.
[3] Swedish Data Protection Authority (IMY), press release 14 May 2024, IMY competent to review search services with publishing certificates, https://www.imy.se/nyheter/imy-har-behorighet-att-granska-soktjanster-med-utgivningsbevis/.
[4] Swedish Data Protection Authority (IMY), press release 18 September 2023, New rules to make it easier for some companies to handle data on offences, https://www.imy.se/nyheter/nya-foreskrifter-ska-forenkla-for-vissa-bolag-att-hantera-uppgifter-om-lagovertradelser/.
[5] Swedish Government, Ministry of Justice, press release 21 October 2023, Protection of personal data to be strengthened, https://www.regeringen.se/pressmeddelanden/2023/10/skyddet-for-personuppgifter-ska-forstarkas/, see also Swedish Government bill 2021/22:59, Effective protection of freedom of the press and freedom of expression.
[6] Attunda District Court in case T 3743-23, decision of 1 March 2024.
[7] Swedish Data Protection Authority (IMY), press release 13 June 2024, IMY calls for an inquiry on background checks, https://www.imy.se/nyheter/imy-vill-att-det-tillsatts-en-utredning-om-bakgrundskontroller/.