Risk & Compliance monthly highlights - August 2020

Risk & Compliance monthly highlights - August 2020

In this issue:

GDPR & data protection

AML & counter-terrorist financing

Sanctions & export controls

Crime prevention

Health & safety



GDPR & data protection

Schrems II

Information Law analysis: The judgment of the Court of Justice in the case of Facebook Ireland and Schrems (commonly known as Schrems II) has been published. The judgment relates to two key mechanisms used to legitimise transfers to third countries under the General Data Protection Regulation, Regulation (EU) 2016/679 (the GDPR). In summary, the Court of Justice has invalidated the EU-US Privacy Shield mechanism and specified that any use of standard contractual clauses (SCCs) must offer an adequate level of protection of personal data in practice (based on a case by case assessment of the circumstances of the transfer). See News Analysis: Privacy Shield invalidated and use of appropriate safeguards (including Standard Contractual Clauses) require case by case assessments (Facebook Ireland and Schrems), written by Bridget Treacy, partner, and James Henderson, associate, at Hunton Andrews Kurth.

The European Data Protection Supervisor (EDPS) has welcomed the Schrems II judgment and highlighted that it is the second time in five years ‘that a European Commission adequacy decision concerning the United States is invalidated by the Court’. The EDPS had previously shared criticisms regarding the Privacy Shield by emphasising the importance of ensuring a high level of protection of personal data once transferred from the EU to third countries. The EDPS has also welcomed the clarifications provided by the Court of Justice of the European Union in confirming the validity of Standard Contractual Clauses. See: LNB News 17/07/2020 61 and LNB News 20/07/2020 13.

The EDPB also published Frequently Asked Questions regarding the judgment. See: LNB News 01/01/0001 2635.

The ICO has released a number of statements on the Schrems II judgment. It says it is considering the judgment and its impact on international data transfers, which are vital for the global economy. It stands ready to support UK organisations and will be working with UK government and international agencies to ensure that global data flows may continue and that people’s personal data is protected. See: LNB News 16/07/2020 87.

It is reviewing its Privacy Shield and Standard SCC guidance. See: LNB News 17/07/2020 44.

The ICO states that ‘this judgment has wider implications than just the invalidation of the EU-US Privacy Shield. It is a judgment that confirms the importance of safeguards for personal data transferred out of the UK.’ In its statement, it also confirmed that the FAQs, issued by the European Data Protection Board (EDPB), on the invalidation of the Privacy Shield and its effect on SCCs, still apply to UK controllers and processors. As such, a risk assessment should be conducted to determine ‘whether SCCs provide enough protection within the local legal framework’ for international transfers. In addition, the ICO is taking time to consider the role of supervisory authorities in the oversight of international transfers and are continuing to provide ‘practical and pragmatic advice and support’ alongside a ‘risk-based and proportionate approach in accordance with our Regulatory Action Policy.’ See: LNB News 28/07/2020 2.

You can expect your organisation’s privacy notices to be more closely scrutinised in relation to transfers of personal data outside the UK/EEA. See updated Precedents: Privacy policy—general commercial organisation—customer-facing and Privacy policy—law firms and professional services.

See further Law360, London News Analysis: Court of Justice leaves US data transfers on shaky ground and Transferring personal data to the US after Court of Justice ruling.

Coronavirus (COVID-19)

The ICO has updated its regulatory approach during the coronavirus (COVID-19) public health emergency. UK Information Commissioner, Elizabeth Denham, has reiterated the importance for the ICO to respond ‘pragmatically and empathetically’ to the crisis. The regulatory approach has been updated with small additions, notably by reflecting the ability to conduct audit work remotely. See: LNB News 15/07/2020 13.

MLex: UK businesses must resume their data protection obligations now that the coronavirus pandemic is no longer causing the same impact on their operations, a senior official at the ICO has said. Simon McDougall, the ICO’s executive director, also said that an investigation into the adtech industry would resume, after being put on hold during the crisis. See News Analysis: Data protection enforcement moving back to normal, UK regulator says as coronavirus (COVID-19) ebbs.

Binding corporate rules and Brexit

The EDPB has published an information note on BCRs for organisations which have the ICO as the competent supervisory authority, explaining steps they need to take if they wish to rely on their BCRs as a valid transfer mechanism for transfers of personal data outside the EEA after the end of the Brexit transition period. See: LNB News 23/07/2020 65.

ICO annual report

The ICO has published its annual report for 2019–20. The activity period covered has been described by the Information Commissioner, Elizabeth Denham, as a ‘transformative period for privacy and data protection and broader information rights’. See: LNB News 21/07/2020 37.

EDPS Opinion on money laundering and terrorism financing policy

The EDPS has published a press release on its Opinion, which reacts to the European Commission’s action plan for a comprehensive Union policy on preventing money laundering and terrorism financing (C(2020)2800 final). See: LNB News 28/07/2020 50.



AML & counter-terrorist financing

Review of revised FATF standards on virtual assets published

The Financial Action Task Force (FATF) has published a 12-month review of the revised FATF standards on virtual assets, as well as their service providers. See: LNB News 07/07/2020 78.

EU anti-money laundering

In a resolution adopted on 10 July 2020, EU MEPs have welcomed the European Commission’s Action Plan on how to fight effectively against money laundering and terrorist financing, including giving the European Central Bank (ECB) more powers and creating an improved asset-freezing regime. See: LNB News 13/07/2020 89, and News Analysis: European Commission takes AML agency plans to the European Parliament, and EU Parliament endorses new anti-money laundering plans.

The Global Legal Entity Identifier Foundation (GLEIF) has published a blog on the role of legal entity identifiers (LEIs) in the European Commission’s anti-money laundering (AML) and counter-terrorist financing (CTF) legislative reforms. See: LNB News 21/07/2020 95.

The European Commission has extended the feedback period for its AML and CTF action plan to 26 August 2020. See: LNB News 10/07/2020 57.

5MLD Trust Registration Service consultation

HMRC has announced the outcome of its technical consultation on the Fifth Money Laundering Directive and Trust Registration Service. The Money Laundering and Terrorist Financing (Amendment) (EU Exit) Regulations 2020, SI 2020/628 have now been laid for consideration by the European Statutory Instruments Committee in the House of Commons and the Secondary Legislation Scrutiny Committee in the House of Lords. See: LNB News 15/07/2020 100.

Beneficial ownership registers

The Foreign & Commonwealth Office has announced that eight Overseas Territories are to introduce publicly accessible registers detailing who owns the companies in their territory. See: LNB News 15/07/2020 99.

JMLSG guidance

The Joint Money Laundering Steering Group (JMLSG) has published new guidance on pooled client accounts and cryptoassets. There is also a minor amendment to paragraph 5.3.53 within Part I of the JMLSG guidancce. See: LNB News 29/07/2020 37.

FCA Register

The Financial Conduct Authority (FCA) has launched its updated Financial Services Register. See: LNB News 27/07/2020 85.

Gambling Commission coronavirus (COVID-19) emerging risks bulletin

The Gambling Commission has published its third coronavirus (COVID-19) emerging risks bulletin. See: LNB News 13/07/2020 80.



Sanctions & export controls

Global Human Rights

The UK has launched the Global Human Rights regime, the UK's first sanctions regime operating under the Sanctions and Anti-Money Laundering Act 2018, through the Global Human Rights Sanctions Regulations 2020 (GHRSR), SI 2020/680 which came into force on 6 July 2020. The regime ensures that UK sanctions relating to serious human rights violations are effectively implemented through asset freezes and entry bans on the listed individuals and entities. So far, 47 individuals and two entities are on the list, a majority of those being individuals involved in the deaths of Sergei Magnitsky and Jamal Khashoggi. See: LNB News 07/07/2020 12. The Foreign & Commonwealth Office has published guidance to help with the implementation of and compliance with the new regime. See: LNB News 07/07/2020 19.

John Binns, partner at BCL Solicitors LLP and member of the Lexis®PSL Corporate Crime Consulting Editorial Board, discusses the new Global Human Rights Sanctions Regulations 2020, popularly referred to as ‘Magnitsky’ sanctions, and offers advice on the practical steps businesses and lawyers can take to comply with the sanctions. See News Analysis: Global human rights sanctions. See also News Analysis: UK’s first post-Brexit sanctions, written by Ben Smith, researcher at the House of Commons Library.

The US Department of State has released a response statement, written by the US Secretary of State Michael Pompeo, on the UK’s establishment of a Global Human Rights Sanctions Regime ‘commending’ the UK for its ‘continued global leadership on the promotion and protection of human rights’. See: LNB News 07/07/2020 57.

OFSI guidance

The Office of Financial Sanctions Implementation (OFSI) has published the Sanctions Act licence application form. See: LNB News 07/07/2020 30.

OFSI has also published new guidance for the maritime sector. See: LNB News 27/07/2020 76.



Crime prevention

Tax evasion

The Organisation for Economic Co-operation and Development (OECD) has issued a press release stating that the international community continues making tremendous progress in the fight against offshore tax evasion. See: LNB News 02/07/2020 3.

Law360: The European Commission has begun a competition to build a think tank that would help the EU fight tax evasion, drawing on the expertise of tax professionals and non-governmental organisations. See News Analysis: EU plans building think tank to fight tax evasion.

Criminal records disclosure regime

The government has laid a Statutory Instrument to amend the filtering rules under the Police Act 1997 that govern what is automatically disclosed through standard and enhanced criminal records certificates issued by the Disclosure and Barring Service. This will amend current legislation to ‘remove the requirement for automatic disclosure of youth cautions, reprimands and warnings and remove the ‘multiple conviction’ rule, which requires the automatic disclosure of all convictions where a person has more than one conviction, regardless of the nature of their offence or sentence’. See: LNB News 09/07/2020 106.

Cyber incidents

UK Finance has published a white paper intended to help financial services firms as they reflect on their cyber incident response plans. See: LNB News 02/07/2020 20.

Deferred prosecution agreements

The Serious Fraud Office has announced that it has received final approval to enter into a deferred prosecution agreement (DPA) with G4S Case and Justice Services (UK) Ltd, which attempted to defraud the Ministry of Justice by concealing the true extent of profits from the provision of electronic monitoring of offenders services. See: LNB News 17/07/2020 94, News Analysis: G4S settlement hints at looser co-operation burden but tougher compliance trend and, written by Quinton Newcomb, barrister, and Lucia Cabello, Spanish qualified lawyer, at Fulcrum Chambers, News Analysis: Court approves £44m DPA in G4S fraud case (SFO v G4S Care and Justice Services (UK) Ltd).


The Serious Fraud Office (SFO) has convicted two former Unaoil executives for giving corrupt payments to public officials for oil contracts in Iraq. See: LNB News 14/07/2020 25 and News Analysis: US swoop on UK Unaoil probe suspect risked rift in DOJ—SFO relations.

The Home Office has released its year two update to its anti-corruption strategy. See: LNB News 23/07/2020 93.

Economic crime levy

HM Treasury has opened a consultation on the subject of the economic crime levy, which the government intends to introduce to fund new government action to combat money laundering, and help deliver the reforms committed to in the 2019 Economic Crime Plan. The consultation closes on 14 October 2020. See: LNB News 21/07/2020 71.



Health & safety

Coronavirus (COVID-19)

The Health and Safety Executive (HSE) has published five practical steps to be used by businesses in Great Britain to ensure they are 'COVID-19 secure'. See: LNB News 03/07/2020 46.

Employment analysis: The ’Working safely during coronavirus (COVID-19)’ guidance published originally by BEIS has been updated three times in the last month, with updates variously across all workplace sectors that it covers to add advice on areas including local lockdowns, discouraging shouting, ventilation, use and disposal of face covering and PPE, keeping records of staff, customers and visitors, keeping records of staff shift patterns, opening customer restaurants and cafes and what to do in the event of a COVID-19 outbreak in the workplace. Two additional guides have also been published covering performing arts and providers of grassroots sports and gym/leisure facilities. See (in chronological order) News Analysis:

The Department of Health and Social Care has released guidance on the subject of how to recognise, contain and report incidents of coronavirus (COVID-19). See: LNB News 28/07/2020 52.

Related Articles:
Latest Articles:
About the author:
Allison is a former partner of Shoosmiths, with extensive experience of legal management and practice compliance.