Risk & Compliance monthly highlights - March 2020

Risk & Compliance monthly highlights - March 2020

In our March edition of Risk and Compliance highlights includes: GDPR & data protection; anti-bribery & corruption; AML & CTF; sanctions & export controls; information management & security; a selection of other news and updates; and all the latest new and updated content.

In this issue:


GDPR & data protection

Anti-bribery & corruption

AML & counter-terrorist financing

Sanctions & export controls

Information management & security


The European Data Protection Supervisor (EDPS) has issued its opinion on the opening of negotiations for a new partnership between the EU and the UK. The EDPS recommends that the envisaged partnership ensures security and economic partnerships are underpinned by adequate protection of personal data, defines priorities for institutional co-operation and assesses onward transfers of personal data. See: LNB News 25/02/2020 77.

UK data protection rules could be tweaked after Brexit if the government sees benefits and there is no impact on a data-transfer deal with the EU. See: LNB News 04/02/2020 77 and News Analysis: UK may tweak privacy rules if EU data-transfer deal isn’t affected, UK parliamentarian says.



The European Data Protection Board (EDPB) has addressed various topics related to the General Data Protection Regulation, Regulation (EU) 2016/679​ (GDPR), during its eighteenth plenary session held on 18 and 19 February 2020. It has qualified the implementation of the GDPR in the last 20 months as successful. Despite lingering concerns such as the harmonisation of national procedures, the EDPB concluded that it was premature to conduct a revision of the GDPR. See: LNB News 20/02/2020 61.

Article 97 of the GDPR​ requires that by 25 May 2020 (and every four years thereafter), the European Commission submits a public evaluation and review of the GDPR to the European Parliament and to the Council. The EDPB has published its contribution to this evaluation of the GDPR. See: LNB News 25/02/2020 19.

Europe’s formidable new data protection laws have created challenges for companies facing demands for employee communications as part of fraud investigations, leaving lawyers to balance the risk of privacy fines against the potential ire of government enforcers. See News Analysis: EU data privacy laws pose disclosure risks in fraud probes.

The Data Protection Intelligence Group has begun work on a guide to the negotiation of data protection provisions in commercial agreements between controllers and processors. See News Analysis: Data Protection Intelligence Group begins work on GDPR negotiation guide.


Anti-bribery & corruption
Regulatory regime

After a big drop in the number of investigations opened last year, the SFO will need some big wins like the recent Airbus settlement to convince doubters that it is doing enough to fight corruption and fraud. The plunge in new casework doesn't make for good reading for an agency that has been criticised by campaigners and lawyers for its failure to grasp the financial-crime nettle. See News Analysis: Drop in UK's SFO cases causes concern despite major Airbus win.

In a letter addressed to SFO Director Lisa Osofsky, civil society groups Transparency International UK and Spotlight on Corruption have urged the SFO to toughen its stance on corporate criminality, by demanding the UK’s DPA regime be consolidated. The organisations have urged for greater consistency and fairness in how DPAs are applied, particularly with regard to reducing the gap between companies’ self-reporting and cooperation. See: LNB News 18/02/2020 54.

Prosecutors received a boost in their fight against corruption after the first use of new powers to target suspected criminal assets survived a concerted legal challenge. See News Analysis: UWO appeal ruling gives boost to UK's new anti-fraud law.



Southwark Crown Court has approved a deferred prosecution agreement (DPA) requiring Airbus SE to pay a total financial sanction of €983,974,311 to the SFO after it was charged with five counts under section 7 of the Bribery Act 2010 (BA 2010) of failing to prevent persons associated with it from bribing third parties in order to secure the purchase of its aircraft. Pam Shearing, solicitor and director at Fulcrum Chambers Ltd, Farheen Ishtiaq, solicitor, and Emily Lewis, solicitor, examine the judgment and the DPA. See News Analysis: Court approves €1bn DPA in Airbus bribery case (SFO v Airbus SE).

The €3.6bn (US $4bn) penalty Airbus SE paid to three global enforcers after admitting to a string of bribery and corruption offences is not only one of the largest ever corporate fines for bribery, it represents a milestone for international anti-corruption cooperation. See News Analysis: Co-operation is more than just a buzzword in Airbus case.


AML & counter-terrorist financing

The Law Society has responded to the Fifth Money Laundering Directive (5MLD) and Trust Registration Service Technical consultation. In its response, the Law Society declared that it is concerned that current proposals would require ‘enormous numbers of low risk trusts to be registered’. It has therefore urged the government to ‘transpose the Directive in a way which proportionate to the UK context, where trusts arise in many different types of ordinary arrangements’. The new proposals are to come into effect 10 March 2020. See: LNB News 24/02/2020 65.



Global anti-money laundering watchdog, the Financial Action Task Force (FATF), told countries on Friday 21 February 2020 to protect their financial systems from dealing with Iran, as it blacklisted the country for failing to improve its safeguards against terrorist financing. See News Analysis: Iran categorised as ‘high-risk’ by global money laundering watchdog.


Sanctions & export controls
EU sanctions

The government has published guidance on the UK sanctions regime under the Sanctions and Anti-Money Laundering Act 2018. This guidance confirms that EU sanctions will continue to apply in the UK until 11pm on 31 December 2020. See: LNB News 03/02/2020 44.


Information management & security
ePrivacy regulation

MLex: Deutsche Telekom, Orange, Vodafone and other telecoms and Internet platforms will face a revised, slimmed-down draft of EU rules in the coming weeks aimed at protecting privacy and security over communication networks, MLex understands. See News Analysis: Telecoms and big tech face revised, slimmed-down EU draft ePrivacy regulation.



MLex: National data-protection authorities will discuss revised guidelines next month on how to enforce EU rules that require websites to ask users for consent for cookies that are used to track web activity, after several authorities adopted conflicting approaches, said an official at a group of data privacy enforcers. See News Analysis: EU data-protection authorities to discuss cookie-consent guidelines in March.


Cyber security

The National Cyber Security Centre has issued guidance to help private and public sector organisations deal with the effects of malware (which includes ransomware). It recommends steps to take before a malware infection has occurred and also suggests steps to take if the organisation is already infected. See: LNB News 17/02/2020 19.

Related Articles:
Latest Articles:
About the author:
Allison is a former partner of Shoosmiths, with extensive experience of legal management and practice compliance.