Globally, at any given time, there are international, economic or trade sanctions in place that directly affect countries, sectors, businesses, organisations and individuals. The world is interconnected in terms of trade, investment, financial flows, debt repayments and just-in-time supply chains. Sanctions are often underpinned by laws with criminal and civil penalties. Russia’s annexation of Crimea in 2014 and its subsequent invasion and war in Ukraine in 2022, has led to an unprecedented level of international, coordinated and punishing sanctions against Russia. Its political system, leaders, parliament, central bank, key sectors, businesses, influential individuals and its uber-rich citizens called oligarchs have all been targeted. Currently, significant sanctions are in place against Russia, Belarus, Iran, North Korea, Syria, Myanmar, Venezuela and Cuba. The European Union, China and the United States have imposed a range of unilateral trade sanctions between themselves, in recent years, to protect several of their strategic sectors. Sanctions directly affect confidence, investment, trade and international data flows. After sanctions are imposed, the data flows to and from sanctioned parties must be scrutinised for lawfulness, human rights compliance and for fit with an organisation’s Environmental, Social and Governance (ESG) position.

Types of Sanctions

International sanctions are political and economic decisions, made through diplomatic efforts by countries, multilateral or regional entities against states and organisations to protect international law, national security and to defend against threats to international peace and security. These sanctions are normally put in place by the United Nations (UN), or by countries working in consultation with the UN. These decisions include temporary restrictions or blocks on economic, trade, diplomatic, cultural, environmental and other restrictions. Sanction measures are lifted when the issues that led to the restrictions ends or the situation changes. Often, sanctions are given their primary functional title, such as diplomatic sanctions or economic sanctions. Sanctions remain the international community’s most powerful peaceful actions to prevent or respond to threats to international peace and security. Increasingly, unilateral sanctions can be imposed by a country on another nation to further its strategic interests via strong economic pressure through economic, trade or diplomatic activities.  Breaching sanctions deliberately or inadvertently can lead to criminal or civil penalties. Assisting a sanctioned entity or an individual to evade sanctions can also lead to severe consequences for all involved.

Lawfulness and Fairness in Data Flows

A key principle in international data governance, data protection laws and in modern data privacy analysis is that the processing of personal data, personal information and personally identifiable information must always be done lawfully and fairly. Lawful means that the activity should not breach civil or criminal laws, directly or indirectly. Fairness is a wide concept and includes, equity between the parties, respect for natural law, upholding fundamental rights, human rights protection, substantive fairness and fairness in processes. The principle of fairness discourages the sharing of personal data and personal information for covert purposes, or by tricks, deception, obfuscation, online dark patterns or via the misuse of language. Fairness considerations can also protect individuals with special or protected characteristics such as age (young and old), disability, ethnic origins or nationality.

The EU’s General Data Protection Regulation (GDPR) requires transparency and accountability in data flows. China’s Personal Information Protection Law (PIPL) and Brazil’s Data Protection Law (LGPD) contains a fundamental principle that all parties should act in “good faith” when they collect, use, share or store personal information. The flow of personal data to sanctioned countries, sectors, businesses, organisations, groups or individuals can conflict with lawfulness, fairness, transparency, accountability and good faith requirements. Companies and organisations should ensure that they do not breach these principles when dealing with sanctioned entities and individuals. These breaches of data protection and data privacy rules could lead to investigations, reprimands, administrative fines, third-party actions, other enforcement action or legal (court) action.

International Personal Data Transfer Risk Assessments

Aware that the transfer and sharing of personal data to some foreign countries can put individuals at risk, breach national laws and cause other harms, European regulators such as the European Data Protection Board (EDPB) and the European Commission have led the way in developing data Transfer Impact Assessments (TIAs). In the UK, these are often called Transfer Risk Assessments (TRAs). These assessments seek to evaluate a wide range of information to assess the risks to individuals and personal data flows. These also assess the level of compliance with the GDPR and other laws, in recipient countries or organisations. Considerations includes the types of data, types of data subjects (individuals), the sectors, the purpose of the data transfer and the transfer methods proposed. The technical and organisational systems in place to secure the data transfers, the list of countries the personal data will pass through and the possibility of onward transfers to third or fourth countries are also crucial considerations.  In this process, identifying sanctioned countries, organisations and individuals could be crucial to the sender’s corporate risk, insurance cover, legal compliance and liability.

Crucially, these data transfer assessments also aim to evaluate the receiving country’s human rights record, its legal system, its courts and how foreign judgments are recognised. The laws relating to third-party access to data, including by government bodies and the security and intelligence services are also reviewed.  

For a sanctioned country, organisation, sector or individual, these assessed factors will be influenced by the existence of sanctions. A country’s human rights record that led to international sanctions could make in-coming international data transfers high risk, unlawful or unfair. Both the human rights record and the specific sanctions restrictions could prove to be problematic or prohibitive. If a country’s political system requires that all data centres and internet traffic are scanned for political purposes, this could make the data transfer high-risk, needing additional technological safeguards such as data minimisation, pseudonymisation or anonymisation to reduce the data protection risks. Sanctions may also prohibit certain economic activities or sector-specific trading, and so the sharing of personal data to facilitate these activities, directly or indirectly could breach the sanction measures. Sanctions could target government or military organisations. This is the case in the sanction measures against Myanmar. Identifying true beneficial ownership is crucial. However, it is often difficult to clearly identify all government-directed, military-supported, government owned and backed organisations. The work of transferring personal data to sanctioned countries, entities or individuals is difficult and it can be a dynamic fast-moving environment.

Steps to Better Environmental, Social, Governance (ESG) and Compliance

The following steps will help businesses, organisations, governments and public sector bodies to better navigate the international personal data flows affected by sanctions regimes.

(A) Monitoring Sanctions Lists, in all relevant territories, should be a high priority. This should be done regularly, part of business as usual processes. These lists should also be consulted during supplier and partner due diligence and when a key organisation, in the existing supply chain, changes its ownership, size or composition. Experts that understand the full intent, meaning and implications of sanctions on data and personal data flows should be consulted.

(B) Registers of Processing Activities (ROPAs) should be properly maintained, reviewed and updated by companies and organisationsthat fall within the scope of the EU’s GDPR or similar laws in the UK, Brazil, China and the UAE. A ROPA can help to answer important preliminary questions such as the level of exposure to a sanctioned country, company, organisation, sector or individual. It can also be used to highlight, at least broadly, which countries sends and receives which types of personal data and the intended purposes.

(C) Contractual agreements are important governance tools when dealing with sanctions. Contracts are widely used to facilitate trade and transfer personal data around the world. These include international data transfer agreements, data protection Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs) and various types of data processing agreements. Sanctions could make these agreements voidable, void or otherwise untenable. Parties could be forced to trigger the frustration or force majeure clauses, which could lead to contract termination and remove existing duties to perform the contract. Signing agreements that undermine or conflict with sanctions, after sanctions have been imposed, could breach criminal and civil laws. Detailed legal advice and care should be taken when parties seek to deliberately contract in ways that aim to stay within the legal limits of transferring personal data to sanctioned countries, businesses, entities and individuals.

(D) Systematic Supply Chain Reviews are important, especially detailed periodic reviews. Companies and organisations could be subject to criminal and civil liability if they take steps to evade or help other parties to avoid sanctions. Work should be done to ensure that substitute suppliers and third parties are not simply re-routing goods, services and data to sanctioned countries, businesses, organisations and individuals.Mergers and acquisition activity should be monitored as well as the unusual creation of offshore companies, holding companies, subsidiaries, branches and other formalised attempts to disguise the true beneficial owners of legal entities and assets.

(E) Anti-Money Laundering (AML) and Know Your Customer (KYC) Procedures should be upgraded. This is crucial in order to respond to the personal data risks associated with sanctioned countries, businesses, organisations and individuals. The use of cryptocurrencies, speciality blockchains, non-fungible tokens (NFTs), unexplained venture capital funds, aggressive modern art market investments, cybercrime and any involvement in the ransomware ecosystem, should be fully investigated.

PrivacySolved has many years of expertise in global data protection, data privacy, international data transfers and Environmental, Social and Governance (ESG) activities, including work with key regulators. For advice, support, projects and programmes, contact PrivacySolved:

Telephone:  +44 (0) 207 175 9771 (London)

Telephone:  +353 1 960 9370 (Dublin)