Data Privacy Laws May Create Dilemma for Sanctions Compliance
The advent of data privacy laws, such as Europe's General Data Protection Regulation, creates a "potential tension" with trade sanctions compliance, said Ramsey Kazem of Spark Compliance Consulting, speaking at the American Association of Exporters and Importers Annual Conference on June 27. GDPR and other laws in various stages of implementation in U.S. states "tend to be very protective and restrictive on how you use personal data," he said. This may often conflict with sanctions laws, which require companies to do "more with the personal data that they possess in terms of screening their third-parties, screening their business partners, screening their customers," Kazem said. "So it's not difficult to see how the GDPR" and other data privacy restrictions "could conflict with, for example, U.S. sanctions laws." Further complicating the issue for companies is that "neither the U.S. nor the EU recognize the other's laws as a legitimate basis" for not complying, he said. Companies will therefore need to examine the potential risks created by such a conflict, Kazem said. "In some instances there may not be an easy answer and a company may be forced to choose between the lesser of two evils." As a result, data privacy considerations "must be at the table" while a company is developing a sanctions law compliance program, Kazem said.