When Ben Delo, co-founder of cryptocurrency exchange BitMEX, filed a U.K. High Court complaint against money transfer app Wise Payments last December, few would have thought the case might have wider ramifications under U.K. privacy regulations.
Delo lodged his complaint against Wise, made public this month, after the company allegedly refused his requests under the General Data Protection Regulation (GDPR) to provide him with the personal information it had submitted to the U.K.’s National Crime Agency concerning three suspicious activity reports (SARs) it filed. The SARs related to two transactions Delo made in November 2020 worth a total of 300,000 pounds (U.S. $402,000).
SARs are usually triggered when a financial institution believes the money being transferred might be connected to economic or organized crime and that it might be facilitating money laundering as a result.
Delo believes Wise should have shown him the SARs in full as per his data subject access request and provided him an explanation as to why it closed his account. Delo claims Wise has not provided any documents to justify the SARs or to show on what grounds under the GDPR the company felt it could withhold his access to the documents.
In monetary terms, Delo wants £948.94 (U.S. $1,272) for the interest he lost on his cash that the company held on to for 135 days in addition to the potential for further relief. In legal terms, a lot more is potentially at stake for financial institutions over the way they submit SARs and justify denying individuals access to the information contained within them.
Peter Galdies, senior consultant at specialist data protection and privacy consultancy DQM GRC, said the onus will now be “down to Wise to be able to demonstrate a reasonable basis for withholding the data.”
Rachel Easton, employment solicitor at law firm Vedder Price, said while U.K. data protection law enables a data subject’s right to access his or her personal data—the concept of which is “extremely wide”—it does not mean whole documents can or should be disclosed, even if the documents contain the personal data of the individual requesting them.
“It will be interesting to see how this case plays out and the impact it could have on the potential conflict between firms’ responsibilities under the U.K. Data Protection Act and any obligations they may have under the Proceeds of Crime Act, which governs money laundering responsibilities.”
Jayne Newton, Director of Regulatory Expertise, Efficient Frontiers International
“Most, if not all, documentation relating to an investigation carried out by a regulator or enforcement authority will contain some personal data about an individual,” she said. “This is undoubtedly true in respect of a suspicious activity report disclosing purported wrongdoing.”
Under the GDPR, data subjects can request access to SARs. However, financial institutions can limit or withhold information altogether where compliance with a request for personal data would reasonably prejudice an official or legal inquiry, investigation, or procedure or contribute to other risks, such as tipping the person off so he or she becomes a flight risk or attempts to destroy other evidence.
Darren Wray, a security and data privacy expert at risk and compliance software vendor DFIN, believes Delo should have been granted access to the SARs for two key reasons: The evidence contained within them was used to risk profile him, and that risk profile subsequently informed Wise’s decision-making processes to close his account.
Wray believes Delo’s claim is justified under Article 22 of the GDPR, which says data subjects “shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.”
“It is difficult to see such a standard procedure as creating SARs could fall under an exception in this case unless the data controller could demonstrate the SARs were produced as part of a pre-existing law enforcement investigation,” said Wray.
Jayne Newton, director of regulatory expertise at financial crime specialists Efficient Frontiers International, said of interest will be “the impact [the case] could have on the potential conflict between firms’ responsibilities under the U.K. Data Protection Act and any obligations they may have under the Proceeds of Crime Act, which governs money laundering responsibilities.”
Newton said this case will be a reminder that nominated officers within regulated firms must ensure procedures are in place to prevent information relating to SARs being released unless explicitly authorized.
But she added a degree of uncertainty remains; for example, there is no statutory definition of what constitutes “suspicion,” so a firm’s decision on whether to file a SAR is dependent on judgment.
“No doubt, this case highlights the need for firms to have well-trained teams that generate well-written SARs with effective processes, procedures, and controls that are robust enough to withstand regulatory and potentially external scrutiny,” said Newton.