Inaccurate information on due diligence databases
If inaccurate, defamatory, unfair and/or outdated information is recorded against your name on a so-called 'due diligence' 'risk' or 'compliance' database we can help you seek its removal.
We are frequently instructed by UHNWIs, HNWIs, public figures and 'Politically Exposed Persons' (PEPs) to complain about the content held on such databases. In an number of instances we have issued High Court proceedings to compel databases to remove offending content.
The inception of the General Data Protection Regulation (GDPR) in May 2018 and subsequent UK GDPR has made it easier for individuals to assert their data protection rights to object to the inclusion of false or outdated information about them in risk/compliance databases. The inclusion of inaccurate information on databases may also give rise to claims for defamation.
The prevalence of due diligence/risk/compliance databases
In most jurisdictions, businesses operating in regulated industries – including financial institutions, banks and many professional services firms – are required to carry out checks, including anti-money laundering (‘AML’) checks, on those who use their services. Most businesses which carry out these checks on a regular basis utilise subscription databases. These products, sometimes referred to as ‘risk management, ‘intelligence’ or ‘compliance monitoring’ databases, are commonly marketed as a ‘one stop shop’ for their users’ risk and compliance obligations, enabling users to assess current and potential customers and to avoid those individuals and businesses who may pose a risk.
Risk management databases vary enormously in scope, detail and intelligence. Some merely aggregate data that is (or was) publicly available (typically on the internet). Others also include data obtained from non-public (usually governmental) sources, such as worldwide sanctions lists and PEP monitoring. Most comprise very large datasets compiled over a number of years. Whilst this may be attractive to users – who want to use a database containing as much information as possible – herein also lies the problem. Broadly speaking, this is manifest in two ways, which are set out below.
Data that should not be included in the database
Many risk management databases contain information that simply should not be included, either because its inclusion is unlawful, and/or because the data itself is inaccurate or irrelevant (in other words, it is ‘bad’ data).
In many instances, those operating risk management databases (who are ‘data controllers’ under the UK GDPR) fail to comply with their data protection obligations in respect of personal data at the point at which that data is first included in the database.
Pursuant to the UK GDPR, data must always be processed (i.e., used, or communicated to others) “lawfully, fairly and in a transparent manner in relation to the data subject” (Article 5(1)(a)). Just because the particular data may appear relevant and/or it might be useful to the database’s users, does not in and of itself justify the inclusion of that data in the database. Rather, the processing must be done in accordance with the ‘principles’ set out in Article 5 of the UK GDPR. It must also be done ‘lawfully’, which means the specific processing must fall within one of the categories (a) to (f) listed in Article 6(1) of the UK GDPR. It seems that data controllers operating risk management databases commonly fail to consider their obligations under these principles and select data for inclusion solely based on whether it appears it could be relevant.
Where data about an individual is added to a database, that is usually done without the knowledge or consent of that person (who is referred to as the ‘data subject’). In such circumstances (i.e. where the data has been obtained from another source), the data controller must also comply with the requirements of Article 14 of the UK GDPR, which obliges them to notify the data subject and provide the data subject with certain information about the processing. Data controllers operating risk management databases rarely, if ever, comply with this obligation.
Insufficient review mechanisms
Naturally, the data controller’s obligations do not end once the data has been added to the risk management database. Pursuant to Article 5 of the UK GDPR, they are obliged to ensure, inter alia, that personal data is kept up to date and that inaccurate data is erased or rectified without delay. In practical terms, this means that risk management databases should have sufficient mechanisms to perform ongoing review of the data contained within them.
Data continually goes out of date. Certain categories of data are prone to become out of date relatively quickly – such as addresses, PEP status, list of associates and corporate connections etc. Other types of data, such as news stories that mention the individual concerned, will become old but may remain relevant and it may be in the public interest for them to continue to be published, although this must always be balanced against the data subject’s rights. In some instances, however, outdated reports will create a misleading impression if they are presented without context and/or an account of subsequent events. If an individual was accused of a crime, for instance, for which they were subsequently exonerated, a press report detailing the original charge – without any other information – would present a grossly misleading impression. Reviewing this sort of data is more complex and requires a more nuanced and considered approach, and the obligation to perform it on an ongoing basis is a burdensome one for risk management databases with very large datasets. Unsurprisingly, risk management databases are not generally good at carrying it out.
Repercussions for data subjects
There are many ways that ‘bad data’ may end up in a risk management database. Databases which aggregate ‘adverse’ media reports pick up and republish negative news stories about an individual, often without considering context or bias. For example, it is common for high profile individuals living in exile to be subject to false negative propaganda by a hostile regime (e.g. Russian dissidents living in London). Risk management databases may republish those reports having failed to consider their source. Similarly, it is common for risk management databases to republish reports of unfair or politically motivated allegations. In those instances, the mere fact that allegations have been made might be correct, but publishing it to those who do not understand the political context (and, in doing so, endorsing it) will nevertheless be inherently unfair to the data subject. This is before one considers that the imputation drawn from repeating such allegations will often be one that imputes guilt (or something approaching that) and thus also amount to inaccurate data processing.
Fully complying with their obligations under Articles 5, 6 and 14 of the UK GDPR would of course place a significant burden on those operating risk management databases and increase their costs. It is not difficult to understand why they might cut corners. Unfortunately, this results in incorrect and irrelevant data making their way into these databases, often remaining there for many years. Such data is then relied upon by the databases’ users, often to the detriment of the data subject.
So, what, in practical terms, does this mean for those about whom bad data is included in a risk management database? Of course, many high-net-worth individuals and (current, or former) PEPs will be used to appearing in risk management databases. Others will be unaware that they are included. Either way, in many instances an individual will not know that one or more of the risk management databases contains inaccurate or unfair data relating to them until funds are frozen and/or they are refused banking or other services. At best this will be inconvenient and embarrassing; at worst it could cause significant financial loss.
Data subjects are not without recourse. Under the UK GDPR, proceedings can be brought to compensate an individual who has suffered damage and/or distress. The Court also has the power to require data controllers to erase or amend personal data. In certain circumstances, there may be an additional claim for libel. An alternative to civil litigation is a complaint to the Information Commissioner's Office (ICO), which can compel a data controller to cease processing personal data where it determines there has likely been a breach of data protection legislation.
How to take action
If you are concerned that a database may be publishing inaccurate, unfair and/or outdated information that amounts to defamation, the first step will be to ascertain precisely what data is being published in the relevant database(s) by making a data subject access request (DSAR). We can assist you with this. An assessment can then be carried out of the legal merits of the processing and any objection that should be raised.
Why should I instruct Brett Wilson LLP?
In short, to ensure that you have the best team fighting for you and to maximise your prospects of success. Data protection and defamation law is notoriously complex and it is generally ill-advised to instruct non-specialist lawyers. Our work and client care is of the highest standard. All cases are run by a specialist media and communications law solicitor. Every matter has partner involvement. If there is a good settlement to be negotiated, we are confident we are well placed to achieve it. If there is a case to be litigated, we are confident we can help you seek the best result.
When your claim is asserted on Brett Wilson LLP's letterhead, you can be sure it will be taken seriously. We have advanced many defamation and data protection claims against such databases and are well-respected by defendant lawyers. Where a database has made a mistake it will often be possible to reach a relatively prompt resolution. Where this is not possible and it is necessary to go to court, we have long-standing working relationships with the best media law QCs and junior barristers and can draft them into your team.
As well as being listed in the prestigious Legal 500 and Chambers and Partners directories as a leading firm in the fields of defamation, privacy and reputation management law, partners Iain Wilson, Max Campbell and Tom Double, together with solicitor Elisabeth Mason, are all individually recognised as leading individuals. Most importantly, we receive excellent feedback from our clients and contemporaries.
Litigation can be stressful, time consuming and costly. Therefore at the outset of your case we will conduct a cost benefit analysis with you. We will talk you through this process. We offer honest and pragmatic advice to our clients. We will always consider alternative options, including asserting other causes of action, approaching intermediaries or PR work.
How do I instruct Brett Wilson LLP?
To contact ourdefamation solicitors please send us an email, complete our online enquiry form or call us on 020 7183 8950. If emailing or using the online form, please provide a short outline of your situation.