The Panama Papers – Reconsidering Privacy vs. Transparency

Luise Hasse, Regent’s University London

17 December 2018

In 2015, a historical leak shook the world – An anonymous source, calling itself “John Doe”, leaked over 11.5 million documents by the Panamanian law firm Mossack Fonseca which contained confidential, private, and financial information, of almost 215,000 offshore entities. It has been the biggest data leak in human history. Various legal investigations and trials were initiated against Mossack Fonseca, the Panamanian government, the entities revealed in the papers, the publishers of the papers – but none for the source of the leak. “John Doe” cooperated with its Prosecutors to be legally protected from any trials in exchange for helping investigations against Mossack Fonseca. However, according to international law, leaking would be considered a criminal activity and be subject to substantial trials. What is even more important – the crime initiated various debates related to transparency and privacy, two concepts that conflict heavily on both a legal as well as ethical, basis. This essay intends to discuss what should have been considered within the complexity of such a case and shed light on what actions should be taken in future cases.

Legal Considerations

By definition, a cybercrime is a “crime that involves a computer” (Moore, 2005). Furthermore, we can characterise such crime as an offence “that [is] committed against individuals or groups of individuals with a criminal motive to intentionally harm the reputation of the victim or cause physical or mental harm, or loss, to the victim directly or indirectly, using modern telecommunication networks such as Internet […] and mobile phones […]” (Halder & Jaishankar, 2011). Since in this case the intention was to actively harm the law firm and its clients, the source would be subject to mens rea, accompanied by a wrongful state of mind.

Leaking is illegal in the Panamanian state, according to the Budapest Convention on Cybercrime Act which was signed in November 2001. As the Criminal Code of Panama states, consequences apply when “publicly disclosing correspondence, recording or private documents and personal information without the corresponding authorisation and not intended for marketing purposes and resulting in damages”. (Art. 166 of the Criminal Code)

Equally, other types of crime have been conducted in this context: “hacking” as unlawful access to a computer system by the source (Art. 289), data interference as a violation of the integrity and interference of data (Art. 290, 291), and identity theft as a way of stealing private data such as Social Security Numbers (SSN), passport numbers, Date of birth, addresses, phone numbers, and passwords for non-financial and financial accounts (Art. 292). Furthermore, the disclosure of business secrets through data has been part of the activity as well. (Art. 288 of the Criminal Code)

Even though financial and private information had been revealed for more than 214,000 offshore entities by the journalists, and while the German state was paying large sums for unlawfully obtained data, it has been ruled legal by Germany’s constitutional court, which remains controversial. (BBC, 2017)

However, cybercrime is “international” or “transnational” – meaning that there are “no cyber-borders between countries” and therefore the leak should not have been upheld as legal and been unconsidered in the first place. (Telecommunication Development Sector, 2009)

Ethical Considerations

However, the source “John Doe” could not be traced, as the German newspaper “Süddeutsche Zeitung” and other Prosecutors protected its source, or at least claimed not to have had information about the identity. Hence, all legal trials involved in this case have only been put forward in relation to the victims of the Panama Paper leak – some of the Mossack Fonseca shell corporations were used for illegal purposes, including fraud, tax evasion, and evading international sanctions.

Furthermore, if we see the situation from an ethical, utilitarian point of view, we would be considering the greater good for the greater number of entities, to be the right action to take. We will have a closer look at the individual participants’ roles and weigh them against each other.

Fraguela Alfonso, President of the Panama’s Lawyers Movement had called the leak a direct attack on the country’s financial system. The Panama Papers leak was seen as a case of “cyber bullying” and labelled as an attack on the “Panama brand” in a press conference. Samid Dan Sandoval, the former candidate for Mayor of Santiago de Veraguas in 2014, filed the legal action against the journalists and all those who had participated. He said that the project’s name damaged the dignity, integrity, and sovereignty of Panama. More than that, the consortium would have to undertake legal responsibility for all damage caused to the Panamanian state.

However, it could be argued that the interference was a positive step towards providing transparent information for the general public and to counteract illicit acts conducted in relation to the Panama Papers – at least this was perceived as being the intention of the leak.

However, the privacy and data of Mossack Fonseca as well as their clients has been invaded and revealed in this leak, and this needs to be taken into consideration.

In addition to this discussion, we need to consider International Law that lacks an ethical understanding in relation to cybercrime.

Conclusion

We come to the conclusion that, to some extent, international law should find broader solutions in such complex cases.

As the European Commission Proposal on AMLD4 stated: “Anonymous companies and trusts have an impact on everyone in society, and we believe that the Panama Papers demonstrate that everyone should be able to access this kind of information. The Court of Justice of the European Union ruled in 2012 that the right to protect personal data should be considered in relation to other societal interests and balanced with other fundamental rights […]”. In other words, people possess the right to keep their financial affairs a secret as long as financial crimes are prevented. Hence, personal data should only be made public when it is justified or necessary for a legitimate purpose.

As a result of this, the GDPR on data protection was enforced in 2016 after the Panama paper leak which had a positive impact on data privacy and data transparency from a user perspective. Additionally, cyber security budgets have been increased in many major institutions to protect data privacy even further.

It still remains a major burden to weigh these two conflicting concepts against each other. In the case of the Panama Papers, the leak could even be legitimised using the consideration of a lack of transparency where criminal activities were involved. However, it remains difficult to measure if or how, the positive impacts on society outweigh the harm caused to those affected individuals or the Panamanian state and whether or not it can be justified. No trial has been conducted due to a lack of information and international protection of the source. Future legal concepts should allow transparency under certain conditions that do not cross privacy borders.

References

  • BBC News. (2017). Germany ‘pays millions’ for Panama Papers. [online] Available at: BBC – World Latin America [Accessed 30 Oct. 2018].
  • Guillaume Lovet Fortinet, Fighting Cybercrime: Technical, Juridical and Ethical Challenges,VIRUS BULLETIN CONFERENCE, 2009.
  • Halder, D., & Jaishankar, K. (2011) Cyber crime and the Victimization of Women: Laws, Rights, and Regulations. Hershey, PA, USA: IGI Global.
  • Moore, R. (2005) “Cyber crime: Investigating High-Technology Computer Crime,” Cleveland, Mississippi: Anderson Publishing.
  • Pastoral.at. (2016). European Commission Proposal on AMLD4. [online] Available at: Pastoral website [Accessed 30 Oct. 2018].
  • Understanding Cybercrime: A Guide for Developing Countries,ITU Telecommunication Development Sector, 2009.
  • Warren G. Kruse, Jay G. Heiser (2002). Computer forensics: incident response essentials. Addison-Wesley. p. 392.