Beginning May 25, 2018, the European Union (EU) and the European Economic Area (“EEA”) will enforce the General Data Protection Regulation (“GDPR”) as part of a comprehensive scheme to regulate the collection and processing of data relating to EU residents. An essential part of the banking industry is the collection and processing of personal information about future, existing and former customers, i.e. data subjects, in order to provide financial services. U.S. banks based outside the EU which provide services or goods to EU residents, or monitor their online behavior, will now have to fulfill certain duties under the GDPR in addition to those mandated by U.S. federal laws and regulations. Banks and their third-party vendors can be data controllers and data processors, so understanding their rights and obligations while operating in Europe is important to reduce their risks. In this article, we highlight the GDPR articles that will impact U.S. banks processing data related to EU residents.
Territorial Scope. The GDPR extends its coverage to persons and organizations that are based outside the EU but process data related to EU residents, either for the purpose of offering goods or services to them or for monitoring their behavior within the EU, regardless of whether the bank has an establishment in the EU. Receiving payment for the goods or services is not required. Under the GDPR, monitoring includes profiling, in particular to make decisions about individuals or to analyze or predict their personal preferences, behaviors and attitudes. Factors for determining territorial scope include, but are not limited to, the use of a language or currency of one of the Member States together with the possibility of ordering goods or services in that language, or the monitoring of customers who reside in the EU. However, the mere accessibility in the EU of the bank’s, or its data processor’s, website, of an e-mail address or other contact details, or the use of a language generally used in the third country where the bank is established, is insufficient on its own. Covered banks are now required under the GDPR to designate, in writing, a representative in the EU. Both controllers and processors are subject to this requirement.
Grounds for Data Processing. Data processing must be adequate, relevant and limited to what is necessary for its purpose. In order to lawfully process data about EU residents, banks must rely on one of six grounds: consent; necessity for the performance of a contract with the data subject; necessity for compliance with a legal obligation under EU or Member State law; protection of the vital interests of the data subject; performance of a task carried out in the public interest or in the exercise of official authority; and legitimate interest. The legal obligations and public-interest tasks that qualify will be laid down by the law of the EU or of the Member State to which the data controller is subject.
- Consent and Notices. The GDPR expands on the Directive’s definition of consent and attaches stricter conditions to it. As a result, financial institutions will need to obtain and preserve proof of data subjects’ unambiguous, informed, affirmative, specific and freely given consent. Where consent is the lawful ground relied upon, banks based outside the EU must obtain separate consent from the customer for each distinct processing purpose before they collect, process or share personal data related to EU residents. As a practical matter, this means that where account opening, or verification by a credit reference bureau or a third-party verification provider, rests on consent rather than on another lawful ground, the EU resident must consent before it takes place. Consent can be given by a written statement, including by electronic means, by an oral statement, or by a clear affirmative action. Explicit consent is required for certain activities, e.g. automated decision-making including profiling that is based on consent, or processing of sensitive (special category) data. Banks must inform customers of the purposes of processing, and when the processing has multiple purposes, consent should be given for all of them. Institutions may not condition the provision of a service on consent to processing that is not necessary for that service. The GDPR adds new conditions to consent, including the individual’s right to withdraw consent at any time and as easily as it was given.
The GDPR adds to, and in some cases contradicts, financial institutions’ existing obligations under the Gramm-Leach-Bliley Act, 15 U.S.C. Subchapter I, §§ 6801-6809 (1999) (“GLBA”). The GLBA regulates financial institutions’ management of consumers’ non-public “personally identifiable financial” information (PIF). While the GLBA gives U.S. customers the right to opt out of having non-public PIF shared with nonaffiliated third parties, subject to exceptions (e.g. marketing, processing, or legally required sharing), U.S. banks operating in Europe need an express opt-in from EU residents when consent is the only available lawful ground for processing. Banks should avoid pre-ticked boxes on their websites, as these are no longer a valid form of consent. Notably, decisions based solely on automated processing, including profiling, that produce legal effects or similarly significantly affect individuals (e.g. automated refusal of online credit) are only allowed if suitable safeguards are implemented (at least the right to obtain human intervention, to express his or her point of view and to contest the decision), and if based on one of the following legal grounds: (1) the individual’s explicit consent; (2) Member State or EU law; or (3) necessity for entering into or performing a contract with the individual.
Where profiling is used for research purposes, data controllers need to implement appropriate safeguards.
Furthermore, banks must provide customers with a clear and conspicuous notice of their information-sharing practices. In addition to the notice contents required by the Directive, the GDPR requires banks to include additional information: the contact details of the controller, its EU representative and its data protection officer (if any); the legal basis for the processing; an explanation of the legitimate interest where relevant; specific information on cross-border data transfers; the source of the data when not received directly from the customer; and the customer’s rights, including the right to withdraw consent, the right to lodge a complaint, and information on profiling and on processors where relevant. However, unlike under the Directive, a notice meeting the GDPR’s content requirements will likely be sufficient in all Member States.
- Legitimate Interest. Banks must have a lawful basis for all data they collect on EU residents. That may create a direct conflict with banks’ obligations to sift through large amounts of customer data (such as for financial crime, client suitability and regulatory reporting purposes). However, banks can rely on any of the six grounds for lawful processing, including legitimate interest. A legitimate interest may exist where there is a relevant and appropriate relationship between the individual and the bank, for instance where the individual is a client of the bank (Recital 47). The same recital makes clear that processing for direct marketing purposes may be regarded as carried out for a legitimate interest, as long as the interests or the fundamental rights and freedoms of the data subject do not override it. In the financial services industry, legitimate interests may include fraud prevention, stability of the financial system, transparency, preventing market abuse, increasing market integrity, investor protection and combating money laundering. Further examples are intra-group disclosures for internal administrative purposes, ensuring network and information security, and reporting possible criminal acts or threats to public security to a competent authority (subject to secrecy obligations).
Individual’s Rights. The GDPR maintains and strengthens existing consumer rights and creates additional ones. First, consumers have a right to data portability: they can request that a business export their personal data to them, or to a new service provider, in a structured, commonly used, machine-readable and interoperable format. Consumers may exercise this right when processing is based on consent or is necessary for the performance of a contract, and is carried out by automated means. Banks may charge for a copy only when the request is “manifestly unfounded or excessive”. Portability is intended to help consumers understand their own financial circumstances, for instance by allowing personal financial advisors access to banking data, and to protect consumers from being locked into banking relationships.
Second, EU consumers have the right to object to the processing of their data, in effect requiring the bank to stop using selected data: they may object at any time to direct marketing; to processing based on legitimate interests or on the performance of a task in the public interest or the exercise of official authority; and to processing for scientific or historical research or statistical purposes.
Third, in addition to the existing right to have their data erased, EU residents now have the right to be forgotten, which is limited to circumstances where (1) the data are no longer necessary in relation to the purposes for which they were collected or processed; (2) the individual withdraws the consent on which the processing is based; (3) the individual objects to the processing; (4) the data were unlawfully processed; or (5) a law requires the controller to erase the data. If a bank has made the personal data public, it must take reasonable steps to inform other controllers processing the data that the EU customer has requested erasure. Both controllers and processors must comply. The obligation to delete data, however, is not absolute. To continue retaining consumer data, banks may be able to rely on the following grounds: freedom of expression and information, compliance with a legal obligation, reasons of public interest, archiving or research purposes, or the establishment, exercise or defense of legal claims.
Accountability. The GDPR builds accountability into compliance. Banks are required to conduct a Data Protection Impact Assessment (DPIA) for high-risk processing and to maintain a comprehensive data protection compliance program that meets the GDPR’s requirements. Where a DPIA indicates that the processing would result in a high risk that the bank cannot mitigate, the bank must consult the applicable supervisory authority before processing. Banks may demonstrate compliance by adhering to an approved code of conduct or certification mechanism.
A Data Protection Officer must be appointed if Member State law requires it or if the bank’s core activities involve, on a large scale, regular and systematic monitoring of data subjects or processing of sensitive personal data.
Banks have to consider data protection as part of their system design and testing process (data protection by design and by default). The GDPR introduces the concept of pseudonymisation, a privacy-enhancing technique in which personal data are processed so that they can no longer be attributed to a specific individual without additional information, and that additional information is held separately and protected by technical and organizational measures to ensure non-attribution. Applying this safeguard when processing personal data for statistical purposes is one of the measures the GDPR expressly recognizes, although pseudonymised data remain personal data and stay within the GDPR’s scope.
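As an added example (not from the article and not any bank’s code), the following Python sketch shows what pseudonymisation looks like in practice for the statistical use described above: direct identifiers are replaced by a keyed HMAC-SHA256 token, the token-to-identity lookup and the key are held separately from the analytic copy, aggregation runs on the analytic copy alone, and re-identification or erasure goes through the lookup. The customer records, field names and the choice of HMAC-SHA256 are assumptions for illustration; in production the key would come from an HSM or KMS and the lookup would live in a separately access-controlled store.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample records for illustration only; names and IBANs are not real customers.
RAW_RECORDS = [
    {"name": "Anna Schmidt", "iban": "DE00000000000000000001", "country": "DE", "amount": 1200},
    {"name": "Luc Martin", "iban": "FR0000000000000000000002", "country": "FR", "amount": 350},
    {"name": "Anna Schmidt", "iban": "DE00000000000000000001", "country": "DE", "amount": 90},
]

# Fields that directly identify a data subject and must not appear in the analytic copy.
DIRECT_IDENTIFIERS = ("name", "iban")


def make_pseudonym(key: bytes, identifier: str) -> str:
    """Keyed, deterministic pseudonym (HMAC-SHA256, truncated to 128 bits).

    Deterministic so that records about the same person stay linkable for statistics;
    keyed so the token cannot be recomputed from a guessed IBAN without the secret key,
    which is why a plain unkeyed hash would not be an adequate safeguard here.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def pseudonymise(records, key: bytes):
    """Split each record into an analytic row (pseudonym + attributes) and a
    re-identification entry (pseudonym -> direct identifiers).

    Returns (analytic_rows, lookup). The lookup and the key are the GDPR's
    'additional information' and must be stored separately from the rows, with
    access restricted to staff who legitimately need to re-identify a subject.
    """
    analytic_rows = []
    lookup = {}
    for rec in records:
        token = make_pseudonym(key, rec["iban"])
        row = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        row["subject_id"] = token
        analytic_rows.append(row)
        lookup[token] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
    return analytic_rows, lookup


def totals_by_country(analytic_rows):
    """Statistical use that needs no identifiers: aggregate over the analytic copy only."""
    totals = defaultdict(int)
    for row in analytic_rows:
        totals[row["country"]] += row["amount"]
    return dict(totals)


def reidentify(lookup, token):
    """Re-attribute a pseudonym using the separately held lookup (authorised use only)."""
    return lookup.get(token)


def erase_subject(lookup, token):
    """Honour an erasure request for the identity: drop the lookup entry so the
    remaining analytic rows can no longer be attributed to a person.
    Returns True if an entry was removed, False if the token was unknown."""
    return lookup.pop(token, None) is not None


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in production: from an HSM/KMS, never stored with the rows
    rows, lookup = pseudonymise(RAW_RECORDS, key)
    print(rows[0])                  # no name or IBAN, only subject_id and attributes
    print(totals_by_country(rows))  # {'DE': 1290, 'FR': 350}
    tok = rows[0]["subject_id"]
    print(reidentify(lookup, tok))  # works while the lookup entry exists
    erase_subject(lookup, tok)
    print(reidentify(lookup, tok))  # None: the row is no longer attributable
```

Two design points matter for the GDPR analysis. The token is deterministic per key, so the two rows about the same customer remain linkable, which is what statistical work needs, but that linkability is itself why the data stay personal data. Rotating the key, or deleting the key and the lookup together, is what turns the analytic copy into data that can no longer be attributed to anyone.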
Banks are prohibited from storing personal data longer than necessary for its intended purpose, with an exception for data kept solely for archiving in the public interest, scientific or historical research or statistical purposes, subject to appropriate safeguards; encrypting the data does not by itself extend the permitted retention. That may seem to conflict with banks’ existing obligations, as financial institutions, under anti-money-laundering laws to retain certain categories of records for a specific period. For example, the Bank Secrecy Act requires banks to keep records that have a “high degree of usefulness” in investigations or enforcement actions, and records related to extensions of credit in excess of $10,000, for five years. Such records include the borrower’s name, address, credit amount, purpose and date of the credit. Banks do not need the consumer’s consent for this retention, because compliance with such laws can be relied on as a legitimate interest.
Banks have a duty to maintain records of processing activities detailing the purposes of processing the data of EU residents; the process of selecting their processors; the categories of individuals and of personal data; the recipients or potential recipients within and outside the EU; the appropriate safeguards for transfers; the expected time limits for erasure; and the security measures applied. Such records must be provided to the EU Data Protection Authorities (DPAs) upon request.
Data Transfer outside the EU. The GDPR permits transfers of personal data outside the EU as long as a qualifying mechanism and appropriate safeguards are used, e.g. an approved code of conduct or certification mechanism combined with binding and enforceable commitments by the controller or processor in the recipient country to apply the safeguards. Not only does the GDPR recognize Binding Corporate Rules and Model Clauses, it also gives a significant role to codes of conduct and certification mechanisms as evidence of compliance. Prior authorization is no longer required for a transfer based on an approved safeguard. U.S. banking institutions operating in Europe remain responsible for ensuring confidentiality and compliance with the GDPR. In drafting contracts with data processors, consider requiring processors to obtain the bank’s prior written consent before engaging any sub-processor. That consent can be specific or general; for instance, a general authorization for sub-processing in the data processing agreement may be sufficient, provided the processor informs the bank of any intended changes so that it can object. Banks should retain the right to audit their data processors, and are now obligated to appoint only processors that provide sufficient guarantees of compliance.
Data Breach Notification. A personal data breach means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. When consumers’ personal data are compromised, banks must notify the DPA without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach; a later notification must be accompanied by the reasons for the delay. There is no obligation to report the breach to the DPA if it is unlikely to result in a risk to the rights and freedoms of individuals, but every breach must be documented internally.
On the other hand, if the breach is likely to result in a high risk to the rights and freedoms of individuals, banks must also notify the affected individuals without undue delay, unless certain exceptions apply (e.g. the data were protected by security measures such as encryption, the controller has since taken measures so that the high risk is no longer likely to materialize, or notifying would involve disproportionate effort and individuals have been informed via a public communication). Although the GDPR does not define the two levels of risk to the rights and freedoms of individuals, it is advisable to treat a breach of banking data as high risk to the customer’s rights, including the right to privacy. A third-party processor must notify the bank for which the data were processed without undue delay after discovering a breach of data in its possession. That means processors must report all breaches to the bank, which then makes the risk assessment. The EDPB is expected to issue guidance on data breaches.
Liability and Fines. Unlike under the Directive, where data controllers were solely responsible for the acts of their data processors, liability is now placed directly on data processors where they are responsible for the damage. Data processors may only be liable to an EU consumer if they did not comply with the processor-specific GDPR obligations or acted outside or contrary to the bank’s lawful instructions. Joint controllership, with its shared responsibilities, arises only where two organizations jointly determine the purposes and means of processing. In drafting their agreements with data processors, banks should address each party’s obligations in terms of compliance.
The GDPR imposes substantial fines for violations of its provisions and for non-compliance with certain orders of a DPA. A bank’s non-compliance may be sanctioned with a fine of up to €20 million or 4% of the bank’s total worldwide annual turnover for the preceding financial year, whichever is higher. Certain other violations can result in fines of up to €10 million or 2% of annual turnover, whichever is higher. The amount will depend on various criteria, including the severity and duration of the violation, whether it was intentional or negligent, any mitigation measures, the categories of personal data affected, the degree of cooperation with the DPA and previous violations by the same controller or processor.
One-Stop Shop. Unless specific national-law considerations apply, if a bank’s activities in the EU substantially affect consumers in more than one Member State, the supervisory authority of the Member State where the bank has its main establishment will act as the lead authority for all cross-border processing that affects those consumers. The location of the management functions relevant to data processing, e.g. where one company controls the operations of a group, is a factor in determining the “main” establishment.
In conclusion, banks must consult the special rules of EU Member State law, which may particularize or liberalize the GDPR in areas such as the designation of the controller (where the purposes and means of processing are determined by EU or Member State law, those laws may set specific criteria for nominating the controller), additional restrictions on individual rights, data breach obligations, automated decision-making and the definition of legitimate interest.
Contributed to Gulfoilandgas.com by
The author is a Gulfoilandgas.com contributor. The opinions expressed are those of the writer.