The European Parliament has voted for an overhaul of outdated data protection laws, but banks are grappling with some uncertain implications

What’s happening?

On March 12, 2014, a plenary session of the European Parliament voted through a new data protection directive and regulation. The package would replace EU legislation dating from 1995, well before the era of mass internet usage, and harmonise a patchwork of 28 national codes; the EU estimates the savings at €2.3bn per year. Although the legislation is partly targeted at the use of personal data by social media websites, retail financial institutions also store considerable amounts of very sensitive data, including salary details.

Under the directive, citizens would be given what the European Commission (EC) called a “right to be forgotten”, and companies would need explicit consent before processing customer data. The EC's proposal was one of the most heavily amended ever at the European Parliamentary stage, highlighting the contentious and complex nature of the legislation.

Forgotten something?

Just one day earlier, the European Parliament had also approved the fourth anti-money-laundering directive (AMLD IV). That requires financial institutions to keep customer details for five years after the end of the customer relationship, in case they are needed for a criminal investigation into money laundering.

“The data protection directive might have received much more attention from banks and finance ministers if it had not been for so much other legislation going through, such as banking union. This directive reverses the commercial priority for banks onto consumer protection. Normally banks have received a prudential carve-out from data protection rules, but not this time,” says a government affairs specialist at one international banking group.

However, Brian Dilley, global head of AML services at KPMG in London, believes AMLD IV still holds sway. The draft AMLD specifically states that EU or national legislation may “restrict the scope of the obligations and rights provided for in the draft regulation [on data protection] on a number of specified grounds, including the prevention, investigation, detection and prosecution of criminal offences.”

“AMLD IV seeks to dispel the myth that data protection rules prevent banks from fulfilling AML obligations – it makes clear they are required to manage financial crime risks first and foremost. Relevant data must be kept for the duration of the customer relationship and five years beyond, even if the customer requests the deletion of information during that period,” says Mr Dilley.

Management headache

Even so, Mr Dilley says many banks are undertaking remediation exercises so that their data storage and management processes can handle the twin demands of AMLD IV and data protection rules. Many have struggled, he says, to ensure that the data they have is up to date, so knowing when to retain or delete it is even more of a challenge.

Banks may have a head start over other sectors, however. This is especially true in countries that have established robust conduct enforcers, such as the UK’s Financial Conduct Authority (FCA).

Rageometer

“The data protection directive may not be such a big step for retail banks in the UK, because they already have to comply with the FCA’s regulatory regime for ring-fencing and securing private customer data. The FCA has generally been more rigorous than the Information Commissioner about investigating and fining banks for poor controls over customer data,” says Dan Reavill, head of the technology practice at law firm Travers Smith.

Mr Reavill is unsure how far customers will make use of the “right to be forgotten” in the new EU legislation. The UK’s Data Protection Act already allows customers to request the deletion of their personal information, but customer awareness of this appears to be low. However, he thinks the need to ask for explicit consent to share data could be more problematic.

"From time to time, banks may find themselves legally compelled to provide protected data to regulators or the police, for instance in the context of a live criminal investigation or in the face of a court order. But this can sometimes be a fine line to walk and of course the banks cannot request customer consent as this could constitute aiding an alleged criminal," says Mr Reavill.

What happens next?

The European Commission described the data protection directive as “irreversible” following the parliamentary vote. But this is partly a rhetorical flourish. EU legislation must also be agreed with the Council of the European Union (the Council of Ministers), where member state governments are represented. Normally, a text would be agreed between the two institutions before the parliamentary vote, but with European elections due in May 2014, the European Parliament short-circuited the process by voting on its own position first.

“Compared with the parliament’s strongly pro-consumer stance, the council’s draft was much more pragmatic, and member state governments are concerned about a law that is too bureaucratic to be workable. That means the two positions are still a long way apart, so a lot of compromise is needed before this will be written into national laws,” says Mr Reavill.

The Banker is a service from the Financial Times.