Privacy Laws from Across the Pond: Scoping Out the GDPR; No Further Delay of DOL Fiduciary Duty Rule, But Limited Enforcement Until 2018
The internet has made the world both smaller and more complex. The opportunity that mobile and online banking can offer credit unions and their members is powerful, but as Spiderman (the absolute lamest of all superheroes) once said -- with great power comes great responsibility. The NAFCU Regulatory Compliance Team has had a handful of credit unions reach out to ask what, if any, responsibility they might have under the European Union's new General Data Protection Regulation (GDPR). Today we're going to take a very high-level look at the scope of the GDPR, so credit unions can begin to figure out whether they will be affected.
Background
In 1995, the European Union adopted the Data Protection Directive 95/46/EC, ominously referred to as "the Directive" in many publications, establishing the right to privacy of one's personal data. Each member state in the EU adopted its own laws and regulations to implement the Directive, creating a patchwork of privacy laws across Europe. In 2012, the EU sought to harmonize and update European privacy regulations and proposed the GDPR. The GDPR was finalized on May 24, 2016, and the deadline for compliance will be May 25, 2018.
Scope
The Directive applied mostly to organizations that had an establishment or "means of processing" physically located within the EU. The GDPR, however, expands the application of EU privacy law to organizations not located in the EU, but doing certain business in the EU.
For entities that do not have an establishment in the EU, the GDPR applies to any organization that processes the personal data of natural persons in the EU under two circumstances: 1) when offering them goods or services, even if it's not in return for payment, or 2) in monitoring their behavior which takes place within the EU. See, EU Regulation 2016/679, Ch. 1, Art. 3(2).
Definitions
The GDPR defines "personal data" as any information relating to an identifiable natural person. It does not cover anonymized data. "Processing" means any operation (or set of operations) performed on personal data, whether automated or not. This can include collection, storage, disclosure, use, erasure or destruction. The GDPR contains requirements both for entities that "control" personal data and for entities that "process" it. A controller is the entity that determines the purpose and means of the processing of the data. The processor is the entity that actually does the processing. So if a vendor processes data on behalf of the credit union, both the credit union and the vendor might be subject to the GDPR. See, EU Regulation 2016/679, Ch. 1, Art. 4(1)-(2) and (7)-(8).
Regarding what constitutes offering goods or services, the GDPR states that this is a case-by-case determination. Merely offering website accessibility of a service in the EU does not necessarily trigger the GDPR. However, offering a service or product in EU languages (other than those generally used in the US) or currency, or marketing the availability of goods or services to those in the EU are factors indicating the GDPR may be triggered. See, EU Regulation 2016/679, Rec. 23. The question boils down to whether the factors indicate that the credit union envisions offering goods or services to persons in the EU or not.
As with offering goods or services, what constitutes monitoring behavior is also determined on a case-by-case basis. Examples of monitoring behavior can include tracking an EU resident on the internet or using data processing techniques to profile an individual in the EU. See, EU Regulation 2016/679, Rec. 24. This could include lots of e-commerce trackers, cookies and other tools credit unions might use in website analytics.
The GDPR casts a pretty wide net, but there are lots of wrinkles involving various kinds of data processing, consent, and international jurisdictions and enforcement. Credit unions that think they may fall within the scope of the GDPR may want to consult with counsel or a consultant experienced with international privacy law to determine whether their activities fall within the GDPR and whether compliance would be appropriate.
In the meantime, here are some resources on the GDPR:
- Full-text, English language version of the GDPR
- KattenMuchinRosenman's Client Advisory on the GDPR
- White & Case's Unlocking the EU General Data Protection Regulation: A Practical Handbook on the EU's New Data Protection Law
- DigitalGuardian's GDPR Infographic
- PwC's Safe Harbor and GDPR Action Plan one-sheet
No Further Delay of DOL Fiduciary Duty Rule, But Limited Enforcement Until 2018
In a Wall Street Journal op-ed, Labor Secretary Acosta stated that there was no legal basis to further delay the first implementation phase of the Fiduciary Duty Rule, and that it would go into effect on June 9th. The DOL will continue to review the rule as required by President Trump. However, the DOL also issued a Field Assistance Bulletin describing its temporary enforcement policy for the rest of the year: "the Department will not pursue claims against fiduciaries who are working diligently and in good faith to comply with the fiduciary duty rule and exemptions, or treat those fiduciaries as being in violation of the fiduciary duty rule and exemptions."