Data protection: the next Y2K?
Transatlantic friction over data protection isn’t exactly a new problem – the industry has been faced with pending regulations for over a decade, but the conflicting demands of European data privacy and US intelligence gathering legislation are coming together to make the issue a serious problem for banking technologists
Until recently it has been possible to ignore these developments, or at least wish that they did not apply to the banking industry or their data providers. However, new proposals from the EU may well bring the long-simmering pot to boil over and it’s time to take these issues seriously.
With EU fines of up to 2% of global financial turnover for breaches, professionals should examine the changes, costs and upgrades to their operating models and supplier contracts today.
The heat began to rise again in December of last year when the Obama administration gave everyone a quiet Christmas present, in the renewal of the Foreign Intelligence Surveillance Act. FISA gives US authorities, including the National Security Agency, FBI and CIA, the ability to delve deep into the data mines of cloud and data providers containing the files of non-US citizens without any public warrant for, broadly defined, ‘political purposes.’ This means that, if you live outside the US but use US based companies, your data can be freely inspected by US-authorities. If the data centre provider is incorporated in the USA, your data can be turned over to the US authorities, even if the server is physically based elsewhere. The plot thickened when it was publicised by Microsoft that loopholes in the current EU data protection rule offer no protection.
In mid-February, Brussels let it be known that its data privacy gloves were off, and that it was going to take a bold new direction. Viviane Reding, the EU Commissioner for Justice, reiterated that “data protection is a fundamental right in Europe” and asserted that “exempting non-EU companies from our data protection regulation is not on the table.” Recent European legislative developments certainly support this statement, explicitly stating loopholes will be closed. In other words, a big step up for data protection is in the works.
The Directive, ‘to ensure a high common level of network and information security’, and the Cybersecurity Strategy of the European Union released in February, aim to complement and supplement the pre-existing Data Protection Regulation. Taken together, this data privacy ‘suite’ has not only a purpose in Europe, but also globally to “promote the fundamental rights and EU core values abroad”.
The Directive outlines onerous requirements for “market operators”, defined “non-exhaustively” as banking/credit institutions, financial market infrastructures, e-commerce platforms, cloud computing services and application stores. They must report breaches to the national authorities, at the same time providing documented security policies on how their networks and information systems are secure. If firms get this wrong, as with the data protection regulation, they may be fined up to 2% of their global turnover for breaches and potentially have their transgressions made public.
As if this wasn’t enough, firms still have the looming Data Protection Regulation to implement. Due to commence from 2014, but more likely to take hold in 2015, it defines data protection as a “human right” and includes the “right to be forgotten”. These aren’t small asks, requiring firms to inform clients, or ‘data subjects’ of the legal reasons for their data processing, and to appoint a data protection officer to oversee the process.
The bottom line is that this is very different from previous data protection BAU and firms need to re-examine how the business controls not only email, social media and personal computing, but also payroll, sales and marketing, AML and, yes, even regulatory reporting.
What is likely to change? Firstly, data management controls, monitoring and record keeping strategies will need to be revisited.
On top of this, firms are going to have to assess the impact of notifying these data subjects of what exactly is being done with their data, and the burdens on their systems – not only to report this, but also to maintain it. Most importantly, firms will have to ensure the integrity and security of data transfer to foreign jurisdictions, including maintaining appropriate data for required periods, and instituting rectification and blocking procedures.
Europe’s regime is by no means settled yet, but it will quickly become a reality. Though politics, lobbying and transatlantic friction will undoubtedly still shift this landscape, firms need to figure out what the implications of EU data protection regulation might mean for their suppliers, contractors and customers, especially when their data is maintained by a US supplier, crosses a US border or is held by a US subsidiary in the EU.
If you haven’t started looking at this one yet, it’s time to put your antennae up and start scoping the size of what could be as big as another Y2K. Stay tuned …
This article will appear in the February edition of RegTech, a regular section in Banking Technology magazine produced in partnership with regulatory think-tank JWG.