- Current proposals will bring a wave of unmeritorious claims
The U.S. government has said that the European Commission’s standard contractual clause (SCC) proposal could have “a chilling effect” on the regulatory oversight of financial institutions, but experts are less convinced.
In July, the Court of Justice of the European Union invalidated the EU-U.S. Privacy Shield, which means that companies can no longer rely on the framework when transferring data between the EU and the United States. However, the European court ruled that companies can use SCCs to ensure data protection when transatlantic data transfer takes place.
Last November, the European Data Protection Board (EDPB) and the European Commission opened public consultations on draft recommendations on supplementary transfer tools and on a proposed decision on SCCs, respectively.
In its submissions to the consultations, the U.S. government argues that the proposals “could have a chilling effect on regulatory oversight of many U.S. and EU institutions, such as the oversight of financial sector enterprises and the safety of financial markets”, which plays a critical role “in identifying money laundering, terrorist financing, and other financial crimes.”
In essence, the U.S. government’s submissions ask to modify a requirement that obliges data importers to challenge any government agency request whenever there are grounds to do so or the country’s law allows it.
According to the U.S. government, the requirement would put an enormous litigation burden on companies, ultimately resulting in “a relentless wave of unmeritorious challenges.”
As companies have contractual liability to bring these requests to court and contest them, the proposals may be read as a rejection of all requests for voluntary cooperation in emergency situations.
In addition, once the legality of a government disclosure order is confirmed, companies are allowed to share only the minimum amount permissible. Facing the risk of being sued for breach of contract, companies may decide to withhold information, the U.S. submission adds.
Although the U.S. government alleges that these obligations relating to voluntary information requests may hinder the oversight of the financial sector, Gary LaFever, CEO at Anonos, points out that Article 49.1(d) of the General Data Protection Regulation (GDPR) allows the transfer of personal data if it is necessary for important reasons of public interest.
“Financial institutions can perform many of these actions within the EU,” but if the data processing needs to take place outside the EU, “such processing could then occur separately under the derogation of Article 49.1(d) without reliance on SCCs,” LaFever said, adding that “preventing money laundering is generally recognised under Union and Member State law as required under Article 49.4.”
Recital 112 of the GDPR also acknowledges that “derogations should apply to data transfers required and necessary for important reasons of public interest, for example in cases of international data exchange … between financial supervisory authorities.”
Even if such a data transfer takes place, “all transfers and processing are still subject to obligations of Data Protection by Design and by Default,” according to LaFever.
Data minimization and purpose limitation are basic GDPR principles that existed regardless of the Schrems II decision, which invalidated the EU-U.S. Privacy Shield. “The implementation of ‘technically-enforced’ controls is still required to carry out obligations of Data Protection by Design and by Default under the GDPR, and financial institutions should have already been doing this prior to the Schrems II decision,” he continued.
Should there be any chilling effects, “this is due to current non-compliance with GDPR provisions, not any change in the law under Schrems II.”
In contrast, Peter Swire, a privacy scholar, believes the EDPB guidance may have that chilling effect on the oversight of financial institutions, including on the fight against money laundering, terrorism financing, and cross-border crime in general.
According to Swire, the Bank of Credit and Commerce International (BCCI) scandal in the 1990s “showed that it is essential to have a unified supervisory system, or else those committing fraud can shuffle money between jurisdictions without effective oversight.”
BCCI was a bank registered in Luxembourg with head offices in Pakistan and London. The bank had a very complicated corporate structure, with many layers of affiliated entities that were set up with a view to deliberately avoiding centralized regulatory review, as well as recordkeeping and reporting obligations.
Following the bank’s closure in 1991, investigators revealed various criminal activities, including money laundering, bribery, terrorism financing and massive financial fraud.
“The EDPB guidance would appear to have a chilling effect on the oversight of financial institutions,” and it “appears to undermine that unified supervisory system,” Swire concluded.
This article originally appeared in VIXIO. All trademarks are the property of their respective owners. All rights reserved by the respective owners.