Out-Law News | 26 Nov 2014 | 2:53 pm | 2 min. read
Data protection law specialist Kathryn Wynn of Pinsent Masons, the law firm behind Out-Law.com, said that gaps between data protection rules and financial regulations that mandate the disclosure of personal information do not provide sufficient precision around how the data protection laws apply to certain disclosures of financial information creating "grey" areas where it is unclear whether a disclosure would be compliant with the data protection rules.
Wynn was commenting after EU data protection watchdog the European Data Protection Supervisor (EDPS) issued new data protection guidelines for legislators and regulators in the financial services market (30-page / 304KB PDF). The guidance identified a number of areas of financial regulation where the EDPS has felt that policy makers have given insufficient attention to data protection and privacy issues.
"Data protection laws apply to all organisations processing personal data and are not sector specific, but they often overlap with sector specific regulations, and especially so in the financial services industry," Wynn said.
"The problem for organisations operating in financial services is that there can often be a lack of clarity about how data protection laws and regulations, such as those designed to help combat financial crime, interact. Often financial regulations will make vague references to the application of data protection rules and point businesses to provisions contained in legal instruments such as the EU's Data Protection Directive, or Data Protection Act in the UK, without being specific about how those rules apply," she said.
"This can create problems for businesses when trying to determine whether a disclosure would be compliant with the data protection rules," Wynn said.
"For example, data protection laws demand that personal data processing is fair and lawful. In the context of a criminal investigation, the disclosure by a financial institution about one of its customers to, for example, a law enforcement agency, would be compliant with data protection rules where it has a legal obligation to disclose that information or it is necessary for the prevention or detection of crime. However, if it is not absolutely clear that the threshold for that legal obligation has been met or that it cannot be shown to be necessary for the prevention or detection of a crime, that financial institution would run the risk of breaching data protection rules by disclosing financial information about that customer," she said.
Wynn said, though, that where data protection laws do not get in the way of disclosure obligations, there are still data protection issues that businesses in financial services have to consider when determining what information they are permitted to disclose.
"Using the legal obligation example again, the fact that disclosure may be mandated under statute and permitted under data protection laws does not mean financial services businesses can automatically disclose any and all the personal information they hold about that individual to law enforcement agencies," Wynn said. "There needs to be an assessment of what information is necessary and proportionate to disclose as mandated by the legal requirement. Principles of data protection law, including on data minimisation, are relevant to this assessment."
"Organisations that disclose too much personal information could be found to have acted in breach of data protection rules, and hit with a fine and the reputational damage that can arise in those cases. This may seem like a remote risk but it is not unknown for individuals under investigation to make claims of breaches of data protection laws in order to upset the investigation process. Initiatives that encourage policy makers to provide more detail about what businesses need to do to stay on the right side of data protection law when making disclosures under financial regulations, such as the guidance issued by the EDPS which encourages the use of impact assessments, are therefore to be welcomed," Wynn said.