The Effects of GDPR on US Financial Institutions
In May 2018, the European Union General Data Protection Regulation (GDPR) finally went into effect. While GDPR is generally more evolution than revolution for EU businesses, the reach of the new regulation means substantial new compliance burdens for many US businesses. In particular, even though the financial services industry is one of the most heavily regulated under US law, GDPR means significant changes for data protection compliance at US financial institutions that trigger GDPR’s expansive extra-territorial scope (which we discuss below).
This article addresses some key issues for US financial institutions as they adapt to GDPR. It focuses on the differences from, and interaction with, the US data protection laws that apply to the financial services sector, especially the Gramm-Leach-Bliley Act and its implementing regulations (GLBA).
Overview of GDPR and extra-territoriality
The EU and US take fundamentally different approaches to data protection. The EU views personal privacy as a fundamental right of the individual and applies a comprehensive, cross-sector approach to data protection. In contrast, the US follows a sectoral approach, with laws tailored to specific industries. That said, multiple proposed bills in Congress seek to move the US to a more European-style approach. While these bills are unlikely to become law in the short-term, it is possible that the US and EU approaches may converge in the future. In the meantime, along with the health care and marketing sectors, financial institutions are subject to some of the strictest regulations in the US.
GDPR changes a number of the obligations that apply to data controllers and processors. Financial institutions are usually controllers of personal data, and their service providers are processors. Some of the provisions under GDPR that will impose obligations on US financial institutions, not otherwise imposed by US law, include quicker data breach notification obligations, increased consent requirements for data sharing and use, and much larger penalties, which for certain violations can reach the greater of €20 million or four percent of a business’s global annual turnover.
The most significant change from a US perspective is GDPR’s extra-territorial scope. GDPR applies both to: (1) entities having establishments in the EU and processing data “in the context of” these establishments; and (2) entities that do not have establishments in the EU, if their processing activities relate either to offering goods or services to data subjects in the EU, or to monitoring the behavior of data subjects in the EU. For example, a US financial institution that advertises and provides products and services to EU customers is likely to be subject to GDPR.
This does not mean that GDPR applies to all EU citizens’ or residents’ data, or that an organization is subject to GDPR simply by virtue of hosting a website accessible in the EU. Further, GDPR only applies to the extent that the processing is “related to” the activity that triggered extra-territorial application. In other words, a US financial institution does not need to revamp its privacy program for US customers just because some of its activity is subject to GDPR. Nonetheless, many US financial institutions will need to make changes in light of GDPR’s extra-territorial scope.
Comparison of GDPR to US financial institution privacy requirements
In the US, financial privacy is regulated primarily under GLBA and the Fair Credit Reporting Act (FCRA). GLBA generally requires financial institutions to provide consumers with notice and an opportunity to opt out before they share nonpublic personal information with non-affiliated third parties, particularly for marketing purposes.
That said, in practice, most data sharing by financial institutions takes place under the exceptions to GLBA’s privacy restrictions, such as sharing with other financial institutions to process a payment, or with an information technology service provider. Financial institutions are also subject to the FCRA as both users and furnishers of consumer report information. Among other things, the FCRA requires financial institutions to conduct reinvestigations when consumers dispute the accuracy of information furnished to consumer reporting agencies, and imposes certain restrictions on the sharing of information between affiliates.
GLBA requires financial institutions to provide customers with a privacy notice. Many financial institutions use the model privacy notice found in GLBA’s implementing regulations, which provide a legal safe harbor to claims that the presentation is not “clear and conspicuous” as required under GLBA.
GDPR imposes more prescriptive notice requirements on controllers. Controllers must provide, for example, information about how long data will be stored, whether the controller uses automated decision-making with respect to that data, and, if so, “meaningful information about the logic involved” and the significance of such automated processing. It is not clear that notice tailored to GDPR will meet the GLBA safe harbor requirements.
Consent for sharing
As noted above, GLBA and FCRA generally allow sharing with third parties if consumers have consented to such sharing, including by not opting out, though California’s Financial Information Privacy Act (or S.B. 1) requires opt-in consent for California residents.
GDPR imposes stricter consent requirements for processing data, which includes sharing with third parties for marketing purposes. While, as discussed below, many forms of processing may be conducted without obtaining explicit consent, in general a US financial institution dealing with an EU data subject will likely need to obtain consent through a “clear affirmative act” before sharing with third parties, especially for advertising purposes. In addition, a service must not be made conditional on such consent unless the processing is necessary to perform the service.
Legitimate bases for processing
When information is shared or used for a US financial institution’s everyday business purposes, a broadly similar analysis applies under both GLBA and GDPR. As already noted, GLBA permits financial institutions to share personal information without providing notice and opt-out rights for most legitimate purposes other than marketing. US financial institutions generally understand these exceptions to permit them to share for many purposes, including payment processing, furnishing information to consumer reporting agencies, and aggregation by personal financial management services, such as Mint or Yodlee through APIs.
GDPR permits the processing of data without specific consent (but with notice) for reasons such as when processing is necessary: (a) to perform a contract with the data subject; (b) to comply with a legal obligation, or to carry out a task in the public interest; (c) to protect the vital interests of an individual; or (d) to further the legitimate interests of the data controller or a third party, so long as those interests are not overridden by the data subject’s fundamental rights and freedoms. For the most part, financial institutions’ sharing under GLBA exceptions, such as for processing payments, should also be permissible under GDPR, unless the data subject has exercised a right to restrict such processing, or a financial services law explicitly imposes additional consent requirements, as, for example, the EU PSD2 Directive does for certain payment account data.
Correction and access rights
The FCRA requires US financial institutions that furnish information to consumer reporting agencies to conduct reasonable reinvestigations if a consumer disputes the accuracy of the information. GDPR similarly provides data subjects with the right to have inaccurate information corrected by data controllers, though GDPR has different timeline and notification requirements.
The FCRA further gives consumers access to the information in their consumer reports, and the right to restrict the use of such reports, for example through a “credit freeze.” These latter provisions, however, only apply to consumer reporting agencies, not to most financial institutions. By contrast, GDPR requires all data controllers to provide data subjects with access to the personal data they process about them, together with information about that processing. It also gives data subjects broad rights to restrict or object to processing of their data, and to withdraw consent.
Comparison to US cybersecurity requirements
US financial institutions are also subject to cybersecurity requirements under GLBA’s Safeguards Rule, as implemented either by the Federal Trade Commission (FTC) or the relevant federal prudential regulator (such as the Office of the Comptroller of the Currency), depending on the nature of the financial institution. The Safeguards Rule generally eschews detailed requirements and instead follows a technology-neutral approach that requires financial institutions to implement “reasonable” or “appropriate” cybersecurity programs. In addition, financial institutions subject to the jurisdiction of the New York Department of Financial Services (NYDFS) must now comply with the NYDFS Cybersecurity Rule, which imposes somewhat more prescriptive cybersecurity requirements.
GDPR also requires both data controllers and processors to implement appropriate technical and organizational measures to protect the data. While it gives some examples of such measures, such as pseudonymization and encryption, it follows an approach similar to that of US federal regulators in not imposing prescriptive technical requirements. That said, more prescriptive rules can be found in EU financial service regulations.
Data breach response
US financial institutions regulated by the federal prudential regulators are subject to general breach response guidance issued by those agencies. This guidance requires regulated institutions to develop appropriate breach response programs, and to notify their regulator “as soon as possible” upon the discovery of unauthorized access to or use of sensitive customer information. Further, if the institution determines that misuse of this information “has occurred or is reasonably possible,” it should notify the affected consumers “as soon as possible.” This is a flexible standard that allows a financial institution to exercise judgment about when it must notify its regulator, based on the circumstances. Financial institutions within the FTC’s jurisdiction, by contrast, are not subject to any federal breach response requirements. All US financial institutions, however, must also comply with the many state data breach laws.
GDPR creates a more rigid standard. In the case of a personal data breach, GDPR requires notification to the institution’s supervisory authority unless the breach is “unlikely to result in a risk to the rights and freedoms of natural persons.” This notification must generally be made within 72 hours of becoming aware of the breach. In addition, affected individuals must be notified of the breach if it is “likely to result in a high risk to the rights and freedoms of natural persons.” Dedicated financial service regulations may impose further reporting obligations, as do the EU rules on so-called “operators of essential services,” which include certain banking and financial market infrastructure operators.
In summary, financial data protection laws in the US follow many of the same broad principles as GDPR, even though GDPR is more restrictive in several circumstances. Further, while many US financial institutions will need to adapt to GDPR, they already comply with substantial regulatory requirements in the US.
Carlo Kostka is a member of Covington’s global corporate finance practice in London, focusing especially on the financial services sector. In advising clients, Mr. Kostka draws on a career spanning over twenty years in the finance sector in both private practice, and subsequently in-house, at one of Europe’s leading banks.
Sam Adriance is an associate in Covington’s Washington office where he assists clients with financial regulatory and data protection issues, including financial privacy, consumer financial services, safety and soundness, and anti-money laundering.
* This article is for general information purposes and is not intended to be taken as legal advice.