
InfoBytes Blog

Financial Services Law Insights and Observations


  • U.S. Treasury concerned with European Commission's identification of AML/CFT-deficient U.S. territories

    Financial Crimes

    On February 13, the U.S. Treasury Department issued a statement responding to a list of jurisdictions published by the European Commission as having strategic deficiencies related to anti-money laundering and countering the financing of terrorism (AML/CFT). The list—which includes certain jurisdictions with strategic deficiencies that were already identified by the Financial Action Task Force (FATF) (see previous InfoBytes coverage here)—also identifies 11 additional jurisdictions, including the U.S. territories of American Samoa, Guam, Puerto Rico, and the U.S. Virgin Islands. According to the European Commission, the “banks and other entities covered by EU anti-money laundering rules will be required to apply increased checks (due diligence) on financial operations involving customers and financial institutions from these high-risk third countries to better identify any suspicious money flows.”

    Financial Crimes Department of Treasury European Union Of Interest to Non-US Persons Anti-Money Laundering Combating the Financing of Terrorism FATF

  • EU Releases First Guidance on New Privacy Regulation

    Federal Issues

    On December 16, the Article 29 Working Party (WP29), the EU's advisory body of national data protection authorities, released its first official guidance on the General Data Protection Regulation (GDPR), the EU's new privacy regime. Composed of three sets of guidelines and accompanying FAQs, the guidance covers a range of issues, including the qualification, appointment, and personal liability of data protection officers (DPOs). Links to the six guidance documents follow:

    The WP29 also announced that it is accepting additional comments on this guidance through the end of January 2017, and that it will release guidelines on Data Protection Impact Assessments and Certifications in 2017. The GDPR is set to take effect in May 2018.

    International European Union Miscellany GDPR Privacy/Cyber Risk & Data Security

  • Implementation of New EU Regulation Establishes Uniform Legal Framework for e-Signatures Across All EU Member States

    Fintech

    Recently, the EU adopted a new Electronic Signature Regulation, Regulation (EU) No 910/2014 (eIDAS), which establishes a comprehensive legal framework for e-signatures as well as e-identification, e-seals, e-timestamps, e-documents, e-delivery services, and website authentication. The new regulation applies to transactions from July 1 onward, replacing the prior Directive on Electronic Signatures (1999/93/EC). Among other things, the regulation defines three levels of e-signature: (i) e-signature, (ii) advanced e-signature, and (iii) qualified e-signature. An "electronic signature" is data in electronic form which is attached to, or logically associated with, other electronic data and which is used by the signatory to sign. An "advanced electronic signature" must be uniquely linked to the signatory, capable of identifying the signatory, created using e-signature creation data that the signatory can, with a high level of confidence, use under his or her sole control, and linked to the signed data in such a way that any subsequent change to the data is detectable. Finally, a "qualified electronic signature" is an advanced electronic signature that is created by a qualified electronic signature creation device and is based on a qualified certificate for electronic signatures.

    Notably, and in contrast to the previous EU directive on e-signatures, the new regulation is directly applicable in all 28 EU Member States without any requirement that it be transposed into national law. Article 25 of the regulation provides that an electronic signature shall not be denied legal effect or admissibility as evidence in legal proceedings solely on the grounds that it is in electronic form or that it does not meet the requirements for a qualified electronic signature. Article 25 further provides that a qualified electronic signature has the equivalent legal effect of a handwritten signature, and that a qualified electronic signature based on a qualified certificate issued in one Member State shall be recognized as a qualified electronic signature in all other Member States.

    Digital Commerce International Electronic Signatures European Union Miscellany

  • European Union Approves Cybersecurity Rules

    Privacy, Cyber Risk & Data Security

    On July 6, the European Union (EU) approved cybersecurity rules that will require certain businesses, including financial services firms and digital service providers, to maintain security measures and report cybersecurity incidents. The new law, referred to as the Network and Information Security (NIS) Directive, is intended to establish "harmonized" security and reporting requirements for "operators of essential services," which EU member states will identify based on criteria such as whether the service is "critical for society and the economy and whether an incident would have significant disruptive effects on the provision of that service." Certain digital service providers, such as online marketplaces, search engines, and cloud services, will also have to maintain security measures and report major incidents, although the requirements are "lighter for these providers." The NIS Directive will become effective on the twentieth day after its publication in the EU Official Journal; member states "will have 21 months to transpose the directive into their national laws and six additional months to identify operators of essential services."

    Privacy/Cyber Risk & Data Security European Union

  • European Commission Celebrates Data Protection Day; Deadline for US-EU Data Protection Framework Approaches

    Privacy, Cyber Risk & Data Security

    On January 28, the European Commission issued a statement in observance of its 10th European Data Protection Day. Vice President Ansip and Commissioner Jourová commented on the December 2015 agreement on EU data protection reform, noting that “[w]ith one streamlined set of rules across the European Union, we will cut red tape and ensure legal certainty, so that both citizens and companies can benefit from the Digital Single Market.” The United States and the European Union are scheduled to reach an agreement on the “Safe Harbor” data transfer program in the upcoming week, to which Ansip and Jourová commented: “These flows are essential, between EU countries, but also between the EU and its closest partners. The European Commission is currently working on a renewed and safe framework on transfers of personal data with the United States. We need an arrangement that protects fundamental rights of Europeans and ensures legal certainty for businesses.”

    European Union Privacy/Cyber Risk & Data Security

  • European Commission Announces Agreement on New Cybersecurity Rules

    Privacy, Cyber Risk & Data Security

    On December 8, the European Commission announced that European Union lawmakers had reached an agreement on cybersecurity and breach reporting legislation. The rules are intended to improve cybersecurity capabilities in Member States as well as cooperation among them, and will "require operators of essential services in the energy, transport, banking and healthcare sectors, and providers of key digital services like search engines and cloud computing, to take appropriate security measures and report incidents to national authorities." The agreed text is subject to formal approval by the European Parliament and the EU Council of Ministers; once officially published in the EU Official Journal, Member States will have 21 months to transpose the directive into their national laws and an additional 6 months to identify the operators of essential services it will cover.

    European Union Privacy/Cyber Risk & Data Security

  • European Union Reaches Agreement Regarding New Data Protection Law

    Privacy, Cyber Risk & Data Security

    On June 15, the 28 governments of the European Union agreed to a draft Data Protection Regulation that would establish tighter privacy provisions for users of online services, including those provided by U.S. tech companies, across the EU. The draft Regulation advances a single set of data protection rules for the EU, which include data breach notification obligations (within 24 hours where feasible), a strengthened "right to be forgotten," and additional enforcement powers for Europe's data protection authorities, including penalties of up to €1 million or up to 2% of a company's global annual turnover. While EU Commissioners say the proposed law would cut costs for businesses, critics argue that its provision requiring data controllers to delete individuals' personal data upon request would inevitably increase costs for Europe-based internet companies. For the past three and a half years, the EU has tried to reach agreement on merging the member countries' rules on personal data protection into one set of regulations. If this most recent proposal passes the next phase of negotiations with the European Parliament, the law would take effect in 2016, with a two-year transitional period for companies and data protection authorities to adapt to the new rules.

    European Union Privacy/Cyber Risk & Data Security

  • Consumer Protection Organization Petitions FTC To Enforce U.S.-EU Safe Harbor Framework

    Privacy, Cyber Risk & Data Security

    On August 14, the Center for Digital Democracy (CDD) announced that it had filed a complaint with the FTC claiming that 30 U.S. companies are compiling, using, and sharing EU consumers' personal information without their awareness and meaningful consent, in violation of the U.S.-EU Safe Harbor Framework. The U.S.-EU Safe Harbor Framework established a self-certification program that allows a company to collect information from European consumers without strictly following the EU's more stringent data protection standards, provided the company (i) gives clear notice of its data-collection practices and data uses; and (ii) allows consumers to "opt out" of data collection practices to which they did not previously agree. According to its press release, the CDD wants the FTC to investigate the companies for "relying on exceedingly brief, vague, or obtuse descriptions of their data collection practices, even though [U.S.-EU] Safe Harbor requires meaningful transparency and candor." The complaint identifies several broad concerns that the CDD claims illustrate the inadequacy of the U.S.-EU Safe Harbor Framework, including: (i) the failure of U.S.-EU Safe Harbor declarations and required privacy policies to provide accurate and meaningful information to EU consumers; (ii) a lack of transparency by companies about their data collection; and (iii) the failure of companies to provide meaningful opt-out mechanisms. The FTC has already taken more than a dozen actions this year to enforce the U.S.-EU Safe Harbor Framework.

    FTC European Union

  • European Banking Authority Potential Virtual Currency Regulatory Responses

    Fintech

    On July 4, the European Banking Authority (EBA) released an Opinion that outlines for the EU Council, the European Commission, and the European Parliament the requirements that would be needed to regulate virtual currencies. The EBA identified more than 70 risks across several categories and numerous causal drivers for those risks, including that (i) a virtual currency scheme can be created, and its function subsequently changed, by anyone and, in the case of decentralized schemes, by anyone with a sufficient share of computational power; (ii) payer and payee can remain anonymous; (iii) virtual currency schemes do not respect jurisdictional boundaries and may therefore undermine financial sanctions and the seizure of assets; and (iv) market participants lack sound corporate governance arrangements. To address those drivers, the EBA believes a regulatory framework would need to comprise, among other elements: (i) governance requirements for certain market participants; (ii) segregation of client accounts; (iii) capital requirements; and (iv) the creation of "scheme governing authorities" accountable for the integrity of a virtual currency scheme and its key components, including its protocol and transaction ledger. Given that the creation of such a regulatory framework will take time, the EBA recommends that European national prudential regulators act in the immediate term to discourage financial institutions from buying, holding, or selling virtual currencies while no regulatory regime is in place. In addition, the EBA recommends that EU legislators consider making market participants at the direct interface between conventional and virtual currencies, such as virtual currency exchanges, "obliged entities" under the EU Anti-Money Laundering Directive and thus subject to its anti-money laundering and counter-terrorist financing requirements. The EBA Opinion follows a recent report by the inter-governmental Financial Action Task Force (FATF) that provides an overview of virtual currency terms, markets, risks, and law enforcement actions announced to date.

    European Union Virtual Currency

  • EU Parliament Committee Approves Data Protection Overhaul

    Privacy, Cyber Risk & Data Security

    On October 21, the EU Parliament civil liberties committee voted overwhelmingly to adopt amendments to the EU data protection rules and to require stiffer fines for non-compliance. The rules are designed to increase individuals' control over their personal data while at the same time making it easier for companies to operate across Europe, the committee explained. Under the adopted amendments, if a third country requests that a company (e.g., a search engine, social network, or cloud provider) disclose personal information processed in the EU, the firm would have to seek authorization from the national data protection authority before transferring any data and would have to inform the individual of the request. The amendments would grant any person the right to have his or her personal data erased on request. They would also require that, where processing of personal information is based on consent, an organization or company may process the information only after obtaining clear permission from the data subject, who could withdraw that consent at any time. Finally, the amendments would increase the cap on penalties for violations to $136.7 million or up to 5 percent of the violating company's annual worldwide turnover, whichever is greater. The committee directed the EU Parliament to start negotiations with national governments in the European Council, to be followed by inter-institutional talks. According to the committee release, Parliament aims to reach agreement on this major legislative reform before the May 2014 European elections. The 91 amendments were published in two parts.

    European Union Privacy/Cyber Risk & Data Security
