InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
European Union Advocate General Calls For High Court to Rule U.S.-EU Data Sharing Program Invalid
In an opinion that has the potential to seriously disrupt how U.S. companies can share data from Europe, on September 23, Advocate General (AG) Yves Bot of the Court of Justice of the European Union (CJEU) declared that the existing framework governing that exchange of data fails to “ensure an adequate level of protection of the personal data which is transferred to the United States from the European Union.” This is because that framework, in AG Bot’s view, contains holes that can allow access to European’s personal data by the NSA and other U.S. security agencies. “[T]he law and practice of the United States allow the large-scale collection of the personal data of citizens of the [EU] which is transferred under the [framework] without those citizens benefiting from effective judicial protection.” And while the FTC and private dispute resolutions have the power to monitor possible breaches of the framework by private companies, neither has the power to monitor possible breaches by U.S. security agencies.
The EU’s 1995 Data Protection Directive (“Directive”) requires that the transfer of personal data from an EU country to another country take place only if the other country ensures an adequate level of data protection. For the past 15 years, per a 2000 decision by the European Commission, U.S. companies participating in the U.S.-EU Safe Harbor Framework for personal data protection have been deemed to be compliant with that requirement. AG Bot’s opinion, however, calls that 2000 decision invalid. “To my mind, the existence of a [Commission] decision” on the sufficiency of a country’s personal data protection regime “cannot eliminate or even reduce” the powers of each EU member state’s Data Protection Authority, under Article 28 of the Directive, to independently assess the sufficiency of that country’s personal data protection regime. This opinion thus turns the power back over to individual EU countries to assess U.S. companies’ personal data protections, potentially leading to a fractured and technologically daunting state of digital commerce in Europe.
Negotiations are underway for a new U.S.-EU Safe Harbor Framework, but if AG Bot’s opinion is followed, no Framework would prevent country-by-country determinations of the sufficiency of a U.S. company’s personal data protections.
NYDFS Reaches Agreements with Four Banks on New Symphony Chat & Messaging Platform
On September 14, the New York State Department of Financial Services (NYDFS) announced that it had reached agreements with four financial institutions on record-keeping requirements and other protections intended to help ensure the institutions’ responsible use of the new Symphony Communications LLC (Symphony) chat and messaging platform. NYDFS had recently expressed concerns that certain Symphony features, such as its promise of “Guaranteed Data Deletion,” could hinder regulatory investigations on Wall Street. Under the agreements, Symphony will retain for seven years a copy of all electronic communications sent through its platforms to or from the four banks, and the banks will store duplicate copies of the decryption keys for their messages with independent custodians.
GAO Report On CFPB Data Collection And Privacy Practices Finds Room For Improvement
On September 22, the GAO issued a report regarding the privacy and data security implications of the CFPB’s data collection practices. The report, performed in part based on a request by Senator Crapo, notes the CFPB’s data includes three one-time collections of data that contain information that directly identifies individuals: arbitration case records, deposit account data regarding deposit advance products, and borrower-level activity regarding storefront payday loans. The report highlights several areas for improvement: (i) development of written procedures and documentation regarding data intake and information security risk assessments; (ii) implementation of privacy control steps and information security practices; and (iii) Paperwork Reduction Act compliance regarding credit card data. In a comment appended to the report, the CFPB outlines the reasons for its data collection efforts and concurs with the GAO’s recommendations addressed to the CFPB.
FTC Report Calls For Increased Data Broker Transparency
On May 27, the FTC released a report that claims—based on a study of nine data brokers—that data brokers generally operate with a “fundamental lack of transparency.” The FTC describes data brokers as companies that collect personal information about consumers from a wide range of sources and then provide that data for purposes of verifying an individual’s identity, marketing products, and detecting fraud or otherwise mitigating risk. The report is based in part on the nine brokers’ responses to FTC orders that required the brokers to provide information about: (i) the nature and sources of the consumer information the data brokers collect; (ii) how they use, maintain, and disseminate the information; and (iii) the extent to which the data brokers allow consumers to access and correct their information or to opt out of having their personal information sold or shared. The report summarizes the companies’ data acquisition processes, their product development and the types of products they provide, the quality of the data collected and sold, the types of clients to whom the data is sold, and consumer controls over the information. The FTC recommends that Congress consider enacting data broker legislation that would, among other things: (i) require data brokers to give consumers access to their data and the ability to opt out of having it shared for marketing purposes; (ii) require data brokers to clearly disclose that they not only use raw data, but that they also derive certain inferences from the data; (iii) address gaps in FCRA to provide consumers with transparency when a company uses a data broker’s risk mitigation product that limits a consumer’s ability to complete a transaction; and (iv) require brokers who offer people search products to allow consumers to access their own information and opt out of the use of that information, and to disclose the sources of the information and any limitations of the opt out.
Senate Commerce Committee Expands Data Broker Inquiry
On February 3, Senate Commerce Committee Chairman Jay Rockefeller (D-WV) again expanded his investigation of data brokers when he asked six brokers for information on the compilation and sale of products that identify consumers based on their financial vulnerability or health status. The issue was raised recently in a majority staff report, which was released in connection with a December 2013 committee hearing. The Chairman cited “serious concerns regarding the sale and dissemination of lists identifying a consumer’s fragile health or financial circumstances without the consumer’s knowledge or permission,” which Mr. Rockefeller believes can be used by businesses seeking to target vulnerable customers for financially risky lending products or fraud schemes. The Chairman seeks a broad range of information about the companies’ data collection and sales practices conducted over a five year period. The letters are the latest in an ongoing review by the Committee, which previously expanded the scope of the review in September 2013.
Senator Expands Data Broker Investigation
On September 25, Senator Jay Rockefeller (D-WV) released letters he recently sent to 12 popular “personal finance, health, and family-focused websites” for assistance in an ongoing Senate Commerce Committee investigation into the way data brokers collect and share personal information. According to Senator Rockefeller, the letters were sent in part because “several data brokers have refused to disclose to the Committee specific sources of consumer data, preventing the Committee from fully understanding how the industry operates.” Senator Rockefeller began this investigation in October 2012 with letters to a number of data brokers. In connection with this latest round of letters, the Senator states that “hundreds of thousands of websites that gather information directly from consumers may be a source of consumer information for data brokers,” and that he believes some websites’ privacy policies “leave room for sharing a consumer’s information with data brokers or other third parties.” The Senate investigation parallels an investigation by members of the House of Representatives and the FTC’s ongoing activity with regard to data brokers.
CFPB, FTC Announce Roundtable on Data Integrity in Debt Collection
On May 1, the FTC and the CFPB announced a roundtable to “examine the flow of consumer data throughout the debt collection process” and discuss (i) the amount of documentation and other information currently available to different types of collectors and at different points in the debt collection process, (ii) the information needed to verify and substantiate debts, (iii) the costs and benefits of providing consumers with additional disclosures about their debts and debt-related rights, and (iv) information issues relating to pleading and judgment in debt collection litigation. The event will be held on June 6, 2013 in Washington, DC and is open to the public.
Pages
- « first
- ‹ previous
- 1
- 2
- 3
- 4