U.S. and EU enter bilateral sanctions partnership
On May 16, the United States and the European Union entered into a bilateral partnership to strengthen working relationships and share sanctions expertise to address foreign policy goals. The U.S.-EU partnership’s foundation is premised on a collaborative approach for financial sanctions, in which the U.S. Treasury Department’s Office of Foreign Assets Control, the European External Action Service, and the European Commission Directorate-General for Financial Stability, Financial Services and Capital Markets Union will continue to work closely with partners around the world to ensure financial sanctions are fully contributing to member countries’ policy goals. Emphasizing that “[s]anctions are most effective when coordinated with a broad range of international partners who can magnify the economic and political impact,” Treasury stressed the importance of multilateral implementation to maximize the effectiveness of sanctions while minimizing unintended costs and compliance burdens.
France fines facial recognition company additional €5.2 million for noncompliance
On May 10, the French data protection agency, Commission Nationale de l’Informatique et des Libertés (CNIL), imposed an overdue penalty payment of €5.2 million on a facial recognition company for failing to comply with an October order. As previously covered by InfoBytes, last fall CNIL imposed a €20 million penalty against the company for allegedly violating the EU’s General Data Protection Regulation (GDPR) after investigations found that the company had processed personal biometric data without a legal basis (a breach of article 6 of the GDPR) and had failed to take into account individuals’ rights in an “effective and satisfactory way”—particularly with respect to requests for access to their data (a breach of articles 12, 15 and 17 of the GDPR). CNIL reported that the company had two months after receiving the October order to stop collecting and processing data on individuals located in France “without any legal basis, and to delete the data of these individuals, after responding to requests for access it received.” Because the company did not submit proof of compliance within this time frame, CNIL imposed the additional penalty on top of the original fine.
EU court says non-material damages in unlawful data processing may be eligible for compensation
On May 4, the Court of Justice of the European Union (CJEU) issued a judgment concluding that while not every infringement of the EU’s data protection law gives rise, by itself, to a right to compensation, non-material damage resulting from unlawful processing of data can be eligible for compensation. The CJEU reviewed questions posed by the Austrian Supreme Court on whether a mere infringement of the GDPR is sufficient to confer the right to compensation for individuals suffering non-material damages, and whether such compensation is possible only if the non-material damage suffered reaches a certain degree of seriousness. The Austrian Supreme Court also asked the CJEU to clarify what the EU-law requirements are when determining the amount of damages.
The CJEU clarified that the General Data Protection Regulation (GDPR) does not set thresholds for the “seriousness” of damages needed to confer a right to compensation. “[I]t is clear that the right to compensation provided for by the GDPR is subject to three cumulative conditions: infringement of the GDPR, material or non-material damage resulting from that infringement and a causal link between the damage and the infringement,” the court said in the announcement. Limiting the right to compensation to non-material damage that reaches a certain threshold would be contrary to the broad conception of “damage” outlined in EU law, the CJEU explained, pointing out that making compensation depend on such a threshold would produce different outcomes depending on each court’s assessment. Moreover, the CJEU emphasized that because the GDPR does not contain any rules governing the assessment of damages, it is up to each member state’s legal system to prescribe detailed rules for actions intended to safeguard individuals’ rights under the GDPR, as well as the criteria for determining the amount of compensation, provided the determination complies with the principles of equivalence and effectiveness. The CJEU explained in its ruling that “an infringement of the GDPR does not necessarily result in damage, and that there must be a causal link between the infringement in question and the damage suffered by the data subject in order to establish a right to compensation.”
European Parliament committee says EU-US Data Privacy Framework lacks adequate protections
On February 14, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs released a draft motion for a resolution concerning the adequacy of protections afforded under the EU-U.S. Data Privacy Framework. As previously covered by InfoBytes, last October President Biden signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities (E.O.) to facilitate transatlantic data flows between the EU and the U.S. The E.O. also outlined bolstered commitments that the U.S. will take under the EU-U.S. Data Privacy Framework (a replacement for the EU-U.S. Privacy Shield). In 2020, the Court of Justice of the EU (CJEU) annulled the EU-U.S. Privacy Shield after determining that, because the requirements of U.S. national security, public interest, and law enforcement have “primacy” over the data protection principles of the EU-U.S. Privacy Shield, data transferred under the EU-U.S. Privacy Shield would not be subject to the same level of protections prescribed by the EU’s General Data Protection Regulation (GDPR).
In the draft resolution, the Committee urged the European Commission not to adopt any new adequacy decisions needed for the EU-U.S. Data Privacy Framework to officially take effect. According to the Committee, the framework “fails to create actual equivalence in the level of protection” provided to EU residents’ transferred data. Among other things, the Committee found that the government surveillance backstops outlined in the E.O. “are not in line” with “long-standing key elements of the EU data protection regime as related to principles of proportionality and necessity.” The Committee also expressed concerns that “these principles will be interpreted solely in light of [U.S.] law and legal traditions” and appear to take a “broad interpretation” to proportionality. The Committee also flagged concerns that the framework does not establish an obligation to notify EU residents that their personal data has been processed, “thereby undermining their right to access or rectify their data.” Additionally, “the proposed redress process does not provide for an avenue for appeal in a federal court,” thereby removing the possibility for EU residents to claim damages. Moreover, “remedies available for commercial matters” are “largely left to the discretion of companies, which can select alternative remedy avenues such as dispute resolution mechanisms or the use of companies’ privacy [programs],” the Committee said.
The Committee called on the Commission “to continue negotiations with its [U.S.] counterparts with the aim of creating a mechanism that would ensure such equivalence and which would provide the adequate level of protection required by Union data protection law and the Charter as interpreted by the CJEU,” and urged the Commission “not to adopt the adequacy finding.”
U.S.-EU release statement on Joint Financial Regulatory Forum
On February 7-8, EU and U.S. participants, including officials from the Treasury Department, Federal Reserve Board, CFTC, FDIC, SEC, and OCC, participated in the U.S.-EU Joint Financial Regulatory Forum to continue their ongoing financial regulatory dialogue. According to a joint statement issued by the participants, the matters discussed focused on six themes: “(1) market developments and financial stability risks; (2) sustainable finance and climate-related financial risks; (3) regulatory developments in banking and insurance; (4) operational resilience and digital finance; (5) regulatory and supervisory cooperation in capital markets; and (6) anti-money laundering and countering the financing of terrorism (AML/CFT).”
The joint statement acknowledged that the Russia/Ukraine conflict, coupled with global economic uncertainty and inflationary pressures, has exposed “the financial system to downside risk both in the EU and in the U.S,” with participants stressing the importance of international coordination in monitoring vulnerabilities and building resilience against stability risks. During the forum, participants discussed recent developments related to sustainability-related financial disclosures, climate-related financial risks, cross-border bank resolution coordination, the transition away from LIBOR, digital finance operational resilience, and progress made in strengthening their respective AML/CFT frameworks.
U.S. messaging service fined €5.5 million for GDPR violations
On January 19, the Irish Data Protection Commission (DPC) announced the conclusion of an inquiry into the data processing practices of a U.S.-based messaging service’s Ireland operations and fined the messaging service €5.5 million. The investigation was part of a broader GDPR compliance inquiry prompted by a May 25, 2018 complaint from a German data subject.
The DPC noted that in advance of the date on which the GDPR became effective (May 25, 2018), the U.S. company updated its terms of service and notified users that, to continue accessing the messaging service, they would need to accept the updated terms by clicking “agree and continue.” The complainant asserted that, in doing so, the messaging service forced users to consent to the processing of their personal data for service improvement and security.
The company claimed that when a user accepted the updated terms of service, the user entered into a contract with the company. The company therefore maintained that “the processing of users’ data in connection with the delivery of its service was necessary for the performance of that contract, to include the provision of service improvement and security features, so that such processing operations were lawful by reference to Article 6(1)(b) of the GDPR (the ‘contract’ legal basis for processing).” The complainant argued that, contrary to the company’s stated intention, the company was “seeking to rely on consent to provide a lawful basis for its processing of users’ data.”
The DPC issued a draft decision that was submitted to its EU peer regulators (Concerned Supervisory Authorities or “CSAs”). The DPC concluded that the company was in breach of its GDPR transparency obligations under Articles 12 and 13(1)(c), and stated that users had “insufficient clarity as to what processing operations were being carried out on their personal data.” With respect to whether the company was obliged to rely on consent as its legal basis in connection with the delivery of the service (including for service improvement and security purposes), the DPC disagreed with the complainant’s “forced consent” argument, finding that the company was not required to rely on user consent as providing a lawful basis for its processing of their personal data.
Noting that the DPC had previously imposed a €225 million fine against the company last September for breaching its transparency obligations to users about how their information was being disclosed over the same time period (covered by InfoBytes here), the DPC did not propose an additional fine. Six of the 47 CSAs, however, objected to the DPC’s conclusion as to the “forced consent” aspect of its decision, arguing that the company “should not be permitted to rely on the contract legal basis on the basis that the delivery of service improvement and security could not be said to be necessary to perform the core elements of what was said to be a much more limited form of contract.”
The dispute was referred to the European Data Protection Board (EDPB), which issued a final decision on January 12, where it found that, “as a matter of principle, [the company] was not entitled to rely on the contract legal basis as providing a lawful basis for its processing of personal data for the purposes of service improvement and security,” and that in doing so, the company contravened Article 6(1) of the GDPR.
The DPC handed down a €5.5 million administrative fine and ordered the company to bring its processing operations into compliance with the GDPR within a six-month period. Separately, the EDPB instructed the DPC “to conduct a fresh investigation” that would span all of the company’s processing operations to determine whether the company is in compliance with relevant GDPR obligations regarding the processing of personal data for behavioral advertising, marketing purposes, the provisions of metrics to third parties, and the exchange of data with affiliated companies for the purpose of service improvements.
The DPC challenged the EDPB’s decision, stating that the board “does not have a general supervision role akin to national courts in respect of national independent authorities, and it is not open to the EDPB to instruct and direct an authority to engage in open-ended and speculative investigation.” The DPC suggested that it is considering bringing an action before the Court of Justice of the European Union to “seek the setting aside of the EDPB’s direction.”
Irish DPC fines global social media company €390 million over targeted ads
On January 4, the Irish Data Protection Commission (DPC) announced the conclusion of two inquiries into the data processing practices of a global social media company’s European operations. Collectively, the DPC imposed fines totaling €390 million against the company for allegedly requiring users to accept targeted ads when accepting the company’s social media platform terms of service. Complaints were raised in 2018 by data subjects in Austria and Belgium, claiming that the company violated the GDPR by conditioning access to its services on users’ acceptance of the company’s updated terms of service, thereby “forcing” them to consent to the processing of their personal data for behavioral advertising and other personalized services. The company maintained that once a user accepted the updated terms of service, a contract was formed, and that processing user data in connection with the delivery of its social media services was necessary for the performance of that contract (including the provision of personalized services and behavioral advertising). According to the company, “such processing operations were lawful by reference to Article 6(1)(b) of the GDPR (the ‘contract’ legal basis for processing).”
The DPC issued draft decisions, finding that (i) the company breached its transparency obligations because the “contract” legal basis for processing was not clearly disclosed to users, but that, (ii) in principle, the GDPR did not preclude the company’s reliance on such basis.
In accordance with the GDPR, the draft decisions were submitted to DPC’s EU peer regulators (Concerned Supervisory Authorities or “CSAs”). Regarding the question of whether the company had acted in contravention of its transparency obligations, the CSAs agreed with the DPC’s decisions but concluded that higher fines should be imposed. Ten of the 47 CSAs, however, concluded that the company “should not be permitted to rely on the contract legal basis on the grounds that the delivery of personalized advertising . . . could not be said to be necessary to perform the core elements of what was said to be a much more limited form of contract.” The DPC disagreed, arguing that personalized advertising is “central to the bargain struck between users and their chosen service provider” as part of the contract that is established when a user accepts the terms of service. The dispute was referred to the European Data Protection Board (EDPB) after the regulators were unable to reach a consensus.
The EDPB determined that, “as a matter of principle,” the company “is not entitled to rely on the ‘contract’ legal basis as providing a lawful basis for its processing of personal data for the purpose of behavioral advertising.” The DPC adopted the EDPB’s determination and issued final decisions, finding, among other things, that the company’s processing of users’ data in purported reliance on the “contract” legal basis amounts to a contravention of Article 6 of the GDPR. The decisions require the company to bring its processing operations into compliance with the GDPR within a three-month period and impose administrative fines higher than those originally proposed, in line with the EDPB’s direction to increase the fines.
The company released a statement following the decisions. According to the company, “[t]here has been a lack of regulatory clarity on this issue, and the debate among regulators and policymakers around which legal bases are most appropriate in a given situation has been ongoing for some time. This issue is also currently being debated by the highest courts in the EU, who may yet reach a different conclusion altogether.” The company added that “we strongly disagree with the DPC’s final decision, and believe we fully comply with GDPR by relying on Contractual Necessity for behavioural ads given the nature of our services. As a result, we will appeal the substance of the decision. Given that regulators themselves disagreed with each other on this issue up until the final stage of these processes in December, it is hard to understand how we can be criticised for the approach we have taken to date, and therefore we also plan to challenge the size of the fines imposed.”
Irish DPC fines global social media company €265 million over data scraping claims
On November 28, the Irish Data Protection Commission (DPC) announced the conclusion of a “data scraping” inquiry into the practices of a global social media company’s European operations. The inquiry, which included cooperation from all of the other data protection supervisory authorities in the EU, was commenced in April 2021 following media reports that personal data for which the company was responsible was available on the internet. According to the DPC, the inquiry focused on questions related to the company’s compliance with the GDPR’s obligation for “Data Protection by Design and Default.” Specifically, the DPC “examined the implementation of technical and organizational measures pursuant to Article 25 GDPR (which deals with this concept).” The decision, adopted on November 25, and agreed upon by all the other EU supervisory authorities, found that the company violated Articles 25(1) and 25(2) of the GDPR. The decision imposes a reprimand and requires the company to bring its processing into compliance by implementing several specific remedial actions within a particular timeframe. In addition, the company must pay an administrative fine of €265 million.
EU increases financial sector cybersecurity
On November 28, the Council of the European Union (the Council) announced that it adopted legislation for a new cybersecurity directive intended to improve resilience and incident response capacities across the EU by replacing the NIS, the current directive on the security of network and information systems. According to the announcement, the new directive, called NIS2, is intended “to harmonise cybersecurity requirements and implementation of cybersecurity measures in different member states.” Among other things, the directive establishes minimum rules for a regulatory framework and mechanisms for effective cooperation among relevant authorities in each member state, according to the Council. Additionally, the directive updates the list of sectors and activities subject to cybersecurity obligations and provides for remedies and sanctions to ensure enforcement. The new directive has been aligned with sector-specific legislation, in particular the regulation on digital operational resilience for the financial sector (DORA) and the directive on the resilience of critical entities (CER), to provide legal clarity and ensure coherence between NIS2 and these acts. Member states will have 21 months from the entry into force of the directive in which to incorporate its provisions into their national law.
ECJ invalidates AML directive granting public access to beneficial ownership information
On November 22, the European Court of Justice (ECJ) announced a ruling invalidating a provision of the 2018 amended EU anti-money laundering directive that guaranteed public access to the beneficial ownership information of legal entities incorporated within member states. The case was referred to the ECJ by a Luxembourg court following two actions that disputed the compatibility of this directive with the beneficial owners’ fundamental right to privacy. The ECJ was asked to issue a preliminary ruling on a series of questions concerning the interpretation of “exceptional circumstances” and “disproportionate risk,” as well as the directive’s compatibility with the Charter of Fundamental Rights of the European Union (Charter) and the GDPR. Under the directive, member states are required to enter and maintain beneficial ownership information in registers that are accessible to the general public. The directive is intended to prevent the financial system from being exploited for the purposes of money laundering or terrorist financing, and requires, with limited exemptions, that member states provide information on “the beneficial owner’s name, month and year of birth, nationality and country of residence, as well as the nature and extent of his or her beneficial interests.”
In its announcement, the ECJ said that public access to beneficial ownership information “constitutes a serious interference with the fundamental rights to respect for private life and the protection of personal data” provided in Articles 7 and 8 of the Charter. “[T]he potential consequences for the data subjects resulting from possible abuse of their personal data are exacerbated by the fact that, once those data have been made available to the general public, they can not only be freely consulted, but also retained and disseminated,” the ECJ wrote in the judgment, adding that “in the event of such successive processing, it becomes increasingly difficult, or even illusory, for those data subjects to defend themselves effectively against abuse.”
While the ECJ found that, by the measure at issue, the EU legislature is pursuing “an objective of general interest capable of justifying even serious interferences with the fundamental rights enshrined in Articles 7 and 8 of the Charter, and that the general public’s access to information on beneficial ownership is appropriate for contributing to the attainment of that objective,” the “interference entailed by that measure is neither limited to what is strictly necessary nor proportionate to the objective pursued.” Additionally, the ECJ held that the amended “directive amounts to a considerably more serious interference with the fundamental rights guaranteed in Articles 7 and 8 of the Charter” without being offset by any benefits that may result from the amended directive as compared to the previous version in terms of combating money laundering and terrorist financing. However, the ECJ did recognize that civil society and the press have a legitimate interest in accessing such information, given their role in the fight against money laundering.