
InfoBytes Blog

Financial Services Law Insights and Observations


  • U.S.-EU release statement on Joint Financial Regulatory Forum

    Financial Crimes

    On July 20, EU and U.S. participants, including officials from the Treasury Department, Federal Reserve Board, CFTC, FDIC, SEC, and OCC, participated in the U.S.-EU Joint Financial Regulatory Forum to continue their ongoing financial regulatory dialogue. Matters discussed focused on six themes: “(1) market developments and financial stability risks, (2) sustainable finance and climate-related financial risks, (3) regulatory developments in banking and insurance, (4) regulatory and supervisory cooperation in capital markets, (5) operational resilience and digital finance, and (6) anti-money laundering and countering the financing of terrorism (AML/CFT).”

    The statement acknowledged that the Russia/Ukraine conflict, as well as “inflationary pressures”, exposes “a series of downside risks to financial markets both in the EU and in the U.S.” The statement notes that financial markets have so far proven to be “resilient” and stressed that “[i]nternational cooperation in monitoring and mitigating financial stability risks remains essential in the current global environment in light of the negative impacts on global energy and commodities markets.” During the Forum, participants also discussed recent developments related to digital finance and crypto-assets, including so-called stablecoins, as well as potential central bank digital currencies. Additionally, participants discussed various issues related to third-party providers; climate-related financial risks and challenges, including sustainability reporting standards; the transition away from LIBOR; and progress made in strengthening their respective AML/CFT frameworks.

    Financial Crimes, Digital Assets, Of Interest to Non-US Persons, Department of Treasury, EU, Central Bank Digital Currency, Stablecoins, Anti-Money Laundering, Combating the Financing of Terrorism, Fintech, Climate-Related Financial Risks, LIBOR

  • U.S. and EU collaborate to combat ransomware attacks

    Privacy, Cyber Risk & Data Security

    On June 16, the DOJ announced that representatives from the U.S. and EU met at a recent workshop in The Hague to share best practices and to plan enhanced collaboration efforts to confront ransomware attacks. According to the DOJ, attorneys from the DOJ’s Computer Crime and Intellectual Property Section, along with representatives from the FBI, the U.S. Secret Service, U.S. Homeland Security Investigations, the European Judicial Cybercrime Network, Eurojust’s Cybercrime Team, and Europol’s European Cybercrime Centre shared “experiences, best practices, and lessons learned in directing an investigation to a successful outcome including collaborating with the tech and private sector.” Participants also discussed “relevant changes in the law, including issues related to electronic evidence, charging options, and cross-border considerations.”

    Privacy/Cyber Risk & Data Security, DOJ, EU, Of Interest to Non-US Persons, Ransomware

  • EU Court of Justice rules consumer protection agencies can sue companies for GDPR violations

    Privacy, Cyber Risk & Data Security

    On April 28, the Court of Justice of the European Union (CJEU) issued an opinion concluding that consumer protection associations are permitted to bring representative actions against infringements of personal data protection “independently of the specific infringement of a data subject’s right to the protection of his or her personal data and in the absence of a mandate to that effect.” According to the judgment, Germany’s Federal Union of Consumer Organisations and Associations brought an action for an injunction against a global social media company’s Ireland division for allegedly infringing General Data Protection Regulation (GDPR) rules governing the protection of personal data, combating unfair commercial practices, and consumer protection when offering users free games provided by third parties. Germany’s Federal Court of Justice called into question whether a consumer protection association has standing to bring proceedings in the civil courts against infringements of the GDPR without obtaining a mandate from users whose data was misused. Germany’s Federal Court of Justice also observed that the GDPR could be read to mean that “it is principally for the supervisory authorities to verify the application of the provisions of that regulation.”

    In its ruling, CJEU concluded that consumer protection associations in the EU can bring representative actions against the social media company for alleged violations of the GDPR, writing that the GDPR “does not preclude national legislation which allows a consumer protection association to bring legal proceedings, in the absence of a mandate conferred on it for that purpose and independently of the infringement of specific rights of the data subjects, against the person allegedly responsible for an infringement of the laws protecting personal data . . . where the data processing concerned is liable to affect the rights that identified or identifiable natural persons derive from that regulation.” Permitting associations to bring representative actions is “consistent with the objective pursued by the GDPR . . . in particular, ensuring a high level of protection of personal data,” CJEU stated.

    Privacy/Cyber Risk & Data Security, Courts, Germany, EU, Of Interest to Non-US Persons, GDPR, Consumer Protection

  • EU and U.S. agree in principle on new Trans-Atlantic Data Privacy Framework

    Privacy, Cyber Risk & Data Security

    On March 25, the U.S. and the European Commission announced their agreement in principle on a new Trans-Atlantic Data Privacy Framework (Framework) to foster cross-border transfers of personal data from the EU to the U.S. (See also the White House and European Commission fact sheets.) Under the Framework, the U.S. has committed to implementing reforms and safeguards to “strengthen the privacy and civil liberties protections applicable to U.S. signals intelligence activities.” The announcement follows negotiations that began after the Court of Justice of the EU (CJEU) issued an opinion in the Schrems II case (Case C-311/18) in July 2020, holding that the EU-U.S. Privacy Shield did not satisfy EU legal requirements.

    As previously covered by InfoBytes, the CJEU’s ruling (which could not be appealed) concluded that the Standard Contractual Clauses issued by the European Commission for the transfer of personal data to data processors established outside of the EU are valid. However, the Court invalidated the EU-U.S. Privacy Shield. In annulling the EU-U.S. Privacy Shield, the CJEU determined that because the requirements of U.S. national security, public interest, and law enforcement have “primacy” over the data protection principles of the EU-U.S. Privacy Shield, the data transferred under the EU-U.S. Privacy Shield would not be subject to the same level of protections prescribed by the GDPR. Specifically, the CJEU held that the surveillance programs used by U.S. authorities are not proportionally equivalent to those allowed under EU law because they are not “limited to what is strictly necessary,” nor, under certain surveillance programs, does the U.S. “grant data subjects actionable rights before the courts against the U.S. authorities.”

    According to the factsheet released by the White House, the U.S. has made “unprecedented commitments” that build on the safeguards that were in place under the annulled EU-U.S. Privacy Shield with the goal of addressing issues identified in the Schrems II decision. These commitments include (i) strengthening the privacy and civil liberties safeguards governing U.S. signals intelligence activities through measures that would limit U.S. intelligence authorities’ data collection to what is necessary to advance legitimate national security objectives; (ii) establishing a new, multi-layered redress mechanism with independent and binding authority “consist[ing] of individuals chosen from outside the U.S. Government who would have full authority to adjudicate claims and direct remedial measures, as needed”; and (iii) enhancing the U.S.’s existing rigorous and layered oversight of signals intelligence activities, and requiring U.S. intelligence agencies to “adopt procedures to ensure effective oversight of new privacy and civil liberties standards.” The factsheet further stated that participating companies and organizations will continue to be required to adhere to the EU-U.S. Privacy Shield principles, including the requirement of self-certification through the U.S. Department of Commerce. EU individuals will also continue to have access to avenues of recourse to resolve complaints against businesses and organizations participating in the Framework, including through alternative dispute resolution and binding arbitration.

    The White House stated that President Biden will issue an executive order outlining the aforementioned commitments “that will form the basis of the Commission’s assessment in its future adequacy decision.” According to the announcement, the U.S. and European Commission “will now continue their cooperation with a view to translate this arrangement into legal documents that will need to be adopted on both sides to put in place this new Trans-Atlantic Data Privacy Framework.”

    Privacy/Cyber Risk & Data Security, Consumer Protection, EU, EU-US Privacy Shield, GDPR, Of Interest to Non-US Persons

  • Irish DPC fines global social media company €17 million for GDPR violations

    Privacy, Cyber Risk & Data Security

    On March 15, the Irish Data Protection Commission (DPC) adopted a decision fining a global social media company €17 million (approximately $18.6 million) after finding that the company failed to prevent a series of data breaches in 2018. The DPC conducted an inquiry into a series of 12 data breach notifications it received between June 7, 2018 and December 4, 2018, to examine the extent to which the company complied with GDPR requirements related to the processing of personal data. Following the inquiry, the DPC found that the company violated GDPR Articles 5(2) and 24(1) by failing “to have in place appropriate technical and organizational measures which would enable it to readily demonstrate the security measures that it implemented in practice to protect EU users’ data, in the context of the twelve personal data breaches.” Article 5 outlines principles related to the processing of personal data and requires companies to ensure that EU residents’ personal data is processed “in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.” Article 24(1) requires controllers to “implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with” the GDPR. The DPC noted that because the processing under examination constituted “cross-border” processing, the “decision represents the collective views of both the DPC and its counterpart supervisory authorities throughout the EU.”

    Privacy/Cyber Risk & Data Security, Of Interest to Non-US Persons, Enforcement, EU, Data Breach, GDPR

  • U.S.-EU release statement on Joint Financial Regulatory Forum

    Financial Crimes

    On March 1 and 2, EU and U.S. participants, including officials from the Treasury Department, Federal Reserve Board, CFTC, FDIC, SEC, and OCC, participated in the U.S.-EU Joint Financial Regulatory Forum to continue their ongoing financial regulatory dialogue. Matters discussed focused on six themes: “(1) market developments and current assessment of financial stability risks, (2) operational resilience and digital finance, (3) sustainable finance and climate-related financial risks, (4) regulatory and supervisory cooperation in capital markets, (5) multilateral and bilateral engagement in banking and insurance, and (6) anti-money laundering and countering the financing of terrorism (AML/CFT).”

    While acknowledging that both the U.S. and EU are “experiencing robust economic recoveries,” participants warned that significant uncertainty and risks are created by the current geopolitical situation, as well as challenges stemming from the ongoing Covid-19 pandemic, high energy prices, and supply-chain bottlenecks. “[C]ooperative international engagement to mitigate financial stability risks remains essential,” participants stressed. During the meeting, participants also discussed recent developments related to crypto-assets, digital finance, and so-called stablecoins, as well as the potential for a central bank digital currency, and “acknowledged the importance of ongoing international work on digital finance and recognized the benefits of greater international supervisory cooperation with a view to promote responsible innovation globally.”

    In addition, participants discussed various topics, including those related to third-party providers; climate-related financial risks and challenges, including sustainability reporting standards; the transition from LIBOR; and progress made in strengthening their respective AML/CFT frameworks.

    Financial Crimes, Digital Assets, Of Interest to Non-US Persons, Department of Treasury, EU, Central Bank Digital Currency, Stablecoins, Anti-Money Laundering, Combating the Financing of Terrorism, Fintech, Covid-19, Climate-Related Financial Risks, LIBOR

  • France says tool for EU-U.S. data transfers is unsafe

    Privacy, Cyber Risk & Data Security

    On February 10, the French data protection agency, Commission Nationale de l’Informatique et des Libertés (CNIL), issued a decision related to a multinational technology company’s practice of transferring data collected through its analytics tool to the U.S. The analytics tool, which measures the number of user visits, assigns a unique identifier to each visit (which constitutes personal data). The identifier and associated data are then transferred by the company to the U.S. CNIL stated that it received numerous complaints related to the transfer of the collected data and noted that complaints were filed against 101 data controllers for allegedly transferring personal data to the U.S. The agency analyzed the conditions under which the collected data was being transferred, and assessed the risk potential for individuals raising the concerns. According to CNIL, the company’s trans-Atlantic data transfers “are currently not sufficiently regulated” in spite of “additional measures” adopted by the company to regulate these data transfers. These measures “are not sufficient to exclude the accessibility of this data for U.S. intelligence services,” CNIL determined, noting that “in the absence of an adequacy decision (which would establish that this country offers a sufficient level of data protection with regard to the GDPR) concerning transfers to the United States, the transfer of data can only take place if appropriate guarantees are provided for this flow in particular.”

    CNIL stated that these data transfers violate Article 44 et seq. of the GDPR (which governs the transfer of personal data to a third country or to an international organization), and ordered a “website manager to bring this processing into compliance with the GDPR, if necessary by ceasing to use the [analytics tool] functionality (under the current conditions) or by using a tool that does not involve a transfer outside the EU.” The website operator must comply within one month. Additional compliance orders were also issued to other website operators using the analytics tool. CNIL also recommended that the analytics tool should only be used to produce anonymous statistical data, and stated that it has launched an evaluation program to determine solutions that are exempt from consent.

    Privacy/Cyber Risk & Data Security, Of Interest to Non-US Persons, France, GDPR, EU

  • OFAC sanctions Nicaraguan officials connected to Ortega-Murillo regime

    Financial Crimes

    On January 10, the U.S. Treasury Department’s Office of Foreign Assets Control announced sanctions pursuant to Executive Order 13851 against six Nicaraguan government officials. The sanctions, taken in conjunction with EU sanctions adopted the same date, relate to Nicaraguan President Daniel Ortega and Vice President Rosario Murillo’s regime’s ongoing “subjugation of democracy through effectuating sham elections, silencing peaceful opposition, and holding hundreds of people as political prisoners.” Complementing OFAC’s actions, the State Department “impose[d] visa restrictions on individuals complicit in undermining democracy in Nicaragua, including mayors, prosecutors, and university administrators, as well as police, prison, and military officials.” As a result of the sanctions, all property and interests in property of the sanctioned persons subject to U.S. jurisdiction are blocked and must be reported to OFAC. Additionally, “any entities that are owned, directly or indirectly, 50 percent or more in the aggregate by one or more of such persons are also blocked.”

    Financial Crimes, Of Interest to Non-US Persons, OFAC, Department of Treasury, OFAC Sanctions, OFAC Designations, SDN List, EU, Department of State

  • Global tech corporation fined for GDPR violations fends off daily fines

    Privacy, Cyber Risk & Data Security

    According to sources, the Luxembourg President of the Administrative Tribunal issued an ordinance on December 17 partially suspending a July decision issued by the Luxembourg National Commission for Data Protection (CNPD) against a global technology corporation for alleged violations of the EU’s General Data Protection Regulation (GDPR). As previously covered by InfoBytes, the CNPD fined the corporation €746 million (approximately $888 million), issuing a decision against the corporation’s European headquarters, claiming the corporation’s “processing of personal data did not comply with the [GDPR].” The decision—which required corresponding practice revisions, the details of which were not disclosed—followed an investigation started in 2018 when a French privacy group claiming to represent the interests of Europeans filed complaints against several large technology companies to ensure European consumer data is not manipulated for commercial or political purposes. The December ordinance suspends orders that required the corporation to make a number of changes to its data processes by January 15 or risk additional daily fines. Sources stated that the CNPD’s order “had not been formulated in clear, precise and free of uncertainty terms” that would allow the corporation to meet the conditions. The corporation’s appeal is still pending.

    Privacy/Cyber Risk & Data Security, Luxembourg, Of Interest to Non-US Persons, GDPR, EU, Enforcement

  • Norwegian Data Protection Authority fines U.S. dating app $7.1 million for alleged GDPR violations

    Privacy, Cyber Risk & Data Security

    On December 13, the Norwegian Data Protection Authority issued a reduced administrative fine against a U.S. company operating a GPS-based mobile dating app for allegedly violating the EU’s General Data Protection Regulation (GDPR). The regulator’s 2020 complaint stated that the company allegedly forced users to accept a full privacy policy in order to use the app, rather than providing users the option to independently and specifically consent to the sharing of their data with third parties and the company’s other data processing operations. This consent mechanism, the regulator claimed, “infringed most of the requirements for valid consent” under GDPR Articles 4(11), 6(1)(a), 7 and 9(2)(a). According to the regulator, the company allegedly shared user data with third parties for marketing purposes, including IP addresses, GPS location information, gender, age, and device information, among others, without a valid legal basis and disclosed “special category personal data to advertising partners without a valid exemption.” The regulator reduced the originally proposed $11.1 million fine to approximately $7.2 million, noting that the company’s efforts “to remedy the deficiencies in [its] previous [consent mechanism were] a mitigating factor.” However, the regulator noted that the company benefited financially from its GDPR violations, which was an “aggravating factor” in its deliberations.

    Privacy/Cyber Risk & Data Security, GDPR, EU, Enforcement, Norway, Of Interest to Non-US Persons
