
InfoBytes Blog

Financial Services Law Insights and Observations


  • Global tech corporation fined for GDPR violations fends off daily fines

    Privacy, Cyber Risk & Data Security

    According to sources, the Luxembourg President of the Administrative Tribunal issued an ordinance on December 17 partially suspending a July decision issued by the Luxembourg National Commission for Data Protection (CNPD) against a global technology corporation for alleged violations of the EU’s General Data Protection Regulation (GDPR). As previously covered by InfoBytes, the CNPD fined the corporation €746 million (approximately $888 million USD), issuing a decision against the corporation’s European headquarters, claiming the corporation’s “processing of personal data did not comply with the [GDPR].” The decision—which required corresponding practice revisions, the details of which were not disclosed—followed an investigation started in 2018 when a French privacy group claiming to represent the interests of Europeans filed complaints against several large technology companies to ensure European consumer data is not manipulated for commercial or political purposes. The December ordinance suspends orders that required the corporation to make a number of changes to its data processes by January 15 or risk additional daily fines. Sources stated that the CNPD’s order “had not been formulated in clear, precise and free of uncertainty terms” that would allow the corporation to meet the conditions. The corporation’s appeal is still pending.

    Privacy/Cyber Risk & Data Security Luxembourg Of Interest to Non-US Persons GDPR EU Enforcement

  • Norwegian Data Protection Authority fines U.S. dating app $7.1 million for alleged GDPR violations

    Privacy, Cyber Risk & Data Security

    On December 13, the Norwegian Data Protection Authority issued a reduced administrative fine against a U.S. company operating a GPS-based mobile dating app for allegedly violating the EU’s General Data Protection Regulation (GDPR). The regulator’s 2020 complaint stated that the company allegedly forced users to accept a full privacy policy in order to use the app, rather than providing users the option to independently and specifically consent to the sharing of their data with third parties and the company’s other data processing operations. This consent mechanism, the regulator claimed, “infringed most of the requirements for valid consent” under GDPR Articles 4(11), 6(1)(a), 7 and 9(2)(a). According to the regulator, the company allegedly shared user data with third parties for marketing purposes, including IP addresses, GPS location information, gender, age, and device information, among others, without a valid legal basis and disclosed “special category personal data to advertising partners without a valid exemption.” The regulator reduced the originally proposed $11.1 million fine to approximately $7.2 million, noting that the company’s efforts “to remedy the deficiencies in [its] previous [consent mechanism were] a mitigating factor.” However, the regulator noted that the company benefited financially from its GDPR violations, which was an “aggravating factor” in its deliberations.

    Privacy/Cyber Risk & Data Security GDPR EU Enforcement Norway Of Interest to Non-US Persons

  • EU and U.S. release statement on Joint Financial Regulatory Forum

    Financial Crimes

    On September 29 and 30, EU and U.S. participants, including officials from the Treasury Department, Federal Reserve Board, CFTC, FDIC, SEC, and OCC, participated in the U.S. – EU Joint Financial Regulatory Forum to continue their ongoing financial regulatory dialogue. Matters discussed focused on six different themes: “(1) market developments and current assessment of financial stability risks, (2) sustainable finance, (3) multilateral and bilateral engagement in banking and insurance, (4) regulatory and supervisory cooperation in capital markets, (5) financial innovation, and (6) anti-money laundering and countering the financing of terrorism (AML/CFT).”

    While acknowledging that both the EU and U.S. are experiencing “robust economic recoveries,” participants cautioned that the uncertainty around the Covid-19 pandemic and the economic outlook has not dissipated. “[C]ooperative international engagement to mitigate financial stability risks remains essential,” participants warned. Participants also explored issues concerning climate-related challenges for the financial sector and mandates for addressing climate-related financial risks, and touched upon the EU’s strategy for financing its transition to a sustainable economy. Regarding financial innovation, participants discussed potential central bank digital currencies and exchanged views on topics such as new types of digital payments, crypto-assets, and stablecoins, with all participants recognizing the “benefits of greater international supervisory cooperation” and “promot[ing] responsible innovation globally.” In addition, participants discussed progress made in strengthening their respective AML/CFT frameworks, “exchanged views on the opportunities and challenges arising from financial innovation in the AML/CFT area and explored potential areas for enhanced cooperation to combat money laundering and terrorist financing bilaterally and in the framework of [the Financial Action Task Force].”

    Financial Crimes Department of Treasury EU OCC Federal Reserve CFTC SEC FDIC Fintech Of Interest to Non-US Persons Supervision Anti-Money Laundering Combating the Financing of Terrorism FATF Climate-Related Financial Risks Bank Regulatory

  • Ireland fines U.S. messaging service €225 million for GDPR violations

    Privacy, Cyber Risk & Data Security

    On September 2, the Irish Data Protection Commission (Commission) announced that a final decision was reached in a General Data Protection Regulation (GDPR) investigation into a U.S.-based messaging service’s handling of individuals’ personal information. The final Article 65 decision, published by the European Data Protection Board (EDPB), imposes a €225 million fine on the company, and resolves an investigation into whether the company met its transparency obligations with respect to its data processing activities. The Commission alleged that the company violated provisions of the GDPR through the way it processed users’ and non-users’ data, as well as in the way it processed and shared data with other companies owned by the parent global social media company.

    According to the final decision, “a number of concerned supervisory authorities” raised objections to aspects of the draft decision, taking issue, among other things, with the size of the proposed fine, which was originally set between €30 and €50 million. Because the Commission was unable to reach a consensus with the objecting concerned supervisory authorities, a dispute resolution process was triggered. The EDPB ultimately ordered the Commission to reassess and increase its proposed fine. In addition to imposing the administrative fine, the Commission also ordered the company “to bring its processing into compliance by taking a range of specified remedial actions.”

    Privacy/Cyber Risk & Data Security Of Interest to Non-US Persons GDPR EU Data Protection

  • SEC, ECB sign MOU concerning security-based swap entity oversight

    Securities

    On August 16, the SEC and the European Central Bank (ECB) entered into a Memorandum of Understanding (MOU) intended to facilitate the consultation, cooperation, and exchange of information connected with the supervision, enforcement, oversight, and inspection of certain security-based swap dealers and major security-based swap entities in EU member states registered with the SEC and supervised by the ECB. These include SEC-registered security-based swap entities participating in the Single Supervisory Mechanism (SSM), the EU’s system of banking supervision, which “is composed of the ECB and the relevant national competent authorities of participating EU Member States.” Among other things, the MOU will “support the SEC’s oversight of the operation of substituted compliance orders that the Commission has issued for security-based swap entities in France and Germany, as well as any future substituted compliance orders for such firms in other EU Member States that participate in the SSM,” to enable an entity to comply with certain Dodd-Frank Act requirements by complying with comparable EU and EU Member State laws. The MOU, which is intended to “foster cooperation” and exchange information between the authorities, states that at the date of execution, “no bank secrecy, blocking laws, or other regulations or legal barriers, should prevent an Authority from providing assistance to the other Authority pursuant to this MOU, or otherwise adversely affect or hinder the operation of this MOU.”

    Securities Swaps Of Interest to Non-US Persons MOUs EU Dodd-Frank

  • Global tech corporation fined $888 million for GDPR violations

    Privacy, Cyber Risk & Data Security

    Recently, a global technology corporation disclosed a €746 million (approximately $888 million USD) fine issued by the Luxembourg National Commission for Data Protection (CNPD) for alleged violations of the EU’s General Data Protection Regulation (GDPR). The corporation’s Form 10-Q for second quarter 2021 states that on July 16, the CNPD issued a decision against the corporation’s European headquarters, claiming its “processing of personal data did not comply with the [GDPR].” In addition to the fine, the decision also requires corresponding practice revisions, the details of which were not disclosed. The corporation noted that the decision is “without merit” and stated it intends to defend itself “vigorously” in this matter. According to sources, the decision follows an investigation started in 2018 when a French privacy group claiming to represent the interests of Europeans filed complaints against several large technology companies to ensure European consumer data is not manipulated for commercial or political purposes.

    Privacy/Cyber Risk & Data Security EU Data Protection GDPR Of Interest to Non-US Persons

  • U.S.-EU release statement on Joint Financial Regulatory Forum

    Financial Crimes

    On March 24 and 25, EU and U.S. participants, including officials from the Treasury Department, Federal Reserve Board, CFTC, FDIC, SEC, and OCC, participated in the U.S.-EU Joint Financial Regulatory Forum to discuss topics of mutual interest, including those related to (i) “next steps” for Covid-19 recovery and for mitigating financial stability risks; (ii) “sustainable finance”; (iii) banking and insurance multilateral and bilateral engagement; (iv) capital market regulatory and supervisory cooperation; (v) regulatory and supervisory developments pertaining to financial innovation, including the importance of promoting ongoing “responsible innovation and international supervisory cooperation”; and (vi) anti-money laundering and countering the financing of terrorism (AML/CFT) issues, including “the potential for enhanced cooperation to combat money laundering and terrorist financing bilaterally and in the framework of [the Financial Action Task Force].” Participants also discussed possible responses to climate-related financial risks, as well as “the progress in their respective legislative and supervisory efforts to ensure a smooth transition away from LIBOR.”

    Financial Crimes Department of Treasury OFAC EU Of Interest to Non-US Persons Covid-19 Climate-Related Financial Risks Fintech Anti-Money Laundering Combating the Financing of Terrorism LIBOR Bank Regulatory Federal Reserve CFTC FDIC OCC SEC

  • Irish Data Protection Commission fines U.S. social networking company for violating GDPR

    Privacy, Cyber Risk & Data Security

    On December 15, the Irish Data Protection Commission (Commission) announced a final decision was reached in a General Data Protection Regulation (GDPR) investigation into a U.S.-based social networking tech company’s actions related to a 2019 data breach that affected users across the European Union. The final decision, published by the European Data Protection Board (EDPB), imposes a €450,000 fine against the company, and resolves an investigation in which the Commission alleged the company violated Articles 33(1) and 33(5) of the GDPR by failing to provide notice about the breach within a 72-hour period and by neglecting to adequately document the breach. According to the Commission, this inquiry is the first “dispute resolution” Article 65 decision (draft decision) under the GDPR, and marks the first decision issued against a “big tech” company. According to the final decision, “a number of concerned supervisory authorities raised objections” to aspects of the draft decision, taking issue, among other things, with the size of the proposed fine, which was originally set between €135,000 and €275,000. The EDPB determined that the objections were “relevant and reasoned” and instructed the Commission to increase the fine to ensure “it fulfils its purpose as a corrective measure and meets the requirements of effectiveness, dissuasiveness and proportionality” established under the GDPR.

    Privacy/Cyber Risk & Data Security Of Interest to Non-US Persons GDPR EU Data Breach

  • Agencies provide no-action relief to facilitate transfers of certain legacy swaps

    Agency Rule-Making & Guidance

    On December 11, the Federal Reserve Board and the OCC issued a joint statement addressing the ability of a covered swap entity to service cross-border clients. (See also OCC Bulletin 2020-108.) As previously covered by InfoBytes, the Fed, OCC, FDIC, FHFA, and Farm Credit Administration adopted an interim final rule (IFR) in 2019 to amend the Swap Margin Rule to assist covered swap entities preparing for the United Kingdom’s withdrawal from the European Union. The IFR addresses the situation where the withdrawal occurs without a negotiated agreement and entities located in the UK transfer existing swap portfolios that face counterparties located in the EU over to affiliates located in the US or the EU. Specifically, the IFR provides that certain swaps under this situation will not lose their “legacy” status—will not trigger the application of the Swap Margin Rule—if carried out in accordance with the conditions of the rule. The OCC notes that the absence of an agreement between the UK and the EU that addresses passporting rights (defined in the joint statement as the “EU’s system of cross-border authorizations to engage in regulated financial entities”) would result in UK entities losing the ability to continue servicing their EU clients when the transition period expires.

    The joint statement explains that the Fed and OCC “will not recommend that their respective agencies take action if a covered swap entity is a party to a legacy swap that was amended under [certain] conditions.” The no-action relief is applicable to the transfer of legacy swaps completed by the later of January 1, 2022, or one year after the expiration of EU passporting rights, unless amended, extended, terminated, or superseded, and is intended “to provide certainty to covered swap entities currently operating in the affected jurisdictions as to the legacy status of transferred swaps in light of the uncertainty regarding whether the EU will agree to a free trade agreement granting UK companies passporting rights related to financial services.”

    Agency Rule-Making & Guidance Federal Reserve OCC Swap Margin Rule Of Interest to Non-US Persons UK EU
