InfoBytes Blog

Financial Services Law Insights and Observations

  • Special Alert: Cross-Border Data Transfers Significantly Impacted by EU Court Decision Invalidating Adequacy of U.S.-EU Data Protection Safe Harbor Framework

    Privacy, Cyber Risk & Data Security

    On October 6, the Court of Justice of the European Union (CJEU) in Schrems v. Data Protection Commissioner (“Schrems”) declared “invalid” a decision of the European Commission that the United States-European Union Safe Harbor framework (Safe Harbor) provides adequate protection for personal data transferred from the European Union (EU) to the United States (U.S.). Thousands of U.S. companies have registered with the U.S. Department of Commerce in order to permit the transfer of personal data from the EU to the U.S.

    The EU’s 1995 Data Protection Directive (Directive) requires that the transfer of personal data from an EU country to another country take place only if the other country ensures an adequate level of data protection. For the past 15 years, per a 2000 decision by the Commission of the European Communities, U.S. companies participating in Safe Harbor have been deemed to meet adequacy standards. Advocate General (AG) Yves Bot of the CJEU issued an opinion in September (“AG Opinion”) calling that 2000 decision invalid. AG Bot’s opinion declared that the existing framework governing that exchange of data fails to “ensure an adequate level of protection of the personal data which is transferred to the United States from the European Union” because that framework, in AG Bot’s view, contains holes that can allow access to Europeans’ personal data by the NSA and other U.S. security agencies. “[T]he law and practice of the United States allow the large-scale collection of the personal data of citizens of the [EU] which is transferred under the [framework] without those citizens benefiting from effective judicial protection.” And while the FTC and private dispute resolution providers have the power to monitor possible breaches of the framework by private companies, neither has the power to monitor possible breaches by U.S. security agencies. AG Bot stated his belief that, even with an adequacy decision, national Data Protection Authorities retain the power to assess the sufficiency of national data protection regimes outside the EU to which personal data will be transferred.

    In Schrems, the CJEU, shortly following the AG Opinion, considered the following two questions:

    1. Are national DPAs bound by adequacy findings of the European Commission with regard to the transfer of personal data to a third country outside the EU?
    2. May or must a national DPA conduct his or her own investigation of the matter in the light of factual developments in the meantime since that Commission decision if a complaint from a data subject regarding the transfer is received?

    In responding to the two questions, the CJEU largely agreed with AG Bot’s opinion, though in language more temperate than the Bot opinion. The CJEU opinion states that:

     

    a decision adopted pursuant to Article 25(6) of [the Data Protection Directive], such as [the decision on adequacy for the Safe Harbor framework], by which the Commission finds that a third country ensures an adequate level of protection, does not prevent a supervisory authority of a Member State, within the meaning of Article 28 of that directive, from examining the claim of a person concerning the protection of his rights and freedoms in regard to the processing of personal data relating to him which has been transferred from a Member State to that third country when that person contends that the law and practices in force in the third country do not ensure an adequate level of protection.

     

    The CJEU found that the “term ‘adequate level of protection’ must be understood as requiring the third country in fact to ensure, by reason of its domestic law or its international commitments, a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed within the European Union by virtue of [the Data Protection Directive] read in the light of the Charter.” In light of well-publicized revelations regarding intelligence gathering by U.S. government agencies and that some of that intelligence gathering involved information transferred by companies from Europe to the U.S., the CJEU found that adequate protections for personal data could not be “ensured” in the U.S. for personal data transferred under Safe Harbor.

    Negotiations are underway for a new Safe Harbor. The Obama Administration stated that it is “deeply disappointed” with the CJEU decision, with Commerce Secretary Pritzker noting that the decision “creates significant uncertainty for both U.S. and EU companies and consumers, and puts at risk the thriving transatlantic digital economy.”

    Impact to Clients

    Business entities currently relying on Safe Harbor as a transfer mechanism for personal information will need to evaluate alternative transfer mechanisms. Model contracts (contracts containing standard contractual clauses approved by the European Commission) are a viable alternative; however, multiple contracts may be required to effectively cover all of the transfers addressed by a single Safe Harbor certification. While data subject consent is another option, businesses should be aware that Data Protection Authorities and the Article 29 Working Party (which provides guidance on implementing EU Data Protection requirements) generally do not approve of consent as a transfer mechanism for large-volume or repeating transfers of EU-sourced personal information. Binding Corporate Rules (BCRs) may provide a longer-term option, but their scopes of implementation and requirement for national DPA approval make them impractical as an immediate solution.

    While the consensus appears to be that there will be some grace period for business entities to adjust to the ruling, those individuals responsible for compliance with privacy and data protection requirements should move swiftly toward an acceptable method for moving personally identifiable information from the EU to the U.S.

     

    * * *

     

    Questions regarding the matters discussed in this Alert may be directed to any of our lawyers listed below, or to any other BuckleySandler attorney with whom you have consulted in the past.

     

    FTC Privacy/Cyber Risk & Data Security

  • Spotlight on the Military Lending Act, Part 3: Falling in Line with MLA Compliance

    Consumer Finance

    With recent changes in the regulations implementing the Military Lending Act (“MLA”), creditors are now reevaluating their compliance plans to ensure they are prepared for the new regulations.  Although there is no formal guidance on what federal regulators will look for in reviewing MLA compliance, the commentary that accompanied both the proposed and final rule gives some insight as to where regulators will focus examination and enforcement resources.  Below, we discuss some of these likely areas of focus, and offer suggestions for how institutions can prepare for regulatory scrutiny.

    Determining military service and MLA safe harbor provisions

    The MLA only applies to a “covered borrower,” which is either a servicemember (as defined under the MLA) or a servicemember’s dependent.  The MLA provides two safe harbors to determine if a consumer is a covered borrower:  (1) a set of results from the DoD’s MLA database, or (2) a military status indicator in a consumer report.

    Although both of these approaches are optional—and a creditor may use a different method to determine if an individual is eligible for MLA protection—they provide several benefits.  They are both determinative, so even if the borrower is in fact a servicemember, a safe harbor check that shows otherwise will govern.  Both checks can also be done without inconveniencing the consumer or requiring them to attest to their military status.

    However, these safe harbor approaches are only effective if the results are actually retained by the creditor.  Since military status checks must be performed at origination, we recommend that the results of these checks be retained with the origination documents.  Not only does the outcome of the military status check determine the substantive terms of the actual credit obligation, but by keeping all of these documents together, a creditor can ensure that all of the governing origination documents are in a single, secure location.

    Ancillary products and calculation of the Military APR (“MAPR”)

    In crafting the new MLA rules, the Department of Defense expanded the list of items to include in calculating the MAPR.  One of the most significant changes is the addition of fees paid “for a credit-related ancillary product sold in connection with the credit transaction.”  Although the MAPR limit is 36%, ancillary product fees can add up and—especially for accounts that carry a low balance—can quickly exceed the MAPR limit.  This broad definition of the interest rate under the MLA also coincides with the expansive approach that federal regulators have taken regarding enforcement of the interest rate limitations under another military protection statute, the Servicemembers Civil Relief Act.  The CFPB has made no secret of the fact that it reviews add-on products closely, and we expect the Bureau to use the MLA as another method of targeting ancillary products.

    Prohibition against mandatory arbitration

    Although most of the focus has been on the revised MAPR requirements in the new rules, the MLA has prohibited mandatory arbitration for eligible accounts since 2007.  While this provision remains the same under the new MLA rules, what has changed since 2007 is a renewed focus on mandatory arbitration by federal regulators.  Since the CFPB’s creation in 2011, mandatory arbitration—and its impact on consumers—has been a key area of focus for the Bureau.  With the CFPB’s Office of Servicemember Affairs closely watching any practices that may harm military borrowers and the Bureau’s overall focus on arbitration, we expect the arbitration provisions of the MLA to become a keen area for regulatory review.

    MLA disclosure requirements compliance

    Finally, the MLA imposes special disclosure requirements for eligible loans.  While most creditors are familiar with the Truth in Lending Act (“TILA”) and Regulation Z disclosure requirements, the MLA also requires that the servicemember receive “a statement of the MAPR applicable to the extension of credit.”  This disclosure must be provided before or at the same time that the servicemember enters into the transaction.

    To ensure compliance with the MLA, we recommend a streamlined, product-specific set of disclosures that an MLA-eligible consumer can receive at origination.  To protect against borrower claims of insufficient disclosures and post hoc regulatory scrutiny, we recommend that creditors retain copies of the MLA disclosures along with the original check of the MLA website and credit agreement.

    SCRA Military Lending Act Ancillary Products Sasha Leonhardt

  • CFPB Considering Proposals to Limit Pre-Dispute Arbitration Agreements for Consumer Financial Products and Services, Convenes Small Business Review Panel Seeking Feedback

    Consumer Finance

    On October 7, the CFPB issued proposals to limit the use of mandatory pre-dispute arbitration agreements, which it contends are often used to evade class action litigation. Under the proposals, the Bureau would seek to prohibit the use of pre-dispute arbitration agreements in consumer financial contracts, unless the agreements explicitly state that the agreements are not applicable to cases filed as class actions, class certification is denied by a court, or class claims are dismissed by a court. While not prohibiting pre-dispute arbitration agreements in their entirety, for companies that elect to use arbitration agreements in consumer financial contracts, the proposals would require that companies submit to the CFPB arbitration claims filed by consumers and any monetary awards issued therefrom. Furthermore, the CFPB is considering publishing the information submitted by companies on its website.

    The Bureau also stated that it will convene a Small Business Review Panel, representing the initial step of a potential rulemaking. The Panel is expected to provide feedback on the impact of the proposals set forth by the Bureau and offer possible alternatives to address arbitration agreements in consumer financial contracts.

    CFPB Arbitration

  • CFPB Issues TRID FAQs to Help Borrowers Understand the New Mortgage Process

    Lending

    On October 5, the CFPB posted on its blog six FAQs to assist borrowers in understanding the TRID rule and how the new process attempts to make the mortgage process easier. The post comes in light of the TRID rule becoming effective on October 3 and addresses the new required federal disclosures for most mortgages, along with lenders’ requirement to provide a Closing Disclosure at least three business days before consummation. The FAQs also clarify instances where a second three-day review period is required once a Closing Disclosure is received.

    CFPB TRID

  • GSEs Provide Guidance Regarding TRID Compliance

    Consumer Finance

    On October 6, Fannie Mae and Freddie Mac issued guidance stating that both GSEs, under the direction of the FHFA, “will not conduct routine post-purchase loan file reviews for technical compliance with the TRID Rule,” providing a “transitional period” for lenders to update their operational systems to adhere to the Rule’s requirements. However, the GSEs cautioned lenders that they “expect lenders to make good faith efforts to comply with TRID” and will evaluate whether lenders issued the new required disclosure during the mortgage origination process. Moreover, the guidance explains that “failure to use a TRID-required form” will be viewed as a violation, subjecting the loan to all contractual remedies, including repurchase.

    Freddie Mac Fannie Mae TRID Mortgage Origination

  • CSBS' Multi-State Mortgage Committee: Mortgage Companies Must Comply with Technology-Based Examination Process

    Lending

    On September 29, the Conference of State Bank Supervisors (CSBS) and the Multi-state Mortgage Committee (MMC) released a bulletin titled, “Supervisory Expectations Regarding the Use of Electronic Examination Tools.” The bulletin explains the MMC’s use of electronic examination tools and the supervisory expectations for mortgage companies undergoing the state examination process. As a result of a 2008 initiative by the MMC, state regulators have been using technology to review loan transaction data for years, originally setting the expectation that companies fully participate with the process by 2011. According to the bulletin, however, “the mortgage industry has regularly failed to provide clean data in a format acceptable to the regulators’ technology platform.” As a result of this non-compliance, the MMC recommended that, going forward, state regulators take enforcement action against companies that are unable to provide accurate data in a timely fashion, so as to ensure a “more efficient and timely regulatory process.”

    Examination CSBS

  • Bristol-Myers Squibb Pays $14 Million to SEC to Resolve China FCPA Offenses

    Federal Issues

    On October 5, the SEC announced a settlement with Bristol-Myers Squibb to resolve allegations that the pharmaceutical company’s Chinese joint venture, BMS China, gave cash, jewelry, and other benefits to health care providers in order to boost prescription sales at state-owned or controlled hospitals. The SEC proceeded via an administrative cease and desist order. The SEC’s order found that the company violated the internal controls and books and records provisions of the FCPA. Bristol-Myers consented to the SEC’s order without admitting or denying the findings, and agreed to disgorge profits of $11.4 million plus $500,000 in pre-judgment interest and pay a civil penalty of $2.75 million. Bristol-Myers also agreed to report to the SEC for two years regarding the status of its efforts to implement anti-corruption compliance controls.

    The SEC’s order states that Bristol-Myers failed to investigate red flags and claims by terminated BMS China employees that raised the possibility that sales personnel were making improper payments. The order also states that Bristol-Myers was too slow to fill gaps in its internal controls regarding interactions with health care providers.

    FCPA SEC Enforcement China

  • Kinross Gold Discloses FCPA Investigation by SEC and DOJ

    Federal Issues

    On October 2, Canadian mining company Kinross Gold Corp. announced that the SEC and DOJ are investigating potentially improper payments to government officials in West Africa. The company’s announcement states that it received subpoenas from the SEC in 2014 and 2015, and a request for information from the DOJ in December 2014. The subpoenas came after the company launched an internal investigation in August 2013 to investigate a whistleblower complaint alleging improper payments to government officials and internal control deficiencies in the company’s West African mining operations.

    FCPA SEC DOJ

  • Former CEO of Siemens-Argentina Pleads Guilty to FCPA Offenses

    Federal Issues

    On September 30, the former CFO of Siemens S.A.-Argentina pleaded guilty in a federal court in New York to conspiring to pay nearly $100 million in bribes to Argentinian officials. The former executive, Andres Truppel, who is a German and Argentinian citizen, pleaded guilty to conspiracy to violate the antibribery, internal controls, and books and records provisions of the FCPA, and conspiracy to commit wire fraud. As described in the U.S. Attorney’s Office for the Southern District of New York’s press release, the violations stemmed from Siemens’ bid to win an Argentine government contract worth $1 billion to create a national identity card system. Mr. Truppel faces up to five years in prison and three years of supervised release when he is sentenced; there is no information on when sentencing will occur.

    Truppel was one of eight former Siemens executives indicted in 2011 on charges of conspiring to violate the FCPA and other statutes (see previous BuckleySandler coverage here and here). Siemens itself reached a record $800 million resolution in 2008 with the DOJ and SEC related to FCPA violations in numerous countries, including Argentina. Siemens S.A.-Argentina pleaded guilty to conspiracy to violate the FCPA’s books and records provisions as part of that resolution.

    FCPA DOJ

  • Hyperdynamics Resolves FCPA Investigation with SEC Settlement

    Federal Issues

    On September 29, Hyperdynamics Corp. announced a settlement with the SEC, fully resolving the SEC’s FCPA investigation into the Houston-based oil and gas company’s operations in the Republic of Guinea. The SEC proceeded via an administrative cease and desist order. Hyperdynamics consented to the SEC’s order without admitting or denying the findings, and agreed to pay a $75,000 penalty. The SEC’s order describes books and records and internal control offenses based on the lack of supporting documentation related to $130,000 the company paid for public relations and lobbying services in the Republic of Guinea during 2007 and 2008.

    Hyperdynamics first disclosed that the DOJ was investigating alleged FCPA violations by the company in the Republic of Guinea in 2013. In May of this year, the company announced that the DOJ’s investigation had concluded without enforcement action, and released the DOJ’s declination letter, which noted Hyperdynamics’s cooperation with the investigation. At that time, the company acknowledged that a parallel SEC investigation was ongoing. Previous BuckleySandler coverage of this investigation can be found here.

    FCPA SEC Enforcement
