The Article 29 Working Party published a letter it sent to the European Commission urging it to consider the data protection and privacy issues when adopting the secondary regulations (‘Regulations’) necessary to implement two European Union financial services laws.

These Regulations are required as part of the implementation of the EU Markets in Financial Instruments Directive (‘MiFID’) and the EU Market Abuse Regulation (‘MAR’). According to the Article 29 Working Party, the Regulations (known as delegated acts and implementing measures), do not effectively deal with privacy concerns. The Article 29 Working Party is concerned that key privacy principles such as proportionality and necessity, data retention limitation and transparency, and the future data protection regulation, appear to have been ignored.

A number of recommendations were set out for both delegated acts, notably:

MiFID:

  • Definition of ‘electronic communications’
  • Clearer understanding of the minimum records kept
  • Limiting data retention periods to only what is necessary
  • Ensuring data subjects are informed when being recorded, and requiring data controller to ensure confidentiality and security of personal data by appropriate measures

MAR:

  • Clarification as to the legal basis for recording telephone conversations
  • Set a maximum data retention period (not minimum)
  • Again, ensuring data subjects are informed when being recorded, and requiring data controller to guarantee confidentiality and security of personal data by appropriate measures

The lack of data protection guidelines in industries where data is a valuable commodity is concerning. Many appear to be unaware of the importance of protecting data, and as technology evolves, governance should follow. The Article 29 Working Party is likely to continue sending such letters across industries to ensure personal data is protected.