New Regulations
Activities Presenting New International Privacy Issues
Suggested Action
New Regulations
While the Gramm-Leach-Bliley Act mandated that required privacy notices be mailed by July 1 2001, this date is realistically viewed as the beginning of new compliance concerns for financial institutions with US operations rather than as an end to obligations. New leadership in the Senate and new privacy initiatives in California and other states suggest that there will be a renewed focus on such privacy issues as identity theft, data aggregation services and financial institution liabilities for failure to protect a customer's rights to privacy.
In addition, new privacy laws being implemented around the world impose additional and sometimes conflicting requirements on international banks and other financial institutions with international operations. The scheduled review of the European Union Data Protection Directive, the adoption by the European Commission of burdensome model contract clauses and the proposed new Japanese privacy law are only a few examples of heightened scrutiny of privacy issues. A general threshold issue that will need to be addressed in the United States and elsewhere is a fundamental difference in the approach to rights to information privacy. In the United States the focus to date has been on the protection of customer information. Elsewhere, protection of privacy relates to customer information, business contract information and, increasingly, employee information.
Activities Presenting New International Privacy Issues
Numerous activities of international banks might give rise to potential violations of the EU Data Protection Directive. Many international banks routinely share customer or transaction information between and among branches, head office, subsidiaries and affiliates within and outside the European Union. Other banks engage in securitization transactions where portfolios of consumer or business loans might be transferred to a special purpose entity located outside the European Union. Private banking activities might result in management of a French customer's assets in the United States. Lending activities might involve loans to EU-based borrowers by US-based branches or subsidiaries.
With respect to the transfer of protected data from EU countries to the United States, further issues may arise. For example, a bank may be required under US money laundering laws to file suspicious activity reports (SARs) with US law enforcement authorities if circumstances indicate that there is reason to suspect that a customer may be using a bank to facilitate illegal activities. EU jurisdictions might require SAR-type filings with local authorities but would typically strictly forbid disclosure to anyone about such filings and subject anyone who did disclose such information (even to certain other regulators) to severe penalties. The US Office of Foreign Assets Control regulations also present concerns because of their extra-territorial effect.
In many cases international banks either headquartered in the European Union or having branches or subsidiaries located in EU countries will conduct significant cross-border business through US-based entities. Customer information transferred (even inadvertently) from EU offices to the United States might be subject to subpoena by banking regulators, law enforcement authorities or parties to civil litigation. Complying with such US orders might constitute a violation of the directive.
Issues such as those noted above led to the proposal of a 'safe harbour' for US banks (and other companies) that adhere to certain safe harbour principles and requirements. On May 31 2000 the EU member states unanimously approved the safe harbour arrangement. Nonetheless, the safe harbour requirements can be quite onerous and generally represent a compliance challenge for international banks. Among the seven privacy principles that must be followed to meet the safe harbour requirements are principles relating to notice, choice, transfers to third parties, security, integrity of data and enforcement. As an alternative to meeting the safe harbour requirements, some financial institutions have chosen to adopt the approach of entering into special model contracts negotiated between a company exporting and a company importing data.
Suggested Action
It is important for an international bank to evaluate carefully all domestic and international privacy laws that may affect the conduct of its business. Such a review should be updated continuously because privacy laws are being considered in a number of jurisdictions in addition to those cited. A global privacy review should also consider carefully the effect of anti-money laundering and bank secrecy laws in all jurisdictions where the international bank transacts business. Further, such a review should encompass internet-based customer relationships and transactions as well as those completed through other means. Compliance policies and procedures should be developed to meet the requirements identified through that review. Training programmes should be implemented to educate employees as necessary.
For further information on this topic please contact Connie Friesen at Sidley Austin Brown & Wood LLP by telephone (+1 212 906 2000) or by fax (+1 212 906 2021) or by e-mail ([email protected]).