The banker-customer relationship can be classified as an agency contract, which entails that the privacy of the relationship be maintained. In general, an agent owes a duty of care and privacy to his principal.
The milestone case identifying the duty of confidentiality and its principles was Tournier v National Provincial and Union Bank of England. The principles it identified under which a bank is permitted to disclose customers’ information are:
- Where the bank is compelled by law to disclose the information;
- If the bank has a public duty to disclose the information;
- If the bank’s own interests require disclosure; and
- Where the customer has agreed to the information being disclosed.
Furthermore, banks have started incorporating an explicit obligation of confidentiality in their terms and conditions for dealing with customers, and hence confidentiality has become an explicit legal term in the banker-customer contract.
Further rights to confidentiality for a bank’s customer are granted under the DPA 1998, which was enacted in alignment with the EU Data Protection Directive dealing with the protection of persons with regard to the processing of personal information and its free movement.
The DPA 1998 imposes several obligations on a data controller with regard to compliance with the ‘data protection principles’. The controller is obliged to ‘use personal data fairly and legally’ for only those aims which the data is meant for ‘without any changes: to be sufficient, relevant and precise’. Moreover, relevant procedures must be undertaken in relation to unauthorized/illegal usage of data, its damage and/or loss.
Generally, processing of personal information is covered by the Act, while several exceptions are available, very much in line with the principles established in Tournier, where customers’ information can be disclosed due to the following:
- Processing of data for the purpose of national security is exempt from data protection principles; and
- Processing of data for the prevention/detection of crime or for taxation purposes is exempt from protection.
Further, protection is found under the HRA 1998 which incorporates the European Convention for the Protection of Human Rights and Fundamental Freedoms 1950 (ECHR) into English law in the following ways: a) by requiring the English courts to construe all legislation ‘so far as it is possible to do so…in a way which is compatible with the ECHR rights; b) making it unlawful for a ‘public authority’ to act in a way that is incompatible with ECHR rights; c) introducing a procedure whereby the courts can declare legislation incompatible with ECHR rights’. Article 8(1) of the HRA deems any contravention of an individual’s rights as illegal, whereas Article 8(2) provides conditions to be met by the public authorities to avoid illegal use of sensitive personal data.
The FSA 2012, amending FSMA 2000, provides for a financial ombudsman service aimed at helping to settle disputes between consumers and financial institutions such as banks, insurance companies, and finance companies. As case studies show, a minor mistake on the part of a bank may cause serious problems, in particular if the customer is operating a business. It has been observed that minor clerical errors might lead to serious business losses. Hence, banks must weigh the outcome of their actions in terms of ‘losses’ and ‘caused distress and inconvenience’.
Legal Protection of Bank Customer Under Egyptian Law
In comparison to the protection of personal data in the banking sector granted under UK law, Egypt does not have a specific law which regulates the protection of personal data. However, there are several provisions in relation to data protection to be found in various laws and regulations in Egypt. In relation to the financial sector, Egyptian Banking Law No. 88/2003 provides for the confidentiality of customers and their account information, whereas Presidential Decree No. 59/1990 governs the duty of banks to maintain the secrecy of information related to customers’ accounts, deposits and transactions, and not to disclose such information without either the written permission of the customer or a decision rendered by a competent court/body. The Executive Regulations of Mortgage Finance Law No. 148/2001 (amended by Prime Minister Decree No. 465/2005) provide a similar clause which stipulates the confidentiality of the data of the customers of mortgage finance companies. Moreover, further provisions can be found in the Constitution concerning individuals’ right to privacy, as well as in the Civil Code, which governs the collection, use and processing of personal data, whereas Egyptian Civil Status Law No. 143/1994 contains provisions regarding citizens’ civil status data.
It is interesting to note that Egyptian laws and regulations do not provide a definition of personal data or sensitive personal data. The only law that addresses such a definition is Egyptian Labor Law No. 12/2003.
Personal data controllers are required for managing customer and account data in banks, but they are not required by law to take specific measures against unauthorized processing, accidental loss or deletion/damage of personal data. The controller will be held liable if such damage results from his/her omission. Also, there is no mandatory legal requirement in Egyptian law with regard to reporting data security breaches or losses to the competent authorities.
Shall the Banking Information Be Concealed or Revealed?
As Gwendoline Griffiths noted, indeed, ‘disclosure is winning the argument at present’ given recent global initiatives such as the AEOI standard for financial account information (the Standard for Automatic Exchange of Financial Account Information in Tax Matters), accepted by almost 50 jurisdictions, and previous efforts by the US, Germany and the UK to achieve transparency in order to uncover terrorist financing and tax evasion. However, these measures towards increased disclosure create tensions and legal difficulties with regard to the sensitive balance between the legal frameworks governing confidentiality and privacy and the aims of governments in terms of maximizing revenues through tracking tax evaders and cutting terrorism financing at its root. The conflict intensifies in a cross-border context. Taking the example of Egypt (which refused cross-jurisdiction exchange of financial account information), the UK’s right to seek information on a taxpayer is governed by its local laws, whereas the non-resident taxpayer will enjoy confidentiality and data protection under the Egyptian statutes.
Egyptian banks refrain from being caught up in political agendas and the efforts of extraterritorial bodies, as well as from being in the middle of a dispute outside their direct concern, in view of Article 7 of Presidential Decree No. 59/1990 concerning the confidentiality of bank accounts: ‘without prejudice to any stricter penalty, any person violating the provisions of Article 1, Article 2 and Article 5 of the present law shall be liable to imprisonment for a period of no less than one year, and a fine of no less than ten thousand Egyptian Pounds, and not exceeding twenty thousand pounds’. Hence, bank secrecy here is part of the criminal law regime. Jurisdictions where such a legal framework exists might therefore refuse to cooperate in terms of disclosure, except for criminal matters and a legal basis for disclosure, on the premise that disclosure might prejudice sovereignty, security and the state’s interest. Although disclosure is becoming more common, the conflict between ‘confidentiality and disclosure and conflicting national interests will continue’.