How does the regulation of data in your jurisdiction impact on the provision of financial services to consumers and businesses?

Fintech (2nd edition)

Belgium

By their digital nature, fintech initiatives are very often exposed to data protection issues. With regard to the protection of personal data, the most important regulations are the GDPR (Regulation 2016/679 of 27 April 2016), the ePrivacy Directive (Directive 2002/58/EC of 12 July 2002) and the provisions transposing this Directive into Belgian law. The Belgian legislator has also adopted the Belgian Data Protection Act of 30 July 2018, which partially incorporates the generally applicable provisions of the GDPR and partially provides for additional provisions. The laws mentioned above, however, do not specifically address data protection within the context of providing financial services.

For the processing of data within the context of open banking in particular, it is generally agreed that the PSD2 and the GDPR are jointly applicable. According to the Belgian transposition of the PSD2, the processing and storage of personal data necessary for the provision of payment services by the payment service provider can only take place with the explicit consent of the payment service user. It is assumed that this explicit consent under the transposition of the PSD2 is a mere contractual consent and does not have to comply with the strict conditions for valid explicit consent under the GDPR, as this would impose significant additional (practical and financial) responsibility on the bank. Parties to a framework agreement may agree that the explicit consent of the payment service user to the access, processing and storage of personal data – this being necessary for the provision of payment services, and falling within the scope of the framework agreement concerned – is effectively given through the consent to the execution of the payment transactions.

However, as the GDPR applies to these processing activities, the bank should always process the personal data on a legitimate basis (e.g. necessity for the performance of a contract) and should at all times respect all principles of lawful processing. Therefore, the bank should ensure that the personal data is processed in a manner that ensures appropriate data security and integrity, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (e.g. through pseudonymisation or encryption of personal data).

Bermuda

With the implementation of the General Data Protection Regulation (GDPR) in the European Union and the pending implementation of the Personal Information Protection Act 2016 (PIPA) in Bermuda, organisations in the financial services sector have been striving to ensure compliance with relevant data protection legislation and regulations in Bermuda. PIPA delineates conditions required to be met in order for an organisation to use personal information, as well as the obligations of an organisation’s privacy officer for compliance purposes.

Brazil

Open Banking is based on the assumption that the customer’s data belongs to the customer, not to the financial – or any other – entity. Therefore, it is the client’s decision to share his/her information.

That being said, on August 14, 2019, Brazil enacted its first data protection legislation, Law No. 13,709, dated as of August 14, 2018 (“LGPD” or “Law 13,709/18”), which provides for data protection of individuals. The LGPD was largely inspired by the European General Data Protection Regulation (“GDPR”) and brings deep changes in the conditions for processing personal data in Brazil. The LGPD is applicable to any activity that involves the processing of “personal data”, which is defined as any information related to an identified or identifiable natural person.

Furthermore, financial institutions, specifically, are regulated by Supplementary Law No. 105, dated as of January 10, 2001 (“Lei do Sigilo Bancário” or “Bank Secrecy Law”, in a free translation), which dictates the best practices when dealing with customers’ transactional data. Even though the Bank Secrecy Law preceded Law 13,709/18 by almost two decades, one can find explicit provision regarding sensitive information (or “sensitive data”, as transactional data is defined by LGPD) in its scope.

Therefore, data protection practices determine that financial institutions must request permission from their customers, in the most explicit and informative way, to share their data. Once this consent is given, financial institutions are free to share the data for the purposes to which the customer has agreed. It is worth mentioning that any treatment of data that does not fit the scope to which the customer gave consent must be preceded by another authorization regarding that specific sort of treatment.

Chile

Chilean regulation on personal data protection (Law N° 19.628 regarding private life protection), which regulates the transmission, treatment, and storage of personal data, does not have a serious impact on the provision of financial services. Although this law regulates the processing of personal data, it is deficient at granting adequate protection to personal data, does not conform to the OECD standards, and is decidedly less strict than the European General Data Protection Regulation (GDPR).

For this reason, there is currently a bill submitted to the Chilean Congress that seeks to extend privacy protections. The bill proposes to create an agency, or assign to an existing agency, the task of oversight and inspection, while also facilitating the beneficial and innovative uses of the data in evolving business and technological environments.

United States

Data privacy regulations add layers of compliance concerns to the provision of financial services to consumers and businesses. Many parties that may not think of themselves as regulated financial institutions may in fact handle financial data or be a part of the transaction flow, which results in potential compliance obligations relating to data security as well as consumer protection regulation requiring consents and disclosures to users of the service. As financial services rely on multiple parties controlling and sharing data, including fintechs, cloud service providers, and incumbent financial institutions, there is an increased risk that data may be compromised in financial transactions.

At a federal level, the primary regimes that protect privacy and govern the regulation of data stem from the Gramm-Leach-Bliley Act (GLBA), the Right to Financial Privacy Act (RFPA), the Bank Secrecy Act (BSA), the Fair Credit Reporting Act (FCRA), and the USA PATRIOT Act. Generally speaking, these regimes require customer notice and stipulate limitations on how data can be used. States also impose regulations relating to the collection, handling, and use of personal data. For instance, beginning on January 1, 2020, the California Consumer Privacy Act (CCPA) will go into effect and impose sweeping restrictions on the handling of California residents’ data. In addition, all fifty states have implemented data breach notification laws.

The totality of these regulations requires financial institutions to be more transparent and put in place numerous controls and procedures to ensure continued compliance. Finally, many financial services providers offer services to customers in foreign countries, resulting in additional compliance obligations with foreign data privacy laws such as the European Union’s General Data Protection Regulation (GDPR).

China

The main data protection legislation in China is the PRC Cybersecurity Law and the PRC Law on the Protection of Consumer Rights and Interests, which set out the data protection requirements for network operators, though some other, general legislation concerns data protection as well. For example, illegally collecting, using, processing or transferring personal data is not allowed under civil legislation, and criminal legislation also establishes offences related to infringing citizens’ personal data and privacy, such as the offence of sharing legally collected personal information of citizens without their consent, the offence of refusing to fulfil information network security responsibilities and the offence of stealing, purchasing or illegally disclosing other people’s credit card information. Sector-specific legislation, including in banking, insurance, credit information and other sectors, also sets out rules for protecting data. For example, the Law of the People's Republic of China on Commercial Banks, revised in 2015, stipulates principles of confidentiality for commercial banks to follow in handling individual savings deposits, while the Tentative Measures for the Administration of Personal Credit Information Basic Database, issued in 2005, requires commercial banks and credit information service centres to establish strict internal control and operational procedures to ensure the security of personal credit information, the scope and method of collecting personal credit information in personal credit databases, the ways for individuals to obtain their credit report, etc.

Such legislation and other relevant supporting regulations, including but not limited to the Measures for Administration of Classified Protection of Information Security and Measures for the Security Review of Network Products and Services (Trial), set out rules for providing financial services to consumers and businesses. For example, (i) network operators must publish the rules for collecting and using personal data, and expressly notify users of the purpose, methods and scope of such collection and use; and (ii) the collecting and using of personal data should abide by the principle of ‘legitimacy, rightfulness and necessity’, which means only collecting personal data relevant and necessary for the provision of services, and only processing the minimum type and amount of personal data necessary to fulfil the purpose that the data subject has given consent for, and processing of personal data should be within a proper and necessary scope.

The Chinese government is treading carefully, anxious not to slow down innovation, instead establishing frameworks and promulgating regulations that support economic growth and at the same time offer greater protection to consumers. China’s cyber security laws and regulations have led fintech firms to strengthen their investments in privacy protection and cybersecurity in order to promote compliance and internal control, so that consumers will be protected while they are enjoying more convenient and cheaper financial payment services brought by fintech innovation.

United Kingdom

The main piece of legislation around data is the General Data Protection Regulation (GDPR), which has been incorporated into UK law as the Data Protection Act 2018 (DPA). As in other jurisdictions within the European Union, the GDPR is an evolution of the previous legislation around data protection and in many ways codifies and puts on a mandatory footing what was already best practice in relation to the treatment of personal data. The scope of data covered by the GDPR is broader than under the previous legislation, in ways that are likely to be relevant for a number of fintech business models. For instance, GDPR explicitly includes biometric data within the scope of the “personal data” it governs, which is likely to be of relevance to those providing identity verification or authentication services. It also includes location data, which may well be relevant to fintech providers that are operating mobile-based services.

Among the many other obligations emanating from GDPR around the treatment of personal data, some of the most important for early-stage fintechs to consider are the obligations in Article 25 around data protection by design and by default. These entail the building of systems and processes in a way that integrates data protection principles as a matter of technical architecture and process management. One aspect of this is ensuring that personal data is stored in such a way that it is only seen by people who really need to see it, using techniques such as data minimisation and pseudonymisation, meaning that having one single repository of all customer data is unlikely to be acceptable. Existing large organisations, both within and outside the financial services arena, have had to put a large amount of effort into complying with these requirements; new fintechs have an opportunity to get this right from the outset.

Another key focus of GDPR is transparency and accountability. This means that organisations handling personal data have to be very explicit and clear with their customers and their employees about the personal data they are collecting and how they are using it, and have to keep clear records of the same. There are also obligations to include in contracts with data processors (for instance subcontractors for IT services) specific obligations that are designed to draw out the detail around the treatment of personal data in the contractual arrangement, in a way that will help to ensure compliance with data protection principles. Organisations which carry out certain types of processing activities are also obliged to appoint a data protection officer who is responsible for monitoring the organisation’s compliance with data protection principles.

As the GDPR is EU-focused legislation, any entity transferring personal data outside the EU will need to apply additional protections to that data. This can take the form of, for example, mutual contractual obligations between the transferring and receiving parties. The use of cloud providers, third-party hosting platforms and data centres are just some examples of where personal data is commonly transferred and stored outside the EU.

The GDPR also places restrictions and obligations on entities using personal data for the purpose of profiling data subjects or making solely automated decisions about them. Profiling and automated decision making can only be carried out in certain circumstances, and data subjects have additional rights in relation to this type of processing, such as the right to object and the right to have any such decision manually reviewed. Technology involving big data, artificial intelligence and machine learning frequently involves profiling and/or automated decision making.

One other area of GDPR which is potentially a great advantage in fintech is the new set of obligations which empower individuals whose data you are holding (“data subjects”) to transfer the personal data you hold about them electronically to another service provider. These “data portability rights” can be very useful for a data-driven fintech company, as they may enable it to some extent to get hold of data collected in the context of other services that might otherwise not be obtainable – in many ways this is a broad data access right that is similar in principle to open banking (see answers to question 4 above). Fintechs planning to transfer or store personal data outside the European Economic Area should be aware of the strict requirements in doing so.

The data protection and privacy regulator in the UK, responsible for enforcing GDPR and the DPA, is the Information Commissioner’s Office (“ICO” – not to be confused with “initial coin offerings”). As with all European privacy regulators, the ICO is empowered to conduct investigations into the application of GDPR, and impose fines or restrictions on processing. The fines for the most serious breaches can be up to EUR 20m or 4% of worldwide turnover; however, most fines are likely to be significantly less than this.

The other major pillar of data regulation in the UK likely to affect fintech is around marketing. This is often confused with being part of GDPR, but is a separate regime that sits alongside it. The UK regulations governing marketing communications are the Privacy and Electronic Communications Regulations 2003, commonly referred to as “PECR” or the “PEC Regs”. These govern the way that organisations deal with marketing calls and messages, including as to how consent for such communications is to be obtained and maintained; they also cover the use of cookies and similar tracking technologies. The PEC Regs are again a UK implementation of a European Directive, known as the e-privacy Directive, which is currently in the process of being amended.

It is worth noting that the above areas of data regulation apply to individuals’ personal data, and while this will cover many of the types of data relevant to fintech, it does not cover everything. For instance, while the laws around open banking refer across to GDPR, the payment account data that they govern will in many cases fall outside the personal data regime, as is the case with much of the payments and finance data of small businesses. There are also other areas of financial services where non-personal data is regulated by different regimes, such as the EU Benchmarks Regulation, but these are more niche in their application.

Colombia

Privacy (Law 1581 of 2009) and habeas data regulation (Law 1266 of 2008) are the main regulatory limitations on the collection, transfer and processing of personal and financial data. General authorization on behalf of the consumer is required for each activity, but is widespread and commonly accepted. However, negative reports on financial behaviour are limited to 4 years after payment, which limits lenders’ ability to establish long-term behavioural credit risk models.

UAE

UAE Onshore

UAE Onshore does not have any specific stand-alone data protection legislation. Data privacy and protection is addressed across a number of separate laws and regulations not specifically focused on data protection. Such legislation encompasses generally applicable laws regarding data protection including those under Federal Law No. 3 of 1987 Promulgating the Penal Code (“Penal Code”) and Federal Law No. 5 of 2012 on Combating Cybercrimes (“Cybercrime Law”) which prohibit disclosure or publication of private information and interception of personal communications. There are also sector-specific applicable laws and regulations regarding data protection available in the labor, telecommunications and finance sectors.

With respect to the provision of financial services, the 2017 Payment Regulations impose the following obligations on PSPs with respect to data protection and privacy obligations, inter alia:

- Not to process or share personal data provided by customers, unless necessary as per AML/CFT laws;
- To store and retain all user and transaction data exclusively within the borders of the UAE (excluding Financial Free Zones), for a period of at least five years from the date of the original transaction; and
- To store details of users’ personal information for at least five years from the date the user relationship is terminated.

Furthermore, Article 120 of the 2018 FIA Law provides that all data and information relating to customers’ accounts, deposits, safe deposit boxes and trusts with “Licensed Financial Institutions” and related transactions shall be considered confidential in nature, and may not be perused, or directly or indirectly disclosed to any third party without the “written permission of owner of the account or deposits, his legal attorney or authorized agent, and in legally authorized cases”.

As illustrated above, it is important that no user or transaction data be stored outside the UAE. The requirements under the 2017 Payment Regulations and 2018 FIA Law are in addition to any other applicable laws and regulations, as well as circulars issued by the UAECB.

Financial Free Zones

In the DIFC, the DIFC Law No. 1 of 2007 and DIFC Data Protection Regulations govern the protection of data. In the ADGM, the Data Protection (Amendment) Regulations 2018 and Data Protection Regulation of 2015 govern the protection of data.

The data protection laws in the DIFC and ADGM impose similar requirements on data controllers and data processors with respect to personal data, including the following, inter alia:

- That processing is done fairly, lawfully and securely for a legitimate purpose; and
- That personal data is kept in a form which permits identification of the data subject for no longer than is necessary.

Legitimate processing of personal data in Financial Free Zones may only be conducted upon one of the below requirements being fulfilled, inter alia:

- The data subject provided its written consent;
- The data subject is provided specific information unless it is reasonably expected that it is already aware of the same;
- It is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- It is necessary for compliance with regulatory and legal obligations to which the data controller is subject;
- It is necessary for a task carried out in the interests of the DIFC/ADGM (as applicable) or other specified authorities; or
- It is necessary for the purposes of the legitimate interests pursued by the data controller or third party or parties to whom the personal data is disclosed, except where such interests are overridden by those of the data subject relating to the latter’s particular situation.

The Financial Free Zones’ data protection laws also include requirements with respect to disclosure to third parties, notification to the competent authority, and rights of data subjects, including right to access, erase, block and object to the processing of personal data.

Each Financial Free Zone has issued its own list of jurisdictions to which the transfer of personal data is permitted. With respect to jurisdictions not included in the list, each Financial Free Zone permits the transfer of personal data to such jurisdictions on the condition that certain requirements are fulfilled, e.g. obtaining the consent of the competent authority or the data subject. The competent authority in the case of the DIFC is the Commissioner of Data Protection, and that in the case of the ADGM is the Registrar.

Taiwan

Currently, there are only two ways for banks to share customer information with third-party services providers under Taiwan law. First of all, the processing of customer information by banks is subject to the Banking Act. The Banking Act requires all banks to keep their customer information in confidence, unless otherwise specified by the law or there is any exceptional circumstance as prescribed by the FSC. Moreover, a bank is only allowed to outsource the operations in relation to customer information to a third-party service provider after it obtains the FSC’s prior approval. A bank shall not transfer customer information to any third party, unless the bank engages such third party to process customer information on its behalf and for its benefits (“Commission Model”). Otherwise, the bank would be deemed to have violated the Banking Act.

On the other hand, the current laws and regulations allow a financial holding company and its subsidiaries to share customer information for joint marketing purposes, and the FSC has designated the FinTech industry as one of the specific industries in which a financial holding company may invest after it obtains the FSC’s approval (“Subsidiary Model”). Nonetheless, the customer information other than names and mailing addresses is only allowed to be disclosed, transferred, or jointly used after written consent from the customers has been obtained (i.e., an “opt-in” consent is required).

Denmark

Regarding the protection of personal data, providers of financial services in Denmark are subject to the EU General Data Protection Regulation (GDPR), as well as the Danish Data Protection Act (In Danish: Lov nr. 502 af 23. maj 2018, databeskyttelsesloven) (the Danish Data Protection Act).

After the implementation of the Revised EU Payment Service Directive (PSD2), the regulation of processing payment data is eased in Denmark; however, the processing is still regulated, and the regulation is applicable to all businesses that process payment data.

It is important to note that the restrictions on processing payment data, cf. the Danish Payments Act (In Danish: Lov nr. 652 af 8. juni 2017 med senere ændringer, om betalinger), are only applicable to data within the definition of payment data in the Danish Payments Act. This means that only data that can be identified to a person and connected to the specific use of the payment service is covered by the Danish Payments Act.

Likewise, data collected clearly separately from the payments is not covered by the Danish Payments Act, and is only regulated through GDPR and the Danish Data Protection Act. Personal data rendered anonymous in such a way that the person can no longer be identified is not regarded as personal data; hence the processing is not subject to data protection regulation.

Processing of payment data is only allowed in connection with:

  1. The completion or corrective actions regarding a payment,
  2. Services that are addressed directly to the user, but only upon request and with an explicit consent from the user,
  3. Depersonalisation of payment data.

Processing used in order to stipulate individual prices and/or terms is excluded from the abovementioned lawful purposes. However, processing concerning individual prices/terms is allowed in conjunction with the performance of a credit rating.

Switzerland

Swiss banking secrecy continues to be an important element of providing financial services in Switzerland. Although Switzerland introduced the Automated Information Exchange (AIA) with a great number of other countries and opened up its banks to direct inspections by foreign regulators (in addition to the normal routes of judicial assistance), client data secrecy is still taken seriously. There is no automatic reporting of client data to state authorities (outside of the AIA). Secrecy provisions include art. 47 Banking Act (the well-known banking secrecy), similar provisions in the Stock Exchange and Collective Investment Schemes Acts, rules in the Civil Code and in the Code of Obligations, provisions in the Criminal Code and in the Data Protection Act. A peculiarity of Swiss data protection law is that today, it still not only protects persons but equally applies to legal entities, which is why data transfers even into the EU may be subject to limitations.

Spain

The PSD2 introduces strict security requirements for the initiation and processing of electronic payments, which apply to all payment service providers, including newly regulated payment service providers. This stricter approach on security should contribute to reducing the risk of fraud for all new and more traditional means of payment, especially online payments, and to protecting the confidentiality of the user's financial data (including personal data).

Notwithstanding, the regulation that deals with data protection issues in Spain is not specific to the financial sector. The relevant law is Organic Law 3/2018, of December 5, which adapts the Spanish data protection legislation to the General Data Protection Regulation (GDPR).

Both the PSD2 and the GDPR were introduced in 2018 as comprehensive sets of legislation focusing on consumer data. However, these regulations were devised with very different approaches in mind:

  • PSD2 opens up the banking market, promoting competition and innovation, but any access to new products and services that involve personal data must comply with GDPR.
  • GDPR seeks to protect personal data and facilitates the exercise of certain rights.

Germany

Since the GDPR came into force in May 2018, the sufficient protection of consumers’ personal data processed by financial service providers has become even more important. The GDPR itself did not create any new obstacles concerning the collection, use or transfer of personal data by financial service providers as such. This is at least the case if any processing of personal data takes place within a contractual relationship with the consumer or the consumer has otherwise given informed consent to the provider. Still, the financial services industry has to pay more attention to the diligent and lawful handling of personal data, as non-compliance with the GDPR can lead to severe fines. German data protection authorities have already initiated a number of proceedings in cases of GDPR breaches, with threatened fines of up to double-digit million EUR amounts.

South Korea

The legal system for personal information protection in Korea is structured on the basis of opt-in prior consent by the user, which has posed considerable obstacles to providing the relevant business structure in practice. In particular, it is understood that there are significant practical limitations on the use of data, as there are disputes regarding the standards for non-identification of personal information for performing data-based business such as utilization of big data.

It is possible that such obstacles and limitations may be removed in the future, as the Korean government has been making continuous efforts to resolve such issues, and relevant legal amendments are pending before the National Assembly. Also, there is a case pending before the court involving the issue of the non-identification standard, which may have an impact on the said issues.

Iceland

Iceland being a party to the EEA, the General Data Protection Regulation (GDPR) was implemented into Icelandic legislation with the Act on Data Protection and Processing of Data (Act on Data Protection) in July 2018. Thus, providers of financial services to consumers and businesses are subject to extensive obligations to ensure adequate data protection in all processing activities pursuant to GDPR. The regulation of data impacts financial service providers by obliging them to adopt certain measures such as (i) ensuring that processing activities are only conducted on a lawful basis and that general principles of data protection are adhered to, particularly in relation to obtaining the consent of a data subject for transferring data to third parties, (ii) creating mechanisms and providing information to data subjects that enable them to utilize their rights pursuant to the GDPR, (iii) ensuring data protection via organisational and technical measures, (iv) ensuring that all processors used are GDPR compliant and (v) ensuring that processes and procedures concerning breach notifications are in place.

Portugal

There are no fintech-specific data laws, but as fintech businesses regularly collect, control and process vast amounts of data (including personal data, notably know your customer (KYC) data), they are subject to data protection rules (notably the General Data Protection Regulation – “GDPR”). The GDPR applies not only to fintech companies established in the EU but also to companies established outside the EU, in case they have European natural person customers and the processing of the customers' personal data is made in the context of the offering of services to those data subjects (regardless of whether a payment is required from the data subjects).

The European Data Protection Board (EDPB) has clarified that the intention to target customers in the EU is key to assess whether entities established outside the EU are subject to the GDPR (according to its Guidelines 3/2018 on the territorial scope of the GDPR, which are currently under public consultation).

The processing of personal data by payment services providers may require customer consent. If that is the case (notably, if the processing of a customer's personal data is not strictly necessary to provide a payment service expressly requested by a payment service user, as the EDPB clarified in its PSD2 Letter to Sophie in't Veld from 5 July 2018), pre-ticked opt-in boxes will no longer be allowed for obtaining valid consent. This is because consent must be expressed either through a statement or by a clear affirmative action from the data subject.

The GDPR places onerous accountability obligations on data controllers (such as payment service providers that are regulated under PSD2) to demonstrate compliance, which is a major paradigm shift in the data protection regime. This includes:

  • Conducting data protection impact assessments (DPIAs) for more risky processing operations (such as those involving the processing of personal data which may be used to commit financial fraud);
  • Notifying personal data breaches to the Portuguese Data Protection Authority (CNPD) through its online form;
  • Implementing data protection safeguards by design and by default.

Another important aspect of data processing in the context of the provision of payment services is the definition of clients' profiles and business segmentation, as well as automated decision-making based on profiling. Automated decisions are generally prohibited if they produce effects concerning the data subject or that significantly affect him/her and are based solely on automated processing of data intended to evaluate certain personal aspects relating to him/her.

The GDPR has introduced new provisions to address the risks arising from profiling and automated decision-making. The GDPR allows this type of decision-making only if the decision is either:

  • Necessary for the entry into or performance of a contract with the customer, or authorised by EU or Member State law that applies to the controller;
  • Based on the individual's explicit consent.

Where one of these grounds applies, additional safeguards must be introduced, and specific information must be disclosed about the automated individual decision-making (including profiling).

There are additional restrictions on using special categories of data (such as health-related data or biometric data) for any processing of personal data, which can ultimately impact the way payment service providers will implement Strong Customer Authentication mechanisms under PSD2’s Regulatory Technical Standards Regulation, as the Regulatory Technical Standards Regulation suggests the use of the payment service users' biometric data in that context.

Without prejudice to the above, it is important to note that the final version of the Portuguese legislation implementing the GDPR has been promulgated by the President of the Portuguese Republic and it shall enter into force soon. Said law brings some additional adjustments or restrictions to the rules set out in the GDPR (notably regarding requirements for allowing the portability and interoperability of financial data, which shall take place, whenever possible, in an open format).

Additionally, CNPD has consistently ruled that financial data is sensitive data (in the sense that it reveals aspects of an individual’s private life) and should therefore be protected under the Portuguese Constitution, which may ultimately affect how Portuguese courts will apply the GDPR rules in respect of said financial data.

Furthermore, Article 16 of the PSELF extends the banking secrecy obligations to payment service providers (and to their agents, workers and representatives), even if they are not credit institutions or financial institutions according to Portuguese banking laws. Breaching banking secrecy rules is a criminal offence.

Banking secrecy rules determine that disclosure of clients' data protected by banking secrecy (including cross-border transfers) is only permitted with prior customer authorisation or if the processing is necessary to ensure one of the following:

  • Compliance with a legal obligation of the payment service provider;
  • The performance of a task carried out in the public interest.

CNPD has already ruled that all personal data processed by a bank is subject to bank secrecy.

In the case of processing clients' data for the purposes of anti-money laundering reporting, the disclosure of specific relevant personal data is based on the fulfilment of a legal obligation. It is therefore not necessary to obtain clients' authorisation for disclosure to the competent authorities.

The concept of "client authorisation" under PSELF and the financial institutions legal framework differs from the concept of "consent" under the GDPR (that is, the inclusion of client authorisation provisions is part of and requisite of the services being provided by payment service providers, and can be included in general terms and conditions, whereas consent for GDPR purposes must be based on an affirmative and explicit action by the client). Therefore, many banks and other payment service providers choose to collect clients' authorisation to disclose information covered by banking secrecy in the context of their general client terms and conditions.

Payment service providers that are authorised as payment institutions under PSELF and those that fall under the definition of e-money institutions are bound by Law No. 83/2017 of 18 August (which transposes the Fourth EU Anti-Money Laundering Directive). Under the Portuguese AML framework, such service providers must (among others):

  • Apply customer due diligence;
  • Report suspicious transactions;
  • Store copies of, or the extracted data from, documents supplied by customers in the context of customer due diligence;
  • Store customer correspondence and any internal or external documents, records and analysis which show AML compliance;
  • Implement adequate internal policies, procedures, controls and training to prevent money laundering.

Lastly, Regulation (EU) 2018/1807 of the European Parliament and of the Council of 14 November 2018 on a framework for the free flow of non-personal data in the European Union, which became applicable last 29th May, applies to all data other than personal data as defined in the GDPR. This may include, in some instances, financial data processed by payment service providers (as clarified in Annex 5 of the European Commission’s Impact Assessment Report on the Regulation). Most notably, the Regulation states that “the Commission shall encourage and facilitate the development of self-regulatory codes of conduct at Union level in order to contribute to a competitive data economy, based on the principles of transparency and interoperability (…) covering, inter alia, the following aspects: (a) best practices for facilitating the switching of service providers and the porting of data in a structured, commonly used and machine-readable format; (b) minimum information requirements to ensure that professional users are provided, before a contract for data processing is concluded, with sufficiently detailed, clear and transparent information regarding the processes, technical requirements, timeframes and charges that apply in case a professional user wants to switch to another service provider or port data back to its own IT systems.”

India

(a) Current data regulatory framework: Data protection in India is currently governed by the Information Technology Act, 2000 read with the Information Technology (Reasonable Security Standards and Procedures and Sensitive Personal Data and Information) Rules, 2011 (SPDI Rules). While the SPDI Rules set out the broad guidelines applicable to processing and storage of customer data by service providers, they are not adequately equipped to address privacy issues and concerns created by modern day technological innovations in delivery and distribution of financial products and services.

(b) Personal Data Protection Bill 2018: The Government of India has proposed a complete overhaul of the data protection regime in India via the draft Personal Data Protection Bill (PDP Bill), which is currently under discussions and is expected to become effective law by the end of this year. The draft PDP Bill has been modelled closely along the lines of the General Data Protection Regulation (GDPR) and adopts its key principles, including fair and reasonable processing, purpose limitation, collection intimation and storage limitation. Financial service providers are currently gearing towards compliance with increased standards of data protection and have started the process of aligning internal data protection systems and controls with what has been prescribed under the PDP Bill.

(c) Data localisation: In addition, the RBI’s circular on storage of payment system data dated April 6, 2018 (read with clarifications issued by the RBI) (Data Localisation Circular) requires all banks and payment system operators to ensure that all data related to payments is stored only in servers located in India. Entities which are required to comply with the Data Localisation Circular are additionally responsible to contractually ensure that any intermediaries or other unregulated entities participating in payment transactions also comply with such localisation requirements. The Data Localisation Circular significantly increases the cost of operation for foreign payment services providers that typically have centralised offshore systems for data processing and storage. The PDP Bill also includes a provision for data localisation of all critical data (the exact scope of which is yet to be finalised).

Peru

The Peruvian legislation on the protection of personal data (Law N° 29733) is definitely less strict than the European data protection legislation (GDPR). Nevertheless, Peruvian legislation is of significant importance for the provision of financial services to consumers in Peru.

One of the main obligations of the Peruvian legislation on the protection of personal data is the requirement to request the consent of the data subjects for the processing of their personal data, including its transfer to third parties, unless such personal data are necessary for the performance of contracts or for the fulfilment of legal obligations, such as compliance with obligations relating to the prevention of money laundering and the financing of terrorism, among other exceptions.

In addition, Peruvian legislation on the protection of personal data requires that data subjects be informed of the purpose for which their data will be processed and of the third parties to whom such data may be transferred, whether or not consent is required.

Israel

In recent years, the regulations relating to privacy protection and the use of information have become stricter and more comprehensive, and the enforcement thereof is more prudent. The limitations address two main aspects: (i) obtaining the client's consent for collecting and storing of information, the uses thereof and the transfer of stored information to third parties and (ii) stricter requirements regarding data security.

In May 2018, the Privacy Protection (Data Security) Regulations came into force. The said regulations address the latter issue. The Privacy Protection Authority issued certain circulars regarding the first issue.

The rules regarding the use of personal information are similar (but not identical) to those of the GDPR.

In general, it is possible to collect and use information, provided that (i) the data subject expressly consents to the collection and information; (ii) the consent is an informed consent (usually – in an opt-in scheme); (iii) the consent expressly defines the type of information collected; (iv) the consent expressly defines the types of uses allowed; (v) in order to allow transfer of data to third parties, there should be an express consent to such transfer, detailing the permitted transferees. In the event that the data will be used for statistical purposes, where the output does not contain information identifiable to any certain individual, the consent can be more general.

The Credit Data Law, 5776-2016 created a database managed by the Bank of Israel which includes credit data of individuals in Israel. There is an opt-out mechanism of the storing of the information in the database and there is an opt-in mechanism regarding the use of information, i.e. only the information of those who have positively given permission to use it shall be used.

The Netherlands

As of 25 April 2018 the European General Data Protection Regulation (GDPR) has replaced the Dutch Data Protection Act. The applicable data protection regime in the Netherlands now follows from the GDPR and the Dutch Implementation Act GDPR (Uitvoeringswet AVG). All companies processing personal data within the meaning of the GDPR have to comply with the requirements laid down in this European Regulation. This regime does not have specific implications for fintech companies; it applies to any type of company processing personal data (which is practically any company nowadays). Depending on the type of fintech company and the manner in which it uses personal data, additional requirements following from sector specific legislation could be applicable, such as the explicit consent requirement under PSD2. If a Fintech company makes use of Big Data and/or artificial intelligence, specific requirements following from the GDPR with respect to profiling apply. Examples of requirements that must be taken into account if the Dutch data protection regime applies are:

  • personal data may only be processed if such processing is done lawfully, fairly and in a transparent manner in relation to the data subjects;
  • a record of processing activities must be put in place; and
  • depending on the risk to the rights and freedoms of natural persons a data protection impact assessment must be carried out prior to the actual processing of the personal data.

Japan

The Act on the Protection of Personal Information (the “APPI”) is a principle-based regime for the processing and protection of personal data in Japan. The APPI generally follows the eight basic principles of the OECD Guidelines on the Protection of Privacy and Transborder Flow of Personal Data. The Act is applicable to all private businesses, including Fintech. Based on the requirements of the APPI, each governmental ministry issued administrative guidelines applicable to the specific industry sectors under its supervision. Fintech businesses must comply with the “Guidelines on Personal Information Protection” that are relevant to the financial services industry.

Jersey

Personal data is critical to the economy of Jersey, which has a strong finance industry that holds and processes large amounts of personal data in connection therewith. Whilst Jersey is not a member of the EU, a large proportion of the personal data processed in Jersey relates to EU citizens. Jersey has taken care to ensure its data protection regime provides a standard of protection for personal data equivalent to those in force within the EU and has enacted legislation to mirror the enhanced requirements of the European Data Protection Directive ("GDPR").[4] Jersey has enacted the Data Protection Authority (Jersey) Law 2018 and the Data Protection (Jersey) Law 2018 (the "DPJL"). The DPJL places a number of restrictions on the provisions of financial services by setting standards for data processing (i.e. by banks and financial institutions), and giving certain rights to data subjects (i.e. bank customers) over their information which is held and processed. This limits the types of products offered to customers (including as to their terms and conditions), limits the ability of financial institutions to market to customers and places restrictions on the back office and administrative operations of financial institutions.

Whilst there is an overlap with PSD and PSD2, this is only to the extent that banks and financial institutions in Jersey choose to operate at the higher PSD/PSD2 compliant standard (as any data transferred as a result of PSD/PSD2 will also be subject to the provisions of GDPR and the data protection regime). PSD and particularly PSD2, if fully adopted in Jersey, would have a significant impact on the provision of financial services both operationally (in terms of technological infrastructure) and commercially in terms of payments and information services offered. This is unsurprising, given that the intention of the legislation was to stimulate competition and innovation for payment services through, among other things, data sharing. Jersey will not, however, be alone in being affected by this legislation (even if not enshrined fully into Jersey law) as open banking will impact the provision of financial services beyond Jersey.

[4] - Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data

Liechtenstein

The General Data Protection Regulation (GDPR), which regulates data protection and privacy for all individual citizens, entered into force in Liechtenstein on 20 July 2018 and is supported by the amended Liechtenstein Data Protection Act. The new regulation introduces new requirements and measures for the handling of customer data and imposes severe penalties for misconduct. The customer has been given more rights concerning their data and better protection against the collection of their data without their knowledge, which has led to difficulties for financial service providers and their business operations.

Consequently, a lot of new technology and the improvement of existing capacities and systems are needed (by established financial institutions) in order to be able to deal with these challenges. This offers companies and institutions, especially fintechs, great business opportunities to develop new solutions and business models or to market their existing solutions. Surveys show that up to 80% of established organisations have purchased or are planning to purchase, in the next 12 months, solutions to these problems (i.e. network activity monitoring, secure enterprise communications, website scanning and cookie compliance etc.).

Mexico

The Data Protection Law applies to private parties, whether individuals or private legal entities, that process personal data, with the exception of:

A. Credit reporting companies, and

B. Persons carrying out the collection and storage of personal data that is exclusively for personal use.

Therefore, the Data Protection Law and its regulations are undoubtedly applicable to financial services entities (including FTIs) in control of personal and financial data, which must adhere to the principles of legality, consent, notice, quality, purpose, fidelity, proportionality and accountability enshrined in the Data Protection Law.

Luxembourg

Luxembourg imposes quite strict rules on financial services providers in terms of professional secrecy. This has some impact on the way those players can outsource certain activities and processes, even on an intra-group level. Outsourcing to entities (in or outside the group), which are not regulated under Luxembourg financial or insurance legislation, in principle requires the consent of the clients of the outsourcing financial services providers. The same holds true for Luxembourg based payment services providers. Furthermore, these actors must abide by different rules issued by the CSSF which are quite similar to those imposed by the European Banking Authority ("EBA") in its 2019 guidelines on outsourcing arrangements. Specific rules exist in relation to IT outsourcing arrangements based on a cloud infrastructure.

Furthermore, like in all EU Member States, Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the "GDPR") is applicable in Luxembourg.

Malta

The regulation of data under Maltese law reflects the provisions of the General Data Protection Regulation (‘GDPR’) which has recently introduced more stringent requirements in relation to the consent which must be provided by data subjects. Consent, based on mere acquiescence or lack of action, is no longer valid for data protection purposes. Under GDPR, consent must be given by a clear affirmative act “establishing a freely given, specific, informed and unambiguous indication of the data subject’s consent to the data processing activities.” The regulation further clarifies the rights of data subjects while introducing new rights, such as the right to be forgotten and the right to data portability. Consequent to GDPR, firms in the financial services industry, as data controllers and processors, are now faced with more onerous obligations. Businesses in the insurance sector have to be cautious that any location data collected for car insurance purposes falls within the scope of the said regulation. In terms of enforcement, GDPR, besides exponentially increasing the amount of the fines issued and widening the scope thereof, further provides the data protection authority in Malta with additional investigative powers.

Malaysia

As mentioned above, all individuals and organizations that process personal data in their dealings must comply with the rules set out in the PDPA except for the Federal Government and the State Government. Any information or data or a chain of information that allows a living individual to be identified is to be dealt with in accordance with the provisions specified in the PDPA. The PDPA gives the individual the following rights in respect of the use of his or her information and data:

a) The right to be told whether their data is processed by an organization;

b) The right to access personal data;

c) The right to rectify personal data;

d) The right to withdraw consent to process personal data;

e) The right to prevent processing likely to cause damage or distress;

f) The right to prevent processing for purposes of direct marketing.

The PDPA provides that if any individual feels that their personal data have been processed in breach of any provision of the PDPA, that individual may make a complaint to the Personal Data Protection Commissioner. The PDPA is able to strengthen personal data protection as a social obligation and to mitigate the risk of misuse and misappropriation of personal data. This is important in order to protect the privacy of an individual, apart from the objective of producing dignified, integral and responsible traders in daily practices hinged on widespread use of e-commerce characteristics.

Singapore

Data collection, use and disclosure are heavily regulated in the financial services industry.

Under the Banking Act (Cap 19), customer information shall not be disclosed by a bank unless expressly provided for under the Banking Act.[10] Disclosure is only allowed under certain circumstances – for instance, if the customer has permitted the disclosure in writing.[11]

Additionally, the transfer and usage of personal data is also governed by the Personal Data Protection Act 2012 (No. 26 of 2012) (“PDPA”). Under the PDPA, there are a number of obligations in respect of the protection and handling of personal data that organisations have to meet.

To this end, MAS has issued a Notice on Cyber Hygiene[12] that sets out cyber hygiene practices that all banks in Singapore have to comply with.

It is likely that these obligations will impose an additional cost on providers of financial services, to ensure that the personal data under their control is properly collected, used and disclosed only in accordance with the law.

[10] Section 47 of Banking Act
[11] Third Schedule of Banking Act
[12] https://www.mas.gov.sg/-/media/MAS/Notices/PDF/MAS-Notice-655.pdf

Updated: November 11, 2019