How does the regulation of data in your jurisdiction impact on the provision of financial services to consumers and businesses?
With the implementation of the General Data Protection Regulation (GDPR) in the European Union and the pending implementation of PIPA in Bermuda, organisations in the financial services sector have been striving to ensure compliance with data regulations in Bermuda. PIPA delineates conditions required to be met in order for an organisation to use personal information, as well as the obligations of an organisation’s privacy officer for compliance purposes. PIPA was purposely drafted to ensure that it meets the criteria required for international transfer of data under the GDPR, such that overseas financial companies can allow personal data to flow between EU member states and Bermuda without additional conditions, provided that Bermuda obtains adequacy with the EU.
Due to come into effect in January 2019, the Data Protection Law (DPL) will regulate the future processing of all personal data in the Cayman Islands. The DPL provides a framework of rights and duties designed to give individuals greater control over their personal data. Personal data refers to any information relating to an identified or identifiable natural person.
The DPL applies in respect of personal data to any data controller of an entity:
- established in the Cayman Islands, where the personal data is processed in the context of that establishment; or
- not established in the Cayman Islands, where the personal data is processed in the Cayman Islands other than for the purposes of the data’s transit through the Cayman Islands.
The DPL was drafted with the specific aim of achieving adequacy status in the eyes of the EU to allow personal data to flow freely between EU member states and the Cayman Islands without additional mechanisms being put in place.
The General Data Protection Regulation 2016/67 (GDPR) has been directly applicable in Cyprus since 25 May 2018. GDPR attaches to the processing of personal data by ‘controllers’ or ‘processors’ and applies to all such persons established in Cyprus and the EU. Personal data refers to any information relating to an identified or identifiable natural person. A business which works with corporate entities may still be processing data relating to individuals within those corporate entities. By way of example, employee details and the names or emails of individuals within corporations can constitute personal data.
GDPR is consequently a pervasive legislative framework for the provision of financial services to consumers and business in Cyprus.
Financial businesses, as well as any other businesses in Denmark, are subject to the provisions of the Danish Data Protection Act, which implements the EU's General Data Protection Regulation (GDPR). In addition, Denmark has a special domestic gold-plated payment data regime, pursuant to which the processing of payment data is prohibited and only allowed in certain situations. The limitation on processing of payment data applies to all businesses in Denmark, but its real impact is on fintechs and other providers of payment services.
Payment data are defined as person identifiable data connected to a payer’s use of a payment service, the type of the payment service used (credit card) and the object(s) purchased using the payment service. Depersonalised data do not constitute payment data or personal data, and are therefore not covered by the Payments Act (or personal data laws).
Payment data which are not collected via a payment service, but for example via a loyalty programme, are not covered by the definition of payment data to the extent that the data are collected as a clearly separate function and thereby independently of a payment service. Loyalty programmes will meet these requirements when the processing of the data relating to the use of the payment service on the one hand and the product/service purchased on the other takes place in separate data flows.
Pursuant to the Payments Act, a business shall only process payment data in connection with (i) implementation or correction of a payment transaction; (ii) provision of a service directly aimed at the consumer; or (iii) depersonalisation of payment data. Moreover, a business must obtain prior explicit consent from a consumer if it intends to process payment data in connection with the provision of a service which is directly aimed at the consumer.
Services directly aimed at the consumer are services which the consumer has actively requested to receive/use, for instance concerning:
(i) Overview and categorisation of consumption
(ii) Budget planning
(iii) Payment reminders
(iv) Discount and loyalty programmes
(v) Automatic reporting to public authorities of charity donations.
Therefore, it is possible to use payment data with the consumer’s consent for individual marketing aimed at the consumer. It is not, however, possible to fix individual prices or terms to the consumer based on the payment data - so-called individual price discrimination.
The EU General Data Protection Regulation (2016/679), known as the GDPR, became applicable on 25 May 2018. The GDPR aims to harmonise European data protection legislation, and the Finnish legislators respect that aim. As financial information can easily be linked with the individual from whom the information is generated, personal data processing plays a big role in fintech services.
Most importantly, personal data may be processed only for a specified and lawful purpose. In accordance with the "privacy by design" principle, all processing activities should be planned in advance. This is relevant not only from a compliance perspective, but from a business perspective, too. When personal data is collected for a certain purpose, the controller (i.e. the service provider) is bound by that purpose. Other business opportunities that are discovered later may prove to be impossible from a legislative perspective if they were not taken into account when the processes were planned.
Some areas of processing of personal data, such as processing of employee personal data and processing of communications data, are regulated on a national level and subject to stricter requirements than those in many other countries, even other EU Member States. In addition, the bank secrecy rules, as applicable, restrict the disclosure of financial information of private persons.
Personal data processing legislation is often seen as the biggest restriction for data driven innovations, but, although it does bring about some restrictions, it also creates new business opportunities and enables the use of personally identifiable data, provided that the service provider knows the relevant rules and complies with them.
Overall, these matters are governed by Regulation (EU) 2016/679 dated 27 April 2016 (General Data Protection Regulation). The aim is to harmonise the different European legal frameworks for the protection of personal data, so that there is only one framework that applies to all the Member States of the European Union. The French “Commission Nationale de l'Informatique et des Libertés” (CNIL) is competent regarding data privacy issues and the protection of personal data, regardless of who is dealing with it (administration, company, association, etc.). The CNIL is informed of the data processing methods used by controlled entities and shall grant an authorisation for these methods. The CNIL also disseminates information to customers and has the power to lead investigations and issue sanctions. It is notably competent for biometric data, which is considered personal data under French law.
The current regulation aims to strengthen the rights of users and thus to promote trust. Fintechs benefit from this regulation, which imposes obligations on them but increases the confidence of the French in the services proposed by Fintechs. Generally, this regulation sets up a number of protections. For example, companies must first obtain the written and explicit consent of the user before any processing of personal data.
It also gives a "right to be forgotten", to obtain the withdrawal or deletion of personal data in case of invasion of privacy; the right to data portability, to be able to move from one social network to another, from one Internet service provider to another or from one streaming site to another without losing one's information; and the right to be informed in the event of a data breach.
The European General Data Protection Regulation (“GDPR”), which came into force this year and which especially regulates the collection, the storage, the modification and the transfer of personal data, has forced the financial services industry to put more attention to their handling of data, as non-compliance with the GDPR can lead to severe fines.
The General Data Protection Regulation 2016/679 applies, as in the other Member States of the European Union (‘EU’), to the processing of ‘personal data’ - it builds upon Gibraltar’s Data Protection Act 2004 which was designed to implement the Data Protection Directive 95/46/EC. The impact is therefore comparable to that of the other Member States of the EU.
The regulation of data under Maltese law reflects the provisions of the General Data Protection Regulation (“GDPR”), which has recently introduced more stringent requirements in relation to the consent which must be provided by data subjects. Consent based on mere acquiescence or lack of action is no longer valid for data protection purposes. Under GDPR, consent must be given by a clear affirmative act “establishing a freely given, specific, informed and unambiguous indication of the data subject’s consent to the data processing activities.” The regulation further clarifies the rights of data subjects, while introducing new rights, such as the right to be forgotten and the right to data portability. Consequent to GDPR, firms in the financial services industry, as data controllers and processors, are now faced with more onerous obligations. Businesses in the insurance sector have to be cautious that any location data collected in car insurance will fall within the scope of the said regulation. In terms of enforcement, GDPR, besides exponentially increasing the amount of the fines issued and widening the scope thereof, further provides the data protection authority in Malta with additional investigative powers.
Privacy laws apply to the provision of financial services. The applicable legislation protects private individuals and requires obtaining the informed consent of the applicable subject before personal information can be collected, saved or used. A person’s financial situation constitutes “sensitive information” under Israeli legislation, which is subject to a higher degree of protection, but neither the legislator nor the state agency charged with its interpretation and implementation have provided any specific instructions or directives with respect to the provision of financial services.
Moreover, the banking sector is subject to additional requirements (including with respect to information security and banking confidentiality) on account of banking legislation and applicable regulation. Similarly, legislation also imposes various obligations on credit providers when checking the central credit database managed by the BOI, such as obtaining the explicit consent of the data’s subject.
The Act on the Protection of Personal Information (the “APPI”) is a principle-based regime for the processing and protection of personal data in Japan. The APPI generally follows the eight basic principles of the OECD Guidelines on the Protection of Privacy and Transborder Flow of Personal Data. The Act is applicable to all private businesses, including Fintech. Based on the requirements of the APPI, each governmental ministry issued administrative guidelines applicable to the specific industry sectors under its supervision. Fintech businesses must comply with the “Guidelines on Personal Information Protection” that are relevant to the financial services industry.
The Data Protection Law applies to private parties, whether individuals or private legal entities, that process personal data, with the exception of:
A. Credit reporting companies, and
B. Persons carrying out the collection and storage of personal data that is exclusively for personal use.
Therefore, the Data Protection Law and its regulations are unquestionably applicable to financial services entities (including Fintech institutions) in control of personal and financial data, which must adhere to the principles of legality, consent, notice, quality, purpose, fidelity, proportionality and accountability in terms of the Data Protection Law.
British Virgin Islands
At present, the BVI has no direct data protection legislation which would impact on the provision of financial services to consumers and businesses. However, legislation has been drafted and is expected to be implemented in the territory soon. In the meantime, the EU General Data Protection Regulation (the GDPR) may apply to businesses, as it applies to the processing of personal data outside the EU by controllers/processors established in the EU, regardless of whether the actual processing takes place in the EU. The GDPR also applies to the processing of EU data subjects’ data by non-EU controllers/processors, where the processing activities are related to the offering of goods or services (including over the internet) or the monitoring of behaviour. Hence, certain corporate groups/service providers based in offshore jurisdictions such as the BVI will need to take care that data processing globally meets EU standards.
SSEK: The wide net cast by the current Indonesian data protection regime does little to address sensitive issues specific to fintech. While several regulations pertaining to financial institutions attempt to provide further requirements for data protection, no more onerous specifications are given in those specific regulations than those already established in general personal data protection regulations. These general personal data protection regulations are Law No. 11 of 2008 regarding Electronic Information and Transactions, as lastly amended by Law No. 19 of 2016 and its implementing regulations, e.g., Government Regulation No. 82 of 2012 regarding the Provision of Electronic Information and Transactions, and Minister of Communication and Informatics Regulation No. 20 of 2016 regarding the Protection of Personal Data in Electronic Systems (together, the “PDP Regulations”). As the requirements set forth in the PDP Regulations are relatively standard, e.g., the requirement of consent to handle any personal data, they do not have a significant impact on the provision of financial services to consumers and businesses.
There are no fintech-specific data laws, but as fintech businesses regularly collect, control and process vast amounts of data (including personal data), they are subject to data protection rules (namely the General Data Protection Regulation – “GDPR”). The GDPR applies not only to Fintech companies established in the EU but also to companies established outside the EU where they have European customers.
In general, the processing of personal data requires the customer’s express and prior consent, which data controllers must obtain, along with other onerous accountability obligations to evidence compliance.
These data protection rules are complemented by bank secrecy and AML rules, where the Portuguese approach tends to be conservative and considers that all personal data processed by a bank is subject to bank secrecy. In fact, disclosure of clients’ personal data protected by bank secrecy (including cross-border transfers) is permitted only with prior customer consent or, namely, if the processing is necessary to comply with a legal obligation to which the data controller is subject (as is the case with anti-money laundering reports).
Notwithstanding the above, Portuguese legislation executing the GDPR is currently in preparation and may bring some additional adjustments or restrictions to the rules set out in the GDPR. A Regulation on the free flow of non-personal data is also under discussion within the EU Digital Single Market, in order to remove all disproportionate restrictions on the movement of data across Member States and IT systems in the EU. Together with the GDPR, this Regulation intends to ensure a comprehensive and coherent approach to the free movement of all data in the EU.
All 50 states have data breach notification laws that require notice to affected persons and remedial activities. The State of California recently enacted the California Consumer Privacy Act, regulating the collection, storage and processing of personal data.
Even where there are no substantive requirements regarding the processing of personal data, companies must comply with their own stated data privacy policies, or may be subject to enforcement actions by the FTC under its general §5 jurisdiction to prohibit unfair and deceptive business practices.
The impact of data regulation varies depending on the location of the provision of financial services.
The mainland of the UAE does not have any principal data protection legislation existing in its own right. Data privacy and protection is addressed across a number of separate regulations not specifically focused on data protection.
With respect to the provision of financial services, the 2017 Regulations prohibit the offshoring of data and ban the outsourcing of certain functions to offshore locations, including the storage or making available of consumer and transaction data.
Financial Free Zones
In the DIFC, the DIFC Law No. 1 of 2007 and DIFC Data Protection Regulations govern the protection of data. In the ADGM, the Data Protection (Amendment) Regulations 2018 and Data Protection Regulation of 2015 govern the protection of data.
Each Financial Free Zone has issued its own list of jurisdictions to which the transfer of personal data is permitted. With respect to jurisdictions not included in the list, each Financial Free Zone permits the transfer of personal data to such jurisdictions on the condition that certain requirements are fulfilled, e.g. obtaining the consent of the competent authority or the data subject.
Despite the lack of open data in the payment industry, it is possible to operate a digital bank in Ukraine as a sub-brand of an institutional commercial bank. At the same time, B2C digital services may be provided through a convenient web platform, with the back-office functions performed on the model of a traditional bank. There are examples of similar fintech start-ups doing business successfully in Ukraine.
Swiss banking secrecy continues to be an important element of providing financial services in Switzerland. Although Switzerland has introduced the Automatic Information Exchange (AIA) with a great number of other countries and opened up its banks to direct inspections by foreign regulators (in addition to the normal routes of judicial assistance), client data secrecy is still taken seriously. There is no automatic reporting of client data to state authorities (outside of the AIA). Secrecy provisions include art. 47 Banking Act (the well-known banking secrecy), similar provisions in the Stock Exchange and Collective Investment Schemes Acts, rules in the Civil Code and in the Code of Obligations, and provisions in the Criminal Code and in the Data Protection Act. A peculiarity of Swiss data protection law is that it not only protects natural persons but equally applies to legal entities, which is why data transfers even into the EU may be subject to limitations.
Data is heavily regulated in banking and financial institutions; hence banks and financial institutions have strict confidentiality and security obligations with respect to consumer and banking data. In addition, the RBI has recently, in April, issued a Notification under the PSS Act mandating a data localisation requirement for payments information. The Notification states that “complete end to end transaction details including information collected, carried or processed as part of the message or payment instruction, to be exclusively stored in a server/system only in India”. Only the storage abroad of a ‘foreign leg’ of a transaction will be permitted. This is likely to require significant investments in local data centre capacity, especially by foreign payment service providers.
The main piece of legislation around data is the General Data Protection Regulation (GDPR), which has been incorporated into UK law as the Data Protection Act 2018 (DPA). As in other jurisdictions within the European Union, the GDPR is an evolution of the previous legislation around data protection and in many ways codifies and puts on a mandatory footing what was already best practice in relation to the treatment of personal data. The scope of data covered by the GDPR is broader than under the previous legislation, in ways that are likely to be relevant for a number of fintech business models. For instance, GDPR explicitly includes biometric data within the scope of the “personal data” it governs, which is likely to be of relevance to those providing identity verification or authentication services. It also includes location data, which may well be relevant to fintech providers that are operating mobile-based services.
Among the many other obligations emanating from GDPR around the treatment of personal data, some of the most important for early-stage fintechs to consider are the obligations in Article 25 around data protection by design and by default. These entail building systems and processes in a way that integrates data protection principles as a matter of technical architecture and process management. One aspect of this is ensuring that personal data is stored in such a way that it is only seen by people who really need to see it, using techniques such as data minimisation and pseudonymisation, meaning that having one single repository of all customer data is unlikely to be acceptable. Existing large organisations, both within and outside the financial services arena, have had to put a large amount of effort into complying with these requirements; new fintechs have an opportunity to get this right from the outset.
Another key focus of GDPR is transparency and accountability. This means that organisations handling personal data have to be very explicit and clear with their customers and their employees about the personal data they are collecting and how they are using it, and have to keep clear records of the same. There are also obligations to include in contracts with data processors (for instance subcontractors for IT services) specific obligations that are designed to draw out the detail around the treatment of personal data in the contractual arrangement, in a way that will help to ensure compliance with data protection principles. Organisations which carry out certain types of processing activities are also obliged to appoint a data protection officer who is responsible for monitoring the organisation’s compliance with data protection principles.
As the GDPR is EU-focused legislation, any entity transferring personal data outside the EU will need to apply additional protections to that data. This can take the form of, for example, mutual contractual obligations between the transferring and receiving parties. The use of cloud providers, third-party hosting platforms and data centres is just one example of where personal data is commonly transferred and stored outside the EU.
The GDPR also places restrictions and obligations on entities using personal data for the purpose of profiling data subjects or making solely automated decisions about them. Profiling and automated decision making can only be carried out in certain circumstances, and data subjects have additional rights in relation to this type of processing, such as the right to object and the right to have any such decision manually reviewed. Technology involving big data, artificial intelligence and machine learning frequently involves profiling and/or automated decision making.
One other area of GDPR which is potentially a great advantage in fintech is the new set of obligations which empower individuals whose data you are holding (“data subjects”) to transfer the personal data you hold about them electronically to another service provider. These “data portability rights” can be very useful for a data-driven fintech company, as they may enable it to some extent to get hold of data collected in the context of other services that might otherwise not be obtainable – in many ways this is a broad data access right that is similar in principle to open banking (see answers to question 4 above). Fintechs planning to transfer or store personal data outside the European Economic Area should be aware of the strict requirements in doing so.
The data protection and privacy regulator in the UK, responsible for enforcing GDPR and the DPA, is the Information Commissioner’s Office (“ICO” – not to be confused with “initial coin offerings”). As with all European privacy regulators, the ICO is empowered to conduct investigations into the application of GDPR, and impose fines or restrictions on processing. The fines for the most serious breaches can be up to EUR 20m or 4% of worldwide turnover; however, most fines are likely to be significantly less than this.
It is worth noting that the above areas of data regulation apply to individuals’ personal data, and while this will cover many of the types of data relevant to fintech, it does not cover everything. For instance, while the laws around open banking refer across to GDPR, the payment account data that they govern will in many cases fall outside the personal data regime, as is the case with much of the payments and finance data of small businesses. There are also other areas of financial services where non-personal data is regulated by different regimes, such as the EU Benchmarks Regulation, but these are more niche in their application.
The use of data in the payment industry is currently a hot topic in the Netherlands. Data relating to payments is becoming increasingly important and its use is growing rapidly. 2018 is also the year in which the GDPR and the PSD2 put the use of data in payments in the spotlight again.
The GDPR directly applies in the Netherlands and sets the rules regarding the use and processing of personal data. Banks and payment institutions need to comply with these rules. The PSD2 requires, as an additional condition, that a payment service user provide its ‘explicit consent’ to a third-party service provider before this party is allowed to lawfully process personal data relating to payments. The data protection provisions under the GDPR and the PSD2 together provide for the regulation of data in payments.
One of the reasons why the implementation of the PSD2 has been seriously delayed relates to ongoing discussions as to which regulator was to supervise ‘explicit consent’: DNB or the Dutch Data Protection Authority (“AP”). It has now been decided that the AP will supervise this regulatory requirement. Nevertheless, both regulators have stated that the exact interpretation of ‘explicit consent’ in practice will be jointly designed by DNB and the AP.
The regulation of data has a huge impact on financial service providers. The PBOC created a broad legal concept of individual financial information, which covers virtually all the information collected by banking institutions in the course of their banking services with individual customers. Financial institutions are not allowed to transmit, store, process or analyse outside of China any of the individual financial information collected within China. Financial institutions must not sell individuals’ financial information, provide it to a third party without the consent of the customers, or use it for non-banking services purposes.