Banks are lobbying Brussels over a sweeping overhaul of the EU’s privacy rules, which would make it harder for lenders as well as technology groups to collect and keep personal data. Bankers warn that the planned law, which includes the “right to be forgotten” rule that has seen Google forced to remove personal information from its search results at individuals’ request, could make it harder for banks to detect fraud and automatically grant loans, and could hurt online services.
The draft regulations could result in fines of as much as 5 per cent of global turnover for those who breach the new rules.
“There’s a huge amount of concern about what it’s going to mean in practice,” said Peter Gooch, Deloitte’s data privacy expert. “A lot will depend on the extent of enforcement. Under the new regulation the size of fines — 2-5 per cent of global turnover — sounds really scary.”
The European parliament and national governments, which in June agreed the plans that have been recast as the “right to erasure” by EU lawmakers, are pushing to strike a deal by the end of the year. Consumer groups say worries are overblown, and the measures would force banks to behave more responsibly in their collection and use of data.
BEUC, an association that represents national consumer rights groups in the EU, said banks should be more transparent and “curb their appetite for data”, adding that the rules would still let them share information “when there is a legitimate interest for internal administrative purposes”.
Bankers say one of the main concerns is having to get customers’ consent to use their data for purposes beneficial to the bank, a change from the status quo where lenders are allowed to apply a “balance of interest” test on how customer data are used. Currently, if the benefit to the bank from using the data for a specific purpose — such as modelling loan losses or fraud — is greater than the harm to the customer, then the bank can use the data. That test may not be preserved in the updated law.
Angela Teke, managing director for compliance issues at the Association for Financial Markets in Europe, a lobby group that represents lenders including Barclays, BNP Paribas and Deutsche Bank, echoed banks’ fears about restrictions on transferring data outside the EU.
“Current drafting is likely to place businesses in a conflict of law situation with potential serious criminal and/or civil penalties,” she said, adding that the new standards could prohibit international transfers of data even when this sharing is intended to aid the prevention and detection of terrorist financing and other criminal acts.
This claim is challenged by the European Commission, which says that banks will still be able to collect and process the necessary data to comply with other legal obligations, such as measures to tackle money-laundering. Another potential problem for banks is whether they have the mechanisms in place to delete requested customer data. “One of the biggest concerns for banks is, if there is a legitimate request for data to be erased, do they have the mechanisms in place to delete it,” Mr Gooch said, pointing out that data are often held in multiple systems and back-up tapes.
He said the measure had been heavily caveated in the draft regulation, for example so that banks would not have to comply with requests from people who wanted to erase a poor credit history, or who wanted to hide their financial records for nefarious reasons.
The new legislation “will greatly simplify the regulatory environment for banks in the union since one single data protection law will apply across Europe”, said the commission.
Source: Financial Times