In November 1999 the US “Financial Services Modernisation Act” (also known as Gramm-Leach-Bliley (GLB) after its legislative sponsors) was enacted. With this Act the US legislator, especially the US Department of Commerce, intended, amongst other matters, to ease the transmission of personal data between the EU/European Economic Area (EEA) and the USA.
GLB required further regulations regarding the protection and disclosure of consumer financial information with respect to financial institutions not covered by the regulations of other federal or state agencies. On May 23, 2003 these privacy provisions (the Safeguards Rule issued by the United States Federal Trade Commission (FTC)) became effective.
This article considers whether the implementation of GLB meets the requirements of EU data protection law regarding the transfer of personal data to countries outside the EEA, referred to as “third countries” by the European Commission.
II. Legal Framework for the Transfer of Personal Data from the EU/EEA to the USA
Under EU law the transfer of personal data to countries outside the EU/EEA is generally only permitted with the consent of the data subject or if the destination countries provide an adequate level of protection for personal data. The transfer to other third countries is prohibited. This is stipulated in Art. 25 Directive 95/46/EC (Data Protection Directive), a provision that has been implemented into German law by Sect. 4 b para. 2,3 German Federal Data Protection Act (BDSG).
So far US law has not been regarded as providing an adequate standard of protection. The Federal Trade Commission issued the so-called “Safe Harbor” rules in 2000. These rules can be adopted by certain types of organisations (not financial institutions) on a voluntary basis and permit a continuous transfer of personal data from the EU/EEA to the USA. However, only around 300 US companies and other organisations have signed up to Safe Harbor. Consequently, the transfer of data to the USA still faces major obstacles.
III. The Provisions of GLB
GLB applies to institutions in the financial sector. However, it limits a financial institution’s transfer of personal data to third parties only as far as unaffiliated third parties are concerned. The data that is protected is personal, non-public financial information of “consumers” and “customers”. In this context “non-public financial information” means information that a financial institution has a reasonable basis to believe is lawfully available to the general public from one of the following three sources: official records, widely distributed media and public disclosures required by law.
As a general rule financial institutions may not disclose consumers’ non-public financial information to unaffiliated third parties. This applies unless the consumer has been notified prior to the disclosure and has not opted out. In addition, customers must get initial, annual and corrective notices of the institutions’ privacy policies. And finally, financial institutions may not disclose customers’ account numbers to unaffiliated parties for marketing via the telephone, post or e-mail.
However, this rule is rendered ineffective by numerous exemptions. These exemptions apply, for example, to the institutions’ risk and claims management or fraud prevention, to the security or confidentiality of consumers’ records and to resolving consumer disputes or inquiries. Also, amongst others, the financial institutions may disclose the information to persons holding a legal or financial interest relating to the consumer or acting in a fiduciary capacity, and to consumer reporting agencies. GLB does now prevent the re-sale of credit header information (basic information identifying the individual to whom the credit report relates) by consumer reporting agencies to direct marketers and provides for privacy policies for the more than 100,000 businesses to which GLB applies.
IV. Pending Position of the European Commission
By implementing GLB the FTC has now put the question to the European Commission of whether GLB meets the requirements of Art. 25 Data Protection Directive by providing an adequate level of protection for data exported to the US. The Commission’s decision will give a guideline for the national Data Protection Authorities (DPAs) as to how to assess this question in their national jurisdictions.
The European Commission has not yet declared its position. According to the findings of the Article 29 Working Party a two-part analysis must be applied to the adequacy test. Firstly, compliance with the minimum principles of (a) purpose limitation, (b) data quality and relevancy, (c) processing transparency, (d) data security, (e) data access, correction and objection and (f) restrictions of onward transfer, and secondly, whether an effective enforcement regime is provided.
V. The German Law Perspective
As long as the Commission has not come to a conclusion about the question of adequacy the national DPAs will have to assess the protection offered by GLB without a common guideline. Under German law each respective Land DPA is competent. They will apply Sect. 4 b para. 2,3 BDSG that stipulates almost the same wording as Art. 25 Data Protection Directive: “Particular consideration for the adequacy of the afforded level of protection shall be given to the nature of the data, the purpose, the duration of the proposed processing operation, the country of origin, the recipient country and the legal norms, professional rules and security measures which apply to the recipient.” These provisions will have to be interpreted in the light of the test described by the Article 29 Working Party.
The implementation of GLB fails to meet this German law test for several clear reasons. To name some major discrepancies: firstly, as described above, GLB only governs the disclosure of data and does not require notification of how the collector, its affiliates or third parties will use the information. Therefore it does not efficiently tie the collection, processing and use to the purpose and intended use the data subject sets forth. The limitation of the use of personal data is an important principle of German data protection law and is expressly mentioned in Sect. 4 b para. 3 BDSG. Secondly, GLB does not contain clauses on data quality and relevancy. There are no norms for the relevance of the information collected, its currency or reliability. And finally, GLB does not stipulate extensively the data subject’s right to access the data, to rectify inaccurate information and potentially to object to the processing.
For these reasons, it is unlikely that a German DPA will assume that GLB provides an adequate level of protection in the financial sector. Companies transferring personal data from Germany to the USA will still have to adopt the Safe Harbor principles or keep using other adequate safeguards, e.g. the standard contractual clauses of the European Commission. However, in the individual case the DPAs will have to acknowledge that the legislation for the financial sector in the USA has moved towards a stricter regulation.