It is now just over two months since the EU General Data Protection Regulation(GDPR) came into effect on May 25th 2018. Already, the European Union has seen a marked increase in activism from data subjects across Europe seeking to enforce their newly enhanced data protection rights. With the looming threat of potentially significant fines, there has also been a surge in data breach notifications to EU data protection authorities, as businesses scramble to comply, or come close to compliance, with their new obligations.
Regarded by many as “the world’s most sweeping privacy law,” the new regime has completely overhauled the privacy compliance landscape for companies doing business in Europe.
For the fintech industry, and the financial services industry generally, the GDPR presents a unique set of challenges, as players in the financial services space typically hold and process large amounts of wide-ranging customer data as a core part of their business.
In the list below, we have set out 10 key things that every fintech business – whether based in Europe or not – should know about the GDPR, as well as some practical steps that can be taken to meet and address some of the challenges it presents.
1. GDPR may impact your business even if you do not have physical operations in the EU.
The broad territorial scope of the GDPR means that non-EU fintech businesses (for example, US companies with or without a presence in Europe) who offer any goods or services to, or monitor the behavior of, EU data subjects are required to comply with the new rules.
Determining whether someone is “offering goods or services” to individuals in the European Union comes down to a business’s intention, and whether it is apparent that an offer to an EU-based data subject was envisaged. The mere availability of a business’s website to EU data subjects is not of itself sufficient to establish an intention to offer services to EU users. However, the use of an EU language or currency, the ability to place orders in an EU language and references to EU users/customers, would be indicative of that intention.
The concept of “monitoring behavior” of data subjects includes the tracking of data subjects on the internet. Websites that use tracking cookies and apps that track usage by EU data subjects may be within the scope of the GDPR if the information they collect renders an individual identifiable. This may include the collection of IP addresses, which the European courts have previously confirmed qualify as “personal data.”
2. You must document processes and policies.
The GDPR places an emphasis on accountability. This means that businesses must be able to demonstrate that they have taken the necessary measures to comply with the GDPR. Implementation of data protection-related policies and procedures, carrying out data protection impact assessments (DPIAs), keeping records of processing activities, and training board members and employees will help fintech businesses demonstrate this compliance.
Just like the hackers that may target them, fintech companies must constantly innovate when it comes to data security risk. In this regard, the GDPR requires businesses to review their security measures on an ongoing basis to ensure these measures are sufficiently robust to meet the requirements of the GDPR and any guidance issued by EU data protection authorities.
3. You must have an unambiguous and accessible privacy notice.
Transparency is an overarching principle of the GDPR. The transparency principle requires businesses to provide to their data subjects, at the time of collecting their data, a privacy statement or notice with a detailed list of information about how their personal data will be processed. Fintech businesses will need to ensure that their privacy notices contain the required information and are concise, transparent and easily accessible. This means that a privacy notice should not be buried deep within a website. Instead, it should be immediately apparent to the data subjects where and how they can access the required information. The notice can be provided directly, via a link, with a contextual pop-up attached to an online form, or in an interactive digital context, such as a chatbot interface. The main requirement is that the notice must be accessible and brought to the express attention of the user.
4. You should only process personal data for a specified purpose and on a specified legal basis.
Another key principle under the GDPR that can be particularly challenging for fintech businesses is the purpose limitation requirement. This requirement limits the extent to which personal data can be processed to “specified, explicit and legitimate purposes.” Businesses must inform data subjects of these purposes in their privacy notices and they must stick to them. While further processing for a secondary purpose is not absolutely prohibited, it must be: (1) compatible with the original purpose for which the data was collected, (2) based on the data subject’s consent or (3) processed pursuant to a legal obligation.
Once a company has identified its purpose, it must also decide what legal basis it will be relying on to process the data for that purpose. For fintech businesses, typical legal bases that they might rely on could include: (1) consent (this could be the appropriate legal basis in circumstances in which the fintech company is carrying on direct marketing activities) or (2) contractual necessity (this could be appropriate if a fintech company is processing the personal data of its employees).
Companies must make it clear from the outset what purpose and legal basis they are relying upon for their processing and cannot change their position without providing further notification to their data subjects.
5. If you rely on consent for processing, it must be freely given and unambiguous.
A well-discussed aspect of the GDPR is the introduction of stricter requirements for consent to be deemed valid. The GDPR requires consent to be freely given, specific, informed and unambiguous. To give a valid consent, there must be a clear affirmative action (i.e. no pre-checked boxes), and it must be easy to withdraw consent at any time. Fintech businesses will need to review their consent mechanisms (if they are relying on consent as a legal basis for processing) to ensure they comply with the GDPR. They should consider whether consent is the appropriate legal basis for the processing of the data in the first place, or whether there may be a better alternative, such as legitimate interests, compliance with a legal obligation or contractual necessity. The GDPR makes it clear that a request for consent cannot be bundled up as a non-negotiable part of terms and conditions, but rather must be clearly separate, distinguishable and independent from the rest of the terms.
Valid consent under the GDPR has been the cause of some confusion in the financial services sector already. For example, the European Data Protection Board (EDPB) recently had to clarify whether processing of personal data of “silent parties” is legitimate in the context of electronic payment transactions (i.e. where data subject A uses the services of a payment provider to transfer money to data subject B, without data subject B having a contractual relationship with the payment provider). The EDPB has helpfully clarified that processing silent party data in those circumstances could be lawful on the “legitimate interests” legal basis.
The financial services sector is increasingly using biometric identification, such as fingerprint ID, eye-scanning, and facial recognition to simplify password management and provide a smooth authentication process. Biometric data used for the purpose of uniquely identifying an individual constitutes a “special category” of personal data under the GDPR (i.e. it is considered sensitive data). In addition to having the data subject’s explicit consent (or other limited applicable legal bases) to process biometric data, it is essential that fintech companies implement the appropriate technical and organizational security measures to protect the apps and systems that support biometric identification. While the use of biometric identification is rapidly gaining momentum, it is also an area that is increasingly being targeted by cyber criminals, and therefore also likely to be an area of focus of regulation by data protection authorities.
6. Customers have new and enhanced rights, including the “right to be forgotten” and the right to data portability.
The GDPR provides data subjects with much stronger rights, including an enhanced right to erasure of their information and new right to data portability, both of which pose particular challenges for the financial services and fintech sector.
The right to erasure (otherwise known as “the right to be forgotten”) gives data subjects the right to require their data be erased. It is exercisable, for example, when a data subject’s personal data are no longer necessary in relation to the purposes for which they were collected, or when a data subject withdraws its consent or objects to the processing. The right may be refused by a data controller only in limited instances.
One area where the right to be forgotten has come into particular focus is in the blockchain space. Blockchain technology is inherently in conflict with the GDPR’s right to be forgotten, as one of blockchain’s core attributes is its immutability. While information cannot typically be erased from a public or open blockchain, developers are constantly working on new ways to apply the technology without falling afoul of the GDPR. No perfect solution has emerged to date.
The new right to data portability offers data subjects the opportunity to seamlessly switch service providers. It enables individuals to receive back the personal data they provided to a data controller, in a structured, commonly used, and machine readable format. It applies when processing is carried out by automated means, and is based on a data subject’s consent or contractual necessity. Data considered to have been ‘provided’ by the data subject include not only data that a person has actively shared with the controller (such as in online forms), but also personal data generated by a data subject’s activity (such as a person’s account activity, search history, traffic and location data). It does not however extend to data generated by the controller (such as a credit score given by a financial institution).
Other rights of data subjects that companies should be aware of include: (1) rights of access; (2) the right to rectification of incorrect data; (3) the right to object to, or request restriction of, processing; and (4) the right not to be subject to automated decision-making, including profiling. Fintech businesses and their technology must be capable of reacting to all of these rights, or they may find themselves subject to complaints.
7. You must integrate privacy into your company’s technology and systems from the outset.
The GDPR requires organizations to adopt a “privacy by design” and “privacy by default” approach to data protection. “Privacy by design” effectively means that businesses need to embed data privacy into their technology and data processing systems and ensure that data privacy is taken into consideration before data processing takes place, rather than as an afterthought. Even if, as an afterthought, it turns out that the company has in fact complied with the GDPR, it must offer proof that it had considered the GDPR requirements in advance. Companies must also take measures so that, by default, they only collect, process, store and access the minimum amount of personal data.
Businesses must also implement appropriate technical measures (e.g. firewalls, antivirus software and encryption) and organizational measures (e.g. training and non-disclosure agreements) to ensure a level of security appropriate to the risks that their data processing presents. These measures should include, where appropriate:
- Pseudonymization (i.e. masking of data by substituting a name with an artificial identifier, such as an ID number) and encryption of personal data;
- The ability to ensure the ongoing confidentiality, integrity and resilience of processing systems;
- The ability to restore availability and access to personal data in the event of a physical or technical incident; and
- Regular monitoring and testing of security measures.
While the GDPR recognises that pseudonymization is a good security measure, pseudonymized data still constitutes personal data if the pseudonym can be attributed to a specific individual with the use of additional information. In those circumstances, businesses must continue to comply with the GDPR in regard to such data, even if it has been pseudonymized.
8. You must review and update third party partner contracts.
Article 28 of the GDPR requires a business that engages a processor (i.e. any partner or service provider) to process personal data on its behalf to have a written contract in place imposing certain mandatory contractual obligations on the service provider. Fintech businesses must review their contractual arrangements with third-party partners or service providers to ensure they meet these requirements.
The GDPR expressly provides that parties may be entitled to recover from each other that part of the compensation paid to a data subject which corresponds to their responsibility for the damage suffered. It is vital in that context that data protection-specific indemnity and liability provisions are agreed with third-party partners and service providers to ensure appropriate risk allocation. The GDPR also gives data subjects a new right to recover for financial or non-financial loss (i.e. damages for distress). This is a material shift from the pre-GDPR legal landscape, when non-financial damages were not always recoverable.
9. You must notify relevant EU authority of breaches within 72 hours.
The new data breach notification obligation is the requirement that probably received the most international press coverage leading up to the introduction of the GDPR. A new mandatory obligation was imposed at European level, requiring data controllers to notify relevant data protection authority of personal data breaches within 72 hours of becoming aware of the breach. Individuals must also be notified in certain circumstances.
In a number of recent high profile data breaches, some companies involved in the breaches have, for various reasons, delayed weeks and even months before notifying authorities and the public of the breach. In a post-GDPR world, these kinds of delays could lead to the imposition of very serious sanctions, including significant fines (see below), if EU citizens are impacted by the breach.
Given the potentially severe penalties at stake for non-compliance, fintech businesses should ensure that they have a data breach response procedure in place so that they can manage, contain and respond to breaches quickly. Companies are also under a mandatory obligation to keep a record of all data breaches, irrespective of whether they need to be reported.
10. The potential sanctions for non-compliance are severe!
The penalties for non-compliance with the GDPR are severe and include fines of up to €20 million or four percent of annual group global turnover (i.e. global revenues).
EU data protection authorities have indicated that in determining whether sanctions should be imposed on an organization for an alleged infringement of the GDPR, relevant factors they will take into account will include: (1) the ongoing state of health of the organization’s GDPR compliance program, (2) the organization’s genuine commitment and demonstration of best efforts to meeting its GDPR obligations, (3) the scale and impact of any infringement that may arise, (4) whether the organization was negligent or wilfully in breach and (5) the organization’s readiness to engage openly and transparently with both the relevant authority and the individuals whose data it processes.
The Fintech Sector in a Post-GDPR World: What’s Ahead?
There is currently no equivalent regime to the GDPR at federal level in the US. However, the SEC recently issued guidance on how public companies should disclose breaches and risks. At state level, most states have local laws governing data breaches and notifications. However, for the most part, these laws are limited in scope and do not appear to be nearly as far-reaching as the GDPR.
California recently bucked this trend by passing the California Consumer Privacy Act of 2018, which will come into effect on January 1, 2020. This legislation, which has been described by many as “sweeping”, introduces a comprehensive privacy regime for California, which will give Californian residents more control over the information businesses collect on them, and impose new requirements and prohibitions on businesses. The new Californian regime has a number of broad similarities with the GDPR, and some commentators have even suggested that the Californian legislation may go further than the European regime in some respects. Given the large number of fintech companies that are headquartered and/or have significant operations in Silicon Valley, this move by California will provide additional incentives for fintech companies to pay close attention to data privacy laws and to implement effective data protection programs.
The ability and capability to freely process personal data is key to almost every fintech business. From personal identification documents obtained through mandatory know-your-customer processes, to sensitive personal financial information, the depth and range of personal data that fintech businesses may obtain and hold is vast. Achieving compliance with global data protection requirements may be particularly challenging for the fintech sector in that context.
Despite these challenges, it is in every fintech company’s best interests to take active steps to ensure that it has a clear and effective data protection compliance program in place. With the potentially severe penalties at stake under the GDPR, as well as the increased emphasis globally on better data protection standards, the possible consequence of non-compliance with international data protection laws is, in a post-GDPR world, more than just a slap on the wrist.
Gina Conheady is a Partner in the Corporate and M&A practice and Head of A&L Goodbody’s San Francisco Office. Gina advises US companies on EU and Irish corporate law, with a principal focus on international expansion, cross-border mergers and acquisitions, international corporate reorganisations and corporate governance. Gina works with a wide range of Technology, Biotech and Fintech clients and is also a member of the firm’s Fintech and Life Sciences Groups.
John Whelan is a partner and head of the Commercial & Technology Practice at A&L Goodbody. His practice covers a wide range of technology and IP focussed commercial transactions and data protection law. He is also a member of the firm’s Fintech Group.