Data Protection & Data Flow
Common EU rules have been established to ensure that personal data enjoys a high standard of protection everywhere in the EU as this is considered a fundamental right.
New data protection rules aim to ensure that a data subject receives clear, understandable information when their personal data is processed. Where consent is required, it will have to be given explicitly before a company is able to process personal data. The rules will strengthen people's rights in a practical way, recognising the "right to be forgotten", the responsibility of data processors, and easier access by data subjects to the data held about them.
Updated: May 2016
Position
For ESBG it is essential that European legislation does not create an obstacle for Europe's businesses in the area of big data technology. Every day, banks deal with vast - and growing - amounts of data. Savings and retail banks are aware of the responsibility put upon them by the consumer who trusts them with their data. European savings and retail banks face this challenge and traditionally value the sensitive use and transfer of personal client data. Data is needed along the whole transaction chain, from marketing to the assessment of credit risk, as well as to meet legal requirements. Above that, consumers constantly call for an improvement of the customer experience. Those purposes require the use of complex databases and can only be fulfilled when data can flow freely within the same company (parent company and subsidiaries). This includes taking into account the specific organisation of savings and retail banks in some countries. Within these specific structures it needs to be possible to move data from one savings or retail bank to another.
At the same time, clear borders to portability are of utmost importance: for instance, competitors cannot be obliged to provide each other with data which they have collected on their own. A loophole in this regard has just been avoided in the recently-adopted GDPR. Moving client data - a precious source - from one competing bank to another is a touchy point for savings and retail banks. Rules that would oblige competitors to share collected data with each other would violate consumer trust and be poisonous to healthy competition, as well as possibly violating competition law as such.
Regarding profiling and credit scores, there is a need for these to remain part of the lender's assessment toolbox. Scoring is a common procedure used, among other things, to calculate the default risk in lending and to prevent fraud and money laundering. Savings and retail banks carry out sound and responsible lending practices, and this must remain possible. Banks should not be forced to replace those practices with riskier models. In addition, daily banking practices to combat money laundering and fraud should not be hindered, for instance by having to request the data subject's consent when profiling is required by such rules. This should be taken into account by the European Data Protection Board when issuing guidance on profiling.
The data protection package is certainly an important puzzle piece in creating a clear legal framework on data flow in Europe. However, as the data subject is at the centre of this initiative, not all issues around business opportunities and technical aspects of data are addressed. Areas where further clarification through legislation is needed are data portability, usability of data and access to data - all three subjects are relevant for the question of data ownership. Above that, clear legal rules regarding the location of personal data within Europe are essential to foster consumer trust in the use of the cloud. In addition, ESBG calls on the European Data Protection Board when setting up their guidelines after the adoption of the GDPR to ensure a proper and compliant functioning of the financial sector and not hinder common daily practices in the banking business.
Background and state of play
The General Data Protection Regulation was adopted by Parliament on 14 April 2016 and published in the EU Official Journal on 4 May 2016. The GDPR and the accompanying directive enter into force on the 20th day following their publication in the Official Journal. Thus, they will be applicable from 25 May 2018 onwards.
More than four years ago, the European Commission presented its proposals: first, the GDPR, with a focus on the protection of individuals, and second, an additional Directive on Data Protection in the area of law enforcement. After long struggles, the negotiators of the regulation reached an informal agreement on 15 December 2015. Initially, the key players of the agreement announced that the European Parliament as a whole would vote on the data protection package early this year.