Do Europe’s Data Protection Laws Apply To Your Credit Union?

December 14, 2017 at 9:33 am 2 comments

Image result for european commission flagThat is the question an increasing number of credit unions have been asking the Association lately. But before I answer the question I want to set a few things straight.

First, the purpose of this blog is not to make compliance officers break in to a cold sweat, drop everything they are doing and curse European integration. It is simply to provide very high level background and encourage those of you who may be directly impacted by Europe’s pending regulations to do additional work.

Second, remember that, while I strive to provide my faithful readers with the best advice I can, this blog is no substitute for seeking out your own attorney who’s aware of the unique needs of your institution.

Yeah, yeah, yeah, Henry. Now do Europe’s data protection laws apply to my credit union? The answer is it depends on how much interactions your members have with European Union countries, the type of banking services you offer, where you store your data and what exactly you do with it. Simply put, for the United Nations Credit Union, this is a big deal. For a small credit union in Jamestown, there are a million better things to worry about. Here’s some background:

In April of 2016, the European Commission adopted greatly enhanced data protection requirements called the General Data Protection Regulation (GDPR). The regulations are designed to increase (1) Data portability – which generally means giving consumers the ability to more easily transfer their personal data from one institution to another. (2) Give consumers enhanced ability to know how their information is being used and (3) Enhance the “right to be forgotten,” which generally means mandating that companies such as Google and Amazon have the ability to remove information from the web at a member’s request. To accomplish this goal, companies that do business in the EU must demonstrate how they are going to comply with these requirements and comply with much stronger member consent mandates than we use here in the states before sharing data. Finally, they must be prepared to report data breaches within 72 hours. To accomplish all these goals they must appoint a Data Protection Officer. All this kicks in officially in May 2018.

Here’s the part that has credit unions concerned. Article 3 of the regulation stipulates that it applies “to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union.” As drafted, the regulation applies not simply to companies located in the European Union but to companies outside the European Union that are processing information on behalf of persons in the EU. In other words, if you have a member traveling or working in the European Union who utilizes your credit union, this regulation arguably applies to your institution. This is not simply the analysis of a paranoid compliance lawyer; European regulators have said that one of the purposes of these regulations is to establish international data protection standards.

What makes this jurisdictional hook even more intriguing is that American regulators, specifically the FTC and the CFPB, seem anxious to see how they can incorporate GDPR principles into the American regulatory framework. For example, in October the CFPB finalized privacy principles which legal commentators were quick to point out were suspiciously similar to the concepts embedded in the GDPR. The FTC was even more forthright. For example, in this January 2016 speech, Julie Brill of the Federal Trade Commission explained “the GDPR is not a purely European document. Some of the key substantive provisions of the GDPR have roots in U.S. privacy law and policy. And some of the big questions left open in the GDPR that the Europeans will have to grapple with over the coming years are questions that we have been grappling with here in the U.S. for some time.”

So what, if anything, should your credit union do to prepare for this new regulatory framework which takes effect in May 2018? I’ll offer some thoughts on that question in tomorrow’s blog. In the meantime, here is a comprehensive analysis performed by the World Council Of Credit Unions. Michael Edwards and all were extremely helpful in helping me with my research.

Entry filed under: Compliance, Regulatory. Tags: , , , .

CUNA Slams “Unconstitutional” Appointment 7 Things You Need To Know On Friday

2 Comments Add your own

  • […] of my blog that’s going to drive people nuts. On paper the answer is yes. As I explained in a previous post, Article 3, paragraph 1 of the Regulation stipulates that it applies to “the processing of […]

  • 2. Karen  |  July 7, 2021 at 11:50 pm

    Is Google up to scratch with her content updating and reliability? She often leaves dangerous content online for no good apparent reason which can be irresponsibly deleted or remove or otherwise circulated to the harm of others and worse be down loaded and used indiscriminately for criminal purposes. Why is Google still being allowed to function after having even so negligent of her duties as a trusted IT company for so many decades and she doesn’t even know about her moral obligations on the internet and the dangers of letting unwanted or useless content lying around in cyberspace and has become decayed trashed material that can be radioactive in so many ways.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Trackback this post  |  Subscribe to the comments via RSS Feed

Authored By:

Henry Meier, Esq., Senior Vice President, General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association. In addition, although Henry strives to give his readers useful and accurate information on a broad range of subjects, many of which involve legal disputes, his views are not a substitute for legal advise from retained counsel.

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 757 other followers


%d bloggers like this: