What Does the GDPR Mean to Your Credit Union?

November 6, 2019 at 8:53 am 1 comment

Greetings, folks.

Since the General Data Protection Regulation took effect in May of 2018, one of the great compliance questions has been: do we or don’t we comply with the GDPR? I’m here to say that I am no longer equivocating on this issue—in my opinion; the GDPR does not apply to your credit union unless your credit union actively solicits members in the European Union.

First, this is one of those instances where I feel compelled to remind you that my blog is my opinion, and not a substitute for the advice of counsel. With that out of the way, I bet you’re all wondering why I feel so dismissive of the GDPR. After all, Article 3 outlining the regulation’s territorial scope makes clear that the regulation applies to an individual citizen who is either a resident or visiting a country within the European Union. It is this broad jurisdictional claim combined with potentially severe penalties for non-compliance which led credit unions to decide to comply with the GDPR, especially when they discovered that they had opened accounts for members of the European Union living in the United States.

Fortunately, I happened to be discussing this very issue with a colleague of mine recently who told me about a recent decision by the European Court of Justice which restricted the reach of the GDPR.

One of the core protections afforded to citizens under the GDPR is the “right to be forgotten.” In the digital context, this means that companies have to be able to remove links to individuals’ who request that their personal information be removed from the web. There are exceptions to this rule, but they are not relevant to this blog discussion.

A case brought against Google involved a French citizen who requested that Google delist him pursuant to the GDPR. In complying with the mandate, Google changed its system so that individual searchers would be sent to search domains corresponding to the location of the search. For example, since the citizen in this case was French, anyone using a Google search engine in the European Union would not be able to find information about him. What Google refused to do was remove information from areas outside of the European Union. In a recent decision, the European Court of Justice ruled that, notwithstanding the broad language of the GDPR, Google’s actions satisfied the requirements of the law. In other words, the GDPR’s reach only applied within the European Union.

If European courts interpret the GDPR as not applying to one of the world’s largest international companies operating outside of the European Union, then clearly, it does not apply to your credit union which, unlike Google, does not operate in Europe.

In addition, this decision was just the latest of recent legal tussles underscoring just how limited the GDPR’s scope is. The Washington Post has a great free website, but if you don’t want the paper to collect your electronic cookies, you have to pay for a subscription. This violates the GDPR, which mandates that individuals have the right to refuse these electronic tracking devices without cost. What did the Washington Post do when it was accused of violating the GDPR? Absolutely nothing. It received a stern warning from Great Britain and went about its business.

Entry filed under: Compliance, Legal Watch, Regulatory, technology. Tags: , , , , , .

Hemp Regulations Bring Banking Issues to the Forefront Jury Decides for USAA in Key RDC Patent Case

1 Comment Add your own

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Trackback this post  |  Subscribe to the comments via RSS Feed

Authored By:

Henry Meier, Esq., Senior Vice President, General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association. In addition, although Henry strives to give his readers useful and accurate information on a broad range of subjects, many of which involve legal disputes, his views are not a substitute for legal advise from retained counsel.

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Join 653 other followers