
What Does the GDPR Mean to Your Credit Union?

Greetings, folks.

Since the General Data Protection Regulation took effect in May of 2018, one of the great compliance questions has been: do we or don’t we comply with the GDPR? I’m here to say that I am no longer equivocating on this issue—in my opinion, the GDPR does not apply to your credit union unless your credit union actively solicits members in the European Union.

First, this is one of those instances where I feel compelled to remind you that my blog is my opinion, and not a substitute for the advice of counsel. With that out of the way, I bet you’re all wondering why I feel so dismissive of the GDPR. After all, Article 3 outlining the regulation’s territorial scope makes clear that the regulation applies to an individual citizen who is either a resident or visiting a country within the European Union. It is this broad jurisdictional claim combined with potentially severe penalties for non-compliance which led credit unions to decide to comply with the GDPR, especially when they discovered that they had opened accounts for members of the European Union living in the United States.

Fortunately, I happened to be discussing this very issue with a colleague of mine recently who told me about a recent decision by the European Court of Justice which restricted the reach of the GDPR.

One of the core protections afforded to citizens under the GDPR is the “right to be forgotten.” In the digital context, this means that companies have to be able to remove links to individuals who request that their personal information be removed from the web. There are exceptions to this rule, but they are not relevant to this blog discussion.

A case brought against Google involved a French citizen who requested that Google delist him pursuant to the GDPR. In complying with the mandate, Google changed its system so that individual searchers would be sent to search domains corresponding to the location of the search. For example, since the citizen in this case was French, anyone using a Google search engine in the European Union would not be able to find information about him. What Google refused to do was remove information from areas outside of the European Union. In a recent decision, the European Court of Justice ruled that, notwithstanding the broad language of the GDPR, Google’s actions satisfied the requirements of the law. In other words, the GDPR’s reach only applied within the European Union.

If European courts interpret the GDPR as not applying to one of the world’s largest international companies operating outside of the European Union, then clearly, it does not apply to your credit union which, unlike Google, does not operate in Europe.

In addition, this decision was just the latest of recent legal tussles underscoring just how limited the GDPR’s scope is. The Washington Post has a great free website, but if you don’t want the paper to collect your electronic cookies, you have to pay for a subscription. This violates the GDPR, which mandates that individuals have the right to refuse these electronic tracking devices without cost. What did the Washington Post do when it was accused of violating the GDPR? Absolutely nothing. It received a stern warning from Great Britain and went about its business.

November 6, 2019 at 8:53 am

California Dreaming? Why and What You Should Know About CA’s Privacy Law and Regulations

The most important regulation that is out for comment right now is not being promulgated by the federal government or New York State. Instead, it is the set of regulations proposed by California to implement the California Consumer Privacy Act of 2018 (CCPA).

To be clear, assuming you are not a California credit union or dealing with California consumers, you can go about your day happy with the fact that there is actually a state that imposes even more onerous mandates on its businesses than New York. That being said, there isn’t a compliance person, IT professional or lawyer working with businesses or financial institutions today that shouldn’t be aware of the steps California has taken to give consumers greater control of their personal online data. We are all going to have to comply with similar frameworks sometime in the future, and my guess is that future is coming sooner rather than later.

So what is the CCPA? It is a comprehensive statute which gives California residents the right to know what private information of theirs is being collected by businesses, as well as to give consumers the right to forbid businesses from selling this information to third parties. It also gives consumers the right to demand that their information be deleted, although there are exceptions to this requirement. The statute was inspired by the European Union’s GDPR framework and was a reaction to Facebook’s mishandling of account information, and the ease with which it gave this private information to vendors including political operatives who helped target voters in the 2016 election.

Why is this such a big deal? From a public policy standpoint, it codifies the principle that peoples’ personal information is theirs to control and use as they see fit. This includes a right to internet privacy. From a technical standpoint, the legislation has necessitated a fundamental shift in how information is collected, stored and organized.

For example, in New York, affected businesses worked themselves into a low-level frenzy when the Department of Financial Services established baseline requirements for the encryption of personally identifiable information. In contrast, effective January 1, 2020, California consumers will have the right to know about the specific pieces of personal information that a business has collected about them; a breakdown by category of the personal information that it has collected or sold; the purpose for which it collected or sold this information; and the categories of third parties to whom this information has been sold.

The definition of personal information is broader than what we’ve gotten used to. Specifically, this “means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The key to understanding the definition is that it captures big data uses by including information which can be used to identify a specific individual, such as an individual’s “browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.”

In recognition of the difficulty and cost of implementing this radical mandate, the law does not apply to all businesses. Instead, it applies to businesses that have at least 25 million dollars in gross revenues; that buy, receive or sell personal information of 50,000 or more consumers or households; or derive 50% or more of their annual income from selling personal information.

There is much more I could talk about, but there’s only so much I can test your patience when it comes to describing California law. Nevertheless, what California is doing will catch on. I would be asking my IT person or department what resources they would need to comply with this kind of requirement, and to start moving in the direction of being able to segregate personal information by member. The more time you give yourself to integrate this approach into your IT and compliance framework, the more cost-effective it will be.

October 16, 2019 at 9:24 am

Authored By:

Henry Meier, Esq., Senior Vice President, General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association. In addition, although Henry strives to give his readers useful and accurate information on a broad range of subjects, many of which involve legal disputes, his views are not a substitute for legal advice from retained counsel.