Posts tagged ‘GDPR’

Why California’s Privacy Law doesn’t apply to your Credit Union

I’m more than a little surprised by how many credit unions outside of the great state of California are concerned that they have to comply with the California Consumer Privacy Act (CCPA). As states such as New York and California move to more aggressively assert their jurisdiction, and even international actors such as the European Union seek to expand the applicability of their laws, it’s important that credit unions look beyond the specific statute they are dealing with and understand the total legal framework in which they operate.

The CCPA is landmark legislation, which aims to give consumers control of their on-line information by, among other things, giving them the ability to make sure information is deleted and giving them greater control over which third parties have access to their data. It’s modeled after Europe’s GDPR. It’s a big deal for those businesses that have to comply with its mandates. But the reality is that the vast majority of credit unions outside of the great state of California are not subject to its requirements. This is not a question governed by California Law but by Article 14 of the U.S. Constitution.

For some background, §1798.140 of the CCPA provides that the law applies to entities that are “doing business” in California provided they meet certain thresholds. There is also an exemption for not-for-profit businesses but the way that term is defined it’s possible that these exemptions will not apply to credit unions when the regulations are finalized by the California Attorney General. Both CUNA and NAFCU have understandably asked for clarification as to how exactly California is going to define these terms.

But keep in mind that no matter how California seeks to interpret its own regulations, it is constrained in its ability to impose these far-reaching requirements on out-of-state entities. As none other than RBG explained for the Supreme Court:

A state court’s assertion of jurisdiction exposes defendants to the State’s coercive power, and is therefore subject to review for compatibility with the Fourteenth Amendment’s Due Process Clause. International Shoe Co. v. Washington, 326 U.S. 310, 316, 66 S.Ct. 154, 90 L.Ed. 95 (1945) (assertion of jurisdiction over out-of-state corporation must comply with “‘traditional notions of fair play and substantial justice’”). Goodyear Dunlop Tires Operations, S.A. v. Brown, 564 U.S. 915, 918–19, 131 S. Ct. 2846, 2850–51, 180 L. Ed. 2d 796 (2011)

This is not controversial. It is a bedrock legal principle embraced across the legal spectrum. This is why California Law stipulates that its state courts may exercise jurisdiction “on any basis not inconsistent with the constitution”. (Cal. Civ. Proc. Code § 410.10)

So how will you know if your credit union is doing business in California? This is a term of art, which means it will ultimately depend on the unique circumstances of each credit union’s operations. But as the Supreme Court has made clear, to establish that a company is doing business more has to be proven than the occasional, incidental and isolated contact with the state. This means that for your average credit union with specific fields of membership and concentrated almost exclusively within New York and maybe some neighboring states, California law will not apply. This will be true even if some of your members end up doing banking on the West Coast. The situation changes of course if your credit union actively engages in California. For example, if you have a field of membership that includes television actors, there is a good chance that your credit union engages in the type of continuous conduct from which a court could reasonably conclude that your credit union is doing business in the state.

Here is my suggestion: before your credit union starts complying with the CCPA, ask an attorney to do an analysis as to whether or not it actually does business in the state. Chances are this will be money well spent.

January 31, 2020 at 10:31 am

What Does the GDPR Mean to Your Credit Union?

Greetings, folks.

Since the General Data Protection Regulation took effect in May of 2018, one of the great compliance questions has been: do we or don’t we comply with the GDPR? I’m here to say that I am no longer equivocating on this issue—in my opinion, the GDPR does not apply to your credit union unless your credit union actively solicits members in the European Union.

First, this is one of those instances where I feel compelled to remind you that my blog is my opinion, and not a substitute for the advice of counsel. With that out of the way, I bet you’re all wondering why I feel so dismissive of the GDPR. After all, Article 3 outlining the regulation’s territorial scope makes clear that the regulation applies to an individual citizen who is either a resident or visiting a country within the European Union. It is this broad jurisdictional claim combined with potentially severe penalties for non-compliance which led credit unions to decide to comply with the GDPR, especially when they discovered that they had opened accounts for members of the European Union living in the United States.

Fortunately, I happened to be discussing this very issue with a colleague of mine recently who told me about a recent decision by the European Court of Justice which restricted the reach of the GDPR.

One of the core protections afforded to citizens under the GDPR is the “right to be forgotten.” In the digital context, this means that companies have to be able to remove links to individuals who request that their personal information be removed from the web. There are exceptions to this rule, but they are not relevant to this blog discussion.

A case brought against Google involved a French citizen who requested that Google delist him pursuant to the GDPR. In complying with the mandate, Google changed its system so that individual searchers would be sent to search domains corresponding to the location of the search. For example, since the citizen in this case was French, anyone using a Google search engine in the European Union would not be able to find information about him. What Google refused to do was remove information from areas outside of the European Union. In a recent decision, the European Court of Justice ruled that, notwithstanding the broad language of the GDPR, Google’s actions satisfied the requirements of the law. In other words, the GDPR’s reach only applied within the European Union.

If European courts interpret the GDPR as not applying to one of the world’s largest international companies operating outside of the European Union, then clearly, it does not apply to your credit union which, unlike Google, does not operate in Europe.

In addition, this decision was just the latest of recent legal tussles underscoring just how limited the GDPR’s scope is. The Washington Post has a great free website, but if you don’t want the paper to collect your electronic cookies, you have to pay for a subscription. This violates the GDPR, which mandates that individuals have the right to refuse these electronic tracking devices without cost. What did the Washington Post do when it was accused of violating the GDPR? Absolutely nothing. It received a stern warning from Great Britain and went about its business.

November 6, 2019 at 8:53 am

California Dreaming? Why and What You Should Know About CA’s Privacy Law and Regulations

The most important regulation that is out for comment right now is not being promulgated by the federal government or New York State. Instead, they are regulations proposed by California to implement the California Consumer Privacy Act of 2018 (CCPA).

To be clear, assuming you are not a California credit union or dealing with California consumers, you can go about your day happy with the fact that there is actually a state that imposes even more onerous mandates on its businesses than New York. That being said, there isn’t a compliance person, IT professional or lawyer working with businesses or financial institutions today that shouldn’t be aware of the steps California has taken to give consumers greater control of their personal online data. We are all going to have to comply with similar frameworks sometime in the future, and my guess is that future is coming sooner rather than later.

So what is the CCPA? It is a comprehensive statute which gives California residents the right to know what private information of theirs is being collected by businesses, as well as to give consumers the right to forbid businesses from selling this information to third parties. It also gives consumers the right to demand that their information be deleted, although there are exceptions to this requirement. The statute was inspired by the European Union’s GDPR framework and was a reaction to Facebook’s mishandling of account information, and the ease with which it gave this private information to vendors including political operatives who helped target voters in the 2016 election.

Why is this such a big deal? From a public policy standpoint, it codifies the principle that peoples’ personal information is theirs to control and use as they see fit. This includes a right to internet privacy. From a technical standpoint, the legislation has necessitated a fundamental shift in how information is collected, stored and organized.

For example, in New York, affected businesses worked themselves into a low-level frenzy when the Department of Financial Services established baseline requirements for the encryption of personally identifiable information. In contrast, effective January 1, 2020, California consumers will have the right to know about the specific pieces of personal information that a business has collected about them; a breakdown by category of the personal information that it has collected or sold; the purpose for which they collected or sold this information; and the categories of third parties to whom this information has been sold.

The definition of personal information is broader than what we’ve gotten used to. Specifically, this “means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The key to understanding the definition is that it captures big data uses by including information which can be used to identify a specific individual, such as an individual’s “browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.”

In recognition of the difficulty and cost of implementing this radical mandate, the law does not apply to all businesses. Instead, it applies to businesses that have at least 25 million dollars in gross revenues; that buy, receive or sell personal information of 50,000 or more consumers or households; or derive 50% or more of their annual income from selling personal information.

There is much more I could talk about, but there’s only so much I can test your patience when it comes to describing California law. Nevertheless, what California is doing will catch on. I would be asking my IT person or department what resources they would need to comply with this kind of requirement, and to start moving in the direction of being able to segregate personal information by member. The more time you give yourself to integrate this approach into your IT and compliance framework, the more cost-effective it will be.

October 16, 2019 at 9:24 am

Does The GDPR Apply To Your Credit Union?

Few issues in recent years have unsettled credit unions as much as the General Data Protection Regulations adopted by the European Union in 2016 which took effect last April. For the companies to which it is applicable, the regulations usher in a radical new conception empowering consumers to better control who has access to their data and it comes with hefty potential fines for entities that violate its mandates. Furthermore, by its very terms the regulation was designed to apply not simply to companies in the European Union but to companies outside of the union which have European consumers. Consequently, while I have always felt that your average credit union did not have much to fear from the GDPR, I have never been able to opine unequivocally which credit unions would and would not conceivably find themselves subject to its mandates.

Fortunately, proposed guidance is currently pending which applies a commonsensical framework to the GDPR’s application. If the guidance is finalized as proposed, the vast majority of credit unions can return to worrying about regulations on this side of the Atlantic.

First some background. The GDPR is an important new regulation which aims to implement a regulatory framework for consumers to control who has access to their data, generally referred to as data portability; give consumers increased ability to know how that data is being used and who it is being given to; establish “the right to be forgotten” whereby internet companies must have the ability to wipe information about an individual off the internet and impose transnational data breach notification requirements.

As explained in this pending guidance, the European Union wanted to make the regulation reach as far as possible. Consequently, Article III of the regulation stipulates that it applies to any entity that targets EU members irrespective of where they are located as well as to establishments that process EU data. Of these two criteria, the one that credit unions need to be concerned about is the targeting criterion.

Several months ago I was talking to a compliance specialist in the metropolitan area. In response to the EU regulations the credit union had done some due diligence and discovered that 150 of its members actually lived in the European Union. They were a combination of Europeans living abroad and students studying abroad. Does this mean that the GDPR applied to this credit union? Under the pending guidance the answer is no. The proposed guidance stresses that “the processing of personal data of EU citizens or residents that takes place in a third country does not trigger the application of the GDPR, so long as the processing is not related to a specific offer directed at individuals in the EU or to a monitoring of their behavior in the Union.”

You can tell that credit unions weren’t the only ones concerned about the GDPR’s applicability because the proposed guidance includes this handy example, “a bank in Taiwan has customers that are residing in Taiwan but hold German citizenship. The bank is active only in Taiwan; its activities are not directed at the EU market. The bank’s processing of personal data of its German customers is not subject to the GDPR.” Amen brother.

In fact, credit unions are further shielded from the GDPR’s mandates because their fields of membership by and large limit them to individuals within this country. There are of course exceptions to this general rule but those exceptions clearly don’t apply to your average credit union. Now get back to those regulations on this side of the Atlantic. I will tell you when this is finalized.


May 6, 2019 at 9:37 am

Did The GDPR Just Land On The West Coast?

That is the question I was thinking about this morning after reading California Bill AB-375, which imposes European-like restrictions on companies doing business in California that buy and sell large amounts of personal information.

As readers of this blog may recall, I have unapologetically equivocated when it comes to expressing my opinion as to how much credit unions should really be concerned about the General Data Protection Regulation (GDPR). After all, there are several jurisdictional hurdles that European regulators would have to overcome before imposing penalties on a credit union which has no branches on the continent, does not actively seek out European citizens for membership and only incidentally has some members who qualify for the GDPR protection. That being said, a commitment to giving consumers control over their personal data is the direction in which things are headed.

The California law passed a few days ago shows that things are moving even quicker than anticipated. Most importantly, it gives consumers the right to request that a business that collects personal information disclose to the consumer “the categories and specific pieces of personal information” that the business has collected. This requirement only applies to a consumer who has worked with the business more than once and requests such information.

Similar to the GDPR, the statute also gives consumers the right to be forgotten. Specifically, it empowers them to request that a business “delete any personal information” about the consumer which the business has collected. Finally, a consumer has the right to know if its information has been sold to third-parties. The consumer shall have the right to opt out of allowing its information to be sold by third-parties.

California likes to do things first and this statute certainly fits the bill. Now I want to stress that this bill does not apply to your credit union, unless of course it is based in California. That being said, you should be generally aware of what it mandates because California does tend to establish trends that other states like to follow and on a practical level, so many vendor contracts are interpreted pursuant to California law, you are likely to see increased data protection obligations imposed under some of your agreements.

Have a great July 4th! It appears that many of you are taking the week off so yours truly will be returning with a new blog on Monday. See you then.

July 3, 2018 at 8:30 am

New York State Jumps On Politically Correct Banking Bandwagon

Yesterday, New York’s Department of Financial Services jumped on the politically correct banking bandwagon by issuing guidance reminding state chartered financial institutions that they “can play a significant role in promoting public health and safety in the communities they serve, thereby fulfilling their corporate social responsibility to those communities.” It encourages them to “review any relationships they have with the NRA or similar gun promotion organizations, and to take prompt actions to managing these risks and promote public health and safety.” They should also review their “codes of social responsibility.”

Don’t shoot the messenger so to speak but this is the guidance and as such should not be ignored by state level institutions in New York. Personally, I would review your existing policies and be able to explain to the public as well as examiners the criteria you use when determining whether or not to establish business accounts.

Now for my opinion. We are officially headed down an extremely slippery slope. Do we really want government using its powers to coerce financial institutions to bank or not bank with organizations and individuals who some people don’t like? Could guidance about the reputational risks of working with Starbucks be far behind? Then again, examiners like their hazelnut lattes more than they like guns.

I’m proudly not a member of the NRA and never will be but my views on gun control should have absolutely nothing to do with the advice I give credit unions or with the supervisory oversight to which they are subject.

NCUA Finalizes Advertising Regs

NCUA officially approved subtle but meaningful changes that will help credit unions in their marketing efforts. When making a print ad, credit unions are currently required to use one of three methods to inform the public that they are federally insured by NCUA. Specifically, 12 CFR 740 provides that credit unions may include the statement “This credit union is federally insured by the National Credit Union Administration”; a shorter version, informing the public that this credit union is “Federally insured by NCUA”; or a shorter version simply stating “Federally Insured by the NCUA.” These notices must also be included in all radio, television and internet ads greater than 15 seconds in length.

The rule finalized yesterday gives credit unions the option of simply reproducing NCUA’s official sign provided it is “clearly legible and no smaller than the smallest font size used in other portions of the advertisement.” In addition, the signage requirement exemption for radio, television and internet ads has been extended to advertisements no more than 30 seconds in length. Those of you looking for specific advertising requirements for social media will have to wait for another day.

The NCUA also approved an amendment giving regulatory relief to credit unions with $10 billion dollars or more in assets that are subject to special stress testing requirements. I haven’t read the final rule yet so that’s all I’m going to say on the subject.

NCUA Responds To FOM Ruling

NCUA provided the Federal District Court in Washington with an explanation of how it intends to implement its ruling invalidating two components of NCUA’s field of membership expansion rule. In its notice to the court, NCUA explained that it will no longer permit federally chartered credit unions to expand using the invalidated portions of the regulations, or to accept new members eligible under the invalidated provisions. It argued, however, that the court’s ruling does not retroactively invalidate the membership of persons who become credit union members as a result of these regulations.

Still no word on whether or not the NCUA intends to appeal the ruling.

GDPR Causes Hamlet Like Angst for Compliance Pros

To comply or not to comply with the GDPR? That is the question confronting credit unions as the May 25th deadline for complying with the European Union’s General Data Protection Regulation gets closer and closer. I know I have equivocated as much as anyone when it comes to complying with this regulation but unless you are a large credit union with an extensive portion of EU citizens in your membership base, you have to take a reasoned and proportionate approach to this measure. I love this quote from an article earlier this week in the American Banker, “Big banks, fund companies, large insurance companies are all working through large GDPR compliance efforts,” said Jeff Sanchez, managing director, information security and privacy at Protiviti. “For smaller community and regional banks, it’s more dependent on their analysis of what their customer base looks like and what their exposure to European data subjects is.”


April 20, 2018 at 9:13 am

What Your Credit Union Needs To Know About The GDPR And Why It Needs To Know It

One of the toughest questions I’ve dealt with since I’ve been with the Association is this seemingly straightforward one: Does my credit union have to comply with the GDPR and if so, what can we do? Impacted companies must be in compliance by May 18th. Keeping in mind that the opinions that I express belong to me alone and are not intended as a substitute for legal advice from a lawyer of your choosing, the purpose of this blog is to give you some further thoughts on the subject as well as to explain why I think the Facebook fiasco will ultimately make the GDPR more relevant to all of us. I apologize for its length but there’s no way to boil this down to a few paragraphs.

What is the GDPR? The General Data Protection Regulations (GDPR) are landmark requirements promulgated by the European Union, designed to give consumers firm control of their electronic data and give the European Union enhanced authority to impose these requirements beyond its borders. Violators face potentially severe penalties.

Why is the GDPR such a big deal? On a policy level it represents a totally different conception of the use and monetization of electronic information than has developed in this country. The US has allowed e-commerce to develop organically. The implicit premise has been that, in return for allowing companies like Facebook to easily access our information, consumers receive an enhanced e-commerce experience. In fact, this has happened.

Conversely, the GDPR represents a conception of personal information as the property of the consumer, control over which the consumer never completely surrenders. Under the European approach, at least in theory, members would know that their personal data was sent to Cambridge Analytica and could simply withdraw their consent for the company to use it.

How do the regulations accomplish this goal? By mandating that consumers affirmatively opt in to providing consent before giving away their personal information AND by mandating that companies be able to both transfer information to another company at a consumer’s request as well as remove a person’s electronic footprint. These rights are known as the “right to be forgotten” and the “right to portability.”

Does the GDPR apply to my credit union? This is the part of my blog that’s going to drive people nuts. On paper the answer is yes. As I explained in a previous post, Article 3, paragraph 1 of the Regulation stipulates that it applies to “the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.” So on paper the regulation extends to any institution processing and holding data belonging to a citizen of an EU country, regardless of where that consumer happens to be located. For instance, I talked to a downstate credit union that was surprised to find out it had more than a hundred accounts belonging to members who lived in the EU.

Why is this such a big deal? After all, some form of these mandates has already been in effect in Europe. For one thing, this is the first time Europe is trying to impose these mandates outside of its borders. In addition, I’ve read and been told by IT people that, without a serious investment of time and money, these nice-sounding mandates are difficult to achieve. They require companies to have the ability to effectively disaggregate data even as more and more of it is being aggregated into the big data hodgepodge. After all, the more information Cambridge Analytica has about Facebook users, the more it can confirm correlations between the type of car they drive, the coffee they drink and their views on gun controls. (I made this example up, but this is exactly the type of research that’s being done).

Can I be sued for not complying with the GDPR? The more I look at the issue, the more I think that the GDPR is likely to become increasingly relevant to your credit union’s compliance efforts, not because of formal action taken against individual companies by the European Union but because courts in this country, rightly or wrongly, recognize the GDPR as the base line standard of care when it comes to protecting a person’s private electronic data. This could happen in one of two ways. First, the GDPR includes a private right of action for consumers who feel their rights under the regulations have been violated.

Secondly, appellate courts may, over time, accept the argument that in an interconnected world, where everything from an individual’s playlist to what they buy when they go shopping could very well be stored on a server in Ireland, it is reasonable to expect companies to recognize the GDPR as the standard of care to which they should be holding themselves.

And let’s keep in mind as legislators seek to react to Facebook and Cambridge Analytica, the GDPR represents a model upon which to create their own system of mandates.

How concerned should my credit union be? Again, this is my opinion, but let’s be a little practical. Regardless of what the EU claims, its ability and desire to impose fines on a credit union that has no physical presence in Europe or does not even advertise its services to Europe is highly questionable. Furthermore, the intent behind the regulation is to put large multinationals on notice that, to the extent they do business in Europe, then they have to abide by the GDPR. On a practical level, given everything your credit union has to do, investing time and money to comply with the GDPR should be at the bottom of the list unless you actively interact with the European Union.

What’s the bottom line? Unless you are a very unique credit union, I wouldn’t panic about the approaching deadline but I would consider putting a GDPR policy in place since some of what the regulation requires includes measures that your credit union is already taking such as data breach notification protocols. In the medium to longer term, credit unions should be mindful of the GDPR and begin to think of ways that they could comply with its overarching mandates, if not its specific requirements.

The recent Facebook fiasco has finally made people realize that their private information is worth protecting and they’re going to demand that GDPR-type restrictions be placed on all companies and financial institutions regardless of where they are located.

March 23, 2018 at 9:55 am

Do Europe’s Data Protection Laws Apply To Your Credit Union?

That is the question an increasing number of credit unions have been asking the Association lately. But before I answer the question I want to set a few things straight.

First, the purpose of this blog is not to make compliance officers break into a cold sweat, drop everything they are doing and curse European integration. It is simply to provide very high level background and encourage those of you who may be directly impacted by Europe’s pending regulations to do additional work.

Second, remember that, while I strive to provide my faithful readers with the best advice I can, this blog is no substitute for seeking out your own attorney who’s aware of the unique needs of your institution.

Yeah, yeah, yeah, Henry. Now do Europe’s data protection laws apply to my credit union? The answer is it depends on how much interaction your members have with European Union countries, the type of banking services you offer, where you store your data and what exactly you do with it. Simply put, for the United Nations Credit Union, this is a big deal. For a small credit union in Jamestown, there are a million better things to worry about. Here’s some background:

In April of 2016, the European Commission adopted greatly enhanced data protection requirements called the General Data Protection Regulation (GDPR). The regulations are designed to (1) increase data portability, which generally means giving consumers the ability to more easily transfer their personal data from one institution to another; (2) give consumers enhanced ability to know how their information is being used; and (3) enhance the “right to be forgotten,” which generally means mandating that companies such as Google and Amazon have the ability to remove information from the web at a member’s request. To accomplish this goal, companies that do business in the EU must demonstrate how they are going to comply with these requirements and comply with much stronger member consent mandates than we use here in the states before sharing data. Finally, they must be prepared to report data breaches within 72 hours. To accomplish all these goals they must appoint a Data Protection Officer. All this kicks in officially in May 2018.

Here’s the part that has credit unions concerned. Article 3 of the regulation stipulates that it applies “to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union.” As drafted, the regulation applies not simply to companies located in the European Union but to companies outside the European Union that are processing information on behalf of persons in the EU. In other words, if you have a member traveling or working in the European Union who utilizes your credit union, this regulation arguably applies to your institution. This is not simply the analysis of a paranoid compliance lawyer; European regulators have said that one of the purposes of these regulations is to establish international data protection standards.

What makes this jurisdictional hook even more intriguing is that American regulators, specifically the FTC and the CFPB, seem anxious to see how they can incorporate GDPR principles into the American regulatory framework. For example, in October the CFPB finalized privacy principles which legal commentators were quick to point out were suspiciously similar to the concepts embedded in the GDPR. The FTC was even more forthright. For example, in this January 2016 speech, Julie Brill of the Federal Trade Commission explained “the GDPR is not a purely European document. Some of the key substantive provisions of the GDPR have roots in U.S. privacy law and policy. And some of the big questions left open in the GDPR that the Europeans will have to grapple with over the coming years are questions that we have been grappling with here in the U.S. for some time.”

So what, if anything, should your credit union do to prepare for this new regulatory framework which takes effect in May 2018? I’ll offer some thoughts on that question in tomorrow’s blog. In the meantime, here is a comprehensive analysis performed by the World Council Of Credit Unions. Michael Edwards and all were extremely helpful in helping me with my research.

December 14, 2017 at 9:33 am

Authored By:

Henry Meier, Esq., Senior Vice President, General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association. In addition, although Henry strives to give his readers useful and accurate information on a broad range of subjects, many of which involve legal disputes, his views are not a substitute for legal advice from retained counsel.
