Position Paper. DG Justice consultation on the protection of personal data

Transcription

1 Position Paper DG Justice consultation on the protection of personal data 22 December 2009 From: ID ITALIAN BANKING ASSOCIATION Piazza del Gesù, Roma Position Paper 1/2009

2 PRIVACY - Commission Consultation on Data Protection 1. Data Protection rules and the requirements imposed by the antimoney laundering legislation. Working Paper. Compliance with the anti-money laundering directive by cross-border banking groups at group level which accurately illustrates the problems detected by the European banking industry with respect to the consistency between certain provisions on countering money laundering and financing terrorism with those on the processing of personal data. We note that both of the cited legal frameworks are an essential part of the regulations that banks must comply with in their day-to-day activities. Within the context of globalization and European financial market integration, operational problems that arise at the national level take on an even greater significance when doing business on a cross-border basis. ABI believes that the objectives of the European Commission s study (a high standard of protection of personal data while preserving the flow of information within the internal market) should be supported. Furthermore, the European Commission should strive for a simplification of the data protection regime, an improved legal certainty namely for data controllers and a better consistency and coordination between different requirements. ABI would nonetheless encourage the Commission conduct a serious impact assessment before envisaging any initiative: interpretation guidelines of the current framework could be adopted by the Commission and professional codes of conduct could be proposed by industry representatives. Herebelow are certain issues that we believe must be addressed. A) As known, the third anti-money laundering directive provides for specific and more stringent rules on customer identification. Clearly a bank that carries out customer identification in accordance with the Third Directive acts legitimately, as it complies with a legal obligation. Nonetheless, certain provisions of this legislation are excessively generic and leave ample room for interpretation on the scope of the identification obligations and sphere of application of the rules. Consequently there is some uncertainty (and, in any case, lack of consistency at the EU level) on the quantity as well as the quality of the personal data that banks must collect to fulfill the anti-money laundering obligations. Position Paper DG Justice consultation on the protection of personal data Pagina 2 di 10

3 As an example, we note that the Italian Data Protection Authority, in an opinion issued in 2003, reiterated that the obligations, specifically those concerning customer identification and registration, must be accurately defined and consistent with the primary reference legislation. The reason for this is so that only relevant data is processed and not data that is excessive with respect to the processing purpose. In a subsequent measure issued in 2005, the Authority stated, the bank or post office has the burden to verify the identity of the customer based on appropriate assessment tools. These tools could consist of: a) personal knowledge; b) documents acquired previously, even before the business relationship started; c) documents proving identity which are objectively necessary in certain circumstances; d) any registration of the personal data taken from the document presented. From another perspective, in the cited measure of 2005, the Authority established that, requesting a customer to produce, even electronically, a copy of a document proving his/her identity and conserving this copy, can only be deemed justified if: there is a legal provision expressly providing for the acquisition and temporary conservation of the copy or if 2) the bank has to prove that it identified the interested party through enhanced means, given the particular circumstances or the transaction to be carried out. Another case that falls within the above mentioned cases is if a check is presented by an unknown individual (banks may also request this for cases of enhanced customer identification obligations). Processing of personal data collected for identification purposes is therefore legitimate, appropriate and not unduly excessive if carried out proportionally as set out above, which is in line with the framework s provisions that state, in other scenarios, the need to conserve a copy of the document to be produced only in the cases selectively identified. Italian law on the processing of personal data provides that data be processed in accordance with the principles of proportionality, need and relevance (as highlighted by the Authority in its Opinion of 2003 requested by the Ministry of Economics and Finance to the Italian Data Protection Authority in relation to three regulatory implementation schemes with respect to Legislative Decree No. 56/2004). The bank must comply with these principles when carrying out its antimoney laundering obligations. Therefore, the processing of data not expressly indicated in the anti-money laundering legislation remains an open problem. For example, a problem arises with respect to customer identification obligations when there are fractioned transactions. As regards this, the Authority in the above-mentioned Opinion, invited the Ministry to assess whether these provisions were consistent with primary legislation, on the basis of which, the identification obligation is more limited: i.e. when, due Pagina 3 di 10

4 to the nature and conditions of the transactions performed, we can say that several transactions, carried out at different times but within a limited timeframe can be considered as parts of a single transaction (art. 13, para 2, of Law Decree. no. 625/1979, art. 3, para 1, of Legislative Decree no. 56/2004). B) Another problem is the many different national frameworks on so-called banking secrecy. While in certain countries, banks cannot pass on any information covered by banking secrecy to the parent company or other branches unless there is a suspicion of money laundering or without the consent of the data subject; instead in other countries, banks are allowed to pass on information if there is a need for additional information on one s customer (see also 2 on the intra-group communications). In this type of case in Italy, banks can only pass on information with the data subject s consent. The Italian Financial Intelligence Unit (UIF) had, through an opinion issued in 2003, recognized the possibility to flow all the information on suspicious transactions collected by companies belonging to the banking group into one person appointed by the group. Legislative coordination at the EU level would also be appropriate. The Italian Data Protection Authority has intervened several times on matters concerning banking secrecy, underlining the importance of banking secrecy in the bank- customer relationship. Banking secrecy, according to the Authority is understood to be an obligation to maintain secrecy over transactions, accounts and positions concerning banking services users. Banking secrecy is an inherent part of the bank customer relationship when applying the principles of integrity and good faith in the performance of an agreement and is expressly referred to, or considered by, diverse frameworks on tax or money laundering matters, in relation to powers of investigation that permit certain public entities to obtain information from credit institutions (Newsletter of 20 May 2001 La legge sulla privacy difende il Segreto bancario [Privacy Law defends banking secrecy]). The Authority recently intervened on the issue of coordinating the framework on personal data protection with that on anti-money laundering (by Measure dated 10 September 2009). It clarified that personal data used in the reporting envisaged under the anti-money laundering framework between financial intermediaries belonging to the same group can be communicated (and consequently processed only in the context of countering money laundering) if the conditions under art. 46, para 4 of Legislative Decree no. 231/2007 exist. In this case the data subject s consent is not needed. This communication may take place if a) it is done to comply with the antimoney laundering framework by parties tasked with satisfying the antimoney laundering obligations; b) the data processor provides the data subjects with an information note which is adequate and up-to-date and Pagina 4 di 10

5 specifically refers to the possibility that the information concerning the transactions requested by the data subjects, if deemed «suspicious» under art. 41, para 1, of Legislative Decree no. 231 of 21 November 2007, may be communicated to other intermediaries belonging to the same group. To this end, we note that certain foreign correspondent banks (in particular US banks) request information on transactions and/or data concerning bank customers of the banking group, stating they need this information due to a suspicion that certain activities involving the group and correspondent banks may be connected to money laundering. As known, provisions on protecting personal data (Legislative Decree no. 196/2003) establish that the data of a data subject in the case under examination, the name of the individual whose information is being sought may be communicated to third parties only if he/she consents to it or a ground for exemption exists. One such important ground is the one under letter a) of article 24 of the cited decree, that establishes that consent is not required when the processing is necessary to fulfill an obligation imposed by law, a regulation or Community legislation. By examining Legislative Decree 231/2007, the only article applicable to this situation appears to be art. 46, para 6, which, rather than imposing an obligation to pass on information, provides a possibility to depart from the prohibition of disclosure, and only in cases of reporting suspicious transactions. The Commission should clarify whether it is of a legal or interpretive nature, on the fact that: the anti-money laundering framework contains a provision that requires/permits communication to third parties (even if located abroad, and provided it is a country meeting the criteria under art. 46, para. 6, of Legislative Decree 231/2007) of customer information when the underlying reason is for countering money laundering; this information can be given in any case, or only if a report of a suspicious transaction has been made by the bank addressee of the request for information or by the bank requesting the information. C) Another issue that must be resolved at the EU level is the problem of guaranteeing the privacy of the individuals within the banks that have reported suspicious transactions to the competent authorities. This is a problem that must be solved to ensure the correct functioning of the reporting system. D) With respect to the time the data must be stored, the reasons why the banks need to consult the data must be clearly identified. As an example, under Italian law, the Banking Law, in accordance with the Basel 2 Pagina 5 di 10

6 Directive, was amended in order to allow banks to store data for a period exceeding the one which is currently contemplated, in accordance with the Directive on Basel 2. 2) Intra-group communications. On the matter of intra-group communications, the cases when the processing of personal data no longer requires the consent of the data subject, as a ground for exemption exists, must be clarified and illustrated at the EU level (under art. 7 of Directive no. 95/46/EC and indicated under art. 24 of Legislative Decree no. 196/2003). On the basis of Italian law, processing of personal data within banking groups is allowed even without the data subject s consent, when with the exclusion of diffusion, it is necessary, in the cases identified by the Authority on the basis of the principles enshrined by law, to pursue a legitimate interest of the owner or a third party recipient of the data, even in reference to the activities of the banking groups, subsidiaries and affiliated companies, in case the rights and fundamental liberties, dignity or a legitimate interest of the interested party do not prevail (art. 24, para 1, letter g, Legislative Decree no. 196/2003). Therefore it is necessary that the issue of passing on personal information within the banking group is dealt with thoroughly and consistently with the new developments in the regulatory framework, so that intermediaries may act, in compliance with the legislation on personal data protection, without excessive constraints when the processing of the personal data between the members of the banking group is justified by one of the equivalent conditions provided by law. Accordingly, as far as intra-group communications are concerned, it should be specified under what cases consent is not required. It could be the case not only for complying with the obligations related to control and monitoring of risks for the group s soundness but also for the processing of data that meets a legitimate interest of the group for purposes of the group s financial activities, as for example those concerning customer data: i) creating and carrying out marketing campaigns; ii) creating business products and marketing. It would also be appropriate, in principle, that authorized employees of the different banks/financial intermediaries of the banking group have direct access to customer data within the same conditions and limitations of those imposed on the employees of the banks/financial intermediaries having a direct relationship with the customer. This is to allow the customer quicker and easier access to credit even at more favorable conditions thanks to the possibility of having direct knowledge of the customer s available Pagina 6 di 10

7 funds/positions with the other banks/financial intermediaries of the banking group. 3) Cross-border circulation of the data necessary to assess creditworthiness. We believe that sharing, at a cross-border level, the information and data necessary to assess the creditworthiness of consumers is positive for creditors as well as for financial intermediaries, and facilitates and expedites access to credit. This would help reduce the risk of over-indebtedness and decrease requests for guarantees. For these reasons, we favorably view art. 9 of the Consumer Credit Directive (2008/48/EC) which provides that 1. Each Member State shall in the case of cross-border credit ensure access for creditors from other Member States to databases used in that Member State for assessing the creditworthiness of consumers. The conditions for access shall be nondiscriminatory. ABI participated in the consultation on the report by the European Commission s Expert Group on credit histories; on that occasion, a common need emerged on harmonizing or at least making consistent provisions under the various national frameworks on data protection governing credit bureaus: considering, specifically, the type of data processed (negative, positive or negative and positive), as well as how long this information should be conserved. 4) Internet code. In 2005 at the national level, the Italian Data Protection Authority launched a round table on defining a Code of conduct to use electronic communications networks and services (Internet Code). This round table is composed of the major trade associations representing Internet Service Providers from Confindustria Servizi Innovativi, ABI and ABI Lab as well as experts. Following an increase in the number of attacks perpetrated through the Internet and the attacks enhanced techniques, we believe an EU code of conduct on using the web would be appropriate. With respect to bank involvement, as they provide information via the Internet, banks also have an interest in participating in defining the processing of data that is transmitted to/from their customers, in order to Pagina 7 di 10

8 place this activity within a context of correctly managing electronic operations connected to transactions carried out on the Internet. As users of communication services, particular attention is paid to enhancing the Internet Service Providers actions to effectively combat Internet fraud. In the same vein, we hope that ISPs role will become more proactive in order to enhance preventative actions and reduce response time. 5) Remote surveillance of workers The Directive provides in its recitals that the level of protection of the rights and freedoms of natural persons concerning the processing of personal data must be the same in all Member States. Legislative Decree 196/2003 expressly refers to the specific provisions of Law 300/1970 on protecting the dignity of workers at the workplace. Specifically there is reference to a provision on remote surveillance of workers through electronic means, which establishes that, inter alia, in order to carry out these checks, there must be an agreement in place with trade unions or, in the absence of such agreement, a public authorization. This is a provision that only exists in Italian law and cannot be found in any other EU Member State legislation. It therefore follows that the Italian framework on processing of workers personal data is more stringent and burdensome with respect to those of other Member States. 6) Countering cybercrime Cybercrime has been targeting financial institutions since its birth and a big effort has been dedicated so far by banks in countering the threats posed to their customers by digital fraudsters. The escalation of digital crimes to internationally organized networks speeded up their evolution towards very sophisticated menaces, whose contrast goes well beyond the mere, even highly sophisticated, technological countermeasures. In fact, the current scenario calls for a joint action to be tackled by all the players involved in the digital fraud schemes, namely the Law Enforcement Agencies, the financial community, the telecommunications providers and the regulatory Institutions. Pagina 8 di 10

9 To this regard, facilitating channels to quickly communicate within a trusted network of peers in such communities becomes a key issue to be successful in fighting digital crimes from both the prevention and the repression points of view. To date very good networks have been established to cooperate in the field, in terms of competencies and representativeness, made up of banks, public institutions and LEAs. The Italian Banking Association itself, by means of ABI Lab Observatory on Information Security, runs a community of the kind at the national level. The more the shared information is timely and precise, the more effective is the action which can follow and the higher is the possibility to stop the fraud while it s still being committed. Information to be shared often acquires an operational value which is strictly related to the possibility of let it flow fast through the network. On such bases some concerns have been raised by Italian banks with reference to some issue addressed by the current regulatory framework on data protection, which could be revised in order to allow a different approach to information exchange. Unified interpretation of the scope of personal data across the EU countries is strongly needed to better understand how to build reliable and effective cross border collaborations, between both banks and LEAs. As an example, in Italy, as well as in other EU countries, according to what stated by the EU Commission, IP addresses have been considered as personal data, and this didn t allow to build at a national level a cooperative network to monitor IP addresses worth to be blacklisted or to share a common white list, which could be a basic countermeasure to isolate fraudster s activities. Further, pursuing criminals should be considered a common target to be accomplished as fast as the crime is committed nowadays, with a priority level as high as the one of protecting personal data of each citizen. To give an example, in order to prevent based crimes such as phishing, it could be reasonable to be able to filter fraudulent communications on the basis of some automatic tool at the ISP level, which is to date not possible letting millions of fraudulent s freely circulate on the web. 7) Specific texts It seems that specific texts (for example in the field of anti-money laundering or consumer credit), while touching upon the treatment of personal data, have failed to provide detailed guidance on how data Pagina 9 di 10

10 controllers should combine their data protection duties with the other obligations foreseen in these specific text. These texts thus leave it to the good will of national data protection authorities to combine these different obligations harmoniously. This can sometimes be achieved through a reliable data protection authority which can be contacted easily and which delivers detailed and balanced legal opinions in a reasonable time. Unfortunately, as explained under question 2, this is not the case in every EU Member State. The EBF and ABI would therefore like to call upon EU and national legislators to be more specific and to provide for a precise list of duties and exemptions in any future specialised legislation that has an impact on data protection. 8) Conclusions As previously stated ABI would encourage the Commission to take a prudent approach when addressing the challenges and adopt a step by step approach by proposing improvements within the current legal framework rather than revising the existing Data Protection Directive. A review of the Data Protection Directive could be disproportionate at first glance. Other options should be explored and particular non-binding tools including interpretation guidelines at EU level and self-regulation. For that purpose precise guidelines should be issued at EU level and should be applied by national data protection authorities. Moreover national data protection authorities should be encouraged to deliver written legal opinions, based on EU legislation, which would provide a sufficient legal certainty to data controllers. Pagina 10 di 10