British Bankers Association submission to the consultation on the legal framework for the fundamental right to protection of personal data

The BBA [1] is pleased to respond to the European Commission's consultation on the legal framework for the fundamental right to the protection of personal data. The BBA is a registered organisation in the European Transparency Initiative (ETI). Our registration number is 5897733662-75. Any enquiries in relation to the responses below should be directed to shahid.rahman@bba.org.uk.

[1] The BBA is the leading association for the UK banking and financial services sector, speaking for 223 banking members from 60 countries on the full range of UK or international banking issues and engaging with 37 associated professional firms. Collectively providing the full range of services, our member banks make up the world's largest international banking centre, operating some 150 million accounts and contributing 50 billion annually to the UK economy.

Q1: Please give us your views on the new challenges for personal data protection, in particular in the light of new technologies and globalisation.

1. Banks and other financial services organisations operate in a global environment. The rules imposed by the European Data Protection Directive (95/46/EC) ("the Directive") governing the transfer of personal data outside the European Economic Area were written at a time when the internet was in its infancy and the need and ability to share personal data across national borders was considerably lower than it is in the 21st century.

2. One of the challenges is how to provide clarity over who is deemed to be a data controller. In addition, greater clarity is required to assess where a data controller is "established"; a typical example might be where an individual logs on to his computer in France, searches a UK website and, through it, applies for a product in Africa. In this example, it might be assumed that the data controller is not established in Community territory (Article 4.1(c)), although this is not necessarily the case. A challenge will be to achieve clarity.

3. Following the same theme, many EU organisations archive or back up their data on servers outside the EU, where there is no active processing of the information, simply the retention of a mirror copy for disaster recovery purposes. The location is chosen for economic as well as operational reasons. For example, business continuity plans may make it appropriate to archive personal data on a different continent. Under current laws, the location of the server is a determining factor, rather than the law of the jurisdiction in which decisions are made about the processing of the data.

4. Conversely, the Directive applies to a non-EU located data controller that processes personal data in the EU. This extra-territorial effect creates a burden for controllers that would not otherwise have to comply with EU data protection law. It is difficult to enforce, and non-compliance by such controllers is likely. It is also a disincentive to locate processing in the EU. Data belonging to another jurisdiction should be governed only by the law pertaining to that jurisdiction and not by the law of the place where the data is processed.

5. Data processors play an increasingly large part in processing activity and yet do not have legal obligations to comply with the Directive. Has the distinction between the two lost its relevance in today's business world?

6. Since 95/46/EC came into force, the world has experienced the events of 9/11, resulting in a range of subsequent anti-terrorism measures, not least the US Patriot Act. "Public interest" (Article 7(e)) probably has a significantly different interpretation today than it had in the last decade of the 20th century. It will also be interpreted differently in different jurisdictions, depending on their view (perceived or otherwise) of threats to their community and citizens.

7. The volume of personal data being processed is far greater than it was in 1995. Whilst acknowledging the benefits of data minimisation, data controllers are subject to legal obligations to retain certain types of data for significant periods.

8. A register of data controllers does not help a data subject in any material way. It does not appear to have been implemented across Europe in the way intended and is used by some Data Protection Authorities for auditing purposes. Notification appears to be unnecessarily bureaucratic, with little added value to either a data subject or data controller.

9. Article 25 ("Transfer to third countries") would appear to be at odds with the modern world. In a technological world where there are no geographic boundaries, the challenge would seem to be how to enforce the article and whether it is even realistic to try.

10. Each Member State has interpreted and implemented the Directive differently. The lack of harmonisation is a particular challenge, especially when it comes to what constitutes consent. This can be difficult where, for example, a UK-based group of companies with employees across Europe wishes to hold personal data about those employees centrally in the UK. Some Member States require particularly strong conditions to be met before such transfers may be made, including the explicit consent of the employee and also, perhaps, Works Council approval. This has the effect of restricting the free flow of personal data between Member States.

11. Processing of personal data is on such a scale today that obtaining the necessary level of consent from pre-existing customers is not viable. Whilst data controllers may be able to rely on one of the other fair processing conditions, this is not always possible, especially not on a pan-European basis. This potentially puts controllers at a disadvantage where there may in fact be no potential damage to the data subjects. The absence of any consideration of risk of harm, or of the intent of either the data subject or data controller, is a gap in the legislation in this regard.

Q2: In your view, how does the current legal framework meet these challenges?

12. The adequacy rule on cross-border data transfers lacks clarity and is unnecessarily burdensome.

13. Globalisation and the lack of geographic borders in relation to new technologies such as the internet mean that the current framework is ineffective for a significant volume of daily cross-border transfers.

14. It creates uncertainty over the circumstances in which a data processor might be a data controller. The current framework does not reflect the level of responsibility applicable to data processors.

15. There is uncertainty over which is the lead jurisdiction in a multi-jurisdictional relationship.

16. The perception of what is in the public interest has changed significantly since 9/11. The current framework does not reflect that perception. Given that public interest will mean different things to different organisations and individuals in different jurisdictions, it is difficult to understand how any data controller could ever rely on any public interest exemption.

17. Article 8.1 ("Special categories of data") seems to add no value or benefit to data subjects or data controllers. Indeed, it seems unnecessarily burdensome. Given that the Directive requires all personal data to be processed fairly and lawfully, this should be sufficient, without creating an extra burden for data subjects and data controllers. An element of proportionality could helpfully be applied.

18. The current framework is too broad in its definition of "access" (Article 12(a)) and enables data subjects or their representatives to obtain information as part of wider campaigns, rather than for the intended purposes of (a) identifying whether a data controller is processing information about them and (b) verifying the accuracy of that information.
Q3: What future action would be needed to address the identified challenges?

Our recommendations, set out by Article of the Directive:

Article 2(a), "Personal data" definition: Harmonisation and greater clarity are required.

Article 2(f), "Third party": We recommend that "third party" and "data processor" are brought together under a single definition.

Article 2(h), "Data subject's consent": Harmonisation and greater clarity are required. There should be a single definition of consent to encompass all types of personal data and all types of processing throughout the Directive, for clarity.

Article 3.1, "Forms part or intention to form part of a filing system": It is difficult to prove intent. Therefore, we recommend that "or intention to form part" should be removed.

Article 3.2, "Does not apply outside Community law": It is not clear what this means in practice, nor how it can work in respect of multi-national companies. It needs a clearer framework for the interaction of the Treaties and Directives.

Article 4.1(c), "Controller not established in Community territory": Ideally, this should be removed from the Directive. The law of the jurisdiction where decisions are made should apply, not where the server is located, particularly if the processing is undertaken solely for, say, back-up or business continuity purposes.

Article 4.2, "Representative": As with 4.1(c), this should be removed as it seems to add little value.

Article 7(c), "Legal obligation": We would welcome the addition of "or regulatory" before "obligation", as there is real conflict in respect of non-EU national regulations.

Article 7(e), "Public interest": Public interest means different things in different countries. We recommend that this clause be deleted, as it appears to be difficult for any jurisdiction to be able to rely on this clause.

Article 8.1, "Special categories of data": As this can prove burdensome for both data subject and data controller, we recommend that this clause is deleted and that all personal data should be processed fairly and lawfully, with protection proportionate to the risk of harm.

Article 8.2(a), "Explicit consent": "Explicit" is not defined, but clearly it is intended to be stronger than the definition under 7(a). There should be a single definition of consent to encompass all personal data.

Article 8.5, "Offences, criminal convictions": We recommend that the word "offences" should be deleted, thus enabling organisations to conduct internal investigations under this provision.

Article 8.6, "Derogations": It is not clear what value this provision adds. For example, who relies on it? If it is never relied on, should it be removed?

Article 8.7, "National ID numbers": As this is already covered by local legislation and is the same for all other categories of personal data that haven't been deemed "special", what does this add?

Article 12(a), "Access": Harmonisation is required to achieve the same reasonable timeframe across the EU. In the interests of proportionality, only personal data being processed now in a live environment should be provided. Archive or back-up data that no longer has any impact on the privacy of the individual should be exempted. An exemption in relation to vexatious requests would ensure that focus remains on whether a data controller processes personal data and whether such data is accurate.

Articles 18 and 19, "Notification (and contents)": Notification should be limited to the name and public contact details (e.g. for submitting access requests) of the data controller, plus a general description of the data controller's business, e.g. banking / financial services. It isn't clear what value is being added to the data subject, the data controller or the public at large by the current requirements. This requirement to register/notify hasn't been consistently applied across jurisdictions, and so harmonisation is required to facilitate passporting, i.e. if notification is accepted in the domestic jurisdiction, it would be accepted in all other EU Member States in which the data controller operated.

Article 20, "Prior checking": We recommend that this be removed, as it is an unnecessary burden on regulatory authorities and is inconsistently applied across jurisdictions.

Article 25, "Transfers to third countries": Ideally, this should be removed, as it is at odds with the modern world, where geographic boundaries can be by-passed electronically. Alternatively, revise Article 17 to build in the need for proportionate, harm-based controls in relation to transfers. There should also be a legitimate interest provision. There should be differentiation between intra-group transfers and transfers to other organisations. Add clarity in respect of which law applies where there is multi-jurisdictional impact. Take account of the concept of cloud computing and the chains of parties that exist in modern-day outsourcing arrangements. Link in with greater clarity in Article 4.1.

Article 26.1, "Derogations": We recommend that this be removed, as it seems at odds with the objectives of the Directive to state that security does not apply if the data subject consents to the transfer. There should be a single list of exemptions for all the provisions in the Directive. Article 26.1(a) adds another variation on consent by introducing "unambiguously". There should be a single, all-encompassing definition of consent in all its forms. An additional derogation should be added in relation to back-up data that exists for business continuity purposes only, or else such data should not be considered "processed" in the first place, akin to the rule in relation to data in transit.

Articles 26.2-4, "Authorised transfers / objections / contractual safeguards": Recognising that if 26.1 is not removed, this must remain, we recommend that BCRs should be approved by one Data Protection Authority and then recognised by all others in the EU.

Article 27, "Codes of conduct": We support the use of codes of conduct, but would welcome mutual recognition across all EU Member States as a further move towards harmonisation, in the way that the BCR process is intended to work.