ZENTRALER KREDITAUSSCHUSS

MITGLIEDER: BUNDESVERBAND DER DEUTSCHEN VOLKSBANKEN UND RAIFFEISENBANKEN E.V. BERLIN; BUNDESVERBAND DEUTSCHER BANKEN E.V. BERLIN; BUNDESVERBAND ÖFFENTLICHER BANKEN DEUTSCHLANDS E.V. BERLIN; DEUTSCHER SPARKASSEN- UND GIROVERBAND E.V. BERLIN-BONN; VERBAND DEUTSCHER PFANDBRIEFBANKEN E.V. BERLIN

Comments of the Zentraler Kreditausschuss [1] on the Communication from the European Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions of 4 November 2010: "A comprehensive approach on personal data protection in the European Union", COM(2010) 609 final

12 January 2011

Register of Interest Representatives Identification number in the register:

[1] The ZKA is the joint committee operated by the central associations of the German banking industry. These associations are the Bundesverband der Deutschen Volksbanken und Raiffeisenbanken (BVR), for the cooperative banks, the Bundesverband deutscher Banken (BdB), for the private commercial banks, the Bundesverband Öffentlicher Banken Deutschlands (VÖB), for the public-sector banks, the Deutscher Sparkassen- und Giroverband (DSGV), for the savings banks financial group, and the Verband deutscher Pfandbriefbanken (vdp), for the mortgage banks. Collectively, they represent more than 2,200 banks.
In its Communication of 4 November 2010, the European Commission sets out its approach to modernising data protection at EU level. Our comments on the Commission's objectives are as follows:

1. General remarks

The requirements of the Data Protection Directive have now been in force for fifteen years and have generally proved their worth. This is the right time to carefully review and, where necessary, adjust them. Not only the technical environment, but also the European Union itself has changed. Article 8 of the EU Charter of Fundamental Rights has made data protection a basic right throughout Europe, and this also has to be taken into account when modernising data protection rules.

1.1 Intelligibility

The right to the protection of personal data enshrined in Article 8 of the EU Charter of Fundamental Rights should be reflected in data protection rules in a manner which is readily intelligible to citizens and companies. In some member states, data protection legislation has become so complex that even experts find it difficult to understand. To gain broad acceptance, the data protection framework of tomorrow will have to be formulated in plain language. The EU should therefore urge its member states to implement the revised data protection framework in a way which is easily understandable, and should lead by example. This is all the more important given that only intelligible legal texts can be translated into all EU languages with relatively little loss of meaning.

1.2 Avoid contradictory regulatory requirements

Banking supervisors are continually issuing more stringent anti-money laundering, anti-fraud and compliance requirements for banks. These frequently conflict with data protection rules: take, for instance, the rules on monitoring payments for indications of money laundering. Banks can only comply with both regimes if they are consistent with one another.
When modernising the EU data protection framework, a legal mechanism should therefore be found under which data protection law takes better account of regulatory requirements for banks.

1.3 Data protection and technology

Experience has shown that one of the strengths of the Data Protection Directive is its avoidance of excessive technical detail. Technical and organisational aspects of data protection should nevertheless not be ignored, since they raise key questions which the Commission's comprehensive approach has not yet addressed. Differing application and perception of technical and organisational measures in member states make it difficult to implement data protection rules in practice. Consideration should therefore be given to offering guidance in the form of a pan-European minimum standard for technical and organisational measures. Existing standards for IT security, such as ISO 27001, could be complemented by an EU standard for the technical and organisational aspects of data protection. A pan-European standard of this kind, recognised by data protection authorities in all member states, would eliminate the need to repeat the same check multiple times on the basis of different local data protection laws. At the same time, the standard would need to be flexible enough to allow companies to tailor implementation to their individual requirements.

1.4 Take account of new forms of data processing

Technological progress and the potential of the internet mean that the way in which data are processed in companies and public institutions will continue to change. Here are two examples:

- Cloud computing is a new way of organising data processing in which several parties are involved. The concepts of the data controller and the data processor enshrined in the Data Protection Directive will need to be revisited in the light of this development. A modern legal framework will have to be found which allows companies and public institutions to exploit the potential of cloud computing in their capacity as controllers while complying with data protection rules. Requirements should also be drawn up for cloud service providers in their capacity as processors to ensure that they assume joint responsibility for, and satisfy a minimum level of, data protection.

- New social network services on the internet have led to a growth in the amount of publicly or semi-publicly accessible personal data. More and more companies are opening their own network accounts for marketing purposes. This raises questions concerning provider identification information, for example, or about the use of personal data which account holders themselves have made publicly available.

1.5 Self-protection by the data subject

An essential prerequisite for effective data protection, particularly on the internet, is that data subjects make responsible use of their personal data and take full advantage of available security functions. Raising the awareness of data subjects and promoting technical literacy are therefore important objectives of data protection policy. Unfortunately, there appears to be a
growing trend in e-commerce via the internet for certain service providers to request that customers making online payments disclose the personal identification media, such as PINs and one-time passwords, which banks have given them for the purpose of protecting themselves when banking online. This has the potential to undermine the security and integrity of online banking. When modernising the data protection framework, consideration should therefore be given to how legal requirements could safeguard the technical self-protection tools of the data subject (e.g. identification media, encryption technologies) against unauthorised use or access by third parties.

2. Transparency for data subjects (section of the Communication)

2.1 Scope of the information requirements

Transparency is without question a fundamental condition for enabling data subjects to exercise their rights. When discussing how to enhance transparency, however, the following points should be borne in mind:

Information should be tailored to the needs of the individual

There is already a trend in consumer protection legislation towards requiring banks to provide customers with so much information that the question arises whether it is more than they want or can understand. We would therefore have reservations about introducing even more information requirements if these resulted in a flood of information which customers were unable to process. A two-step approach would be more useful. It should initially be sufficient to provide customers with general information. Only if they then specifically ask for more should additional information be supplied in a manner tailored to the customer's needs. This means that statutory information requirements should be kept to a minimum and further details should be provided only on request. (Take, for example, an automated individual decision affecting a customer of a bank. It should be mandatory for the bank to inform its customer of this decision. But the bank should only have to give the customer further details if so requested.)

It is also important to remember that all information requirements are ultimately paid for in part by the customer. A cost-benefit analysis should therefore be carried out before any new requirement is introduced.
Transparency requirements should not only apply to companies in the private sector

People often complain about the increasing amount of data in the hands of businesses and conclude that transparency requirements for the private sector should be increased. It is frequently forgotten, however, that public institutions also collect and process personal data on a large scale. Though the need to combat terrorism and other crime is beyond dispute, it must be recognised that, from the perspective of the data subject, there is a particular lack of transparency surrounding access by public authorities to payments data in the banking industry for these purposes. In Germany, automated access by law enforcement agencies to customer account details under Section 24c of the German Banking Act is not transparent to either banks as controllers or their customers as data subjects. Those affected are often not even informed after the event that their data have been accessed. The credibility of data protection is not enhanced if lawmakers use double standards and demand greater transparency from businesses while more or less excluding the public sector. The basic right to the protection of personal data enshrined in Article 8 of the EU Charter of Fundamental Rights demands the same level of transparency from the private and public sectors.

2.2 EU standard forms ("privacy information notices")

It would be particularly helpful for small and medium-sized firms if the Commission pursued the idea of drafting EU standard forms for privacy notices. This would facilitate the implementation of statutory information requirements and help to ensure a minimum level of quality in the content of the notices.

2.3 Obligation to notify personal data breaches

We understand the Commission's desire to protect the interests of data subjects by requiring them to be notified in the event of a breach in the handling of their personal data. A requirement of this kind already exists in Germany. The following points should nevertheless be borne in mind:

- The notification requirement should be limited to serious breaches affecting more than one individual. There is otherwise a danger of triggering an avalanche of notifications with the potential to confuse and desensitise affected data subjects.
- Data controllers in both the public and the private sectors should have to comply with the requirements in equal measure. From the perspective of the data subject, it is immaterial whether the breach occurred at a public institution or a private company.

- Data protection legislation should, moreover, set data controllers the right incentives. The notification requirement should not apply, for example, if the loss of data poses no threat because the data involved were adequately encrypted. This would encourage the practice of encrypting personal data, especially prior to their transmission. It should also be possible to dispense with notification if measures are taken to adequately compensate those affected (e.g. by issuing new credit cards to replace cards whose details have been compromised).

3. Enhancing control over one's own data (section of the Communication)

3.1 Rectification, erasure or blocking of data by electronic means

It would seem a logical step to make it easier for citizens to use electronic means to exercise their right to rectify, erase or block data. The question nevertheless arises as to how data subjects' identity can be authenticated electronically so as to safeguard their personal data against manipulation by unauthorised persons. One possibility would be the electronic proof of identity feature used on German identity cards issued since 1 November 2010.

3.2 Right to be forgotten

Discussions about the right to be forgotten focus primarily on the internet and especially on online social network services. An open question is whether it is technically feasible to realise such a right. It should also be borne in mind that many companies in their capacity as controllers, particularly banks, collect and process personal data for the purpose of fulfilling contractual agreements with their customers. In addition, a number of national rules and regulations require the collection, processing and transmission of data, particularly in the banking industry. Data processing practices in banks are therefore essentially determined by contractual and statutory obligations. A bank's customers have a right to be forgotten only when these obligations no longer apply. And even then, record-keeping regulations have to be observed. In Germany, records must be kept for six or ten years to comply with commercial law and tax law respectively. It would greatly benefit both individuals and companies if at least statutory record-keeping requirements were harmonised across the EU.
4. Raising awareness (section of the Communication)

Making citizens more sensitive to data protection issues is a matter that concerns society as a whole. The banking industry would warmly welcome more awareness-raising activities by public authorities.

5. Ensuring informed and free consent (section of the Communication)

General legal principles and the Data Protection Directive already provide a basis for ensuring that consent can only be deemed effective when given freely and in possession of all the relevant facts. We therefore see no need for further action. In view of the doubts expressed by some data protection authorities about whether declarations of consent within a business relationship between a company and a customer are really given freely, it could be clarified that it is permissible to ask customers to authorise the processing and transmission of their personal data outside the scope of an existing contract. It must, for instance, remain possible for customers to agree to their bank transmitting their personal data to a credit bureau or to another company for advertising purposes. Free consent should not be interpreted so narrowly as to infringe on the right of a company or a customer to conclude an agreement. If, for instance, a customer withholds permission for a bank to obtain their credit history report from a credit bureau, the bank should be under no obligation to grant the customer a loan. Though a link then exists between consent and the conclusion of an agreement, this does not mean that the customer is being forced to consent. Both parties are simply exercising their right under the freedom of contract to determine the conditions for concluding the agreement.

6. Remedies and sanctions (section of the Communication)

There is no need for a right to collective action along the lines outlined by the Commission. Under the existing data protection regime, responsibility for monitoring and imposing sanctions lies with the data protection authorities. Should a right for associations to bring collective action nevertheless be considered, it should be possible to bring such an action against both public and private-sector entities. As mentioned above, citizens' right to protection should not depend on whether their data have been processed by a private-sector company or a public institution.
7. Increasing legal certainty and providing a level playing field for data controllers (section of the Communication)

7.1 Eliminating national differences

We would welcome further harmonisation of data protection rules in the internal market. Considerable time has elapsed since the Data Protection Directive was implemented in member states' national law. National data protection rules have moved on during this period. In Germany, for example, there have been several changes to the German Data Protection Act in the last two years alone. These changes affect, among other things, the use of data for advertising purposes, scoring practices, the transmission of data to credit bureaus and notification requirements in the event of breaches in the handling of personal data. Rules on data protection in the workplace are also to be overhauled in the near future. Since it may be assumed that data protection legislation has evolved in other member states as well, new differences across national jurisdictions cannot be ruled out. This development has the potential to impede the functioning of the internal market. The European Commission and its member states should therefore undertake a review of cross-border obstacles arising from data protection rules. The need for further harmonisation should then be tackled on the basis of the review's findings.

7.2 Facilitating the free flow of personal data in the internal market

As a result of the Commission's standard clauses for the transfer of data to third countries, it is sometimes easier to arrange for personal data to be processed outside the EU than it is to have the data processed in another member state. This is because differing implementation of the Data Protection Directive in member states means that the relevant national rules and regulations first have to be ascertained and analysed. These differences in national legal regimes across member states impede the free flow of personal data in the internal market. There is an especially pressing need for improvements in the following areas:

- Rules for outsourcing data processing are not the same in all member states. While in Germany, for example, Section 11 (2) of the Data Protection Act requires the data controller and data processor to make detailed contractual arrangements concerning, among other things, technical and organisational measures to protect the data, other member states either have no requirement of this kind or have diverging requirements. In the interests of practicality, a standardised framework for outsourcing data processing within the EU is needed.
- Conditions governing the exchange of data within groups of affiliated companies within the EU should be further harmonised and simplified. This would take account of the trend towards an increasing division of labour within groups of affiliated companies in the internal market (e.g. concentrating data processing in one unit of a financial group). A legal framework facilitating the exchange of data within groups of affiliated companies operating at the same level of data protection would promote the internal market effectively and in the long term.

8. Reducing the administrative burden (section of the Communication)

Differences in notification systems often generate red tape while delivering virtually no added value. A cost-benefit analysis of the existing regime should be carried out. Consideration should be given to the idea of dispensing with notification requirements as far as possible. Though a standard EU registration form would simplify notification for companies operating in more than one member state, an administrative burden would still remain.

9. The responsibility of data controllers (section of the Communication)

We would welcome a clear legal framework governing data controllers' obligations and responsibilities. When it comes to conventional forms of data processing, however, we consider the existing legal framework generally sufficient. In Germany, data protection officers already function as an effective internal control mechanism in companies. And data protection impact assessment is already ensured by the system of prior checking enshrined in Article 20 of the Data Protection Directive. New forms of data processing, however, especially cloud computing, require a modern legal framework which will enable companies and public authorities to exploit the potential of cloud computing while offering an appropriate level of data protection.
The idea should be explored of redefining the term "data controller" to cover cloud service providers so that they share in the responsibility. Not only the company using the provider, but also the provider itself would then have an obligation to ensure data protection. The advantage for data subjects would be that they could enforce their rights directly against the provider of cloud services.

10. Encouraging self-regulatory initiatives and exploring EU certification schemes (section of the Communication)

Data protection legislation, in Germany at any rate, already offers a basis for self-regulation and certification. Banks, however, have had some reservations about adopting such an approach up to now. This is mainly because banks have to comply with requirements of banking supervisory law as well as data protection rules when processing personal data. The requirements set by banking regulators are not always consistent with the objectives of data protection law; take, for example, the measures banks have to implement to combat money laundering and fraud. This sandwiching effect on banks is exacerbated by the fact that different supervisory authorities are involved. Self-regulation measures might well help to remedy the problem, but they would need clearance from both banking supervisors and data protection authorities. It should also be borne in mind that self-regulatory action by industry associations frequently has antitrust implications. As a result, a self-regulatory initiative by a banking association can only function in practice if it is supported by banking supervisors, data protection authorities and the competition authorities. It will therefore be necessary to establish a procedural environment for self-regulation which accommodates all the regulatory regimes involved and in which the state speaks with a single voice when approving initiatives.

11. Revising data protection rules in the area of police and judicial cooperation in criminal matters (section 2.3 of the Communication)

Not least with the aims of combating the increased threat of terrorism and solving serious crime, law enforcement agencies have been progressively increasing the degree and scope of their access to payments data in the banking industry. [2] The banks' legal position and the extent of their obligations to provide access are not always clear-cut. There is also a tendency, moreover, for law enforcement agencies to submit informal requests for information. There is little transparency for data subjects whose payments data have been accessed by the state. Affected persons often have no knowledge of what has occurred, even after the event. What is more, data are sometimes accessed from banks' data processors (e.g. computer centres for processing card payments), with the result that the bank involved is either not informed at all or only informed at a later date. The SWIFT agreement adopted in summer 2010 also demonstrates the need for further action regarding state access to data on payments by bank customers. All in all, revised data protection rules will only have credibility for customers and banks if transparency requirements have to be met in equal measure by public and private entities. When adjusting the data protection regime, account should therefore also be taken of access to payments data by the police, law enforcement agencies and the intelligence services.

[2] In connection with a series of murders in 2005, the Bavarian Office of Criminal Investigation requested around 2,100 banks, various computer centres and the operators of the German electronic-cash network to provide law enforcement agencies with data on card-based payments made during a specifically defined period. In autumn 2006, the public prosecutor's office in Halle carried out an investigation into child pornography (Operation Mikado). In the course of this investigation, banks and credit card companies were asked for information about cardholders who had used their card during a certain period to pay a certain amount to a provider of child pornography on the internet. Around 20 million credit cards were affected. More than 300 offenders were identified in Germany with the help of this data.
12. Clarifying and simplifying the rules for international data transfers (section 2.4 of the Communication)

Given increasing globalisation and the rate of technical progress on the internet, the question arises as to whether the Data Protection Directive's regime for international data transfers is still a realistic approach. The Commission's standard clauses have proved extremely helpful for internationally active companies with operations outside the EU. Further streamlining is nevertheless needed, especially with respect to the approach of the responsible data protection authorities and the scope of an authorisation issued by one authority. Another issue needing to be addressed more fully in this context is how to ensure an adequate level of data protection in global groups and networks. Rules are required which enable groups and financial institutions belonging to the same institutional protection scheme to process personal data using relatively straightforward, standardised procedures and with minimum bureaucracy. Moreover, these rules should be formulated in such a way as to support those industries which take their responsibility for data protection seriously.