On April 13, the Article 29 Working Party (WP29) of the European Union released its assessment of the draft framework for transatlantic data flows: EU-US Privacy Shield, which was announced on February 2. According to the assessment, the WP29 evaluated the Privacy Shield from a commercial as well as a national security perspective. Regarding commercial aspects of the Privacy Shield, the WP29 maintained that “key data protection principles as outlined in European law are not reflected in the draft adequacy decision and the annexes, or have been inadequately substituted by alternative notions.” The WP29 further opined that it “cannot find in the documents constituting the Privacy Shield any reference to the necessity for data controllers to ensure that the data are deleted once the purpose for which they were collected or further processed has become obsolete. Hence, as it seems, the Principles do not impose to the certified organisations [sic] a limit for the period of retention of the data comparable to what is imposed by the data retention limitation principle under EU law.” Regarding onward transfers and national security, the WP29 commented that, because the Privacy Shield will be used to transfer data outside the U.S., it must ensure the same level of protection on all aspects, including national security, and “should not lead to lower or circumvent EU data protection principles.” According to the WP29, as the Privacy Shield is currently drafted, “onward transfers of EU personal data are insufficiently framed, especially regarding their scope, the limitation of their purpose and the guarantees applying to transfers to Agents.” Finally, the WP29 raised doubts about the effectiveness of the Ombudsperson at the U.S. State Department, questioning whether the designated person would be equal in independence to national security oversight bodies in other countries.
On April 18, Senators Sherrod Brown (D-OH), Jeffrey Merkley (D-OR), and Jeanne Shaheen (D-NH) sent a letter to the Government Accountability Office (GAO) requesting that it complete a study on the fintech industry. Under the Dodd-Frank Act, the GAO is required to examine the regulatory structure of person-to-person (P2P) lending. While the letter recognizes that the GAO issued a report on P2P lending in 2011, the senators urged the GAO to recognize that the lending platforms of financial technology firms (often called fintech) “has changed dramatically and evolved beyond consumer lending,” and that “P2P lending, now generally called marketplace lending, is not the only form of fintech that has developed over the last several years.” The letter further cautions that “gaps in understanding and regulation of emerging financial products may result in predatory lending, consumer abuse, or systemic issues.” Finally, Senators Brown, Merkley, and Shaheen urged the GAO to provide responses to questions relating to, among other things, (i) the size and structure of the loan portfolios maintained by privately owned fintech lenders; (ii) how fintech lenders’ relationships with financial institutions impact both the financial system at large and the regulatory framework; (iii) whether the risks that may arise from the investor base shifting from individual investors to institutional investors have grown since this issue was first noted in the GAO’s 2011 report; and (iv) the anti-money laundering, data security, and privacy requirements to which fintech companies are subject.
Recently, the New York DFS announced that an online payday loan lead generator and its CEO will pay a $1 million penalty and cease payday loan lead generation activities in New York to resolve allegations that the payday loans it advertised charged fees and interest rates greater than the usury limits allowed under New York law, and that it failed to protect consumers’ personal information. According to the DFS, the company (i) “advertised payday loans and connected New York consumers to payday lenders without disclosing that the payday loans contained terms that violate New York usury laws”; and (ii) failed to take any protective measures when selling leads to its network of lead buyers, despite advertising that it “‘prides itself in putting [its] customer’s security and personal information protection at the top of [its] priority list.’” In the event that the company solicits non-payday lending services in New York in the future, the order requires it to establish and adhere to data security protocols for the secure use, transfer, and storage of consumers’ personal information. This action represents the DFS’s first action to require a company to implement consumer data security measures for its future collection of consumers’ personal information.
FTC Issues Inquiry into Credit Card Companies’ Compliance with Payment Card Industry Data Security Standards
On March 7, the FTC announced that it issued orders to nine companies requiring them to file a Special Report regarding their assessments of other companies’ compliance with the Payment Card Industry Data Security Standards (PCI DSS). Specifically, the FTC’s Order stated that it is “seeking insight into data security compliance auditing and its role in protecting consumers’ information and privacy.” Among other things, a company in receipt of the Order must state whether or not it performs PCI DSS Compliance Assessments, whether or not it provides any Data Security Forensic Audit Services, and whether or not it has been the “subject of any government or regulatory inquiry, private action, arbitration or mediation related to the provision of Data Security Services.” If a company performs PCI DSS Compliance Assessments, the Order requires that it submit certain information on the assessment process, including but not limited to, (i) whether or not Qualified Security Assessors are hired to perform the assessment; (ii) the number and percentage of clients for which it completed a Compliance Assessment, including the number it did not provide a “compliant” or “in place” designation on the Attestation of Compliance or the Report on Compliance, respectively; (iii) the policies and procedures related to the Compliance Assessment; and (iv) copies of a limited set of PCI DSS compliance assessments performed. Companies must file the Special Report within 45 days after the date of service of the Order, dated March 4, 2016.
This week, the Department of Commerce released a package related to the EU-U.S. Privacy Shield Framework for transatlantic data flows. In February, the European Commission announced that the U.S. and the European Commission had agreed to a new Framework, but the Department of Commerce’s recently issued package is the first time the text of the agreement has been made available to the public. In addition to including the Framework itself, the package contains various copies of correspondence from U.S. officials discussing matters related to the Framework and how the appropriate U.S. government agencies will ensure the Framework, if adopted, will be enforced. Among other things, the new agreement (i) requires companies to respond to consumer complaints within 45 days of receiving the complaint; and (ii) describes a binding arbitration option for “certain ‘residual’ claims as to data covered by the EU-U.S. Privacy Shield.” Significantly, as noted in a statement from the European Commission, a final decision regarding the implementation of the Framework has not yet been made: “Now, a committee composed of representatives of the Member States will be consulted and the EU Data Protection Authorities (Article 29 Working Party) will give their opinion, before a final decision by the [members of the Commission]. In the meantime, the U.S. side will make the necessary preparations to put in place the new framework, monitoring mechanisms and the new Ombudsperson mechanism.”
On a related note, President Obama signed the Judicial Redress Act last week, which will lead to the highly anticipated signature of the EU-U.S. Data Protection Umbrella Agreement.