EU data protection in the context of financial services

Executive Summary:

Individual privacy has always been a source of concern for common citizens, but mainly from the perspective of human rights and civil liberties.

Nowadays, the internet has focused attention once again on the issue of data protection. The major barrier to full development of the internet and e-commerce precisely remains consumers' reluctance to provide private and confidential information.

With globalization of the economy and the IT revolution, the banking industry is going through an evolutionary process, re-adapting the relationship with clients through new products and new means of delivery. In order to reap all the benefits from these new potentialities, however, financial services should not undermine the privacy issue.

National legislation on data protection is often out-of-date, ineffective and unenforceable owing to jurisdictional limitations, whereas at international level, a multiplicity of initiatives has led to a situation that is plagued by inconsistencies. Nevertheless, international instruments serve as an example for other national and EU legislation.

As an alternative to the legislative approach, self-regulation, i.e. a code of conduct, appears particularly well suited to the issue of data protection in the context of the internet. In 1995 and 1997, the EU adopted the directives on data protection based on a careful balance of interests between consumer protection and completion of the Internal Market through the free movement of information. This legislative framework provides a reasonable level of security within the EU area. Consumer confidence is reinforced through rights and obligations controlled by supervision authorities.

Nevertheless, the system for international transfer of data outside EU territory appears impracticable and not easily enforceable. International movements are restricted to third countries providing an adequate level of protection, which represents a complex and incommensurate verification procedure. As far as the transfer of data to the US is concerned, the existing agreement provides an adequate level of protection but does not cover financial services. Therefore, the EU directive does not provide full protection all over the world, but simply grants people covered by its scope with a guarantee of an adequate level of protection for transfers.

Regarding this EU legislative framework, several problems remain since full harmonization and effective and uniform implementation are not yet in place. Further to the adoption of the EU rules, national legislations continue to diverge, creating additional obstacles to the completion of the Internal Market. Furthermore, each member state uses the margin of manoeuvre allowed them by the directive in opposite ways, thereby creating legal uncertainty. Hence, the EU market continues, in practice, to be fragmented.

In addition, some other EU initiatives address indirectly the problem of data protection, such as the investment services or consumer credit directives. If most of the legislation is concerned with consumer privacy, some rules are derogating to the general framework, again creating inconsistencies and additional barriers. Confronted with this unpromising situation, the EU launched in 2002 a revision process of the current legislative framework on data protection. It appears that most of shortcomings experienced are not caused primarily by the EU instruments themselves but mainly because of their national application. Therefore, it's improbable that the text would be amended.

However, others discrepancies are clearly up to the EU directive itself, such as the international data transfer system and the negotiation of the Safe Harbour Agreement.
In any case, technological developments will always be ahead of the EU's political willingness to address the issue of data protection and of the member states' ability to transpose and implement related legislation.

• Primary Source