In this Privacy Tracker series, we look at laws from across the globe and match them up against the European Union General Data Protection Regulation. The aim is to help you determine how much duplication of operational effort you might avoid as you move toward GDPR compliance and help you focus your efforts. In this installment, Federal Home Loan Bank of San Francisco Information Security Officer Katy Liu compares two major U.S. federal financial privacy laws and the recent New York Cybersecurity Regulation with the GDPR.  

Summary

The GDPR and U.S. financial privacy protection laws all support transparency, accurate information, privacy protection and information security. The GDPR presents a single set of requirements for EU member states that covers all personal data, whereas the U.S. enforces a patchwork of federal and state financial privacy laws to protect consumer financial information. Other U.S. laws, such as the Health Insurance Portability and Accountability Act, focus on the protection of health information.

The Fair Credit Reporting Act

The FCRA is a federal law that became effective in 1970 and has since been amended by a variety of laws, including the Fair and Accurate Credit Transactions Act of 2003. Under the FCRA, consumer reporting agencies (CRAs) are required to maintain accurate information about consumers in consumer reports and to protect the privacy of consumer report information. In the U.S., the three largest nationwide providers of consumer reports are Equifax, Experian and TransUnion. They collect information from information furnishers (e.g., banks, credit card companies, etcetera) and generate reports for other parties that include the repayment history for credit cards and loans, an individual’s total credit amount and the credit he or she uses, and debt information, including medical debt. Under the FCRA, individuals may request one free credit report per year from each of Equifax, Experian and TransUnion to check for inaccurate information.

In addition to the three largest nationwide CRAs, specialty reporting companies also collect information about individuals and provide the information to other parties. For employment screening, specialty reporting companies collect information, such as credit information, employment history, salary information and professional license information. Generally, consumers may request one free report from specialty reporting companies, but some specialty reporting companies may require a fee for the information.

The FCRA specifies the types of information that CRAs may include in a credit report and the circumstances under which a CRA may furnish a consumer report, and it requires CRAs to maintain reasonable procedures to ensure that consumer reports contain accurate information (15 U.S.C. 1681).

Under the FCRA, a consumer has the right to dispute inaccurate report information with the CRA and the information furnisher that gave the information to the CRA. The CRA must conduct a “reasonable investigation” of the dispute “before the end of the 30-day period beginning on the date on which the agency receives the dispute from the consumer or reseller” (15 U.S.C. 1681).

FCRA and GDPR Article 5 regarding the accuracy of personal data: The FCRA limits when a CRA may furnish a consumer report to a requester. The closest GDPR analogue is Recital 64, which, while not binding, states, “The controller should use all reasonable measures to verify the identity of a data subject who requests access, in particular in the context of online services and online identifiers.”

GDPR Article 5(1)(d) states that personal data must be “accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’) (…).” Under Article 5(2), the controller is responsible for, and must be able to demonstrate, compliance with this principle.

FCRA and GDPR Article 15: Right of access by the data subject: Data subjects under the GDPR have the right to obtain from the controller information about any personal data processed, including the source of data if data was provided by a party other than the data subject, and the “recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations.” The data subject also has the right to receive a copy of the personal data that is being processed. Controllers must also give data subjects contact information of a supervisory authority if the data subject wants to lodge a complaint.

FCRA and GDPR Article 16: Right to rectification: Both the FCRA and the GDPR give data subjects the right to dispute inaccurate information. The timelines between the FCRA and the GDPR differ; the GDPR gives data subjects the right to have inaccurate information corrected “without undue delay.” Also, Article 19 requires the controller to notify each recipient of any “rectification or erasure of personal data or restriction of processing.” The data subject has the right to request and receive a list of recipients who received notification.

FCRA and GDPR Article 18: Right to restriction of processing: The FCRA allows a consumer to ask a CRA to place an initial fraud alert in the consumer’s file for 90 days; while the alert is in place it must accompany any credit score generated from the contents of the file. Several kinds of fraud alert can be placed on a file to warn recipients of the consumer report of a risk of fraud or identity theft. GDPR Article 18 gives data subjects broader control over the processing of their information: the data subject may obtain restriction of processing on several grounds, including when “the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data.”

The Gramm-Leach-Bliley Act

Twenty-nine years after the FCRA, the GLBA became effective as federal law. Under the GLBA, “each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information” (15 U.S.C. section 6801). Financial institutions include banks, loan companies and insurance companies. Nonpublic personal information is personally identifiable financial information that a consumer provides to obtain a financial product or service, or that the institution obtains in connection with a financial transaction (e.g., name, address, Social Security number, credit report information, etcetera).

Summary of the GLBA

Under the GLBA, financial institutions must provide customers and consumers a privacy notice and the ability to opt out or prevent the financial institution from sharing nonpublic financial information with nonaffiliated third parties. There are exceptions for when a customer does not have the ability to opt out of information sharing. For example, a customer may not opt out if the financial institution must share the information with a service provider that needs the nonpublic information to process or administer the financial transaction on behalf of the financial institution. 

The GLBA describes the requirements of a privacy notice. The notice must describe the categories of information collected, provide information about affiliated and nonaffiliated third parties who will receive the information, and how the financial institution protects the confidentiality and security of the information (15 U.S.C. 6803).  If the financial institution wants to share nonpublic information with nonaffiliated third parties, the financial institution must give the customer or consumer a privacy notice that “clearly and conspicuously” provides the consumer with information about how to opt out of information-sharing (15 U.S.C. 6802).

With respect to the GLBA’s focus on “protect[ing] the security and confidentiality” of nonpublic personal information, U.S. financial regulatory agencies jointly developed and issued the Interagency Guidelines Establishing Information Security Standards for financial institutions. The guidelines describe the administrative, technical and physical safeguards that financial institutions must implement to ensure the confidentiality, integrity and proper disposal of customer information. They require that financial institutions maintain an information security program, conduct risk assessments, implement risk mitigation controls, develop a security breach response plan, and implement other protection processes and controls.

GLBA privacy notice v. GDPR information requirements for data subjects: GDPR Article 13 requires a controller to provide a data subject with specified information at the time the controller collects personal data from the data subject. The GDPR requirements are far more specific than the GLBA privacy notice requirements. The GDPR requires the controller to provide the information needed to “ensure fair and transparent processing,” including how long the data will be stored or, if that is not possible, the criteria used to determine that period, and, where automated decision-making is involved, “meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.”

GDPR Article 14 describes what a controller must tell a data subject when the controller obtains the data subject’s personal data from a source other than the data subject.

GLBA opt-out v. GDPR consent: Under the GLBA, information sharing is permitted unless the customer opts out. Under the GDPR, processing is lawful only on one of the legal bases listed in Article 6, and consent is just one of them. Where consent is relied on, it must be “a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement” (Recital 32). Because consent meeting these requirements is difficult to obtain and to prove, controllers will often rely on another lawful basis under Article 6 rather than consent.

GLBA Safeguards Rule v. GDPR Security of Processing: The GDPR’s integrity and confidentiality principle requires that personal data be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’)” (Article 5(1)(f)). Under the accountability principle (Article 5(2)), the controller must be able to demonstrate that it does so.

GDPR Article 32(1), Security of Processing, requires controllers and processors to “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (…).” The GDPR lists measures to be considered, as appropriate, including:

  1. “pseudonymisation and encryption of personal data;
  2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”
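The first measure on that list, pseudonymisation, is often implemented by hashing an identifier, but a keyless hash of a value with a known format is not pseudonymisation in any meaningful sense: anyone can recompute it for every candidate value. The following Python example is added here to illustrate the point; it is not code from the original article or from any of the regulators discussed. It uses a constructed, fictional identifier in a 3-2-4 digit layout, assumes the attacker already knows the first seven characters (so that only 10,000 completions remain and the script finishes instantly), and contrasts a plain SHA-256 pseudonym with an HMAC-SHA256 pseudonym whose key is the “additional information” that GDPR Article 4(5) requires to be kept separately.

```python
import hashlib
import hmac
import secrets

# Constructed sample identifier (hypothetical, not a real person's number).
# The fixed layout is what makes keyless hashing weak: an attacker who knows
# the layout can enumerate every possible value and recompute the hash.
SAMPLE_ID = "123-45-6789"
KNOWN_PREFIX = "123-45-"  # assumption: the attacker already knows these characters


def unkeyed_pseudonym(identifier: str) -> str:
    """Plain SHA-256 of the identifier: deterministic and keyless, so anyone
    can recompute it for each candidate value and match against it."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 under a secret key held apart from the data. Without the
    key the pseudonym cannot be recomputed, so enumerating the input space
    does not help; with the key, the controller can still link it back."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def _candidates(prefix: str):
    """Yield every identifier matching the known prefix plus four unknown digits."""
    for n in range(10_000):
        yield f"{prefix}{n:04d}"


def reidentify_unkeyed(digest: str, prefix: str = KNOWN_PREFIX):
    """Reverse a keyless pseudonym by trying all 10^4 completions."""
    for cand in _candidates(prefix):
        if hmac.compare_digest(unkeyed_pseudonym(cand), digest):
            return cand
    return None


def reidentify_keyed(digest: str, key: bytes, prefix: str = KNOWN_PREFIX):
    """The same enumeration against a keyed pseudonym. Only succeeds for
    whoever holds the correct key."""
    for cand in _candidates(prefix):
        if hmac.compare_digest(keyed_pseudonym(cand, key), digest):
            return cand
    return None


def demo() -> dict:
    """Run the comparison and return the outcomes for inspection."""
    controller_key = secrets.token_bytes(32)  # stored separately from the data set
    attacker_key = secrets.token_bytes(32)    # a wrong guess, with overwhelming probability
    plain = unkeyed_pseudonym(SAMPLE_ID)
    keyed = keyed_pseudonym(SAMPLE_ID, controller_key)
    return {
        "unkeyed_recovered": reidentify_unkeyed(plain),              # identifier comes back
        "keyed_without_key": reidentify_keyed(keyed, attacker_key),  # None
        "keyed_with_key": reidentify_keyed(keyed, controller_key),   # key holder links it back
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The last result is the practical caveat: a keyed pseudonym is still personal data for the organisation that holds the key, so the key itself needs the access controls, separation and rotation that Article 32 expects, and a leak of key plus data set is a breach of identifiable data.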

New York Department of Financial Services Cybersecurity Regulations

The latest financial regulation in the United States with stringent requirements for financial institutions is not a federal privacy law but a state regulation. The New York Department of Financial Services’ (DFS) Cybersecurity Regulation (23 NYCRR Part 500), effective March 2017, raises the bar for cybersecurity programs at financial institutions licensed in New York. Specifically, the regulation sets a minimum baseline for a cybersecurity program that includes penetration testing, vulnerability assessments, encryption of nonpublic information in transit and at rest, secure application development practices, multi-factor authentication, and access privilege controls. Similar to the GDPR, the regulation also requires periodic disposal of nonpublic information that is no longer necessary for business operations (23 NYCRR 500.13).

While the GDPR focuses on protecting data subjects by specifying their rights to understand how their personal data is collected and processed, including the “right to be forgotten,” the NY regulation protects personal information by requiring covered entities to implement a cybersecurity program that will “ensure the safety and soundness of the institution and protect its customers” (23 NYCRR 500.00).

Conclusion

The GDPR places great responsibility on controllers and processors to respond to the requests of data subjects, including meeting a data subject’s request to be forgotten in certain instances. In the U.S., financial privacy laws and the recent NY Cybersecurity Regulations have generally focused on requiring organizations to implement information security or cybersecurity programs that will protect data from unauthorized access, or breaches. As laws evolve and set new baselines for privacy rights and information security requirements, more human and technological resources will be needed to meet these requirements.

Comparison table (GLBA, FCRA, New York Cybersecurity Regulation and EU General Data Protection Regulation, by topic)

Topic: Access to information
  GLBA: none listed
  FCRA: 15 U.S.C. 1681g: Disclosures to consumers
  New York Cybersecurity Regulation: none listed
  GDPR: Article 5: Principles relating to the processing of personal data

Topic: Right to correct/rectify inaccurate personal information
  GLBA: none listed
  FCRA: 15 U.S.C. 1681i: Procedure in case of disputed accuracy
  New York Cybersecurity Regulation: none listed
  GDPR: Article 16: Right to rectification

Topic: Notice to the customer/consumer (U.S.) or the data subject (EU)
  GLBA: 15 U.S.C. 6802: Obligations with respect to disclosures of personal information; 15 U.S.C. 6803: Disclosure of institution privacy policy
  FCRA: none listed
  New York Cybersecurity Regulation: none listed
  GDPR: Article 12: Transparent information, communication and modalities for the exercise of the rights of the data subject; Article 13: Information to be provided where personal data are collected from the data subject; Article 14: Information to be provided where personal data have not been obtained from the data subject

Topic: Consent
  GLBA: 15 U.S.C. 6803: Disclosure of institution privacy policy
  FCRA: none listed
  New York Cybersecurity Regulation: none listed
  GDPR: Article 7: Conditions for consent, including Article 7(4): “When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.”; Article 8: Conditions applicable to child’s consent in relation to information society services

Topic: Safeguarding information
  GLBA: 15 U.S.C. 6801: Protection of nonpublic personal information; the Interagency Guidelines Establishing Information Security Standards (Guidelines)
  FCRA: none listed
  New York Cybersecurity Regulation: 23 NYCRR 500.13: Limitations on data retention
  GDPR: Article 25: Data protection by design and by default (requirements for controllers); Article 32: Security of processing (requirements for controllers and processors)

Topic: Consumer’s right to access information
  GLBA: none listed
  FCRA: 12 CFR 1022.136: Centralized source for requesting annual file disclosures from nationwide consumer reporting agencies
  New York Cybersecurity Regulation: none listed
  GDPR: Article 15: Right of access by the data subject
