The European Commissioner for Justice, Fundamental Rights and Citizenship Viviane Reding is dead set on updating the European Union’s 15-year-old Data Protection Directive in order to ensure that it is “stronger and more consistent” across the region. However, the regulation is likely to have a significant impact on data managers and the vendor community by introducing a host of new rules to govern the way that data is stored and accessed.
The regulatory community is seemingly keen on introducing privacy-enhancing technologies and rules to ensure that personal data is adequately protected across Europe. Reding, who was recently appointed to the newly created position within the Commission, has already enacted reform of the telecoms industry with regard to protecting consumer rights and is keen to ensure stronger data protection is in place across the market as a whole.
The idea of “privacy by design” is fundamental to the changes, essentially meaning a reworking of the way firms deal with customer data. Regulators are keen for firms to voluntarily build in new privacy safeguards by integrating privacy principles like limited data collection, consumer notice, individual consent and reasonable security into their data processes.
Obviously, this regime change could have a significant impact on the data management function within the financial services sector as a whole. Certain data system features could become a compliance issue under the new rules and the regulation is likely to introduce new data protection compliance audits. Cloud computing is one such area that has already been beleaguered by concerns over data security and could potentially face a host of new hoops to jump through.
At this point in time, the reforms are at a very early stage and Reding has yet to draw up a definitive list of changes to the Directive. Discussions on the subject are likely to be ongoing over the next couple of months and the industry should keep a close eye on developments.
However, there are also discussions going on at an international level at the moment regarding financial data transfer across the Swift network. US and European regulators are seeking to come to a new agreement on the transfer of personal data across the financial network for anti-terrorist financing measures, following the rejection of the Swift proposals in February. European regulators are concerned about the transfer of customer data in bulk across SwiftNet and are keen for more guarantees and safeguards to be put in place. There is a degree of criticism about the use of bulk transfers, as some regulators feel this is not an appropriate model, given that data that may not be required could be transferred along with the data that is required. The European Commission is hoping to have an agreement on the subject signed by June.