The Ongoing Debate Over Federal Preemption in Breach Notification Requirements for Financial Institutions

Considering the European Union’s status as a bastion of privacy in the digital age, it may come as a surprise that currently, the EU prescribes no breach notification requirements (BNR) for financial institutions. The explanation for this conspicuous lacuna derives partly from an accident of history and partly from the same political forces that have stymied efforts for BNR progress in the US.

The EU has held the position as the world’s preeminent leader in privacy law for at least a few decades, because its privacy law, the Data Protection Directive (DPD), was sweeping and comprehensive ((See Virginia Boyd, Financial Privacy in the United States and the European Union: A Path to Transatlantic Regulatory Harmonization, 24 Berkeley J. Int’l L. 939, 939 (2006) (describing a historical overview of privacy law in the United States).)) Ironically, the all-encompassing nature of the DPD made it hard for EU Member States to implement, and hard for EU leaders to update in light of rapidly changing technology ((See Anne-Marie Zell, Data Protection in the Federal Republic of Germany and the European Union: An Unequal Playing Field, 15 German L.J. 461, 472-73 (2014) (comparing Member State implementation of a directive to implementation of a regulation).)) Rather than try to fix the outmoded DPD, EU leaders decided to scrap it for a more comprehensive but binding regulation ((See James Castro-Edwards, The Proposed European Data Protection Regulation, 17 J. Internet L. 3 (2013) (describing the history of the Data Protection Regulation).))

The Data Protection Regulation (DPR) is set to become law by 2018 ((See Radical Changes to European Data Protection Legislation, Allen & Overy LLP, http://www.allenovery.com/publications/en-gb/data-protection/Pages/Timetable.aspx (providing a timeline for the implementation of the Data Protection Regulation).)) It attempts to draw upon the strengths of the DPD and correct its weaknesses. As stated above, the DPR keeps the comprehensiveness of the DPD by establishing regulations across industries. It also sets comparatively high standards of protection. For example, the DPR includes a BNR that applies to any “controller” or “processor” of information ((Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of individuals with regard to the processing of personal data and on the free movement of such data, arts. 4.3, .5, http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52012PC0011.)) Importantly for US firms, this includes processors and controllers outside of the EU “where the processing activities are related to the offering of goods or services to such data subjects in the EU, or the monitoring of their behavior” ((Id. at arts. 3.1-.2.)) Unlike the DPD, the DPR binds all Member States ((Id. at art. 1.5.))

Despite its high level of protections and carefully structured enforcement mechanisms, I wonder whether, like the DPD, the DPR will fail its lofty goals because it sets its ambitions so high. While the US’ sector-by-sector approach to BNR has left significant gaps and inconsistencies for firms and consumers, it has been able to respond to changes in technology and to sensitivities that vary by industry. The DPR, by contrast, attempts to regulate all industries, from banking to social media, alike. On the one hand, consumers deserve fair protection regardless of where they park their information. Conversely, though, the DPR may prove inefficient for firms who – perhaps rightly so – wish to tailor their levels of protection to the risk of harm they create. While the question of how the law can protect individuals in the digital age remains a vastly unresolved area, at the very least, the passage of the DPR will provide the rest of the world with a heretofore-unprecedented level of protection from which to learn.