GDPR Means General Data Protection Regulation

If you have been seeing Cookie Acceptance Notifications pop up on many global websites lately, it is precisely because this 2016 EU law, which goes into effect on May 25, 2018.  The law is broad in scope, but the notifications require the site user to accept the cookies being used, which is to document the site-user of opting in to the cookie tracking.  The sites are require to be able to evidence this opt-in.

The major requirement is in the title: Data Protection.  The foundational principle is that the website user owns his or her personal data that the site is collecting, so, as long as the site receives acceptance to use the data, the site also is responsible for protecting the data from data breaches.  Considering the ever-growing prowess of Black Hat Hackers, many sites are opting to purge the user data.  Major social networking site are probably coming up with ways to anonymize user data.

This principle that the user owns the data that is being collected has other ramifications.  The user can request erasure of his or her data.  The user will likely be able to request all users of his or her data, however removed from the originating data collector, to provide how the data was used.  All of the rights of ownership are attached to the data.

This is quite contrary to the American legal principle of privacy, which requires sites to keep the data private, but since the site owns the user’s data, it can do what it can do with any other asset it owns.  The defense of the American legal principle is that much of the data collected are actually intellectual property.  Take, for example, demographic information.  One site may analyze my personal data and conclude that I am a social conservative while another a social liberal; the conclusion is the result of the site’s work.

The EU legal principle suggests that such work may indeed be owned by the site, but if it is derived from the user, then user has derivative ownership of those conclusions.  Essentially, it recognizes that the user’s information has economic value and, therefore, the site will have to have a valid contract to use that data.

Since the law protects all EU citizens and residents and their data, it is global in nature.  Also, if an American tourist logs in from the EU jurisdiction, the American is protected as well.  For that matter, the American would be protected if the data is harvested from the United States but it is stored or passes through the EU jurisdiction.

Some questions remain, at least for me.  Would a company legally headquartered in Ireland but its activities are in Menlo Park, California, is the company treated as an EU company, and, therefore, require data protection to all user information going through Menlo Park because the financial results of that information is reported to the Irish tax authorities?

How about counter-terrorism efforts?

Or, does the public figure have an economic right to his or biography published by a traditional publisher of hardcover books?

Advertisements

FinCEN Final CDD Rule… For Now

FinCEN CDD Rule is the shorthand for Customer Due Diligence Requirements for Financial Institutions, which FIs were supposed to have implemented by May 11, 2018.  The requirement is to obtain beneficial ownership information, financial institutions will have to identify and verify the identity of any individual who owns 25 percent or more of a legal entity, and an individual who controls the legal entity, among others.  At the time of this publication, May 16, 2018, the requirement also includes the collection of beneficial ownership information during product or service renewals, such as loan renewals and certificates of deposit rollovers. FIN-2018-G001 FAQ Regarding CDD Requirement for FIs, pages 9 and 10.  This is the most controversial definition of a new product or service.  Practically speaking, it means a short term 1-month CD will trigger the need to collect a certification of beneficial ownership, which also includes the work of due diligence to support the certification.  There is no provision to apply this on a risk basis, which means the pensioner in Wichita and a Middle Eastern correspondent bank will be treated the same for the purposes of this requirement.  Obviously, FIs as awaiting any guidance on the enforcement strategy from regulators.

Update:  On May 16, 2018, at around 6pm, FinCEN delayed the enforcement of this rule. Due to the unexpected interpretation by FinCEN, FIs were not ready to consider rollovers as purchase of a new financial product.  Realizing that they provided guide far too late for FIs to comply, FinCEN is providing a 90-day limited exceptive relief.  Also, as, what seems to be, a jab at FIs sounding the alarm, FinCEN added:

Consistent with the definition of “account” in the Customer Identification Program
(CIP) rules and subsequent interagency guidance, each time a loan is renewed or
a certificate of deposit is rolled over, the bank establishes another formal banking
relationship and a new account is created…

FinCEN understands that some covered institutions have not treated such rollovers or renewals as new accounts and have established automatic processes to continue the banking relationship with the customer.