On European Folklore: The Rule With the Longest Arms in All the Land
Written by Elizabeth M. Young LaBerge, Senior Regulatory Compliance Counsel, NAFCU
A few weeks ago, we blogged about misinformation that is being spread surrounding the scope and applicability of the European Union's GDPR, and we looked to the language of the rule itself for clarification. With that in mind, we can now discuss the need for risk assessments surrounding the GDPR.
Unfortunately, assessing the risk of GDPR noncompliance posed to a credit union is a legally difficult question. It is something that a competent attorney familiar with the credit union's operations, membership, agreements and international law is in the best position to advise on. However, this blog is intended as a starting place to have that conversation.
Beware the Murky Threat of International Enforcement
For credit unions with branches in the EU, the assessed risk of the GDPR may be pretty straightforward. A credit union with a physical presence in the EU is likely to be subject to the laws of that jurisdiction.
However, the GDPR states that it applies to organizations not established in the EU. It states:
"3. This Regulation applies to the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law." EU Regulation 2016/679, Ch. 1, Art. 3(3) (Emphasis added).
So the question becomes, "Does the law of an EU member state apply in the United States by virtue of public international law?"
Many journalists, consultants, bloggers, and especially vendors have spent a great deal of time discussing the significant penalties which can be assessed under the GDPR: 4% of global annual turnover! 20 million euros! What is often glossed over, if mentioned at all, is how a European Union member state would enforce such a penalty against an organization established and entirely located in the United States.
The truth is, this is a question that has not been tested, let alone settled. It is a general principle of public international law that a nation state does not exercise jurisdiction beyond its own borders. This is referred to as territoriality. Instead, nation states establish treaties and agreements to mutually enforce laws within certain limitations. In order for an EU member state to enforce the GDPR against an organization in the United States, it is likely an enforcement action would need to be brought in a United States court. There, a U.S. court can determine whether the EU nation state has jurisdiction over the U.S. organization to bind it in an enforcement action and assess penalties. There are several theories of how a foreign nation state could argue that it has jurisdiction over a U.S. organization. Even to those in the EU, it is not entirely clear how the GDPR can be enforced against everyone to whom it applies, given the breadth of its applicability. However, it is a consistent principle of U.S. jurisdiction law that the stronger the relationship is between the organization and the state trying to enforce the law, the more likely it is the state would have jurisdiction, and vice versa.
"Simply because GDPR aspires to global jurisdiction, however, does not answer the question of whether that aspiration is legitimate under international law. Longstanding rules and norms of public international law must be satisfied before regulatory agencies and courts can exercise jurisdiction over subjects outside their territory. Under these well-established principles of public international law, legitimate questions can be raised about whether European courts can exercise jurisdiction over non-EU publishers that do nothing on EU soil other than engage in globally accepted Internet advertising techniques that Europe believes constitute “monitor[ing] the behaviour” of Internet users." Kurt Wimmer, Free Expression and Privacy: Can New European Laws Reach U.S. Publishers?, The Media Institute.
Credit unions without a physical presence in the EU that are not actively seeking EU citizens or residents as members should be suspicious of any vendor or consultant that states, without any qualification, that the GDPR applies to the credit union and may result in penalties being assessed. It is reasonable to ask how the vendor or consultant arrived at that conclusion and what their understanding is of the mechanism of enforcement under international law.
Ultimately, an analysis of an EU member state's jurisdiction over and ability to enforce the GDPR against an individual credit union requires two things: an understanding of international law and a factual analysis of the individual credit union's operations and members. Therefore, a proper assessment of the risk of noncompliance with the GDPR would likely require the assistance of counsel.
Behold the Non-Enforcement Risks of Noncompliance
The Magic Words: Adequacy Findings and Market Access
Outside of the threat of enforcement and GDPR penalties, there are a few other important considerations surrounding GDPR noncompliance which may inform an organization's risk assessment. One is simply business pressures to access the European market. For organizations without a presence in the European Union, but who are actively courting EU citizens as a future consumer base, the question of whether the GDPR is legally enforceable may matter less than the effect of noncompliance on the organization's ability to do business in Europe with other organizations which require compliance.
Further, in order to assist its businesses in participating in the European market, a nation state may try to obtain an "adequacy finding," a determination by the EU that the nation state's own data protection law provides protections equivalent to those in the EU:
"There is also a particular reason why it will be seen by non-EU countries as desirable to be able to enforce GDPR fines, which is the desire among the international community to obtain (or keep) an adequacy finding. This status, conferred upon countries deemed by the EU to have equivalent legal protections for personal data to those in the EU, is a very beneficial one for the international commerce of that country, as it allows organizations in that country to receive personal data from the EU without needing to provide evidence of additional measures put in place to protect that data as it passes across international borders. If a country fails to support a fine under the GDPR in its jurisdiction, it is likely to be treated by the EU as evidence of inferior protections for personal data and will impact that country’s assertion that it provides protections equivalent to the EU." Tim Bell, Is Article 27 the GDPR's 'Hidden Obligation'?, IAPP, May 3, 2018.
In the U.S., this has taken the form of the EU-U.S. and Swiss-U.S. Privacy Shield Framework. This is a completely voluntary self-certification administered by the Department of Commerce and enforced by the FTC, which is only available to organizations subject to the FTC's jurisdiction, and specifically not to federally-chartered financial institutions. The Privacy Shield Framework only addresses the cross-border data transfer provisions of the GDPR, not the rule as a whole.
While pressure to conform with the GDPR to access European markets or to retain adequacy findings under the Privacy Shield Framework may be significant for many organizations, these motivations are less significant for the credit union industry, which is limited by field of membership and may not even be permitted to participate in existing adequacy-finding programs.
Heed Your Contractual Entanglements
Another and potentially significant risk to assess surrounding the GDPR is the credit union's contractual obligations to vendors. Most credit unions' data storage, transfer, and security environments involve the use of vendors.
GDPR noncompliance may pose a low risk to an individual credit union; however, the risk assessment may differ significantly for its vendors by virtue of the vendor's other clients and operations. While the credit union may be the "controller" of its members' personal information, a vendor may be a "processor" of personal data under the GDPR. See EU Regulation 2016/679, Ch. 1, Art. 4(2), (7) and (8). Being a processor under the GDPR may come with its own requirements and liabilities. Vendors who know they are subject to the GDPR in connection with other clients may begin to use contractual provisions intended to shield them against liability which could arise from a controller's noncompliance with the GDPR. Already, a few credit unions have reported to NAFCU that these provisions are appearing in agreements unexpectedly.
For this reason, credit unions assessing the risk of noncompliance with the GDPR may need to consider not only direct enforcement by EU nation states, but also potential contractual enforcement through a vendor. If a vendor is subject to the EU's jurisdiction, and an enforcement action is initiated against the vendor in the EU for failure to comply with the GDPR, the vendor may attempt to rely on its contractual agreements to shift liability to the credit union, either in the EU or in the U.S. Therefore, to properly assess its risk, a credit union may need to examine its agreements with vendors, clarify the vendor's expectations of GDPR compliance by the credit union, and understand the vendor's own risk assessment regarding GDPR compliance.