
The Privacy Shield is broken, so what next?

Laven Partners, London, 3 September 2020


In recent months there have been a few interesting developments in European data protection to which financial firms outside the European Economic Area, especially in the US, should pay attention. The obvious one is Schrems II, last month's decision by a European court to invalidate the EU/US 'Privacy Shield.'

Since May 2018, when the European Union's General Data Protection Regulation (GDPR) came into effect, the EU's data regulators have imposed fines on many companies to the collective value of more than €430 million (US$501.3 million).

In July the British Information Commissioner's Office told the public that it intended to fine British Airways a record £183.39 million because it had compromised the personal information of approximately 500,000 customers. The ICO's investigation found that users of British Airways’ website had been diverted to a fraudulent site where their personal data, including bank and credit card details, were stolen. In an interesting turn of events, however, there is evidence to suggest that the actual fine may be a mere fraction of the eye-watering £183 million. The International Consolidated Airlines Group, British Airways’ parent company, published an Interim Management Report on Monday 3 August which stated that a mere €22 million “has been recorded in respect of a provision concerning the theft of customer data at British Airways in 2018.”

Extraterritoriality

The GDPR introduced two principles concerning territorial applicability: the principle of establishment and the principle of extra-territorial effect. Article 3 of the GDPR states that it applies to non-EEA companies:

  • if the processing of personal data takes place in the context of the activities of an establishment or organisation in the EU, regardless of whether the processing itself takes place in the EU (Article 3, Section 1 of the GDPR); and
  • if the personal data of people in the EU is processed by an organisation not established in the EU and the processing concerns the offering of goods or services to people in the EU, or the monitoring of behaviour of individuals that takes place in the EU (Article 3, Section 2 of the GDPR).

Therefore, American or other non-EEA companies doing business with Europeans or in the EEA may fall within the scope of the GDPR. Examples include such US-based multinational companies as Morgan Stanley, Bank of America, JPMorgan Private Bank, Citigroup, Goldman Sachs, Raymond James, Northern Trust and Wells Fargo. They may now be subject to the second and third (or possibly first and second, considering the new developments in British Airways’ case) largest fines to be imposed by regulators in the EU.

Last July, the ICO issued a notice of intention to fine Marriott International, the hotel chain, £99 million after the company uncovered an earlier 'data breach' (the GDPR's term for a transgression against it) and notified the ICO in November 2018. The problem was thought to have begun in late 2014 in Starwood Hotels Group which Marriott International then acquired in 2016 before the implementation of the GDPR. This infraction compromised the passwords and credit card records of 30 million people who lived in the EU. The ICO’s potential fine against Marriott International represented 3% of its worldwide annual revenue, which is close to the maximum penalty allowed by the GDPR. Marriott later stated that it plans to appeal against the fine.

Similarly, in January last year, French data authorities fined Google €50 million (US$58.27 million) after finding that Google’s use of blanket consent forms and pre-ticked boxes was not sufficient to constitute ‘valid and explicit consent under GDPR.’ At the time, this was the largest fine issued for a GDPR violation. Google’s fine represented approximately 0.4% of its worldwide annual revenue, which is substantially less than the GDPR’s maximum penalty of 4% (in this case, 4% would amount to more than $4 billion for Google). Google is in the process of appealing against the fine. Additionally, Greece fined PwC, the American accountancy firm, for failing to obtain employees' consent for the purpose of analysing their personal data.

Several investigations of US firms are in progress, many of them directed at tech companies, which frequently use personal data to conduct business. Ireland, the country in which many US tech firms base their European operations, is the venue of many, but the data protection authorities of France, the UK and Germany are conducting some as well.

Schrems II

Last month the Court of Justice of the EU made a long-awaited decision on the so-called Privacy Shield in Schrems II, invalidating the adequacy decision applied to the US self-certification regime because of America's invasive national security laws. The EU and the US originally created the 'shield' after the European Court invalidated the original Euro-American data transfer deal, the US Safe Harbour, in the case known as Schrems I. The CJEU has now decided that the Privacy Shield did not protect the personal data of EU citizens as well as the GDPR does. It reiterated the validity of Standard Contractual Clauses (SCCs), which may now become the standard fallback position for any financial firm that used to rely on the Privacy Shield, but it also stated that these SCCs should not be treated as a box-ticking exercise: although they are available as templates, they create enforceable contractual obligations. If their provisions cannot be observed because of legal obligations that the non-EEA country in question has imposed on the data importer, they will be invalid.

Schrems II has created further uncertainty about the future of transatlantic data transfers. As the EU and the US try to negotiate another deal, US banks and other financial firms that have to obey the GDPR should review their flows of personal data, find out whether they or their sub-contractors are subject to US national security laws and decide whether it is feasible for them to adjust various contracts or take technical steps to supplement the required reasonable safeguards.

Furthermore, each one of them should ascertain whether it has a European establishment. If it does not, it ought to appoint a European representative as set out in Article 27 of the GDPR, as the lack of such a representative when the business has no establishment in the EEA is against the GDPR.

The GDPR is here to stay and, although there have been some high-profile fines, regulators are bound to look at smaller businesses also. This is especially the case since the court in Schrems II also exhorted EU regulators to act on any irregularities. More investigations and enforcement actions are to be expected.

* Laven Partners can be reached on +44 (0) 20 7838 0010
