Regulators press EU on data privacy exemption

LONDON: Financial watchdogs from North America, Britain and Asia are urgently seeking a formal exemption from the European Union’s tough new data privacy law to avoid hampering cross-border investigations, regulatory officials said.
Failure by the EU to explicitly exempt markets regulators from the bloc’s General Data Protection Regulation (GDPR) could jeopardise international probes and enforcement actions in cases involving market manipulation and fraud, the officials warned.
The new rules, which came into force on May 25, have been several years in the making but lobbying by foreign regulators and their key international body has intensified over the past year with multiple meetings on both sides of the Atlantic as the law’s launch has approached, three people said.
The new EU law strengthens personal data privacy rights in the bloc, giving consumers greater control over their personal information.
It also narrows an exemption for cross-border personal data transfers made in the “public interest” by imposing new conditions, including extra privacy safeguards, on its use, said the officials and legal experts.
Under the previous law, regulators used the exemption to share vital information, such as bank and trading account data, to advance probes into a range of misconduct.
For now, regulators are operating on the basis they can continue sharing such data under the new exemption but say doing so takes them into legally ambiguous territory because the new law’s language leaves room for interpretation.
They fear that without explicit guidance, investigations such as current US probes into cryptocurrency fraud and market manipulation in which many actors are based overseas, could be at risk. This is because in the absence of an exemption, cross-border information sharing could be challenged on the grounds that some countries’ privacy safeguards fall short of those now offered by the EU.
To fend off that risk, regulators are pressing the Brussels-based European Data Protection Board (EDPB) to formally sign-off on an “administrative arrangement” that would clarify in writing if and how the public interest exemption can be applied to their cross-border information sharing, three people with direct knowledge of the matter said.
The issue is sensitive given that regulators’ slow response to the 2007-2009 global financial crisis was blamed in part on poor cross-border coordination, which has since improved with information sharing leading to billions of dollars in fines for banks, such as for trying to rig Libor interest rate benchmarks.
Two of the regulatory officials said the EU is reluctant to give such explicit guidance because it is worried the exemption could be used to illegitimately circumvent its privacy safeguards, now among the toughest in the world, harming EU citizens.
Regulators involved in the discussions include the EU’s European Securities and Markets Authority (ESMA), the US Commodity Futures Trading Commission (CFTC), the Securities and Exchange Commission (SEC), the Ontario Securities Commission (OSC), the Japan Financial Services Agency (FSA), Britain’s Financial Conduct Authority (FCA), and the Hong Kong Securities and Futures Commission (SFC), the people said.
Asked to respond to overseas regulators’ concerns about the lack of clear EU guidance, European Commission spokesman Christian Wigand said that data flows between the EU and non-EU countries could be ensured using the mechanisms provided under the EU data protection legislation. “Europe is open for business,” he said in a statement. — Reuters