The Professional Insurance Brokers’ Association (PIBA) said 76% of brokers it surveyed had said that banks had threatened to withdraw customer overdrafts and other loan agreements unless they agreed to take out particular products offered by the banks.
The Association said the activity was "illegal" and that the Irish data protection watchdog had confirmed that such a practice breaches data protection laws. However, a spokesperson for the Office of the Irish Data Protection Commissioner (ODPC) told Out-Law.com that it was waiting for PIBA to provide it with evidence of wrongdoing before it takes any action.
"These are illegal practices," Diarmuid Kelly, PIBA chief executive, said. "The banks are flagrantly violating consumer protection laws and pressurising consumers who feel they have little choice because their credit facilities could be curtailed or withdrawn."
"Because of the surreptitious nature of the pressure being applied and the uneven nature of the relationship, which is particularly acute given the economic situation, consumers are loath to report such practices for fear of the financial consequences for themselves,” Kelly said.
A spokesperson for the ODPC said it had recently met with PIBA and had also previously "separately examined" the issues that PIBA had raised. It reported those findings in its 2010 annual report. (126-page / 928KB PDF)
In the report the ODPC detailed how it had conducted data protection audits of a number of financial institutions after a whistleblower at a "large" such organisation said that the branch in which they worked "was targeting marketing at customers, using their direct debit payment information to pinpoint areas for attention."
The ODPC said its investigations had unveiled that banks had been marketing to customers based on "information contained in their direct debits, such as a monthly payment to another financial institution or a payment to the life branch of an insurance company." At the time the watchdog said all financial institutions should "ensure that there is no direct marketing activity within their organisations based on customer direct debit data."
However, the ODPC told Out-Law.com that it needed proof substantiating the PIBA claims before it could take regulatory action.
"The position at present is that we are awaiting receipt from PIBA, its members or any other party evidence of the practices that it has highlighted," an ODPC spokesperson said. "We would then be in a position to take action under the Data Protection Act."
When asked the spokesperson confirmed that the potential action would relate to whether the banks had a lawful ground to monitor customer transactions.
Pressed on whether obtaining consumers' consent was the only lawful ground for processing in this instance, or whether there are other justifiable grounds for monitoring consumer transactions for marketing purposes, she added that the ODPC "would not wish to pre-determine any investigation that may take place."
Ireland, like the UK, has implemented national data protection laws that stem from an EU Directive. Under the EU's Data Protection Directive personal data can only be processed under strict conditions. Personal data must be "processed fairly and lawfully" and generally it can only be collected for "specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes".
Organisations must either obtain "unambiguous consent" from individuals before processing is lawful or satisfy one of a number of other conditions instead. Those conditions include if the processing is "necessary in order to protect the vital interests of the data subject" or if it is "necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract."
Organisations can also claim that personal data processing is "necessary for the purposes of the legitimate interests" they are pursuing, as long as those interests are not "overridden by the interests for fundamental rights and freedoms of the data subject".
Data protection law expert Marc Dautlich of Pinsent Masons, the law firm behind Out-Law.com, said that he is not surprised that banks would be interested in monitoring their customers' transactions. He said that banks needed to be able to justify the lawfulness of both reviewing customers' personal data and then marketing to those individuals.
"It appears to me that banks will increasingly be looking to customise the services they provide to consumers based on the rich data they hold on them," Dautlich said. "This is similar in a way to the way bank managers would engage with customers on a personal level 25 years ago, where they would be aware of individuals' financial position and would offer tailored services to those needs."
"However independent providers of financial services have a legitimate interest in ensuring that banks are not unfairly pressurising their customers into switching products," he said.
"From a data protection and consumer protection perspective the banks have to ensure that they are transparent with customers about any transaction monitoring. The most obvious way for banks to do this is by clearly detailing the practice within the terms and conditions that they issue to customers," he said.