The European Commission has drafted a new EU Directive and Regulation that sets out laws on the access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, and on prudential requirements for credit institutions and investment firms.
Under the planned framework regulators could issue sanctions to both companies and individuals responsible for breaking the rules. Under the proposed regime the regulators that issue sanctions would be obliged to publish details of those sanctions.
However, the European Data Protection Supervisor (EDPS) said that the laws as currently drafted are in breach of data protection requirements.
"The EDPS is of the view that the provision on the mandatory publication of sanctions — as it is currently formulated — does not comply with the fundamental right to privacy and data protection," Giovanni Buttarelli, assistant EDPS, said in an opinion (8-page / 767KB PDF) adopted by the watchdog. "The legislator should carefully assess the necessity of the proposed system and verify whether the publication obligation goes beyond what is necessary to achieve the public interest objective pursued and whether there are less restrictive measures to attain the same objective."
"Subject to the outcome of this proportionality test, the publication obligation should in any event be supported by adequate safeguards to ensure respect of the presumption of innocence, the right of the persons concerned to object, the security/accuracy of the data and their deletion after an appropriate period of time," he said.
The EDPS opinion said that it is "of crucial importance" that public disclosure of personal data serves a "clear and well-defined purpose" in order to be data protection law compliant. However, Buttarelli said that it may not always serve a justifiable purpose to disclose the details of individuals who breach the new EU financial services rules.
"The EDPS is under the impression that the purpose, and consequently the necessity, of this measure is not clearly established," the opinion said. "While the recitals of the proposal are silent on these issues, the impact assessment report merely states that the ‘publication of sanctions is an important element in ensuring that sanctions have a dissuasive effect on the addressees and is necessary to ensure that sanctions have a dissuasive effect on the general public’."
"However, the report does not consider whether less intrusive methods might have guaranteed the same result in terms of deterrence without interfering with the privacy rights of the individuals concerned. It does not explain, in particular why financial penalties or other types of sanctions not affecting privacy would not be sufficient," Buttarelli added.
Whether individuals' details should be published should be considered on a "case by case basis", the opinion added. Such an approach was "a more proportionate and therefore a preferred option compared to mandatory publication in all cases."
"This discretion would, for example, enable the competent authority to avoid publication in cases of less serious violations, where the violation caused no significant harm, where the party has shown a cooperative attitude, etc," Buttarelli said.
Safeguards protecting individuals' privacy rights are not sufficiently detailed in the Commission's plans, the watchdog said.
Individuals should be able to challenge in court a regulator's finding that they are responsible for a breach before their identity within a sanction notice is published and individuals should also be informed prior to publication of a sanction notice that they have a right, under data protection laws, to challenge that publication on "compelling legitimate grounds," Buttarelli added.
In addition, EU member states must ensure that sanction notices posted on the internet under the new framework are deleted after a "reasonable period of time" and that there are "adequate security measures and safeguards ... in place, especially to protect from the risks related to the use of external search engines."
The EDPS' opinion also raised questions over whether the privacy rights of whistleblowers were also adequately accounted for under the draft new laws. The proposed Directive outlines a mechanism that enables whistleblowers to report violations of the planned new rules, but there should be a "specific reference to the need to respect the confidentiality of whistleblowers' and informants' identity," Buttarelli said.
Whistleblowers' identity should only be disclosed if it "is required by national law in the context of further investigation or subsequent judicial proceedings," the opinion said. In addition, the watchdog said that the rights of individuals accused of breaking the law by whistleblowers should also be guaranteed.
The rights of the accused include "the right to be informed, right of access to the investigation file and presumption of innocence" and should only be limited "to the extent necessary."
A more "comprehensive and binding" reference to compliance with EU data protection laws should also be made within the Commission's proposals and, in drawing up their own whistleblowing schemes nationally, member states should take account of previously issued guidelines on whistleblowing and privacy, the opinion said.
"The entities concerned should bear in mind the need to respect proportionality by limiting, as far as possible, the categories of persons entitled to report, the categories of persons who may be incriminated and the breaches for which they may be incriminated; the need to promote identified and confidential reports against anonymous reports; the need to provide for disclosure of the identity of whistleblowers where the whistleblower made malicious statements; and the need to comply with strict data retention periods," Buttarelli said.
The Commission's draft new laws should also set out that regulators seeking to share personal data with counterparts based in "third countries" must make sure that there are adequate data protection safeguards in place in those third countries to protect individuals' rights in such a transfer, the assistant EDPS added.
Current EU data protection laws prevent companies from sending personal data outside of the European Economic Area (EEA) except where adequate protections have been put in place or where the destination country has been pre-approved as having adequate data protection. Only a handful of countries, including Argentina, Canada and Switzerland, have qualified as having adequate protection. The EEA includes all 27 EU member states, Iceland, Norway and Liechtenstein.
When an organisation wants to send personal data to other non-EEA countries, that organisation must ensure that adequate protections are in place.