WASHINGTON/BRUSSELS (Reuters) – Financial watchdogs from North America, Britain and Asia are urgently seeking a formal exemption from the European Union’s tough new GDPR data privacy law to avoid hampering cross-border investigations, regulatory officials told Reuters.
Failure by the EU to explicitly exempt markets regulators from the bloc’s General Data Protection Regulation could jeopardize international probes and enforcement actions in cases involving market manipulation and fraud, the officials warned.
The new rules, which came into force on May 25, have been several years in the making but lobbying by foreign regulators and their key international body has intensified over the past year with multiple meetings on both sides of the Atlantic as the law’s launch has approached, three people said.
The new EU law strengthens personal data privacy rights in the bloc, giving consumers greater control over their personal information.
It also narrows an exemption for cross-border personal data transfers made in the “public interest” by imposing new conditions, including extra privacy safeguards, on its use, said the officials and legal experts.
Under the previous law, regulators used the exemption to share vital information, such as bank and trading account data, to advance probes into a range of misconduct. For now, regulators are operating on the basis they can continue sharing such data under the new exemption but say doing so takes them into legally ambiguous territory because the new law’s language leaves room for interpretation.
They fear that without explicit guidance, investigations such as current US probes into cryptocurrency fraud and market manipulation, in which many actors are based overseas, could be at risk. This is because in the absence of an exemption, cross-border information sharing could be challenged on the grounds that some countries’ privacy safeguards fall short of those now offered by the EU.
To fend off that risk, regulators are pressing the Brussels-based European Data Protection Board (EDPB) to formally sign off on an “administrative arrangement” that would clarify in writing if and how the public interest exemption can be applied to their cross-border information sharing, three people with direct knowledge of the matter told Reuters.
The issue is sensitive given that regulators’ slow response to the 2007-2009 global financial crisis was blamed in part on poor cross-border coordination, which has since improved with information sharing leading to billions of dollars in fines for banks, such as for trying to rig Libor interest rate benchmarks.
Two of the regulatory officials said the EU is reluctant to give such explicit guidance because it is worried the exemption could be used to illegitimately circumvent its privacy safeguards, now among the toughest in the world, harming EU citizens.
Regulators involved in the discussions include the EU’s European Securities and Markets Authority (ESMA), the US Commodity Futures Trading Commission (CFTC), the Securities and Exchange Commission (SEC), the Ontario Securities Commission (OSC), the Japan Financial Services Agency (FSA), Britain’s Financial Conduct Authority (FCA), and the Hong Kong Securities and Futures Commission (SFC), the people said.
Asked to respond to overseas regulators’ concerns about the lack of clear EU guidance, European Commission spokesman Christian Wigand said that data flows between the EU and non-EU countries could be ensured using the mechanisms provided under the EU data protection legislation.
“Europe is open for business,” he said in an emailed statement.
The United States has been especially active on the issue, telling EU regulators on a number of occasions after the GDPR was first unveiled in 2012 that the public interest exemption may prove to be too narrow, said one of the people.
Most recently, US regulators raised concerns again during bilateral US-EU meetings in Washington in January, later on the sidelines of the International Monetary Fund meetings there in April, and in Brussels this month, according to two people. More meetings are scheduled in Europe in coming weeks, two of the people said.
The January meetings were attended by staff from the US Treasury and regulators, including the CFTC and the SEC as well as staff from ESMA, the European Commission and EU banking regulators.
According to a read-out of that gathering seen by Reuters, the Europeans seemed to have “divergent views” on how to address US concerns about GDPR. One of the people said recent meetings had been very positive but it was still unclear if the top EU brass would ultimately sanction a deal.
Regulators say they should be exempt because they cannot be expected to change their own data privacy laws to fall in line with the EU, which would be a breach of their sovereignty.
“There are rules in the GDPR that say you need to have in place a system with appropriate standards and you have other jurisdictions saying ‘No, our standards are adequate already’,” said an official from a Europe-based securities regulator.
The regulator said there has been no impact on cross-border cooperation so far, though the new EU rules have only been in force a month.
The International Organization of Securities Commissions (IOSCO), a body comprising regulators from more than 100 jurisdictions, has spent the past year trying to address that. The Madrid-based organization has been drafting an administrative arrangement with tough data protections, which would allow members that sign up to it to meet EU standards without importing the bloc’s rules into their national laws.
A spokesman for ESMA, Europe’s securities watchdog, pointed Reuters to a March 22 document it submitted to the EU privacy body seeking clarity over whether non-EU regulators were required to comply with the GDPR when receiving data under the exemption and whether such transfers could be performed on a repeated basis.
It added, however, that while the proposed administrative arrangement was being examined, it believed regulators could rely on the exemption to swap data in “specific situations subject to a case by case assessment.”
An EDPB spokeswoman said the EU privacy watchdog was in an ongoing discussion with ESMA on the matter, adding: “We are not entitled to give any information on this and cannot anticipate the outcome.”
A spokeswoman for the CFTC said in a statement the regulator was “confident European authorities fully recognize the critical importance of information sharing and access by financial regulators to safeguard our respective markets.”
However, two people familiar with the matter said it was not a given that the EU privacy watchdog would be satisfied by the data privacy safeguards outlined in the arrangement and that a resolution may not come for months, if at all.
Spokespeople for the FCA, SEC and Treasury declined to comment. Japan’s regulator confirmed that negotiations were “ongoing,” while the OSC directed Reuters to IOSCO. The Hong Kong regulator, which currently chairs IOSCO, pointed to a May statement in which the body said it would “continue to engage with European authorities to address any issues that are identified as the GDPR is implemented.”
(Reporting by Michelle Price and Huw Jones; Editing by Tomasz Janowski)