All of us have been bombarded recently with those updates on our mobile phones and on the various websites asking us to accept the new privacy terms. Very few of us take the time to actually read those, myself included, instead opting to “click the box” and move on to where we want to be. Many of these recent updates, however, are driven by the European Union’s General Data Protection Regulation (“GDPR”), which went into effect in Europe on May 25, 2018.
This brings us to the question: how is it that a European regulation is governing the conduct of U.S. businesses, including U.S. credit unions, and why do I have to comply with a European regulation when I already have privacy laws governing me in the U.S.? These questions do not have simple, easy answers, but it is clear that the European Union is attempting to extend its influence beyond its borders and is setting a new and higher standard in the data privacy/data protection arena.
By way of background, the EU GDPR applies whenever an entity (such as a credit union) processes the personal data of an EU resident when offering them goods or services; or when you monitor the behavior of an EU resident; or where a country’s public law provides for it. Any of these potential jurisdictional thresholds warrants extensive discussion, but basically the more contacts you have with EU residents or businesses, or perhaps a physical presence in the EU, the more likely you will be subject to the GDPR. This is why, with our world becoming increasingly connected through the internet and otherwise, big tech companies such as Google, Amazon, and Facebook, with their extensive data collection activities and global focus, are being dramatically affected by this regulation (hence the increase in those privacy update requests).
So, yes, as a credit union you will need to pay attention to certain international regulations and look closely at your operations in the United States to figure out if this EU regulation affects your credit union and whether this regulation can be enforced against your credit union. Further, with the publication of the ePrivacy regulation as a proposal text (affecting electronic communications such as email, instant messaging, electronic marketing, etc.) which will round out the EU data protection framework, the compliance picture will likely get more complicated.
That said, it could have been much worse. WOCCU was active during the development of this regulation in urging the elimination of registration requirements and fees, and flexibility in who can be a data protection officer (such as a BSA officer) under the regulation. Also, there are still ways to ensure compliance with the EU regulation without having to significantly alter your operations (e.g., through contractual provisions or the Privacy Shield). So don’t ignore those international laws from some far-off place. Keep an eye on them. The world isn’t that big anymore.
A complete guide to the EU GDPR for WOCCU and CUNA Members is available at: https://members.woccu.org/documents/EUDataProtectionPrivacyShield2017ComplianceGuide