“PERSONAL DATA PROTECTION IN BANKING AND FINANCE”
Session 2:
Personal data processing in systems such as credit bureaus
Bucharest
Thursday - 24 May 2007
"Balance of interests between industry and data protection"
Wulf Bach
President ACCIS
Contents:
- The legal basis and goals of data protection
- The legal basis and goals of credit bureau activity
- Reasonable balance of interests
1. The legal basis and goals of data protection
1.1 Basis in constitutional law
- EU - no constitutional provisions for data protection
- ECJ Catalogue of Human Rights (see Charter of Human Rights)
Comparable to the ECHR
- European Convention on Human Rights - ECHR
Art. 8 “Right to respect for private and family life”
Interference permitted in “justified” cases
(cf. ruling of 6 October 1982)
Art. 14 Protection of “sensitive” data
see also Art. 8, DPD
not affected by CBs
- National
- Example: Germany
Federal Constitutional Court:
“right of self-determination regarding information”
as a “consequence of the fundamental right of
human dignity”
But:
“The right of self-determination with regard to
information is not unlimited.”
(see Art. 8 par. 2 Charter of Human Rights)
Federal Constitutional Court D (25 July 1988)
"… Personal information also reflects an image of social reality
that does not belong exclusively to the individual in question.
Thus the individual must accept restrictions of his or her right to
self-determination with regard to information in the general public
interest, … and with strict adherence to the principle of
commensurability.”
Balance of interests
1.2 General laws
- EU
- Data Protection Directive
- National
applied in all Member States
politically defined balance of interests
expressed in EU and national law
sufficient basis for the assurance of data protection
Primary aspect of the assurance of data protection
- Trust in the legality of CB concepts as applied in practice,
including security and regulatory mechanisms
2. The legal basis and goals of credit bureau activity
2.1 General - freedom of services - objectives/goals of credit bureaus
- EU goal: development of an EU Single Market for retail banking, among others
- “credit”: “he believes”
- generally accepted basis for the provision of credit: responsible lending only after careful assessment of the borrower’s ability to repay (draft CCD, Art. 7a)
- data exchange: as old as credit itself
The provision of credit on a broad basis would be inconceivable without data-sharing!
2.2 Special regulations - EU - for credit bureaus
none
but various references in directives and political discourse -
see further details later
2.3 Special regulations - EU - containing references to credit bureau services
- Basel II / CRD
requirement to implement risk-management
instruments / systems
external or internal ratings
basis: processing of “available” data
2.4 EU assessment of the importance of CBs
- ECJ - ruling of 23 November 2006
CBs serve to:
increase the effectiveness of credit offerings (access to credit)
increase the mobility of borrowers
reduce credit interest rates
- EU Parliament
- “Purvis Report” (Green Book on Mortgage Credit)
“Stresses the importance of comprehensive and reliable client
credit databases and urges the Commission to promote the
development of a process of transition to a consistent format
in all Member States”; (36)
“Recognizes that, subject to justifiable privacy protection,
access to both positive and negative credit data is desirable;”
- EU Parliament
“CIVIC Consulting Report”
“… the third most important barrier [for the establishment of a
single market on retail banking] was credit risk for lenders - no
access to credit worthiness information …”
“access to credit registers is essential for crediting”
- EU Commission
DG Market - Green Book on Retail Financial Services
"Lenders who are unable to access accurate credit information
may charge higher prices or even refuse to provide credit to
consumer…”
“The Commission will tackle the barriers to competition
identified by the sector inquiry into retail banking …”
- EU Commission - DG Competition
“Sector Inquiry on Retail Banking - Final Report -”
“Authorities should note that credit data sharing regimes with
high reporting threshold or based on the exchange of only
negative data are likely to favour large incumbents at the
expense of smaller players and particularly new entrants.
Therefore national authorities … may wish to consider reforms
to their regulatory framework for credit data sharing …”
Interim result
- The necessary exchange of data between credit providers
- through credit bureaus -
conflicts with the goals of data protection. This conflict must be
resolved.
Goal:
a reasonable balance of interests
2.5 Special regulations - national - for credit bureaus
- old EU Member States
Only to the extent that a credit bureau is operated
through a central bank (as provided by law) - e.g.
Belgium, France, Spain, Italy (principle of the legality of
public administration)
- new EU Member States
Some have enacted CB laws (e.g. Poland)
(to be assessed based on the results of the EU Sector
Inquiry …)
3. A reasonable balance of interests
3.1 General - Data Protection Directive
Goal too: "Free movement of … services and capital …"
permits the exchange of data via credit bureaus
Defines the balance of interests as an “essential
regulatory component”
A wide range of credit bureau systems operating
legally in Europe on the basis of the DPD
3.2 Positive and negative versus negative data only
- Studies world-wide
e.g. South America, Japan, Italy: positive and negative
- EU CCD - 1st draft
“tendency to recommend positive registers”
Sector Inquiry: positive and negative
Positive data are required for full access to credit information.
economic growth
- ACCIS: 76 % of members also exchange positive data.
3.3 “Minimum threshold” for negative reports (“in arrears at least 120 days”?)
- Basis: Civil law
- Goals: quickest possible access to indications of inability to repay / unwillingness to pay
Goal: risk-minimization and prevention of excessive debt
- Example: Germany
generally recognized (by courts, consumer protection organisations and data protection authorities)
14 days after second fruitless reminder
exception: claim was “plausibly” disputed until then
3.4 Deletion periods for negative data 1 - 2 years
- EU-DPD: as long as required
criterion: “required” (Art. 6, 1, c)
- Germany: at the end of the 4th calendar year after entry into register if no longer required
- CRD: minimum data history of 5 years
- ACCIS: Data are stored by members for an average of 5 years.
3.5 Sources of data / participants in the exchange of data
- International experience
Non-bank data are important - especially for banks - as “early-warning signals” of potential economic problems
- EU - CCD (Art. 7a, 8)
Not restricted to banks
Applicable to all forms of “consumer credit”
- Sector Inquiry on Retail Banking
Disadvantage to non-banks as credit providers weakens/conflicts with competition
- ACCIS
approx. 50 % of CBs also exchange data with “non-banks” (e.g. mail-order houses, retailers, telecommunication companies)
3.6 Possible “balance of interests” with regard to data protection -
general
- transparency
information
consent (e.g. to the exchange of positive data)
right of information (access to personal data)
right of deletion, correction, blocking of access
- "Code of Conduct"
cf. UK (government, industry, data protection, consumer
protection)
Thank you for your attention!
ACCIS Association of Consumer Credit Information Suppliers IVZW
International non-profit association under Belgian law, Reg. address:
Avenue de Tervuren 267, 1150 Brussels
www.accis.eu