As soon as the European Union's General Data Protection Regulation (GDPR) went into effect at the end of May 2018, it was almost inevitable that organizations, companies and regulators located outside the EU would begin looking for exemptions. And that is exactly what has happened: a group of financial market regulators from outside the European Union (including the very influential SEC in the United States as well as regulators in Japan and Hong Kong) are now asking to be exempted from some of the GDPR's stricter privacy rules.
When is data privacy not in the public interest?
Of particular concern to these regulators is the fact that a long-standing route for sharing data across borders appears to have been closed, or at least narrowed significantly, by the GDPR. That route, known as the "public interest" exemption, allowed regulators to share bank and trading account data with each other across national borders as long as they were doing so in the public interest.
Such exemptions, they say, are vital to doing their jobs properly. For example, if they are investigating securities fraud and the paper trail leads out of Europe and into North America or Asia, they need to be able to follow it and exchange the underlying account data without the encumbrances the GDPR now imposes. The same is true if they are pursuing cryptocurrency fraud, or trying to prevent a group of banks from banding together to rig a key benchmark rate (such as LIBOR, which is used to set the interest rates charged on many loans).
And, to really make their case, these market regulators have raised the specter of an event almost too unfathomable for words: a global financial meltdown. They point to the 2007-2009 global financial crisis, which they argue was only narrowly kept from turning into a full-scale meltdown because regulators were able to coordinate across borders. At the time, critics blamed these same regulators for not coordinating quickly enough, and it is clear that the regulators regard their ability to crack down on securities fraud and market manipulation as squarely within the "public interest."
Lobbying efforts for GDPR exemptions intensify
To make their request as palatable as possible for the European Data Protection Board (EDPB, the body set up to oversee consistent enforcement of the GDPR), these market regulators have used the term "administrative arrangement" rather than "exemption" or "loophole." They have also steadily ramped up their lobbying pressure. In January, a bilateral EU-U.S. meeting in Washington became the scene of backroom negotiating. That was followed by more lobbying at an International Monetary Fund (IMF) event in Washington in February, and then by a high-level meeting in Brussels in June, shortly after the GDPR had gone into effect.
On one hand, it is plausible to argue that the GDPR is unclear on whether financial market regulators may exchange personal data across borders for enforcement purposes. This is still largely untested territory, and the EDPB itself may not yet know exactly how to act. The regulators claim there is "a lack of clear EU guidance," and they want any exemption (or administrative arrangement) written down so that they do not run afoul of the GDPR.
For now, the EU maintains that the GDPR is clear about what it covers and what it does not. An EU spokesperson said, for example, "The EU is open for business." This would seem to imply that the EU sees no risk to business as usual, and it also suggests that no exemption is coming soon.
Market regulators look for enhanced guidance from the GDPR
Ever since the GDPR began to take shape, non-EU organizations, companies and government regulators have sought greater clarity about what the GDPR covers and what it does not. At a high level, the GDPR applies to processing carried out in the context of an establishment in any EU member state, and also to non-EU entities that offer goods or services to, or monitor the behaviour of, people in the EU (known as "data subjects"). Thus, most organizations with meaningful dealings with EU data subjects are required to comply with the GDPR. The regulation governs processing activities generally and is designed to safeguard EU data subjects, including from data breaches. It also requires many organizations to appoint a data protection officer.
However, there is room for EU member states to introduce derogations, which could weaken the full force of the GDPR. Much of this discussion now revolves around Article 23, titled "Restrictions." Article 23 says that Union or member state law may "restrict by way of a legislative measure the scope of the obligations and rights" provided for in the GDPR's data subject rights provisions, as long as the restriction respects the essence of fundamental rights and is necessary and proportionate. You can think of these restrictions as GDPR exemptions.
Article 23(1)(d) is a key clause for working out whether such a restriction could apply to market regulators: it allows restrictions that safeguard "the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security." This would seem to cover the "bank fraud" and "criminal wrongdoing" elements that the market regulators keep mentioning. One caveat: Article 23 restricts data subject rights and the corresponding controller obligations; it does not by itself authorise transfers of personal data to countries outside the EU, which are governed separately by Chapter V of the GDPR (including the "important reasons of public interest" derogation in Article 49). Even so, on this reading of the GDPR it appears that exemptions of some form are possible.
Will the rest of the world get behind the GDPR?
What is particularly notable, of course, is how many financial regulators have gotten behind efforts for GDPR exemptions. The list includes the EU's own European Securities and Markets Authority (ESMA), the U.S. Commodity Futures Trading Commission (CFTC), the U.S. SEC, Japan's Financial Services Agency (FSA) and Hong Kong's Securities and Futures Commission (SFC).
In other words, the search for GDPR exemptions is global in scope. That would seem to suggest that the rest of the world is not as eager to get behind the GDPR as regulators such as the UK's Information Commissioner's Office might once have thought. At one time, it looked as though the GDPR might spark a global embrace of data privacy rights and protections for the processing of personal data. Now, it appears that it might spark exactly the opposite: a quiet backlash by top market regulators, followed by a more public backlash by companies more concerned with the free flow of goods and services than with the protection of personal data.