|
EBF Key Messages
Avoiding fragmentation between EU member state authorities
Interpretation of GDPR or general approaches towards data protection by national Data Protection Authorities should avoid fragmentation.
Lack of a consistent interpretation across member states may lead to an increased operational burden and legal uncertainty for the banking sector, making it more difficult for banks to scale their services and provide cross-border services.
For example, diverging views on the use of legitimate interest, as seen in the Netherlands, can trigger unaligned approaches in different jurisdictions.
By issuing model Standard Contractual Clauses (SCC) DPAs aim at more certainty, but multiple model SCCs could cause fragmentation, particularly if guidance differs slightly per country.
Consistency across the EU should be ensured in order to facilitate the development of a single market for retail financial services, a long-standing ambition of policy makers.
Transferring data across borders
Banks support the European Commission’s ongoing work on developing revised Standard Contractual Clauses, as SCC’s enable fast and efficient exporting and importing of data while providing a high-level of protection of data subjects rights.
We would also encourage an alignment of the SCCs with the provision of Article 28, so that the data controller exporting the data to the data processor in the third party would not be obliged to enter into both – the SCC and the data processing agreement.
Banks support the continuing work of the European Commission to pursue and sign adequacy decisions with third countries as continuing divergence between jurisdictions complicates certain aspects of banks operations.
Applying new technologies
The development of technologies such as AI or blockchain and the level of adoption by companies might be limited depending on the interpretation that supervisors could make of those principles and how they apply to the use of technologies.
To cater a global data economy, Europe needs to increase the speed of technology adoption in order to not risk lagging behind other regions.
Supervisory authorities should understand the interactions among the principles set in the GDPR and the needs of technology developments and assess compliance.