Privacy fines outweigh Finance fines

Are financial firms too focused on AML/KYC? Privacy fines outpace Finance sector penalties, as our Founder Robert Baugh highlights in this opinion piece for Thomson Reuters

This article was first published in Thomson Reuters Regulatory Intelligence on 6 November 2023 and is the personal view of the author, Robert Baugh.

A potentially explosive compliance danger exists for finance firms that over-prioritise anti-money laundering (AML) and know-your-customer (KYC) imperatives at the expense of Privacy.

The EU’s General Data Protection Regulation (GDPR) has only applied since 25 May 2018, but given the high value of total fines imposed by European data protection authorities (DPAs) compared with those imposed by financial regulators, a disproportionate focus on AML/KYC risks obscuring a significant and continuing Privacy liability.

Data protection enforcement figures suggest that:

  1. Location matters.
  2. Cross-border business matters.
  3. Firms ignore Privacy at their peril.


Chosen markets

This article examines the penalties imposed by Finance and Privacy regulators during three calendar years (2020-2022) in the UK, Ireland, France, and Germany, including discussion and insights.

Country-specific data sources include the following:

  • United Kingdom: Financial regulatory data published by the Financial Conduct Authority (FCA). Data protection information from the Information Commissioner’s Office (ICO).
  • France: Finance sector data published by market regulator AMF and prudential supervisor ACPR. Privacy information supplied by data regulator CNIL.
  • Germany: Finance sector data published by regulator BaFin. Privacy data sourced from DLA Piper’s annual GDPR penalty reports.
  • Ireland: Finance sector figures published by the Central Bank of Ireland. Privacy data sourced from the Irish Data Protection Commission, the online GDPR enforcement tracker, and DLA Piper’s GDPR reports.


Do financial services firms face Privacy enforcement risks?

They do. While the largest Privacy fines have been issued against non-finance firms, such as Meta, TikTok, Amazon, and Google, they have targeted matters that equally affect finance firms, such as:

  • Compliance with GDPR principles.
  • Providing appropriate, clear information to individuals.
  • Transfers outside the European Economic Area (EEA).
  • Protecting children and their data.
  • Security.
  • Online trackers and cookies.

Compliance with GDPR principles

This includes having identified the appropriate legal basis for processing personal data.

In July 2022, the Lower Saxony DPA issued a €900,000 fine against a bank for combining datasets to profile its customers without their consent. The bank’s defence strategy cited legitimate interests, but that argument was rejected by the DPA.

Transparency

Individuals must have sufficient information about the processing of their personal data. This is particularly true of automated decision-making processes that can have significant legal or other consequences for individuals, such as a firm using algorithms to filter client applications.

In May 2023, the Berlin DPA fined a Berlin-based bank €300,000 for failing to be transparent about why its algorithm denied a credit card to an applicant.


Fines from Finance and Privacy regulators, 2020-2022

  • Financial regulators in the UK, Ireland, France, and Germany imposed €1.7 billion in total penalties throughout 2020, 2021, and 2022.
  • Data protection authorities, on the other hand, issued €2.1 billion in fines over the same period.

In other words, Privacy fines across the four countries were 22% higher than financial regulatory fines.

There are, however, significant differences within the jurisdictions.


United Kingdom

The numbers clearly show that, for firms operating only in the UK, the FCA is the primary enforcement risk. London is a centre of finance, as the FCA’s substantial fines demonstrate, yet the regulator’s three-year total is still shy of the single largest Privacy fine issued by Ireland’s DPC.

Chart: UK fines 2020 to 2022

Whether deserved or not, the ICO has a reputation in UK and EEA data protection circles for issuing relatively few GDPR fines. One may argue that Ireland hosts the enormous US-based tech groups, and that is a valid point, but DPAs in countries such as Spain issue many more fines than the ICO.

Looking at quantum rather than count, however, there is a significant imbalance in the UK, with Finance fines totalling £976.2m against £61.7m for Privacy fines (UK figures are in sterling; the combined four-country totals above are in euros).


Ireland

The Central Bank of Ireland’s finance fines total €305.3 million in the years 2020 to 2022.

As mentioned above, however, the large US technology companies designate their Irish subsidiaries as the controller for their EEA processing under GDPR. Ireland is therefore home to the EEA headquarters of most of the largest US-based tech groups, and under the GDPR’s one-stop-shop mechanism the Irish DPC acts as lead supervisory authority for their cross-border processing.

The numbers clearly reflect this, with Ireland’s Data Protection Commission (DPC) issuing exceptionally large Privacy fines totalling more than €1.5 billion across 2020-2022.

Chart: Ireland fines 2020 to 2022

Enforcement work by Ireland’s DPC illustrates that investigations can take two to three years to complete, and the DPC has more than its share of large investigations. GDPR took effect in mid-2018 but delivering headline penalties required years of preparation.

It also illustrates the rapidly growing size of GDPR fines and the impact of the regulation’s cooperation and consistency mechanism, under which a lead authority must circulate its draft decision to the other supervisory authorities concerned, any of which may object. Where objections cannot be resolved, the dispute goes to the European Data Protection Board (EDPB) for a binding decision. That process has resulted in large increases to draft fines proposed by the DPC.


France

As with Ireland, French Privacy penalties (€453.9 million) significantly outpaced those for financial misconduct (€231.7 million).

Chart: France fines 2020 to 2022

CNIL, the French DPA, is known for proactively asserting its jurisdiction and issuing large fines around cookies under the ePrivacy Directive. Because cookie enforcement under the ePrivacy Directive (as transposed into French law) sits outside the GDPR one-stop-shop, CNIL can act directly against non-French groups rather than deferring to a lead authority in another member state.


Germany

Precise figures for German Privacy fines can be difficult to find, due to the country’s array of state DPAs working alongside the national DPA. Germany’s Finance and Privacy fines were the lowest of the four example countries.

Chart: Germany fines 2020 to 2022

Unlike the other three countries, German penalties were more evenly distributed between financial misconduct (€64.2 million) and Privacy violations (€51.7 million).


Outliers

Three Privacy enforcement cases outside the scope of this analysis (issued after 2022, or by a DPA outside the four countries) further demonstrate that GDPR fines are growing:

  • Meta: Fined €1.2 billion in May 2023 by Ireland’s DPC, an amount comparable to all financial-sector penalties issued in the UK and Ireland from 2020 through 2022.
  • Amazon: Fined €746 million in July 2021 by Luxembourg’s DPA, some €55 million short of the combined Finance and Privacy fines issued by France and Germany (€801.5 million) in the 2020-2022 period.
  • TikTok: Fined €345 million in September 2023 by the Irish DPC, an amount greater than all of Ireland’s Finance-sector penalties (€305.3 million) during the 2020-2022 period.


Closing thoughts

AML and KYC are, and will rightly remain, key areas of compliance for the financial industry. However, the risk of Privacy fines on Finance players looks to be increasing, particularly with the widespread adoption of artificial intelligence, cross-border processing, and Europe’s ever-growing customer base.

European DPAs have shown their willingness to impose significant penalties, which can be further amplified by the GDPR’s consistency mechanism for cross-border processing. Additionally, the race to deploy artificial intelligence tools may soon result in GDPR super-fines targeting finance firms.


(Robert Baugh is the Founder and CEO of Keepabl, Privacy Management SaaS based in London. Prior to Keepabl, Robert was General Counsel of technology growth companies for more than a decade.)
