1

PERSONAL DATA PROTECTION IN BANKING AND FINANCE”Session 2:

Personal data processing in systems such as credit bureaus

Bucharest

Thursday - 24 May 2007

"Balance of interests between industry and data protection"

Wulf BachWulf Bach

President ACCISPresident ACCIS

2

Contents:

- The legal basis and goals of data protection

- The legal basis and goals of credit bureau activity

- Reasonable balance of interests

3

1. The legal basis and goals of data protection

1.1 Basis in constitutional law

- EU - no constitutional provisions for data protection

- ECJ Catalogue of Human Rights (see charta of Human Rights)

Comparable to the ECHR

- European Convention on Human Rights - ECHR

Art. 8 “Right to respect for private and family life”

Interference permitted in “justified” cases

(cf. ruling of 6 October 1982)

Art. 14 Protection of “sensitive" data

see also Art. 8, DPD

not affected by CBs

4

- National

- Example: Germany

Federal Constitutional Court:

“right of self-determination regarding information“

as a “consequence of the fundament right of

human dignity”

But:

“The right of self-determination with regard to

information is not unlimited.”

(see Art. 8 par. 2 Charta of Human Rights)

5

Federal Constitutional Court D (25 July 1988)

"… Personal information also reflects an image of social reality

that does not belong exclusively to the individual in question.

Thus the individual must accept restrictions of his or her right to

self-determination with regard to information in the general public

interest, … and with strict adherence to the principle of

commensurability.”

Balance of interests

6

1.2 General laws

- EU

- Data Protection Directive

- National

applied in all Member States

politically defined balance of interests

expressed in EU and national law

sufficient basis for the assurance of data protection

7

Primary aspect of the assurance of data protection

- Trust in the legality of CB concepts as applied in practice,

including security and regulatory mechanisms

8

2. The legal basis and goals of credit bureau activity

2.1 General - freedom of services - objectives/goals of credit bureaus

EU goal development of an EU Single

Market

for retail banking, among others

“credit” “he believes”

generally accepted basis for the provision of credit responsible lending only after careful

assessment of the borrower’s ability to repay (draft CCD, Art. 7a)

data exchange as old as credit itself The provision of credit on a broad basis

would be inconceivable without data-sharing!

9

2.2 Special regulations - EU - for credit bureaus

none

but various references in directives and political discourse -

see further details later

10

2.3 Special regulations - EU - containing references to credit

bureaus services- Basel II /CRD

requirement to implement risk-management

instruments / systems

external or internal ratings

basis: processing of “available” data

11

2.4 EU assessment of the importance of CBs

- ECJ - ruling of 23 November 2006

CBs serve to:

increase the effectiveness of credit offerings(access to

credit)

increase the mobility of borrowers

reduce credit interest rates

12

EU Parliament

- “Purvis Report” (Green Book on Mortgage Credit)

“Stresses the importance of comprehensive and reliable client

credit databases and urges the Commission to promote the

development of a process of transition to a consistent format

in all Member States”; (36)

“Recognizes that, subject to justifiable privacy protection,

access to both positive and negative credit data is desirable;”

13

- EU Parliament

“CIVIC Consulting Report”

“… the third most important barrier [for the establishment of a

single market on retail banking] was credit risk for lenders - no

access to credit worthiness information …”

“access to credit registers is essential for crediting”

14

- EU Commission

DG Market - Green Book on Retail Financial Services

"Lenders who are unable to access accurate credit information

may charge higher prices or even refuse to provide credit to

consumer…”

“The Commission will tackle the barriers to competition

identified by the sector inquiry into retail banking …”

15

- EU Commission - DG Competition

“Sector Inquiry on Retail Banking - Final Report -”

“Authorities should note that credit data sharing regimes with

high reporting threshold or based on the exchange of only

negative data are likely to favour large incumbents at the

expense of smaller players and particularly new entrants.

Therefore national authorities … may wish to consider reforms

to their regulatory framework for credit data sharing …”

16

Interim result

- The necessary exchange of data between credit providers

- through credit bureaus -

conflicts with the goals of data protection. This conflict must be

resolved.

Goal:

a reasonable balance of interests

17

2.5 Special regulations - national - for credit bureaus

- old EU Member States

Only to the extent that a credit bureau is operated

through a central bank (as provided by law) - e.g.

Belgium, France, Spain, Italy (principle of the legality of

public administration)

- new EU Member States

Some have enacted CB laws (e.g. Poland)

(to be assessed based on the results of the EU Sector

Inquiry …)

18

3. A reasonable balance of interests

3.1 General - Data Protection Directive

Goal too: "Free movement of … services and capital …"

permits the exchange of data via credit bureaus

Defines the balance of interests as an “essential

regulatory component”

A wide range of credit bureaus systems operating

legally in Europe on the basis of the DPD

19

3.2 Positive and negative versus negative data only- Studies world-wide

e.g. South America Japan Italy positive and negative

- EU CCD - 1st draft

“tendency to recommend positive registers” Sector Inquiry

positive and negative Positive data are required for full access to credit information. economic growth

- ACCIS 76 % of members also exchange positive data.

20

3.3 “Minimum threshold” for negative reports (”in arrears at least 120 days”?)

- Basis Civil law

- Goals quickest possible access to indications of inability to repay

/ unwillingness to pay

Goal: risk-minimization and prevention of excessive

debt

- Example: Germany

generally recognized (by courts, consumer protection

organisations and data protection authorities)

14 days after second fruitless reminder

exception: claim was “plausibly” disputed until then

21

3.4 Deletion periods for negative data 1 - 2 years

- EU-DPD as long as required

criterion: “required” (Art. 6, 1, c)

- Germany at the end of the 4th calendar year

after entry into register if no longer

required

- CRD minimum data history of 5 years

- ACCIS Data are stored by members for an

average

of 5 years.

22

3.5 Sources of data / participants in the exchange of data- International experience

Non-bank data are important - especially for banks - as

“early-warning signals” of potential economic problems

- EU- CCD (Art. 7a, 8)

Not restricted to banks Applicable to all forms of “consumer credit”

- Sector Inquiry on Retail Banking Disadvantage to non-banks as credit providers

weakens/conflicts with competition

- ACCIS approx. 50 % of CBs also exchange data with “non-banks”

(e.g. mail-order houses, retailers, telecommunication

companies)

23

3.6 Possible “balance of interests” with regard to data protection -

general

- transparency

information

consent (e.g. to the exchange of positive data)

right of information (access to personal data)

right of deletion, correction, blocking of access

- "Code of Conduct"

cf. UK (government, industry, data protection, consumer

protection)

24

Thank you for your attention!Thank you for your attention!

ACCIS Association of Consumer Credit Information Suppliers IVZWACCIS Association of Consumer Credit Information Suppliers IVZWInternational non-profit association under Belgian law, Reg. address: International non-profit association under Belgian law, Reg. address:

Avenue de Tervuren 267, 1150 BrusselsAvenue de Tervuren 267, 1150 Brusselswww.accis.eu