Presentation on Global Privacy Laws and Rules in Financial Firms

Ms. Lynn A. Goldstein, Chief Privacy Officer of JP Morgan Chase Co., gave a presentation on global privacy laws and rules in financial firms on Dec 3, 2009.

She first introduced the major difference between privacy laws in the US and the EU: EU laws are more conservative, covering everybody and everything dealing with EU financial data.

In the EU, consumers’ financial data cannot be shared. In the US, such data can be used and shared under various circumstances. Information can be shared with third parties and used for channel marketing. Information can even be shared with affiliate firms for marketing purposes unless the consumers “opt out”. Consumers can choose to opt out so that their credit information is not shared; however, their transaction information is still shared unconditionally.

To regulate information sharing with third parties, the Gramm-Leach-Bliley Act (GLBA) was enacted in 1999, providing limited protection against the sale of information. GLBA requires financial institutions to provide a privacy policy to consumers and the option to opt out of sharing limited nonpublic personal information with unaffiliated companies. However, if a financial institution wants to share consumer information with a third-party company, even a non-financial one, all it needs to do is include the notice in its privacy statement, and consumers can then choose to opt out. In California, the law is quite different. Under the California Financial Information Privacy Act (Senate Bill 1), consumers must opt in before financial institutions may share their information with third parties. This policy protects consumers better, because people by nature tend not to opt in even when offered a benefit.

The US also has regulations limiting the use of credit information. The Fair Credit Reporting Act (FCRA) gives consumers the right to know what is in their credit files and to limit access to those files. Employers must obtain the consumer’s consent before accessing their credit report.

The Telephone Consumer Privacy Act (TCPA) restricts telemarketing. It limits the hours during which solicitors may call, and prohibits the use of artificial voices or recordings and the sending of advertising faxes without consent. The Act also requires solicitors to keep a “Do Not Call” list, which must be honored for 10 years.

Ms. Goldstein also discussed data protection and breaches. At JP Morgan Chase Co., the data breach policy applies to both paper and electronic information. When a data breach happens, e.g., unauthorized access to protected information, the consumer must be notified, along with other actions to cover the potential loss from the breach and guarantee the consumer’s rights.

Compared to the U.S., the EU Data Protection Directive is broader, covering all information related to every individual, and there is no distinction between natural persons and legal persons. Financial institutions may keep private information only for a limited period and for reasonable purposes. Consumers have the right to know what content is included in their files. For special categories, private information cannot be used without consent.

For global institutions such as JP Morgan Chase, a challenge is transferring financial data among jurisdictions with different privacy laws, and to countries like China that have no privacy law. For example, the EU Data Protection Directive restricts data transfer to countries without an adequate level of protection. To promote privacy protection and the flow of information in the Asia-Pacific region, APEC issued a Privacy Framework in 2005 that facilitates information transfer. However, the framework is still in the path-finding stage.
