Partnering With Tech and Fintech Firms: Key EU/UK Regulatory Considerations for the Payments Sector
There has been a rapid increase in collaboration between fintechs and other technology firms and more traditional payment service providers (PSPs) such as banks, merchant acquirers, and money transmitters. While fintechs and technology firms are often seen as direct competitors of traditional PSPs, in a market driven by innovation, both sides of the market increasingly consider collaboration a mutually beneficial way to play to each participating firm’s strengths. For more traditional PSPs, the technologies that a fintech or technology firm develops can help enhance and streamline, and in some cases modernize, the services provided to customers. For a fintech or technology firm, partnering with a PSP can provide an efficient and effective way to expand into the payment services market, particularly for customers who are more inclined to use traditional PSPs.
Regulators are monitoring these developments with growing interest and with an eye to potential risks to customers and markets as well as their ability to supervise regulated firms and their operations. This post highlights a number of EU/UK regulatory issues that fintechs, technology companies, and PSPs should consider when collaborating with one another.
Schrems II – Live Reaction to the Key Landmark Decision on the Future of International Data Transfers
Join Us for Post-Decision Coverage of the Schrems II Case
On July 16, the Court of Justice of the European Union will release its much anticipated decision in the Schrems II case, evaluating the validity of key data transfer mechanisms, including Standard Contractual Clauses. The decision could impact the future of international data flows and your business.
We will host an immediate reaction and analysis with leading industry panelists on this landmark decision to understand its impact and what the future may hold.
French Council of State Partially Annuls CNIL Cookie Guidelines on Use of Cookie Walls
On June 19, 2020, the French Conseil d’État (“Council of State”) issued a decision partially annulling the Guidelines of the French Data Protection Authority (the “CNIL”) on cookies and other tracking tools (“Guidelines”). The Council of State ruled that the CNIL’s Guidelines could not prohibit the use of ‘cookie walls’, a practice which consists of blocking user access to a website where the user refuses to consent to cookies and other tracking tools. Nevertheless, the Council of State confirms the Guidelines on other key points, such as the requirement to facilitate the right to withdraw consent to cookies, the retention period for cookies and the information requirement for cookies not subject to a consent requirement.
Privacy and Cybersecurity Roundtable: Monitor-Side Chat Series
These informal video chats, moderated by Sidley partner Alan Raul, are designed to help fill the COVID-19 induced privacy discussion drought. We look forward to hearing what is on the mind of key data protection and cybersecurity thought leaders from both public and private sectors. Each chat will be relatively brief, leaving some time to address participant questions via our virtual space. Please feel free to suggest any topics you would be interested to hear addressed by contacting dcevents@sidley.com.
Key Takeaways From Sidley’s Privacy and Cybersecurity Monitor-Side Chat Featuring Bruno Gencarelli, Head of International Data Flows and Protection at the European Commission
On June 25, 2020, Sidley partner, Alan Raul, founder and co-head of Sidley’s privacy and cybersecurity practice, hosted Bruno Gencarelli, head of International Data Flows and Protection at the European Commission, for a Monitor-Side Chat.
The discussion focused largely on the Commission’s report on two years of the GDPR which was issued on 24 June 2020. Key themes of the report include:
- EU data protection authorities (“DPAs”) should increase their efforts towards the adoption of a harmonised approach to responding to cross-border investigations;
- a call for greater resources to be given to DPAs by EU Member States to ensure the GDPR is sufficiently enforced;
- a need for greater consistency among EU Member States on interpretations of the GDPR in national laws in order to avoid unnecessary burdens on companies; and
- greater utilisation of the data portability right under the GDPR to ensure individuals have greater involvement in the digital economy by enabling them to switch between different service providers and make use of other innovative services.
French Council of State Upholds €50m CNIL Fine against Google
On June 19, 2020, the French Conseil d’État (“Council of State”) issued a decision upholding the €50 Million fine imposed against Google LLC by the French Supervisory Authority (the “CNIL”). On January 21, 2019, the French CNIL had issued a fine against Google’s U.S. headquarters for failure to comply with the EU General Data Protection Regulation’s (“GDPR”) fundamental principles of transparency and legitimacy. Please refer to the relevant Sidley Data Matters’ blog post on the CNIL decision here. The CNIL found that Google had insufficiently informed Android users about their data processing activities, given the complexity of Google’s privacy policy and terms & conditions, and that the consent obtained from them through the use of pre-ticked boxes was insufficient to serve as a legal basis for processing used for targeted advertising. This was the first and highest regulatory fine the CNIL had issued on the basis of the GDPR.
European Commission’s Public Consultation on Proposed EU Artificial Intelligence Regulatory Framework
On 19 February 2020, the European Commission published a white paper on the use of artificial intelligence (“AI”) in the EU (the “White Paper”). The White Paper forms part of the Commission President, Ursula Von der Leyen’s, digital strategy, one of the key pillars of her administration’s five year tenure, recognising that the EU has fallen behind the US and China with respect to the strategic deployment of AI. To tackle this problem, the Commission proposes a common EU approach to ‘speed up the uptake’ of AI in the EU, whilst also tackling the human and ethical implications of AI’s fast growing use in the EU, including the possible downsides of its use, such as opaque decision making and hidden, embedded gender and racial discrimination. In order to achieve a common EU approach to AI, and to create “trustworthy” AI that can rival developments in the US and China, the Commission proposes the creation of a regulatory framework for AI.
Clinical Trials in the EU: Ongoing Uncertainty Around Data Protection Compliance for Sponsors
Ongoing confusion about lawful basis for data processing in a clinical study environment: European Data Protection Board and European Commission on the one hand and certain Member States on the other differ on the correct approach. Swiss sponsors operating clinical studies in the EU face ongoing uncertainty around the appropriate lawful basis for processing study subject personal data in spite of guidance being published by the European Commission and the European Data Protection Board.
WEBINAR – COVID-19 – European and U.S. Cybersecurity Issues: Preventing and Responding to Cyber Incidents
Join OneTrust DataGuidance and Sidley for a webinar discussing COVID-19 and European and U.S. cybersecurity and cyber risk insurance issues.
The COVID-19 global pandemic presents unique legal and practical challenges for companies across all industries, including with respect to cybersecurity risks and protections. There are increased cyber vulnerabilities from insider and external threat actors, including cyber attacks on individuals and companies.
In this webinar, we will highlight the dynamic and evolving cybersecurity threats companies face as a result of the pandemic, and the global legal implications of a cyber breach in this new environment – and how they can reduce these risks, and effectively respond to a cyber incident.
European Data Protection Board Releases Statement on Personal Data and COVID-19
On 20 March 2020, the European Data Protection Board (“EDPB”) released a statement on the protection of personal data in connection with measures that public authorities and business organizations (including employers) are taking to address the Coronavirus (COVID-19) pandemic. This statement is an extension of the statement released by the EDPB chair on 16 March 2020, (which can be accessed here). In its latest statement, the EDPB emphasises that EU data protection law (in particular, the EU General Data Protection Regulation (“GDPR”)) does not stand in the way of measures adopted to fight against COVID-19 – if these measures are necessary, proportionate and consistent with safeguards required under EU Member State laws. The EDPB statement also provides useful guidance for organisations to consider when adopting measures to lawfully process personal data during this time.
Overall, while EDPB statement may provide some reassurance to organizations with respect to COVID-19 measures, organizations will be advised to consider guidance issued by specific EU Member State data protection authorities as well. In particular, specific EU Member State data protection authorities have begun issuing COVID-19 guidance that is, at least in certain respects divergent: while certain data protection authorities are adopting a more restrictive approach (for example, the French CNIL), others are more permissible (for example, the UK’s Information Commissioner’s Office).
