| 
GDPR Lift-off
“We are not looking for perfection. We do not have thousands of inspectors going out and checking people’s homework. What we do have are millions of people that have new rights and they can make a complaint against a company to our office”.
Information Commissioner Elizabeth Denham, BBC Radio 4’s Today programme, 25 May 2018
Few in the asset finance industry will not be familiar with the EU General Data Protection Regulation, which was finalised as long ago as April 2016. A two-year period was allowed for implementation, and the UK government decided that the GDPR would have direct effect in English law from 25 May 2018 without the need for any refinements in a statute such as was the case in the 1998 Data Protection Act which implemented an earlier EU directive.
Now that the dust has settled and all well advised asset financiers should be well on the way to ensure compliance with the new regime, this article will assume familiarity with the basic concepts and take a look at 5 issues which deserve closer scrutiny: –
(1) the extent to which obligations extend beyond customers who are individuals or a partnership;
(2) whether current practice in the industry is always sufficient to comply with notification requirements to individuals ;
(3) the interplay between intermediaries and funders in relation to the notification requirements;
(4) the notification obligations of a confidential assignee of asset finance agreements; and
(5) whether breaches of the GDPR are likely to be a serious concern for asset financiers.
1 Who is protected other than individual and partnership customers?
“Personal data” is defined in the GDPR as “any information relating to an identified or identifiable natural person”, and “processing” “means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction” (GDPR Article 4(2)).
Thus the processing of personal information which is subject to the GDPR extends well beyond obvious matters such as credit checks and the payment history of individual or partnership customers, and for example the name and address of an individual guarantor, personal information held about directors and other persons of significant control in corporate customers, and of course information about employees are all covered by the requirements of the GDPR.
There is also a very important and widespread additional category of persons whose information is processed: prospects whose applications do not result in a concluded Finance Agreement. This has been overlooked by some asset financiers, for example in relation to specifying data retention periods in Privacy Notices there is often a reference to a period such as six years after the termination of Agreements, without stating that in the case of applicants who do not become customers information may be retained for a period of 12 months or so.
2 Rights of data subjects to notification of processing
The heart of the GDPR is the enhanced rights given to the data subjects relating to the processing of their personal information. For asset financiers the key issue is the information to be provided to the data subject, and this is usually done by a “Privacy Notice” or “Fair Processing Notice”.
This usually appears on the face of the Finance Agreement, and modern best practice as recommended by the Information Commissioner’s Office (“ICO”) and endorsed by the FLA is to adopt a “layered” approach, in which the main points are summarised and reference is made to the full text of a Privacy Notice normally online.
The credit reference agencies have agreed a lengthy Privacy Notice (“CRAIN”) with the ICO and require asset financiers to provide a short summary in a format which has been agreed with the ICO and which links to the full text online.
However, although this is common practice throughout the industry and achieves compliance where the relevant individuals themselves sign the Finance Agreement, there are difficulties with this approach where other individuals are involved who are not signatories to the Agreement. For example if credit checks are to be carried out on all directors but only one or two of them sign the Finance Agreement, there will never been proper notification to the other directors merely by relying on the reference to the Privacy Notice in the Agreement itself.
Best practice would be to ensure that all relevant individuals whose information is processed acknowledge that they have been given the opportunity to read and understand the Privacy Notice, for example by signing an Application Form extraneous to the Finance Agreement.
The same point applies to direct marketing: whilst it is generally understood that “opting in” to electronic means of marketing such as email and telephone is now required, tick boxes on the face of Finance Agreements can only really apply to a single signatory, so again it is better for them to be used in the context of short Application Forms.
3 Interplay between Intermediaries and Funders
One of the most difficult issues, which remains to at least some extent unresolved, relates to the respective roles of intermediaries and funders in providing individuals with the information required by the GDPR.
Even in a simple transaction there may be at least three parties involved in the chain of information: the dealer, broker and funder. Who has the obligation to inform the prospect about all this processing of his or her personal information?
The FLA stepped into the breach and gave some helpful advice on this difficult issue in its Information for Intermediaries just as the GDPR came into effect; the key passage includes the following: –
“While the GDPR does permit privacy notices to refer to ‘categories’ of recipients of the individual’s information, rather than necessarily named recipients, this possibility has to be considered alongside the Regulation’s overall requirement that information be handled fairly and transparently. This is a high bar. Consistent with this, the ICO’s view is therefore that the most practical solution is for the intermediary’s privacy notice to explain why the individual’s information is being passed to finance providers, with individuals then being directed to finance providers’ websites where their own privacy notices can be read. The inclusion of links to finance providers’ information is however not mandatory and it is for firms to consider the most appropriate approach for their organisations and customers.
Lenders may for example prefer to contact a customer directly, or the intermediary may not agree to display such granular information”.
It is particularly interesting to note that the last two sentences were added to the initial draft which was circulated for consultation amongst FLA members; this rather suggests that there was considerable pushback to the ICO’s apparent suggestion that intermediaries should refer prospects to Privacy Notices for each individual prospective funder.
In practice it would appear that funders are still grappling with this issue. At the end of the day a broker has an obligation to inform the prospect of its processing of information about the prospect, and funders have obligations to inform the prospect about their own processing of his or her information, whether or not any of the processing results in the conclusion of a Finance Agreement.
To ensure strict compliance would involve: –
(1) the broker providing the prospect with a copy of its Privacy Notice on first contact; and
(2) each prospective funder providing the prospect with access to its Privacy Notice on first contact, and not only if an agreement is concluded, whether this be by itself or through the broker.
It was interesting to see the lengthy addendums to Broker Agreements circulated by a number of funders just before 25 May, some of which were more comprehensible than others, but it would seem that the interplay between brokers and funders in providing GDPR compliant information to prospects is something which is going to be worked out in practice over the coming months.
4 Confidential assignments of asset finance agreements
What are the notification obligations of a confidential assignee of asset finance agreements such as in block discounting or other commonly used financing structures?
There were notification provisions in the 1998 legislation which required that: –
“the data controller ensures so far as practicable that …the data subject has, is provided with, or has made readily available to him” information about the identity of the data controller and the purposes of the data processing (see paragraph 2 of Schedule 1 Part 2 of the 1998 Act).
Obviously this raised a serious issue for facilities involving confidential assignments, so in the invoice finance market the trade body (then the FDA) entered into discussions with the ICO which resulted in what effectively amounted to a concession being granted by the ICO, that it would be permissible for individual (and where relevant partnership) debtors to be told by the invoice financier’s client that information would be processed by “our financiers,” provided that the identity of the financier would be revealed if the debtor asked for it.
The GDPR goes much further, there is no reference to the obligation to notify being limited “so far as practicable” or the information being “made readily available” as opposed to actually provided to an individual.
However, Article 14.5(b) of the GDPR provides that the notification requirements shall not apply where and insofar as: –
“the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89(1) or in so far as the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously impair the achievement of the objectives of that processing. In such cases the controller shall take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available.”
How does this apply to asset finance where there has been a confidential assignment? Assuming that the assignee financier has information enabling it to identify an individual, how does each limb of this exemption apply?
(a) Impossibility
It is not impossible for the information to be provided.
(b) Disproportionate effort
Providing the information may be inconvenient but would surely not involve a disproportionate effort – this was the view of the ICO expressed to the FDA in relation to the 1998 Act, and is also the view of the EU Article 29 Working Party set up to offer guidance on the GDPR (see WP260 rev.01 Guidelines on transparency under Regulation 2016/679EU at paragraphs 61 – 64).
(c) Serious impairment of the achievement of the objectives of that processing
Different lawyers have come to different conclusions as to whether this limb of the exemption can properly be applied to confidential asset financing.
It is one thing to say that notification to an individual would seriously impair the achievement of the underlying commercial objectives of a confidential assignment of an asset finance agreement, but the precise wording of the exemption refers back to “that processing,” ie. “processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes”.
To the layperson (and particularly to seasoned asset financiers) the distinction may seem to be dancing on the head of a pin, but it is important to recognise that the GDPR has to be interpreted as a whole in the light of its stated objectives.
This is where the recitals on the overall purpose of the Regulation need to be considered. It would seem from an examination of various recitals to the GDPR that it is intended that an individual is entitled to know who is processing information about him or her and the reasons why; for example recital 39 provides: –
“It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. … That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed”.
In addition, recital 60 states:-
“The principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes;”
The concept of “transparency” is a major difference between the 1998 Act and the enhanced protection for individuals contained in the GDPR. The starting point for the GDPR in Article 5.1 requires data to be processed “lawfully, fairly and in a transparent manner in relation to the data subject”, so when read against these provisions there must be at least a doubt as to whether a confidential assignee financier is entitled to rely on the exemption in Article 14.5 (b).
The view of the EU working party in WP260 rev.01 at paragraph 65 is that: –
“To rely on this exception, data controllers must demonstrate that the provision of the information set out in Article 14.1 alone would nullify the objectives of the processing. Notably, reliance on this aspect of Article 14.5(b) presupposes that the data processing satisfies all of the principles set out in Article 5 and that most importantly, in all of the circumstances, the processing of the personal data is fair and that it has a legal basis”.
The working party then gives an example of a bank giving a suspicious activity report under the anti-money laundering legislation: in such a case providing the data subject with notification would seriously impair the objectives of the legislation; however, even in this case the EU working party expresses the view that to comply with the exemption:-
“..general information should be provided to all account holders with [the Bank] when an account is opened that their personal data may be processed for anti-money laundering purposes”.
This interpretation and the wording of Article 14.5(b) itself does suggest that the exemption may well not have been intended to apply to the confidential assignment of asset finance agreements. However, there are many other situations where the same issue arises, for example in securitisation in general, not to mention the monitoring of a business’s debtor ledger by a bank providing overdraft finance, and our considered view is that it is worth exploring options to adapt existing operational procedures to minimise the chances of a successful challenge under the GDPR.
5 Consequences of Breaching the GDPR
There has been much publicity about the potentially devastating consequences of enforcement action by the ICO against breaches of the GDPR, with potential fines of up to €20 million or 4% of worldwide annual turnover if higher.
However, noises coming from the ICO have made it clear that the vast majority of reputable financial services providers are unlikely to be the targets of enquiry provided that they can demonstrate genuine attempts to achieve compliance. Our considered view is that difficult as some of the issues raised in this article may be, they are not the sort of thing which is likely to attract attention from the ICO at least in the early stages of the new regime.
The GDPR also gives rights to compensation for damage suffered by individuals as a result of breaches, but in reality asset financiers may have little to fear in this respect since even allowing for the excesses of the claims management industry, it is difficult to see many circumstances in which alleged breaches of the GDPR will result in actual financial loss to individuals.