Academic journal article Fordham Journal of Corporate & Financial Law

Reconciling U.S. Banking and Securities Data Preservation Rules with European Mandatory Data Erasure under Gdpr

Academic journal article Fordham Journal of Corporate & Financial Law

Reconciling U.S. Banking and Securities Data Preservation Rules with European Mandatory Data Erasure under Gdpr

Article excerpt

Introduction

United States financial law conflicts with European Union data protection law. United States financial law, meaning banking law and securities law, requires financial institutions to keep and maintain customer data for specified time periods.1 Specifically, securities law requires certain classes of data to be kept and maintained on nonrewritable, non-erasable storage media.2 European Union data protection law requires firms doing business with European customers to honor customer requests for data erasure.3

A U.S. financial institution doing business with customers from the European Union cannot possibly comply with both sets of laws as it cannot preserve and erase the same data simultaneously. Therefore, if a U.S.-regulated financial institution does business with a European customer who later demands erasure, the institution faces conflicting requirements. This issue is especially prominent in light of the financial system's international nature. Investors from EU Member States traded over $16.52 trillion U.S. securities in the first half of 2018, and at the end of 2017, 5.15 percent of FINRA member-firms had foreign offices.4

Part I of this Note focuses first on U.S. federal law. It discusses financial law and foreign relations law. Financial law consists of banking law and securities law. Each require U.S. financial institutions to keep and maintain customer data for minimum time periods. Securities law requires broker-dealers to keep and maintain much of this data in a format that cannot be altered or erased during the retention period.5

United States foreign relations law consists of two parts "(a) international law as it applies to the United States; and (b) domestic law that has [either] substantial significance for . . . foreign relations . . . or . . . substantial international consequences."6 The domestic component mainly consists of the Constitution, statutes, court decisions, federal rules, and federal regulatory actions.7 The domestic component includes conflict of law rules, i.e., "law directed to resolving controversies between private persons . . . arising out of situations having a significant relationship to more than one state."8

Part I also focuses on two subjects in EU law. First, it discusses the data protection law: the General Data Protection Regulation. In particular, pursuant to Article 17(1), the General Data Protection Regulation compels firms who do business with European customers to erase personal data about any customers who demand erasure.9 Second, Part I discusses European financial regulation under the Markets in Financial Instruments Directive. Specifically, it focuses on that law's limited data retention requirements for European investment firms. Such requirements are relevant to the interest balancing test discussed in Parts II and III.

Part II focuses on frameworks for resolving this conflict, both when litigated in U.S. courts and when litigated in European courts. United States foreign relations law and customary international law both suggest an interest balancing approach to resolving conflicts of law.10 Understanding interest balancing requires understanding the concepts of jurisdiction to prescribe and international comity.11

United States foreign relations law does not bind the European Union.12 Litigating data-related conflicts in European courts would likely result in a judgment against the U.S. financial institution when, as discussed in Part II, European conflict of law rules apply European data protection law instead of U.S. financial law.13 Part II also discusses the European Union's jurisdiction to enforce judgments against nonEuropean businesses in the United States.

Part III first balances each states' interest in applying its substantive law. Then, it performs balancing tests for banking law and securities law. In so balancing, it offers a resolution to the conflict when litigated in U.S. courts. Since European conflict of law rules govern the conflict in European courts, Part III examines the enforceability of European judgments against U. …

Search by... Author
Show... All Results Primary Sources Peer-reviewed

Oops!

An unknown error has occurred. Please click the button below to reload the page. If the problem persists, please try again in a little while.