New EU privacy laws capture Aussie banks

  • By Elizabeth Fry

Australian banks that trade in Euros or monitor the transactions of customers travelling in Europe will be forced to comply with the Eurozone’s new privacy laws, or face heavy fines.

Under the new Eurozone rules, if local banks offer services to citizens of the European Union, have subsidiaries in the EU or use data analytics to understand and predict customer behaviour, they have new obligations, according to Matthew Quick, KPMG’s director, technology risk & assurance.

Quick argues that the major banks will all be captured by the European Union’s General Data Protection Regulation (GDPR) as they all trade European currencies.

“Plus, if an Australian bank customer uses their mobile banking app in Europe and the lender is using data analytics on transactions, there is the potential for that bank to be captured by GDPR,” he added.

The problem for the banks, he said, is that the new law has not yet been tested, so it is not yet clear whether it captures a given situation or not.

“And that is probably the first call to action for the banks,” he argued. “They need to check because if they are covered then they need to be very acutely aware of what happens if they are in breach.

“With fines of up to 4 per cent of global turnover, or €20 million, whichever is greater, there is no time to waste since the GDPR comes into force within 12 months.”

Double whammy

The problem, according to Quick, is that the wording is very broad. The GDPR not only applies to the processing of personal data inside the EU but also outside Europe where a firm offers goods and services to individuals in the EU, even if no payment is made.

It also applies where firms are monitoring the behaviour of individuals within the EU, especially if they are profiling any activity for predictive purposes.

Australian banks face a double whammy since GDPR comes into force next May, just three months after data breach notification becomes mandatory in Australia.

“Together these new laws will require fundamental changes to how Australian firms handle personal information, especially the banks.”

According to Quick, the changes to local law in February mostly just tweak one aspect of the existing Australian privacy laws, which is to do with the notification of data breaches.

Under the existing regime, there is no clear obligation to notify an individual if their data is lost or stolen, or even to notify the regulator.