United States law, which requires financial institutions to retain customer data, conflicts with European Union law, which requires financial institutions to delete customer data on demand. A financial institution operating transnationally cannot comply with both U.S. and EU law. Financial institutions thus face the issue that they cannot possibly delete and retain the same data simultaneously. This Note will clarify the scope and nature of this conflict.
First, it will clarify the conflict by examining (1) the relevant laws, which are Europe’s General Data Protection Regulation (GDPR), the U.S. Bank Secrecy Act, and Securities and Exchange Commission (SEC) regulations, (2) GDPR’s application to U.S. financial institutions, and (3) U.S. law’s extraterritorial application to financial institutions operating in Europe, under the U.S. Supreme Court’s Morrison-Kiobel two-step analysis. Second, it will propose a solution by examining international law and U.S. foreign relations law.
United States law subjects financial institutions to multiple data retention requirements. Securities regulations require broker-dealers to retain customer account and complaint records. The Bank Secrecy Act of 1970 requires financial institutions to retain customer data for at least five years. Sometimes, banks must permanently retain certain records.
GDPR empowers individuals to demand that companies erase their data. Couched in the theory of a right to erasure, GDPR lets customers withdraw their consent for a financial institution to process or retain their data. Violators may face fines of 4 percent of their worldwide revenue. GDPR applies broadly to U.S. data-processors that either (1) are established in the European Union, or (2) monitor or offer to sell goods or services to individuals in the European Union. Establishment is broadly construed by European courts and may be met by “a single representative in the European Union.”
In U.S. law, a two-step analysis determines whether and to what extent federal statutes govern conduct abroad. First, courts analyze whether the presumption against extraterritoriality has been rebutted. The presumption derives from the canon that a statute, “unless a contrary intent appears, is meant to apply only within the territorial jurisdiction” of the United States. If the presumption is not rebutted, the court proceeds to the second step, when the court considers the statute’s “focus” and whether the case involves the statute’s domestic application. United States law has domestic application to data stored domestically, and sometimes possibly to data stored internationally; such data operations may also fall under GPDR’s jurisdiction. Then, if a customer asks a financial institution to delete data, the financial institution will face conflicting laws.
This Note seeks to resolve the conflict, recommending that courts approach resolution from the framework of the Restatement (Third) of Foreign Relations Law.
To download a full PDF of this note, click here.