The Consumer Financial Protection Bureau (CFPB), the primary federal regulator charged with enforcing consumer financial protection laws, recently announced a proposed rulemaking that would require the myriad non-banks subject to CFPB authority to disclose various consumer contract provisions that the CFPB deems potentially harmful on a public registry. These provisions include arbitration requirements; waivers of claims a consumer can bring in a legal action; limits on a company’s liability to a consumer; clauses limiting a consumer’s ability to bring legal actions by dictating the time frame, form, or venue for legal action; limits on the consumer’s ability to voice complaints or post reviews; and other waivers of consumer rights and legal protections.
On October 20, 2020, a consortium of U.S. federal financial regulators (Regulators), issued a proposed rule (Proposed Rule) that, if enacted, would codify that mere supervisory guidance that is not the product of notice and comment rulemaking—e.g., interagency statements, advisories, bulletins, policy statements, and FAQs—does not have the force of law. The Proposed Rule would further clarify that the Regulators will not take enforcement actions (including less draconian supervisory actions, like issuing “matters requiring attention”) based on violations of, or non-compliance with, such guidance.
The Board of Governors of the Federal Reserve System has recently indicated it may move forward with enhanced cybersecurity standards that had previously been floated by the Board, the Office of the Comptroller of the Currency (OCC) and the Federal Deposit Insurance Corporation (FDIC) back in 2016. Specifically, in October 2016, the Board, the three entities issued a joint advance notice of proposed rulemaking (ANPR) on enhanced cybersecurity standards before deprioritizing it in 2017. While the OCC and the FDIC withdrew their ANPRs earlier this Spring, the Board may revive the issue this coming Fall.
In what is a challenging sector—especially following recent revelations over “secretive” government-awarded post-Brexit contracts—the UK Government recently issued new guidance on outsourcing aimed at improving government procurement and delivering better public service. Released on February 20, 2019, the “Outsourcing Playbook” targets improvements in how government works with industry and delivers better public services, but there are lessons to be learned for the private sector, as well.
The long awaited and, one hopes, much prepared for new General Data Protection Regulations (GDPR) are just a few short months away from becoming law. To help companies look at the practical steps they need to take now in order to be ready, Pillsbury will be presenting “#ReadyforGDPR?” on February 20 from Noon – 1:00pm EST. We will discuss how these new laws will significantly impact companies doing business in Europe, even those without a physical EU presence, and the latest feedback from enforcers as to what will trigger fines. We hope you can join!
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (a.k.a. the General Data Protection Regulation or GDPR) will, as most business people are probably aware of by now, come into force across the EU on 25 May 2018.
This will be the case in the UK (notwithstanding Brexit) and every other member state, since EU regulations have direct applicability. In other words, they do not need an act of parliament in the member state to make them into law. By contrast, EU directives are not directly applicable. When passed they still need legislation to be passed before they become part of national law. The current regime of the 1995 Data Protection Directive, and the UK’s Data Protection Act of 1998, both of which are due to be replaced next year, are good examples of this.
To complete the picture, from a UK regulatory perspective, in terms of what is changing, the government has introduced a Data Protection Bill which is currently passing through parliament. The Bill does not replace GDPR in the UK. Instead it seeks to make the UK’s own data protection laws “fit for purpose” in a digital age, replacing 1998 Act and, amongst other things, implementing the “GDPR standards across all general data processing”.
Those of us who have been grappling with how best to approach GDPR compliance in outsourcing and other commercial contracts will be all too familiar with Article 28 of the GDPR. Article 28.3 builds on the limited obligations that existed under the existing regime but also include some significant enhancements to the minimum processor obligations to be addressed head on in the contract.
Processor’s obligation to notify infringing instructions
One requirement of Article 28.3 in particular, has provided clients and counsel alike with a degree of angst since the final draft of the GDPR was published in May 2016, and further back still for those of us who had followed the negotiations and multiple redrafts of the GDPR prior to its final publication.
The UK’s Financial Conduct Authority (‘FCA’) has now announced the participants in the second cohort of its regulatory sandbox, with the companies involved offering a range of ideas-based payment services and artificial intelligence software. In “The FCA Announces The Second Cohort For Its Regulatory Sandbox“, an article in Payments & FinTech Lawyer, Pillsbury partner Tim Wright provides an overview of the second cohort and their characteristics.
The UK Government has published a statement of intent containing details of its proposed Data Protection Bill. The full text of the Bill is expected in September 2017, when the UK Parliament returns from its summer break.
The Bill will enshrine the EU General Data Protection Regulation (GDPR) into UK domestic law. It will also implement the requirements of EU Directive 2016/680 (The Law Enforcement Directive) which covers the processing of personal data for crime prevention, and the free movement of such data.
Why is a UK bill needed?